Tuesday, June 29, 2010

Adopting a Philosophy of Learning


I have a background in philosophy. My undergraduate degree was in philosophy, and I credit much of my success in digital forensics to the study of this discipline.

I am not proposing that an understanding of existentialism or Platonism is particularly useful in digital forensics. However, what I learned in the study of philosophy, at its root, is not the knowledge of different schools of thought, but how to think.

The ability to focus one’s mind on the task at hand, to bring to bear the full force of all your mental faculties on a problem is an invaluable ability that should be fostered as a digital forensics examiner.

This leads me to my next point: “Education proves you have the potential to accomplish something. Experience proves that you have.” - Larry E. Daniel

There are many exceptional conferences, training programs, and schools that can teach you a breadth of knowledge about digital forensics. But if that knowledge is not put to use, if it is not exercised, then it will fade away and eventually die.

We cannot master our field from nine to five. I learn a lot in the process of my work, but if your work day is like mine, it is filled with constant distractions: responding to emails, conference calls, consultations, and so forth.

So then, how do we turn our education into experience?

If you want to master any subject, sacrifices must be made in order for it to happen. In this case, you cannot have your cake and eat it too. We all have a limited amount of time and many things in our lives that must take priority. But many of us sure have a lot of distractions that provide us with little benefit in the long run.

To turn this education into experience, we must pursue knowledge of digital forensics through repeated study and practice. Repetition is the best schoolmaster I have ever met. To perform as well as we can, we must be disciplined enough to read and practice, and to try new methods of examining data whenever and as often as we can.

Malcolm Gladwell, in his book Outliers has said it takes 10,000 hours to become an expert in a discipline. These 10,000 hours are not composed primarily of hours doing the work itself, but in the disciplined study and practice related to the discipline.

There is little doubt in my mind that if we do not stay focused on learning and practicing our discipline outside of our “paid” employment hours and the limited time we get to spend in training, we will undoubtedly fall behind.

Lars Daniel
Digital Forensics Examiner & Forensic Artist


Sunday, June 27, 2010

Computer Forensics – The Next Ten Years


Normally I leave it to the pundits over at PC World and other consumer-type computer magazines to make their predictions of what will happen to the industry over the next ten years. But what the heck, I can guess as well as anyone. So, after consulting my Magic Eight Ball, here we go.

1. Encryption will become the norm rather than the exception, driving live memory forensics

As computer users we need encryption to protect our personal data. Although it is a fairly simple task to encrypt computer hard drives, USB drives and other media, very few people actually do it, mainly because it is an extra step they must perform themselves, and because it is a drive performance killer. The average computer user, who by the way is the one that needs this the most, is the least likely to even know that their operating system includes this feature.

I think that in the next few years, we will start to see user data areas encrypted by default on new computers. Even if the operating system makers don’t really care about the security of end users' data, it will be a marketing advantage to differentiate one brand from the others. And as processors become more powerful and encryption algorithms get more efficient, it will be less of a performance hit.

What this means to us is that live memory forensics will become more important, because it offers a way to get past the encryption and examine this data.

2. My phone will be my primary computer and mobile forensics will become king.

Personally, I am looking forward to the day when my phone becomes the brain of my computer. I would still carry it around like I do now, make phone calls on it and answer the occasional short email. But when I need to work on something larger, I would just slip it into a slot on a pad computer for a larger screen to surf the web, answer email, write this blog post or do my office work. I use my laptop 98% of the time to read email, surf the web or write documents. Not exactly heavy lifting for a computer. It sure would be nice to just plug the phone into a slot on a nice pad computer and use that instead of dragging the laptop around. Why bother, since I carry both anyway? Well, the phone could provide connectivity for the pad via 4G or Wi-Fi. Then there wouldn’t be a need for the pad to have those features. So I predict the day will come when you buy a pad/phone combo where the two work together for computing power (think distributed processing) and connectivity. If the iPad didn’t prove that pad computing hardware and software are truly ready for prime time, I think the consumer market is clearly sending a message that computing in a lightweight package is what they want to buy.

But how would you use the phone if it is docked, you ask? With a Bluetooth device, of course.

I am also predicting that this will drive the industry toward fewer mobile operating systems as phones and mobile devices become more application driven, finally making it possible to have mobile forensic tools that can address a wider variety of phones and give access to physical data storage.

3. In the year 2020, we will still be examining Windows 7

This is a cheat really, since it is 2010 and we are still examining computers running Windows XP (released in 2001), Windows 2000 (released in 1999) and even some Windows 98 computers.

4. The world will see more cloud computing forensics

There are quite a few definitions of cloud computing. But the bottom line is that cloud computing represents software and data storage as a service, using the Internet as the network so people can access their stuff from anywhere. Whether it is widely adopted by business is one thing, but the consumer market has already dived into the deep end. One of the things I think will continue to become ever more common is always-on, always-connected people. However you think of it, Facebook, Twitter, Google Apps, Windows Live Office, Hosted Exchange, Yahoo Mail and so forth are all basically software as a service where everything is stored in the “cloud”. As forensic examiners, the collection of artifacts from local devices will become ever more important, especially from mobile devices such as phones and pad computers.

5. Forensics will get harder, not easier.

One of the primary things that makes computer (digital) forensics different from forensic sciences like DNA analysis and fingerprint analysis is the simple fact that in those disciplines, the type of evidence doesn’t change. DNA has had the same structure for millions of years. Only the methods to analyze it change over time as our technology gets better. In the case of digital forensics, not only do the methods change, but the basic structure of the evidence changes with the introduction of each new file system, encryption method, data storage format and new device.

