dfir blog

All about dfir.

The #1 Tip to Solve your DFIR Case Problem

The #1 Tip to Solve your DFIR Case Problem

Have someone else take a look at it.

That’s the best tip you can do for any problem that you cannot solve; have another set of eyes take a look.  I personally know investigators (in LE, or DFIR, or LE DFIR) who refuse to ask for help because, as I am told, they can do it better than anyone else.

This reasoning is understandable, especially if you are highly skilled and have massive experience.  Why would any highly skilled DFIRer ask help from a junior examiner?  Seriously.  If the expert can’t figure it out, how can a lowly, low-skilled, less-experienced person figure it out?

The answer is that it is not the skill or experience level that can solve your problem. It is the simple act of looking at your problem from a different point of view.  I have seen complex criminal investigations, including a murder case, that was solved simply because someone looked at the case and asked a simple question that made everything come together.

Sometimes, we need help because we just forgot to look somewhere for some artifact that we overlooked.  Or maybe we see it, but don’t recognize it.  The answer may be right in front of your nose but it takes someone else to point it out.

Asking for another set of eyes does not mean you admit defeat, that you are incompetent, or that anyone else is ‘better’ than you. It means you are thorough. It means you are good.  Most likely, you do this anyway, but not by asking for someone else to look at the problem, but by stepping back for a time and coming back later to look at it.  Giving your eyes a break (physically and mentally) can solve 90% of anything you come across.  I am talking about that 10% of the time where no matter how much effort you expend, you are not going to find the solution.  You need to ask.

Don’t think this works? Then you have never tried it.  Cold cases are solved with this same concept.  When a case is given to someone else, many times it is closed quickly solely because a different perspective took a look at it.

Want to be the best?  Want to be known as someone who can work a case?  All you gotta do is to remember to ask for help and borrow someone’s eyes.   That’s the number 1 tip.

98 Hits

3 Animalistic Tips to Bust Open Your DFIR Job.

3 Animalistic Tips to Bust Open Your DFIR Job.

1. Be the Bloodhound.

The Bloodhound has the best nose to find anything.  A DFIR’er should be like the Bloodhound, in that if the evidence exists, you can find it.

Evidence: Where is it?

Tools: Where can I find the tools?

Training: Where is the training?

2. Think like the Squirrel.

Squirrels may look cute and innocent, but they are always thinking, planning, and being deceptive in what they do.  The better DFIR’ers are constantly thinking, planning, and being a step ahead of every obstacle that comes up.

Training: Which training do I need? Which training fits me best to learn?

Evidence: What constitutes evidence in a specific analysis?

Analysis: What does the data mean?  How do I interpret it? What are the connections?

Investigative:  What is the adversary thinking? What was the adversary’s plan?

Reporting: How do I accurately and concisely get the point across to someone else?

3.Work like the Honey Badger

The best DFIR’ers don’t give up.  They dig and dig and dig until they get what they need to solve a problem or solve a case.  The only time they might give up is when forcibly taken off a case and put onto another. Otherwise, once they have been given a mission, it is followed through until completion.

Tenacity: What will it take to overcome every obstacle in this field, this case, or this one problem.


Some lucky DFIR’ers instinctly have all of these traits.  Others have some or maybe only one of these traits.  All DFIR’ers can learn and employ all of the traits if effort is applied and time is carved out is made. 

Do you want to know the secret to getting this?

The secret is that there is no secret.  The way the most famous or most competent DFIR person does it is no different than the high school student learning how to do it.  For example, read a book on the subject. Watch a video.  Take a class.  Practice on your personal device.  Search and experiment with different tools.  Really. That’s it.  No one has special access to special tools.  Everyone has access to the same thing, however, it is what you do with what you find that makes the difference.

Take a forensic artifact of your choice as an example.  It may not take extreme skill to find an artifact using any selection of a forensic tool.  But, it takes the 1,2, and 3 tips to use a forensic tool artistically, scientifically, and even experimentally to exploit the artifact to get what you need in a case. 

Never sit idle.

The day you think you know it all or know enough is the first day your competence will degrade.  Period.  As an example, if you did nothing to improve upon your job today, your skill and knowledge degraded.  BUT, if you did just one thing, such as watching David Cowen’s forensic lunch, you would have learned (if you didn’t already know):

And this knowledge takes less than an hour of time with virtually no physical effort other than focusing on the discussion and taking notes when you hear something to follow up on later.  Do something every day, whether it  takes 5 minutes or an hour.

If you happen to be naturally inclined for DFIR work, congrats.  I’m a bit jealous, but certainly not in the least bit discouraged, because I am the Bloodhound, I  think like the Squirrel, and I work like a mission-focused Honey Badger.  You can do the same, and maybe even better :)


434 Hits

3 Steps to be a DFIR Superhero

3 Steps to be a DFIR Superhero

  • Know your job
  • Know your tools
  • Know what your client wants

If you can do steps 1-3, you can be a DFIR superhero.   It may look easy, and it is, sort of. 

  • Knowing your job is simply knowing what to do in a given situation. Clock in on time.  Fill out paperwork correctly.  Keep the ship afloat on a day-to-day basis.

There are days that DFIR work is mundane.  Actually, many days are mundane.  Whether you are looking at an image of an employee workstation or trying to keep the network safe from attacks, most days are routine and mundane.  The occasional emergency is something different and if your company is full of emergencies, that’s another story.  If you can show up to work, take a lunch break, and leave on time, then you are probably handling the job tasks fine.

  • Knowing your tools goes beyond using the tools you have always used. This also means keep up with the new tools that come out that might be better than the tools you have been using

Seriously.  If you have been with so-and-so DFIR tool since version .0001 when it was on a floppy disk, you may want to revisit the tools that have been developed since 1997…  There now more tools that can do more things compared to the 1990s.  Know your tools!  Keep up with the new tools!

  • Know what your client wants is the hardest. Your client can be your boss or a third party that hires you.  You know what your clients need.  Your clients may not know what they need, but they certainly know what they want.  Knowing how to navigate between a client’s wants and needs takes skill.

