
I collect quotes. Quoting something or someone is fun and entertaining; sometimes it is challenging – much like delivering a joke, timing is everything.

During the holidays, as I was performing my yearly household purge of both true junk and digital junk, I came across a handful of quotes that I had collected over the years and thought each of them was applicable to the world of DFIR, so I thought I would share… I hope if you have similar, short quotes, you will share too. For me, keeping a quote in mind while conducting an examination is relaxing and helps me focus on the task at hand. Maybe the following will strike you in a similar way; let me know.

From a conference I attended in Atlanta in March 2005 as part of ISSA’s CISO Executive Forum Conference:

That which is unrecorded did not occur;
That which is undocumented does not exist;
That which is unaudited is vulnerable.

― Jeffrey Ritter, Waters Edge Consulting, LLC
www.johnritter.com


I first stumbled upon the following quote after someone told me that I had too much DF training “experience” and not enough practical “experience”; I suggested at the time that practice is experience, just in a more controlled setting. Thankfully that sentiment was expressed to me many cases ago, so I think I now have a good balance between theory (training) and practice (casework).

As it turned out, I think the end result has provided me with a strong foundation, so for those new to the DFIR world, do not be discouraged because someone says you DO or DON’T have something on your CV. You’ll get the “experience” and “practice” when the time is right in your situation.

The other reason for including the quote is: who doesn’t like to read and re-read Yogi Berra quotes?

In theory, there is no difference between theory and practice.
But in practice, there is.

― Yogi Berra


Finally, probably the best quote of the three (with a great DFIR twist)…

Sometimes the QUESTIONS are complicated and the answers are SIMPLE!
― Dr. Seuss

When conducting an investigation, do not let things get so crazy that you lose focus on the ultimate goal of those making the request. I think this Dr. Seuss quote helps keep that in perspective as DFIR analysts work towards answering The Question!

Do you have some DFIR Truisms to share?

This week I had the privilege of speaking with a group of Network Security students from ECPI University in Greenville, SC on the topic of what employers look for in hiring graduates into the information security field.

When I first outlined what I thought I wanted to share, I realized I had focused too much on technology and not enough on core competencies in the areas of critical thinking and personal qualities.

As a result, I balanced my presentation and landed on what I hope to be a discussion on why competencies in these key areas (as well as basic skills) are the most important component of what employers seek when hiring new talent. My thought process here is that a great attitude combined with a good aptitude will compensate for a lack of hard technical skills and “real-world” experience.

While I have been involved in hiring several dozen people during my 26 years in the information technology / DFIR field, I still rely on the intangible “x-factor” in making those decisions.

Below is a narrower list of core competencies I presented to the students; it was derived from a compilation of books and information I’ve read over the years, including Type Talk and other leadership authors. Stay with me as I tie this all back to DFIR work.

Critical Thinking

  • Inquisitive
  • Creative Thinker
  • Reasoning
  • Decision Making
  • Problem Solving
  • Organizing and Planning

Decision making and reasoning involve gathering information, evaluating various solutions, and selecting the best option. Sound like qualities a DFIR analyst needs?

Planning and organizing are also critical thinking skills. The ability to plan and organize means you will get tasks done and done correctly (with high efficiency too). A person who is well organized is prepared to do the job correctly the first time.

Creative thinkers come up with new ways of doing things that add value and serve customers/clients more efficiently. They offer new perspectives about the job at hand. Again, I think these are key components in DFIR because no two DFIR situations are the same, so having creative approaches to problems is an absolute necessity.

Finally, a lifelong learner will always be valued in the marketplace and by their clients, because you become a linchpin when you continually evolve and educate yourself on new ways of tackling a “problem.” The person who is receptive to learning new things and techniques will be more successful than the person who is afraid of learning new things.

Personal Qualities

  • Inquisitive ** (yes I think it’s that important)
  • Responsible and Accountable
  • Self Confidence
  • Self Control
  • Honesty and Integrity
  • Adaptable and Flexible
  • Well Groomed
  • Self Directed
  • Self Motivated

Among the personal qualities I would like to highlight for current and up-and-coming DFIR analysts: self-management, or self-control, is the ability to manage your personal feelings and reactions to challenges on the job and in life.

Likewise, having a strong value system with a reputation for honesty and personal integrity is key, because a DFIR analyst may inadvertently discover information about others they would rather not know or wish they had not seen. The analyst must be beyond reproach and trusted not to share that information. For that reason, I subscribe to the need for stronger ethics reviews from the major certifying bodies.

