Entries by David G (Chuzpah) (32)


Master’s degree finished - finally!

Several people have asked me how I got started in computer forensics and security. I thought I would share my experiences. 
How I got started:

Back in the late 1990s I indirectly participated in my first investigation. I was assisting in a corporate case. Essentially my job was to help the investigative team restore Exchange 5.5 backup tapes for examination in an offline lab. This took days of my time, often spending several late nights and weekends restoring the databases and preparing servers for the investigative team. Since everyone was working around the clock we needed to ensure that the investigative team always had evidence to examine. Once a particular set of evidence was gathered the master document, known as a chain of custody form was updated. The same form was updated once the evidence was check in or out. Storage containers were provided by the local police for each backup tape so the container numbers had to be updated on the chain of custody form, etc. This was a tedious process but it had to be maintained for the court. This process went on for several weeks, I learned a lot in the process. As it turned out I had a knack for investigative work. I really enjoy solving puzzles so this work was really interesting to me. It was not only a break from my day job to being an Exchange Administrator it was really cool stuff. I took pride in knowing that I was helping track down possible criminal activity. 
Deciding to pursue a 2nd career in computer forensics:

Once I decided I would go into the world of computer forensics I headed to the library, the bookstore and the web. At this time (early 2000s) there was little published information compared to what is available to day. I picked up a book titled “Computer Forensics: Computer Crime Scene Investigation” by John Vacca. This book was very helpful because it included a CD with some tools, this was the first time I actually got to play with some real forensic tools such as Recover98, RecoverNT, and the Coroner’s Toolkit. After playing around with the tools in this book as well as any other tool I could find on the internet I decided that I needed a formal education. At this point I was making a good living as an IT Professional and had no degree under my belt. I started checking job listings on various forensic sites such as Forensic Focus (http://forensicfocus.com) and Computer Forensics World (http://www.computerforensicsworld.com) as well as listings on traditional job boards such as DICE and Monster. What employers were wanting at that time were people with law enforcement backgrounds and a minimum of a bachelors degree. Since I always wanted a degree I decided to pursue a Bachelor of Science in Computer Science degree. What I ended up getting was a Bachelor Degree in Computer Information Systems with a concentration in Computer Forensics. What this meant was I attended four to five computer forensics classes as electives for my BS CIS degree.  In hindsight this was probably the best approach for me since I got my education, learned more about programming, and computer forensics in the process. I might have chosen differently had there been any degree programs in computer forensics at the time.
Landing the first official computer forensics gig:

Shortly after graduation with my newly printed diploma in hand I thought it would be easy to land a computer forensics job. I was counting on having my years of Microsoft and general networking skills to at least get me in the door. After several interviews I got several offers but there was one problem. They were either entry level or internship offers. This would have been great but there was one problem. I was making more than double than the highest offer I received. For a single person this would not have been as much of a burden but with kids to feed, mortgages, and not to mention cars to pay for I was not in the position to take any of these offers. A few years later I went to work for a large ISP with a sizable security department. After working for the company for a few years I decided to see about transferring over to the security division. After completing a few trial projects for the department I was able to complete the move. For a while I assisted in various projects but I did not get a solo project until I decided to take my education more seriously and pursue a Master’s Degree program in Digital Forensic Science. 
The work can be very tedious and requires an attention to detail. Everything also needs to be documented, criminals have walked because of a documentation technicality. This is not a 9 to 5 job, there has been many times that I have accepted evidence after 5PM on a Friday or had to work weekends. I’m often working in cramped office spaces, cold labs, or in windowless conference rooms. I’m often at my computer for 12 to 18 hours a day. I do take short breaks, usually 10 minutes every hour to stretch or to take a short walk to get water or coffee. There is often a sense of urgency to the work and a lot of interaction with all kinds of people working with a case. Good communications skills are a must! 
Master’s Degree in Digital Forensics:

After reviewing several college level programs I started the Master’s of Science in Digital Investigative Management program (MSDIM) at Champlain College, located in Burlington, Vermont. Although the degree program was 100% online there was a residency requirement to fulfill. I traveled to Burlington, VT to attend a long weekend session with dozens of other Master’s Degree students. The session was more management focused and we had to do various activities such as Myers Briggs Assessments and other exercises. I found out that I was an ISTP which breaks down to Introversion, Sensing, Thinking and Perceiving. More information can be found here http://psychology.about.com/od/trait-theories-personality/a/istp.htm. Anyway, the program started with basic management concepts that I appreciate today. About a third into the program Champlain created another forensic degree program that was more technical in nature. This was called the Master’s of Science in Digital Forensics Science (MSDFS). I transferred into this program because it was more technical in nature and it did not require a forensic accounting class. ;-)
The MSDFS program was where the rubber met the road! Each class was harder than anything I had experienced in school thus far. After each eight week class period I needed a break! I only got a week between each class. There was several labs and papers due throughout each class, there was a written assignment due almost each week as well. 
Closing Thoughts:
Earning a Master’s has been one of my greatest achievements and my kids are have taken notice. My son is already planning the colleges he wants to apply to and he is still in the 8th grade! The talk around the house has changed from “if” I will go to college to “when”. Working as an Incident Response/Computer Forensics professional has been rewarding and challenging. The work is often tedious and demanding. I can’t tell you how many family gatherings and social events I’ve missed because of work since I’ve lost count. However, it is also gratifying since I help make a difference in the lives of others. I prefer to work in the private sector but there are plenty of public sector jobs as well. I hope this helps anyone who is thinking of starting a career in computer forensics. It is not for the faint of heart but it is worth it! 



