Review of my Computer Forensic Internship

I have been interested in Information Security for about 12 months and I’ve studied pentesting/Computer Forensic (CF) off and on for about the same time. After researching Info Security careers like so many of us do, I knew it would be difficult to get into the field without a good amount of I.T. experience, so I decided to look into internships. Roughly three months ago, I was lucky enough to land a computer forensic internship through a friend.

Over the past couple of months, I have read a lot about people wanting to get into CF field but there are so FEW articles/blogs/threads regarding someone’s experience in the field, so I decided to write a review of my experience as a Junior Computer Forensic Analyst.

Before I start talking about my experience, I would like to give you my opinion of the field before I started.

After reading the 20 coolest Info Security jobs and noticing 2 of the top 3 jobs were CF jobs, who would not think CF was a badass job? The job just sounds “sexy”; going through someone’s computer to solve an investigation or just trying to find something on a computer that someone is trying to hide.
I have read on a couple of forums about how Info Security involves a lot of writing and that the career is not as “sexy” as people would think. I personally wouldn’t mind writing reports and I really thought people were trying to say the job wasn’t “sexy” because they didn’t want more people entering their field.

Now onto my internship:

I met my mentor (I will call him Mr X.) in late March and he’s one of the nicest guys I have ever met. He’s been in the CF field for 13-15 years and he was also one of the 1^st individuals trained by the government to do CF work. Not only did he have years of experience but he’s one of those people who enjoys teaching and passing on his experience/knowledge.

I ended up doing the internship for about 2 months and I had about 4-6 different cases. I had cases involving;

A wife wanting to know if her husband was cheating
A Lawyer wanting to know if his ex-employees stole important documents and put malware on his computer
A Christian woman wanting to know if her husband has been viewing ****
A guru from India had a sex tape leaked onto the internet and we had to confirm if the video had been altered in any way and if in fact it is the guru in the video
An employee left company A for company B (which was a competitor) and Company A was suing the ex-employee for stealing client information from their computer days before he left Company A.

Here were the basic steps we took in completing a case

Meet the client
Ask the basic questions and take notes; what/where/why/who/how
Have the client surrender the equipment they would like us to check out. If the equipment was for a court case, we needed to make sure we had the proper court documents before accepting the equipment.
Image hard drive
Bookmark all possible evidence (use forensic tools; FTK, EnCase, FTK registry,etc..)
Go through everything you bookmarked in detail and see what you find
Create a report with everything you found

Now I would like to go into one of the cases in greater detail, so everyone can see what the job is actually like. I will describe the case involving the lawyer who thought his ex-employees deleted/stole important documents and put malware on his computers.

We met the Lawyer; listened to his story, asked questions, and took notes. Then he handed over his 3 computers and we took it back to the lab where we imaged the hard drives using a write blocker (which was my 1^st time using such a device, which was cool), and then mounted the hard drive into Encase. I took the next 7 hours bookmarking “all possible pieces of evidence”, which was literally any .doc or .pdf file deleted in the last 2 months (I bookmarked over 1,000 items). Just to explain bookmarking a little more, it’s like looking at a never ending Word documents that has a whole bunch of random letters and numbers mixed in with documents. This is an example of what you’ll be looking at when you’re bookmarking:

ggfgddjdfy876fs87f6687hj9hjhjh7jh8jh97n87hn79g7g97b9g7h97r987r9t7e87e9r78r7e9r7e9r7e987r9e............////::::

????///
hjsdjsd44348374837:://fjhsjkhkjdsdhk34873fdhfkjjkhsdjkhsdhsdksd364374364736437846487637864374634783746374368473fkjhfjkshskjdhsdhsdhsdhsk739847398473498374934873skhsdkjshjdhsdjkhdkjdhs29387298323983983892287929829833//::customer_acct_info_2006.pdf.////83493748hjhdkdhdhs834/customer.account.information.2006.gfgfgfgfgfgfgfgfgfgjjhjhjhjhjj//john.smith.123457894.1512.main.st.credit.card.number.4563.2356.2584.4569./ggfgffg54544545454545454555454554ffffffff7f97df98d7dfds7fds8f97f98d7f89df7d9f7d89f7dfd7fd9f7df9s7fd9f7d9fd7f9df//fgfg/g/gf/f/f4445554545//fdf///7498343437843894734893743894739483748hjhjskhdjshdsjhdskjhdskjdhskdshdsdhskdjshdkjshdskjdhsdkjsdkjshdskjdhsjkdhskjdhskdshdskjdkjdkdskskjsh4j5k4j4k35g45k43hg54h5kg45j43f54fk45ghg5jgk54kg54g535k35g45gk4543g54kh5g35kgk354k5gkgk345g45k5g4k

You can obviously see where the document begins and ends but doing this for 7 hours makes you want to smash your head against the sidewalk. After THAT, I took another 7 hours going through all 1,000 items that were bookmarked. Then I assisted Mr. X with writing a report with our findings. Finally, we met with the client one more time to let him know what he found but since we did not find evidence that supported what he was looking for, he become angry and said we didn’t do our job. And from what Mr. X said, a lot of the time, client’s will get mad if you don’t find the “information” that they thinks is on the computer.

