Interviews are tough, and digital forensics jobs in law enforcement don’t come up very often. So how do you prepare? Getting a job in #DFIR is a common thread and I thought I’d add my thoughts as well as some possible interview questions specific to law enforcement. Even if these questions don’t remotely come up in your actual interview, the key for success is preparation. So thinking about these questions will put you in good stead for a role.
Great sources of DFIR information are endless: books, blogs, repositories, Twitter, lectures, conferences, and journals. One of the hardest skills I am yet to master is transferring this huge amount of information into digestible and searchable chunks. At the moment my ‘system’ consists mainly of a stack of printouts, endless Twitter bookmarks, 75 open Chrome tabs, and sticky notes with Excel formulae (generally different ways to convert Unix epochs to a readable format en masse…).
So many people recommend ‘The Cuckoo’s Egg’ as a must-read for information security professionals. For those in the dark, the book follows the author Cliff Stoll tracking unauthorised access to the US Lawrence Berkeley National Laboratory computer network in the late 1980s. The book itself is an engaging and fascinating account of a low-tech attacker (by today’s standards) penetrating various networks across the US and the low-tech defender tracking his activities.
This post can actually be pretty short: write contemporaneous notes. There. Done. Finished. Need more detail? Writing contemporaneous notes is the smartest, best, and most important thing you will do in your DFIR career. They will help you, save you, protect you, and aid you in every aspect of your work. DON’T make the mistake of thinking that contemporaneous notes will be some ‘extra evidence’ that will get you in trouble, or contradict your report findings.
It’s common when exploring a new file format or Windows registry key to look for dates and times. Lots of binary structures encode dates and times which are essential to parse out. Windows 10 has been exceptional at releasing ‘new’ data formats - especially in the registry where many of these new configuration settings are stored. Some great work has been done by the DFIR community to locate, parse and understand these new structures.
HTTP/2 is fundamentally different from HTTP/1.x, but it is not some edge case of internet traffic. Figures I found from April 2016 indicated it was 68% of web traffic. It is supported by the major browsers, and even the lowly bit_of_hex blog is sent via HTTP/2. To check, browsers generally identify HTTP/2 traffic as ‘h2’ in their developer tools. HTTP/2 is a binary protocol (as opposed to the text-based HTTP/1.1) and is built around ‘frames’, which include types such as HEADERS, DATA, SETTINGS, and WINDOW_UPDATE.
We verify our forensic tools, right? And once we verify them, it’s all good? But what if the application is lying? Is the forensic tool right or wrong? I was playing around with HTTP/2 to see how the protocol works. A more detailed post examining HTTP/2 is forthcoming, but as usual I went down a rabbit hole and ended up…well, writing a Chrome bug report. But I’ll take a few steps back.