SANS Digital Forensics and Incident Response Blog

Hal Pomeranz: Computer Forensic Hero

The SANS Computer Forensics Heroes project introduces you to people who have made a difference in information security and the digital forensics community. We believe many people are contributing to make computer forensics work, and we want to introduce you to them.

Interview with Hal Pomeranz

by Rob Lee

1. Tell us how you became interested in IR or Forensics.

As a computer security professional, IR and Digital Forensics had always been of interest to me, but generally had always been handled by "somebody else" in the organizations I worked for. What pushed me to learn more was teaching the Forensics material in SANS Sec506 (the SANS Linux/Unix Security track) that was originally developed by John Green. John was very helpful and a great mentor during those early days.

What's also fascinating is the huge body of knowledge you need to be conversant in to be a top-tier Forensic Analyst: perimeter security, network and host-based IDS, log analysis, host security, operating systems and file systems, programming, and so on. So there's always something new to learn and ways that you can improve your own skills as well as improving your infrastructure to make your job as a Forensic Analyst easier when you do experience an incident.

I actually don't do Forensics as part of my private practice, though I have found myself doing initial incident validation, both for paying customers as well as for friends who find themselves in trouble. Generally, though, once I've validated that the system(s) in question have in fact been compromised, I advise the owners of those systems to seek qualified forensic experts rather than relying on my services.

2. What gives you the most satisfaction while working on a case?

Like a lot of people in the IT industry, I like solving problems. Unraveling an incident, particularly if it involves a new attack vector, is a terrific problem-solving exercise.

3. What is your forensic tool of choice and why?

Obviously, I spend most of my life working with Linux/Unix systems. Historically, Unix folks have always seemed to believe that you investigate incidents in Unix with operating system tools like lsof, find, and grep. And certainly these are great tools and I find them very useful, especially lsof.

Because I don't do Digital Forensics professionally, I haven't invested in any of the expensive, commercial forensic tools. But it's amazing how much data you can recover just using Open Source tools like the Sleuthkit and Foremost.

4. What area of forensics/IR needs to be understood by every new investigator?

As technical people, I think we have a tendency to concentrate on the technical details too much sometimes. We think that we can find all the answers if we just find the right pattern of bits. But many times basic human factors like motive and opportunity, as well as non-digital evidence, are just as important for solving a case. So be careful not to go in with blinders on.

Also never skimp on the legal and procedural aspects of an investigation. This stuff seems boring and esoteric, but it will make or break your case.

5. What do you do in your free time when not working on computer forensics?

Obviously, continuing self-education occupies a lot of my non-work hours. But I also think it's important to mentor others, so I write numerous technical articles and also help run a local professional group in addition to the time I spend teaching for SANS.

I'm a huge baseball fan and spend a lot of time keeping tabs on what's going on in Major League Baseball and going to ballgames. During the summer months, you'll more often than not find me watching the game at our local minor league ballpark here in Eugene.

My wife and I are both movie buffs, and especially share a passion for bad movies: stupid action flicks, B-grade science fiction, you name it. You won't believe some of the stuff we own on DVD. We also enjoy live theater, travel, trying new restaurants, reading and discussing books, and so on.

Sign up for the NEW class SEC408 Computer Forensic and E-Discovery Essentials, debuting at SANSFIRE 2009. Receive a Tableau T35e Read-Only forensic kit as part of the new class.