I can honestly say the only interesting part of the whole case was the initial meeting with the client; listening to their story, asking questions, and taking notes. Everything after that was extremely boring, which was literally 95% of the job. I knew almost right away after I started bookmarking, that this career was not for me. Depending on the size of the hard drive, I could have been bookmarking for another 7 hours! I am so lucky I was able to have this experience before I possibly started a CF degree, classes, or even certifications. I definitely feel like most schools/websites build this career up to be something it is totally not. Hey, if you don’t mind staring at a computer screen scrolling through data/info for 80-90% of your job, then all the power to you but I definitely wouldn’t. I honestly can say I like my NOC job twice as much as CF. Don’t get me wrong, you could get an interesting case every now and then, but 90% of time it won’t be too interesting.

I respect the CF profession and all CF professionals but after reading so many posts about individuals wanting to get into CF and spending thousands of dollars on certifications/classes without ever doing CF work, I just want them to hear what my experience was like. BUT AGAIN, THIS REVIEW IS JUST MY OPINION...take it for what it's worth.

After learning the hard way with CF and how some careers are not what they seem, it definitely makes me question what a Pentesting career would be like…

*****I probably left out some important stuff, so if you have any questions…just ask and I’ll be happy to answer them.

Find more posts tagged with

Comments

the_Grinch

Thanks for the review! I sort of expected that is what CF would consist of. That being said, I don't think I'd have too much of an issue with sifting through data for 8 hours a day (depending on the pay of course).

shecool

Were you the fellow who had a previous post about their CF internship (All I remember was -- the OP said something about lots of reports)?

In any case, I really relate to these first security internship threads, especially since I was considering requesting CF for my 2nd rotation. I'm currently 1 month into my first security related internship (not cf -- identity management) and my expectations were a lot different, lol! I spend a ton of time reviewing, rewriting and creating technical documentation.
(To other security professionals: Is this a good or bad thing?)

I guess I can relate to you because I'm also a telecom/networking major with previous coop exp working for a NOC and in provisioning for a carrier. It was a bit more... hands on in those positions so I kind of miss that, haha.

veritas_libertas

Thanks for the interesting review.

@The_Grinch: I wouldn't either. Of course that could mean we are both odd-balls?

Hypntick

Thanks for the review, was wondering what your take would be. Like the_grinch said, i'm not shocked with the duties, halfway what I expected. I can imagine it would get a little old after a while, even more so with the clients who are upset that you're not getting their desired outcome.

YuckTheFankees

@hypntick,

Just like you said, it does get old..pretty quick. And also like you said, not only do clients get angry at results but sometimes they do not pay because your outcome did not match theirs.

@shecool,

I'm definitely getting more hands on with the NOC/telecom position, and I don't know if I could do Information Management (rewriting procedures is not my cup of tea). After the CF experience, I kind of want to stick with networking instead of security..but then again, CF is a very small part of security.

laughing_man

Wow, clients don't pay up? Have those fools sign a contract before hand. I know it is not that simple, but man that is cheap and low.

I am currently working as a junior security analyst and CF work is typically delegated to me. It is fun the first few times you do it, but after that it is drudgery. I can also relate to the whole "client gets mad because the evidence does not equal their assumptions" thing. We do audits just for internal departments and people act like you did not do your job. Fankees is right.

Great piece by the way!

JDMurray

What helps is if you are really interested in the case you are examining. Being on a "mission" to find criminal evidence, parole violations, or anything to do with CP can really focus an examiner's interest and resolve. Experienced examiners also know when to conclude the investigation because of the reduced probability of finding anything as the examination proceeds.

Experienced CF examiners have also learned a bunch of shortcuts to speed up and automate parts of the investigation process. One I know of is never use the indexing feature in EnCase 6; always index using FTK2 or 3 instead, because it is much faster. Interns would need to be told that.

YuckTheFankees

@laughing_man

The client's definitely sign a contract and they usually pay a retainer of $2500, but a lot of the time, the case will cost more than that....
It sucks but that's reality.

@JD

All very good points, thanks for your input.

ChooseLife

Thank you for sharing your experience, YTF.
One thing I wonder about is whether this impression of dull work is influenced by the fact that you had to deal with mundane tasks as an intern. Have you had a chance to learn what your mentor's workday looks like? Did it include as much repetitive non-creative work?

docrice

Since forensics generally entails legal involvement / entanglements / obligations, you have to be very detail-oriented to cover your bases. And when I say detail-oriented, I mean that you must be thorough, use a methodology you can defend, and I'm sure it can get extremely tedious like you experienced. I would enjoy doing forensics for an in-house company case once in a blue moon, but to do that day after day would kill me.

