Sunday, 21 October 2012

Thoughts on Intern Monkeys

I apologise for the long break between posts. I've been doing some renovation work and my well of ideas seems to have run dry. In an attempt to kickstart some creativeness, I recently contacted some people to volunteer my limited testing services. Even though I didn't end up testing much, one of the parties (lets call them an "Anonymous Benefactor") offered me an unpaid remote internship. It has the potential to help both of us - I get some actual hands-on experience and they get a (hopefully timesaving) research monkey.
So this got me to thinking that a post on internship issues could prove useful to my fellow noobs and/or a prospective employer who is considering taking an intern on.

Both parties should agree on what tasks the intern is expected to do before they commence. For example, the intern will conduct supervised forensic exams on cases, or subsets of data provided by a senior examiner. This may include ongoing cases, past cases, or simulated cases. Analysis may include, but is not limited to Windows registry files, Internet History, keyword searches, timeline construction, data carving and data recovery. Other duties may include report review and writing, research and testing, and script/programming development.

Position Details / Terms and Conditions of Internship
Some other issues which could be addressed include:
Timeframe: List the Start and End date (if applicable/known).
Working Hours: Is the internship part-time/full-time? It might be helpful to list the maximum number of hours per week expected. Time zone differences should also be taken into account for remote internships.
Location: Can the duties can be performed remotely (ie via Internet) or is the intern required on site/to travel.
Scheduling: Agree on how work is assigned, what to do if a deadline is unachievable etc.
Spell out if it's an Unpaid Internship and if there is (not) a promise of future employment.
Termination: State the agreed period of notice, if both parties can terminate and what happens to any relevant data/hardware/software after termination (eg gets returned/wiped).
Liability: State who is legally responsible for the intern's work. For example, the intern's work will be verified/reviewed before being used in a report. Any liability then remains with the employer.
Travel costs: Obviously this is more of an issue with remote internships. Should the intern be required to travel / testify in court, both parties should agree beforehand on who will pay for reasonable travel costs.
Equipment: Both parties should agree on what hardware/software will be provided by the intern and what hardware/software will be supplied by the employer. Also, what happens to data/software/hardware upon the ending of the internship. One potential requirement which might surprise a new intern is that analysis computer(s) must not be connected to the Internet whilst the Intern is working with client data. Separate PCs and/or use of Virtual Machines could assist with this requirement.
Software Authorship: If the intern writes a script/program during the internship, do they own it? Or does the employer?
Blogging: If the intern wishes to blog about something they learned/observed, is it OK? Employers should be given the chance to review/approve any content which could potentially disclose confidential information.
Additional work for 3rd parties: Can the intern perform tasks for other parties (eg beta testing)? The employer might want final say just in case the 3rd party is a potential competitor.

Obviously, the employer is trusting the intern not to disclose sensitive data but if Johnny/Janet Law comes knocking, the intern should be aware that they are obligated to obey any lawful orders. Some orders may even prohibit the intern from notifying their employer.
As an example of a confidentiality clause -  the intern is not to disclose any confidential information (eg client data, employers business data) unless with the employers consent or as required by the law.

Non compete
Address any restrictions on who the intern can work for after their internship ends. This could prove difficult to agree on because the intern will likely be interested in any/all potential offers. Limiting the intern's knowledge of the employer's business practices (eg client list, pricing list) could be one strategy to reduce an intern's ability to "compete" in the future. A remote internship is also less likely to result in the need for a non-compete agreement.

Applicable Labour Laws
This will vary from each state/country. I am not a lawyer so please don't rely on this monkey's ramblings - seek your own legal advice! Some things you may need to consider - term limits, start/end dates, which party is benefiting more (it should probably be the intern).
In general, I think most governments realise that unpaid internships are a good thing (especially in the current economy). As long as everyone agrees to what is expected of them, then there should be no need for lawyers. To minimise any surprises, spell out as much as you think relevant in any internship agreement. It may take a little longer to get started, but it really should be worth the effort.

Final Thoughts
As an intern, my attitude should be to learn as much as possible and to protect the employer's interests. The employer is doing me a favour, so I should treat them accordingly. By addressing the above issues before the internship starts, both parties can then focus on the forensic work at hand.
If you have any questions/thoughts, please leave a comment. Just note my "Anonymous Benefactor" is not seeking any other interns at this time. So please don't ask for their contact details!
I'd like to finish off by thanking a few forensic friends for sharing their valuable thoughts about internships - Mari DeGrazia, Syd Pleno and Carl House.
Hopefully, I will be able post something new and more forensically interesting soon ...


  1. Like it a lot Monkey! I'm looking to do an internship in my office to further my knowledge - what sort of expectations of DF knowledge would you have of an intern? None at all, but ready to learn, or some knowledge/experience of in-house tools? I just wonder if someone who has to be hand-held through the first few weeks of working could be seen as a liability rather than an asset...

    I think a lot of interns will be set to imaging, triage,or perhaps QAing reports? I'd be interested to hear from places that had run successful internships to see what they had them doing. I suppose there's always tea to be made...

    1. Hi John,

      Hmm ... I think the more hands on experience you have beforehand, the more likely you will:
      1. get the internship
      2. learn more interesting stuff

      For example, knowing how to mount an image in SIFT or how to use RegRipper. These don't have to be difficult/complex tasks but by learning it yourself beforehand you are also showing your enthusiasm. I don't think it matters if you're not using the exact same tools that your office uses (eg commercial tools) - understanding the general concepts/steps should be the objective.

      If you also blog about your research, it kinda documents your progress as well. Makes it easy to say "See my blog for proof I want to do this professionally".

      Also, start reading now. There's heaps of books on DFIR. "Digital Forensics with Open Source Tools" is a good starting point. You can create your own VM (or use SIFT) and follow along with the book.

      For me, doing the M57 Jean practice investigation was a good first step. It allowed me to progress at my own rate and take detours into areas which I hadn't initially thought of.
      It also showed me how much learning a scripting language (eg Perl, Python) can help automate mundane search tasks.

      Hope this helps and thanks for reading,



    2. Ooops! Sorry John, I just realised you've done all the stuff I was crapping on about. eg blog & reading books.
      My attention to detail doesn't look too good here eh?
      Congrats on the Masters BTW :)

      Anyway, I'll leave my original reply up in case someone else might find it handy.
      But I do agree with you - it would be interesting to hear some comments from an employers perspective ...