Getting started in digital forensics

Chris Sienko: Welcome to another episode of the Cyber Work with InfoSec podcast, the weekly podcast where we sit down with a different industry thought leader to discuss the latest cybersecurity trends and how those trends are affecting the work of InfoSec professionals as well as tips for trying to break in or move up the ladder of the cybersecurity industry.

Today's episode is a webinar which we released on April 30th, 2019 and features InfoSec instructor and managing partner at KM Cyber Security, Keatron Evans. During the course of this webinar, Keatron is going to give you a solid foundation on which to start your digital forensics career discussing some of the following topics: the difference between computer, mobile, and network forensics, how a forensic certification can progress your career, and a digital forensics demonstration of your choice from which attendees pick the topic. We also answer digital forensics questions from live viewers. I should note that because some of the episode involves hands-on demonstrations of digital forensics topics, you should probably also go to our YouTube page, search for InfoSec, and watch the video version as well. And now let's listen to this episode, Getting Started in Digital Forensics featuring Keatron Evans and moderator Hunter Reed.

Hunter Reed: We're excited to have Keatron back with us today to teach us a little bit about digital forensics. Keatron has done a few webinars with us in the past and always offers valuable contemporary insight into the world of cybersecurity. Keatron Evans is regularly engaged in training, consulting, penetration testing, and incident response for government, Fortune 50, and small businesses. In addition to being the lead author of the bestselling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you'll see Keatron on major news outlets such as CNN, Fox News, and others on a regular basis as a featured analyst concerning cybersecurity events and issues.

Hunter: For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry. Jeff Peters is the product manager for InfoSec training, including both InfoSec Flex Boot Camps and our new InfoSec Skills on-demand training platform. He'll be helping me moderate today's webinar. Today they will be diving into digital forensics and how it relates to careers, education, and training in cybersecurity. Jeff, why don't you go ahead and get us started.

Jeff Peters: Hey, thanks Hunter. Great to be here and great to have Keatron back to discuss digital forensics with us. Keatron, I thought we could start by giving an overview of the different types of forensics out there. You know, here at InfoSec you teach a few different courses on different types of forensics such as computer, mobile, network forensics. So maybe we could briefly explain the different types of digital forensics and how they relate to when you're conducting investigations?

Keatron Evans: Yeah, absolutely Jeff. Thanks a lot. So computer forensics is really where a lot of it all started when we think about digital forensics. If you look at the things listed here, a computer was one of the first things, at least on the consumer side, that we had access to. Not everybody had a network or access to a network 40 years ago, but there were computers that were parts of mainframes and things like that. So when we look at computer forensics, that's really the foundation of it all and where it all started.

I think the very first computer forensics program was actually written by an IRS Special Agent, Department of Treasury Special Agent, that was trying to prosecute some tax case with some big corporation, right? So it was a white-collar thing. So computer forensics is where it started. And nowadays, when we say computer forensics, we're mostly talking about dealing with memory and hard drive. So is there any evidence or any data on the hard drive that can prove a case or help us prove a case? And is there anything in memory on that computer that was leftover from some recent attack or whatever the case may be that can help us prove a case?

When we look at mobile forensics, that's definitely a more recent innovation. Because if you think about it, once upon a time, if you look at your mobile phone, like your cell phone, when phones first came out, they were primarily used for what? We used to just talk on them, right? if you think about how you utilize your phone, we primarily used them to talk. And then we migrated from that to we do everything but talk on it. I rarely actually have a conversation on my cell phone now and I think most of us fall in that same category. We do social media, we check emails, and we play games on these things more than we do anything else.

And another important thing we do on them is actually look for directions and use it for GPS. So long story short is these mobile devices, phones and things like that, are just little treasure troves of digital evidence. So this has a lot to do with the huge uptick in the relevance and importance of mobile forensics. So when we say mobile forensics, we're primarily talking about cell phones, iPads, and tablets and things like that.

Network forensics is really you're doing forensics on how all these other things communicate, right? So cell phones communicate via towers and packets. Computers communicate over networks via packets. So network forensics is really looking at the communication between devices and getting data and relevant evidence out of packets and that type thing as related to how stuff is communicating. And it's really another area that's taken a lot more importance as of recent because, again, the more and more that we innovate in how we compute and do these things digitally, it changes where a lot of the evidence is.