On the other hand, it can be the same way with firewall configurations, intrusion detection, and watching traffic go by hoping that there's a packet filled with dirty laundry. It's the mission to find the needle in the haystack that you'll either miss or that it never existed in the first place.

onesaint

It's so interesting that on one side you have docrice who talks about always keeping up and constantly being aware of the state of infosec. Then on the other side of the spectrum, it's sifting through "a never ending Word documents that has a whole bunch of random letters and numbers mixed in with documents" for 7 hours a day.

I'm under the impression that there is a lot of money to be made in E-discovery and CF. Still, I'd rather be in the Admin trenches personally.

Great write up and glad to see you putting the word out to enlighten others.

JDMurray

onesaint wrote: »

I'm under the impression that there is a lot of money to be made in E-discovery and CF.

That money is mostly for the owners of the eDiscovery/digital forensics companies and the few notable consultants whose knowledge and integrity command great need--and price--as expert witnesses. For the rest of us with the dirt under our fingernails, not so much. You gotta spend the time (many, many years) to build your CV and get to that level.

onesaint

That makes good sense. Where my information is coming from is an expert witness. He's always saying there is great money in E-discovery.

I'm kind of surprised at the thought of you not being paid handsomely, JD. With your effort and knowledge I would think you'd be giving testimony all the time.

JDMurray

The closest I've come to being in a courtroom (besides jury duty) is in a couple of patent cases, but those fizzled out. I really don't have the type of job that would allow me to schedule being deposed and to give witness. There is also the problem with expert witnesses not being covered by attorney-client privileges, so you are fair game to the opposing side. I really need to write every detail down to remember it all, but no notes or email allowed as they are legally discoverable, so it's telephone conversations and memory only. That would kill me.

YuckTheFankees

@chooselife,

I worked for a one man shop, so I wasn't only during "Intern" work per se. I would shadow him through-out his regular work day and then he would let me do various task. And yes, the work is VERY repetitive.

@docrice,

I agree with you 100%. I wouldn't mind doing CF, firewall configuration, or intrusion detection work every once in a while..but certainly not all day everyday.

@onesai

I'm glad you brought up salary, because I had the same assumption as you (impression of making a lot of money in CF). My mentor was very open, so I was able to ask questions regarding how much he made and some other salary questions. He's been in the field 13-15 years, he's the best CF professional (CF/E-discovery/expert witness) in my state, and one of the best in the country...he charge's $175.00 per hour for private cases and $100.00/hour for state cases (keep in mind he owns the business, so don't expect to make that much). Each cases at the minimum is usually 10-20 hours but then again; he has to pay for CF equipment (which isn't cheap), CF software, rent, etc... But as a CF professional not owning their own business and with 0-5 years, expect 40k-80k (but more towards the 50-65k range)...even after 5 years of experience..still not that impressive.

the_Grinch

It was great that you were able to get some perspective on the job and also that you shared it here. Job decision, like life decisions, are often a crap shoot and the ability to go in knowing full well what is ahead is priceless. As far as salary goes, if you aren't happy no salary is going to make it so. Do what you love and the money will come.

ChooseLife

YuckTheFankees wrote: »

@chooselife,

I worked for a one man shop, so I wasn't only during "Intern" work per se. I would shadow him through-out his regular work day and then he would let me do various task. And yes, the work is VERY repetitive.

Fair enough, thanks for addressing that comment

beads

Don't forget the "other" use of forensics - Incident Handling. Which is critical to finding unknown malware and other baddies that go bump in the night. Forensics doesn't just involve court cases. If you have a good background in development or database work you'd probably be surprised how difficult it can be to find unregistered malware or intrusions on a suspect machine. Few incident handlers are good with EnCase or FTK but is becoming a very critical skill particularly when dealing with the hyped up "APT" style threats out there. Then again, most large companies don't even begin to want you to even LOOK for APT, let alone find it.

- beads

Cerebro

Put some sexy CSI music on while you work!..."who, who, who are you?"

sundara vijeyan

UNNECESSARY QUOTATION DELETED

pls..help me wit interns in cyber forensice field

Dave B

Finding an internship for computer forensics can be extremely difficult. I am a forensic examiner in law enforcement and have had two interns in the past two years! It appears that the field is growing and has been stated in some of the previous posts it isn't that lucrative! I handle primarily child pornography cases, which get tedious. I have had some intrusion cases and theft/fraud type cases which are a little more challenging.

Interning is a great way to learn the ropes in the CF field. You will have the opportunity to use equipment (write blockers) that you would not get in any other way. You also get to interact not only with the computers but the people involved. This provides a different perspective indeed! It is most useful to obtain the information you need for the exam from the user rather than an uninterested party, such as a cop writing a search warrant.

The only advice I can give is to start calling anybody doing CF work that you can identify and beg for an internship. It is hard to get one but you have to put yourself out there!

JDMurray

I would gladly do volunteer CF work for the one CF examiner at my local police department, but they have no program to manage such volunteers. Even unpaid volunteers require a line in the department budget to manage them.

zcarenow

i would love to get into this sector if i had the opportunity? i currently am a sys admin just building windows servers and supporting them

MalwareMike

Old thread but super interesting!