As many of you know, I have been running a couple of series here on Null Byte about digital forensics called Digital Forensics for the Aspiring Hacker and Digital Forensics Using Kali. Although many readers have seemed to enjoy these series, just as many seem to be pondering, "Why should I study digital forensics?"
Few seem to grasp the value of understanding digital forensics as a hacker or security engineer. As a result, I'd like to pause here and take a moment to share my thoughts on why you should be studying digital forensics.
The better you understand the trail you leave behind, and how it can be traced back to you, the better and more elusive a hacker you will become.
Oftentimes, hackers have absolutely no idea that every time they touch a system, they leave evidence of their presence that a skilled forensic investigator can trace back to them. Knowing where and when these evidence artifacts are left on the system can enable the truly gifted hacker to get in and out of a system while leaving barely a "fingerprint."
It is important to note that I said barely, as it is nearly impossible to leave no trace behind. Even the act of cleaning up leaves its own traces: a deleted log shows up as a gap, and a wiped file still alters timestamps in the file system around it. As with anonymity, you can only make it more difficult to trace you.
Undoubtedly, your actions will leave evidence, but if you know where that evidence lives, you can clean up your tracks before you leave, making it very time-consuming and costly for the forensic investigator to track you and attribute any actions to you.
By studying digital forensics, you will gain a better understanding of how operating systems work. Few security and network engineers, for instance, have a clear understanding of how the Windows Registry works and how it can be manipulated. Many are reluctant to even touch the registry for fear that they will make a mess of the system that they are incapable of remedying.
Studying digital forensics enables us to delve deep into how the operating system works in order to determine the artifacts left behind by the perpetrator. Undoubtedly, that depth of understanding will set apart any network, system, or security engineer from their peers.
In this era of cybercrime and cyberwarfare, the profession of digital forensic investigator is rapidly growing. Concomitant with this growth in demand for forensic investigators has been the growth in their salaries. Major cybersecurity consulting firms, such as Mandiant, have dedicated personnel that they can deploy in the event of a cyber intrusion at one of their clients. They cannot get enough well-trained people in this field.
National militaries and espionage organizations are employing digital forensic investigators to track intrusions by their enemies. As you know, in the 21st century, a growing share of warfare has migrated into the cyber-realm. Without excellent digital forensic skills, how would a nation even know it had been attacked, and by whom? One of the most difficult tasks in cyberwarfare is to determine who attacked you. If you are to retaliate, either in the cyber-realm or in the world of traditional, kinetic warfare with tanks and guns, you must be as certain as possible who was responsible for the attack. Establishing that is the role of the forensic investigator.
In addition, many law enforcement agencies now employ digital forensic investigators. In the U.S., this extends from local and state police up to the FBI and other federal agencies. If you are coming from a hacking background, this gives you an advantage over others in this field, as few of them understand hacking. The skilled hacker makes an extraordinary forensic investigator! Many private investigators are also hiring or contracting with digital forensic investigators.
Security engineers often need to respond to cyber-events in a way that assists the incident response team or the forensic investigators. This type of response requires knowledge of at least the basics of digital forensics, such as preserving evidence rather than destroying it by hastily rebooting or wiping a compromised host. In any case, knowledge of digital forensics will make you a more attractive job candidate and employee, leading to faster advancement and higher salaries.
Within security consulting firms and large corporations with a significant security infrastructure, there is often an incident response team. This is an elite group of professionals whose job it is to respond to cyber-incidents, and forensic skills are a core requirement for that work.
So, no matter what your career ambitions are in this field, you should be studying digital forensics. It's not just for CSI anymore!