When your client ‘wants’ you to image every single computer on their network for forensic analysis to find the employee stealing data but you know that the client actually needs a lot less, you will find yourself in the world of want vs need.  If you are really good, you can pull your client into the ‘need’ and out of the ‘want’ without any issues while receiving a job-well-done by your client.  If you have no tact, the outcome will either your client being unhappy because you did what was ‘needed’ and not ‘wanted’ or you feel like you did a poor job by doing what was ‘wanted’ but that which was ‘needed’.  Luck is when the wants and needs are the same.  I’m waiting for that day myself…

169 Hits

Dead-box forensics is not dead

Spirited debates can be draining

I use the acronym “DFIR” as loosely as everyone else does.  I know exactly what it refers to, both “digital forensics” and “incident response”, but that it also implicitly refers to “ethical hacking”, “infosec”, and other related disciplines.   I don’t see any way someone can misuse “DFIR” when speaking generically.  Of course, when you get down to the nitty gritty, specifics matter.  But I'm not talking about specifics here.  I'm talking about a near all-out-craz-out by an "IR" guy..

Not that I like debates, arguing, confrontations, or disagreements, but good grief…I sometimes find myself dodging arrows and darts.   As a recent example, right before leaving a conference (within the last two months…just to muddy the number of conferences to avoid guessing which one), in passing, I mentioned “digital forensics” to an “incident response” person that ended up with me being told that those in “digital forensics” are dinosaurs heading to the graveyard if they don’t do “incident response”.   The guy went down the path that ‘dead box forensics is dead’ and that no one should focus on dead box forensics and if you do, you'll be out of business in a year.

All I responded with was that someone has to do dead-box forensics, some cases are solely dead-box forensics, and even incident response deals with dead-box forensics.  If no one does dead-box forensics, then what?  I also agreed that anyone doing dead-box forensics needs to expand their repertoire a bit, not because dead-box forensics is useless, but that getting outside that box will lead to more evidence (via clues) inside the box.

I am giving the guy a break in that maybe he drank too much the night before, didn’t get any sleep, or maybe is getting audited by the IRS. Whatever the reason, the fever he had that having “DR” as part of the “DFIR” acronym is sacrilegious and dead-box forensics folks are incompetent in the field just reminded me of how many Type A personalities we have in DFIR.  To the credit of Type A personalities, that is kind of what is needed in this field to begin with, but it’s a double-edged sword when two Type As work together or even sit together in a conference..

My points are;

There's nothing wrong with the term “DFIR.  Dude, we work in the same field. It’s not combat against each other.

Dead-box forensics is not dead.  Many cases come down to a hard drive.  It’ll be around for a long time.  If you just do dead-boxes, be sure you can dive deep.


By the way, DFIR doesn't always mean "DFIR"...





628 Hits

Don’t be that DFIRer.

When you have a cup of coffee with your co-worker, peer, boss, subordinate, or opposing expert, don’t be the expert who didn’t read the latest and greatest finding posted yesterday or today by someone in your field.  Seriously.  I’ve seen this happen.  One person knows the newest discovery in forensics and the other guy doesn’t.  Don’t be that DFIRer. Keep up on the blogs!

DFIR.training has an extensive listing of RSS feeds for blogs and podcasts, separated by category.  This list does not include every single (or even the majority) of available blogs on the Internet.  There are several reasons RSS feeds are not listed on the front page:

#1 – No date on the blog posts.  Is the information from 1999 or 2017? Who knows??

#2 – Inactive.  If the most recent post is over a year old, is the information still relevant today?

#3 – Selling their product every other post? I don’t want to read that blog.

#4 -  Hard to find RSS feed on the blog? If I can’t find it, and my reader can’t find it, I’m not reading it.

#5 – Difficult to read website? Lots of flashy colors and crazy fonts? Not for me.

#6 – Need an invite to view the blog?  Forget that.

I also do not put the “Paper Li” feeds on dfir.training.  The Paper.Li set up just doesn’t do it for me at all.

During my search for blogs and podcasts for the dfir.training website, I kept coming up with blogs so old that the information can’t be relevant today.  Surely, if a blog’s last post covered Windows XP, then not much will be of value today. Too much has been researched and written since 2007 (or 2015 for that matter)

Other blogs found by Google no longer exist, which is natural since no blog lasts forever.  But, some of my favorite blogs from long past are in that group. I miss those blogs….


This is what you get for blogs at dfir.training:

The front page lists the most recent posts in categories of DFIR, Podcasts, eDiscovery, Security, and Hacking.  If you are like me and check on a dozen or more blogs from the most active DFIR bloggers and podcasters, you get frustrated when you don’t see anything new from the day before because you spent time clicking and looking for dates/titles.  HOWEVER, on the front page of dfir.training, you’ll see listed, by date,title, and blog name, and in order of most recent updates, from top to bottom.  You won’t find posts updated a month prior, because the intent to keep the very newest posts listed on the front page.  That is what we need; the most current information, listed right in front of our face. 

You can see the list of RSS feeds on this site here: Blogs 

Keep in mind that some of the listed feeds and blogs may not be getting updated by the respective author.  For those, they are not going to show on the front page of the website.  The front page is where you go to make sure you don't miss something important.  In 2 minutes, you can check if anything happened in the DFIR blogosphere that pertains to your job. To stay up to date, follow these three easy steps:

1) Boot you computer.  

2) Run your browser.  

3) Make the homepage dfir.training


Tip: If you write a blog and I have it on the list, the more you write, the more you are on the front page.  Want to be top of the list? Post often.

522 Hits

‘Yes’ means ‘yes’. But ‘no’ could mean 'maybe' or 'maybe not', but 'no' never means 'never'.

A recent forensic course I attended gave me a little bit of high blood pressure, which was my own fault.  I try to only take courses where I know I don’t know the content, but should learn it.  Sometimes it turns out that I should have asked to teach the course rather than take it (or pay for it).

In the last course I took, the instructor presented on USB devices and finding artifacts of use.  Easy enough, good refresher, learned a thing or two on how to do something a little differently.  Fair enough.

The issue I had was when the instructor said if there is no record (artifact) of the USB device by name or serial number, then that USB has not been connected to the system.

