The Electronic Crime Institute (ECI) is a federally funded program at Des Moines Area Community College that is designed to help fill the void we currently have in trained digital forensic investigators. The title of the course I taught was Operating Systems for Forensics. It was a great course which forced me to get back and focus on some of the core aspects of an OS and file systems. As I went through the semester, though, I realized most organizations are woefully unprepared to deal with a situation which requires true digital forensics.
It seems that most people who choose this career path are either law enforcement officers or IT professionals who have naturally gravitated to the investigative side of the profession. The problem I saw, though, is that the mindset needed to perform an investigation of a system is quite different from that required for administration of that same system. I had some very talented individuals in the class, but their questions often appeared to come from an operational mindset. They knew how the system worked, or how to perform a task, but might not have fully understood the architecture of the underlying technology. If you don't know what a Master Boot Record (MBR) is, where it's located on a drive, or when it is or isn't used by an OS, you'll never be able to find data that's been hidden there. I realized I needed to take a different approach to help students make the transition.
Early on in the course, one of my lectures covered the conversion of decimal, binary and hexadecimal values. Now obviously we have tools which do this for us, but an investigator has to know what his or her tools are doing in the background. I told the class that if they didn't like reading hex and being able to at least identify patterns in file signatures, they might want to reconsider their career choice. One student dropped later that week. Those who stuck it out were really digging into the meat of the OS and file systems by the end. They were learning about the journaling functions in NTFS and EXT3, how to convert hex values into the date stamps for files and directories, and were finding data hidden in multimedia files which played or displayed fine in their native viewers. They had transformed from troubleshooters into investigators. No longer were they looking at an OS as simply an obscure tool used to run their applications. It was a powerful tool which could be manipulated to move and hide data.
It was really quite interesting to see this transformation. I personally think you have to have a natural flair for investigation, as there are some things that just can't be taught. The investigative instinct simply can't be taught in a classroom. It takes years of training and field experience to develop, and some develop it better than others. Even as I do investigations today, I'm continually learning and developing my investigative skills. It's a long road but a great journey.