Forensics 101, Software

I’m here! Now what?

by Ken Pryor

Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?

Staying sharp can be tough. There are many high quality blogs and forums that are fantastic resources for learning and exchanging information, but I’m the type of person who learns by doing, not just reading. However, you can only image your own hard drive and examine it for practice so many times before you’re bored to death with it. Fortunately, in addition to the free and low cost tools out on the net, there are also a number of freely available disk images available for download. There are images available in several different file system formats, so you won’t find yourself limited to just one type. The images have documented content which can be used to compare against the data your tools produce.

The site I’ve most taken advantage of when downloading images is The CFReDS Project. CFReDS, which stands for “Computer Forensic Reference Data Sets”, is hosted by NIST and exists to “…provide to an investigator documented sets of simulated digital evidence for examination”. The downloads include disk images, mobile device images and memory images. Some of the images have scenarios that accompany them and present a challenge with questions about the image you must answer. The answers are also available for you to check your work.

Much like the CFReDS page, the Digital Forensics Tool Testing Images page has a list of images you can use for testing. The images provided here are test images designed specifically for the testing of your software and provide you with the opportunity to do file carving, keyword searching and even memory analysis. Other images are there as well, accompanied by great supporting info on what you’ll find in the images.

A newer site I’ve found that has plenty of forensic image goodness is the Digital Corpora site. There is an excellent selection of images here, but it’s not limited to disk images. In addition to disk and file system images, you’ll also find cell phone images and packet dumps to work with.

The annual DC3 Challenge is a fun and challenging way to improve your forensic skills. The Department of Defense Cyber Crime Center (DC3) provides this contest every year, with excellent prizes provided this year for winning participants. The great thing about the DC3 Challenge is that everyone can participate, from the forensics noob to the seasoned veteran forensicator, as five different levels of challenges are available. Unfortunately, it doesn’t appear that past years’ challenges are still available for download for those wanting to do them just for the learning experience. If I’m wrong and they are available, I’d appreciate someone letting me know, but I didn’t find them.

The Digital Forensics Research Workshop (DFRWS) posts new challenges each year related to the focus of its annual conference. Downloads are available for this year’s challenge, which focuses on cellular phone forensics. Unlike the DC3 Challenge, the DFRWS has archives of previous years’ challenges and still makes the challenge materials available for download in the Archive section of their website.

Finally, a great thing started just last year is the Network Forensics Puzzle Contest featuring the exploits of “Ann Dercover”. Most recently, Ann was featured in “Ann’s Aurora”, a contest held in concert with the SANS Forensic Summit last month. The puzzles and the underlying story for each are well thought out, entertaining and definitely challenging. While I haven’t learned enough in the area of network forensics yet to feel like I can do these well, they provide those with the desire to learn an awesome opportunity to work them (and maybe win an excellent prize as well).

I hope you will take the time to look these sites over and see all they’ve got to offer, as I really only touched on each just a little. Also, if you know of other places where practice images and related materials are available, I’d love to hear from you.

Ken Pryor is a police officer and GCFA with the Robinson, Illinois Police Department. He became a police officer in 1987 and has been working in the area of digital forensics since 2008. He can be contacted at rpdforensics@gmail.com.

This article was originally published as a blog post on the SANS Computer Forensics website and is reprinted with kind permission.

Discussion

One thought on “I’m here! Now what?”

  1. Hi Ken,

    I have less exposure to digital forensics than yourself in my role as IT Manager for a small company, so your list of various test and practice resources is most useful. Thank you.

    Posted by Tony | August 22, 2011, 4:04 pm
