Jessica Hyde came up with a really good idea on putting together free resources to learn DF/IR/Infosec in a manner that would make it easy for someone to self-learn. I’m taking a few minutes to punch the idea out a little further with my opinion on one way on how to do this easily when you don’t know where to start.
But yes - that is what i am thinking. Throwing together informal resources for self-learning. Totally DIY. But those getting started may not know which resources to cobb together.— Jessica Hyde (@B1N2H3X) June 9, 2019
There are three major methods to learn DFIR
You can be told how to do it:
- Vendors (developers of software, training companies)
You can be shown how to do it:
- On the job training
You can teach yourself
Most everyone in their DFIR career jumps around doing any combination of these methods. But starting out, here is an idea (even for someone not starting out, this works for you as well). Create your own self-teaching course. Here is an example if you want to be self-taught on registry forensics.
- Get online and search for all things Windows Registry forensics.
- Find courses that post the syllabus online.
- Research every topic in that syllabus to find the materials you need.
- Document all of what you find in “your” Windows Registry Forensics course.
- Take your course.
I found this in less than a minute searching for registry forensics:
That is a decent start!
Now go through each topic and find an online resource. There are plenty of blogs, YouTube videos, and books (library is free!) to fill every topic that you need. If you are looking for free software, there is plenty listed at www.dfir.training. Same with test images, plenty on www.dfir.training to download. As you go through your course, if you have questions, www.forensicfocus.com is an outstanding forum to post questions to what you are learning. Simply state you are learning about “x” and have a question about what you are seeing or doing. If you search online, you can also find low cost training, as in less than $50 or even $10 to teach you something in your course that you can't find online or want to have instruction in)=.
I promise if you do this in the beginning of your learning, when you do have the opportunity to take courses, training, or college programs in these topics, you will learn faster and with more clarity than others. I have taught college programs where some students were completely new to the topic, so new in fact, that at the end of the programs, they did not learn as much as others who had a better grasp on the subject matter. It makes a huge difference in education and even vendor courses when you have some foundation of learning ahead of time.
One thing about self-learning in DFIR, is that ‘the data is what the data is’. Meaning, when you run “x” tool against “y” media, the results are in front of you. Interpretation is one thing, but the output is what it is. Using forensic challenges, you can run tests and check your results against the answers of the challenges.
Is this a lot of work?
Is it worth it?
You bet it is.
I practically do this all the time myself, for many things that I want to learn. To make this even easier for you, I have the start of a Wiki....I'll help put some of these DIY DFIR courses on it, hopefully with help from others. If it is a useful thing, I'll keep it going, but like everything else in the world, it is up to you to do the work. Maybe if striking the match with a wiki will help start your fire, then we'll give this a go: http://www.wiki.dfir.training.
Given the massive amount of materials on www.dfir.training , plus the to-be-released public forensic artifact database , everyone will have a totally free, one-stop shop for DIY DFIR training at www.dfir.training . If you are new to the field, one thing you'll quickly learn is that no matter how long you work in DFIR, you are always learning, which makes something like www.dfir.training a continually re-visited resources. That's pretty cool.