Ask HN: Computer Forensics - rorry_Breaker

Hey all. I've worked in network infrastructure for a few years, and went back to school to finish up a CS degree. I felt a bit burned out when I left my job, mainly because of boredom... For example, a whole day could be about fixing a connectivity issue in some department or essentially getting their phones and other equipment to work... I know, every job can get repetitive and boring eventually, but I also wanted to work on something that had more substance, if you know what I mean...

Well, I am really interested in Computer Forensics, and hope to move in this direction upon finishing my degree. Is anyone currently working in this field who can give some pointers as to how I can get started? I'd also love to hear a "day in the life" story if you have any. At the moment I'm researching computer forensic certifications to attain, but any additional info is much appreciated; thanks.
======
jcr
Your previous day job of "making things work" implies you might have a talent
for learning and understanding "how things work." If so, this talent will
serve you well in Computer Forensics, Reverse Engineering, Security Auditing,
and many other related fields. Heck, it will even serve you very well in
countless unrelated fields.

You should state what you mean by the phrase "Computer Forensics" and what you
expect such a job to entail?

Without knowing your definition and expectations it's very difficult to give
you a good direct answer. Some of the stuff I've done professionally qualifies
as "Computer Forensics" (by some definitions), but I'm certainly not an expert
in the entire field.

~~~
rorry_Breaker
Yeah, I should've been more specific; I forgot the phrase encompasses a
pretty broad range of jobs. Well right now, I'm mostly interested in working
in a lab analyzing confiscated equipment for some contractor that does such
work for police or whomever to get started. Malware analysis is pretty
interesting as well; though I'm not trying to start there.

~~~
jcr
It seems I wasn't clear... Do you want to work at the physical hardware level,
or the software level, or betwixt, or between, or other?

There's a big discrepancy in skill sets between knowing how to drive a SEM
(Scanning Electron Microscope), knowing how to drive test equipment (signal
analysis), knowing how to drive a disassembler (binary analysis), knowing how
to drive a text editor (manual source code analysis), and knowing how to drive
the "typical" industry tools (automated source code analysis, fuzzing, disk
inspection, case management, ...). On top of all that, there's also knowing
legal requirements and procedure (evidence handling) as well as proper cost
and feasibility estimation ("is it possible?" "is it worth it?").

The most fundamental basis for all of these related fields is knowing how to
write code, preferably in a whole lot of different programming languages. You
need to know the high level languages used in applications and services. You
need to know the common "systems" languages like C and C++. You need to know
the low level assembly languages very well, preferably for multiple
architectures. You may or may not need to go even lower down to knowing
microcode. You may or may not need to know firmware engineering and reverse
engineering. You may or may not need to know a good deal about hardware
engineering and reverse engineering.

There are even people who work at the materials sciences levels, and yes,
they're beautifully fun and spooky to work with because they actually can
answer questions like, "Was this ATM system board frozen with liquid
nitrogen?" --Similar fun is true for the signal analysis folks.

As you've probably guessed by now, there's a lot of heavy engineering and
sciences involved, as well as a bit of art, so you'll need a nearly
masochistic dedication to constantly learning. You might find books helpful to
get you started in various topics, but you'll do most of your learning hands-
on and on your own. The people who are "truly great" in various fields and
topics are at least partially, if not completely, self-taught.

Pick an area of interest, and dive into it. Learn to do your own research, and
learn to find the research of others. The two things to keep in mind are, (1)
all of the areas of interest are inter-related, and (2) there is significant
competition between security/assessment vendors. The competition can often
make finding the research of others nearly impossible. This is especially true
for the malware analysis and security auditing industries where many tools and
techniques are considered trade secrets.

Even if you are an amazing generalist with both depth and breadth in your
skills, you will still most likely specialize to some degree. The useful
skill and knowledge of any single person has limits, so you'll need to know
how to work well with others, many of whom are amazingly talented in their own
right, if not absolutely brilliant. If you can remain content, helpful and
useful while knowing you might be the dumbest guy in the room, then there is
hope for you.

The technical challenges of forensics and related work are endless and very
rewarding, but there is a little known and very damaging emotional toll
extracted from you. Every day at work you must stare at evil. Seriously.
You need to stare at the results of truly wicked people committing viciously
brutal crimes against other human beings.

You will become jaded.

If you fail to maintain some hope in the general goodness of humanity, you
will become bitter.

If you become really good at your job, you will have learned to think like the
bad guys... and anyone who recognizes your skills will consider you "spooky"
to some degree, even if you're one of the good guys. The absolute nicest and
most honorable "good guys" in the various fields are also frighteningly
talented.

Becoming jaded, or worse, bitter, and always being suspect due to your
demonstrated skills tends to be a rather high price tag for a career. --This
is really the very first thing you should learn.

~~~
rorry_Breaker
Thank you, that was an incredibly insightful reply. It would probably be
easier for me to gain entry via the software aspect, however I'm leaning
towards the hardware aspect as you described above. So, to give a solid answer
to your question above, I'd choose "between" (or even just hardware). Books on
this subject matter seem relatively obscure though. Perhaps I shouldn't look
for "forensics" books, but rather just detailed books on some of these devices
and how they work.

Your explanation of the emotional toll taken is especially insightful and
makes me even more intrigued. Admittedly though, I didn't think people working
in computer forensics would witness or have to work on situations involving
brutal or violent crimes; not that it would deter me from pursuing the career.
I imagined it mostly comprised of corporate crimes. I did read about people
having to deal with things like "snuff films" or child pornography; I can
imagine people becoming jaded and having a cynical outlook on humanity after
working on things like that.

~~~
jcr
It seems you already realize your degree in CS will not prepare you for
electrical engineering and analysis of hardware. On the bright side, your CS
degree will (should) provide a good knowledge of fundamental logic,
mathematics and algorithm design, so it is _always_ helpful. For example, you
may be required to write code to automate electronic test equipment to gather
results on a piece of hardware you're scrutinizing, and then, of course,
you'll need to write even more code to analyze the resulting data.

If you really want to specialize in hardware forensics, getting an EE degree,
or even a minor, will be very beneficial. Personally, I never bothered to get
an EE degree, and the gaps in my EE knowledge are something I stumble over far
more regularly than I'd like to admit. Off the top of my head, I can't think
of a single autodidact that is a good electrical engineer. The only exception
would possibly be Bob Davis of IEEE fame but only with a caveat; he simply
skipped a 4-year EE degree and went straight for a masters (MSEE). ;-)

I do not mean to offend you but if you believe "corporate crime" is somehow
victimless, then you are naive and you are in for a very rude awakening. It is
a very common misconception so don't be too embarrassed by your oversight. I
had the very same misconception when I started.

Always remember that you are dealing with real crimes, real victims, and real
criminals. The manner in which you respond (incident response) and the manner
in which you handle the situation (evidence handling) can either make or break
the case against the perpetrator. You will often be working directly with law
enforcement, or even be a law enforcement professional yourself.

Like any law enforcement professional, you will be running a risk to both
yourself and your family. Criminals are dangerous.

I strongly encourage you to take the time to talk to officers and agents about
their careers. Even an every-day "street cop" can teach you far more about the
crimes they must face than you might ever want to know. As mentioned before,
the first thing you need to learn is whether or not forensics is the kind of
career you really want, but the second thing you need to learn is whether or
not you are actually cut out for the job...

[http://arstechnica.com/tech-policy/news/2011/01/csi-google-winning-murder-convictions-with-search-engine-data.ars](http://arstechnica.com/tech-policy/news/2011/01/csi-google-winning-murder-convictions-with-search-engine-data.ars)

That's just a recent headline I read yesterday, and even though it's murder,
it's tame by comparison to some of the crimes you will face in forensics.
Even if you have the dedication to acquire all the needed technical skills,
you may not have the required personality and fortitude to do the work.

The third thing you should learn is proper incident response and evidence
handling. When you know enough to avoid the mistakes that destroy the
prosecution's case, then you can potentially do technical volunteer work with a
branch of your local law enforcement. Be prepared for law enforcement to do
background and reference checks on you, even as a volunteer. Law enforcement
always needs technical help, and volunteering is a good way to get the
experience needed to ascertain if you're fit for the job. Talk to your local
police department, FBI, Secret Service and most of all, District Attorney
offices.

The uber elite world of rainbows and ponies regularly depicted by famous
computer "security" folks fails entirely the moment you mention the f-word
(forensics). It might come as a surprise, but I do not mean to discourage you.
Instead, I'm encouraging you to make an informed and intentional decision.

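Evidence handling, as raised above, comes down to being able to prove that what you analyzed is what was seized and that nothing changed it in between. The following is an added example, not code from the thread or from any agency's procedure: it hashes a constructed stand-in for an acquired image, records the digests in a chain-of-custody log, and later re-verifies a working copy, catching the kind of accidental write (e.g. mounting an image read-write) that gets evidence thrown out. The evidence bytes, examiner names and log format are all constructed for illustration.

```python
"""Hash-based integrity checking for a forensic evidence file.

Added example, not from the thread. The evidence bytes, examiner names
and the in-memory log format below are constructed for illustration and
do not reflect any particular agency's procedure.
"""
import hashlib
import json
from datetime import datetime, timezone


def hash_evidence(data: bytes) -> dict:
    """Compute independent digests plus the size of the evidence bytes.

    Recording more than one hash algorithm is common practice so that a
    later weakness in one algorithm does not undermine the record.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
    }


def log_custody_event(log: list, action: str, examiner: str, digests: dict) -> list:
    """Append one timestamped entry to a chain-of-custody log and return the log."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "examiner": examiner,
        **digests,
    })
    return log


def verify_evidence(data: bytes, recorded: dict) -> tuple:
    """Re-hash the evidence; return (ok, list of recorded fields that differ)."""
    current = hash_evidence(data)
    mismatches = [k for k in ("sha256", "sha1", "size") if current[k] != recorded[k]]
    return (not mismatches, mismatches)


# Constructed sample: stands in for a raw image acquired from seized hardware.
EVIDENCE = b"\x55\xaa" + bytes(range(256)) * 4


def demo() -> dict:
    """Acquire, copy, accidentally modify the copy, and detect the change."""
    log = []
    acquired = hash_evidence(EVIDENCE)
    log_custody_event(log, "acquired", "examiner A (constructed)", acquired)

    # Analysis is done on a working copy; the original is never touched.
    working_copy = bytearray(EVIDENCE)
    ok_before, _ = verify_evidence(bytes(working_copy), acquired)

    # Simulate one stray write to the working copy, e.g. a read-write mount.
    working_copy[512] ^= 0xFF
    ok_after, mismatches = verify_evidence(bytes(working_copy), acquired)
    log_custody_event(log, "verify", "examiner B (constructed)",
                      hash_evidence(bytes(working_copy)))

    return {"ok_before": ok_before, "ok_after": ok_after,
            "mismatches": mismatches, "log": log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that a single flipped byte changes both digests but not the size, which is why the size alone is never sufficient; in practice the digests would be written to a signed, append-only log rather than a Python list.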
~~~
rorry_Breaker
Well thanks for the encouragement; this is really only increasing my
enthusiasm. I never meant to say that corporate crimes are victimless in any
way, but that I was under the impression that computer forensics had a
relatively low involvement with "brutal crimes" as you described in your post
before last, and a significant involvement with white collar crimes. Of
course, there are exceptions just as that interesting story you linked; but
admittedly I know very little about this as I've never worked in this field
myself nor do I personally know anyone who has. Sometimes people's
expectations are far from the reality of a thing, like some students' first
realization of what computer science really is. I take no offense at all.

Speaking of that story you linked, I was wondering how they knew it was him
who made those search queries; perhaps they somehow found out where she was
during the time the searches were made. When I finished reading it though, I
didn't find myself disagreeing with the verdict --especially considering the
evidence of suffocation. Seems a bit unlikely she'd be able to fake that.

I never knew the agencies you named were so accepting of volunteers. I would
have thought they would be suspicious of people volunteering --especially for
a line of work that carries such a gloomy stigma (what kind of person would
want to do this work and why?). So, thanks for the heads up, and I will
definitely look into that.

It sounds as if you fall into the "between" category yourself. Do you find one
(software vs hardware) more enjoyable than the other?

~~~
jcr
> I was wondering how they knew it was him who made those search queries

It seems you didn't read page #2 of the article which discusses the timing
analysis of the evidence.

Tsk Tsk Tsk ;-)

> especially for a line of work that carries such a gloomy stigma

It is doing very good and very important work. It is doing the right thing. It
is benefiting society. It is making a difference. It is performing service.
The fact that it happens to be far more difficult than most would ever imagine
only makes it that much more important. Though it can be a very tough job at
times, it is also very rewarding, even if you're just a lowly "volunteer"
doing the time consuming menial tasks.

If you consider it gloomy and depressing, it will be.

If you consider it rewarding and gratifying, it will be (well, at least most
of the time).

The choice is yours.

> what kind of person would want to do this work and why?

Ask street cops. Ask detectives. Ask FBI/SS agents. Ask district attorneys.
...

One of my favorite people on the planet to talk to is a retired detective from
the deep South. He spent 40 years on the force, but even now, he still does
volunteer work. He's a self-proclaimed "techtard" but some of the work he does
is actually quite technical. We got to be friends because I helped him with
understanding tech, and he helped me with understanding everything else. I
definitely got the better half of that deal. --The amount I've learned from
him over the years simply cannot be measured.

> I never knew the agencies you named were so accepting of volunteers.

They are not very accepting of volunteers, and there are tons of rules
regarding volunteers, so it can be a real hassle for them. The thing is, if
they know you are truly interested in pursuing a career in some aspect of law
enforcement, then they understand your situation all too well. At one point in
their life, they were in the exact same situation.

> I would have thought they would be suspicious of people volunteering

Yes. They will be suspicious and more importantly, they _should_ be
suspicious. You must anticipate their reaction. Make it exceedingly easy for
them to do whatever background and reference checks they deem necessary. Be
helpful, be honest, and be patient. It will take time.

You need to be OK with always being under greater scrutiny than others. It
happens if you're a volunteer. Even if you are fully vetted, it happens a
whole lot more if you prove yourself to be "frighteningly talented" in some
technical discipline. Needless to say, it doesn't take much to frighten non-
technical people. If you happen to be extremely good at something, even your
technical peers will at least think, if not directly say, "I'm really glad
he's one of the good guys."

I'm definitely tired, and probably rambling. My email address is in my profile
if you'd prefer to continue this off-site.