For example, a lot of the child exploitation cases that I've assisted on in the last five or six years, there's been a ton of evidence that's been gathered from network traffic. And primarily because if you look at the bad guys that are doing this stuff, a lot of them have wised up to the fact that, "Oh, we should be streaming this stuff. We shouldn't be downloading it and having evidence on our hard drive. We should just stream it." Whereas there used to be a treasure trove of evidence on hard drives we don't see as much of it anymore. And we're at definitely having to turn to memory and network and get that.

And cloud forensics is obviously the newest because there's a whole lot of questions, and we'll get into some of that when we talk about some of the cloud stuff later, where there are questions about responsibility. How much access is Amazon or Microsoft or Google going to allow you into that cloud environment to do proper forensics? What does proper forensics even mean anymore because cloud services have actually changed a lot of that? We don't have physical access to our computing devices anymore because a lot of those computing devices are really virtualized amazon servers are virtualized Microsoft Azure service. So that's kind of the differences between the four.

Jeff: Yeah. And then for those listening out there who are maybe thinking about getting into a career in digital forensics, are they likely to need to know all four of these different areas or is it a team of people that's investigating and you kind of specialize in one area? I was wondering if you could explain that a little?

Keatron: Yeah. Generally, you start off with one specific area and, just because of how integrated our environments are now, you will end up touching on kind of all of them at some point. But there are definitely people that specialize in certain areas. For example, I started off my career, as far as doing anything forensics with computer forensics, and then slowly moved into mobile as that became a thing, and moved into network, and now I do probably more cloud, I would say cloud and memory forensics combined and I do just about anything else. So I think you could jump in at either one of these. A lot of people that I know that are experts in different areas, a lot of them kind of started with, I guess you could say, mobile forensics. Especially if you look at like law enforcement because a lot of the people, the detectives and people like that in law enforcement, their first forensics thing that they had to do was get something off somebody's cell phone. And again, that's because a lot of the evidence nowadays in crimes end up starting on cell phones.

Jeff: Mm-hmm (affirmative) And is there one type of forensics that you enjoy doing the most?

Keatron: I would probably say that I think combining memory and network, I think I probably have a hybrid. The combination of those two is probably my favorite because of the fact that the mobile is kind of getting to the point to where if you don't have a way to get past some of the vendor protection, there's a limit as to how much you can get. So combining network and cloud and memory is kind of where I focus a lot of my time now because there have been several cases where we've been able to get at iCloud accounts, for example, and get evidence out of there that we couldn't get off the phone because we couldn't get around the lock on the phone. But getting into iCloud sometimes proves to be easier than, for example, trying to get around the app or protection on the physical device. So it's just I find myself kind of gravitating more towards the network and the cloud side. And also that's where a lot of my work lies too.

Jeff: Mm-hmm (affirmative) Yeah. So I'm moving on to the forensics process, the next slide. Just wondering, maybe, if you could kind of walk through... As far as I understand it, this is the basic forensics process that works for a lot of investigation. So could you maybe explain each of those steps and what someone who has a career in digital forensics will actually do as they go through an investigation?

Keatron: Yeah, sure. So generally, if specifically, let's take computer, for example, if you're approaching a site or something like that, there are some steps that you go through where you have to make sure that you're not investigating or you're trying to grab evidence that's not going to be relevant to the case. But you have to balance it out with you don't want to exclude something that later turns out to be extremely relevant as well. So the first thing is identification. Being able to identify what needs to be investigated or gathered or tagged. For example. Next, you want to go through a process of preserving data. And when we talk about digital evidence, that can be a very tough thing to do because when we look at hard drives and the risk of static electricity and all these other things that you can physically do to disrupt or destroy evidence on these devices, you have to get into things like understanding what electrostatic bags and bags that don't allow wireless communications in and out of them, like Faraday bags and things like that.

