Helping the IT community separate the myths from reality.
Dispelling a few Myths of Computer Forensics
1. Spending all day behind a computer – This one is mostly true, but it does not hold for everyone. Think about it: you will not be carrying a gun, chasing “bad guys” AND spending all day behind the computer.
2. Chasing criminals – You will be chasing a cursor on a command line interface more than anything else.
3. Everyone is traceable – Bull! I can whack your PC, and when I am done, all you will have is a list of 5,000 users who were on the same proxy I was on when I whacked your PC. There are several proxy servers that will not reveal log files, and besides that, there is a good chance more than one proxy was used. Courts and companies will usually not go through all that trouble to find out who downloaded your “My Documents” folder.
4. Everything has a signature – This is true. The problem is, how many devices did a document pass through before you received it? Even tracing an email can be nearly impossible after it has been around the world a few times.
5. Command Line Interface – Yes, you will have to know the command line very well, and you will also have to know how to interpret the results of a command line inquiry. Those graphical front ends are nice, but they do not always give you all the information you need to do the job.
6. The FBI Needs You – (ROFL) The FBI has a “cyber-crime” unit, but most of its information comes from third-party sources.
If you want action, forensics is not really the place. Network security has more action, and many times you prevent crimes instead of looking at the traces of a crime.
Start by investigating your own PC. Find all your internet cookies, analyze them, and write down your browsing history from the cookie analysis. There are programs that do this for you, but doing the cookie analysis yourself is a good way to learn how internet servers communicate with your browser.
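As an added example (not part of the original post), here is a small Python script that does the cookie exercise by hand on a Netscape-format cookies.txt file, the plain-text layout that Firefox-era browsers and curl use. The cookie file embedded in the script is constructed for illustration; every domain and value in it is made up. The script reconstructs which hosts you talked to and what each host chose to set: session versus persistent cookies, cookies sent without the Secure flag, HttpOnly cookies, and cookies that have already expired.

```python
"""Reconstruct a visit history from a Netscape-format cookies.txt.

Added example, not from the original post. Field layout per line (tab-separated):
domain, include_subdomains, path, secure, expiry (unix seconds, 0 = session
cookie), name, value. Lines starting with '#' are comments, except that curl
and some browsers prefix HttpOnly cookies with '#HttpOnly_'.
"""
import time
from datetime import datetime, timezone

# Constructed sample cookie file; the domains and values are made up.
SAMPLE_COOKIES_TXT = """# Netscape HTTP Cookie File
# constructed sample for illustration
.example.com\tTRUE\t/\tTRUE\t1893456000\t_tracker\tabc123
#HttpOnly_.example.com\tTRUE\t/\tTRUE\t0\tsessionid\tdeadbeef
.adnetwork.test\tTRUE\t/\tFALSE\t1893456000\tuid\t42
.adnetwork.test\tTRUE\t/ads\tFALSE\t1704067200\tseen\t1
"""

HTTPONLY_PREFIX = "#HttpOnly_"


def parse_cookies(text):
    """Return one dict per cookie line; skips comments and malformed lines."""
    cookies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        http_only = line.startswith(HTTPONLY_PREFIX)
        if http_only:
            line = line[len(HTTPONLY_PREFIX):]
        elif line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # not a well-formed Netscape cookie line
        domain, subdomains, path, secure, expiry, name, value = fields
        expires_ts = None if expiry == "0" else int(expiry)
        cookies.append({
            "domain": domain.lstrip("."),      # leading dot means "and subdomains"
            "include_subdomains": subdomains == "TRUE",
            "path": path,
            "secure": secure == "TRUE",
            "http_only": http_only,
            "expires_ts": expires_ts,
            "expires_iso": None if expires_ts is None else
                datetime.fromtimestamp(expires_ts, tz=timezone.utc).isoformat(),
            "name": name,
            "value": value,
        })
    return cookies


def summarize(cookies, now_ts=None):
    """Group cookies by host: the set of hosts is your visit history."""
    now_ts = int(time.time()) if now_ts is None else now_ts
    summary = {}
    for c in cookies:
        host = summary.setdefault(c["domain"], {
            "count": 0, "session": 0, "persistent": 0, "expired": 0,
            "insecure": 0, "http_only": 0, "names": [],
        })
        host["count"] += 1
        host["names"].append(c["name"])
        if c["expires_ts"] is None:
            host["session"] += 1
        else:
            host["persistent"] += 1
            if c["expires_ts"] < now_ts:
                host["expired"] += 1
        if not c["secure"]:
            host["insecure"] += 1      # would be sent over plain HTTP too
        if c["http_only"]:
            host["http_only"] += 1
    return summary


if __name__ == "__main__":
    for host, info in sorted(summarize(parse_cookies(SAMPLE_COOKIES_TXT)).items()):
        print(host, info)
```

Run it against your own cookies.txt by replacing the constructed sample with the file's contents. A host that sets long-lived cookies without the Secure flag across many unrelated sites is the tracking pattern you are looking for; a short-lived HttpOnly cookie is usually a login session.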
Delete some files, overwrite them, and then try to recover them.
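The delete-then-recover exercise, as an added example that is not part of the original post. It builds a toy volume (a flat byte array plus a separate name-to-offset table standing in for the directory) rather than touching a real disk, but it reproduces the mechanism you will see on a real one: deleting a file drops the directory entry and leaves the data blocks in place, so carving the raw bytes for a known file signature still finds the file; overwriting the blocks is what actually destroys it. The PNG header and footer are the real magic numbers; the image body between them is constructed filler.

```python
"""Delete, carve and overwrite a file on a toy volume.

Added example, not from the original post. The volume is a simplification:
a bytearray for the data area and a dict for the directory. Real filesystems
differ in detail (allocation tables, fragmentation), but the lesson holds:
delete removes the pointer to the bytes, not the bytes.
"""

BLOCK_SIZE = 512

# Real PNG signature and IEND chunk trailer, used as the carving signature.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"IEND\xaeB`\x82"


class ToyVolume:
    def __init__(self, blocks=64):
        self.data = bytearray(blocks * BLOCK_SIZE)
        self.directory = {}      # name -> (offset, length)
        self._next_free = 0      # naive bump allocator, enough for the demo

    def write(self, name, payload):
        offset = self._next_free
        self.data[offset:offset + len(payload)] = payload
        self.directory[name] = (offset, len(payload))
        blocks_used = -(-len(payload) // BLOCK_SIZE)   # ceiling division
        self._next_free += blocks_used * BLOCK_SIZE
        return offset

    def delete(self, name):
        """Ordinary delete: forget the directory entry, leave the bytes alone."""
        return self.directory.pop(name)

    def wipe(self, offset, length):
        """Overwrite the region in place, as a secure-delete tool would."""
        self.data[offset:offset + length] = b"\x00" * length

    def listing(self):
        return sorted(self.directory)


def carve(data, header, footer):
    """Return every header..footer span found in the raw bytes, directory or not."""
    found = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start < 0:
            break
        end = data.find(footer, start + len(header))
        if end < 0:
            break                       # truncated file: header with no trailer
        end += len(footer)
        found.append(bytes(data[start:end]))
        pos = end
    return found


def demo():
    vol = ToyVolume()
    png = PNG_HEADER + b"constructed image body, not a real PNG" + PNG_FOOTER
    vol.write("notes.txt", b"plain text: nothing here carves by signature")
    offset = vol.write("photo.png", png)

    results = {"listed_before_delete": vol.listing()}
    results["carved_before"] = len(carve(vol.data, PNG_HEADER, PNG_FOOTER))

    vol.delete("photo.png")             # gone from the directory...
    results["listed_after_delete"] = vol.listing()
    recovered = carve(vol.data, PNG_HEADER, PNG_FOOTER)
    results["carved_after_delete"] = len(recovered)
    results["deleted_content_intact"] = recovered == [png]   # ...but fully recoverable

    vol.wipe(offset, len(png))          # overwrite the blocks themselves
    results["carved_after_wipe"] = len(carve(vol.data, PNG_HEADER, PNG_FOOTER))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the same steps are: image the disk or partition to a file first (dd is the usual tool), then run a signature carver such as scalpel, foremost or PhotoRec over the image rather than the live disk, so that your own activity does not overwrite the blocks you are trying to recover.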
Set up a “limited user” account on your PC. Then try to get at the administrator’s documents and programs without the password. This can be done on most Windows systems.
Forensics can be a lot of fun if you are the curious type. It requires a deep understanding of how computers communicate and of their underlying processes.
Starting out, don’t worry about catching the crooks; worry about expanding your own knowledge.
In 2005 I started using Windows XP. I had never used Windows; I was an Apple user. Within a month, I knew what every file in the System32 and Windows folders did. I knew where to change passwords, where to remove Microsoft branding, where to change serial numbers, where to stop the pop-ups on the task bar, etc., etc., etc.
Why would I need that knowledge? When a virus or spyware comes into my PC, I can tell “where” it is by “what” it is doing. Instead of just deleting the files, I save them and analyze them to see where the virus came from.
If things like this do not seem interesting to you, then you may not be cut out for computer forensics. If they do interest you, I promise you will never be bored sitting behind a computer all day; there is a whole virtual world of possibilities out there waiting to be discovered. There is a lot more to computer forensics than just picking apart someone’s old hard drive.