Now…I come across this often.  The client, always an attorney, asks a simple question in many  of my cases:

While holding a USB flash drive, asks me “Can you tell me affirmatively if this USB has ever been plugged into that laptop?” while pointing to a laptop on the desk.  The answer will be:

Yes, or maybe, or maybe not.

I tried to relay to the instructor during a break that it is most always impossible to prove a negative without some other information outside the hard drive.  I gave about a half dozen examples besides of forensics.  Simple things that can’t be proven.  Still, his point was that if a system has no record of a specific device being plugged in, then the answer is an affirmative ‘no’.  Reformatted drives, reinstalled OSs, swapped hard drives, data wiping, booting to a CD/USB, and registry cleaning did not change his mind.

I would have let it go had it not been for some new DFIRrs in the room.  Teaching new DFIRers incorrect information will only come back hard later.  Can you imagine defending your position on the stand saying that without a doubt, no question about it, but this USB device was never plugged into the defendant’s computer, based only a forensic analysis of the hard drive?  You just can’t do it.

Of course, it is easy to say “yes” when you find the artifacts in the system.  If the registry shows evidence that same make, model, and serial number of the USB device exists on the machine, then of course, it was connected at one time (at least once).  But to say that something never happened is a risky path to take.

The point being, and the point I made in the class, was that it is best to never say never, because you really don’t know what happened when there is a lack of data.  It’s like asking if we can prove a tidal wave ever washed across Kansas during the last million years.  Maybe it did.  Maybe it didn’t.

I admit that some negatives are possible to prove, but these are beyond the scope of what is reasonable when solely looking at data on a hard drive. 

Points to drive home:

1)  If you can’t prove it in the AFFIRMATIVE, that does not necessarily make it a NEGATIVE.

2)  If a student in the class you are taking seems to have an answer that is different than the instructor, consider both answers and test to see which is right.  They can both be wrong, both be right, or one can be right.  TEST IT YOURSELF!

ps. Yes, before taking this course, I did due diligence to make sure I was spending my money and time wisely.  Unfortunately, I should have stayed in the hotel room and watched HBO.




281 Hits

So…who are you voting for?

I have submitted nominations and voted every year for the Forensic 4:cast awards.  Although it may seem like a popularity contest, it actually is a popularity contest.  The more ‘popular’ someone or something is, the more votes that person or thing gets.

For those who (1) do not really know what to vote for, or (2) want to do as little research/thinking as possible, but still want to vote, here are my top contenders in this year’s Forensic 4:cast awards.  I have nominated every category.  I am only listing two for each, but at least you have an idea of what to look for when you decide to vote.

What is your nomination for Open Source Forensic Software of the Year?

Bulk Extractor http://www.forensicswiki.org/wiki/Bulk_extractor

Recall  http://www.rekall-forensic.com

What is your nomination for Digital Forensic Blog of the Year?

This Week in 4n6 https://thisweekin4n6.com/

Malware Jake https://malwarejake.blogspot.com

What is your nomination for Phone Forensic Hardware of the Year?

UFED Touch.

There is no second in my opinion…

What is your nomination for Computer Forensic Software of the Year?

X-Ways Forensics.  http://www.x-ways.net

Carbon Virtual Forensics Suite https://sumuri.com/software/carbon/

What is your nomination for Digital Forensic Book of the Year?

Windows Registry Forensics (Harlan Carvey) https://www.amazon.com/Windows-Registry-Forensics-Second-Advanced/dp/012803291X/ref=pd_sbs_14_t_0?_encoding=UTF8&psc=1&refRID=0KDHTZXWWMH0FQ29M90P

Hiding Behind the Keyboard (Brett Shavers) https://www.amazon.com/Hiding-Behind-Keyboard-Uncovering-Communication/dp/0128033401

What is your nomination for Computer Forensic Hardware of the Year?

Velocity T1000 Workstation  http://www.tritechdf.com/velocity-t1000-df-workstations.html   

Forensic Duplicator https://www.digitalintelligence.com/products/forensic_duplicator/

What is your nomination for Phone Forensic Software of the Year?

UFED http://www.cellebrite.com/Mobile-Forensics/Solutions?gclid=CJCKhfnH5tECFUlNfgodhCoEMA

MobileEdit http://www.mobiledit.com/forensic-solutions/

What is your nomination for Digital Forensic Organization of the Year?

http://www.Dfir.training  (of course!)


Who is your nomination for Digital Forensic Investigator of the Year?

David Cowen https://twitter.com/HECFBlog

Heather Mahalik https://twitter.com/HeatherMahalik

The main point of this is to get you to vote.  Fill in the online form, and hit SUBMIT.  Help get your favorite category to be nominated.  And seriously, it takes 3 minutes of your time.  Don't feel obligated to vote for any of the two I selected.  These are just starting points for you to consider and think about other choices. I will say that I have nominated one of the above in each category and believe any choice listed is well worthy of a nomination.  The order I typed them does not indicate the choice I made.  If I spent more time on this, I could easily picked another 10 choices for each category because some categories have many great choices out there.

Most importantly, if you are only going to vote in one category, make it……

What is your nomination for Digital Forensic Organization of the Year?

http://www.Dfir.training  (of course!)



459 Hits

One skill every DFIR practitioner must have…..

If there is one skill that every analyst should have, it is the ability to solve problems.  Sounds easy if you are the kind of person that solves problems.  As a matter of fact, if you are the kind of person that comes across a problem, works on it, figures it out, and solves it, you probably have no concept of how other people can’t do it.

When I say “problems”, I don’t mean solving world problems of air pollution, famine, or wars. I’m talking about the little things like;

-an evidence hard drive is not seen by the operating system

-having to image 25 computers before lunchtime…while taking client calls

-getting a DFIR dongle recognized in a virtual machine for analysis

-booting a forensic image

-decrypting an encrypted image (and you have the decryption key!)

-imaging a hard drive without a hardware write blocker 

-where is the 'create forensic image' button on software X?

-and the other little things we deal with every day

Few things bothered me more than a junior analyst (or even a supposedly senior analyst) calling me to tell me that “Windows doesn’t see the evidence drive” or asking “how do I copy files from a live system” or “I can’t get software X to run” or on and on. 

