Day 1 in DFIR: Thoughts and Tips for Beginners
This past year I have made the transition out of the hospitality and tourism industry and into the world of digital forensics and incident response. I had heard of this intriguing industry niche through a friend; she pointed me towards taking the SANS FOR500 Windows Forensics Analysis course and getting the GIAC Certified Forensic Examiner certification. Two months after I received my GCFE I was fortunate enough to land my first job in DFIR. Although I have made big strides in my transition into DFIR, there is still a lot I must learn and some gaps in knowledge I need to fill in this industry. Now that I have the opportunity to get hands-on training with my new employer, I want to share with you my journey and any advice I have for anyone new to DFIR and technology.
Hello DFIR! It's me, Estee.
After I finished the GCFE, my first step was to expand my horizons and study more topics to help me in DFIR. I continually found myself starting one subject only to realize I needed to learn something else first. I was staring at an endless black hole of topics I needed to learn and could not figure out my starting point. Once I started my new position, I realized the starting point wasn't so complicated at all - start with evidence.
Ask yourself, what kind of evidence will you be handling? On my first day in the lab, I was given a powered-down laptop. Next, I was asked what I thought I should do first, and my answer was: take an image of the hard drive. I was a little ahead of myself - there are a few small steps you should take before you get into this. After handling the chain of custody and other paperwork, simply look at your device. Get to know the device in front of you. What physical attributes does it have? Look for any scratches or dents; are you able to unscrew the back of the laptop? What operating system are you working with, and do you know the type of filesystem? Think about what your assignment is and how time sensitive it is. You need to decide the best way to acquire the laptop's contents. We decided that the best way to extract an image was to open up the laptop, take out the hard drive, plug it into a converter and extract an image. Now, I had studied what the hard drive was and what it did for a device, but I realized at that moment that I had no idea what it looked like. I didn't know what the RAM looked like. The only thing I could confidently pick out in an opened laptop was the battery. This was such a basic concept, and I didn't even think to study it. After my first day in the lab, I was able to pinpoint some topics I could start to review that would directly help me apply knowledge to my first week of work.
If you are just starting out in the DFIR industry I suggest reviewing these subjects first:
Open up and review the internal setup of different devices.
Start with your personal devices - review your laptop, go digging around for that old laptop that barely works but you refuse to get rid of, just in case you left something important on it. Look inside a personal desktop computer if you have one. Open up these devices and locate the hard drive, RAM, battery, CPU, etc. Try to identify everything you are looking at. The internal setup of different devices varies depending on product brand and model. So, it is good practice to be able to recognize the hard drive, for example, because it might not be in the same place as in the last device you looked at.
Research different types of hard drive interfaces.
Not all hard drives are the same; they are manufactured with different connection interfaces. The connection interface on the hard drive must match the connection on the motherboard. Look for different connection interfaces when you examine opened computers. Compare their differences and research what makes them different. Identifying the hard drive interface in use can give you an idea of how long your extraction might take. For example, with an IDE interface data transfers at a rate of up to 133 MB/s, while a SATA interface supports a rate of up to 6 Gb/s. Identify interfaces like these:
· IDE (Integrated Drive Electronics)
· EIDE (Enhanced Integrated Drive Electronics)
· PATA (Parallel ATA)
· SATA (Serial ATA)
· SCSI (Small Computer System Interface)
Familiarize yourself with different operating systems and filesystems.
If you know the operating system and filesystem of the device ahead of time, you can make a plan for the best way to extract evidence data. It is a good idea to get to know the differences between operating systems and what their file systems will look like forensically. This will help you know where to look for different artifacts. For example, the Windows OS has the Windows Registry, and its information is separated into different hives/keys. Start by familiarizing yourself with some of these operating systems and file systems and look at the differences.
· Windows - NTFS, FAT32, FAT, exFAT, ReFS
· Mac - MacOS, OS X
· Linux - ext3, ext4, XFS
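One practical way to "know the filesystem ahead of time" once you have an image is to read the signatures the filesystems leave on disk. The script below is an added example (not part of the original post or of any tool it mentions): it identifies NTFS, exFAT, FAT12/16/32 and ext2/3/4 from a raw volume image using the public on-disk layouts (the OEM ID and FAT type strings in the boot sector, and the ext superblock magic and feature flags), and it also flags a whole-disk image that still carries a GPT or MBR partition table, since in that case the filesystem starts inside a partition rather than at byte 0. The sample images are constructed in the script and carry only the signature bytes, not real data.

```python
"""Identify the filesystem in a raw volume image from its on-disk signatures.

Added example, not from the original post. Offsets come from the public
on-disk layouts of the NTFS/FAT/exFAT boot sectors and the ext2/3/4 superblock.
"""
import struct
from typing import Optional

SECTOR = 512
EXT_SB = 1024                   # ext2/3/4 superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53              # s_magic, little-endian uint16 at superblock + 0x38
EXT_COMPAT_HAS_JOURNAL = 0x0004  # s_feature_compat bit: a journal exists (ext3 and later)
EXT_INCOMPAT_EXTENTS = 0x0040    # s_feature_incompat bit: extent trees (ext4)


def ext_variant(image: bytes) -> str:
    """Distinguish ext2/ext3/ext4 from the superblock feature flags (heuristic, as blkid does)."""
    compat, incompat = struct.unpack_from("<II", image, EXT_SB + 0x5C)
    if incompat & EXT_INCOMPAT_EXTENTS:
        return "ext4"
    if compat & EXT_COMPAT_HAS_JOURNAL:
        return "ext3"
    return "ext2"


def identify_filesystem(image: bytes) -> str:
    """Return the filesystem name for a raw *volume* image, or a hint if it is a whole disk."""
    if len(image) < SECTOR:
        return "unknown"
    # A whole-disk image starts with a partition table, not a filesystem: GPT header at LBA 1.
    if image[SECTOR:SECTOR + 8] == b"EFI PART":
        return "GPT partition table (whole-disk image: carve the partition first)"
    oem_id = image[3:11]            # BIOS parameter block OEM ID, 8 bytes
    if oem_id == b"NTFS    ":
        return "NTFS"
    if oem_id == b"EXFAT   ":
        return "exFAT"
    if image[82:87] == b"FAT32":    # FAT32 type string in the extended BPB
        return "FAT32"
    if image[54:57] == b"FAT":      # FAT12/FAT16 type string
        return image[54:59].decode("ascii", "replace")
    if len(image) >= EXT_SB + 0x68:
        (magic,) = struct.unpack_from("<H", image, EXT_SB + 0x38)
        if magic == EXT_MAGIC:
            return ext_variant(image)
    # Last resort: MBR signature plus at least one non-empty partition entry at offset 446.
    if image[510:512] == b"\x55\xAA" and any(image[446 + 16 * i + 4] for i in range(4)):
        return "MBR partition table (whole-disk image: carve the partition first)"
    return "unknown"


def _boot_sector(oem_id: bytes, fs_type_at: Optional[int] = None, fs_type: bytes = b"") -> bytes:
    """Build a minimal constructed boot sector carrying only the signature bytes we test."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x52\x90"            # jump over the BPB, as real boot sectors do
    sector[3:11] = oem_id
    struct.pack_into("<H", sector, 11, 512)  # bytes per sector
    if fs_type_at is not None:
        sector[fs_type_at:fs_type_at + len(fs_type)] = fs_type
    sector[510:512] = b"\x55\xAA"            # boot sector signature
    return bytes(sector)


def _ext_volume(compat: int, incompat: int) -> bytes:
    """Build a constructed 2 KiB ext volume holding only the superblock magic and feature flags."""
    vol = bytearray(2 * EXT_SB)
    struct.pack_into("<H", vol, EXT_SB + 0x38, EXT_MAGIC)
    struct.pack_into("<II", vol, EXT_SB + 0x5C, compat, incompat)
    return bytes(vol)


def _gpt_disk() -> bytes:
    """Constructed whole-disk image: protective MBR in LBA 0, GPT header signature in LBA 1."""
    disk = bytearray(2 * SECTOR)
    disk[510:512] = b"\x55\xAA"
    disk[446 + 4] = 0xEE                   # protective MBR partition type
    disk[SECTOR:SECTOR + 8] = b"EFI PART"  # GPT header signature
    return bytes(disk)


# Constructed sample images (signature bytes only, no real file data).
SAMPLE_IMAGES = {
    "ntfs": _boot_sector(b"NTFS    "),
    "fat32": _boot_sector(b"MSWIN4.1", 82, b"FAT32   "),
    "fat16": _boot_sector(b"MSDOS5.0", 54, b"FAT16   "),
    "exfat": _boot_sector(b"EXFAT   "),
    "ext2": _ext_volume(0, 0x2),
    "ext3": _ext_volume(EXT_COMPAT_HAS_JOURNAL, 0x2),
    "ext4": _ext_volume(EXT_COMPAT_HAS_JOURNAL, 0x2 | EXT_INCOMPAT_EXTENTS),
    "gpt_disk": _gpt_disk(),
    "zeros": bytes(SECTOR),
}


def classify_samples() -> dict:
    """Run the identifier over every constructed sample and return name -> result."""
    return {name: identify_filesystem(img) for name, img in SAMPLE_IMAGES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:9s} -> {result}")
```

To use it on a real acquisition, read the first few kilobytes of the image file (or of a carved partition) and pass them to identify_filesystem; the signature check is a quick first triage, and a full parse of the boot sector or superblock should follow before you rely on it.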
Review basic technology concepts.
Having just started my first job in the industry, I realized a lot of the content I studied was still unfamiliar to me because I had not put it to use yet. Before taking the SANS FOR500 I read through a Security+ textbook to familiarize myself with basic concepts. After that I put all of my attention into the SANS FOR500 and getting my GCFE - I had not looked at the basics since. I didn't even think to review the basics again because I had already skipped ahead to the more complicated subject matter. I suggest reviewing the basics right before you start a new position because, in my experience, you will need to know and use them.
All of these topics may seem very simple and straightforward, which can lead you to overlook them - I did. Take a step back and review.