
Friday, April 27, 2012

My Education in Digital Forensics

     I have been in school awhile now, and was lucky enough to have a few classes with Mark McKinnon.  Mark was kind enough to share his passion for the digital forensics field with not only me, but the hundreds of students who've attended his courses at Davenport University here in West Michigan over the last few years.  In many ways my thanks go to him and everything he's been willing to share, and much of this post stems from his knowledge and the suggestions he provided me with for progressing into this field.  This will be a recap of how I went about learning about digital forensics, mostly pertaining to analysis of Microsoft Windows computers, and how I eventually was lucky enough to get certified.  Also, I'm writing towards people interested in digital forensics, not those in the field (although I would love to hear comments or suggestions for alterations to my following suggestions in the comments).

Disclaimer:
     First, there is a lot of great material available on digital forensics, but you have to realize reading these books does not make you an expert.  That being said, I highly recommend getting as much hands-on experience as you possibly can.  Many of the books I will be suggesting contain a list of tools they use or show output from tools.  It's highly advantageous to download these tools and execute the same commands to analyze more practically what you're reading about.  Be prepared to get hands-on with a lot of different software, and be prepared for mistakes; know that making a mistake is OK, as it's all a learning experience.  Also, I'm not an expert!  Take my advice with a grain of salt.  I am just beginning in this field and want to share what I can.

Mentors and Involved Community
     That being said, let me get into it.  As I mentioned, I started my interest in digital forensics (DF) in a seat at Davenport University in their IAAS 421 course, taught by Mark McKinnon.  This was an invaluable introduction to a lot of topics involved in DF, from file systems to registry and memory analysis.  If you are unsure about DF as a possible career, I highly recommend trying to find an intro course.  After taking the course I went from thinking of forensics as an interest to wanting it to be my career.  Another reason I suggest taking a course is that with the right teacher you can use them as a springboard into the field.  I quickly found Mark to be a forensic guru who could point me in the right direction, and if he didn't know an answer he probably knew someone he could get it from.  To me, finding people you can bounce ideas off of is a great way to advance in this field.  I quickly got involved on Twitter, started following people in the industry and began to frequent #DFIR searches.  This was a great way to figure out what was happening in the community, and it linked me to a lot of great resources and blogs that I could reference for other things.

Books
     I started diving deep into forensics books, and per suggestion, I started with Brian Carrier's File System Forensic Analysis.  As you may have guessed, this book is pretty much regarded as the holy grail of forensic analysis of file systems.  This book is highly technical, and for me at the time, was somewhat dry.  However, this book provides knowledge that will be called upon by almost every other book I'll suggest (most in fact reference it).  Therefore, I suggest you start here, as it's an essential forensic knowledge foundation.

     Next, I picked up a copy of Handbook of Digital Forensics and Investigation.  This would be the first of Eoghan Casey's books that I read.  This book was recommended to me by Eric Huber on Twitter.  This book was a great reference and was a lot broader than Carrier's book, but it gives you better insight into how the field is and what sort of artifacts to look for throughout an investigation.

     This is not how I read the following, but how I would now recommend reading these books, as it will flow much better.  After finishing Casey's book, Mark McKinnon introduced me to the writing of one Harlan Carvey.  I started with Windows Forensic Analysis Second Edition (WFA2E), which is a great resource on Windows forensic artifacts.  I would then suggest reading Windows Registry Forensics, as it delves deeper into the registry, for which WFA2E acts as a great precursor.  You'll learn more about the Windows registry than you probably think is possible.  The next book I suggest is Windows Forensic Analysis Third Edition, as this will progress your understanding of Windows operating systems even further and will move into the more modern Windows versions, including Windows 7.  However, I will say that before reading those three texts, start by reading Digital Forensics with Open Source Tools, authored by Cory Altheide and Harlan Carvey.  I say this because it goes over a lot of artifacts for every system, but I suggest it more so because it goes over how to set up a lab machine and provides a great list of tools to install on your system that will allow you to do analysis without purchasing the more expensive software.

     I next chose to read Digital Evidence and Computer Crime, Third Edition: Forensic Science, Computers, and the Internet, again by Eoghan Casey.  I chose this book for one distinct reason: all of the other books were valuable in learning about the forensic artifacts available in an environment, as is this text, but Casey provides two chapters on the legal side of forensics.  These chapters provide a lot of great information on the legal side of forensics in both the United States and European nations.  Another interesting aspect of the text is the more psychological end of how a criminal acts when using digital devices.

Challenges
     Hopefully, while you're reading those texts you're following along with them and performing a bit of hands-on work with each book.  Getting familiar with all of the different tools and how they work is one of the more fun things you get to do in forensic investigations.  Also, application testing and verification is a big part of the industry, so it's a good idea to get used to it from the beginning.  Two of the best things I have found to play with tools are the SIFT forensic workstation, made available by SANS, and DEFT; both are free live Linux distributions which include tons of tools to play with and get familiar with.
 