We simply cannot live without our gadgets

I shutter to think how long I could go without my Kindle, iPad or iPhone anymore. However, I usually can live without them long enough to try and get some rest on red eye flights. The last red eye flight I took (last week) I noticed a glow over the entire cabin when returning from the restroom. It seemed like every passenger had some device. I thought it was unusual since it was a red eye flight and most people usually sleep (so I thought). I usually can’t sleep on flights, but I like to give it the old college try when I have early meetings on the east coast the next morning. As I made my way back to the forward part of the cabin to reclaim my seat (just behind  business class) I noticed that most people were watching movies or playing games on all manner of tablets, phones, Ultrabooks, etc. I even noticed a pre-teenage kid watching Django Unchained (totally inappropriate for a 12 + year old to be watching). I did notice a couple of people reading something on printed paper, but most people were glued to those devices. As a technology guy, I’m often on computers and devices for 18+ hours a day but when I’m in flight, I like to take a device holiday for a few short hours!


New (2014) Mac Pro

When I was at the Apple store the other day I noticed something really cool. The new Mac Pro! This is a computer that you must see to appreciate, below is a photo of the new beast next to my iPhone 4 for scale. I plan to review one of these in the next few months so watch this site for updates on how well it performs. I will need to out it through its gaming paces as well. ;-)


Mac Pro as a Gaming Machine

Using my modified 2010 Mac Pro I wanted to see if I could successfully turn my Mac into a gaming machine. To give an accurate representation of the capabilities of the hardware the same games using identical graphical settings were measured on native OS X 10.9.1 as well as Windows 8.1 (boot camp). FPS measurements were taken using the standard Boot Camp 5.x video drivers as well as upgrading the drivers to the latest stable version of the GTX 680 drivers.

Mac Hardware Configuration:
Duel 2.4 Ghz Quad-Core Intel Xeon (5620) processors
NVIDIA GeForce GTX 680 (2GB EVGA Mac Edition)
240GB OWC Mercury EXTREME Pro 6G (both Mac and Windows)
Apple 30” Cinema Display (2560x1600)

Mac Gaming:
Compared to the Windows world drivers on the Mac side seem to be lacking. Frames per Seconds (FPS) values always clock lower than on its Windows counterpart. This is probably due to more frequent driver updates being available on the Windows platform. 

World of Warcraft (2560x1600 Ultra Settings)
Set the slider bar to Ultra settings at 2560x1600 resolution. Since this game is an MMO I performed tests in a couple of different areas in the game (listed below)

Orgimmar: FPS between 32 and 40
Flying around Durotar and Outland FPS was between 80 and 90

Diablo III (2560x1600 High Settings)
Texture Quality - High
Shadow Quality - High (Smooth)
Physics - High
Clutter Density - High
Anti-Aliasing - On
Max Foreground FPS - 100
Max Background FPS - 8

FPS varied between 56 and 61

Bioshock Infinite (2560x1600 Ultra Settings)
With Ultra settings on the Mac I was able to achieve a solid 50 to 55 FPS, however, at times there were lag spikes that were noticeable. 

Windows Gaming on Mac Hardware:
This portion of the article focuses on a Boot Camp (non-virtualized) installation. 

World of Warcraft (2560x1600 Ultra Settings)
Again I set the slider bar to Ultra settings at 2560x1600 resolution. On the Windows side there was a noticeable performance boost but it was not as dramatic as I was expecting.

In Orgimmar I was getting 37 to 50 FPS and flying around Durotar and Outland FPS was between 87 and 98

Diablo III (2560x1600 Ultra Settings)
Under Windows I got a solid 60 FPS for the most part, however, in town it would spike slightly higher at times

Bioshock Infinite (2560x1600 Ultra Settings)
I used the same Ultra settings as on the Mac side and was able to get a solid 60 FPS at all times, sometimes it would go higher. Overall gameplay was very smooth, no noticeable lag spikes.

Note: After upgrading to the latest Nvidia GTX680 drivers frame rates were nearly identical to the standard Boot Camp 5.x drivers that Apple provided. Going to be continuing to benchmark and will post updated results here on a regular basis.


Overcoming Exchange Service Pack 3 Errors

I have applied service packs to nearly every version of Exchange Server. Some times the service pack upgrade does not go so well. Recently I ran into this error.

Error: This server role can't be installed because the following roles aren't current: AdminToolsRole
This role won't be configured because of the following exception: This server role can't be installed because the following roles aren't current: AdminToolsRole


After examining the following registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\AdminTools and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\ClientAccessRole I noticed a discrepancy with the version number between the UnpackedVersion string value and the ConfiguredVersion (see below).

After adding a string value for the ConfiguredVersion the problem went away. Had similar errors for the MailboxRole key as well. After making the same changes to the ConfiguredVersion values in that key everything installed correctly.

Anyway, hope this helps anyone else with this problem. I was unable to find anything on the Microsoft website about this issue.