Self-confidence is another key for the new DFIR analyst, because one day they will be faced with defending their opinion or findings to their client, employer or a court of law. In those cases, the decision maker will likely read the body language of the analyst more than the written/spoken words. As we know, some organizations train their agents on how to present information, findings and opinions to most effectively support their case. The private-hire examiner does not have this luxury and must seek “experience” through non-traditional methods. I took it upon myself to be coached by a couple of local attorneys (one civil; one criminal) on how to best present the relevant pieces of information to a court. I found this exercise eye-opening and used a recent opportunity to watch a couple of cases tried on In Session. (Boring? Yes, perhaps, but for those of the non-legal type it is a good way to understand the flow of cases.) Remember, experience can come from any source; it is all about what you derive from the content you consume.

It might be argued that the personal qualities of being well groomed and self-controlled are too obvious for this list; however, does any attorney want to see an unkempt, unfiltered witness on the stand? Likewise, I do not think an employer would desire such a personality, for fear of the unknown potential harm to the organization. It is not my intent to rationalize discrimination in any form or fashion, but rather to state the obvious. If someone wants to be taken seriously, they should present themselves in a serious manner.

I could write about each of the other core competencies I have put forward; however, I think you see where I was headed: DFIR analysts need more in their “bag” than technology, tools and techniques; DFIR professionals must have the soft skills (which I suggest are core) to solve any DFIR problem.

Keep sharing….

Over the past few years several people have asked me what the best route would be to enter the Digital Forensics / Incident Response field. While there is no best method, there may be one that works well for you. I know the path I took had its challenges – mainly of acceptance – because in the corporate world most people in senior-level management roles did not want to believe that the DF role was necessary. For some reason, the IR role was something easier for them to understand. In the non-corporate world, I had zero law enforcement background, so obtaining my first South Carolina SLED Private Investigator’s license was challenging to say the least. It was not easy to find a current SC PI that (1) understood what DF was; (2) understood its value in a private investigation; and (3) could provide proper “oversight” as required by SLED in the field of DF. Most PIs in SC still conduct photographic or location-based surveillance of some sort, and very few (in SC) are properly credentialed and experienced in the digital forensics field. For more information on Digital Forensic licensing in SC, see my post from December 17, 2012.

This brings us to the topic of Avenues to Entry into Digital Forensics / Incident Response. As I mentioned from the outset, I answer several questions each month on how someone can enter the DF field; next month I will be speaking to a group of Network Security students at ECPI University about what employers are looking for in the network security field. That topic will undoubtedly cross into the DFIR arena, as they have many commonalities.

Some criteria for becoming a successful DFIR investigator or examiner would include:

  • critical thinking;
  • methodical;
  • willing to ask questions;
  • have (or develop) an investigator’s mindset;
  • a will-to-learn;
  • willing to admit you don’t know it all, nor can you;
  • ability to maintain a personal network of like-minded DFIR individuals who you can bounce ideas off of.

Without regard to personal situations and the like, my typical number one response on how someone with little or no experience can inexpensively enter the DFIR field is via the United States military cyber-divisions. In today’s tech-driven world, many military operations have a digital forensics component, whether it be networks, computers, smartphones, “dumb”-phones, recordable media, etc. The US military is the ideal environment to train the highly experienced DFIR technician. I look at it this way: if a soldier can survive the acquisition of digital evidence while under combat conditions, they are surely capable of dealing with the civilian public during a forensic engagement. In addition, there are benefits such as high-quality forensic training, the GI Bill to pursue college studies after service, and the intangible of having some of the more sensitive DF cases in the world on your CV.

If the military is not a viable option for you, then I would suggest pursuing experience via a federal law enforcement agency, where you will gain the necessary (1) training; (2) support; and (3) experience to advance your DFIR career path. Join a federal law enforcement agency early enough in your career and you could likely retire with full government benefits while pursuing your chosen field in the private sector. A federal agency will provide the properly educated candidate with additional training in areas of evidence handling, chain of custody, and expert testimony, and an in-house support network to further enhance your skills.

In these first two options, you will not require “special” state-level licensing as I referenced in my December 17, 2012, post. Typically, military and law enforcement are exempt from such requirements as long as the individuals are pursuing their official duties.

Remembering that we are introducing the next generation of DFIR analysts to the field, I would suggest one pursue a career in DFIR in the private sector. In doing so, obtain experience and credentials in the following areas in order to become a candidate for those junior-level positions:

  • Bachelors’ Degree in a technical field – Computer Science, Math, Engineering, etc.
  • Broad-based IT related certifications – from providers like (ISC)2, CompTIA
  • A good understanding of networking – from Cisco or CompTIA
  • Be familiar with at least one scripting language – this is more about structure than mechanics though both are good
  • Be familiar with at least two operating systems – Windows plus MacOS X, Linux, or other Unix-based OS
  • Incident handling / digital forensic certification – from The International Society of Forensic Computer Examiners® or SANS/GIAC
  • Any investigative experience where evidence handling procedures are established and followed

Of course, these are guidelines oriented to the beginner in the field; seasoned IT professionals with 10+ years’ experience as a network engineer, SysAdmin, etc. could likely substitute that experience in some of the areas mentioned above.

