How to Become a Forensic Computer Professional

computerforensicprofessional A computer forensic professional collects electronic evidence and provides information to an investigation team. Being a computer forensic professional requires you to have skills to help criminal investigators solve computer crimes. You should have knowledge of criminology, business law and computer data analysis.

If you like crime scene investigation shows or the thought of cracking encrypted computer security codes excites you, then a career in computer forensics might be right up your alley. The requirements to become a computer forensics professional can vary. An associate or bachelor’s degree are two of the more common paths to a career in this field, but graduate degree programs are becoming more common. Forensic computer analysts made an average salary between $47,117 and $79,667 in 2010, according to PayScale.

  1. Obtain an associate or a bachelor’s degree. Having a degree in computer science or accounting will be more beneficial in finding a computer forensics job than having a criminology or criminal justice degree, says the U.S. Bureau of Labor Statistics. Associate and bachelor’s degree programs in the field of computer forensics are offered at schools such as ITT Technical Institute and Westwood College.
  2. Apply for positions with law enforcement agencies. Most law enforcement agencies will require you to pass an extensive background check and a series of written and psychological tests before they will hire you.
  3. Attend courses at a police academy. Although you can work in computer forensics as a civilian analyst, having insight into the criminal investigation process and police detective techniques can provide you with invaluable insight on how the criminal mind works and possibly provide you with a better understanding of how to access information that may be hidden on computer systems.
  4. Gain experience through hands-on training. Most computer forensics professionals learn about the specifics of their trade through the computer forensics training program offered by the law enforcement agency they work for, according to the U.S. Bureau of Labor Statistics. In fact, the bureau also notes that many utilize this training as a way to break into the field before moving on to the private sector.
  5. Obtain certification as a computer forensics investigator. Agencies and organizations such as the International Society of Forensic Computer Examiners offers certifications in the field that will give you the credentials that will set you apart from your competition for jobs or clients. Certification from the Society requires you to complete additional computer forensics training, have a minimum of 18 months of verified experience in the field and engage in self-study in digital forensics. Once your qualifications have been verified, you can then take the certification exam.

Be sure that the school that you enroll in is accredited. Be sure that you earn maintain an acceptable grade point average at the school you are enrolled in. Some two-year programs require that you complete 60 credit hours and earn nothing less than a 2.0 GPA. Ask the college you are applying to if you need to submit to a criminal background check. You may be excluded from admission to a post-secondary school if you have a previous felony conviction.

Read More

Work in Forensics: 5 Key Steps

Work in Forensics: 5 Key StepsJoseph Naghdi, an experienced computer technologist, transitioned to digital forensics in early 2000 because he was intrigued by how data is stored and discovered on computers. Today, he’s a forensics analyst at Computer Forensics Lab, a U.K. consultancy specializing in computer forensic services and advanced data recovery. The high point of his work, he says, is when he solves tough cases, such as a recent phishing attack against a UK bank that almost led to the transfer of 3 million pounds.

With the rise in cyber-fraud and various breach incidents, digital forensics is becoming a growing field with plenty of opportunities. The job involves determining the cause, scope and impact of security incidents; stopping unwanted activity; limiting damage; preserving evidence and preventing other incidents. Digital forensics experts typically investigate networks, systems and data storage devices.

The average salary for digital forensic professionals is about $81,000 in the U.S., according to the salary research and data website PayScale, but specialization in mobile architecture, devices and cloud computing could lead to higher salaries.

Information security professionals interested in making a transition to a career in digital forensics, as Naghdi did, need to take five key steps, experts say.

1. Develop Windows Expertise
Because 90 percent of the systems that forensics experts investigate are Microsoft Windows-based, practitioners need to understand the core technology, says Rob Lee, director and IT forensics expert at Mandiant, a certified forensics instructor at SANS Institute.

“Kind of like in the Army, you need to know how to shoot a rifle – Windows is the rifle of computer forensics,” Lee says. Information security professionals who want to specialize in forensics must understand all aspects of how Windows works, including how information is stored, he contends. He also suggests developing expertise in mobile devices and cloud computing.

2. Obtain Specialized Training
Greg Thompson, security manager at Canada’s Scotia Bank, who is also an (ISC)2 advisory board member, believes the best way to learn about digital forensics is to obtain training at schools or certification bodies, including the International Association of Computer Investigative Specialists, Sans Institute and the International Information Systems Forensics Association.

Thompson recently hired two professionals from community colleges in Canada who were trained in applying forensic investigative techniques and skills. “The main skill is developing a creative mind-set to think like an attacker in responding to the situation,” says Thompson, who oversees the forensics practice at Scotia Bank.

He also recommends security professionals take online courses, seek help from professionals with law enforcement backgrounds and learn on the job. In particular, he encourages developing expertise in forensic investigations of mobile devices, firewalls and malware.

3. Build a Broad Technical Background
When investigating unauthorized data access, for example, forensics experts must know how to recover lost data from systems, analyze log entries and correlate them across multiple systems to understand specific user activity. “This requires a solid understanding of networks, systems and new types of malware intrusions and analysis,” says Marcus Ranum, CSO at Tenable Network Security. “Only a broad IT exposure can help professionals understand the different types of data and what is most critical to capture.”

Naghdi emphasizes the need for good computer programming skills to understand how data is stored and how hard disks operate. “Strong programming skills often help the forensic expert in understanding and discovering the different ways of storing and recovering data,” he says.

