Friday, April 27, 2012

My Education in Digital Forensics

     I have been in school a while now, and was lucky enough to have a few classes with Mark McKinnon.  Mark was kind enough to share his passion for the digital forensics field with not only me, but the hundreds of students who've attended his courses at Davenport University here in West Michigan over the last few years.  In many ways my thanks go to him and everything he's been willing to share, and much of this post stems from his knowledge and the suggestions he gave me as I progressed into this field.  This will be a recap of how I went about learning about digital forensics, mostly pertaining to analysis of Microsoft Windows computers, and how I was eventually lucky enough to get certified.  Also, I'm writing for people interested in digital forensics, not those already in the field (although I would love to hear comments or suggestions for alterations to my suggestions in the comments).

     First, there is a lot of great material available on digital forensics, but you have to realize that reading these books does not make you an expert.  That being said, I highly recommend getting as much hands-on experience as you possibly can.  Many of the books I will be suggesting contain a list of the tools they use or show output from tools.  It's highly advantageous to download these tools and execute the same commands, so that you analyze more practically what you're reading about.  Be prepared to get hands-on with a lot of different software, be prepared for mistakes, and know that making a mistake is OK as it's all a learning experience.  Also, I'm not an expert!  Take my advice with a grain of salt.  I am just beginning in this field and want to share what I can.

Mentors and Involved Community
     That being said, let me get into it.  As I mentioned, my interest in digital forensics (DF) started in a seat at Davenport University in their IAAS 421 course, taught by Mark McKinnon.  This was an invaluable introduction to a lot of the topics involved in DF, from file systems to registry and memory analysis.  If you are unsure about DF as a possible career, I highly recommend trying to find an intro course.  After taking the course I went from thinking of forensics as an interest to wanting it to be my career.  Another reason I suggest taking a course is that with the right teacher you can use them as a springboard into the field.  I quickly found Mark to be a forensic guru who could point me in the right direction, and if he didn't know an answer he probably knew someone he could get it from.  To me, finding people you can bounce ideas off of is a great way to advance in this field.  I quickly got involved on Twitter, started following people in the industry, and began to frequent #DFIR searches.  This was a great way to figure out what was happening in the community, and it led me to a lot of great resources and blogs that I could reference for other things.

     I started diving deep into forensics books, and per suggestion, I started with Brian Carrier's File System Forensic Analysis.  As you may have guessed, this book is pretty much regarded as the holy grail of forensic analysis of file systems.  This book is highly technical, and for me at the time, was somewhat dry.  However, this book provides knowledge that will be called upon by almost every other book I'll suggest (most, in fact, reference it).  Therefore, I suggest you start here, as it's an essential forensic knowledge foundation.

     Next, I picked up a copy of Handbook of Digital Forensics and Investigation.  This would be the first of Eoghan Casey's books that I read.  This book was recommended to me by Eric Huber on Twitter.  It was a great reference and a lot broader than Carrier's book, and it gives you better insight into what the field is like and what sort of artifacts to look for throughout an investigation.

     This is not the order in which I read the following books, but it is how I would now recommend reading them, as it will flow much better.  After finishing Casey's book, Mark McKinnon introduced me to the writing of one Harlan Carvey.  I started with Windows Forensic Analysis Second Edition (WFA2E), which is a great resource on Windows forensic artifacts.  I would then suggest reading Windows Registry Forensics, as it delves deeper into the registry, for which WFA2E acts as a great precursor.  You'll learn more about the Windows registry than you probably thought possible.  The next book I suggest is Windows Forensic Analysis Third Edition, as this will further your understanding of Windows operating systems and will move into the more modern Windows versions, including Windows 7.  However, before reading those three texts, start by reading Digital Forensics with Open Source Tools, authored by Cory Altheide and Harlan Carvey.  I say this because it goes over a lot of artifacts for every system, but I suggest it more because it goes over how to set up a lab machine and provides a great list of tools to install on your system that will allow you to do analysis without purchasing the more expensive software.

     I next chose to read Digital Evidence and Computer Crime, Third Edition: Forensic Science, Computers, and the Internet, again by Eoghan Casey.  I chose this book for one distinct reason: all of the other books are valuable for learning about the forensic artifacts available in an environment, as is this text, but Casey also provides two chapters on the legal side of forensics.  These chapters provide a lot of great information on the legal side of forensics in both the United States and European nations.  Another interesting aspect of the text is the psychological side of how a criminal acts when using digital devices.

     Hopefully, while you're reading those texts you're following along with them and performing a bit of hands-on work with each book.  Getting familiar with all of the different tools and how they work is one of the more fun things you get to do in forensic investigations.  Also, application testing and verification is a big part of the industry, so it's a good idea to get used to it from the beginning.  Two of the best environments I have found for playing with tools are the SIFT forensic workstation, made available by SANS, and DEFT; both are free live Linux distributions that include tons of tools to play with and get familiar with.

     Once you've gotten used to your tools and read a bit, I suggest looking for forensic challenges.  You can find them from several areas; I started out with a few of my mates from college and we did the DC3 Cyber Crime Challenge, which is an annual competition put on by the Department of Defense.  Even if you don't want to submit solutions, this is a great way to get some hands-on work done, as you're often given an artifact to analyze and you have to give information regarding that artifact.  Challenges vary and can take a lot of time, but I feel they are well worth it if you're new to the field.

     Back to being involved with the community: there are many forums and mailing lists you can become a part of.  I suggest that once you have your feet wet with forensics a bit, you go out and become involved with them.  You can quickly learn the types of issues you can face on a daily basis within the forensic community.  Sometimes you'll find a challenge presented there; I was lucky enough to win a SANS Lethal Forensicator Coin this way.