Because if a suspect knows that their device is being seized, they might do something like try to wipe it. There are all kinds of different things like that that you'd have to consider as far as preservation. Proper evidence collection. When you collect it to put it somewhere to be analyzed later, that's part of preservation as well. Making sure that the evidence that you're collecting is actually done in a forensically sound way. I can't tell you the number of cases that I've been pulled into either halfway through it or last minute where they really messed up the preservation part and a lot of the evidence is completely not usable or it definitely wouldn't be admissible in court because of how they collected it or how they preserved it.

So those first two steps, I would even say that the preservation and doing proper and forensically sound preservation and gathering is more important than just about anything else in these phases. Because if you don't preserve it or you don't maintain the forensics integrity, everything else that you do after that's kind of useless. You could be the best analyzer and the best hard-drive analyst person in the world, but if you're working with data or forensics evidence that may have been tainted because the integrity wasn't maintained on it, then it's going to be useless.

So I always tell people when I teach gathering evidence and things like that is the only thing you can't come back from is if you mess up the collection and preservation. Because if you mess that up, everything else from that point on is going to be flawed. If you go to the analysis part, for example, and you miss something or you don't find something, well, you can always go back and find it, you know? Whereas with the preservation part you can't undo that mistake that you made to make that evidence inadmissible.

Extracting the information is basically you want to make sure you follow proper methodology for that as well. And you have to be careful because with the powerful tools that are out there now, we always say with great power comes great responsibility. A couple of things can happen, and I've seen this, you can set your extraction tools would be extremely sensitive because you don't want to miss any little smidgen of evidence but also doing that could make the extraction take exponentially longer. So you might say, I got Jeff's hard drive and I want to get every image thumbnail that's bigger than 1 KB. Well, if you set your tool to that setting, for one, it's going to take probably 10 times as long as is if you use what something that we would commonly use, like 12 KB or something like that. And then on top of that, you're going to have sometimes so much digital evidence now that you're never going to be able to get through all of it and analyze it. So that's another part that's important as far as you actually getting through a case.

And then, of course, the analysis, you want that always to be non-biased. And then probably the second most important part, almost as important as not messing up the collection and preservation is the reporting. Because if you do everything else right and your report doesn't clearly reflect your findings in a clear and concise way, then it might be viewed upon as bad or frowned upon. And even may not be admissible because a judge might decide that your report has no relevance to the case because of how poorly you wrote the report. And I've actually seen it happen on a few cases.

So all of these steps are important and just getting them kind of nailed down and getting hands-on with the processes is really what makes it makes you good at it.

Jeff: Yeah, now does every forensics investigation pretty much follow these same steps.? I'm thinking back on the last slide we were talking about mobile and cloud and different types of forensics. So obviously, over your career, has there been a shift at all with these new technologies into the way you conduct forensics or maybe with more emphasis on different steps or more challenges for some of those steps?

Keatron: Yeah, you generally still follow the same process here, but what ends up happening a lot of times is when you come into cases now, let's say, because we can't even just say forensics anymore or digital forensics because the truth of the matter is is there's digital forensics for cases where we might be trying to prosecute someone, right? Like if it's a child exploitation, human trafficking, murder or something like that, then we're trying to prosecute someone. But what we also have to consider is a lot of the investigations are hinged on supporting incident response. There's been a data breach or something like that.

And most of our customers that we do incident response for, if you were to rate on a prioritization table how high they prioritize being able to prosecute somebody, it's usually really, really low down the prioritization chart. They're really just trying to do business continuity and be able to get back to operational state. Find out root cause. Make sure it doesn't happen again. Those things. So your forensics approach might not change but your forensics focus changes. So that would a lot of times affect how much time you spend on each one of these phases.

So I don't think the phase has changed that much, but I think your focus in each phase changes based on what type of case it is. Because we always want to maintain integrity of evidence and that type of thing. But when we're looking at a hack or data breach, a lot of times that's kind of the out the window because you might not even have any integrity to maintain. For example, if it's a cloud server that's been compromised, you can't really get a forensically sound image of that hard drive anymore because you don't have physical access to it. So the best you have is a logical image and a memory dump. And these things are, since that VM is constantly running, you have a hard drive but you're going to have a hard time being able to verify integrity on. So it's really just, at that point, investigating for the sake of finding out root cause and eventually eradicating whatever that threat is.

Jeff: Mm-hmm (affirmative) Yeah. And you've been teaching these courses for a while so just wondering, as you teach, is there any one of those steps that students have the most difficulty trying to either understand conceptually or the actual process of it?