If you are the type of person that comes across a “what the heck?” and then starts to figure it out, Googling for an answer, testing solutions, reading the manual, checking the software forum for similar problems, and lastly, asking someone for the answer, then you are doing pretty good.  However, if you come across a problem and the first thing you do is ask someone for the answer, you just made it onto the “I can’t solve problems by myself” list.

If this is you, here is some really bad news.  If you continually have to ask how to do something and you don't try to figure it out and learn how to do it first, you may be seen as either lazy or incompetent.  There really isn't any other excuse or perception.  Incompetent doesn't mean stupid.  It means you either don't have what it takes to do the job or don't want to put forth the effort to learn. Lazy is just plain lazy.  

This is not to say that I don’t believe in asking for an answer. I am saying that before it gets to the point that you have to ask, figure it out yourself.  Be the analyst that when you call someone for help, they know you tried everything and that you must have a serious issue to figure out.  Managers do not like these non-problem solving workers.   Having two or three of these employees in different locations calling you at the same time for problems they should be able to solve wastes your time, the client’s time, and the employees don’t learn how to solve their own problems.

This is one of the reasons I built dfir.training.  It was for myself to find answers when I needed information.  Rather than ask someone (over and over again), I limit my questions to those times when I really need help.  If I call for help, that means I am in trouble; that I tried absolutely everything; and yes, I Googled the heck out of it too.  I may have missed an easy solution, but it was not for lack of trying to figure it out.

EXCEPTIONS: Yes, there are exceptions.  If it is an extremely time sensitive matter and the analyst can’t figure it out in a timely fashion, either I will give the answer or jump in to do it myself to get the job done.  That is not my preference as I would rather the analyst figure it out and learn. 


TIP: If you are new to the field and come across something you haven’t seen before (which will be everyday for your career) Stop, Think, and Figure It Out before asking for help.  You will learn faster, you will learn better, you will become a better analyst for it.  And your boss will be happy with your effort to learn on your own before giving up and asking for help.

522 Hits

e-evidence.info was one of my favorite DFIR blogs


I looked forward to every update.  At the time, few DFIR sites existed that compiled the things I wanted to read.  e-evidence.info was one of those sites.  Primarily, I was hoping to see a just-published-white-paper on some topic of interest because again, there just wasn’t that many sites aggregating information like e-evidence.info did.  Sadly, the site went away and unfortunately, it left with an embarrassing reputation of copyright accusations, name-calling, and legal threats.  I really did miss that site after it was gone…


But the good news is that since then, MANY sites with DFIR resources have been created and those that were just starting have become my staple diet of information. Forensic Focus being the only public forum I use (other than all of the commercial forums and association forums to which I belong).

In fact, there are resources specific to mobile device forensics, network forensics, Internet forensics, and anything else you could ever need sprouting up all the time.  Again, some sadly fade away or just abruptly disappear.   The disappearing part has always frustrated me a little because just when I get used to a DFIR resource site, somehow it seems to go away or never get updated (and then goes offline).

After about a decade of this…..I figured I may as well do a DFIR resource website for myself, the way I like it, with what I want on it, and pay the bill to keep it going without worrying that it will suddenly disappear.  That was the start of www.dfir.training.

I use my own site every day, not just to maintain it, but to get information from it.  The homepage is a simple RSS feed of the most active blogs that I have bookmarked in the past.  Now, rather than clicking a hundred bookmarks to check if a blog has been updated, I go to one page to scan for the latest updated blogs.  The DFIR tool database is where I go for my software management and ideas.  I have not used every DFIR tool in the database.  I do not recommend any or every tool in the database.  But I also do not have a need to use every single tool.  I realize that others might, so I listed as many as I could and keep adding when I come across new tools, or tools new to me, or submitted to me to add.  It would be a bit unrealistic of me to only put the tools I have used while ignoring tools that probably will work for someone.  The really neat thing about the database is that if you create a user account on the website, you can favorite your tools and have a list maintained for you.  So, rather than Googling for the URL to a tool you use to check for updates, go to your dfir.training tool page and they are all listed for you.   Easy peasy.

The other things on the site are certainly valuable for anyone looking for more DFIR information.  There are #DFIR:

Software & Hardware



Training courses (on demand, classroom, and live online)



Blog list


Forms, templates, and example affidavits/search warrants/court orders


I do weed out material that is clearly substandard.  To put absolutely everything on the site would require an employee that does nothing but Google “dfir” all day long only to aggregate useless information intermingled with the good info.

The site is coming up on 6 months (or 7?) and has over 400,000 unique visits (average of about 2,000 unique visits every day).  I don't see the traffic slowing down ever.

As for as more content, more is coming.  As to the type of content coming, you’ll see it soon.  If you don’t see what you would like to see, send me an email to suggest it (use the form on the site).  I'll probably be taking on an extra hand to help add the content, but I'll see how that goes.  As for one thing I'm not putting on the site, is a forum.  Forensic Focus has the best forum, hands-down, and is the first place I go to ask or answer questions.  I hope that Forensic Focus keeps the forum going...at least until I retire completely from the DFIR world.


As for any other DFIR compilation websites….I say the more the merrier because I can use as many reference sites as possible to help me do my job J

235 Hits

Just because you can doesn't mean you can.

I had a unique discussion with a potentially budding DFIR newbie.  I say “budding” because his technical potential is out-of-this-world with the only holdup being getting across the point of the “F” part of DFIR.  The entire discussion revolved around the point of just because you can (physically) do it doesn’t mean you can (legally) do it.

The simplest difference between hacking and forensics is, well…the legality of it.  If the law gives you authority to do something, you can do it.  Otherwise, don’t touch it.  No matter the situation, it all comes down to having the legal authority to do what you want to do.   Legal authority can be a search warrant (or any court order) or consent of the owner (a business, person, or government).  Yes, there are a few other reasons to legal granting of authority, but generally, these are the big two doors of entry for DFIR folks to do what they need to do.


