The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books: "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
Sunday, August 16, 2009
HelpNet Security Interview Posted
I recently responded to an email Q&A session for HelpNet Security...it's posted here.
I enjoyed the Q&A very much. You have a way of bringing a lot of ideas and thoughts together and presenting them coherently. Thank you.

Hi Harlan!

It's a series of excellent responses! I'm not sure what most people imagine when they hear about a forensic computer examiner/author/generous guy. Probably something like they see nightly on CSI:Whatever.

Your response seems honest and humble, and full of useful perspective on what really matters...understanding, intention, documentation, and methodology. Those are the traits I respected the most in my late grandfather who was a Special Agent. He was the lowest-key guy you would ever meet, but he knew what he knew, knew what he needed to know, planned the action, and then assembled the tools (and team) needed to successfully complete the task.

No cool shades or cars or any of that for him. Just good old gumshoe methodology.

It's the knowledgebase and application that makes the difference...not the toys and tools by themselves.

Wise and encouraging words. Thank you for sharing them!

Cheers and respect!
--Claus V.

Thanks, gents, for your comments!

Claus, that's definitely what I've been trying to get across for some time now...it's not about having EnCase or some other spiffy software package, it's about understanding what you have available and what you need, and then pursuing it in as complete a manner as possible. I know that no one can know everything, but that's why we have a "community"...no one of us is as smart as all of us together.

Unless the one is Cory Altheide! Then it's just game over! (Sorry, Cory...I couldn't resist...you ARE my favorite tool!!)

I enjoyed your response to the question on what aspiring forensic examiners should be working on. It's very important for all examiners at all levels to be conscious of what it takes to be competent.

As recently as six or seven years ago, the industry was different -- for example, examiners really needed to know how to read a lnk file by hand.

With tools today moving towards the "point, click, get results" type of analysis (see how FTK is moving), examiners misrepresenting themselves or findings (either consciously or unconsciously) could be considered a by-product of the industry.

I believe the burden still falls on the examiner (as you noted) not to get lazy. From my perspective in teaching students and observing their cognitive thinking and deductive reasoning skills evolve while at college, it's important for both examiners and students studying to become examiners to read what you posted, reflect, then read it again. It's critical for all examiners to realize that computer forensics is not something you can do just on the weekends and expect to stay current in technology and analysis techniques. It's a lifestyle. -- Well, maybe for some it's too much of a lifestyle, but you get my point :)

Hey Harlan,

Great read! The interview was very down to earth and enjoyable to read. I especially like the fact that you emphasise the importance of figuring out how the tools work.

I'm still very new to the forensics world but I have talked to a few experienced professionals who rely too much on commercial products. This, I reckon, leads to a limited mindset.

Keep doing what you're doing Harlan!

Ali,

Thanks! It's important for me to reach new folks such as yourself, as well as some of the more experienced folks...