     Once you've gotten used to your tools and read a bit, I suggest looking for forensic challenges.  You can find them from several areas; I started out with a few of my mates from college and we did the DC3 Cyber Crime Challenge, which is an annual competition put on by the Department of Defense.  Even if you don't want to submit challenges this is a great way to get some hands-on work done, as you're often given an artifact to analyze and you have to give information regarding that artifact.  Challenges vary and can take a lot of time, but I feel they are well worth it if you're new to the field.

     Back to being involved with the community: there are many forums and mailing lists you can become a part of.  I suggest, once you have your feet wet with forensics a bit, going out and becoming involved with them.  You can quickly learn the types of issues you can face on a daily basis within the forensic community.  Sometimes you'll find a challenge presented there; I was lucky enough to win a SANS Lethal Forensicator Coin this way.

Development
     When I started my capstone for my bachelor's degree, I was having a tough time coming up with what I wanted to do.  If you're not familiar with a capstone, it is essentially a big project (150+) where you come up with some sort of product (paper/software/whatever) and then present that topic to a group.  Once again I leaned on Mark McKinnon, and he basically convinced me to make my own forensic analysis machine and software for quick triage of a system.  Seemed like a lot of work and a big challenge, and it was; but it was worth it.

     Creating my own machine and triage script forced me to recall everything I had learned.  I had to know what tools to use and then validate those tools.  For the triage script, I had to know what artifacts are more relevant to an investigation and can provide actionable intel through quick analysis.  It also got me into the world of computer programming, something I had never attempted before.  After my capstone project I turned the triage script into a pretty neat tool that I released as open source; it's still in its infancy, but it's progressing nicely.

Stay Involved
     The biggest suggestion I can make?  Get involved and join the conversation!  It doesn't take a lot to get out and provide feedback or commentary.  If you look at my blog, I post about once a month and probably on average about 5 times a week on Twitter, something that takes maybe 3 hours of my time a month.  If you're out testing tools, provide feedback (things you like, things that didn't work or things you'd like to see).  They may not be seen by many, but giving back to the community is a great way to stay involved and keeps you dedicated.  Another great reason to stay involved is that this industry especially evolves quickly, with new applications that could produce a relevant artifact released almost daily.  Staying up-to-date on that stuff can mean a lot to an investigation, so it's important to at least keep a rough idea of what's going on in the wild; you shouldn't just stop your education.

     Also, if you're researching something interesting and come across an interesting artifact, take a quick minute to share it.  Start a blog or something and share experiences!  If you look at my blog, I don't think I have put up a lot of stuff, but I like to think it's valuable at least to someone.  If you can, share your failures along with your successes, as we can all learn together.

     Conferences are a great way to stay involved as well.  You can also meet a lot of great people this way.  I have only had the opportunity to sit in at a few conferences, but they've always been a blast.  Sometimes they can be expensive; however, you can often think of them as an investment, since networking within the industry is a great way of possibly getting jobs.  In my job now, I'm more likely to look at someone for an internship or whatever if I know they're keeping up and possibly have seen them at conferences or meetings I attend.  Often you can find meetings for cheap; I am lucky enough to have several free meetings around me locally, and even though they're not dedicated to forensics they're in the general realm of information security.  And if nothing else, you can sign on once a month and check out Mike Wilkinson's awesome idea of a monthly forensic meetup online known as DFIRonline.

How I Used This All
     From the time I sat in my first digital forensics course to today it's been about 18 months.  It was a long and a very fun process of learning all of this stuff.  During that time, while pursuing my bachelor's degree, I was lucky enough to get an internship in an information security office and then able to turn that opportunity into an analyst position where PART of my duties include forensics.  But I was able to get sent to Florida for SANS 2012, where I took Forensics 408, or Computer Forensic Investigations - Windows In-Depth, with Ovie Carroll and Lee Whitfield.  This opportunity was amazing!  The course covers in 6 days what I learned over the course of a year and a half and then some.  After reading all those texts and keeping up with events, I had learned a foundation to where everything was familiar.  However, the course will put it into context for you: how you'll use the information, put it into an investigation and then report it properly.  If you get the opportunity, I highly suggest taking it.  After taking the course, I went over the text material they provide to you for a couple of weeks and took the exam weeks after the course.  After 18 months I went from an interested party to now a GIAC Certified Forensic Examiner.  It took a lot of time and dedication, but it has been a lot of fun and I can't wait to continue (NEXT is SANS FOR 508 and the GCFA, since they re-wrote it!).  Also, I want to thank all the people who helped me get where I'm at, including all the previously mentioned authors, the great people on the #DFIR Twitter realm, the people at SANS and especially Mark McKinnon.

