Finding Your Digital Forensic Knowledge Sweet Spot: Balancing Breadth and Depth in Digital Forensics Knowledge.

February 26, 2024

Understand the underlying technologies and processes to make you a better forensic examiner.

What is the ideal knowledge profile of a digital forensics professional? How much should practitioners know to be effective? I recently presented this topic at the P4 event in the UK.

Digital forensics is a broad discipline (perhaps unusually so), spanning many technologies from raw hardware to userland applications, and everything in between. When we think about traditional digital forensics knowledge areas, some obvious ones spring to mind: how file systems work, how data is stored, and knowledge of OS- or application-specific artifacts that have forensic value, to name just a few. But if we try to map out all of the technologies, together with the disciplines needed to understand or manipulate those technologies in a digital forensics context, the list of subjects quickly becomes overwhelming for a single person.

Technologies, themes, and disciplines

To expand on this, here is a list of relevant technologies, themes, and disciplines that can apply at a root level, many of which branch off again, several times over, into more specific subjects:

  • Cellular technologies
  • Operating systems
  • Device Security
  • File systems
  • Data storage mediums
  • Cryptography
  • Data encoding
  • Databases
  • Hardware/Electronics
  • Coding/scripting
  • Reverse engineering

To take one of these as an example, we need to understand each of several operating systems in several ways: where and how it stores forensic artifacts, how its security model affects extraction, and so on.

The question then is how broad should an examiner’s base knowledge set be around these topics, and indeed how far in depth into any one knowledge base should we go? Is there a sweet spot?

Even where a tool does most of the “heavy lifting,” sometimes we need to understand the underlying theory of how the tools work, as well as where (and why) their limitations may lie, in order to understand the results we are seeing (or not seeing). This understanding enables us to troubleshoot problems more effectively, and generally get the most out of the tool.

Knowledge empowers efficiency

Balancing breadth vs depth of knowledge in a field as wide as digital forensics will always be a challenge. We don’t need to be SQLite admins, but again, we may need to know enough to write an app-specific query. We also don’t need to be fully fledged programmers, electronics engineers, reverse engineers, cryptanalysts, mobile network engineers, etc. You get the picture. But again, it’s helpful to know enough about each discipline to be able to understand, troubleshoot, and when necessary, innovate to solve problems. And it’s just as important to know where to effectively focus our time and which avenues may simply be dead ends.
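The SQLite point above is a good place to show what "enough to write an app-specific query" looks like in practice. The example below is added here and is not from the original post or any Oxygen Forensics product: it builds a small constructed messaging-app database in memory, joins messages to contacts, and normalises two differently encoded timestamp columns (Unix epoch milliseconds and Apple "Cocoa" seconds since 2001) to UTC. The schema, handles, and values are all invented for illustration.

```python
import sqlite3
from datetime import datetime, timezone, timedelta

# Apple "Cocoa" epoch: many iOS app databases count seconds from 2001-01-01 UTC
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def build_sample_db() -> sqlite3.Connection:
    """Constructed schema loosely modelled on a messaging app (not a real app).
    sent_ms is Unix epoch milliseconds; read_cocoa is Cocoa seconds (0 = unread)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, handle TEXT, display_name TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, contact_id INTEGER, direction TEXT,
                               body TEXT, sent_ms INTEGER, read_cocoa INTEGER);
        INSERT INTO contacts VALUES (1, '+15550100', 'Alice'), (2, '+15550199', 'Bob');
        INSERT INTO messages VALUES
          (1, 1, 'in',  'meet at 9?', 1708934400000, 730627500),
          (2, 1, 'out', 'ok',         1708934460000, 0),
          (3, 2, 'in',  'call me',    1708938000000, 730630860);
    """)
    return con


def conversation_timeline(con: sqlite3.Connection, handle: str) -> list[dict]:
    """App-specific query: every message exchanged with one contact handle, oldest
    first, with both timestamp encodings converted to ISO-8601 UTC."""
    rows = con.execute("""
        SELECT m.id, c.display_name, m.direction, m.body, m.sent_ms, m.read_cocoa
        FROM messages m JOIN contacts c ON c.id = m.contact_id
        WHERE c.handle = ?
        ORDER BY m.sent_ms
    """, (handle,)).fetchall()
    timeline = []
    for mid, name, direction, body, sent_ms, read_cocoa in rows:
        sent = datetime.fromtimestamp(sent_ms / 1000, tz=timezone.utc)
        read = COCOA_EPOCH + timedelta(seconds=read_cocoa) if read_cocoa else None
        timeline.append({"id": mid, "contact": name, "direction": direction, "body": body,
                         "sent_utc": sent.isoformat(),
                         "read_utc": read.isoformat() if read else None})
    return timeline


def misread_year(read_cocoa: int) -> int:
    """What an examiner gets by wrongly treating a Cocoa value as Unix seconds:
    the event lands decades too early, which is the kind of error that only
    knowledge of the app's encoding catches."""
    return datetime.fromtimestamp(read_cocoa, tz=timezone.utc).year
```

Running conversation_timeline(build_sample_db(), '+15550100') yields Alice's two messages with sent and read times both in 2024, while misread_year(730627500) shows the same read value decoded as a Unix timestamp falls in 1993.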

To use one specific example, from one single facet of digital forensics, if we want to better understand an extraction method for a locked Android device, we need to also know about a raft of interlinked technologies including hardware, chipset specificities and nuances, cryptography (both general concepts and specific implementations), trusted operating systems, and Android OS security features. Without breadth of knowledge across these many technologies, we won’t fully understand or effectively troubleshoot problems when attempting to solve one specific facet of digital forensics.

Breadth based on relevance

My own experience and belief is that we should have as broad an overview as possible of all of those relevant disciplines and technologies. Through this breadth we gain an understanding of what we see and of how we might get started in solving particular problems, knowing "what is the art of the possible" (or impossible). Depth of knowledge in a particular area often comes naturally when trying to achieve those specific case-to-case goals or solve problems.

Aside from all that, we also need to understand the requirements of the people who consume digital forensics data such as analysts, reviewers, detectives, lawyers, and more. One group of people may not have much use or interest in learning more about artifacts and data. Another group may desperately require knowledge in those areas. Knowing what to deliver to people and how to present it are also important skills that must be learned.

Learning to get the most out of a tool

Then there is the question of tool knowledge. In a “toolbox” industry such as this, we also need to understand how to use the tools and each tool’s capabilities. Even if we are trying to achieve a similar goal in two separate tools, we will need to learn two separate tool-specific workflows.

Digital forensics examiners often work against high caseloads within constrained time frames and budgets, but even in the face of these challenges, gaining more knowledge should always be a part of “business as usual.”

How can we promote better breadth and depth of knowledge?

Agencies and enterprises will get better results by investing not only in tools, but people. Whether taking advantage of free technical webinars or free tool training, successful technologists never stop learning. For example, Oxygen Forensics supports professionalism through people, partners, and products. Our courses and webinars educate and stimulate professionals to do their best work with our tools and find the sweet spot of their digital forensic knowledge. Full access to on-demand education in our Learning Management System is included in our software maintenance and support package, which can free up budgets for additional fundamental or advanced tool agnostic training.

Understanding the underlying technologies and processes will only make us better forensic examiners. Even seemingly disparate areas of knowledge can come together to solve problems or at least give us an idea of what is possible.

Interested in learning more about what Oxygen Forensics has to offer?

Contact one of our digital experts to learn more about our product offerings.