GIAC Certified Forensics Analyst (GCFA)
Aug 19th, 2007 by John Gerber
“Because your own strength is unequal to the task, do not assume that it is beyond the powers of man; but if anything is within the powers and province of man, believe that it is within your own compass also.” — Marcus Aurelius
Passing the certification exam for System Forensics, Investigation & Response (Sec-508) and becoming a GIAC Certified Forensics Analyst (GCFA) might not have been what Marcus Aurelius had in mind. Still, I am very glad to have the certification exam over with. To get things straight in my head, I have to study for an exam. I can go through class, and basically understand most of what is discussed. Until I sit down to study, I do not truly put the parts together. When I studied for the exam, I did not limit myself to SANS material. It is about learning the topic, not just passing the exam.
I want to point out a few additional references. I am not claiming they will help you with the certification exam. The truth is, they might hurt. It is easy to become a bit overwhelmed. If your goal is to pass the certification exam, stick to the SANS material. But, if you want to learn forensics a little better, these additional sources might help.
For a good discussion of file system forensics, I recommend Brian Carrier’s book, “File System Forensic Analysis.” While there are tools that will do a lot of the file system forensic work for you, I really enjoyed reminding myself of the very structures that we are analyzing. If you want a book more focused on Windows, there is Harlan Carvey’s book, “Windows Forensic Analysis.” The SANS forensic class is already full of information. Still, the course would benefit by incorporating some of Harlan’s material. Finally, one of my favorite books, by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose, is “Real Digital Forensics: Computer Security and Incident Response.” It provides a great hands-on approach to learning forensics for both UNIX and Windows.
For enjoyable podcast listening, I recommend CyberSpeak. The podcast is done by Ovie Carroll and Bret Padres, and they describe their show as, “Two Former Federal Agents Talk About Computer Forensics, Network Security and Computer Crime.” If you need to keep up on news and forensic topics, there are a few blogs that might interest you. There is Computer Forensics and Incident Response, written by a gentleman who identifies himself as Bill. I am afraid I can provide no additional details, besides the fact that it is a good blog. Bob Krantz and Jeff Fehrman maintain the EDD Blog Online, which provides, “An insiders look into the ever evolving landscape of legal discovery to include but not limited to computer forensics, electronic discovery, email archiving, online review and proactive management.” Forensic Focus provides computer forensics news, information, and community forums. Finally, there is Forensic Incident Response by hogfly, who describes the blog as, “created to support some of the work I’m doing and to contribute to the forensic community. I’ll be blogging about the science of forensics, incident response, methodologies, relating real world investigations to digital ones and some other tidbits.”
Studying for an exam like the GCFA helps me to put together pieces of computer knowledge that I have long since forgotten. I am not that old. At least I don’t think so. Senility has not set in. Or, if it has, I am too far gone to realize it. Still, I have been doing something with computers since I was twelve. For those Technorama fans, my first computer, I would have to say, was really a book. No, not an iBook. I learned to program through the use of a book. My interest in computers started before I had access to a computer. Our grammar school was doing an experimental program where students were able to get out of regular class for an afternoon once a week. We could choose to attend a course in literature or robotics. Most girls, and the smart boys who figured it was not a bad idea to go where the girls went, chose the literature class. I chose the robotics. Looking back, this program was probably just a way for the school to get more money from the state. While it was an interesting idea, it was not like we had access to a robot or even a computer. The literature class did have access to books, though.
One day the instructor told us our homework was to write a BASIC program. She had not spent any time during the class teaching us how to program. I don’t think she really expected much from us. Probably just a begin, print, end kind of program. Well, during that time my mom was bringing in some extra income by watching kids. The father of a family whose child we watched did some programming as part of his job. He heard about my assignment and volunteered to help me. The poor man did not know what he was getting himself into. Thanks to his extreme patience, by the end of the day we had a program. And it did take all day, because I had to keep going over it to get it straight in my mind. By the time I left, I knew that program. Well, the course spent an hour or so the next week talking about programming, and that was it for the course. Still, it introduced me to a way of thinking that I wanted to learn. I started buying books and learning how to program.
This was a time when computers were not in every classroom. I was in 8th grade, which was part of the grammar school. It was not until 9th grade, when we switched to attending the high school, that we would have access to a computer room. Even then, the programming classes were supposed to be limited to the upperclassmen. Fortunately, fate stepped in and, because of a scheduling conflict, I got into the programming class. Well, fate and supportive parents. The high school computer room had Commodore PETs. Later, in a year or two, the PETs would be replaced by the Apple II. Also, right before I attended high school, my dad purchased an IBM XT for our home. His company allowed their employees to purchase these computers with no-interest loans. The computer cost about as much as a decent car. It was a major investment on my dad’s part. Like I said, it helps to have supportive parents who value education.
Before any of this, I spent a year learning how to program using programming books. Once I got into high school, I was in the lab every day after school making use of the computers. I gave back to the high school with such great programs as the dating program. That program was used for many years at the high school for fundraising around Valentine’s Day. Of course, there was the scouting program, which analyzed the playing strategies of the opponent’s football team. I developed that for the coaches. I just want to make it clear that I did not have any kind of gambling programs going on, though it could have been used for that purpose. Considering these were the times of computers with less than 64K of memory and 10M hard drives, the programs were pretty decent.
I was listening to Security Wire Weekly, where they interviewed David Foote of Foote Partners on his latest research on the value of IT security job skills and certifications. The bottom line is that David found the security management exams led to higher salary increases than the technically focused certifications. This is not surprising, but I would argue it can be misleading. The CISSP is not more valuable than a SANS GIAC certification. It is a different target group. A manager who demonstrates a broad-based knowledge of security will do better than the pool of managers without such skill. A technical person who becomes certified is being compared to other technical people.
Put another way, there are managers who may have a vision of what to do but really do not know how it might actually get done. On the other end of the spectrum, you have good technical people who are so focused on their area that they can’t see beyond their world to the requirements of the company as a whole. Most people don’t have the ability to switch perspectives or bridge the gap between these camps. A person who demonstrates both an enterprise-focused, high-level view coupled with the ability to get into the weeds is a very valuable asset to a company.
No matter what you do, I think Marcus would agree that the key is to continuously learn and strive to understand. That twelve-year-old has come a long way in his understanding of computers.