     That's about all I have to say and share on the subject.  I hope you enjoyed reading, and I would love to hear other people's takes on this topic about what they did to get where they're at, as I'm not done with my journey and would like to learn from someone smarter than me.  :)

Wednesday, February 15, 2012

Review of Digital Evidence and Computer Crime


            Just finished "Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet" by Eoghan Casey, featuring other contributing authors, and it's quite good.  I bought this book because I wanted an all-encompassing book that provided insight on the various aspects of an investigation, especially the legal portion.  In this aspect the book does an excellent job, and is in-depth in areas I have yet to see in other books.  The book is divided into five portions: digital forensics, digital investigations, apprehending offenders, computers and network forensics.  For me the book was worth it for the first three portions; however, while the computers and network portions are a good start, there are more in-depth books that provide better insight.

            Part I: Digital Forensics, was one of my favorite parts of the book.  It provides the reader with a good background on where digital forensics comes from and how it has evolved.  It details the role of the investigator in a case and the complications with digital evidence (the portion applying to levels of certainty was very enlightening).  I really enjoyed the portions of the book relating to both US and European law.  This was an aspect I was looking to learn more about and the book provides a great overview while outlining the specific important parts of popular cyber law. 

            Part II: Digital Investigations, is all about the process.  Casey does a good job of applying the traditional scientific method to the digital forefront.  Applied in this way, it provides an easy-to-apply method for the investigative process, not focusing on the specifics but more on the outline of the thought process, which allows you to go beyond knowing the specifics.  Methods for conducting investigations, handling crime scenes and reconstruction are discussed, as well as motives.

            Part III: Apprehending Offenders, was rather unexpected when I looked through the table of contents, and even more so when I read the chapters.  However, in this case unexpected was excellent.  Various scenarios in need of investigation are discussed, like cyber stalking and computer intrusions, and the chapters then delve into the victimology of the scenarios.  This was really interesting to me, as it provides a psychological aspect to the investigative process; something I then realized can really help with an investigation.

            Part IV and V:  Computers and Networking are pretty much what I expected.  The computer portion really does give a great foundation of knowledge, and if this is one of your beginning journeys it’s a great place to start.  It does go over the background of important artifact information like file system structure, basics of file recovery, browser artifacts, and the registry.  It also provides good info on Unix and Mac systems.  The network portion is quite detailed describing the various layers of the network topology. There is a lot of great information in these chapters that was a great review of knowledge. 

            Overall, the book was enjoyable from start to finish, and I would recommend it to anyone looking for a great overview of the digital forensic investigation process from start to finish.  I am happy to add this book to my growing reference library.


Coming Up:

So, I have a lot going on.  I have the following books to read (expect reviews):

  • Windows Forensic Analysis 3rd Edition
  • Practical Malware Analysis
  • Digital Triage Forensics
  • Windows Internals 6th Edition
I also have some research that I wish to share regarding File Tagging, with maybe a tool to follow eventually.  So look for that as well.  

Monday, September 5, 2011

Road to CCE, Pt. 3: Review of Digital Forensics with Open Source Tools


     "Digital Forensics with Open Source Tools" (DFwOST), by Cory Altheide and Harlan Carvey, is an excellent resource for a beginning forensics student, I feel.  I am so happy that I decided to pick up this book; it has proven to be one of the best resources I now have.  This book reads extremely well, as the information it contains is concise and to the point.  DFwOST is certainly a value and I can see myself returning to it in the coming months.

     As far as the content of the book is concerned, the authors provide a wealth of knowledge covering the basics of digital forensics.  The beginning chapter goes over what open source is and how it's going to relate to the book.  The next chapter then discusses the differences in choosing a host operating system (mainly Windows vs Linux).  Chapters 3 through 8 analyze varying topics of digital forensics like file system analysis, points of analysis for varying operating systems, Internet artifacts, and file analysis.  These chapters hold a lot of information relating to the multiple points of interest in digital forensics, and while discussing the topics the authors provide the reader with examples of analysis with popular open source projects.  The final chapter then offers the reader insight into how to utilize the various discussed tools with better efficiency, as well as the pros and cons of graphical user interfaces versus command line interfaces.

     Overall, I feel like this is one of the best resources for learning about digital forensics because it provides great information along with practical knowledge of how to use the information.  It's easy enough to follow along with the reading while testing these tools in your own test lab.  The authors often provide easy-to-follow installation methods, which can be valuable when dealing with some open source projects.  If you're looking to get into forensics more, or even just learn about current open source projects going on in the forensics world, I would recommend you go out and pick up this book.  I feel like this book helped me take the knowledge I've learned from other books I've discussed in this blog and transform it into practical knowledge, as it's easy to get access to these tools and test them for myself without spending money (a plus for any college student).