I believe that when examiners can see what they can and cannot do, then accept it, working in DFIR becomes a little easier.  The way I have always seen it is that some things may never be possible, either technically, physically, or legally.  For those situations, fuhgeddaboudit.  Just follow the chart above and all is well.  No need about worrying about lawsuits or having your door kicked in at 6 in the morning. For those in the DFIR world long enough, you will, or have, come across lawyers who also don't like restrictions.  The lawyer may ask to do something you KNOW is not authorized and in which case, you say, "go get legal authority".  In my experience, no matter what someone promises for your protection in case something goes wrong, if there isn't some sort of written document giving legal access, there is no protection.  Lawyers will throw you to the wolves as if you were a rogue DFIR guy if anything goes wrong after agreeing to do something not legal.  I have heard lawyers even say that they can 'argue the facts in court' later to justify what they want done now.  

By the way, there isn't any space between LEGAL and ILLEGAL.  There is no grey area, no room for error, no room for personal opinions or judgment.  The work you do in DFIR is either LEGAL or ILLEGAL.  Few other jobs exist where the worker walks the line of inadvertently committing multiple felonies in the course of a normal workday than in DFIR.  When you get in that spot, regardless of how big the retainer is, no amount of money will make up for loss of credibility, loss of reputation, criminal indictments, conviction, or incarceration. 

Ps. It is so difficult to tell someone who has technical skills from another planet that something is “technically impossible”, until you explain that money and time is not unlimited.  Clients will generally not agree to spend until bankruptcy on something that is impractical (in effect, impossible) to accomplish.  Even government agencies will not generally try something that is practically impossible  due to resources unless the case is so extreme that you have to keep trying until the wheels fall off.


191 Hits

Colleges and DFIR Programs

There was a time when only one digital (computer) forensics book was available, that is, a book solely written on forensics and not as part of an IT book.

There was a time when higher education did not provide any digital forensics degrees or programs, other than computer security.

There was a time when the only people trained to do forensics were typically former law enforcement.

There was a time when only a few websites existed that provided resources for forensics.

That time is gone.

The good news that we have more resources to draw upon for training, education, and reference, the better off we are to learn.  The bad news is that finding the golden nugget of good information has become a lot harder.

I updated the college/university listing of digital forensics programs today.  Between the time I started this list last year, I found twice as many college level programs than I did the first time.  Some of the programs I had listed have been closed for good. One college even shut its doors...as in, the school closed down.  But overall, there has been an increase of such magnitude that it is practically impossible to list every program available.  If you are looking for a DF college course, there is one in your community already. 

It seems that just about every community college, university, and higher education campus of any design offers some sort of “digital forensics” certificate, honors program, minor, or major in varying degree levels up to PhD.  The dilution of higher education only makes it difficult for hiring managers to gauge the value of a school they may have never heard of before.  Taking a look at the updated list, I see more than a dozen schools that could have opened their doors a century ago or last week and I would not have known the difference.  

I found some colleges touting how much money their potential students can earn with a degree from their college, with small print disclaimers on the same page.  I found digital forensics programs in college departments that make little sense to me, such as having a cyber security program in the social studies department. Really?    Some programs offer a “honors” or “minor” for taking less than a handful of very general and broad cyber/forensic topics.  I even had to change the program name on some colleges because the colleges apparently wanted a sexier sounding name for the same program I listed last year.  

As to content, the requirements of some programs do not even seem to focus on forensics at all.  I understand knowing theory is important, but if a student doesn't even know how to connect an eSATA drive to a computer with a write blocker, what good is that diploma?

Anyway, I stopped adding college programs once the list reached a tad bit over 100 different colleges.  Browsing Google hits, I found probably 100 more programs that I could have added.  I also suspect that within a year, 25% of these programs will be gone with a different 25% started at different colleges.  Consider this list as an example of what is actually out there.  I'll go through it again and again to add and subtract, but there is no way that a complete list of colleges can be made.  I suspect that even Google will have a hard time keeping up with colleges as they open and close programs.

Seriously, if you are looking for a forensic program to take in a classroom, check your local college because they certainly have a program.  Better yet, take an online course from a really good school. It’s easier to make class and have a better name brand on a piece of paper you get when you finish.

Find out who your instructor/professor is going to be as well BEFORE writing your check (of entering your credit card information).  Depending on what you want to learn, it may better to learn from someone who has done it rather than from someone that has only read about it or someone who has only written about it without having actually done it.  

200 Hits

DFIR tools.  Get them while you can.

If you have been doing forensics/IR for more than a day, then I know you are always scanning for the latest and greatest tools.  I also know that you have a repository of ‘older’ tools that may have (1) been discontinued, or (2) are no longer updated, or (3) simply not found online anymore.  But, some of these tools still do exactly what you need and may not need to be updated for what it does.

That is the crux of this post.  When you find a DFIR tool that works, I highly suggest that you download it and archive it because one day, it may not exist anymore, even if it works and is still relevant. 

I bring this up because I have been in that boat of clicking a bookmarked download link to an open source tool only to find that it has vanished…for some tools, that is best if they are unreliable or no longer relevant.  But there are some that are still useful tools but just abandoned by their owner.

So, on day 2 of my DFIR career, when I have found a useful tool, I not only downloaded and used it (after testing), but also archived it and backed up the archive on a backed-up archive, just to be safe.  This includes hash sets too.  If it is online and I needed it, I saved it because the last thing I want to say is..


For the tools you see listed at dfir.training, if it is a freeware or open source tool and you like it, grab it.  And when it is updated, grab the updated versions too, because one day, it may be gone.  I say that because since the start of dfir.training, several tools (and a hashset) have disappeared.  Commercial tools sometimes fall into this as well.  Sometimes a developer will close up shop and call it quits (or retirement).  Others will allow their tools to be downloaded freely until they don't.  One example is the Maresware set of tools.  Dan Mares gives his previously commercial tools away for free at http://dmares.com/.  Yes, they are command line. Yes, they are from 2008.  But yes, some of them are still useful.  But I bet you already have these backed up on a backup, just in case, right? 

524 Hits

Share your stuff!

If there is one thing I know about DFIR folks…it’s that they are not shy.  Most are quite the opposite to the point of being rude (to clarify, I mean ‘bluntly honest’) when you have a conversation with one.

Part of the shyness includes not sharing information, not speaking out to let a peer that s/he is wrong or could do better, or to even tout their own findings and tools.  Of all the things to deal with, we should not be doing ourselves a disfavor by not sharing.

