Joining the World of IT Forensics

In my article from August 2018 I wrote about a new phase in life, the completion of my studies and the start of a new job. It was always clear to me that I wanted to work in the world of IT security. As it happened, I received two corresponding job offers. One of them was more in the direction of Red Teaming, the other in the direction of Blue Teaming. Both offers were very promising, but in the end I decided against the second offer because, for me, the job as a penetration tester was a bit more exciting.

That’s why it is even more interesting that, after three months as a penetration tester, I accepted an offer to become an IT Forensic Specialist within the company at the end of August. Since September 2018 I have been working mostly in IT forensics and less as a penetration tester.

As I did not have much experience in the IT forensics world, I soon started with a basic course in IT forensics, the SANS FOR500 course, which taught me the following points:

  1. Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016
  2. Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage
  3. Focus your capabilities on analysis instead of on how to use a particular tool
  4. Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

This course was very interesting and astonishing at the same time. I knew that a lot of information is saved on a computer when using it for daily business, but I could never have imagined how much it really is. For example, I never thought that it would be possible to create a very detailed timeline of all the actions a user performed, even with a precision of seconds.

Eventually, on December 14, 2018, I successfully passed the exam, which now gives me the title of GIAC Certified Forensic Examiner. I am very excited about what will come in 2019 and I cannot wait to examine new cases.

Cheers, Fabian