> -----Original Message-----
> From: tclug-list-bounces at mn-linux.org
> [mailto:tclug-list-bounces at mn-linux.org]On Behalf Of Eric Schultz
> Sent: Thursday, December 16, 2010 1:50 PM
>
> .... I emailed with Barry about this very subject, as I wanted
> to work with the BCA doing Law Enforcs forensic tools, but I
> agree with Chuck, the level of skill shouldn't be for the laymen,
> but expert...it's not forensics if you smash and break what you
> are looking at.

I did NOT mean "expert" in any sense of book learning, but from a more hands-on and detailed level of working with the hardware, sectoring schemes, track "seek" schemes, and so on, usually in hex representations.

Quite a bit of graduate degree technical background is needed to actually understand and "do" PRML encoding and the various kinds of encryption, BUT forensics is typically dealing with KNOWN PRODUCTION MODELS AND SYSTEMS, so it's more a "fixit" approach using "canned algorithms" in software tools than one of "doing the math".

Much of the work is at detailed levels of looking at and searching for hex patterns of encrypted track and sector info that has been scrambled (fragmented) by the normal chaos of allocation management that has probably gone astray and/or become corrupted. Much of the problem is to reconstruct a collection of scattered sectors from assorted tracks that comprise a data record that is encrypted itself.

For me, this is unbelievably detailed and boring, but for some it's a delight of abstract puzzle play. My interests are all over the HW/SW map and include graduate levels in several disciplines. I prefer to develop the schemes and messes that forensic guys may try to unravel :-)

My point is ONLY "different strokes for different folks"!

Knowledge of Linux seems to me like becoming an expert in making wooden pencils in order to become a writer: Linux is a tool that may be useful, but a ball-point pen or word processor might be just as useful for writing that forensics book... i.e., for "doing" drive forensics that Kroll Ontrack is best known for. Being a test helper or manufacturing helper at Seagate who wears a clean room "bunny suit" may be more direct experience for Kroll Ontrack work.

Forensics at data levels in systems that work perfectly is a different matter and I think THAT requires LOTS of both book learning and experience that is mostly hardware-independent.

Chuck