     When I started my capstone for my bachelor's degree, I was having a tough time coming up with what I wanted to do.  If you're not familiar with a capstone, it is essentially a big project (150+) where you come up with some sort of product (paper/software/whatever) and then present that topic to a group.  Once again I leaned on Mark McKinnon, and he basically convinced me to make my own forensic analysis machine and software for quick triage of a system.  It seemed like a lot of work and a big challenge, and it was; but it was worth it.

     Creating my own machine and triage script forced me to recall everything I had learned.  I had to know what tools to use and then validate those tools.  For the triage script, I had to know which artifacts are most relevant to an investigation and can provide actionable intel through quick analysis.  It also got me into the world of computer programming, something I had never attempted before.  After my capstone project I turned the triage script into a pretty neat tool that I released as open source; it's still in its infancy, but it's progressing nicely.

Stay Involved
     The biggest suggestion I can make?  Get involved and join the conversation!  It doesn't take a lot to get out and provide feedback or commentary.  If you look at my blog, I post about once a month and on average about 5 times a week on Twitter, something that takes maybe 3 hours of my time a month.  If you're out testing tools, provide feedback (things you like, things that didn't work, or things you'd like to see).  Your posts may not be seen by many, but giving back to the community is a great way to stay involved and keeps you dedicated.  Another great reason to stay involved is that this industry evolves especially quickly, with new applications that could produce a relevant artifact released almost daily.  Staying up to date on that stuff can mean a lot to an investigation, so it's important to at least keep a rough idea of what's going on in the wild; you shouldn't just stop your education.

     Also, if you're researching something and come across an interesting artifact, take a quick minute to share it.  Start a blog or something and share your experiences!  If you look at my blog, I don't think I have put up a lot of stuff, but I like to think it's valuable at least to someone.  If you can, share your failures along with your successes, as we can all learn together.

     Conferences are a great way to stay involved as well.  You can also meet a lot of great people this way.  I have only had the opportunity to sit in at a few conferences, but they've always been a blast.  Sometimes they can be expensive; however, you can often think of them as an investment, as networking within the industry is a great way of possibly getting jobs.  In my job now, I'm more likely to look at someone for an internship or whatever if I know they're keeping up and possibly have seen them at conferences or meetings I attend.  Often you can find meetings cheaply; I am lucky enough to have several free meetings around me locally, and even though they're not dedicated to forensics, they're in the general realm of information security.  And if nothing else, you can sign on once a month and check out Mike Wilkinson's awesome idea of a monthly forensic meetup online, known as DFIRonline.

How I Used This All
     From the time I sat in my first digital forensics course to today it's been about 18 months.  It was a long and very fun process of learning all of this stuff.  During that time, while pursuing my bachelor's degree, I was lucky enough to get an internship in an information security office and then able to turn that opportunity into an analyst position where PART of my duties include forensics.  But I was also able to get sent to Florida for SANS 2012, where I took Forensics 408, or Computer Forensic Investigations - Windows In-Depth, with Ovie Carroll and Lee Whitfield.  This opportunity was amazing!  The course covers in 6 days what I learned over the course of a year and a half, and then some.  After reading all those texts and keeping up with events, I had learned a foundation to where everything was familiar.  However, the course puts it into context for you: how you'll use that information in an investigation and then report it properly.  If you get the opportunity, I highly suggest taking it.  After taking the course, I went over the text material they provide to you for a couple of weeks and took the exam weeks after the course.  After 18 months I went from an interested party to a GIAC Certified Forensic Examiner.  It took a lot of time and dedication, but it has been a lot of fun and I can't wait to continue (NEXT is SANS FOR 508 and the GCFA, since they re-wrote it!).  Also, I want to thank all the people who helped me get where I'm at, including all the previously mentioned authors, the great people in the #DFIR Twitter realm, the people at SANS, and especially Mark McKinnon.

     That's about all I have to say and share on the subject.  I hope you enjoyed reading, and I would love to hear other people's takes on this topic and what they did to get where they're at, as I'm not done with my journey and would like to learn from someone smarter than me.  :)

Tuesday, April 10, 2012

Review of Windows Forensic Analysis and Windows Registry Forensics

     Both "Windows Forensic Analysis (Third Edition)" and "Windows Registry Forensics" are authored by Harlan Carvey, who is also the author of a few other books regarding digital forensics.  This will be a short review of both books.  I really enjoyed both of them.  If you've ever read anything from Harlan, you know his writing style is very easy to follow and understand.  Each book is laid out in a manner that makes sense as far as being applied practically.

     Windows Forensic Analysis is the third installment of Harlan's Windows forensics books; however, as he says in the intro, you should think of it as a companion to the second edition rather than a re-written replacement.  This book includes all the latest and greatest information on the Windows 7 release.  Things like volume shadow copies, application analysis, and a summary of registry analysis provide great insight into Windows artifacts.  The chapters on malware detection and timeline analysis are especially exceptional.

     Windows Registry Forensics is, I like to think, an extension of the Windows Forensic Analysis books.  The Windows registry is a treasure trove of evidence for analysis.  The book does an excellent job of not only outlining most of the known artifacts, but also giving you a background on the available tools that can be used to analyze these artifacts.  The case studies are especially helpful in relating the discussed artifacts to practical experience.

     Both books are fantastic, and I would highly suggest adding them to your digital forensics library and putting them next to at least the second edition of Windows Forensic Analysis.  Honestly, I feel like all three books should be considered one big compendium on Windows digital forensics.  I would also say that, at this point, there isn't a better collection of material on the subject of Windows analysis.  If possible, I would recommend setting up a lab with various Windows machines so you can test and play with all of the artifacts you will learn about.  That will also give you a chance to install the various tools mentioned in the text and test them out for yourself.