As many of you know, I have been running a couple of series here on Null Byte about digital forensics called Digital Forensics for the Aspiring Hacker and Digital Forensics Using Kali. Although many readers have seemed to enjoy these series, just as many seem to be pondering, "Why should I study digital forensics?"
Few seem to grasp the value of understanding digital forensics as a hacker or security engineer. As a result, I'd like to pause here and take at least a moment to share my thoughts as to why you should be studying digital forensics.
A More Elusive Hacker
If you understand what trail you leave behind that can be traced back to you, the better and more elusive hacker you will become.
Often times, hackers have absolutely no idea that every time they touch a system, they leave evidence of their presence that a skilled forensic investigator can trace back to them. Knowing where and when these evidence artifacts are left on the system can enable the truly gifted hacker to get in and out of a system while leaving barely a "fingerprint."
It is important to note that I said barely, as it is nearly impossible to leave no trace behind. Just like anonymity, you can only make it more difficult to trace you.
Undoubtedly, your actions will leave evidence, but if you know where, you can clean up your tracks before you leave making it very time consuming and costly for the forensic investigator to track you and attribute any actions to you.
A Better Understanding of Operating Systems
By studying digital forensics, you will gain a better understanding of how operating systems work. Few security and network engineers, for instance, have a clear understanding of how the Windows Registry works and how it can be manipulated. Many are reluctant to even touch the registry for fear that they will make a mess of the system that they are incapable of remedying.
Studying digital forensics enables us to delve deep into how the operating system works in order to determine the artifacts left behind by the perpetrator. Undoubtedly, that depth of that understanding will set apart any network, system, or security engineer from their peers.
Prepare to Become a Forensic Investigator
In this era of cybercrime and cyberwarfare, the profession of digital forensic investigator is rapidly growing. Concomitant with this growth in demand for forensic investigators has been the growth in their salaries. Major cyber security consulting firms, such as Mandiant et al., have dedicated personnel that they can deploy in the event of a cyber intrusion of one of their clients. They cannot get enough well-trained people in this field.
National militaries and espionage organizations are employing digital forensic investigators to track intrusions by their enemies. As you know, in the 21st century, warfare has largely migrated into the cyber-realm. Without excellent digital forensic skills, how would a nation even know they have been attacked and by whom? One of the most difficult tasks in cyberwarfare is to determine who attacked you. If you are to retaliate either in the cyber-realm or the world of traditional, kinetic warfare with tanks and guns, you must be certain who was responsible for the attack. That is the role of the forensic investigator.
In addition, nearly every local law enforcement agency now employs digital forensic investigators. In the U.S., this includes state police, the FBI, and other law enforcement agencies. If you are coming from a hacking background, this gives you an advantage on the others in this field as few of them understand hacking. The skilled hacker makes a EXTRAORDINARY forensic investigator! Many private investigators are also hiring or contracting to digital forensic investigators.
Develop Skills as a Security Engineer
Security engineers often need to respond to cyber-events in a way that assists the incident response team or the forensic investigators. This type of response requires knowledge of at least the basics of digital forensics in order to respond appropriately. In any case, knowledge of digital forensics will make you a more attractive job candidate and employee leading to faster advancement and higher salaries.
Prepare for Incident Response
Within security consulting firms and large corporations with a significant security infrastructure, there is often an incident response team. This is an elite group of professionals whose job it is to respond to cyber-incidents and forensic skills are obviously required.
So, no matter what your career ambitions are in this field, you should be studying digital forensics. It's not just for CSI anymore!
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
12 Comments
As a malware analyst wannabe I strongly support this article and the need for Forensics. Anyone else on the same path as me needs to know how to sift through the data of an infected system.
Totally agree, thats why I have already started going through your guides. It never occurred to me how crucial learning Digital Forensics is until I got a taste of your guide with autopsy.
basic forensic knowledge now a days in the IT industry should be mandatory to know for any average IT-working guy now. Very solid statements here OTW, I most definitely agree, and I for one also enjoy your forensic series.
I have to ask, as you say, how do hackers not know they leave a trace of themselves? I'm not doubting you, but you think they'd take the time to at least learn how to get rid of some evidence after learning how to break into a system.
Of course this is not speaking for all hackers, I'm just saying it seems more common sense then anything if you know computers let alone hack into them.
I think the point OTW is making with the forensic series is knowing 100% of the traces you leave behind. I imagine that some hackers get lazy and depend on tools that are supposed to get rid of all traces and call it good. And even though it works most of the time, there are times when the lack of discipline is the reason the person gets caught.
I think more accurately I meant to say, :hackers are unaware of ALL the traces they leave behind".
M
I have a off topic question
When i use metasploit for hacking, i would entermy ip on the LHOST option. Even if i'll use tor+vpn combo, they can track me, because of my ip on LHOST, right?
Both ToR and VPN encrypt the information.
i meant the payload on victim pc
Like all communication via ToR or VPN, only the last hop or the IP of the VPN is left behind.
Ll
Share Your Thoughts