SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: FTK's updates

Whether you use FTK or EnCase, commercial products have incredible functionality that can be used in conjunction with open source computer forensics tools. For this week's Digital Forensics Case Leads, I wanted to focus on the updates to FTK. With commercial products, just like with open source, it is a matter of preference which tool you want to add to your forensic arsenal.
 
Tools:

  • Forensic Toolkit® (FTK™) version 3.1.2 was released May 17th with a 'New and Improved' section including a 'View This Item in a Different List' feature that allows the user to right click on a folder, then go to that folder in a Graphics tab and see the files inside, as well as improved identification of JavaScript Object Notation (JSON) files such as those found in programs like Facebook.
  • For the Password Recovery Toolkit™ (PRTK™) version 6.5.1 and Distributed Network Attack® (DNA®) version 3.5.1, 64-bit support has been added.
  • FTK Imager has added command line imaging functionality with support for Mac OS, Debian, Ubuntu, Fedora and RedHat.

Good Reads:

  • A great website for open source tools for both the UNIX and Windows sides of the house: http://www.opensourceforensics.org/
  • For anyone not familiar with the Digital Forensics Certification Board, take a listen to CyberSpeak and check out both websites for great computer forensics information.
  • This is a great tutorial site for all the Mac/Linux enthusiasts on how to mount an HFS+ image or partition in Linux.
  • www.bankinfosecurity.com interviewed our own Rob Lee back in February. The discussion focuses on what companies should look for in digital forensics practitioners as well as what individuals can do to further their careers in the field.
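The HFS+ item above links to a tutorial rather than giving the procedure. As an added example that is not from this post or the linked site, here is the shape of a read-only mount of an HFS+ partition from a raw disk image on Linux, with the byte-offset calculation that trips most people up. It assumes a raw (dd-style) image, a partition start sector read beforehand from `mmls` or `fdisk -l`, and the `hfsplus` kernel module; the image path, sector numbers and mount point are constructed placeholders.

```shell
#!/bin/sh
# Added example: mount an HFS+ partition out of a raw disk image, read-only.
# Assumptions (not from the original post): raw image, known partition start
# sector, hfsplus module available. All paths and sector values are placeholders.

# Byte offset of a partition inside the image: start sector times sector size.
# Most disks use 512-byte sectors; pass 4096 for 4K-native media.
hfs_offset_bytes() {
    start_sector="$1"
    sector_size="${2:-512}"
    echo $((start_sector * sector_size))
}

# Build the mount command. 'ro' keeps the evidence untouched (the kernel also
# mounts a journaled HFS+ volume read-only unless forced), 'loop' attaches the
# image file as a block device, and noexec/nodev/nosuid stop anything inside the
# image from being executed or treated as a device node on the examiner's box.
hfs_mount_cmd() {
    image="$1"
    start_sector="$2"
    sector_size="$3"
    mountpoint="$4"
    offset=$(hfs_offset_bytes "$start_sector" "$sector_size")
    echo "mount -t hfsplus -o ro,loop,noexec,nodev,nosuid,offset=$offset $image $mountpoint"
}

# Record the image hash, then mount (needs root). Re-run sha256sum after
# umount and compare: an unchanged hash is the evidence that the mount did
# not alter the image, and belongs in the examination notes.
hfs_mount_readonly() {
    image="$1"
    mountpoint="$4"
    sha256sum "$image" > "$image.sha256.before"
    mkdir -p "$mountpoint"
    eval "$(hfs_mount_cmd "$image" "$2" "$3" "$mountpoint")"
    cat "$image.sha256.before"
}

# Usage (constructed values; the start sector comes from mmls/fdisk output):
#   hfs_mount_readonly /evidence/disk.dd 409640 512 /mnt/hfs
#   ... examine ...
#   umount /mnt/hfs && sha256sum /evidence/disk.dd
```

The offset is the part worth double-checking: `mmls` reports sectors while `mount -o offset=` wants bytes, so multiplying by the wrong sector size lands you at a garbage superblock and an unhelpful "wrong fs type" error.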

Coming Events:

Digital Forensics Case Leads for 20100603 was compiled by Jennie DeLucia. Jennie is the Manager of IT GRC for Excellus Health Plan. In addition, she is a SANS Community 508 Instructor, an adjunct Professor at the Rochester Institute of Technology, and an independent computer forensic consultant.

3 Comments

Posted June 3, 2010 at 8:08 PM

Craig Burget

Hi,
I just finished reading the interview with Rob Lee in bankinfosecurity.com. I found it very informative and encouraging.
I find myself at a cross-roads in my career today. I was recently laid off from an ISSO job. I have extensive general IT and networking experience, but my info-sec experience is recent and relatively short in comparison (7 of 24 years). Also, my experience in info-sec to date has been more focused in the area of security management (IA, C&A, Risk Management, T&E, etc.) and some system engineering.
I have always had a fascination with forensics but the most immediate opportunities, as my IT career evolved toward Info-sec/IA, ended up being more along the lines of what I described above. However, now, I have a clean-slate (perhaps a little too clean) to work with so I am exploring the possibility of "breaking-in" to the field of Digital Forensics, but I am unsure of the best strategy to accomplish this.
I can't afford to start back at an entry level and claw my way back up to the top. I have a family and a lifestyle to maintain commensurate with 24 years in the "biz." Yet, a couple of statements Rob made in the interview indicated that someone with a broad and extensive IT background would be an asset. This was encouraging to me, but I really need to know where to start. Intuitively, I don't think it would be realistic to expect someone to hire me without some direct exposure to the tools and techniques as well as some semblance of a successful track record in real-life situations.
As a first step, I was considering investing in the vLive offering of SANS 408 starting next week. However, I decided against it because I didn't foresee an immediate impact on my job prospects and it would be a large sum of money out of my own pocket with no income rolling in right now.
At this point, I am thinking my best bet is to seek another position in the Security Management domain and then attempt to steer my career in the direction of Forensics once I am employed full-time again.
Am I taking the right approach, or selling myself short?
Craig Burget

Posted June 4, 2010 at 4:57 PM

Barry

This seems like a really effective tool for computer forensics. This is an area I need to learn a lot more about.

Posted June 5, 2010 at 5:26 PM

Rob Lee

Craig,
Contact me off-list. SANS has a program in place to get training to individuals who are currently out of work. It is a massive discount training program. But yes, 408 will get you trained to a level at which you can compete for entry or mid-level forensic positions around the country.
rlee at sans.org
Best,
Rob