Point in case, while listening in to the Forensic Lunch today, one of the most revered DFIR practitioners in the current community said he was timid in posting his tools to dfir.training.  More accurately, he said that he was waiting for someone else to post his tools.


This message goes out to everyone, not just those who write tools.



If you write tools and want people to use them, you gotta let people know. I promise you, that if you upload to your website and that’s it, few will ever use it for the simple fact that they have no idea it exists.  This includes your white papers/reviews/powerpoints/PDFs/etc… If you want others to read it and comment on it, then let them know about so they can find it.

With that, submit your tools to dfir.training.  Either send me an email with JUST THE URL and I will cut and paste the tool info to add it or better yet, you can create an account to submit (and control) the listing yourself.

Without question, there have been great DFIR blogs that ended because the blogger assumed no one liked the blog (no comments, no interaction, nothing)… The same can be said of tools.  You can write the baddest mama jama tool, but if no one uses it because they don’t know about it, you will falsely assume no one wanted it.  Nothing could be further from the truth.

This is the primary intention of creating dfir.training.  Put all the tools in one place, in a format that can be searched, reviewed, commented upon, and updated for everyone.

The same goes for the DFIR training.  I have taken courses on more than one occasion only to find out that a better course existed that I would have rather attended but just didn’t know about it.  DFIR vendors: stand by your course and list it next to everyone else’s courses.  Want mileage in getting the word out, submit it to dfir.training



241 Hits

Free #DFIR training is great! Except when it's not.

I’ve been asked to add free DFIR training to the dfir.training website (again).  Before I go on a rant, first let me say that I have found a few good sources of free online forensics training.  But, countering those very few sources, I have found more less-than-worth-the-time-to-watch free training.

To give but one example, this course fits in the main reason I don’t want to list free training.

I endured the first half of the course until I got to FTK.

As soon as I saw the course uses FTK v1 (that’s right, version 1), I could go no further.   This is a problem on several fronts. First, can the instructor use current commercial applications or open source instead of a seriously outdated software program?  Seriously.  FTK v1 came out how many years ago?  It’s been over a decade and this course was not created in 2005...

My point is that free courses are sometimes worth the money you pay.  Sometimes they can provide a great value, but if you don’t know the difference, such as being new in the field, it’s a crapshoot if you are getting credible training.  Can you imagine a job applicant talking about having learned forensics last week with FTK v1 as the forensic tool…with a free Internet class?

I am not a fan of paying $5K for a week’s worth of training, but I do accept that most likely, it’s being taught by someone who shows up in Google as knowing what they are talking about.  Whether the instructor writes books in the field, teaches and researches professionally, or writes forensic software, generally I take those courses to be valuable.

Going back to the value of “free” DFIR training…if it is free to you because your company pays for it, that is not what I mean.  I mean “free” as in you provide an email address and watch some guy or gal talk about forensics, without any means of tracking your time to watch.  Or using such outdated information that the “free” course you watched was in effect, a negative, since you not only wasted your time but might have learned something that is not correct.

To the newbies in the field, be careful with where you get your information. Question all of it.  Verify that it is credible.  For if you do not, you will be in a hot seat one day wishing you did.  That hot seat can be a job applicant interview chair or the witness chair in court.  Trust me when I say the witness chair hot seat is much worse than applying for a job if you are wrong in what you say.

For me, if the provider is not credible (as in any of the major software developers), or the instructor is unknown (as in, “who is this guy”), or the software and materials used are out of date, then that class is not worth the time.  Sometimes you can get a great name teaching for a great vendor using all the latest and greatest tools.  On the other end of the spectrum, it doesn’t look so good. 

I will admit that Youtube is great for what it does.  If I need to quickly learn how to replace an overhead microwave, Youtube shows me how.  But if I need to learn about a forensic artifact, in which my results determine incareration or termination, then Youtube is the last place I will look.  Yes, I know there is credible information in Youtube, but when trying to put someone in jail for a crime, I'll take credible sources of training over entertainment videos.

For me, I require:

  1. Recognized company/vendor/provider (can be a software company like Guidance Software or a government training course), and/or
  2. Recognized trainer (someone who actually does the job, has been recognized for their work, published, or discovered forensically sound methods), and/or
  3. The software developer of the program I want to master.

If none of those exist in ANY training I am interested in, you will not find me spending any time in that training.  I simply do not have the time to evaluate something as credible for a course that I can get from a credible provider elsewhere.  Kudo to those who can spend the time figuring out credible courses for the rest of us. *Note* DFIR conferences generally have everything, so I am only talking about a specific course to learn a specific thing.

In short, this is a long answer to “can you put some free training on your website?” question. 


the answer is no, I am not going ot list free training, if you haven't figured that out yet...


Disclaminer: Yes, some very credible forensic folks put out valuable free training on Youtube or their website.  As long as it fits in #1, #2, and/or #3 above, that is not the free training I am talking about.



BS Blog: UW

343 Hits

I worked the same case twice this week.

Changing a primary forensic tool is no easy measure.  Either you go all the way or you don’t really do it at all.  For most cases I work, I don’t really have a “primary” forensic tool.   Depending on the case, I hand pick tools that fit the needs of the case.   On top of that, I rarely crank up a major forensic suite, check every box, and let it process for hours or days.  

In 75% of the cases, I simply listen to the needs of the client, the expectation data to find, and evaluate the tools that can do what is needed.  Sometimes…all I may need is something like RegRipper to find one little piece of data that is needed to make the case.   Sure, I can choose a dongle from my tree of dongles and use a major forensic suite to find a few tiny bytes of data, but why do all of that when I can easily pull out exactly what I need in the matter of minutes (which includes the boot-up time of my forensic machine).

I’ve been raised in the forensic world by FTK and Encase for the most part.  From FTK v1, I learned that it was common practice to process a hard drive for days, and that I better check on the machine every few hours to see if it crashed.  With Encase v3, I learned that during the examination, I better save my case every few minutes.  My fingers still have the ‘save case’ shortcut keys burned into memory because of Encase….

A few years ago, I manned up and bought a X-Ways Forensics license.  Being a self-educated person, I figured that I would figure out how to use it, which I did, but never to the point of actually trusting myself with it.   I took an online XWF course recently, but only took it to justify the years of not renewing my X-Ways dongle.  I mean, really, X-Ways didn’t really help me too much for the price I paid when I didn’t take training in using it.  