4. Gain Legal Knowledge
Forensics specialists need to understand breach notification regulations as well as the legal implications of not maintaining a proper chain of data custody. They also need to understand, for example, how a cloud computing provider will identify, locate, preserve and provide access to information when the need arises, as well as how to legally preserve data for litigation purposes. “More and more practitioners need to understand the legality around data retrieval, storage and protection,” Lee says.

5. Understand Upstream Intelligence
Gathering upstream intelligence involves such steps as observing outgoing messaging patterns or filtering infrastructure for suspicious source rules or inappropriate user behavior. This may provide significant insights into the security posture of an organization.

Forensics goes far beyond relying on recovering pictures, data and e-mails in order to solve a case. “We now require professionals to be engaged in intelligence gathering and analysis and to work across multiple machines, different environments and devices, which could lead to investigating advanced hackers that are moving within the organization,” Lee says.

Complexity of Investigations
Digital forensic investigations are becoming far more complex.

For example, Lance Watson, chief operating officer and forensic investigator for Avensic, a forensics and e-discovery consulting company, tackles such challenges as locating information in the cloud or helping clients track and analyze e-mails and text messages on mobile devices. “It’s become harder to investigate user activity or discover digital evidence quickly because of remote locations and multiple storage devices used,” he says.

The growth in cloud computing and mobile devices has further strengthened the market for forensic pros by increasing demand for eDiscovery services, which involve preserving, collecting, managing and producing electronic evidence relevant for a court case.

The demand for eDiscovery services is leading many companies to establish an internal eDiscovery team rather than relying on an outsourcer. And this is creating new job opportunities. For example, Thompson of Scotia Bank recently transitioned from outsourced eDiscovery to an in-house forensics and data recovery team largely to gain cost savings and get better control of investigations and data.

Naghdi of Computer Forensics Lab says information security professionals can expect demand for forensics experts to grow. “There is definitely an uptake in hires for forensic experts, and this trend will continue,” he says. But to make a successful transition to a role in forensics, Naghdi says, security professionals must “have an inquisitive mindset to find new ways of exploring emerging areas and finding digital evidence.”

Read More

What Does It Take to Do Forensics?

Hardware
1. Become familiar with the inside of the computer
2. Understand hard drives and their settings
3. Motherboards
4. Power connections
5. Memory

Knowledge of Operating Systems and Software

Operating Systems
–Microsoft Products
–Linux RedHat
–UNIX

Software
–Forensic Software
–HTML
–Microsoft Office
–Quick View Plus

Training
1. New Technologies (NTI) in Gresham, OregonGuidance Software (Encase)Access
DataHTCIA Annual Conference
2. PatienceOne needs the ability to be able to sit in front of the computer
and analyze the data for what could be an extensive amount of time.”No such
thing as point and click forensics.”

Read More

Where Should Computer Forensics Begin?

Analysis Areas
–Email
–Temp Files
–Recycle Bin
–Info File Fragments
–Recent Link Files
–Spool (printed) files
–Internet History (index.dat)
–Registry
–Unallocated Space-free space on the hard drive
–File Slack-free space between the end of the logical file and the end of physical file (cluster)
–RAM Slack-free space between the end of the logical file and the end of the containing sector
•Sector-the smallest group that can be accessed on the disk. A group of disk sectors as assigned by the operating system are known as clusters

Read More

Acquiring Electronic Evidence from Hard Drive

Forensic Image of the hard drive means to take an exact copy of a hard drive including deleted files and areas of the hard drive that a normal backup would not copy;
Never boot off of the hard drive;
Use write protection software to protect the original evidence;
Make a copy of the original evidence and do all work off of the copy;
Document all aspects of the hard drive;
Tag and store original evidence;
Best evidence is original evidence;

Read More

How to Secure the Computer as Evidence?

Photograph and log room, position of computer and status of computer;
If the computer is “OFF,” Do Not Turn “ON”;
If the computer is “ON,” Do Not Turn “OFF”;
Place Evidence tape over each drive slot;
Photograph and label back of computer components while they are plugged in;
Label all connection ends to allow reassembly if needed;
If transporting, treat all components as fragile;
Collect all devices such as cables, keyboards and monitors;
Collect instruction manuals, documentation, and notes;
User notes may contain passwords;

Read More

Computer Forensic Example

Recovery of over 1000 E-Mails off of a hard drive;
A year and half after the individual left the company;
After the hard drive had been formatted;
After the machine was in use by another user for that year and a half;
Best way to remove e-mail from a hard drive is to hit with a sledge hammer and throw it into a furnace;

Read More

What the role of the computer in the forensics is?

A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. In some cases, the computer can have multiple roles. It can be the “smoking gun” serving as the instrument of the crime. It can also serve as a file cabinet storing critical evidence. So when investigating a case, it is important to know what roles the computer played in the crime and then tailor the investigative process to that particular role.

In most cases, the computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:

1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.

2. Discover all files on the subject system.This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all (or as much as possible) of discovered deleted files.
4. Reveal (to the extent possible) the contentsof hidden files as well as temporary or swap files used by both the application programs and the operating system.
5. Accesses (if possible and if legally appropriate) the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called unallocated space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as slack space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data but once again may be a possible site for previously created and relevant evidence).

7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provide an opinion of the system layout; the file structures discovered; any discovered data and authorship information; any attempts to hide, delete, protect, or encrypt information; and anything else that has been discovered and appears to be relevant to the overall computer system examination.

8. Provide expert consultation and/or testimony as required.

Read More