Subscribe
About
  • Home
  • /
  • Security
  • /
  • Part 2: ‘You have got to have the hunger. Digital forensics is not just what I do, it's who I am’

Part 2: ‘You have got to have the hunger. Digital forensics is not just what I do, it's who I am’

Jason Jordaan: certified SANS instructor and principal forensic analyst.
Jason Jordaan: certified SANS instructor and principal forensic analyst.

We met with certified SANS instructor and principal forensic analyst Jason Jordaan to get the top tips for moving into the digital forensics field. Whether you currently work in cyber security or have no experience in the field, this two-part Q&A covers all things digital forensics, with all the resources and advice you might need to make a move into this space in cyber.

10. How do you think DFIR has evolved in South Africa in the past five years?

“Our South African National Standards authority has endorsed and adopted the international ISO digital forensic standards for South Africa so these are now actual South African national standards which can be applied. So, I think that’s a nice development. The other development is the Cyber Crime Act itself which has increased the number of cyber crime offences that we have, it improves investigative capabilities and introduces the concept of standard operative procedure. As far as I am aware, we are going to be the first country in the world which mandates standard operating procedures for digital forensics, at least for government agencies. This Is going to mean that for people doing digital forensics in government, they are going to have to comply with approved operating procedures and these will carry the weight of all law. So hopefully, this will see a significant improvement in how we do digital forensics in South Africa. “

11. Do you think COVID-19 has had an impact on digital forensics?

“I think it has had an impact in different ways. The South African situation was rather interesting as a lot of businesses were severely impacted by COVID-19 with a lot of them closing. There was a lot of people who ended up leaving digital forensics because of COVID as people didn’t have the means to retain private digital forensics practitioners. I don’t think overall it was necessarily a negative impact though, as people have become more open to remote acquisitions. One of the things that used to frustrate me, was that whenever a client wanted to engage with us, they wanted us to be physically there. Whereas now, we can have that meeting over Zoom. So, a lot of people in the industry are more willing to engage in online platforms which has saved a tremendous amount of time. We are also spending more of that time that was spent travelling, investing in our work, spending time on analysis and going to court – which is what we should be doing! In South Africa, our courts are quite old-fashioned in a sense, they have learnt a certain way of doing digital forensics and prior to COVID-19, there wasn’t a willingness to accept the evidence of doing it remotely. Now, they are beginning to accept there are other ways of collecting evidence, which is in my opinion, a positive spin on things.”

12. What is the current job market looking like for aspiring Digital Forensicators or Incident Responders?

“From a SA perspective, there are a lot of jobs being offered; however, not at the entry level. A lot of the job adverts I see are expecting someone with a fair level of experience. So, the market is kind of eating itself. There is a lot of turn over of experienced people from one organisation to another, but we are not necessarily bringing youngsters in to fill that gap. One of the big problems is that we get youngsters coming in with no experience or the necessary qualifications, but the expectation of salary far outweighs what they can produce. So, therefore a lot of people don’t pursue the digital forensics roles they get exposed to, they just go into general cyber security or something like that. There is a big demand for skills but mostly at an experienced level. I think there are entry -evel jobs, they just aren’t as well advertised, if that makes sense. But overall, salary demands definitely outweigh skillset. It’s a difficult market in that sense for that reason.“

13. Do you have any advice for anyone looking to transition from a career in cyber security to digital forensics?

“So, I will give two pieces of advice. One for general cyber and one for somebody that’s never done cyber in their life.

"If you are in cyber and you want to move into digital forensics, the easiest way to do this coming from a cyber background, is to start reading up about investigations and law issues and the field. Also, where possible, if you’re not going to pursue the formal training route, read blog articles and watch YouTube videos. If you are really interested in this field, find somebody who is in digital forensics and approach them, show that you are genuinely interested and see whether or not they would be willing to mentor you. The one thing I can say about the digital forensic community worldwide, we are a very supportive community.

If you are not in cyber and you come from an investigation or a law background, for example, you need to start learning the cyber stuff. I’m not saying you need to learn a forensics tool and push buttons; you need to go and figure out how computers work. Build your own computer, go and set up your own network, learn a bit of Python. Learn the general computing stuff and then start applying your investigative skills and knowledge to that. Again, the same principle applies, reach out to people in the digital forensics community and show them that you are genuinely interested. They will help guide you.”

14. For those who are looking to make the career transition, is there any desirable or necessary education, certifications or training you would recommend?

“If you can afford it, and if its within your means, the SANS training courses have a very good career path for someone moving into digital forensics. The first core course I would recommend doing is the FOR308 course to begin with – disclaimer, I am one of the course authors for FOR308. This is the Digital Forensics essentials so that talks you through all the core forensic concepts, the law, how to write reports, testifying and all those kinds of things. Then, the second course I would recommend is our FOR498 course which is our Battlefield Forensics & DataAcquisition course which will basically teach you how to collect evidence from cellphones, computers, servers, novel devices and how to quickly get to evidence which you can use in an investigation. The next course I would then recommend would probably be the FOR500 course which is the Windows Forensic Analysis course which really teaches you to do deep dive forensics on a Windows machine. Then, after that it really depends on what your area of interest is.

"It would be a good idea, if you don’t have a degree in computer science to potentially get a degree in computer science. The reason I say that is, if you are going to end up going to court, having a degree plus certifications can really be a huge benefit for you. So, that would definitely be an added advantage.

15. Are there any free resources or training without a fee that you can recommend?

Below are a range of free resources recommended for anyone moving into the digital forensics field.

13Cubed
https://www.youtube.com/c/13cubed/featured

The Open University
https://www.open.edu/openlearn/science-maths-technology/digital-forensics/content-section-0?active-tab=description-tab

DFIRScience
https://www.youtube.com/c/DFIRScience/featured

Linux LEO
https://www.linuxleo.com

SANS DFIR
https://www.youtube.com/c/SANSDigitalForensics/videos

DFIR Python Study Group
https://www.youtube.com/playlist?list=PLz61osc7c3OqQ_xBZJbzZdIkVd8HnxLmC

SANS White Papers
https://www.sans.org/white-papers/?msc=main-nav

SANS Posters and Cheatsheets
https://www.sans.org/posters/?msc=main-nav

Tools

SANS Tools
https://www.sans.org/tools/?msc=main-nav

Tsurugi Linux
https://tsurugi-linux.org

CAINE
https://www.caine-live.net

FTK Imager
https://www.exterro.com/ftk-imager

Arsenal Image Mounter
https://github.com/ArsenalRecon/Arsenal-Image-Mounter

Practical Challenges

SOCVel
https://socvel.com

Share