The online XWF course I took opened my eyes to things that I had no idea about with X-Ways.  I wasn’t blown away by the course information because X-Ways is just a software program and not a magic wand.  But….I sure did see that I did not use X-Ways at any potential.  I basically wasted my time without the training.  And yes, I read the manual.  I read that thing a lot. I searched that PDF often and rarely found what I thought should be in the manual.  That manual was actually one of the reasons of shying away from X-Ways Forensics.  

I won’t go any further in promoting X-Ways Forensics, other than say that if you haven’t taken any training in X-Ways and have a dongle, you don’t know how to really use it.  I have renewed my XWF license since finishing the online course…

Which brings me to working the same case twice this past week.  I ran both Encase v8 and XWF against a full-fledged forensic exam in a civil edisovery case.  To the client that was billed, I did not bill any extra time…but you got a great deal on knowing what I found was validated to the extremes.

The purpose of running two tools side-by-side was to transition to a new primary tool.  I have run both side-by-side with practice images/tests, but this was a real case for the finale. The most important thing I learned is that it is not easy to change your primary forensic suite to something else.  Working side-by-side with two tools doing the same thing was helpful to see how both did the same thing a little differently.

My informal, anecdotal, and one-time real-case comparison completed the switch for me.  Nothing Encase did, XWF couldn’t do.  Some things were easier/faster, other things not so much difference (how many ways can you copy or export a file out of an image?).  When I consider the price difference, I feel that I made the right choice to add more XWF dongles to my dongle tree and re-evaluate how much I want to renew Encase next time around.

All in all, not that difficult to get used to a new tool, but with something like X-Ways, I needed someone to show me where to click to get what I want.

Recent Comments
Daniel Walton
Be interested in some more detail on comparing XWays & Encase. Filesystem browsing. Found (with my limited exposure) browsing,bas... Read More
Monday, 23 January 2017 22:13
Ron Mays
I have found X-Ways to be an essential tool in my kit, as neither EnCase nor FTK will read XFS file systems.
Monday, 13 March 2017 18:24
419 Hits

DFIR training is expensive (if you let it be expensive)

DFIR training is expensive (if you let it be expensive)
This post is about controlling training costs from vendors to get into the #DFIR field and creating your own system to continue training after you get into the field without flattening your bank account.  I’ll post my experience and opinion on the college system in another post.

My start in forensics started in government work where ALL TRAINING IS FREE.  I say free, but I completely understand that the training was never free since taxes paid by the public were used to pay the vendors. As far as the months of government training (FLETC, etc…), I cannot imagine the cost incurred that were paid out of taxes.  Nevertheless, my out-of-pocket expenses were zero.  I consider myself fortunate to start in the DFIR field with practically zero out-of-pocket costs.

In my post government career, I have seen the how the cost of DFIR training directly affects a company, a small business owner, and the individual attendee.  Every dollar counts when it comes out of your pocket (or if you are the owner of a company, out of the company’s pocket).  Adding up just the costs of vendor and government provided training courses I attended while a government employee easily exceeded $100,000.  I miss the days where the only decision I had to make to go to a DFIR training course was based only on “if” I wanted to go…practically anywhere in the country.

At this point in my career, I evaluate training on several levels:

  • #1 Factor Topic
    • If I can teach the topic, I’m not going
    • If I don't foresee a use for knowing that topic, I'm not going
    • If it is something I don't know, but better know, I'm going
  • #2 Factor Provider
    • Known quantity (by the vendor name OR instructor name)
    • Certification (ranks lowest on my scale of importance)
  • #3 Factor Cost (Tuition AND Expenses)
    • Expensive is generally off my list, unless it’s a necessary course provided nowhere else
    • Cheap is ok, but not if I already know the material
    • How much revenue will be lost if I go (for business owners and billable workers)?
    • How much vacation will I have to burn (if company time off not provided)?
  • #4 Factor Location
    • Out of country is out of the question
    • Out of state depends on Factors 1-3
    • Live online depends on the time offered
    • On Demand's flexibility works well

Before I take any training, I factor everything in a spreadsheet. I use a super simple spreadsheet that you can download.  The way I use the spreadsheet is described at the end of this post if you have interest in having some sort of rationalization for spending money on training.  By putting down on paper, the actual dollar amount per hour I pay, I can more easily see if I am wasting money or getting a good bargain in training.  This allows me to take more training overall.

Basically, if the numbers ($$$) don’t work out, I don’t go

For software being provided, this score is important only if the software is something I would have purchased anyway, such as renewing a license or getting a new license of the software.  If the software is something I don’t need or would not have purchased otherwise, the course is probably not relevant to me either.

The length of the course is important.  I don't want to go to a 3-month long course again for the rest of my life, but I also don’t want to spend a few minutes here and there with different vendors and different topics to add up to substantial training.  What I mean is, there are plenty of YouTube videos that range between 15 minutes of instruction to maybe an hour or two.  Nothing against YouTube videos, but when I watch a DFIR YouTube video, I do it mostly for entertainment purposes, like watching a SANS or Blackhat presentation.  Usually some good info, but many times too much goofing off or high level lecturing than anything else.  Plus, when it’s just a video online, without tracking of attendance, completion, or otherwise proof of watching it, what is the point?

Some of the on-demand courses I have personally paid to take have ranged from terrible to really good.  The terrible on demand courses were those that I could not understand because of a language barrier where the instructor’s language was other than native English.  The information may have been superb, but my frustration in trying to decipher what was being said at the same watching the demonstrations on a computer meant losing out on the information.

Other on-demand courses that cost over $200 provide ONLY ONE HOUR OR LESS OF MATERIAL.    I strongly recommend to never take those courses unless it is something you don’t mind spending $200+ an hour to watch.  I figure that a course needs at least 4 hours for me to consider because many times, I find that I knew half of the material beforehand.  A one or two hour course risks handing over money for nothing in return.

Sometimes, you have to bite the bullet for an expensive course.  If you want to be Encase trained and certified, either you pay or your employer pays, but someone is paying Guidance Software.  No one else other than Guidance and licensed vendors will provide Encase training.  Same with many other software tools.   Part of their revenue generation is from training, so expect to write big checks if you go that route.

