Why you need programming skills to be a good computer forensics investigator

(certainly in the commercial world anyway)

In the corporate world getting licences for forensic software is a slow and painful process and using open source tools is usually a no go, so you end up with a limited toolset to carry out forensics. So unless you have all the tools that do exactly what you want, you frequently rely on having to do things manually. Being able to script something together quickly, in my opinion, is one of the most important skills any forensic investigator should have, especially one constrained by the software they are allowed to use. Taking a few hours to write a program that does the labour intensive, often boring, task for you saves many more hours, if not days, in the future. What's more, scripts can be reused; and if you've written it, you have a better chance of explaining what it does to a court or to those that need to know than trying to unravel what on earth EnCase is doing under the hood.

Here are a couple of obvious examples where scripts are a godsend:

1. In commercial forensics a large part of your evidence will come from centralised log files. Examples include proxy logs for internet access, DNS logs, printer logs, remote access logs and authentication protocol logs. Most of these logs will come back to you in a raw and ugly format with far too many columns, timestamps in funny formats and more information than you really needed. Unless you have a tool that knows what to do with the logs and can produce exactly what you want from them, you are going to have to go through them manually and extract what you need. Do you really want to trawl through 400MB of proxy logs to find all the times user A went to website B? Why not write a simple parser that goes through each line and spits out useful data when a regular expression matches what you want?

2. Some parts of the Windows registry have the entries rotated 13 characters to obfuscate the data. Do you really want to manually work out what each entry translates into? Why not write a simple program that takes a list of rot-13 text and converts them to normal text?

3. Case images, notes, reports, exported files etc. may have to be copied to a secure area for safekeeping. Do you really want to manually hash each file, wait for that to finish and then copy the files across? Why not write a script that computes a hash of each file one after the other, copies the files across, computes the hashes again, compares the hashes and outputs whether the copy was successful or not?
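The third case above as an added example in Python (not code from the original post): hash every file in a case folder, copy it to the secure area, rehash the copy and report whether the two hashes match. The case folder, file names and contents are constructed in a temporary directory so it runs stand-alone.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks so large images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

def verified_copy(src_dir: Path, dst_dir: Path) -> dict:
    """Hash each file under src_dir, copy it into dst_dir, hash the copy and compare.
    Returns {relative_path: (source_hash, copy_hash, matched)}: a record that can
    go straight into the case notes."""
    results = {}
    for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(src_dir)
        dst = dst_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        before = sha256_of(src)
        shutil.copy2(src, dst)  # copy2 also carries over the file timestamps
        after = sha256_of(dst)
        results[rel.as_posix()] = (before, after, before == after)
    return results

def all_verified(results: dict) -> bool:
    """True only if every copy hashed identically to its source."""
    return all(ok for _, _, ok in results.values())

def demo() -> dict:
    """Build a constructed case folder in a temp dir, run the copy, print the report."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "case", root / "secure_area"
    (src / "notes").mkdir(parents=True)
    (src / "image.E01").write_bytes(b"constructed image data " * 1000)  # constructed
    (src / "notes" / "report.txt").write_text("Case 42 report (constructed)\n")
    results = verified_copy(src, dst)
    for name, (h_src, h_dst, ok) in results.items():
        print(f"{'OK ' if ok else 'BAD'} {name}  {h_src[:16]}...  {h_dst[:16]}...")
    print("copy verified" if all_verified(results) else "HASH MISMATCH")
    return results

if __name__ == "__main__":
    demo()
```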

As many other forensics bloggers have said, you must know your data and be able to do things manually instead of relying on the heavyweight tools like EnCase and FTK. However I think you also need to know the basics of scripting – even if it’s just EnScripts and batch files.
