Digital Forensics Interviews: Law Enforcement Edition

Interviews are tough, and digital forensics jobs in law enforcement don’t come up very often. So how do you prepare? Getting a job in #DFIR is a common thread and I thought I’d add my thoughts as well as some possible interview questions specific to law enforcement. Even if these questions don’t remotely come up in your actual interview, the key for success is preparation. So thinking about these questions will put you in good stead for a role.

As background, I used to work as a civilian for a law enforcement agency in various roles, the last being Digital Forensic Examiner. This post represents my views alone.[1]


General Thoughts

First, I understand some people don’t like the police. Some people have undergone life changing, destructive, hurtful, or terrible experiences in their dealings with police. Others simply could never see themselves working for the law enforcement, or are not interested in the role. I understand. This post is not for you.

For others who are considering applying to or working for law enforcement (or any government agency), I recommend researching and understanding the kind of work you might be doing. Police roles vary between states, provinces, and countries, and therefore the types of DF work will also vary. A good way to understand what role you might have is to look at the legislation the agency enforces. Is it local or federal? Is it community policing? Is it immigration or border policing? Is it aligned with customs or tax enforcement? Don’t think you’re going to catch murderers and serial killers when your agency only looks after narcotics and people trafficking. You’ll be disappointed.

Law enforcement is hierarchical and has a chain of command. You can be told what to do, and as long as the order is within policies and legal, then you have little scope to refuse the request. Likewise, problems and issues are fed up through the chain of command. They are not flat, agile organisations, and that is something you might have to get used to.

But it’s not all gloom and doom. The work is incredibly varied, the training is often excellent, as a specialist you’ll have good autonomy, and the pace can be fast.

Interview Questions

These are some questions I would consider for an interview. Some are junior questions and some are more senior. I’m going to mix them up because they can be adjusted for either type of interview. I see no purpose in tricking people in an interview: it is a short window in which to evaluate someone’s skills, not to watch them stumble over tricky questions you spent weeks scheming. Hence, some questions might seem simplistic - but the purpose is to stimulate discussion.

I’m not putting any specific answers here but rather my thoughts on why I think certain questions are important.


Communication Skills

In my opinion, DFIR is a great deal more about having decent communication skills than technical skills. For law enforcement (as with most jobs) you need to be able to communicate information, written and verbal, succinctly and accurately to a wide range of audiences.

Q: Explain <insert basic IT concept> to someone who has never used it. (For example: email, a hard drive, the internet, SMS, SnapChat, a web browser, etc.)

This might sound trite but there are plenty of people (cough judges cough) who have limited exposure to computers. To some, ‘basic’ computing functions are akin to quantum physics. Being able to explain an ‘everyday’ computing activity in basic terms is essential for testifying in court.

I wouldn’t be looking for detail, but for the essential concepts being explained accurately without jargon. More senior positions could include explaining more DF specific topics such as a write-blocker, an E01 file, or a hash.

Want to ace the question? Answer using a simple and accurate analogy that your grandmother could understand.

Q: Tell me about some written technical work you have produced? Who was the audience? How do you tailor your document to your audience?

Things like an executive summary (for busy prosecutors), diagrams (for bored juries) and timelines (for everyone) make technical documents bearable.

Q: What’s more important in written and verbal communication: accuracy of information or timeliness?

Most people will say ‘both’, which is true (in my opinion), but can you think of a time when one outweighs the other?

General Technical Knowledge

Q: What is a hash, and how is it used in digital forensics?

Depending on the answer this could lead to all sorts of follow-up questions which will provide insight into the level of maturity of the DF examiner. Follow-up questions could examine hash collisions, what to do in the event of a hash mismatch, the types of hashing used for evidence acquisition, and when hashes would be verified.

Q: How would you test if a write-blocker worked?

Google ‘known sample’. Work the rest out.

Q (junior): Explain what happens when a user moves a file to the recycle bin.

Don’t have experience? Download FTK Imager. Put a file on the desktop. Move it to the Recycle Bin. Look at Recycle Bin in FTK Imager. Explain what happened.
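Added example, not from the original post: what ‘look at the Recycle Bin in FTK Imager’ actually shows is that Windows Vista and later rename the moved file to $R<suffix> and write a companion $I<suffix> record holding the original path, size and deletion time. The parser below reads both the version 1 (Vista to 8.1) and version 2 (Windows 10 and later) $I layouts; the record it parses is constructed here for the demo, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC (the
# same format as NTFS $STANDARD_INFORMATION timestamps).
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic only, no float loss."""
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_dollar_i(data):
    """Parse a $I record: version 1 (Vista to 8.1) or version 2 (Windows 10+)."""
    # $I holds metadata only; the content is in the $R file with the same suffix.
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:      # fixed 260-wchar buffer, null padded
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:    # uint32 char count (incl. NUL), then UTF-16LE path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "path": path}

def build_dollar_i(version, path, size, deleted_utc):
    """Construct a $I record; used here only to make demo and test data."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\x00")
    body = (path + "\x00").encode("utf-16-le")
    return head + struct.pack("<I", len(path) + 1) + body

def demo():
    """Parse a constructed Windows 10 record for a file deleted from the desktop."""
    rec = build_dollar_i(2, r"C:\Users\alice\Desktop\notes.txt", 1234,
                         datetime(2020, 5, 4, 12, 34, 56, tzinfo=timezone.utc))
    return parse_dollar_i(rec)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12}: {value}")
```

Point it at a real $I file (open it in binary mode and pass the bytes) and compare the deletion time with what FTK Imager reports; the $R file with the matching suffix is where the content went.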

Q (senior): Explain what happens when a user deletes a file on an NTFS file system?

There can be a lot in this answer. Start with File System Forensics by Brian Carrier.

Q: On an NTFS file system, explain the difference between file created, file modified, MFT modified, and file accessed?

Q: Where on a Windows system could you find evidence of a file being opened by a user?

This question could also be modified to any artefacts from the SANS ‘Evidence of…’ poster.

Q: You are examining a hard drive and have a keyword hit for the url in unallocated space. Explain what analysis you would do next.

This is pretty open ended. For me it would be trying to put context around the keyword hit. If context can’t be made, then reporting with the appropriate caveats.

Q: What are some anti-forensics methods you might encounter on computer systems (e.g. laptops, desktop computers)?


Mobile Phones

Law enforcement has to deal with a lot of phones, so expect questions relating to mobile phones, especially for senior positions.

Q: Explain the difference between a logical, file system and physical extraction of a mobile phone.

Q: You are given a phone and asked for all location data relating to Los Angeles Airport. Explain how you would conduct your analysis.

I’m looking for a basic method: thinking about what phone data might meet the requirement and how you would go about extracting it.

Q: A police investigator walks in, hands you a mobile phone and says “all the evidence is in the chat program”. They then walk out. What do you do next?

OK, terrible chain of custody aside, it is fairly common to get evidence but little further information. Don’t get flustered and forget basic examination procedures. Be calm, and examine the phone as normal, giving priority to the chat programs.

Q (follow up): OK, you extracted the phone with a physical extraction using Product A. But only one of the chat programs has been recognised and parsed out. The key evidence is not there. What do you do next?

Looking for some understanding of the main data structures of mobiles (hint).
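Added example, not from the original post: the ‘hint’ here is that on both Android and iOS most chat apps keep their messages in SQLite databases, so when the extraction tool has not parsed an app you open its database yourself. The script below enumerates sqlite_master, flags tables whose columns look like message stores, dumps them with epoch timestamps converted to UTC, and reports the freelist page count (unused pages that may still hold deleted rows worth carving). The database it examines is constructed in memory as a stand-in, and the column-name heuristics are my own, not any product’s.

```python
import sqlite3
from datetime import datetime, timezone

TEXT_HINTS = ("text", "body", "message", "content")  # message content columns
TIME_HINTS = ("time", "date", "ts")                  # timestamp columns

def build_sample_db():
    """Constructed stand-in for an app database the extraction tool did not parse."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, handle TEXT);
        CREATE TABLE msgs(id INTEGER PRIMARY KEY, sender INTEGER,
                          body TEXT, sent_ts INTEGER);
        INSERT INTO contacts VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO msgs VALUES (1, 1, 'meet at the usual place', 1588595696000),
                                (2, 2, 'ok, 9pm', 1588595750);
    """)
    return con

def to_utc(value):
    """Unix epoch in seconds or milliseconds (guessed by magnitude) to ISO-8601 UTC."""
    if not isinstance(value, (int, float)):
        return value            # leave text or NULL timestamps untouched
    secs = value / 1000 if value > 10**11 else value
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()

def candidate_tables(con):
    """Map table -> (text columns, time columns) for tables that look like message stores."""
    found = {}
    for (name,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        cols = [row[1] for row in con.execute(f'PRAGMA table_info("{name}")')]
        text_cols = [c for c in cols if any(h in c.lower() for h in TEXT_HINTS)]
        time_cols = [c for c in cols if any(h in c.lower() for h in TIME_HINTS)]
        if text_cols:
            found[name] = (text_cols, time_cols)
    return found

def dump_messages(con):
    """Rows of every candidate table (timestamps converted) plus the freelist page count."""
    rows = []
    for table, (_, time_cols) in candidate_tables(con).items():
        cur = con.execute(f'SELECT * FROM "{table}"')
        names = [d[0] for d in cur.description]
        for row in cur:
            rec = dict(zip(names, row))
            for c in time_cols:
                rec[c] = to_utc(rec[c])
            rows.append((table, rec))
    freelist = con.execute("PRAGMA freelist_count").fetchone()[0]
    return rows, freelist
```

On a real extraction, also copy any -wal and -journal files alongside the database before opening it, or recently written rows will be missing from what you see.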

Q: You’re given a locked iPhone. What do you do?

Don’t go technical straight away. Remember, it’s the police - have you asked for the PIN? It might sound stupid, but the case officer might simply not know that you can’t easily bypass iPhone PINs.

If you don’t have the PIN then start asking some other questions: “Is the phone on?” “Has it been switched off since it was seized by police?” “Do we have any other computer hardware belonging to the owner?” “Have any pass-codes been tried already?”

OK, now start talking about technical bypasses. I’m not going to list them because it depends heavily on the iPhone and iOS version as well as specific settings.

Q: What are some ways someone can hide data on a mobile phone?

Or, similar to the above, asking about the anti-forensics capabilities of a phone.

Non-Traditional Skills

Q: You’re called to a search warrant where there is one desktop computer switched on. Chrome is open with over 25 tabs and you can see something downloading. Explain how you would examine the computer.

Hang on? Shouldn’t this be in technical skills? In fact, how someone conducts a live examination is so varied that the actual process matters less (to me) than whether the candidate covers the following:

First, I’m looking for someone not to panic. Don’t jump in and cycle through tabs, or look to see what is downloading. They’re red herrings.

Second, I’m looking for someone to ask some follow-up questions: “What is the search warrant for?”[2] “Is there a time limit for the examination?” “Can you provide any more information on the owner of the computer?” “Has anyone touched the computer since police arrived?” In fact, any questions are good questions, because this replicates what I would expect you to ask if you were really there.

Third, somewhere in your answer you need to talk about documenting the scene (and/or contemporaneous notes). Photos, video, notes, voice recorder, etched into stone tablets…it doesn’t matter how, but before you do anything and while you are examining, you need to document your actions.

Fourth, OK, now you can collect your memory!

Q: You’ve been working a long day, there is no-one else in the office. While examining a mobile phone you swipe an email and it moves it to the trash bin in the mail app. You haven’t extracted the phone yet. What do you do?

Again, it’s not the specific action but the overall process that is important. Document the action. Take photos. The criticality of the evidence and the specifics of the error would inform if the mistake is reported or simply put in your notes. Just don’t cover it up. Shit happens.

Ethics & Values

Any interview should contain some questions about ethics, your values, and anti-corruption. Be prepared. Some questions could be:

Q: You are offered $1,000 by a suspect not to do a complete examination of a mobile phone - what do you do?

Q: What would you do if you suspect a colleague is corruptly involved in an investigation?

Q: A colleague tells you ‘not to examine this hard drive’ before removing it from the lab and walking off. What are your next immediate actions?

Q: You’re having a beer with some work mates and other non-police friends, and a work colleague starts talking about a current narcotics investigation. What do you do?

Q: You’re examining a mobile phone and see WhatsApp communication between the owner of the phone and your brother-in-law. What do you do?

No answers here. This is on you. But be prepared for follow-up questions nailing down exactly the steps or actions you might take.


General Themes

If you’ve read this far (and apologies for the length of the post) then you can hopefully see some themes in my questions and answers. Many questions are open ended and rely on you asking follow-up questions or the answers stimulating a discussion. This is because you need to have the confidence to ask questions: the who, what, where, when, and why of the evidence. The police investigator might have some or all of the answers, or they might be able to get the answer. But often you’ll need to ask those questions to progress your analysis.

Knowing which questions to ask comes with experience, just as asking the right questions matters in an IR engagement or for a SOC analyst.

Good luck in your job hunt. If you have any questions or comments please contact me via [email protected] or @mattnotmax.

1. No, I can’t get you a job. Really.

2. Ideally you would know this but…