Conferences can be a real winner or real loser when it comes to tuition, solely based on if the conference charges just enough to cover expenses or charges a heck of a lot to cover the pool parties, drinks, food, marketing costs, and maximize corporate profits. 

For the new folks, conferences can be overwhelming because the topics range from one end of the DFIR spectrum to the other, but in short breakout sessions.  Don’t expect to master a skill based on a 2 hour lecture.  Expect to be overwhelmed with what you experience.  For the more experienced DFIR folks, conferences are great because sometimes all you need is a 2 or 3 hour presentation on different topics you want to learn more about.

In short (or long), you can control the amount of money and time you spend on training.  Go ahead and use my spreadsheet and customize it to your needs.   Unprotect it to change it (right click on the worksheet tab > unprotect).  Or use it as is.  I can assure that once you start putting in the numbers, you will have a clearer picture of how much money you are actually paying, per hour, which will change the way you randomly pick training courses to attend.

Generally, I have a range of how much I will spend per hour for any training course.  The only exceptions are when I need/want a specific certification that I cannot get anywhere else.  And for those certs, I usually don’t get any more anyway.

The way the spreadsheet works is simply entering:

  • Rating of importance to you (topic, vendor, etc…)
  • Number of hours*
  • Cost (tuition, expenses, loss of potential revenue/billable hours)

*The number of hours is misleading because of breaks/lunches.  So, the spreadsheet takes into account 10 minute breaks for each hour and a 1-hour lunch break as AVERAGE.  I’ve seen breaks go beyond 20 minutes and as short as 5 minutes.  I’ve seen lunches be served in the room for 30 minutes and had an hour and a half in other courses for lunches.  Add up the time and you’ll see that a 40 hour course has 5-8 hours in breaks.  This means you don’t get 40 hours of training in a 40 hour course.

The calculations will give you:

  • Score of importance to you balanced by important factors (0-5)
  • Cost per hour

You can then quickly compare an on-demand/online course to its classroom version as well as seeing exactly how much money per hour you will spend on any training.  For me, I want to know the value of what I am spending as it relates to what I am getting.

This method also helps me avoid the beer fests that are accompanied by some lectures in the morning, where I would spend thousands on tuition, thousands on expenses, and loss of thousands in potential revenue, just so I could walk among zombies in the day time.  I still do this, but not as much as before.  Maybe I’m getting old or maybe it’s because I now know how much I am spending per hour….

Download the spreadsheet here: Evaluating Training.xlsx

470 Hits

On-Demand Course List

The on-demand DFIR training list has been started, and I will admit that it has to be incomplete since I could not find that many DFIR courses online.  I will continue to search and ask that if you know of courses not on the list, send it to me.

I have purposely not selected some DFIR ondemand training courses and intentionally selected other courses.

The list is here: On-Demand DFIR List

Firstly, Udemy courses are not included.

Many Udemy courses may be great, but I am not a fan of their business model, nor the lack of quality and content control (I've taken several of their courses for evaluation in this list).  Another thing for me with Udemy courses, at least for the DFIR related courses I saw, many are 30 minutes or maybe an hour in length.  I do not believe that half an hour actually constitutes a training course and is borderline YouTube.  Pardons go to the good courses on Udemy that I did not find to put on the on-demand list.

A real issue with Udemy is the theft of courses that Udemy has hosted (still?).  Search the Internet for Udemy and theft and you will find plenty of articles and blogs of how content creators have had their courses pirated on Udemy.

Second, "free" courses are not included.  

I evaluated several providers of free DFIR training and none impressed me with the information and instruction.  I am sure to have missed quality free DFIR courses, but at this point, will not be included, especially if a free course is simply an introduction to a paid course.

Additionally, YouTube videos are not included.

I have found that YouTube seems to have better quality DFIR videos than some of the free courses I evaluated. BUT, I do not believe that any professional DFIR practitioner should rely upon, refer to, or base their knowledge on YouTube videos for the mere fact that YouTube is an entertainment medium without any quality control.

Lastly, if a vendor doesn't provide a course cost on its website, I did not include it.  I understand that a requirement to request the price when it could as just as easily be listed online is just a means to harvest email addresses of potential attendees for future spam.  Those types of courses are not listed until the prices are publicly available.  In some cases, I really wanted to add these courses, but the lack of public information by the vendors is unacceptable, whether it is by intent, inadvertent oversight, or just impossible to find on the respective website.

I just do not understand why a vendor would risk potential students leaving their site when they can just list the prices of the courses.  “Get Instant Pricing” means you give up all your personal contact info in exchange for email after email after email until you unsubscribe and beg to be taken off their mailing list.

Courses that are "live" online are not included since these courses are only available at a set date/time and therefore, not available "on-demand".  Live online courses are listed on the training calendar.  The calendar listing will continue to grow as courses are sent in to me and as I find them.


466 Hits

More updates than you can shake a stick at

I have not had received so many 'thanks' emails than I have since putting http://www.dfir.training online.For every person and organization that submitted tools and/or training, I really appreciate the help in finding something that existed that I otherwise did not know existed.A major point I want to get across about dfir.training is that the site is controlled by the DFIR folks who use it.See something you like? Let me know.Have an idea of what you want on it? Let me know.See something that su...
Continue reading
187 Hits

More goodies.

By request, I've started to add DFIR hardware tools to the database.After thinking about, it makes sense to add hardware as well.Here comes the hard part and the method of database entry I choose.First off, I listed the hardware tools by VENDOR and not by ITEM.In addition, I did not (and will not) list every single DFIR hardware item separately, other than by category.The listing of hardware becomes problematic because of the numerous retailers selling tools from few manufacturers. I believe thi...
Continue reading
229 Hits

Training courses list update

I have put in as many courses that I could find online to add to the dfir.training calendar.The courses I did not add were those that were:-full-incomplete information (no address)Some vendors have hundreds, and I mean hundreds, of courses.Some vendors have been adding their own courses to the dfir.training calendar. If you are a training vendor, send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. if you would like access to add your courses directly.I'll give you access as long as you are a training provider.F...
Continue reading
376 Hits