Keatron: Yeah, I think definitely the... Because ironically, the collecting where you do to preservation. You take images and stuff like that. While that's the most critical, that's also the easiest because once you remember these two or three critical things that you never ever, ever do, and the two or three things that you always have to do, once you to get that down to a process you're not likely to mess that up.

But the part where I find that students have the most challenges is in the analysis because there's so much to analyze. And when we're doing analysis, you have these tools that are going to spit out all this information for you, but you still need considerable amount of skills to process that information and make it into a report that's useful to someone. Because a lot of it's really, really technical and to take that and convert it into something that someone that's not technical can understand, I find that a lot of students have challenges with that part. Either they're not technical enough to get it or they're so technical that they're not good at putting together that non-technical report for case findings and that type thing.

Jeff: Mm-hmm (affirmative) Yeah. So moving on to some more general forensics career kind of discussion. This is one of the slides that I was most interested to hear your thoughts on today. Because whenever I go to local chapter events for InfoSec professionals or people just send us questions or want to know more stuff about InfoSec careers, that's always one of the big questions we get is, how do I get started in this career? How do I change this career? Or how does it fit into the overall picture? So I was wondering if you could touch on that a little bit, maybe different types of forensics careers out there, whether they're entry-level or mid-level? Just how they fit into the overall picture and overall teams that are out there.

Keatron: Yeah, absolutely. So what I've seen, at least in the industry, most people that are doing forensics come from one of two backgrounds. Either they were doing pen testing or some other cybersecurity row and they worked their way into doing something forensics or they come from a law enforcement background. So they already have investigative skills, some analysis skills that they just translate it into doing computer forensics or cyber forensics. So I definitely think that those are the two primary places that we see people coming from as far as a background. But I also don't want to eliminate. I think you can come from anywhere and do it, but as we said at the bottom, their skills do carry over.

But also I want to point out that to be a good pen tester or a good hacker, you have to have some decent forensic skills because a big part of pen testing is covering tracks or a big part of hacking is covering tracks to where you want to make it to where forensics is hard. And if you don't understand how forensics work, then you are not going to be very good at making forensics difficult for a seasoned forensics person. So I think that to be a good pen tester you need forensic skills.

And I think really to be a good forensics person in this day and age, you have to have some pretty significant skills and understanding of how attacks work and pen testing and that type thing. Because, essentially, if you're going to be doing forensics as part of an incident response effort or even as part of a threat hunting effort, for example, you going to need to have an understanding of how these threat actors operate, otherwise you don't even really know what you're looking at. You can collect the evidence, but you don't know what you're looking at you can't piece it together.

So I think it goes hand in hand and I don't want to limit people to think that you really have to come from one to the other. It's just that wherever you start, you're going to always have to round it out to really be good at whichever one of these careers you pick. Forensics is no different. You want to have other skills. I mean the day and age of where you can make a living just doing hard-drive forensics, I think those days are numbered so you're going to definitely have to step it up some.

Jeff: Mm-hmm (affirmative) Yeah. And curious about entry-level roles in forensics. I mean you talked about how you need a good amount of experience in different things and how those skills fit into a lot of different areas. But, for example, if you're hiring someone maybe a little more new to the field for a forensics role, I mean I guess, one, are there roles out there that are more entry-level? And two, what would be kind of the minimum that you would be looking for for someone to go into one of those roles?

Keatron: Yeah, I think the entry-level stuff starts a lot with just doing collections, is what we call it in the industry, where if I hired somebody new your primary job is probably going to be to go out and either do collections or assist with collections. Because, as we said, that's the most critical part but it's also the easiest to master because if you're doing hard drive collections or mobile device collections, once you remember to always plug in a hardware write blocker between that device and your imaging machine and get those steps down, it's really hard to mess that up. So as an entry-level person, you're going to get really, really good at doing collections. Just collecting the evidence and bringing it back to the lab for the more seasoned people to do the examination and the analyst type work.

And then as you get comfortable with collections and you understand that, there's opportunity for you to assist with the analysts, with the people to an incident response and stuff like that, and eventually move into those roles. And I think anyone could literally go and, if you've got the right tools, you could start from nothing and get pretty good at collections in a very short amount of time. So I think that's a good entry point for people if you know nothing else.

Jeff: Yeah, that's perfect. I was actually just about to ask you that. If someone's listening and they really want to get started in forensics, obviously, they can take one of your courses, which we'll talk about in a minute, but you mentioned different tools. Are there free open source tools that someone can go use to get started and kind of get their feet wet with this kind of stuff or do they have to use paid tools? Can you talk a little bit about that?

Keatron: Absolutely. You can definitely get pretty good with some of the free tools. Some of the ones that we like is Autopsy. It's a good free open source tool that you can go out and download and use for free. There's one called Foremost that we like to use to get our data out of hard drive images and things like that. And these are tools that we still use. Even though we spend lots of money on paid-for tools, we still use a lot of open source tools in our practice just because they're the best at doing some things. So definitely, to start with, you want to have Autopsy, Foremost. There's a tool called Scalpel for network forensics. There's a tool that we always use called NetworkMiner. Wireshark. You definitely want to have that. Volatility you want to have in your docket for memory forensics. There is also a tool called DumpIt that we use actually do a memory dump off of a machine to be able to do memory forensics. So those are some of the key open source or free things that you can go get and start with right away.

Jeff: Mm-hmm (affirmative) Yeah. So moving on to the next slide. Just wanted to touch base a little bit about your course that you actually teach. Obviously, as we mentioned before, you teach a few different forensics-related courses. So can you give the listeners just a sense of what a boot camp is like and a typical day and the kinds of things that they would learn in one of those courses?

Keatron: Yeah, so there's a couple of us that teach this course from time to time. And the thing is is generally what we do is we start off the first day dealing with a lot of the legal stuff, just to kind of get that out of the way because it's very not hands-on, it's not technical, but it's something that's important that we have to kind of get out there. So we start off the first day talking about legal stuff. And then we move in chain of custody where you get the see what chain of custody forms look like. And I even hand out you evidence hard drives and things like that and you have to document that and start a chain of custody for the evidence that I'm handing over to you. So students actually get hands-on experience for like taking photos of evidence, documenting what they have, putting serials and stuff like that in the chain of custody documents. And you walk away with chain of custody templates, which is a good thing because you have something to actually start with.

And then we quickly move right into the technical depth of it. You will actually take an image of a hard drive and then you will analyze that image and then we'll move, later in the week, probably the mid-day Tuesday or late Tuesday afternoon, into doing some memory forensics to where you can get hands on that. And then we move into network forensics. And then we always do these kind of capture the flag type, you can work on it in the evening if you want, types of exercises where you take the things that you learned during the day and you try to solve kind of real-world problems, forensics problems, with those skills that you gained throughout the day. So we create PCAT files and traffic files and memory forensics or memory images and hard-drive images that you get the play with to see if you can answer questions and things like that.

So we make it very real-world and very hands-on. And the Flex Center is kind of like our central point for all that because all the courseware, all of the prerecorded videos, and everything like that is right there in the Flex Center. So you don't have to worry about losing anything, losing a book or anything like that because all of that stuff is provided digitally, right inside Flex here. And that makes it useful for students because some people will come to class and they'll say, "Hey, I can't come back at 6:00 because I got to take the kids to dance or whatever, but I'm going to come work on this at 8:30 tonight." And they have that flexibility because now it's all right here in Flex.

Jeff: Yeah. So, Lori, she was asking about security clearances and if anything like that is required for some of these positions? And if so, what level would be needed?

Keatron: If you're working in the government, they're going to require a clearance if you're going to be working in an area that's either deals with secret or top secret information or something like that. But you can definitely have a successful career in this field without ever having a clearance. You don't have to have a clearance to do this kind of work. It's just if you're going to do it in a government facility, most of them are going to require that you have a clearance. So that's the answer to that.

Jeff: Yeah. And what about specific certifications? I know, for example, the DOD has their certain requirements for different certifications. Are there any forensic certifications that fit into that? Or just certifications in general that you or someone who's hiring for these positions would be looking for?