My recommendations in the private sector would be the security operations center of a major telco/ISP, an incident response service provider, or a multi-national company with more than 10,000 users and a strong information security practice. I do not want to get too specific here, but I think you can make your own judgement on what would be a good fit for your situation.

In closing I want to be clear – no one certification (or degree) will make you a DFIR analyst / examiner / investigator; however, the items listed above will help you make the short-list from an employer’s perspective. As told to me by a now retired 28-year veteran of the FBI who led the first computer forensic case handled by the FBI, “There is no substitute for experience.” While that may be true, gaining experience in the DFIR field takes time; expect to spend 3-5 years in an entry-level position progressively working towards your goals before you have seen the broad variety of cases and situations that are handled by a seasoned DFIR investigator.


Mention to anyone in the Digital Forensics field that you are a DF examiner or investigator and you may quickly find yourself in a licensing & regulation discussion.

By interpretation, the state of South Carolina (via SC’s State Law Enforcement Division – SLED) has decreed that one must hold a Private Investigator’s license in order to fulfill the role of computer forensic examiner.

This often-cited “law” actually comes from the first answer in a SLED FAQ and a nearly six-year-old SC Attorney General opinion. No state statute exists mandating that computer forensic examiners must be licensed Private Investigators.

In fact, the current SC Code of Laws says:

South Carolina Code of Laws
SECTION 40-18-20. Definitions

As used in this chapter, unless the context otherwise requires, the term:
(A) “Private investigation business” means engaging in business or accepting employment to obtain or furnish information with reference to the:
(1) identity, habits, conduct, business, occupation, honesty, integrity, credibility, knowledge, trustworthiness, efficiency, loyalty, activity, movement, whereabouts, affiliations, associations, transactions, acts, reputation, or character of a person;
(2) location, disposition, or recovery of lost or stolen property;
(3) cause or responsibility for fires, libels, losses, accidents, damage, or injury to persons or property; or
(4) securing of evidence to be used in a criminal or civil proceeding, or before a board, an administrative agency, an officer, or investigating committee.

And the then South Carolina Attorney General, Henry McMaster wrote on April 23, 2007, in response to the then SLED Chief of Staff, Chief Mark Keel:

Consistent with such, in the opinion of this [South Carolina Attorney General] office, the better reading of Sections 40-18-20, 40-18-30 and 40-18-70 support the conclusion that such provisions require that an individual or company selling their services in South Carolina as “computer forensics” experts secure licenses as private investigators. Such determination would be applicable to individuals who accept fees to examine and copy computer hard-drives to extract information to be reported to clients and to be presented in courts as evidence and/or testimony in civil and criminal actions. The duties performed by such individuals or companies would appear to meet the definition of “private investigation business.”

In recent years, there has been an effort underway in SC to formalize this discussion into perhaps more clearly worded language.  The most recent attempts occurred in the State Legislative Sessions of 2010-2011 and 2011-2012.  In 2012, S.580 made it to the Governor’s office where it was vetoed.

As I enter my seventh year of paying SLED an annual fee of $350 in order to perform the duties of a computer forensic examiner in South Carolina, I ask you: What do you think the South Carolina legislature should do in the upcoming term regarding Digital Forensic legislation?

With literally dozens of areas of Digital Forensics (and Incident Response) that we could discuss, what would be the key topics or questions you would want to ask someone who currently practices in the Digital Forensics field?

For me, I would like to hear how other people handle the following:

  • Report writing, perhaps sharing report templates;
  • Forms – contract language, chain of custody, evidence collection;
  • Investigative techniques; and finally…
  • Tool tricks.

My list is in ranked priority order, because I think forensic tools should come after good habits are developed. But that’s just me.

What would top your list of things to learn more about from local practicing forensicators?

One of the largest challenges with starting a new group is identifying potentially interested parties in the digital forensics field who would like to participate. In doing so, I strive to keep this project running on a very low budget with no membership dues required. At this point I think participation would be the best membership fee that we could impose.

If you are interested, please leave a message – I will soon open up self-registration, so please take advantage of this and let’s see if we can get at least a couple of people together who might be interested in continuing the Digital Forensic discussion via a local meetup.

South Carolina has many talented digital forensic practitioners. We also have dozens of colleges/universities in the state with students who are interested in this growing field.

So, a few of us have put our heads together and realized we should create a method to informally share information and hopefully have regular meet-ups to discuss digital forensics, e-discovery and incident response ideologies, to network, and to share war stories.

We hope to share more information in the coming days, but we are targeting a first meet-up in January 2013.