When I first started examining smartphones (in a galaxy far, far away), there wasn’t much to it. For criminal investigations, it was more of the phone call logs and cell tower dumps that were important since not that much data was on the phones. Most phones at that time practically had no data anyway because they were just portable phones, not portable computers.

Fast forward to today, and a mobile device examination can take longer and be more labor-intensive than any typical workstation examination. Plus, mobile devices present a ton of difficulties just in reaching the data, if you can access it at all. Considering that a mobile phone may have dozens more apps than the user’s home computer, it is easy to be overwhelmed by the sheer amount of user data, storage capacity, and near 24/7 logged activity on the typical mobile device.

At one point of fighting to


I’m going to show you how you can impress bosses, clients, and courts with your work being as professional and smooth as a well-rehearsed rangers-delta-seal-recon-swat operation.

We in DFIR use quite a few military and law enforcement terms to describe our work. From “red teams” to “battlefield forensics”, we tend to absorb the cool words to describe the work or even to glamorize it more than describe it. That’s all fine and dandy.

But of all the borrowed terminology, the most important military and law enforcement process that everyone in DFIR should fully incorporate is communication. Boring subject? Nope!

You already know that communication in the workplace is important (at home too...). But I am not talking about the social aspects of communication, but rather the tactical and strategic interactions that directly affect your tasks at hand before you even start. This is the one area where we in DFIR


TL;DR

Here is the WinFE website with build instructions: www.winfe.net.

Brief overview of some details that may be helpful to know

Developed by Troy Larson of Microsoft in 2008, further developed into a GUI build (WinBuilder) by a number of developers in 2009, with a great write protect tool written by Colin Ramsden in 2012, noted in digital forensic books such as Computer Forensics InfoSec Pro Guide and Computer Forensics and Investigations, taught by FLETC, SEARCH, IACIS, and DFIR Training, documented in dozens of blogs and magazines, WinFE has become a widely accepted and commonly used digital forensics tool. And now you can boot an ARM device and image it with WinFE 10.

Windows Forensic Environment Training available

Typically, WinFE training has been law enforcement or association-membership only. Actually, there are no training courses outside of government training. Government training courses have been provided


In this post..

How to save your job. How to save your reputation. A chance to win a 3-year license of Forensic Notes.

Notetaking is boring.

Many jobs require writing in some form or another. Writing can range from documenting an inventory of empty boxes to full-blown and extremely detailed legal briefs of a complex criminal investigation. Your basic report writing and notetaking falls somewhere between these two ends of the spectrum. Generally, when we write, we suck at it. <I might be speaking only for myself…> We suck at it because we don't like doing it, as it is boring.

“If you don’t document it, it never happened.”

One thing about history is that history has been documented.  There is probably a lot of world history that no one will ever know because it wasn’t documented. All we know is that which has been documented in stone, parchment, or paper. 


There are few things cooler than finding that one of your forensic tools was updated with new features.  It does not matter which tool, or which new feature. There are times when some of the new features don’t apply to what I work on but are cool nonetheless as it shows that a tool is constantly being developed.  Small, new features are neat, but the major updates are usually so good that I have to immediately test it out.

Using Belkasoft Evidence Center (BEC) as an example, the latest version, 9.7, added quite a few new features. I previously blogged about BEC as an all-in-one forensic suite that has a place in my forensic analysis right next to other tools, and the mobile device features added really expand upon the all-in-one suite concept.

BEC added a lot; you can read the bullet points here: https://belkasoft.com/whats_new_in_version_9_7

The mobile acquisition


I have an upcoming review of Forensic Notes. Here’s the summary:

Forensic Notes does exactly what it says it does.

I’ll get into the details later this week, but after corresponding and debating (in a good way) with the developer over notetaking for some time, I’ve been swayed toward better ways to document my work. I’ll discuss some of the things that changed my mind in the review, but fair to say that you may want to take a look at your documentation methods for improvements.

GIVEAWAY !

With that, Forensic Notes is giving away THREE 1-user professional licenses for THREE YEARS. That means you have 3 chances to win a 3-year license. This is a substantial giveaway.

Giveaway date: Oct 28, 2019

Rules: (1) Answer the winning email on Oct 28, 2019 if you win, (2) agree to maybe receive an email from Forensic Notes


Experts, Thought Leaders, Influencers

The short version

Don’t mistake the misuse and abuse of these terms as a reason to avoid using them all together.

The longer version

The social media negativity given to the terms expert, thought leader, and influencer makes this a risky topic to write about. However, given that it is National Cybersecurity Awareness Month (NCSAM), I find it relevant to talk about them in order to bring back usefulness to these terms for both the public good and professional development.

Definitions

Let’s get this out of the way first. None of the formal definitions for any of these terms are negative. The terms are what they are. They are simply descriptive words like any other word, and like any word, can be used, abused, and misused.

Myth: I don’t like that word or its definition; therefore, if you use it, you are bad

Internet social

If you don’t already have a DeepSpar Guardonix, you might want to get one.

DeepSpar has a solid reputation in regard to its products for recovering data from bad drives. It figures that anything with DeepSpar’s name on it should be just as good, and in the case of the Guardonix, this is true.

Short version

  1. The DeepSpar Guardonix does what it says it does.
  2. You should have one if you have any chance of doing forensic disk imaging.
  3. The price is reasonable. You can even get 25% off before the end of this year*.

 

Side note: If you want a chance to win the DeepSpar Guardonix with Professional Upgrade and set of adapters, enter your contact info before September 15, 2019 here:

https://www.dfir.training/dfir-training-blog/enter-to-win-a-deepspar-guardonix

Longer version

This longer version doesn’t include an extensive “how to use” tutorial, but rather my overall opinion of the Guardonix. The DeepSpar videos explain how everything works much better than I could do it justice. Take


Tip: There is a limited-time special offer at the end of this post :)

We work with an ocean of data and tools, virtually unlimited in both the amount of data and the number of tools to deal with it. If you jump in the middle of this ocean of data and randomly grab any tool within arm’s reach, you will become overwhelmed, be ineffective, and wear yourself out. And at that, your complaints may be "there was too much data" and "the tools were terrible". But practically, it is the preparation that makes all the difference in how well you can handle the data*. With the right tools, immense amounts of data can be culled and analyzed without breaking too much of a sweat.

*By handle the data, I mean conducting forensic processes in the manner your job requires.

For example, if you know that


Testing software, researching forensic analysis, teaching forensics, and learning how to use forensic tools all require one common thing: test images .

There are so many forensic test images scattered across the Internet that finding something you need takes time. So…I have curated into categories all that I have found, and I add new sources as I find them or am informed of them.

You can find them all here: https://www.dfir.training/resources/downloads/ctf-forensic-test-images

 

Links by category:

CTF/Challenges

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/ctf

Malware

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/malware

More images

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/more-images

Registry Samples

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/registry-samples

Windows Event Samples

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/windows-event-samples

As to the details of each category, there really isn’t much to elaborate beyond the category title. However, an important point to remember is that any one of the links to a dataset usually includes gigabytes, if not terabytes of forensic images sub-categorized by the respective providers.

Summary of each category

CTF/Challenges

Plenty of challenges involving all aspects of forensics, steganography, cryptography,


How do you know if you improved your skill and knowledge base over the past years, or even over the past week? Did you even improve anything from yesterday? And if you did, how do you know? Are you better at working DFIR today than yesterday? There is something you can do to check.

Pit yourself against your most fearsome opponent: Yourself!

We are our own worst enemy in many facets of life. We are the most critical of ourselves compared to anyone, even compared against the most overprotective parents or the strictest music teacher you’ve ever had or seen. We are tough on ourselves. Let’s take that toughness and use it for a benefit!

To see how much you have grown and developed in DFIR skills, block out a day to check yourself against a younger version of yourself. If you have a case or analysis from years


TL;DR

Belkasoft Evidence Center lives up to its tagline of “forensics made easier”. For near-complete automated casework, it works. An intuitive interface and automated processes make processing practically user-error free.

The review

I took Belkasoft Evidence Center (BEC) for a test drive, ran it across several images, and validated what I saw with a different forensic suite.  Everything that I tested, worked. Plus, it did a few things that my other tools do not.

At this point of digital forensics software development, especially with name brand companies such as Belkasoft, I am not going to get into the things that every forensic suite should be able to do, such as adding images, imaging, data carving, or creating bookmarks of items, unless there is something substantially different. If a tool cannot do the basics, then I don’t want to touch that tool or let it touch


Only 10 ways? Probably a lot more. But these are the top 10 that I have seen (some that I have experienced!) that can make a DFIR case go in a direction that you would rather it not go: downhill!

  1. Collection

If the data collection is “wrong”, the analysis only goes downhill from there. The many ways that “wrong” can go include: failing to reasonably protect the data, not collecting the relevant data, not safeguarding the data, altering the data, or using inappropriate data collection tools or methods. Anything unreasonable that can taint the collection adds to the risk of ruining an investigation.
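The “altering the data” pitfall above is the one a hash check catches. As an added example (not code from the original post), here is a Python routine that hashes an acquired image in chunks, records the digest, and later verifies the file against it; the file name, the bytes written into it, and the single-byte change are all constructed for the demo, not taken from any real case.

```python
"""Acquisition integrity check: hash an image in chunks, verify it later."""
import hashlib
import os
import tempfile


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Return the hex digest of a file, read in chunks so large images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, expected_digest: str, algorithm: str = "sha256") -> bool:
    """True only if the image on disk still matches the digest recorded at acquisition."""
    return hash_file(path, algorithm).lower() == expected_digest.lower()


def demo() -> dict:
    """Constructed walk-through: write a small fake image, record its hash, then flip one byte."""
    with tempfile.TemporaryDirectory() as workdir:
        img = os.path.join(workdir, "evidence.dd")  # constructed file, not a real acquisition
        data = bytearray(b"\x00" * 4096)
        data[510:512] = b"\x55\xaa"  # constructed: a boot-sector signature so the file is not all zeros
        with open(img, "wb") as f:
            f.write(data)

        # What you would record in your notes at acquisition time.
        acquisition_digest = hash_file(img)
        intact = verify_image(img, acquisition_digest)

        # Simulate post-acquisition alteration: a single byte changes.
        with open(img, "r+b") as f:
            f.seek(2048)
            f.write(b"\x01")
        altered_still_matches = verify_image(img, acquisition_digest)

        return {
            "acquisition_digest": acquisition_digest,
            "intact": intact,                              # True
            "altered_still_matches": altered_still_matches,  # False
        }


if __name__ == "__main__":
    print(demo())
```

Record the digest, the algorithm, and the tool used in your notes at acquisition time; a later mismatch proves the copy changed but not where or by whom, so keep the original sealed and work on a verified copy.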

Tip: What is reasonable in one situation may not be reasonable in another, so case specificity is important to articulate whenever anything strays from a perfect collection. Also, not every collection is perfect, because every situation is different. That means a change in how data is


The best forensic test image is the image that you personally create, and this is probably not the answer you want to hear because you know just how long it will take to create an image from scratch. I'm not talking about imaging your personal machine, but rather building an entirely new system from scratch, filling it full of data and user activity, and subsequently creating a forensic image of it. Lots of effort. Lots of time. But you get the perfect test image. There are a few things you can do to minimize your time and maximize the effectiveness of creating your own test images, as well as other options for using test images.

First, let's talk about alternatives to building your own forensic test images.

3rd party images

A reminder that you can find terabytes of test images and data at https://www.dfir.training/resources/downloads/ctf-forensic-test-images.

The images are organized as CTFs, malware,


Reviews!

I have a few items to review that I am about to have time to get to: DeepSpar, ForensicNotes, and a few others that I need to finish testing before I can talk about them.

Forensic Artifact Database

Available only to Patreon patrons now as early access, but it is coming along (screenshot below this post of one artifact example). Please please please do not create an account on dfir.training unless you are a patron ( https://www.patreon.com/DFIRtraining ). I am only approving patrons at this point and plan on opening the database to the public in a few months. Patrons are early access and contributors at this point. It will be freely available when it has enough artifacts to be useful almost every time you access it.

Also, I will have a new thing on DFIR Training that is closely associated and integrated with the forensic artifacts: Self learning lesson plans (see #5


Trying to get into the DFIR world, at least at first, is overwhelming. Even after being in the field for some time, it just seems that information comes in tidal waves when looking for relevance in all the information that is generated every day. So, how can you meet those in the field?

One of the best ways to get into the field as well as stay connected to the field is through organizations, associations, clubs, and informal meetups. The question is, where are they and which one to join?

The short answer

Go here: https://www.dfir.training/directory/associations

The longer answer

All you need to do is find a group that already exists that caters to your needs and is local to you.  DF/IR/Infosec organizations can be very general and broad in scope, or they can be highly specific. Decide what you need and consider joining that organization.

Generally you have access


Jessica Hyde came up with a really good idea on putting together free resources to learn DF/IR/Infosec in a manner that would make it easy for someone to self-learn. I’m taking a few minutes to flesh the idea out a little further with my opinion on one way to do this easily when you don’t know where to start.

Housecleaning

There are three major methods to learn DFIR:

You can be told how to do it:

  • Colleges/universities
  • Vendors (developers of software, training companies)

You can be shown how to do it:

  • Internships
  • On the job


I have been revisiting creating a forensic artifact database for some time now. I have started and re-started several times and finally realized why no such thing exists outside of a PDF or spreadsheet: there is just so much information in forensic artifacts that can be cross-referenced across so many categories, and some of it is so specific to a single operating system, that it is difficult to create. But I think I have finally figured out a way to make this usable.

Here’s where it stands right now.

I started (re-started…) the database and have a system where these are the things you will be able to do with it:

  • Search by artifact name (easy enough)
  • Search by category (such as “system artifacts”, “user artifacts”, “Windows artifacts”, etc…)

From there, you will have one artifact per page that gives you:

  • Citable definitions (so you don’t have to


There comes a time in this line of DFIR work where any of us, or all of us, stand to make a judgment on what the world of DFIR is as it relates to our work. Be prepared for this to happen to you, but don’t let it.

No profession is immune to practitioners’ perceptions bleeding into their outlook on the world. For example, law enforcement officers who work a particular type of crime may begin to see the world stained by that crime, such as working the digital forensics end of child exploitation cases. Narcotics detectives go through the same thing. Practically everyone that a narcotics investigator will contact (outside of law enforcement) is somehow related to the drug trade, which can tend to color their world as contaminated with drug traffickers.

In the DFIR world, working any type of case or incident will eventually


This is totally an opinion piece on my part. To be honest, I think every person presenting in DFIR (or presenting on anything to anyone at any place) has different fears, or more or fewer fears, and there might be one person without any fear of presenting in front of others. I say ‘one person’ because I have not yet met that one person and I even question the existence of such a human.

For those who haven’t presented much, or at all, or wonder what other presenters are afraid of when they are speaking, this is for you.

Everyone knows more than you

This is true. Everyone does know more than you. But you most certainly know your topic better than anyone else in the room. That is how this presenting-a-topic thing works. They are there to learn from you and the work you did to get onto that stage.


I cannot overstate the benefit that everyone, and I mean everyone, receives with DFIR Review. That includes YOU, whether you submit research to DFIR Review, or if you read research published on DFIR Review, or if you need to cite research on DFIR Review.

Refresher on DFIR Review

This is a merge of the traditional “academic peer review system” and “blogging your research”. In short, we have taken the benefits of academic peer review and the benefits of DFIR blogging to create a simple and fast way to have your work peer reviewed.

Academic peer review is important and should be considered for most research as it is peer reviewed by academia. But it takes a long time and is typically used for longer research projects.

DFIR blogging is also important and should be considered for most research as it is quick to publish and instantly available for others


Every now and then (actually, more often than not), I come across a short statement or question on Twitter that packs more punch on second glance than you would first think about.

Justin Boncaldo tweeted yesterday, “What is your favourite way to start an analysis? Mine is with the registry!”

This is an important question to ask because if you start on the wrong path of an analysis, the best result will be that you realize the wrong start, re-start, and accomplish the analysis objective. The worst result is never finding out and not coming to a reasonable conclusion, or any conclusion, or a wrong conclusion in that analysis.

Everyone has their own way of doing things, even in


For those in the DF/IR world who started in this business way back when (or maybe you were part of the crowd who actually started this business), you'll know exactly what I mean when I say...

"That which was impossible yesterday, is possible today."

What I mean is that the tools of yesterday were great at the time, but today, not so much, or actually not at all. I remember the first time that I carved out images (pictures) from an image (as in a disk image) using DOS software. I was amazed. Then I was running around the entire City Hall finding any floppy disk lying around to practice magic. Word documents! Spreadsheets! I WAS ON TOP OF THE WORLD! Oh yeah, the stuff I found on those 'formatted' floppies was really neat too.....

There were a lot of impossibilities back then, or at least things that just weren't


Over the past year, many articles, blogs, and actual news stories have talked about the extreme shortage of “cyber” applicants. Yes, I said the word “cyber”, and I am using that term to encompass everything in information security (like the DF and the IR and the infosec).

Lately, many blogs have been talking about the shortage not actually existing, and that it is the fault of hiring departments not hiring the available pool of applicants.

There is the split in the road, and as far as I am concerned, I agree with the pool of qualified applicants being WWWAAAAYYYYY larger than the available jobs. This goes directly against all the talk that we have a shortage. Looking at it from both perspectives, each side (the HR side and the ‘looking for a job’ side) sees a shortage on the other side. In reality, I believe the shortage is manufactured


If you have been keeping up with online conversations about DFIR research being peer-reviewed outside the academic review process, then this post is for you because…

DFIR Review is here!

Check DFRWS's public announcement:  https://dfrws.org/dfir-review  

What is DFIR Review?

Short version: Your DFIR research can be peer-reviewed in less than a month, published as peer-reviewed by a committee, you get the credit for your effort, the community shares (and grows with) your work, and you are encouraged to further develop your research as you see fit.

Longer version: Back in June of last year, I posted an idea of peer-reviewing DFIR bloggers’ research. The idea evolved through several additional posts (and response posts from others) until finally reaching today’s jump-off of DFIR Review. There has been lots of effort, lots of online conversations, and lots of coordination to get this off the ground. Joshua


An interesting Twitter thread popped up on forensic imaging. Good points were made on whether or not to create full disk images, sparse images, or even to image at all.

There are so many factors to consider in such a decision, that I believe it unreasonable to have a simple catch-all solution. Civil vs criminal case. Legal authority. Resources and time available. Type of case. Type of system. Amount of data. Number of systems. And other unforeseen situations.

But I believe that quite simply, if legal authority exists, and resources are available, why not create full disk images? To clarify, "available resources" means that you have the time, the tools, the staff, the storage, the funding,


Another list of resources added to DFIR Training: Patreon!

What is Patreon?

Patreon allows anyone to create a personal webpage, create and post content to the page, and charge visitors (patrons) to access the content. That’s all there is to it.

Patreon is one of the first of these types of platforms to take a foothold in this space, and it is still working through growing pains. But, all in all, it works as advertised. The vast majority of content on Patreon is not computer related, and of that which is computer related, even less is DF/IR related. But it is there; I have seen more DFIR pages being created and expect more to be created. You could be next to create your own Patreon page!

Of course, I’m talking about Patreon because DFIR Training has its own Patreon page where I am creating content, giving access to courses, podcasting, and blogging exclusively


Here is something I do. I make it a point to write down something that I learned each month. No, I don’t sit and think about what I learned, then write a poem about it. When I learn something that impacts what I do in DFIR, I write it down as soon as I “learned” it. By learning, I mean either I figured it out through research, or watched it in a video, or a class, or a blog. This happens several times a month…but I want to have at least one thing that I learned per month.

At the end of a year, I can look at the major things I learned and put an importance on each newly learned thing by simply writing a few words about it. From this, I personally share with or teach others. I call these the “neat things”.

I know that you also


What to Expect with DFIR Training in 2019?

TL;DR

Everything you need for DFIR is ending up on www.DFIR.training.  Software. Hardware. Artifacts. Resources. References. Citations. Forms. Templates. Affidavits. Keyword lists. Forensic Test Images. White papers. Books. Jobs. Videos. Podcasts. Infographics. Blogs. RSS feeds. Events. Research. And Community!

What's coming in 2019?

More tool listings!

Of course.  More categories too since there are just so many tools to search through. If you don’t see a tool, let me know and I will add it. No tool too big or too small. Currently, there are 1,400 tool listings in 238 categories. Even cooler is that all tools are cross-referenced between the categories :)

The one field that I recently added for license type (commercial, free, multi-license) is still being populated, but when finished, you can search for tools with a filter by license type. I should have started this early on rather


First the bad news

I’m re-doing the database and starting from scratch.

Now the good news

It will be so much better than I originally planned.

The intention of the artifact database

The forensic artifact database is not intended to get into the weeds of forensics. Some aspects may be detailed, but generally, this database is not going to replicate that which has already been done elsewhere and everywhere else.

With that, the database is intended to point you in the right direction to what you are looking for, quickly and easily.  As an example, each category will have topics that will give you a broad overview of the artifact, training resources, software, published resources (books and papers), videos, and other direct links to citations that you can use. It's like Google, but faster, and curated specifically for each artifact. And cross-referenced as needed with other artifacts, operating systems, and


I participated in an interesting thread on the Forensic Focus forum regarding software licensing recently.

https://www.forensicfocus.com/Forums/viewtopic/t=17257/postdays=0/postorder=asc/start=0/

There were good points made in response, such as suggestions to use open source tools and that the answer to the question is an unquestionable “NO”.

Countering the good suggestions were some terrible replies. Like, it’s okay to use cracked versions of software, and that playing around with hacked versions of commercial tools is fine as long as you don’t make money from it. And don’t forget the cover-all excuse of ‘everyone does it’. Holy smokes!

Here’s my take: Abide by the EULA.

That’s it. Generally, there is a software licensing agreement for all software. Some are written explicitly and specifically by the developer (name any commercial tool as an example), and other software may be uploaded to repositories using one standard licensing agreement to cover everyone’s uploaded software.

https://en.wikipedia.org/wiki/Software_license  

In


I'm putting together a list of guests for the DFIR Training podcasts for 2019. The podcasts will be different than podcasts currently being done. Short and sweet. To the point with a dash of humor. 

The goal is to have something you can listen from start to finish in less than 15 minutes, in which you can get some nuggets to help you in your job or help get you through the next committee meeting, or while you watch a progress bar not move...you know what I mean ;)

I am open to practically any guest, which means practically any guest, in addition to those I am personally seeking out. Be forewarned that I may be sending an email to you to come onto the podcast, but also, don't worry. It'll be less than 10 minutes of your time, which is less time than it takes to microwave a lunch.

The podcast will be


DFIR Book Share Challenge

So far, in my opinion….this DFIR Bookshare Challenge is awesome

Sure, there is some work to it. Getting the books (and signed by the authors!), getting the word out, managing the hundreds of entries, making random drawings, getting confirmation from winners, then getting the addresses, then the mailing of each book (in and out of the USA). But even at that, this is totally awesome! Awesome because so far, the winners are welcoming the challenge to share after reading the books. That is so super cool. Even cooler is that you don't need to spend a dime in buying the book, shipping fees, or anything. Just the time to enter is all that is needed and I'll mail the book to you if you win.

To get one entry per drawing, be sure to create a free account here: https://www.social.dfir.training/groups/viewgroup/3-dfir-book-giveaways. I am only requiring


We each have our own preferences in what we want to see in forensic tools. Some live and die by the CLI, where any GUI is blasphemy to the cause. Others demand that a button exist for everything and don’t even give a sideways glance at anything that requires typing a command or right-clicking to get to a function.

By the way, there’s nothing wrong with anyone’s preferences, as long as you can do the job with the tool you use. But there is something to keep in mind when you stand wholeheartedly fast in your software belief system, and it probably stems from your introduction to the tools.  One thing that I have seen in introducing forensic tools, is that the manner of introduction has a long-term effect on future users. If the introduction is poorly done, the odds are that unless the student makes an effort to correct


There's been quite a bit of comms on Twitter, LinkedIn, and blogs about 'what constitutes basics in DFIR'. There are a lot of things to break down in this question, and I hope to see more conversations about it.

Harlan Carvey posted an important question (http://windowsir.blogspot.com/2018/11/basic-skillz.html) asking for opinions on what should be the basic skills in DF, which prompted quite a few comments and blog posts.

Following up on Harlan's post, I wrote this one (https://www.dfir.training/dfir-training-categories-k2/item/164-wax-on-wax-off) to talk about basic skills in DF/IR, as in, the skills needed to perform at a basic, but competent, level.

But I think breaking apart "basic" is the first step in this conversation. By breaking apart, I mean that we have basic skills and basic knowledge to discuss.

  • Basic skills are those competencies specific to a job or task.

  • Basic knowledge is that information or


Following up on the DFIR Basic Skillz conversation (http://windowsir.blogspot.com/2018/11/basic-skillz-pt-ii.html) and post (https://www.dfir.training/dfir-training-categories-k2/item/164-wax-on-wax-off), I want to drill down deeper into the basics. First, let me define basics as I refer to the term in this post.

Basics = foundation, fundamental, starting point

(SWGDE defines this topic as "awareness..designed to provide the student with a general knowledge of the major elements...")

To make this short and sweet, I believe that any attempt to create a basic core competence for a specific job in DFIR is way beyond problematic; it may be impractical. Far too many specific jobs have varying degrees of skill levels required in a basic sense, and different skills are needed in some jobs but not in others. To be accurate, every single job title would need to have its own basic foundation determined individually. Think about the varying degrees of responsibility and job titles in

Read more

Some great discussions on Twitter and LinkedIn this week about the basics of DFIR. Harlan Carvey’s short but poignant post brought up this important topic: “Basic Skillz”.

“...what constitutes "basic skills" in digital forensics?” – Harlan Carvey

As to my opinion, basic skills in DFIR are those skills that are common across the broad spectrum of the DFIR field. Or put another way, all the things that everyone in DF and IR should know as a foundation. Basics like imaging a drive or memory acquisition. Knowing the components of a basic computer. Or basic network protocols. Or operating systems, file systems, data carving, and evidence protocols. These are the things that we should all know through training, experience, or formal education. Many of the basic skills are very basic to some. As an example, evidence control for experienced police officers is a no-brainer. Building a standard computer for

Read more

Advertising!

Hang on a second before assuming that DFIR Training will be going all ‘pop up crazy’ and inundate you with Adobe Flash, signups, opt ins and opt outs, and embedding spammy links everywhere. None of that is going to happen.

And don’t think that anyone will ever be charged to view anything on www.dfir.training . Everything that has been free, will still be free, and nothing will be put on www.dfir.training that requires paying anything for access. No change whatsoever.

The advertising will be things that you may really want to see. Like more event listings and extensive event listing details. And company listings. And featured tools and featured events. You’ll not see anything that detracts from the Website and only see that which probably interests you, like the same things you are seeing now. Software listings, hardware listings, and RSS feeds that are updated every

Read more

Here is the challenge that I continually give myself: Create a project that benefits the DFIR community and won’t require much effort (on the part of the community) but will contribute to the community by generating positive conversations and sharing.

TL/DR (too long, didn’t read)

The project: Give away DFIR books. Lots of them.

If you want to be in the drawing, sign up here: http://social.dfir.training/groups/viewgroup/3-dfir-book-giveaways

The details

This challenge goes way beyond just giving away books. There is no secret motive behind the books or the challenge. Simply, I am going to review all of the books in detail. I will be putting the reviews on Amazon, https://www.dfir.training , www.patreon.com/dfirtraining , and anywhere else I can that will make a difference to someone looking for information on the books. I’ll be making video reviews of the books too and demonstrating some of the exercises and topics. Then

Read more

I am certainly not a founder in the field of forensics, and didn’t really get into it until the ball was already rolling forward. However, I will say that I am a proud member of the Floppy disc imaging with Safeback club and its sister club Looking in disks using Norton Disk Editor

Besides the technology advances, which are to be expected, the most incredible change that I have seen is the wealth of resources available today that never existed until recent years. If you can imagine searching online for ‘forensic software’ in 1999 compared to today, you can see the vast difference in the resources we have available today.

At times, it feels like I will never be able to keep up. First, there is the sheer amount of resources that come online all the time. New blogs, forums, websites. Then there is the new

Read more

I had a neat opportunity to speak on The Many Hats Club podcast this week. Thanks to @cybersecstu for the invite!

One point that I brought up in the podcast, which I know is going to rub someone the wrong way is that ‘you are not really doing forensics if it is not a legal case’.

What I mean by this is that if someone works in DFIR (as in anywhere in the field of DFIR), and the work they are doing has absolutely nothing to do with a legal matter, or potential legal matter, and will never see a legal complaint regardless of what is found in the data, then it isn’t really forensic work. Before the darts come at me, hang on a second and hear me out…

Definitions matter

“Forensics” generally is meant to apply to “legal”.

On top

Read more

Take a look. There’s something new happening.

First things first: What’s Patreon?

Patreon is a way that you can support DFIR Training and at the same time, get some real benefits. With support, DFIR Training (the website and Patreon page) will be able to grow and try to reach the expectations I want. By try, I mean that I have high expectations with what I want to do with both the DFIR Training website and Patreon.

Next thing. Support = donations.

By supporting the DFIR Training website and Patreon page, I mean that donations are needed. The website is free to access everything on it, and will always be free. Nothing will ever be behind a paywall. However, to help it grow to way more than it is, I need support. Your support means that I can dedicate more time outside of my regular time to give more content

Read more

In searching for DFIR tools over the years, I have found lots of “Top 10” lists. I feel that there can be a few improvements made with many of these lists. Here are some pointers on what to look for when looking for the “best DFIR tools”, which is what I look for.

List Purpose

Any list with a “Top Ten” without an accompanying specific purpose is not as useful as a list that is specific. “Top 10 Registry Forensics Tools” is much better than “Top Ten Forensic Tools”. A generic list is practically useless if you are looking for something specific to accomplish a specific task. I’ve also seen lists with information so incorrect that the writer could not possibly have tried the tool chosen as a “top 10”, alongside tools that were clearly inappropriate to the list.

Software Licensing

Even more specific, and just as important, is

Read more

If you didn’t catch Jessica Hyde on RallySecurity this week, you really should take a look. Not just to hear Jessica speak, but to catch the nuance that those who are not in “DF” might not really understand the intricacies of the work, even as they may be intimate specialists in the “IR”. Pretty much everyone on RallySec is an extreme expert, and it is cool to see the areas in which each person overtly has expertise.

Watch Forensics with Jessica Hyde | RallySec Live! EP93 from rallysecurity on www.twitch.tv

Personally, I am a Digital Forensic person who has enough Incident Response training and experience to know that I am first and foremost, a digital forensics person. That means I know where my boundaries of knowledge reside. My respect goes out

Read more

I've not yet had the pleasure to meet David Cowen, but certainly look forward to that day to give him a hug. He has consistently created great DFIR content over the years and his latest video productions of a Forensic Lunch Test Kitchen is another win for everyone.

If you have not seen the Forensic Lunch Test Kitchen, I highly recommend it, not just for the topic, but also for the subtle clues you can learn from observing critical thinking in action. I am a big fan of figuring things out on your own, a huge supporter of learning how others do it (so that I can improve what I do), and of seeing how someone else processes information to make decisions, which is almost always different than how I would have done it. Not that one way is

Read more

Just some thoughts on “vendor” marketing.

In just about every DFIR email list, social media thread, or forum, there is the sporadic appearance of a vendor who mentions their software in response to a problem someone has, and within seconds of the vendor response, the vendor gets bashed for simply saying, "Hey, maybe my software can help."

I totally get it. I don’t know anyone who wants sales people knocking on their front door, trying to sell something that they didn’t ask for in the first place.  Doesn’t matter if it is encyclopedia sales or vacuum cleaner sales, unsolicited sales can be annoying.

The conferences

Anyone who has been to even one major tech conference quickly learns that if you let a vendor scan your badge in return for a free pen or toy, you will probably have emails sent to you for years by that vendor. The cost

Read more

I want to expand a little on David Cowen’s Daily Blog #442: Anti Forensic Tools in the Wild, in regards to terminology I prefer to use.

Like David said, we encounter data wiping in cases on occasion, sometimes on many occasions. Specifically, I mean the cases where the suspect/custodian has intentionally wiped files to prevent recovery by folks like us. Sometimes it works. Sometimes it doesn’t. 

When I state in a report or give testimony that someone used anti/counter forensic software, I explain that the person intentionally used software (or hardware) in a manner to thwart forensic recovery or obstruct the investigation and analysis. I am specific when calling out “anti” or “counter” forensics activity, based on several factors.

Name of the software

One of the factors is the name of the software used to wipe the data. Dave’s list has a few good ones. “Evidence Eliminator” is a

Read more

Digital Corpora was updated with some new forensic test images! The list of forensic test images on https://www.dfir.training/resources/references/test-images-and-challenges/test-images-and-challenges/all is a very popular page as it links to multiple TERABYTES of forensic test images. So, when a new test image is added, it is quite exciting to start downloading to test your tools or use in a class, or just for plain practice.


This new set of forensic images include: cell phones, tablets, hard drives, and packet dumps!  And it's not just random images of devices as they are all based on a scenario.  Just as neat....you can download a teacher's guide with the images. How cool is that?

"The scenario was created during the summer of 2012 as part of a joint collaboration between the U.S. Naval Postgraduate School and the U.S. Military Academy at West Point." - http://digitalcorpora.org/corpora/scenarios/national-gallery-dc-2012-attack


The availability of

Read more

Some DFIR tools are terrible…if not used correctly.

I saw an engaging discussion online about tool choices that inspired this post about tools. I particularly enjoyed how someone gave an example of how tools get recommended. I changed the example a little, but the more I look at it, the more I can remember this happening all the time:

Person 1: What tool can I use for “X”?

Person 2: Use this one.

Person 3: No, this one is better.

Person 4: But I like this other one better.

Person 5: That one sucks. Use this one instead.

Person 6: Why don’t you write your own tool?

Person 7: What’s wrong with my tool?

Person 1: Uh...thx?

This is great advice if:

-The question included specific details of the issue to be solved, and

-The tool(s) recommended can do the task, and

-The user knows how to use the tool.

Read more

Few clichés are more worn out than the tired “think outside the box”. I still say it, but when I do, I say it to literally mean do not conduct an analysis solely within the physical box (the computer itself). Remember, everything that happens with data has happened because a person or persons made it happen. People do not live in a box. They live and operate in the outside world.

People are behind actions .

Every bit of evidence you find has a reason to be there. Someone made it happen. There was a thought, a plan, an intention, and an action to make it happen. For evidence that should exist but does not exist, this lack of evidence carries the same weight since it takes someone to make it appear as if it did not happen.

Sometimes your job requires fixing a problem (such as a breach)

Read more

The new-peer-review-no-name-yet task force is chipping away at the proposal of a new (but extremely different) peer review process for DFIR research, spearheaded by Jessica Hyde.

I’ve gotten a few private messages that teeter on the edge of complaints about even talking about creating a new process of peer review, but each worry has been put to rest after clarifying what we are working to come up with.

Here are some of the things I want to clarify:

  1. We have no name for the new peer review process but use practically anything right now (DFIR Review. Rapid Review. Etc..). The name is the least important thing in the process to create a process, imho.
  2. This new peer review process has absolutely nothing to do with academic publishing . It doesn’t compete with it, attempt to replace it, or attempt to supplement it. Nada. No relation at all.
  3. This new
Read more

What a time to be in the field of DFIR! If you have been doing this work since the days of the floppy, you surely must be as excited as me. If you are just entering the field, you will see even more advancements in the future than your predecessors have.

But let’s get on with one of the most important topics that is making our skill levels advance more than anything else has ever done before: Instant documentation and sharing.

Many in the field have written (and keep writing!) about the importance of sharing and documentation. Without getting into ethical questions in the field about sharing special discoveries, I want to talk about sharing generically, but specifically in the physical manner of sharing.

“One of the biggest issues in our industry is the dearth of documentation.” - H. Carvey (@keydet89), July 2, https://twitter.com/keydet89/status/1013757497570615297

Read more

What started as a question on twitter, turned into a poll and twitter discussion, has begun to evolve into something interesting: The “ Rapid Peer Review ”.

I’ve had quite a few DMs and emails with several people over the past week on peer reviews in the DFIR world to discuss this topic.

In short, academic reviews take too long to publish and are of limited practical value for practitioners. We need a better system.

During these discussions, Jessica Hyde coined the “RAPID PEER REVIEW” name, so I’m sticking with that.

Since this idea is evolving, here are some of the ideas being discussed, all subject to change:

*  Process should take 30 days or less to be considered Peer-reviewed or rejected

*  Previously peer-reviewed work (as seen in a published journal) would be ineligible

*  Previously written work that has been cited or referenced may be judged as already

Read more

I have posted on this a few times, as well as commented on Twitter, but the short answer is: "We don't peer review because it is too much work and too much time spent with no real personal benefit."  Our jobs are not publishing, but actually practicing the trade of DFIR. 

Now I see another reason why DFIR researchers may not be publishing their work via the 'academic journals'. 

I feel that DFIR has been doing it right all along. Practitioners work. They find something interesting. They blog about it. Then everyone else takes advantage of their discovery. And when it's really good, the practitioner writes up a Word doc, PDFs it, and uploads to

Read more

Here is a brief list of reasons why I think DFIRers blog their research rather than formally publish it through a peer review process.

--Blogging is:

     ---faster (minutes to type up and post),

     ---easier (click “post”),

     ---written for the practitioner (“this is how you do it”),

     ---putting out perishable information before it spoils (“applies to the current OS today”).

--Peer review is:

     ---slower (months or years),

     ---more difficult process (lots of steps and hurdles),

     ---written academically (“for the love of all that is good and holy, get to the point!”),

     ---might be outdated by publishing date (“well, no one uses this OS anymore, but when they did…”).

Neither method results in direct financial gain for the work done. The time spent will not equal the money received, if any money is received. No fame either…

I’m not going to get into the

Read more

Following up on a forensic artifact project database idea , the end result is that the idea is dead before it started.

The Twitter poll (one of the most unscientific, but easiest polls to do) didn’t show a lot of promise. Also, there were a LOT of DMs and email discussions. Thanks to everyone giving me their thoughts.

Here are the main points that I received, summarized in three statements:

-Publishing research must be in academia (journals)

-Publishing research must be in books (publishers)

-We don’t need project management in research

On top of these points, the fear of a lack of contributors holds me back. According to the Twitter poll, less than

Read more

A weekend Twitter thread about the lack of citable, peer-reviewed DFIR research prompted me to volunteer to host a project management website (a sub-domain of dfir.training). I think the need is real for reasons mentioned on the Twitter thread, but whether or not it can work is altogether a different matter.

From what I have seen, peer reviewed DFIR research generally lives within journals and books, or within the walls of academia. Either the research is not freely available, or it is not easily found within the walls and halls of educational institutions. Research is blogged about, presented at conferences, and uploaded to the Internet via any number of websites, with much of this work not being peer reviewed. There is too much great effort that is never formally published, for which the researcher deserves to (1) receive formal recognition and (2) be formally peer-reviewed by the community

Read more

I was speaking to someone at Infosec Europe last week about ‘getting into this field of infosec’.  I kept answering all questions with the same answer of telling the guy to get started and do something.  But the future DFIR’r kept telling me about all the training and schooling that he had completed, the training and schooling that he is planning to do, and what to do next. I was quite impressed with how much training already done, including earning a degree and having taken a dozen vendor courses.  I was disappointed in how much more he was planning to do before ever starting work in the field that he has spent years in learning, but not doing.

In short, I told him to stop his training and education right now and make this conference his last until he puts to work what he has learned so far.

He was

Read more

Like many others working in DFIR, I occasionally get asked questions on how to get a job in DFIR. By DFIR, I mean the overall field of digital forensics/incident response/electronic discovery. Sometimes, the questions are loosely asked as if it is easy to get in by someone who thinks they are 'good with computers'. Other times, I am asked by those with computer science graduate degrees and tons of computer experience. The range is quite wide. I am certain that anyone and everyone looking to make a break into DFIR has already Googled it, found a lot of blog posts, and is still having a difficult time getting in the door. That is just the way it is. Employers feel like they can't find anyone and everyone feels like they can't find an employer to hire them.

I have blogged about this before, and I'm writing again because this is

Read more

I am starting a monthly newsletter to supplement the existing newsletters that many other DFIR contributors are creating.   I intend to make the newsletter different enough to justify having one email a month in your inbox; actually, I intend to create an awesome monthly newsletter.

I initially expected to give this a shot for a month or so and then see if the signups would justify the effort to create a newsletter. MailChimp has a ‘forever free’ plan that looks to fit what I’m looking for, so to test the water for interest, MailChimp it is. However, after just a week, the signups are reaching the limit of the free plan. No biggie, as this is a pleasant surprise to see the interest. The first newsletter won’t come out until June, but you can sign up now so that you don’t miss it.


Read more

#1 Reason

It has a lot of DFIR stuff

#2 Reason

It really has a lot of DFIR stuff

#3 Reason

Even more DFIR stuff is coming!

I checked the stats for dfir.training for the months of April 2016, April 2017, and April 2018 to get a gauge on what pages are most popular, where most visitors are coming from, and areas to focus on content (based on the pages and page behavior flow).  What I found is that the stats have dramatically increased since April 2016, particularly toward the end of 2017 (The stats do not include bot traffic, which would unnaturally inflate the hits). My conclusion is that so far, everything seems to be in order since the number of visits and hits are higher than ever before.

Even though the visit rate is high, I am still planning to add more content (new stuff!) that I have

Read more

I visited a DFIR shop and as I was leaving, I asked one of the most experienced examiners in the shop, “Hey, how do you like *x* tool’s new functions?” and the answer was “Never heard of *x* tool.” For me, I use *x* tool often and assumed that everyone else does, or at least knows about it. I was wrong. (I am not naming the *x*, but it can apply to any tool you use). If you don’t know that a tool exists, you are not going to use it.

The DFIR.training tool database

My opinion is that looking for a DFIR tool that does a specific thing that you need for a specific analysis is either easy or impossible, depending on how you look at it.  If you only use the major name brands, you have an easy choice (because you only want to

Read more

Last week, while tech editing/reviewing a chapter in a book that I believe is destined to be one of the most widely used books in digital forensics, I read a short but important point: ‘know what you want to do before you start’ (paraphrased), along with an example of making this point.  Perhaps this simple suggestion in forensic work is way understated.

Years ago, when I started getting into ‘computer’ forensics, information resources were slim, training practically non-existent, and the tools few and far between, leaving little choice in what to use, so looking for evidence was pretty much a fishing trip in data. For the training courses

Read more

 We have decision-making in every aspect and at every step of a forensic analysis.  When we find something important, such as a user created file, we have decisions to make as to what to do next.  We follow the clues in order to determine what happened on the machine. 

“What ‘bad’ things happened?”
“When did the bad things happen?”
“How did the bad things happen?”
“Who did the bad things?”

For the most part, we had it easier back in the early days of forensics.  If evidence was found on the hard drive, then it was the person who possessed the computer that was the suspect.  At a certain point in time, physical control of computers did not necessarily mean that the possessor of the computer was the suspect.  Remote access via any number of methods (pick your method of installing malware) meant that not only do you know how

Read more

When you work with a lot of forensic tools, there is never a single “that time of year” to renew your annual maintenance fees as it feels like “that time of year” is every month.   Mind you, I’m not complaining one bit, but I did have a conversation today over coffee about the cost of forensic software and listened to a lot of complaints about the cost of the DFIR business with my fellow DFIR buds.

Most of the complaints stemmed from the high initial cost of software, with hardware complaints taking a close second place, and the maintenance fees a distant third place. Interestingly enough, we each knew the current going rates for just about everything because when you have to write big checks*…you tend to remember how much the checks were written for…

Some of the complaining I heard was summed up with:

  • “…they don’t even put it
Read more

I updated the dfir.training RSS feeds and in doing so, discovered what I liked and didn't like about DFIR blogs (including the dfir.training blog...).  It was a learning experience and here are the top 5 ways that will make your blog lonely on the Internet.

1.  Don’t post anything for months (better yet, make it years).

I noticed that many blogs aren’t updated for months or even years. I don’t see folks visiting outdated blogs more than once since the content never changes. That is just the way it is; websites die eventually. Keeping them online is still appreciated since some things in DFIR never change, or need to be revisited.

2.  Don’t allow anyone to put your blog in their RSS feed reader.

Many blogs did not have a RSS feed link on the blog, and if I had to spend more than a few seconds to check

Read more

Today marks the implementation of a DFIR Social Network at DFIR Training. Give it a try and sign up. I would say that it is "like" Facebook or LinkedIn, but then again, you won't receive unsolicited emails, your personal information won't be sold or given away to third parties, your Internet browsing history won't be tracked, and your phone call logs won't be accessed. However, it works similar to Facebook and LinkedIn in that you can follow and be followed, post links, comments, videos, photos, ideas, questions, and create polls. Unlike Facebook and LinkedIn, it's only DFIR, all about DFIR, and nothing else but DFIR. Did I mention it is all about DFIR?

My intention is to connect DFIR practitioners, educators, students, and trainers together in a manner that I believe is more respectful than other social media where you are the product.  The DFIR Social Network

Read more

One of the things that works against us in DFIR is the sheer number of tools available. We have freeware, open source, shareware, commercialware, bundled packages of any combination of these tools, and new tools being written all the time to be posted online in any number of shared hosting sites (GitHub as a major source). Some disappear or are no longer supported, others are untested, and some are law enforcement only. And the type (freeware to commercialware) doesn't even determine if the tool is good, effective, or useful for what you need.

This is not as bad a problem as we had years ago, because back then, when you needed something that did “email”, the choices were few or expensive, or an expensive few to choose from. Today, the issue is having so many to choose from. I’ll take the latter as a better problem

Read more

If you are looking for forensic test images, you have a choice.  You can choose from any of the 2TB of test images linked at https://www.dfir.training/resources/test-images-and-challenges/test-images-and-challenges/all or you can make your own.

Here is my opinion on forensic test images.  Your mileage may vary.

First choice: Make it myself.

If I am teaching a forensic class, I most always create the images myself.  Actually, I only use images that I create myself.  It takes time and effort, but I feel strongly enough about it to do it myself.  The most important reason is that I know what is in my image. I know how it got there. I know what is not there.  And everything about the image is exactly what I wanted.

I have used a publicly available image for a course before, and the result was that students were finding things that I didn’t want them to.  Things

Read more

Working in DFIR, you may find that there are sometimes, many times, or maybe just that one time that a subcontractor is needed outside of your local area.   Either because of time crunches (need it immediately) or lack of resources (client doesn't want to pay for travel?), you really need a local DFIR person.  This is the purpose of the list; find someone local to your matter.    

 The difference with this list compared to other DFIR lists is that everyone on this list is either (1) looking for a DFIR sub or (2) a DFIR sub.  No emails about anything else.  No case questions. No forensic questions. No sales or recruiting for jobs.

To be approved for the list, complete and submit the form .  I'll review the submission and as long as you are a real person (not a bot or spammer), you'll be approved to the list.  Also, to

Read more

I’ve been asked to create a closed e-mail list for sub-contract work with the dfir.training website.  Before I take this on…I created a Twitter poll to get a handle on if it will be worthwhile to enough people.  Please vote, whether or not you are interested (that’s the point of the poll, Yes or No).  Location is irrelevant (purpose is global connections).

Here is the suggestion and how it would work:


  • Closed listserv.
    • Entry by verification of each person/company.  You have to be named by company/name to prevent spam in the email list.  The only emails will be those looking for sub-contractors, such as “looking for someone to image a computer in Austin” or “someone to do forensics in Boise”, etc…
  • Closed directory
    • A simple listing of those wanting to be listed on a closed web page offering sub services, such as: John Doe, Austin Texas, Tel xxx-xxx-xxxx, E-mail [email protected]
Read more

It is not lazy to use keyword lists. In fact, keyword lists can be an effective means to find evidence if and when they are used appropriately. When used haphazardly (ie: without a plan or goal), you will most likely waste time by creating more work than you would have otherwise and not accomplish what you wanted in the first place. With keyword searches, not having a plan or goal and throwing keyword searches at data is a lazy method that results in doing more labor to review the results. Don't do that. We want to make it easier, not harder, to find evidence. By the way, not every case needs keyword searches. It depends on the type of case.

Most digital forensics suites have keyword search capabilities built in.  Simply type a list of keywords or import a text file, click Search , and away you go!
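As an added example (my own illustration for this page, not code from the post or from any forensic suite), here is a small Python check that shows why an unplanned keyword list costs review labor. It runs a keyword list over a constructed, made-up set of extracted text files, flags any keyword that hits in more than half the documents as over-broad, and ranks the remaining documents by how many targeted keywords they match. The corpus, the keyword list, the `SAMPLE_DOCS` paths, and the 50% noise threshold are all assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample "documents", standing in for text extracted from an
# image. The paths and contents are made up for this example, not case data.
SAMPLE_DOCS = {
    "users/jdoe/Documents/notes.txt": "Meeting with Acme Corp about the Q3 contract. Transfer the funds Friday.",
    "users/jdoe/Documents/recipe.txt": "Transfer the dough to a pan. Bake for 30 minutes.",
    "Windows/System32/license.rtf": "This software is licensed, not sold. Transfer of this license is prohibited.",
    "users/jdoe/AppData/mail/inbox.mbox": "From: partner@acme-corp.example\nSubject: wire transfer 45,000 to account 8834-2",
    "users/jdoe/Downloads/readme.txt": "Free download. Transfer the file to your device and enjoy.",
}


def build_patterns(keywords):
    """Compile each keyword as a case-insensitive, whole-word regex so that
    'transfer' does not also match 'transferred' or 'transferable'."""
    return {kw: re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE) for kw in keywords}


def search(keywords, docs):
    """Return {keyword: [(path, hit_count), ...]} listing every document with a hit."""
    patterns = build_patterns(keywords)
    hits = {kw: [] for kw in keywords}
    for path, text in docs.items():
        for kw, pat in patterns.items():
            n = len(pat.findall(text))
            if n:
                hits[kw].append((path, n))
    return hits


def noisy_keywords(hits, doc_count, max_fraction=0.5):
    """Keywords that hit in more than max_fraction of all documents are flagged
    as over-broad: they add review labor without narrowing the search.
    The 0.5 threshold is an assumption for this example; tune it per case."""
    return sorted(kw for kw, h in hits.items() if len(h) / doc_count > max_fraction)


def review_queue(hits, noisy):
    """Documents to review first, ranked by how many distinct targeted
    (non-noisy) keywords each one matched."""
    score = Counter()
    for kw, h in hits.items():
        if kw in noisy:
            continue
        for path, _ in h:
            score[path] += 1
    return [path for path, _ in score.most_common()]


if __name__ == "__main__":
    # An unplanned list: one generic English word plus three case-specific terms.
    keywords = ["transfer", "acme", "wire", "8834-2"]
    hits = search(keywords, SAMPLE_DOCS)
    noisy = noisy_keywords(hits, len(SAMPLE_DOCS))
    for kw in keywords:
        flag = "  <-- over-broad, prune before review" if kw in noisy else ""
        print(f"{kw!r}: {len(hits[kw])} of {len(SAMPLE_DOCS)} documents{flag}")
    print("Review order:", review_queue(hits, noisy))
```

With the constructed corpus, 'transfer' hits every document (a recipe and a software license included) and is flagged, while the three case-specific terms put the mailbox at the top of the review queue. The same check against a real extraction is what tells you, before you open a single hit, which keywords on the list are doing work and which are just generating review labor.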

Read more

DFIR.training has a Craigslist style classified ads section.  Rather than let any DFIR gear (software licenses, hardware, books, etc…) gather dust because you don’t need them, sell them to someone who can put them to good use. 

Or if you are looking for something, post a Wanted Ad .  Someone may have just what you are looking for.

You need to create an account to either post or reply to an ad. You’ll receive no emails from dfir.training, only from parties interested in your ad. The ads are self-expiring and your email address is not shown, but you will receive emails from interested parties only for as long as your ad runs.

As far as money and the shipment of items, dfir.training is totally hands-off. No commissions, no fees, but also no responsibility in ensuring you aren’t getting scammed. However, in the DFIR line of work, it is

Read more

One thing you won’t find in the DFIR world is agreement on which tool is ‘best’. The thing you will find is arguments over which tool different examiners believe to be the best. I’d like to propose that if you find yourself arguing that one tool is better than another, step back a second and take a breather. You may be right, but you might not be right.

Sometimes when we have a personal affection for a specific tool, we want to do everything with it, and when it doesn’t do what we need, we try to force it. We end up working twice as hard and getting half as good an end result, all in the name of forcing our favorite tool to do something that another tool can do better. Worse yet is clinging to a tool long past your

Read more

Working in DFIR is akin to competing in a sports event.   There are winners and losers, but no one dies.  Cases may be lost and PII stolen, but no one is physically killed by a malware attack.  Yes, I know pacemakers can be hacked, but malware isn’t killing the DFIR practitioners when they lose to an attacker.

However, we certainly seem to describe the DFIR field as if we are actually fighting physical battles.  We play “NetWars”, conduct “Tactical Analytics”, run “Red Team Ops”, and take software “Bootcamp” courses.  I’m waiting to see the urban assault leaders course for DFIR…

Which brings me to two things:

1-Basic DFIR techniques

2-Advanced DFIR techniques

Advanced is simply perfecting the basics.  In tactical training (as in, the real-life military or police tactical training), the basics are hammered in with slow, methodical, and rehearsed practice.  Slow

Read more

The dfir.training website is coming along, inch by inch.  I am grateful for the emails (more tools, more directories, more training, more, more, more...).  I am going through each as soon as I can to publish on the website, so be patient if I haven't put up your listing yet.

I have more items to put on the website after I finish up some of the major sections, with the Forensic Artifacts being one of the major sections to work on.  The Forensic Artifact section is light on items, but a few are added every day.  The ones that are added are linked to related artifacts (using "keywords").   The intention is that you can review one artifact and easily review a related artifact by clicking any of the related keywords.   Each artifact listing has:

Description (ie: a definition of the artifact)

Tool listing (the full forensic suites are not listed;

Read more

When my son started playing tennis in middle school, he would blame losses on his equipment (“my racket is the problem. my shoes are the problem.” etc…).  His solution was to have a ‘better’ racket and ‘better’ shoes.  To prove a point that it is not the gear, but the user, we gave him ‘better’ gear.

The result was the same.  He quickly learned that blaming the gear didn’t work.  This is not to say that any tennis racket or any pair of shoes works for any game of tennis, but the point is that blaming the tools isn’t the best way to improve.  But as soon as he realized that technique, tactics, and strategy will win the matches, he improved drastically.  Never did I hear about the ‘racket’ or his ‘shoes’ causing a loss of a match.  Losses were blamed on something he did or did not do, or

Read more


It has only been a brief period of time since I started to manage http://www.dfir.training , so here's to the first few weeks.

Here is what I have learned so far:

  • I found lots of familiar blogs and resources that haven’t been updated in years < sad face >
  • I found lots of new and upcoming blogs and resources with massive potential < happy face >
  • There is more DFIR information scattered on the Internet than you can shake a stick at.
  • Compiling DFIR resources takes time, but is worth it when you need it.

My suggestions to the DFIR crowd:

  • If you have a blog, write something.  Keep writing.  Short or long, we read it.
  • If you don’t have a DFIR blog, consider it.  Seriously. Why not? 
  • Get involved in the community.  You will not regret it.

The DFIR Training website:

I’m designing it the way I like it,

Read more

Out of a dozen different topics to add to the dfir.training website, a directory (or yellow pages...) is one of them.

Here is the importance to you:

Put your DFIR or eDiscovery business in the directory and have more exposure.  (add your listing)

Do you take on sub-contract work? List your business and be found.  Contract work is needed everywhere.

Belong to a DFIR association? Put it in the directory to increase membership exposure.

Do you provide DFIR training or education? Submit your business or school to increase student enrollment.

Some upcoming plans for the directory:

Once there are enough listings to make the directory effective, I will be sending the directory URL to every law firm I have worked with, and some that I have not, with the intention of giving attorneys a place to find an expert quickly and easily.  This

Read more

Greetings!

You may or may not have heard that the ODG (Original DFIR Guy) has passed his website on to me.  I will do my best to maintain the site as intended, so that it remains one of the best resources for those in the DFIR community.  I have made, and will be making, changes to the website.  I expect the changes to be improvements, which I hope to continue improving with new ideas and suggestions.

If there is anything of DFIR value that is not on this website, let me know.  I'll add it.  Stand by as the site continues to develop.  My goal is also to keep the resources agnostic, without advocating for one 'thing' or against another 'thing', whether that 'thing' be a tool, book, or training course.  Reviews, should I eventually do them, will be candid and true to how I feel about the item I reviewed.

So

Read more