Yes, computer forensic tools will continue to get more powerful, but they will continue to chase the technology as it changes. It will still be up to examiners to pursue constant learning to keep up with the changes in technology if they are not to be left behind.

6. The computer forensics industry will continue to grow.

It can only logically follow that as the technology becomes more prevalent and integrated into everyday life, evidence left behind by that technology will become more common. In developed countries, the use of technology will continue to become a necessary and normal part of everyday life, so much so that we will stop thinking about it. In other words, we don’t have to think about natural processes like talking. We just do it. I see a day in the very near future when we will be the same about the personal technology we use.

As devices record more, the possibility of evidence being present in all types of legal scenarios becomes ever more likely, to the point where one of the first questions asked in any legal procedure will be, “Did you get the data?”

Check back in ten years and see how close I got.


Wednesday, June 23, 2010

A Picture is Worth a Thousand Words.

Explaining technical information in any field can be a challenge. As many of us have experienced throughout our education, sometimes the most brilliant people make the worst teachers. An expert may be extremely proficient and capable in their field, but unable to explain technical information to non-experts in a way they can understand.

This is probably okay if you are a brain surgeon or a rocket scientist. It is not okay if you are a forensic expert, primarily because we are required to explain our methodologies and findings to non-experts on a regular basis.

As digital forensics experts, communicating effectively with those whom we rely on to build the framework of our examination is a requirement, not an option.

As an attorney explains to me the framework of a case, I must be able to see the places where my expertise can be of use. If I cannot relay back to the attorney why certain digital information is of value to the case, how it can be used, and what it means, then I am not doing my job.

Becoming adept at explaining technical information in language that non-experts can understand is a skill that every digital forensic examiner must learn. This skill requires much practice, discipline, and experience. It also requires the expert to truly be an expert in the subject they are attempting to explain, because a person cannot adequately teach something they do not fully understand.

While the above paragraph paints a somewhat daunting picture, there is hope. When explaining technical information, it is best to provide your listener with as many visual aids as possible.

One of the biggest challenges in explaining technical concepts to a non-expert is finding a common ground from which to begin. It helps to use not only verbal analogies, but visual ones as well.

Enter the explanatory image or diagram.

Below are some images I have made to explain the difference between what is gathered in a logical acquisition vs. a physical acquisition. I happen to use Photoshop because I have years of training and experience in using this software. But a simple Paint diagram can be just as effective. We have been using stick figures for thousands of years to relay information.

I use these images to give me a place to begin from which both I and the non-expert can share a common frame of reference. Pretty much everyone is familiar with an old-fashioned filing cabinet. I have dozens of such illustrations I have made that are packed away for when I need them, and they can be especially useful in court and for CLE classes.

The first image below is used to explain a logical acquisition by showing that all you will be retrieving is the files and documents in a file directory, just like reaching into a filing cabinet and pulling out the files and folders you are interested in.

The second illustration is used to explain how a physical acquisition can be used not only to get the same files and folders shown in the first illustration, but also to get back information that has been deleted.

I equate the recycle bin on the computer to the wastebasket in the picture. This shows that tossing a file in the recycle bin on the computer is just like tossing a piece of paper in a wastebasket. You can just reach in there and get it right back.

The paper shredder is how I explain unallocated space. The data is still on the hard drive in the computer, but you have to find all the pieces and electronically tape them back together, just like you would find the pieces in a physical paper shredder and tape them back together to reassemble a document.

I have found this method very successful in communicating technical concepts to non-technical people. Even if they don't use a computer at all, they can still understand this because they have a reference point they can relate to in their experience.

Lars Daniel
Digital Forensic Examiner and Forensic Artist


Thursday, June 17, 2010

What about computer forensics jobs?

I have been studying the job market lately to see what jobs are out there and what the most common requirements are that employers are asking for. This is far from a scientific study, but I think it is educational to look at what employers are asking for if you are planning on making a change, entering the field or trying to plan your educational and certification routes.

Who is hiring?

The big government contractors seem to have the most openings available: firms like FTI Consulting, General Dynamics, Deloitte, Booz Allen, ManTech, and others that do a lot of contract work for the military and large corporations.

Most popular area for employers looking for consultants:

Washington, DC area including the surrounding environs like Reston, VA and Linthicum, MD.

Most popular software experience desired in order of preference:


Mentioned occasionally (Not enough to form a preference listing for these):
iLook, Paraben, Drive Prophet, WinHex, Helix

I saw requests for experience with Macs in very few job listings, and no requests specifically for Mac forensic software experience.

Most requested certifications in order of employer preference:

  1. EnCE
  2. CISSP
  3. CompTIA Net+
  4. CFCE
  5. GCFA

Most often required certification:


Education and Experience:

The typical job listing was looking for 3 to 7 years of experience in computer forensics with or without a degree.

Entry-level or junior-level positions were asking for 0-2 years of experience with a college degree in computer forensics and/or extensive IT / network security experience.

A lot of employers will accept experience in lieu of a degree, which makes sense considering that degree programs are relatively new in the field.

Salary ranges:

When posted, the salary ranges were in the 60K to 100K range depending on the level of the job. Bear in mind that most jobs that showed salary ranges were in the Washington, DC area, so you need to calculate what that really means in cost-of-living differential from where you are now.


Very few of the companies appear to offer relocation assistance.

Most often mentioned soft skills qualifications:

1. Excellent oral and written communication skills
2. Ability to interface effectively with clients and stakeholders.


A LOT of these jobs require an active secret or top secret clearance. Some will accept the “ability to obtain” a secret clearance.