All Forensic Investigators Are Not Created Equal

I've always had a predilection toward incident response and forensics. For some reason, I just like digging through a compromised system, network flow data, and unknown binaries to figure out what happened -- it gives me a rush.While some of us love it, others just do it because it's a J-O-B. What I've noticed during the last year is that there is a distinct separation in the forensic community in skills and focus.

There are forensic "experts" who have a narrow specialization in investigating individuals. Some examples off the top of my head are law enforcement forensic examiners looking at a computer to see if it was used to send threatening e-mails, search for information on making bombs, or view child pornography. The primary, and often only, source of evidence is the suspect's computer that is sometimes accompanied with some corroborating information from the suspect's ISP or a Web/mail hosting provider.

On the extreme opposite end of the spectrum, you have those who work on a much larger scale, taking into consideration many sources of information. I'm not sure there's a good term for them -- security investigator or enterprise incident responder or similar title -- but they go far beyond looking at just one system. Logs from routers, firewalls, and a numerous other types of systems all come into play in order for the investigator to crack the case.

So why do I mention the distinction? It's something I've believed for a while but was reminded of it again while reading "The Black Art of Digital Forensics" over at infosecurity.com. The article makes several interesting statements. The one that stuck out is that forensic investigators can't rely only on GUI tools to perform task for them (which is usually only against one system or one type of system and not ALL systems), they must understand what's going on behind the scenes for the GUI. While that's true, I'm just not sure that's going on in the real world.

Sure, there's some really great research coming from guys like Harlan Carvey and many of the great folks behind the SANS Computer Forensics and e-Discovery blog, but I think they go above and beyond the norm. I think the release of more forensic tools like those mentioned in the article are making digital forensics become point-and-click and easy so anyone can say they do digital forensics without understanding the foundations.

Ever hired someone to perform a forensics investigation only to end up being bitterly disappointed? Did you have to hire another one to get the job done right? Leave me comment or e-mail me. I'm always looking for good war -- or horror -- stories to use as examples.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.