Digital Forensics – Careers Tips from Rob Lee of the SANS Institute

Filed under Computer Forensics


February 5, 2010

http://www.bankinfosecurity.com/podcasts.php?podcastID=435

Increasingly, digital forensics is an important element of an information security program for organizations of all types and sizes. But where can security leaders find qualified forensics professionals? How can these professionals obtain the skills and expertise they need to be successful?

Rob Lee of Mandiant and SANS Institute discusses forensics careers, focusing on:

Hot trends of 2010;
Questions hiring managers must ask;
Growth opportunities for qualified pros.

Lee, a director with Mandiant and curriculum lead for digital forensic training at SANS Institute, has more than 13 years' experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the [...]

Internet Evidence Finder (IEF): interview with Jad Saliba of JADSoftware.com

Filed under Computer Forensics, Evidence Acquisition

Editor’s note: Brad Garnett recently had an opportunity to interview Jad Saliba, of JADSoftware about how he got started in computer forensics and about some of his company’s products. Please note that JADSoftware has offered a discount to readers, see the details below.

Q: Jad, take a minute to introduce yourself and give us some insight into your background. How did you get involved in computer forensics and software development?

I’ve been involved in software programming on and off for a long time, going back to my teenage years. I’ve always had an interest in system tools and figuring out what’s going on behind the scenes in a computer. I went to college and studied computer networking and programming, and worked in the industry for a short while before getting into law enforcement, which is another passion of mine. I didn’t want anyone to know about my computer skills when I [...]

Uncident Response

Filed under Computer Forensics, Incident Response

A while ago, I was asked to assist in responding to a security problem on a client’s network. A major vulnerability had been reported on a website: the primary authentication and access control mechanism had failed. So severe was the vulnerability that not only could one user view another’s PII, but complete authentication circumvention was itself trivial! I was tasked with assessing what, if any, impact had resulted from this exposure. This probably sounds familiar to many security analysts: a vulnerability was discovered; what compromise resulted from it?

These cases turn classic incident response on its head. We are trained, and often work, on issues where a compromise is discovered, and analysis of that compromise reveals a vulnerability. Here, we have the opposite. One immediate difference is clear: when there is a compromise, some vulnerability was necessarily exploited. However, the result of a vulnerability investigation is not so clear. Our normal incident [...]

Twitter Weekly Updates for 2010-02-06

Filed under Computer Forensics

Dr. Jason H. Byrd, Internationally Recognized Forensic Entomologist – Feb 07,2010 http://bit.ly/ax55mA #
RT @andrewsmhay: @robtlee quoted by ABC – "U.S. Oil Industry Hit by Cyberattacks: Was China Involved?" – http://bit.ly/buUUMJ #
RT @Schizophreud: "A Temporary Change of Focus" http://forensic4cast.com/?p=522 #
Which SANS Digital Forensic Course Should You Take? http://bit.ly/a047GK #
It’s the little things (Part One) http://bit.ly/99mYmk #
CSM IT Team Wins Digital Forensics Competition- Information technology students at the College of Southern Maryland… http://bit.ly/dqo9Uh #
Katana Forensics Launches New iPhone Forensic Software- A new iPhone forensic tool, Lantern, launches this week at … http://bit.ly/965SQ6 #
Last call for UK graduates looking to jump-start their careers- IntaForensics (http://www.intaforensics.com) is cal… http://bit.ly/cET1Nz #
Temporary Change of Focus http://bit.ly/9hw9t1 #
CyberSpeak January 31, 2010- DoD CyberCrime Conference was last week in St Louis MO and was their biggest event eve… http://bit.ly/a3HR33 #
Digital Forensics Magazine Website Redesigned- Digital Forensics Magazine has had its website redesigned by top Sco… http://bit.ly/aB6qZU #
Computer [...]

Digital Forensic Case Leads: Introductions

Filed under Case Leads, Computer Forensics, Incident Response

Recently, the forensicator-in-chief, Rob Lee, put out the call for a new series of posts here at the SANS Computer Forensics Blog. Rob wanted to present a few short “case leads” that may interest practitioners. A small group of volunteers took on the task of formulating a weekly “Digital Forensic Case Leads” post each Friday to include coverage of tools both new and old, interesting reads, news items and more.

And so in the spirit of Kevin Riggins and his “Interesting Information Security Bits” or Dave Lewis, James Arlen (et al) and their “Liquid Matrix Security Briefings”, we present “Case Leads: 20100205-001:”
Tools:
Andreas Schuster released an update of his Vista event log parser, Evtx Parser Version 1.0.2. The update fixes a few issues with the tool’s XML output. See Andreas’ blog and the README for additional information about Evtx Parser.
Also check out David Kovar’s analyzeMFT, a Python script that parses [...]

Examining Windows Mobile Devices Using File System Forensic Tools

Filed under Computer Forensics, Evidence Analysis, Mobile Device Forensics

Windows Mobile file systems have similarities with other Microsoft operating systems that make for an easy transition into mobile device forensics for anyone who has performed forensic examinations of Windows computer systems. As with a desktop or laptop computer, Windows Mobile devices retain substantial information about user activities that can be relevant in a digital investigation involving Web browsing, user created files, and Windows registry entries.

Windows Mobile uses a variation of the FAT file system called the Transaction-safe FAT (TFAT) file system, which has some recovery features in the event of a sudden device shutdown. Here is the volume information of a memory dump from a Windows Mobile device, showing that it is FAT.

$ fsstat SamsungBlackjack.bin

FILE SYSTEM INFORMATION
——————————————–
File System Type: FAT16
OEM Name: MSWIN4.1
Volume ID: 0x8250047
Volume Label (Boot Sector):
Volume Label (Root Directory):
File System Type Label: TFAT16
Sectors before file system: 0
File System Layout (in sectors)
Total Range: 0 - 112389
* Reserved: [...]

Which SANS Digital Forensic Course Should You Take?

Filed under Computer Forensics, Incident Response, Network Forensics

Computer Forensic Course Assessments
Over the past year, we have been asked many questions about what the SANS Digital Forensic courses offer and which course would be appropriate for you.

FOR408 – Computer Forensic Essentials – Teaches Traditional Crime Forensics – FOCUS -> Windows Forensics In-Depth and Investigation Analysis

https://computer-forensics.sans.org/course/computer-forensic-essentials-1207-1

FOR508 – Computer Forensic Investigations and Incident Response – Teaches how to respond to technically savvy criminals and challenging intrusion cases – FOCUS -> File System Forensics, Intrusion Analysis, and Live Response

https://computer-forensics.sans.org/course/computer-forensics-investigation-and-response-98-1

Digital Forensic Assessment Test For FOR408 and FOR508:
SANS is conducting a Computer Forensic Course Assessment to help place people in the appropriate forensic course based on their skills. This is not a certification: you cannot claim to be an expert if you pass, and a poor score does not mean you lack skills. It is based on only a small sample of the material from both courses.

The test [...]

It’s the little things (Part One)

Filed under Evidence Analysis

For forensic analysts working in Windows environments, .lnk shortcut files and the thumbprint caches are valuable sources for details about missing data.

Individuals wanting to hide their activities may flush their browser cache and Temp files, and even wipe the drive’s free space. However, they may forget these two minor “tidbits”, which can show detail, indicate actions and reveal associated history. Be warned: I have found Windows machines with thousands of .lnk files on a “scrubbed PC.”

The shortcut (.lnk) file is an amazing mine of information for such a small file. This PDF (see link) is an invaluable source describing the details of the shortcut .lnk format. The shortcut file name format is usually name.ext.lnk. There may be multiple .lnk files created for one file, depending upon the type.

XP stores the .lnk files for the Word 2007 document Brains.docx in:
%Drive%:\Documents and Settings\User ID\Recent
The .lnk in ..\Recent (above) is slightly larger than the one in:
%Drive%:\Documents and Settings\User ID\Application Data\Microsoft\Office\Recent
Windows [...]
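The excerpt points to a PDF for the .lnk internals without reproducing them. As an added example (not code from the original post), the parser below reads the fixed 76-byte ShellLinkHeader that every Windows shortcut begins with, following the public MS-SHLLINK specification: it checks the HeaderSize/LinkCLSID magic, decodes the LinkFlags and FileAttributes bits, converts the three FILETIME stamps (100-ns ticks since 1601-01-01 UTC) to datetimes and reports the target's recorded size. The sample header for a hypothetical Brains.docx shortcut is constructed in the block; the field names and bit values are the specification's, not the page's.

```python
"""Parse the fixed 76-byte ShellLinkHeader at the start of a Windows .lnk file."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Layout per the public MS-SHLLINK specification: little-endian, no padding.
HEADER_FMT = "<I16sIIQQQIiIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)               # 76 (0x4C)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
    0x10: "DIRECTORY", 0x20: "ARCHIVE",
}


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of the above, done in integers to avoid float rounding."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def _bits(value: int, names: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(names.items()) if value & bit]


def parse_lnk_header(data: bytes) -> Dict[str, object]:
    """Return the header fields of a .lnk file; raise ValueError when the
    magic (HeaderSize 0x4C followed by the shell link CLSID) does not match."""
    if len(data) < HEADER_SIZE:
        raise ValueError("data shorter than a ShellLinkHeader")
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, size,
     icon_index, show_cmd, hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Windows shell link (bad HeaderSize/LinkCLSID)")
    return {
        "link_flags": _bits(flags, LINK_FLAGS),
        "file_attributes": _bits(attrs, FILE_ATTRIBUTES),
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": size,          # low 32 bits of the target's size at link time
        "icon_index": icon_index,
        "show_command": show_cmd,   # 1 = SW_SHOWNORMAL
        "hotkey": hotkey,
    }


def build_sample_lnk_header(created: datetime, written: datetime, size: int) -> bytes:
    """Constructed header for a hypothetical Brains.docx shortcut (not a real file)."""
    flags = 0x01 | 0x02 | 0x80                 # IDList, LinkInfo, Unicode strings present
    attrs = 0x20                               # FILE_ATTRIBUTE_ARCHIVE
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, attrs,
                       datetime_to_filetime(created), 0,      # AccessTime left unset
                       datetime_to_filetime(written), size,
                       0, 1, 0, 0, 0, 0)       # IconIndex, SW_SHOWNORMAL, HotKey, reserved


def demo() -> Dict[str, object]:
    """Parse the constructed sample header."""
    hdr = build_sample_lnk_header(datetime(2010, 2, 5, 9, 30, tzinfo=timezone.utc),
                                  datetime(2010, 2, 5, 17, 45, 12, tzinfo=timezone.utc), 24576)
    return parse_lnk_header(hdr)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Only the header is decoded here; the optional structures that follow it (LinkTargetIDList, LinkInfo with the volume serial and local path, the string data) are present only when the corresponding flag bit is set, which is why the parser exposes the flag names rather than assuming a fixed layout beyond byte 76.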

Fun with FIFOs (Part II): Output Splitting

Filed under Computer Forensics, Evidence Analysis

Hal Pomeranz, Deer Run Associates
Several months ago now, I wrote up a little article on using FIFOs to trick the script command into writing output over the network.  But there are other neat hacks you can do with FIFOs, and I want to show you one right now that can save you lots of time.

Suppose you had a disk image and you wanted to pull out both the ASCII and Unicode strings from a specific partition. The classic approach is to read the partition twice: once to gather the ASCII strings and once to pull out the Unicode. But on a large partition, reading the image even once can take a huge amount of time. The good news is we can use some Unix FIFO magic along with the frequently overlooked tee command and only have to read the partition once.

Let me show you the magic incantation first, and [...]
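The excerpt stops before the incantation itself. As an added example, not Hal Pomeranz's command and not code from the original post, the block below does the same single-read split in Python: it creates a FIFO with os.mkfifo, runs the real tee binary with the image on stdin so that every byte is copied both to the FIFO and to tee's stdout, and has a thread consume the FIFO while the main thread consumes stdout. Two small regular expressions stand in for strings -a (printable ASCII runs) and strings -el (UTF-16LE runs); both, like strings(1), use a minimum run length of 4. The "partition" is a constructed byte string written to a temporary file, and the extractor names and the minimum-length choice are this example's own assumptions.

```python
"""Single-pass string extraction: tee feeds one read of the image to two consumers."""
import os
import re
import subprocess
import tempfile
import threading
from typing import List, Tuple

# A minimum run of 4 characters mirrors the default of strings(1).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def ascii_strings(data: bytes) -> List[str]:
    """Printable-ASCII runs, roughly what `strings -a` reports."""
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]


def utf16le_strings(data: bytes) -> List[str]:
    """UTF-16LE runs in the ASCII range (how Windows stores most file names),
    roughly what `strings -el` reports."""
    return [m.group().decode("utf-16-le") for m in UTF16LE_RE.finditer(data)]


def split_extract(image_path: str) -> Tuple[List[str], List[str]]:
    """Read image_path exactly once.

    tee copies its stdin to the FIFO (drained by a thread looking for UTF-16LE
    strings) and to its stdout (drained here for ASCII strings), so the image
    is read from disk a single time even though two extractors see it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        fifo = os.path.join(tmp, "unicode.fifo")
        os.mkfifo(fifo)
        unicode_found: List[str] = []

        def fifo_reader() -> None:
            # open() blocks until tee opens the write end of the FIFO; read()
            # then returns when tee closes it at end of input.
            with open(fifo, "rb") as fh:
                unicode_found.extend(utf16le_strings(fh.read()))

        reader = threading.Thread(target=fifo_reader)
        reader.start()                       # reader must exist before tee opens the FIFO
        with open(image_path, "rb") as image:
            proc = subprocess.Popen(["tee", fifo], stdin=image, stdout=subprocess.PIPE)
        ascii_found = ascii_strings(proc.stdout.read())
        proc.wait()
        reader.join()
        return ascii_found, unicode_found


def build_sample_image() -> bytes:
    """Constructed stand-in for a partition: binary filler around one ASCII string,
    one UTF-16LE string, and a 3-byte run that is below the length threshold."""
    filler = bytes(range(0x80, 0x90))        # neither printable ASCII nor NUL
    return (filler + b"Brains.docx" + filler + b"tmp" + filler
            + "Documents and Settings".encode("utf-16-le") + filler)


def demo() -> Tuple[List[str], List[str]]:
    """Write the constructed image to a temp file and run the split extraction."""
    with tempfile.NamedTemporaryFile(suffix=".img", delete=False) as f:
        f.write(build_sample_image())
        path = f.name
    try:
        return split_extract(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    ascii_out, unicode_out = demo()
    print("ASCII:   ", ascii_out)
    print("UTF-16LE:", unicode_out)
```

The two regex extractors buffer their whole stream before matching, which is fine for a demonstration but not for a multi-gigabyte partition; the point of the block is the plumbing, and in practice the FIFO and stdout consumers would be the streaming strings command, exactly as the post describes.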

M-Trends: The Advanced Persistent Threat

Filed under Computer Forensics

M-Trends Quote: “Most APT Malware is not packed, because packing is relatively easily detected. APT attackers that use packed malware are usually more advanced in their skills.” – APT Malware Trends and Statistics Section


M-Trends Quote: “Most organizations struggle to detect real incidents. Organizations that rely solely on automated security appliances are ripe targets for an APT intrusion.” – APT Victim Recommendations


M-Trends Quote: “Standard security tools usually do not detect APT malware. When MANDIANT discovers new APT malware, we scan it with the anti-virus and anti-malware programs that most organizations use. Of the samples we discovered and examined, only 24% of all the APT malware was detected by security software.” – APT Malware Trends and Statistics Section



Over the past two years, there have been many discussions surrounding China and the Advanced [...]