Re: transition to a career in computer forensics

From: Jonas Luster (lokiat_private)
Date: Wed Jul 11 2001 - 15:49:08 PDT


    * Elizabeth Genco sez:
    
    : make use of it.  Any suggestions (from anyone -- not just former
    : sysadmins) on where to best apply my energies would be helpful.  I'd also
    : love to hear about any companies or organizations in the New York City
    : area that do computer forensics work.
    
    I guess the most important part about doing forensic work is to
    understand the mechanics of a crime, the physiology of the victim,
    psyche of victim and attacker and to understand the way environments
    influence crime mechanics.
    
    In computer forensics this is not much different. It's imperative to
    learn the inner mechanics of systems you'll be working on. It's hard to
    examine memory and current process tables without understanding how the
    particular OS handles those things and without at least some knowledge
    of how to read raw memory you'll be almost unable to find out how a
    program worked.
    
    Crime scene investigators learn to see crime scenes as part of a bigger
    matrix and to apply theories without having to disturb the scene. If
    your testimony and findings are presented in court you'll have to make
    sure that there's no doubt you saw everything and did not destroy or
    modify evidence.
    
    Programs may help you at this step but they're merely crutches to make
    your life a bit easier and by no means meant to replace your brain.
    
    I'd say you're on the right track. Just be aware that no certification -
    as much as they help to convince clueless CEOs - can prepare you for
    what you'll encounter in the field and in court.
    
    As some kind of self-assessment, why not write a program that - under,
    say, Windows 2k, Windows 95, Linux 2.2 and 2.4 (with and without DEVFS)
    and some BSD flavor - helps to save the current contents of the RAM to a
    file and prepares them for analysis. This must be done without modifying
    the contents of the RAM, process table, etc. more than absolutely needed
    and should fit on a disk/cdrom.
    
    To understand crime mechanics you have to be able to understand the HOW,
    WHY, WHEN, WHAT and WHERE of any given crime. That means - in IT-world -
    you need to understand IP and the routed protocols, how communication
    and entry is done legitimately and in "not-so-legitimate" cases, where a
    given system is vulnerable and why it is that way.
    
    Best wishes and welcome to the dark side of IT :)
    
    jonas
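The self-assessment task described in the message, as an added example that is not part of the original post: a minimal POSIX acquisition routine in C that copies a byte range from a raw memory device such as /dev/mem (assumed readable by the examiner on the kernels named above) into an image file through one fixed page-sized buffer, zero-fills ranges the kernel refuses to read so offsets stay true, and records a CRC-32 for the acquisition log. The self_check function, its temp-file paths and the 9-byte input are constructed for the demonstration only.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CHUNK 4096 /* one fixed page-sized buffer, no malloc: small RAM footprint */

/* Bitwise CRC-32 (IEEE) of the image as written, to record in the log.
 * Slow but dependency-free; a table-driven variant is the usual speed-up. */
static uint32_t crc_update(uint32_t crc, const unsigned char *p, size_t n) {
    for (crc = ~crc; n--; p++) {
        crc ^= *p;
        for (int k = 0; k < 8; k++) crc = (crc & 1) ? 0xEDB88320u ^ (crc >> 1) : crc >> 1;
    }
    return ~crc;
}

/* Copy `length` bytes from `offset` in `src` to `dst`. A chunk the kernel will
 * not hand over (reserved range, EOF) is zero-filled and counted in *gaps, as
 * dd conv=noerror,sync does. Returns 0 on success, -1 on a write error. */
int acquire(int src, int dst, off_t offset, size_t length, uint32_t *crc, size_t *gaps) {
    unsigned char buf[CHUNK];
    size_t done = 0;
    *crc = 0; *gaps = 0;
    while (done < length) {
        size_t want = length - done < CHUNK ? length - done : CHUNK;
        ssize_t got = pread(src, buf, want, offset + (off_t)done);
        if (got < 0 && errno == EINTR) continue;
        if (got <= 0) { memset(buf, 0, want); got = (ssize_t)want; (*gaps)++; }
        for (ssize_t off = 0; off < got;) { /* write() may be short */
            ssize_t w = write(dst, buf + off, (size_t)(got - off));
            if (w < 0 && errno == EINTR) continue;
            if (w < 0) return -1;
            off += w;
        }
        *crc = crc_update(*crc, buf, (size_t)got);
        done += (size_t)got;
    }
    return fsync(dst);
}

/* Self-check on a constructed 9-byte "image" (not real memory): acquires
 * `length` bytes of it, reports CRC and gaps, returns output size or -1. */
uint32_t check_crc; size_t check_gaps;
long self_check(size_t length) {
    char s[] = "/tmp/acq-src-XXXXXX", d[] = "/tmp/acq-dst-XXXXXX";
    int src = mkstemp(s), dst = mkstemp(d);
    if (src < 0 || dst < 0 || write(src, "123456789", 9) != 9) return -1;
    long size = acquire(src, dst, 0, length, &check_crc, &check_gaps) ? -1 : (long)lseek(dst, 0, SEEK_END);
    unlink(s); unlink(d); close(src); close(dst);
    return size;
}
```

On kernels newer than those named in the message, /dev/mem reads are usually restricted, so the same routine would be pointed at whatever raw memory source the examiner's platform exposes.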
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:04:22 PDT