Tuesday, November 20, 2018

Basic Skillz

Based on some conversations I've had with Jessica Hyde and others over the past month or so, I've been thinking a good bit about what constitutes basic skills in the DFIR field.

Let's narrow it down a bit more...what constitutes "basic skills" in digital forensics?

Looking back at my own experiences, particularly in the military, there was a pretty clear understanding of what constitutes "basic skills".  The Marines have a motto, "every Marine a rifleman", which essentially states that every Marine must know how to pick up and effectively operate a service rifle, be it the M-16 or M-4.  Boot camp (for enlisted Marines) is centered on a core understanding of what it means to be a "basic Marine", and the same holds true for TBS (The Basic School) for officers (both commissioned and warrant).  From each facility, Marines head off to specialized training in their military occupational specialty (MOS).

Is something like this an effective model for DF?  If so, what constitutes "basic skills"?  What is the point where someone with those basic skills transitions to an area of specialty, such as, say, Windows forensics, or Mac or mobile forensics? 

Thoughts?

17 comments:

Brett Shavers said...

I don't know why there hasn't been a basic DF skill foundation already. Something along the lines of a General DF Practitioner that branches off into the specialties in the field (OS specific, device specific, etc.). Most other professions do this already (doctors, lawyers, plumbers, etc.).

Should be easy enough to determine what would constitute basic skills, starting with collecting the common skills needed across every specialty (the 'basic things'). Things like seizing evidence, imaging, hashing, etc.

Harlan Carvey said...

Brett,

Thanks. To start:

- Seizing/collecting Evidence, data acquisition
- Understanding data integrity verification/hashing

Brigs said...

Maybe a three tier progression? Some thoughts/ideas...

Evidence Collector Skills
- Use of write blockers, data-at-rest preservation.
- Triage, volatile artifact preservation, to include memory dumps and logical imaging of encrypted volumes.
- Hashing and data integrity.
- Setup of equipment and collection of network traffic.

Data Extraction Skills
- Basic file system understanding (ex. allocated vs unallocated, MFT vs FAT vs ext).
- Use of main forensic tool sets for parsing and presenting the content of self-authenticating artifacts (emails, logs, images, etc.).
- Use of physical data extraction equipment (chip-off, JTAG, etc.).
- Metadata analysis of network traffic (NetFlow).

Analyst Level Skills
- Branch into platform-specific deep artifact knowledge (Linux, Windows, Android, etc.).
- Deep understanding of platform-specific artifacts (LNK, APK, journal, etc.).
- Proper creation and analysis of timelines.
- Testing and implementation of software extraction techniques (roots, jailbreaks, etc.).
- Content and deep protocol analysis of network traffic.

I guess the idea would be to move from one level to the next, with deep platform-specific knowledge being the ultimate level.

Harlan Carvey said...

Brigs,

Thanks for the comment, greatly appreciate it!

> Use of main forensic tool sets...

Then I don't qualify! ;-)

> ...chip-off, jtag...

Again...I don't qualify.

> ...roots, jailbreaks...

Once again...

Great stuff, but per your list, I don't even qualify as "basic". ;-)

James said...

I don't think you can say that someone can have basic skills and transition into an area of specialty like OS-specific forensics.
An understanding of an OS is crucial to performing forensics in that realm. Digital forensics requires an understanding of OS file structures, process creation/management, and network protocols that IMO precedes the collection, documentation & reporting aspects of DFIR.

Unknown said...

Interesting. I gave it a thought in the past when I created a training class for new people in my team.

Under basic we also included data acquisition and data integrity.
Other things we had under the basics category were things like: understanding different evidence *categories* (user activity, evidence of execution, connected devices, network connections, etc.), understanding the concept of a timeline.
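
Brigs's "proper creation and analysis of timelines" and the "concept of a timeline" mentioned just above are things one can demonstrate rather than describe, and the part that separates a usable timeline from a misleading one is the time normalization. The following is an added example, not code from the post or from any commenter: it merges three constructed artifact sources (bodyfile-style MACB records in epoch seconds, syslog-style lines carrying a UTC offset, and one Windows-style record stamped in FILETIME) into a single UTC timeline. The sample records, the syslog host's UTC-5 offset, and the source names are all assumptions made for the illustration.

```python
"""Normalize artifacts with different time representations into one UTC
timeline.  Added example for this discussion; not code from the post or its
commenters.  Inputs are constructed: bodyfile-style MACB records (epoch
seconds, UTC), syslog-style lines with an explicit UTC offset, and one
Windows-style record stamped in FILETIME (100 ns ticks since 1601-01-01).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime   # timezone-aware, always UTC after normalization
    source: str    # artifact family the event came from
    kind: str      # what the stamp means: a MACB letter, "log", "event"
    detail: str


def from_epoch(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks):
    # 100-nanosecond ticks; integer-divide to microseconds, the finest
    # resolution datetime keeps (the last digit of the tick count is dropped).
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_fs_records(records):
    """records: (path, mtime, atime, ctime, btime) as epoch seconds; 0 = not recorded."""
    for path, *stamps in records:
        for letter, sec in zip("MACB", stamps):
            if sec:
                yield Event(from_epoch(sec), "fs", letter, path)


# Assumed zone of the logging host in the sample below (UTC-5, fixed offset).
SYSLOG_HOST_TZ = timezone(timedelta(hours=-5))


def parse_log_lines(lines, default_tz=None):
    """ISO 8601 stamp, a space, then the message.  A stamp with no offset is
    ambiguous: it is accepted only if default_tz is supplied, and that must
    be the zone the *logging host* was configured with, not the analyst's."""
    for line in lines:
        stamp, _, msg = line.partition(" ")
        ts = datetime.fromisoformat(stamp)
        if ts.tzinfo is None:
            if default_tz is None:
                raise ValueError(f"naive timestamp and no default_tz: {stamp}")
            ts = ts.replace(tzinfo=default_tz)
        yield Event(ts.astimezone(timezone.utc), "syslog", "log", msg)


def parse_filetime_events(events):
    """events: (filetime_ticks, description)."""
    for ticks, desc in events:
        yield Event(from_filetime(ticks), "evt", "event", desc)


def build_timeline(*streams):
    """Merge any number of event iterables into one list sorted by time.
    The tie-breakers keep the order deterministic when stamps are equal,
    so two runs (or two analysts) produce the same timeline."""
    return sorted((e for s in streams for e in s),
                  key=lambda e: (e.ts, e.source, e.kind, e.detail))


def render(timeline):
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z  {e.source:<6} {e.kind:<5} {e.detail}"
            for e in timeline]


# Constructed sample data.  Every stamp falls within a few minutes of
# 2018-11-20 14:05 UTC; the syslog host is UTC-5, so its local clock reads
# 09:xx and those lines would sort wrongly if the offset were ignored.
SAMPLE_FS = [
    ("C:/Users/bob/Downloads/invoice.exe", 1542722700, 1542722760, 1542722700, 1542722700),
    ("C:/Windows/Temp/x.tmp", 1542722820, 0, 1542722820, 1542722820),
]
SAMPLE_LOG = [
    "2018-11-20T09:06:30-05:00 sshd[412]: Accepted password for bob from 10.0.0.5",
    "2018-11-20T09:04:00-05:00 proxy: GET http://example.invalid/invoice.exe",
]
SAMPLE_EVT = [
    (131871963650000000, "process created: C:/Users/bob/Downloads/invoice.exe"),
]


def demo_timeline():
    return build_timeline(parse_fs_records(SAMPLE_FS),
                          parse_log_lines(SAMPLE_LOG),
                          parse_filetime_events(SAMPLE_EVT))


if __name__ == "__main__":
    print("\n".join(render(demo_timeline())))
```

Run as-is it prints the merged timeline: the proxy fetch of invoice.exe first, then the file's creation stamps, its access, the process-creation record, the SSH login, and finally the temp file. The refusal to accept a naive timestamp without an explicitly supplied host zone is deliberate; guessing the analyst's own zone is the classic way a timeline ends up contradicting itself.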

Luis Martinez said...

Harlan. Let’s start at ground zero. First, a desire to drill down to find answers. You can’t be happy with initial findings, because there’s a chance there’s more underneath the surface. You have to keep digging.

Second, you should have some ability to be organized and stay focused. Having a basic framework, or methodology to go on, while working on projects (cases), is incredibly helpful. Because, despite the best framework, you still take those rabbit hole plunges. A good framework to work with can help in redirecting from the rabbit hole, back to the original scope of things.

Third, desire to document methods, and understand the documentation process can be refined as you go.

Harlan Carvey said...

Luis,

How do you measure those "basic skills"? How do you quantify them such that you can designate or certify an individual as having those skills?

I'm not saying you're wrong...not at all. What I am saying is that a "basic rifleman" knows how to demonstrate measurable skills; disassembly and reassembly of the service rifle, as well as being able to load and employ it, putting rounds down range, putting rounds on target. All of these skills can be measured, and someone is able to demonstrate those skills.

dre said...

https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/workroles?name_selective=Cyber+Defense+Forensics+Analyst&fwid=All

Brigs said...

I see your point. I should have explained more. A practitioner does not need to have all the skills in a section. If you don't do forensic phone acquisitions then you don't need it and you can still be at the analyst level.

Makes sense?

Brigs said...

Cool. Three tiered level approach. 😎

Phill Moore said...

>> All of these skills can be measured, and someone is able to demonstrate those skills.

That's the difference between the sciences and the humanities right? There is a way to "quantify" that someone has a capability, but it's much more nuanced than there is a right or wrong answer.

Brett Shavers said...

Basics should be a skill that is common to all in DFIR. Just as someone in infantry can field strip a rifle, so can a fighter pilot. Common skill across the spectrum. Imaging would be a common skill.

PrestonC said...

Perhaps this isn't basic enough. How about DFIR practitioners actually have IT skills, as in hardware, OS, and networking as needed? Would that be more of an equivalence? At least in your analogy, a DFIR practitioner's tool is their system (and all that entails). They should be able to set it up, deploy, and maintain it. Basically...configure it to do what they want it to do before you ever get into using actual "forensic" tools.

Anonymous said...

I look for the following basic skills
1. Good understanding of operating system internals
2. An investigative mindset (ability to look for evidence, dig deeper, expand your goals, etc.)
3. Integrity
4. Good writing skills and ability to articulate what you identified and what your methodology is/are

mattnotmax said...

You need to find the balance between prescriptive and more nebulous skills.

Prescriptive is: how to collect evidence, how to image a HDD, how to collect memory, how a file system works. These are things that really are learnt on the job, through formal training and through experience. They will vary, but a competent employer can determine what is needed for the role (i.e. is it mobile forensics only? Is it network forensics, dead drives, etc.).

Nebulous skills (I can't think of a good term and I don't like 'soft skills') are hard to 'teach' but are essential even at the basic level in order to be competent. Asking 'why' is the tool producing this output instead of simply 'the tool produced this output', and being able to modify a process to suit a situation. I honestly am not sure how best to teach these skills.

For DF and looking at dead disks, being able to:
1. collect the evidence properly
2. image the hard drive
3. verify the tool that did the imaging, and then verify the image taken
4. know what sort of analysis is required even if they don't know how to do it (i.e. can form a hypothesis)
5. document all their process, analysis and findings
6. write a report and communicate that report to a technical and non-technical audience.

1, 2, 3, and 5 are critical and can make or break a court case. 4 and 6 are skills that are developed over a career.
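
Harlan's "data integrity verification/hashing" item earlier in the thread and mattnotmax's steps 2 and 3 (image the drive, verify the tool, verify the image) are the most measurable skills named here, so it is worth showing what the check actually consists of. The following is an added example, not code from the post or from any commenter: it assumes a raw dd-style image, assumes the imaging tool's recorded hashes are available as a plain dict, and uses a constructed in-memory byte string as the "device" in place of a real drive.

```python
"""Verify a forensic image against its source by hashing both in one pass.

Added example for this discussion; not code from the post or from any of
the commenters.  Assumptions: a raw (dd-style) image, hashes the imaging
tool recorded at acquisition time passed in as a plain dict, and a sample
"device" that is a constructed in-memory byte string rather than a disk.
"""
import hashlib
import io
from dataclasses import dataclass, field

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read 1 MiB at a time so a multi-TB image never sits in RAM


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=CHUNK):
    """One pass over the stream, updating every digest per block.

    Returns {"md5": ..., "sha1": ..., "sha256": ..., "size": bytes_read}.
    Computing all digests in a single read matters on a real acquisition:
    re-reading a failing source drive once per algorithm is slow, and the
    drive may not return the same bytes twice.
    """
    digests = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        size += len(block)
        for d in digests.values():
            d.update(block)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["size"] = size
    return result


@dataclass
class VerificationResult:
    ok: bool
    problems: list = field(default_factory=list)


def verify_image(source_stream, image_stream, recorded=None, algorithms=ALGORITHMS):
    """Compare an image to its source and, if given, to the hashes recorded
    at acquisition.  Three checks, each catching a different failure:
      size              - a short image (read error, interrupted copy) is
                          reported as such, not merely as "hash differs";
      source vs image   - the copy is bit-for-bit complete;
      recorded vs image - the image is unchanged since the tool wrote it.
    """
    src = hash_stream(source_stream, algorithms)
    img = hash_stream(image_stream, algorithms)
    problems = []
    if src["size"] != img["size"]:
        problems.append(
            f"size mismatch: source {src['size']} bytes, image {img['size']} bytes")
    for name in algorithms:
        if src[name] != img[name]:
            problems.append(f"{name}: source {src[name]} != image {img[name]}")
        if recorded and name in recorded and recorded[name].lower() != img[name]:
            problems.append(f"{name}: recorded {recorded[name]} != image {img[name]}")
    return VerificationResult(ok=not problems, problems=problems)


# Convenience wrappers for in-memory data (used by the demo below).
def hash_bytes(data, algorithms=ALGORITHMS):
    return hash_stream(io.BytesIO(data), algorithms)


def verify_bytes(source, image, recorded=None, algorithms=ALGORITHMS):
    return verify_image(io.BytesIO(source), io.BytesIO(image), recorded, algorithms)


# Constructed sample "device": 10 KiB of a repeating byte pattern.
SAMPLE_SOURCE = bytes(range(256)) * 40
GOOD_IMAGE = SAMPLE_SOURCE                           # clean acquisition
TRUNCATED_IMAGE = SAMPLE_SOURCE[:-512]               # copy stopped one sector short
TAMPERED_IMAGE = (SAMPLE_SOURCE[:4097] + b"\xff"     # one byte altered after imaging
                  + SAMPLE_SOURCE[4098:])


def run_demo():
    """Run the three scenarios and return their results keyed by name."""
    recorded = {"sha256": hash_bytes(SAMPLE_SOURCE)["sha256"]}  # what the tool logged
    return {
        "good": verify_bytes(SAMPLE_SOURCE, GOOD_IMAGE, recorded),
        "truncated": verify_bytes(SAMPLE_SOURCE, TRUNCATED_IMAGE, recorded),
        "tampered": verify_bytes(SAMPLE_SOURCE, TAMPERED_IMAGE, recorded),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "OK" if result.ok else "FAIL")
        for p in result.problems:
            print("   ", p)
```

The point of keeping the size comparison separate from the digest comparison is that the two failures call for different responses: a short image means the acquisition itself has to be repeated (and the source drive's health looked at), whereas equal sizes with differing digests means either the copy was corrupted in transit or the image was modified after the tool verified it, which the recorded-hash check distinguishes.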

Harlan Carvey said...

There are a lot of very valuable things being said and shared here, and I greatly appreciate the time everyone has taken to reply.

@mattnotmax...

How would one quantify and measure "nebulous" skills? To Brett's point, an infantryman and a fighter pilot are held to the same measurable standard when it comes to field stripping/reassembling, and shooting, the service rifle. This testing and measurement shows that they are competent in the required skills.

I like your list, but how does one measure collecting the evidence properly? What is "properly"?

Over two decades, I've seen case after case where #4 isn't performed, and I have had a very hard time finding where #5 has been done at all (in my mind, the two are tied very closely together...).

Don't get me started on #6.

Based on the input thus far, I'll start noodling over something to put in a blog post, so that it's not lost in the comments.

Again, thanks everyone for your invaluable input.