dfir blog

All about dfir.
I'm a training monster.  I eat it up.  I get it wherever and whenever I can.  I support anyone in the DFIR field to get as much as they can too.  If you are in government, you get more than your share without spending a dime out of pocket (sorry for the private sector folks, but you guys get to pay for the public sector expenses for training).  I l
I’m fortunate to have seen the DFIR field change well beyond anything I could have expected.  I started in “computer” forensics when Encase was on floppies, SafeBack was the imaging tool of choice, Norton Disk Editor was part of the toolkit, and we would literally seize entire computer systems as evidence in case we were told to rebuild everythin
During an all day intern interview selection, the biggest thing I always see is that many of the new kids wanting to get into "DFIR" are on the wrong track. No offense to anyone getting into the field when I say "new kids".  I just mean those who are new to the field.  And by "DFIR", I mean the field as a whole, which I'll get into shortly. There a
Occasionally, I jest about forensic tools.  I believe that most of us have experienced a wide spectrum of emotions when having to rely upon a hardware or software tool to get a job done.  When it works, we are happy.  When it does not work, we are not happy.   But sometimes we are wrong in blaming the tool.  In short, we need to ensure that… ...the
If I have seen any trends over the past years, it has been the questions of how to get into the field (digital forensics, incident response, or any sub-field of any sub-field in the realm of “cyber” security).  The first range of responses generally recommended applying to law enforcement and hoping to get a rare chance to compete as a digital invest
Some cases can’t be closed.  It does not matter that you can’t figure out whodidit or howtheydidit, you just can’t close the darn file until you get something.  I have quite a few of those.  I regularly pull them out when I have a break to see what I missed. Sometimes I realize I overlooked a small detail, like a grammatical error, but mostly, the
I came across an article this week where a judge didn’t accept printouts and screen grabs of a Facebook page as evidence because the metadata wasn't captured AND the defense couldn’t click on the links that were captured via screenshot.  Really? Since when is it not enough for a law enforcement officer to not only testify what s/he saw, but also
...for the better.  These past few weeks have been nothing but wildfire after wildfire (maybe your workplace was quiet?).   If not for the news showing up at the gate and everyone sneaking in the back door, phones ringing off the hook, I'm surprised the whole world wasn't burning down by 2pm on some days. But that was just my office...Hawaii would
Some #DFIR cases are easy.  The Reality Winner case is one of those, at least for the purpose of obtaining Probable Cause to arrest and most likely, convict, without having to do much more work.  In police work, this is called “a case assigned on a silver platter.” To be the case agent assigned to this is a joy simply because of criminals making mi
I’m a digital immigrant.  For a long time, I used pagers at work and had a cell phone that was the size of a toaster with a battery that lasted 10 minutes if it wasn’t plugged in.  I grew up with BASIC, DOS, AOL, and 5-1/4 floppy drives.  Now…I make phone calls on a computer that I carry in my pocket, have video meetings on a tablet that is thinner
Whenever I have to buy a dongle (i.e., a license for a software I don’t have or an additional license to a software I do have), I go through periods of frustration lasting 2 or 3 days.   In short, I just want to know how much to pay.  That is all I ask.  How much does it cost?  Nothing more, nothing less. The 2 or 3 days of frustration is having to w
One of the greatest questions in the field of DFIR has nothing to do with analysis, but rather, “How do I get started in DFIR?” Using Google-fu, you can find plenty of answers reaching back a decade or more of blog posts and forum threads of how to get into DFIR.  To add to the Internet resources, here are some methods of getting in that you may or
Before I get started talking about the #DFIR books I’ve read, don’t be too excited that I’ll have a ‘book of the month’ post more than once.  With forensic books, there just isn’t enough to do a book of the month review.   With that, I do want to post a bit about the books I have enjoyed and some that I have not. These are only the books that I hav
A few changes to the DFIR.training website.   First, several lists have been updated (bad links removed, more links added).  The event calendar has been removed.  Too many courses have been canceled or changed to keep up with as I have curated most of the courses myself with only a handful of providers updating their own trainin
A police officer called me about a private sector case referral that ended up being a hornet’s nest of problems. The story goes: Victim company fires an IT employee.  Rather than escorting him out at the same time of revoking all access to the company network, they gave him the afternoon to clean out his desk.  In that time frame of unsup
I’m on the second day of a conference for the second time this year and 90% of the time, I am hearing information that is more or less, a “refresher”.  Before you take that as a complaint, stop right there.  If anything, I am complimenting that there is 10% that is super great information, in effect, “refreshing” information.  My goa
Sadly, dfir.training didn’t make it as a nomination for Digital Forensics Organization of the Year Award, but still, I’ll be there for the award presentations (I have a ticket in hand, or rather, in my email).  I suggest that you vote in the awards to show appreciation for those in the field who do a lot for the rest of us in the field. 
I just finished reading “The Art of Invisibility” by Kevin Mitnick.  The book is full of tips on how to be anonymous on the Internet.  Nothing in the book was a surprise or new information to me and most likely won’t be new to anyone who works in DFIR/Infosec, which leaves the information on how to be anonymous out of the comprehension r
Have someone else take a look at it. That’s the best tip you can do for any problem that you cannot solve; have another set of eyes take a look.  I personally know investigators (in LE, or DFIR, or LE DFIR) who refuse to ask for help because, as I am told, they can do it better than anyone else. This reasoning is understandable, especially if
1. Be the Bloodhound. The Bloodhound has the best nose to find anything.  A DFIR’er should be like the Bloodhound, in that if the evidence exists, you can find it. Evidence: Where is it? Tools: Where can I find the tools? Training: Where is the training? 2. Think like the Squirrel. Squirrels may look cute and innocent, but they are always t