Keatron: Yeah, I know they are trying to get CHFI on that 8570 lists, but I'm not familiar with a lot of forensics-specific certifications. One of the things about forensic certifications is a lot of the certs are vendor-specific. For example, EnCase has their suite of EnCase certifications and FTK has their access data certifications and those certs are mostly specific to those specific tool sets or products that you're using. But there are not a lot of vendor-neutral forensic certs that are on the 8570 required list.

Jeff: Mm-hmm (affirmative) And we've had a couple of people chime in asking about salary? Obviously, that varies widely depending on position and location. I was just wondering if you have any thoughts you could share around salary for different types of positions?

Keatron: Oh, sure, sure. So it depends on what kind of forensics you're doing. if you're calling yourself just a forensics person and you're doing just forensics you're not going to be making, what we would call, top-end cybersecurity salaries there. But if you're doing forensics and that's one of your core skills, you can definitely use that as a way to increase your value in an organization. But if you're just doing like, for example, hard-drive forensics, you can look to make anywhere from, some of the low-end stuff I've seen starts as low as like $70,000 a year. But then I've seen some also go up to over $100,000 a year as entry-level. And it really depends on what the requirements are and what it is they're wanting you to do.

I know there was one particular person that I mentored. She was really new to the field. She didn't have any real experience or anything like that, but she ended up getting a job paying I think like $160,000 a year as a entry-level forensics person. But she was actually doing it for a large law firm. So she took on the role of being the forensics person for a large law firm. And she was responsible for gathering all their information and that type of thing.

Jeff: Awesome. Yeah, I think we have time, just real quick, maybe take one or two questions before we wrap up. So let me just peek through here, see if there are any ones that stand out. So I guess, yeah, kind of related to the demo that you just showed us. We have one from Calvin. He was asking, "Can attackers do or use anything to thwart the use of these memory dumping tactics?"

Keatron: Yeah, there are some things that they do. So one of the big things now is something called fileless malware, that's F-I-L-E-L-E-S-S malware, where instead of actually putting a functioning binary or functioning piece of code, they just manipulate the things that Windows already has in memory and use those things to do whatever it is they need to do. And that is a common thing now, and that's much, much harder to detect with the memory dump. But you can still detect it, you just have to know what threads and which handles to look for in memory as far as how these built-in Windows APIs are being manipulated and used. But it's much harder for sure.

Jeff: Yeah. I see we have a few other questions. We'll probably just take one more quick, but if you did submit a question we can definitely follow up with you via email after the webinar's over. The last question we'll take here is someone says they don't really have a lot of experience in the field or actually they say they have no experience whatsoever. Looking at your demo and seeing what you're talking about, it says, it sounds like it's primarily for those who are already doing some form of IT-related work. So if someone has basically absolutely zero experience in IT, is there any recommendations you have for them to get started if they have an end goal of being involved in forensics? And do you have a timeline of how long it could take to kind of go from zero to a job?

Keatron: Yeah. Well, definitely you want to... If you have no IT experience, that's something different. You want to jump into A+, Net+, Security+, Network+, things like that to kind of get yourself acclimated to IT. Definitely, I don't recommend someone come from no IT experience at all into forensics. But if you have some IT experience, I think that the transition to forensics is not that big of a curve at all. So if you're new to IT in general, go start looking at the A+ syllabus. Look at the Network+, the Security+ syllabus and even if you don't take a class, just go and study those subject areas to where you get comfortable with it. Set up a wireless network at home, like do basic tech stuff to get yourself into IT before you try to jump right into forensics. I definitely don't recommend coming into forensics with no IT experience at all. I mean people have done it, but it's a much, much bigger learning curve.

Chris: I hope you enjoyed today's episode. Just as a reminder, many of our podcasts also contain video components which can be found at our YouTube page. Just go to youtube.com and type in Cyber Work with InfoSec to check out our collection of tutorials, interviews, and other webinars. And as ever, search Cyber Work with InfoSec in your podcast app of choice for more episodes. See the current promotional offers available for podcast listeners and to learn more about our InfoSec Pro live boot camps, InfoSec Skills on-demand training library, and InfoSec IQ Security Awareness and Training platform, go to infosecinstitute.com/podcast. Thanks once again to Keatron Evans and moderator Hunter Reed and thank you all for listening. We'll speak to you next week.