* Elizabeth Genco sez:
: make use of it. Any suggestions (from anyone -- not just former
: sysadmins) on where to best apply my energies would be helpful. I'd also
: love to hear about any companies or organizations in the New York City
: area that do computer forensics work.

I guess the most important part about doing forensic work is to understand the mechanics of a crime, the physiology of the victim, the psyche of victim and attacker, and to understand the way environments influence crime mechanics. In computer forensics this is not much different. It's imperative to learn the inner mechanics of the systems you'll be working on. It's hard to examine memory and current process tables without understanding how the particular OS handles those things, and without at least some knowledge of how to read raw memory you'll be almost unable to find out how a program worked.

Crime scene investigators learn to see crime scenes as part of a bigger matrix and to apply theories without having to disturb the scene. If your testimony and findings are presented in court, you'll have to make sure that there's no doubt you saw everything and did not destroy or modify evidence. Programs may help you at this step, but they're merely crutches to make your life a bit easier and by no means meant to replace your brain.

I'd say you're on the right track. Just be aware that no certification - as much as they help to convince clueless CEOs - can prepare you for what you'll encounter in the field and in court.

As some kind of self-assessment, why not write a program that - under, say, Windows 2k, Windows 95, Linux 2.2 and 2.4 (with and without DEVFS) and some BSD flavor - helps to save the current contents of the RAM to a file and prepares them for analysis. This must be done without modifying the contents of the RAM, process table, etc. more than absolutely needed, and should fit on a disk/cdrom.

To understand crime mechanics you have to be able to understand the HOW, WHY, WHEN, WHAT and WHERE of any given crime. That means - in the IT world - you need to understand IP and the routed protocols, how communication and entry are done legitimately and in "not-so-legitimate" cases, where a given system is vulnerable and why it is that way.

Best wishes and welcome to the dark side of IT :)

jonas
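One way to prototype the memory-capture exercise jonas sets at the end of the post, as an added example that is not from the original thread: it copies a memory source page by page, never writes to it, zero-fills any page the device refuses to read so that offsets in the image still match offsets in the source, and hashes the image as it is written so the digest can be recorded with it. The raw device (assumed to behave like /dev/mem) is replaced by a constructed in-memory source so the code runs offline; the 4 KiB page granularity and the zero-fill convention are assumptions, not anything the post specifies.

```python
import hashlib
import io

PAGE = 4096  # assumed acquisition granularity: one x86 page

class FaultySource:
    """Constructed stand-in for a raw memory device such as /dev/mem: pages
    listed in bad_pages raise OSError on read, as reserved or unmapped
    physical ranges do on a real device. Exists only so this runs offline."""

    def __init__(self, data, bad_pages=()):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_pages)

    def seek(self, offset):
        self._buf.seek(offset)

    def read(self, n):
        if self._buf.tell() // PAGE in self._bad:
            raise OSError("unreadable physical page")
        return self._buf.read(n)

def acquire(src, total_bytes, dst=None, page=PAGE):
    """Copy total_bytes from src one page at a time; src is only ever read.
    Image offsets always equal source offsets: a page that cannot be read
    is recorded and written as zeros rather than dropped, so the layout
    later analysis relies on is not shifted. The digest covers the bytes
    as written, to be recorded with the image. Returns (unreadable page
    numbers, sha256 hex, image bytes or None when dst was supplied)."""
    own_buffer = dst is None
    if own_buffer:
        dst = io.BytesIO()
    digest, bad = hashlib.sha256(), []
    for offset in range(0, total_bytes, page):
        want = min(page, total_bytes - offset)
        try:
            src.seek(offset)
            chunk = src.read(want)
        except OSError:
            chunk = b""
        if len(chunk) < want:  # fault or short read: preserve layout
            bad.append(offset // page)
            chunk += b"\x00" * (want - len(chunk))
        dst.write(chunk)
        digest.update(chunk)
    return bad, digest.hexdigest(), dst.getvalue() if own_buffer else None

# Constructed sample "memory": four pages of a repeating byte pattern.
SAMPLE = bytes(range(256)) * (4 * PAGE // 256)
```

Running `acquire(FaultySource(SAMPLE, bad_pages={2}), len(SAMPLE))` yields an image the same size as the source with page 2 zeroed and `[2]` as the list of unreadable pages; re-acquiring that image from a clean source reproduces the same digest, which is the kind of check you would repeat before presenting the image as evidence.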
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:04:22 PDT