I've always had a predilection toward incident response and forensics. For some reason, I just like digging through a compromised system, network flow data, and unknown binaries to figure out what happened -- it gives me a rush.
While some of us love it, others just do it because it's a J-O-B. What I've noticed during the last year is that there is a distinct separation in the forensic community in skills and focus.
There are forensic "experts" who have a narrow specialization in investigating individuals. Some examples off the top of my head are law enforcement forensic examiners looking at a computer to see if it was used to send threatening e-mails, search for information on making bombs, or view child pornography. The primary, and often only, source of evidence is the suspect's computer that is sometimes accompanied with some corroborating information from the suspect's ISP or a Web/mail hosting provider.
On the extreme opposite end of the spectrum, you have those who work on a much larger scale, taking into consideration many sources of information. I'm not sure there's a good term for them -- security investigator or enterprise incident responder or similar title -- but they go far beyond looking at just one system. Logs from routers, firewalls, and a numerous other types of systems all come into play in order for the investigator to crack the case.
So why do I mention the distinction? It's something I've believed for a while but was reminded of it again while reading "The Black Art of Digital Forensics" over at infosecurity.com. The article makes several interesting statements. The one that stuck out is that forensic investigators can't rely only on GUI tools to perform task for them (which is usually only against one system or one type of system and not ALL systems), they must understand what's going on behind the scenes for the GUI. While that's true, I'm just not sure that's going on in the real world.
To Continue Reading: Click Here
-----------------------------------------
Source: darkreading.com
By: John Sawyer
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment