What's New (13)
What’s New at DFIR Training?
The website is approaching pure awesomeness. Lots of input, some help as well. Here are a few of the most dynamic changes being made that benefit your work directly.
Connecting the dots
This is the goal: Search for “x” and have connectivity to “y” and “z” that directly relate to your search of “x”. In any professional field, everything is connected to everything. This is the goal of DFIR Training: connect the dots for you. Search for one thing and have everything related to it at your fingertips.
For example, let’s use the Paraben E3: Universal forensic suite as an example in the DFIR Tool database.
The tool’s page shows the (1) basic information of the tool, (2) the direct link to the developer or download, (3) whether free or not, (4) link to training, (5) link to legal case references, (6) type of tool, (7) a brief summary of the tool, and (8) videos about the tool. If I can find publicly available tests of the tool, this will also be listed on the same page!
You can see the end goal is to have everything you need about a tool in one place:
-- training events,
-- court cases and legal references,
-- tool tests, and
-- video demos.
As of now, completing this for every tool will take lots of time, but the wheel has begun to roll: connect the dots, collect the affidavits and court records, and encourage providers to list their tools and events on dfir.training. It will be about a month before I categorize all of the current tools due to the switch from the prior database that I was using.
If you see a tool that needs to be added, please submit it!
Forensic Artifact database example
Let’s take another example using the prefetch artifact.
The artifact listings, like the tool listings, are being populated with information, so you’ll have to be a little patient before the database will always have something that you are looking for. But the intention is to have it like the tools, in that you can get in one place (1) name of artifact, (2) path, (3) operating system, (4) list of forensic tools that can pull the artifact, (5) white papers about the artifact, (6) category, (7) a citable definition for your reports and affidavits, (8) references from blogs, and (9) video tutorials on the artifact.
Again, you can see the point of dfir.training is to tie everything together in a neat package. Need a tool? Search for a tool and have everything you need about it to make a decision as to whether or not to use it based on tool tests, court cases, and function. Researching an artifact? No problem. Citable definitions for your reports or court, tools that can analyze the artifact, and tutorials about the artifact.
If you would like to contribute to the forensic artifacts, you are not only welcome but encouraged! https://www.dfir.training/submit-artifact
Case study released
I have a few new case studies to release on DFIR Training’s Patreon page. With a new subscriber release, here is one of the past case studies, from which you might gain a bit of insight into how others investigate cases, something that could benefit your own cases.
DFIR Subcontracting work
I have seen more than a few DFIR folks being laid off due to COVID-19. Any loss of any job is disheartening, and maybe to help bridge the gap between jobs, if you are looking for work as a contractor, you can submit a listing on dfir.training and I will help get the word out to companies that could use subcontractors.
Any arrangements will be between a company and the subcontractor, and DFIR Training won’t be involved in any agreements or disagreements. Simply submit your information on what you are able to sub (expertise, location, etc...) and maybe have some work to help during this COVID-19 disruption of work.
Any company is also free to submit their business (and/or tool) listings too!
Featured tools, events, and listings
Companies that wish to have more exposure are encouraged to have featured listings. For more information, request a media kit https://www.dfir.training/contact-dfir-training to see the options available.
As of now, you can check for the latest 10 uploads at the resources page ( https://www.dfir.training/resources-dir ). All of the downloads are available through their respective links; for example, tool-testing uploads are associated with the respective tools.
DFIR Training supporters!
This website would not exist if not for the DFIR Training Patreon supporters at https://www.patreon.com/DFIRTraining ! My gratitude goes out to each of them, which is why I give everything that I can to them in the form of ebooks, courses, and podcasts. I am due this month to release a few more courses and podcasts!
CARLOS J MALDONADO
Dan, D-List Super Villain
Hector Antonio Soto
John M Wilson
John Patrick Slattery, Jr
Learn Japanese Kanji
Michael F McGowan
The Crimson CHIM
Tomas M. Castrejon
What a month! It's been busy and some of the projects that were in motion are incomplete and in the process of being completed. This includes this website and courses. But here is the current status of big changes.
One thing about "big" changes is that the labor is immense on the backend but the frontend looks easy...still, I am excited for the changes being made to the DFIR Training website. Many of the upcoming features won't be mentioned until closer to full release of the new features.
A DFIR Training Webinar!
Yuri Gubanov from Belkasoft and I will be doing a webinar together showing off some cool features of Belkasoft. Putting it together now, and already looking neat to show off a forensic tool with updated and cool features. Belkasoft continues to impress.
Uh oh! Another cool giveaway that you do not want to miss!
I am about to get my hands on a DeepSpar Guardonix to give away this month. If you missed your chance last time, you might want to try this time. Here’s the thing about the Guardonix: I will be posting an update soon about a firmware improvement with a unique feature that gives the Guardonix a big edge in imaging compared to any other write blocker. I have been testing the soon-to-be-released firmware for a few weeks now and, in short, it is FASTER. The newly added feature (which I will announce soon) is something that other write blockers do not do. Kudos to DeepSpar!
The giveaway will be free to enter, just like every other giveaway. I have been impressed with DeepSpar for many years and their Guardonix is another product that just surpasses so many other competitors, especially with the current upgrade. I will post the giveaway on the normal social media circuit of Twitter, Facebook, Instagram, and this website.
Two times online
Jessica Hyde and Lee Reiber both asked me on their respective channels, and I had a great time on both talking about the DF/IR field. Thanks to both for the opportunity to speak with you! And if you like the videos, hit the Like button and give both Magnet and Oxygen some love :)
Be sure to read my post on DFIR Review: https://www.dfir.training/dfir-training-blog/you-did-a-dfir-thing-and-wrote-a-blog-post-what-now . In short, DFIR Review is for practitioners, by practitioners. Although we recently started DFIR Review, this is the method of practitioner peer review that will be around a long time, perhaps for as long as we have DF/IR. It has been two years to the month since I wrote a blog post about a new peer review method ( https://www.dfir.training/dfir-training-blog/here-s-a-potential-new-method-in-how-you-can-get-your-research-peer-reviewed ) for practitioners, and now, here we are. The lesson is that any project that you start, help, inspire, or bring to fruition takes time. Even though what happens behind the scenes involves a lot of labor, patience, and a group effort, you can focus on the end result and it will come to pass. Meaning, don't quit any project that you have a passion in finishing, especially if the benefit can impact many!
Check DFIR Review out!
DFIR Training is now a faster website with easier to find information!
Hosting plan – Visits to the site kept overloading the server. The highest month in 2020 has been April, with over 1.0M hits, 900K pages viewed, and 200K unique visitors. The hosting plan has been upgraded with more CPUs and RAM added, so downtime should be less than 1%, if at all.
Databases – The amount of curated information grew out of control! The individual databases (Joomla databases and extensions) didn’t connect with each other, required lots of duplicative effort to link categories together, didn’t correctly search across the databases, and slowed down the website. Now there is one database for everything; however, it is taking time to transfer from the old to the new.
RSS feeds – Multiple requests to put RSS feeds back on the site, so now the frontpage shows feeds that are updated every 10 minutes. A YouTube DFIR feed has also been added.
Tools – The tool listings are there, but I am adding multiple categories to each tool. There are quite a few with only one category that fit multiple categories, so I am getting to each one. The most common request that I had was categorizing the tools as free and paid, which has been added as a filter option to find free tools that do the specific thing that you are looking for.
Artifacts – sadly, this is going to take some time to re-do because of the amount of information to pull over and update. But, it will always be a work in progress regardless of how much I put in it.
Downloads – Easier to find! The Resources link organizes all the downloads and references in one place. Easy to find. Easy to browse. Lots of downloads.
Directories – Associations, schools, and businesses. Still, lots to transfer over, but much easier to find what you are looking for in each category.
Events – Again…moving everything over to make it easier to find what you need in events, courses, conferences, and on-demand training.
Books – Same thing. It is better and easier.
That wraps up the new stuff for now.
I appreciate the content submissions. So far, everything that I have been sent has been uploaded. If you don't see yours listed somewhere, let me know. Maybe I missed your email or the content should be in a different category. All content is free on DFIR Training and will continue to be freely accessible. The intention is to share and be a good source of DF/IR information for you to learn, improve, and do a good job at your job.
Lots of classroom events have been canceled and removed from the calendar because of COVID-19 with the remaining classes being unknown. Until officially canceled, the calendar will keep each class.
However, the virtual online classes category on the calendar has grown in direct response to physical classes being canceled. Until further notice, there is no charge to list virtual events, including webinars, live online classes, and virtual conferences. Send in yours here: https://www.dfir.training/add-your-listing
Search term lists and Regular Expressions
Several lists have been submitted, so check back regularly if you need either search term lists or regex for your cases. Free to submit, free to download, free to use, no EULA required. More will be uploaded as I get to them.
A few courses and another DFIR Case Studies are being added for DFIR Patreon subscribers this month.
One of the courses that will be released is OSINT + Forensics. This is different than the OSINT courses you may find elsewhere. Not better or worse, but different. I’ve been through quite a bit of OSINT training over the past few years (and of course forensics…), but I have not seen an OSINT course specific to forensic analysis. So here it is. A course for the forensic analyst, using OSINT for the analysis and investigation.
Another course is an FTK Imager course. You would think that such an intuitive tool doesn't need any training, but there are some features and workflows that many are not aware of. As far as "exploiting" FTK Imager, I mean that in the sense of maxing out its use for your casework and actually knowing more about a forensic app that you have been using for years but were never really taught much more than using it for imaging.
These courses are only available with a subscription, and the good news is that the subscription is discounted from $125 to $50 until further notice! The promotion is to help you to have documented training that you can provide to your employer as proof of training and put on your credentials for training credit. All my other courses are included in the subscription (Windows Forensic Environment, DFIR Case Study series, and more). You can subscribe here: https://www.patreon.com/DFIRtraining
One of the bonuses for DFIR Training Patreon subscribers is that they get early access to other things too, like getting access to the latest WinFE release weeks before it was public. And downloads of ebooks for some of the courses, like the X-Ways Cheats ebook, WinFE Cheats ebook, and Geolocation Cheats ebook. Just sayin…a pretty good thing :)
About that WinFE...
I am keeping all things "WinFE" at https://winfe.wordpress.com/ . This includes all downloads, guides, manuals, and everything else related to WinFE. The only other location that I will maintain for WinFE is for DFIR Training Patreon subscribers. Patreon is where early releases of WinFE will be posted and later released publicly on the WinFE blog. Also, Patreon subscribers can download the WinFE Cheats ebook for free, as well as take the only WinFE online course created by one of the few developers of WinFE (and download the accompanying slide deck from the course). The only thing you need for WinFE is a Windows OS source; you can build it and use it freely.
I am pulling out a phone this week and will be going through it with Yuri from Belkasoft in the upcoming weeks. The checkm8 incorporation in Belkasoft is so cool that I can’t help but be excited about having the ability to capture iPhone data now, compared to not so long ago, when “excited” was not the best way to describe having to examine an iPhone.
Case Study released
Here is a case study (#5) released in a DFIR Training public playlist. More than a dozen more are available to DFIR Training Patreon subscribers who receive these months earlier. I am a big fan of doing case studies to improve skills and critical thinking.
These case studies show how I generally look at cases done by others. The cases that I choose are those that are publicly available and do not usually have substantial forensic analysis details, but that is also not the point of doing these either. It is the mindset of the investigator that is my target.
Speaking of investigative mindsets, be sure to check out DFIR Training’s latest blog post, “The DFIR Investigative Mindset: Getting out of a rabbit hole”.
There is so much that you can do to prevent falling into investigative traps, but until you can digest a dozen books on the subject, I have a list of tips that I promise will have at least one which will help you in your casework. Most likely, there are several tips that will help get your mind into a good investigative mindset.
Upcoming software reviews
Something of a surprise was being told that my "masks were sold out"... I actually didn't know that I was selling masks, but it was correct that I was, and that I was sold out. I created a few DFIR Training designs for stickers and clothing at https://www.teepublic.com/user/dfirtraining and the vendor added some of the designs to face masks. That is actually pretty cool. The masks are back in stock now with nine different designs/colors. I also got a request to put together something for underwear...but I think I will pass on that one :)
Upcoming DFIR Bookshare Challenge giveaway
The next book has not arrived yet…so I am waiting for it. COVID-19 has interrupted the author’s travels and shipping, but I have been assured that it will arrive for me to review and give away!
And speaking of which, if you wrote a DFIR book within the last ten years or so, and want to be part of the DFIR Bookshare Challenge, send me a message. I WANT TO GIVEAWAY YOUR BOOK! That does not sound too good unless you read what this is all about here: https://www.dfir.training/dfir-training-categories-k2/item/160-free-dfir-books
From my home to yours, I give my optimism for our world will become a better place after this pandemic is controlled. We have grown closer together as a community, with neighbors and with family. I hope you and yours will be well through this time.
Useful updated content from DFIR Training that you can use today
Free online training in the form of webinars, courses, and virtual conferences is listed at https://www.dfir.training/webinars-listings . This list is ever-growing as I find the events posted online. There is no better time to take advantage of online training than now. To give advance warning of "I told you so" after we eventually and surely are back in our offices at some point: anyone who did not take advantage of the freely shared DFIR information during this time will regret it. Those who took advantage will be very happy that they did. Just saying....
There is no cost to list a free event, so if you see one, have one, or know of one, send it to me and I'll add it. All I need is the URL.
Foxton Forensics' Browser History Examiner
You can check out my review of BHE here: https://www.dfir.training/dfir-training-blog/foxton-forensics-browser-history-examiner . If you submitted an entry, I have drawn a winner (Robert Rhyne). For everyone else, stand by for the next giveaway!
If you are short on time, the meat-n-potatoes of the review is that BHE works, it's fast, I like it, and I will be using it. Oh yeah, there is a remote collection ability that you can do with BHE, which fits well in our current world's situation.
But take a look at the review anyway and be sure to check out Foxton Forensics.
Free Downloads at DFIR Training!
Some very useful downloads are being added that can be put to use right away. No registration, no user account, no spam email, no anything needed to download.
First up are the Regular Expression (regex) downloads. The Internet is rife with regex spread out across websites, much like dumping a can of tomato sauce on pizza dough, as in, no order to where everything is! I've made a page, uploaded a few text files, and have been given some as well to upload. One thing about regular expressions is that (1) you can write your own, (2) yours may look different than mine, and (3) some work better than others. With that, if you see a regex already uploaded but yours is different, I encourage you to have it added because, as you know, some work well, some don't work as well, and some tools will work with some patterns or give errors on others. Send me your regex!
The next popular download updates are Keyword Search Lists. These lists are pre-made text files that you can either modify or import directly into your forensic tool for searching. One thing that I have been asked about is OPSEC concerning keyword search lists. Here is my opinion:
(1) It is just a list of words.
(2) A list can be made with an Internet search, like "drug terms", and copied into a text file.
(3) Even if a criminal used the same lists to make sure none of the words were on their computer, it would be virtually impossible for the criminal to selectively wipe every file with every term on the list.
(4) It is impossible to commit crimes without using the terminology used in planning or committing crimes.
The benefit of everyone having access to these lists is that everyone becomes more effective in finding the bad stuff in exams. So, if you have a list, I encourage sharing with the community because a keyword list saves time in searching and creating the same list that everyone else is using. Send me your list! https://www.dfir.training/contact-dfir-training
DFIR Training Events
Classroom events have been canceled worldwide, and this was expected. When checking the DFIR Training event list, be aware that the courses may or may not happen if it is not online, depending upon the safety of having live classes in the near or anticipated future. However, the events will be listed until otherwise confirmed to be canceled or changed. Personally, I would expect at some point that we will be back to attending live training events, but with some changes. Perhaps a drastically reduced limit of attendees, protective masks, no more buffets or snack tables, etc... Or maybe DFIR training remains online. I am curious as to where we end up with training events, both classroom and online.
Did you catch the latest Windows Forensics Environment (WinFE) release?
If not, you can check out the details here: https://brettshavers.com/brett-s-blog/entry/mini-winfe-10-and-winfe-10-updated . Along with Colin Ramsden's WinFE 10 update, where his build is tailored to boot (and image!) ARM devices, the other newest update is the alternative build method using PE Bakery. PE Bakery is an easier method of building WinFE and now includes Colin Ramsden's updated write protect tool using an improved and updated build project with PE Bakery. Curated WinFE build and updates are here: https://winfe.wordpress.com/ . WinFE is free since you build it yourself.
If you want documented training in WinFE, Patreon subscribers at https://www.patreon.com/DFIRTraining have access to the only online WinFE course, the only WinFE course available outside of law enforcement, and the only course created by a founding developer of the WinFE project. Subscribers also get the ebook of the Ultimate Cheats! Windows Forensic Environment and have access to the slide decks used in the course. Better yet, until further notice, subscriptions are over 60% off at $50.
Oh yeah, about that X-Ways Forensics Practitioner's Guide Second Edition.
It took nearly a year to get the publishing rights released, but I finally have it done. Eric Z and I will be working to get the updated X-Ways Forensics book out this year. If you didn't hear, Syngress isn't publishing new editions (or new DFIR books at all!) anymore due to a new business model. After hearing that bad news, I have been asking for the rights back so that we can do a new edition. Now I have it in my hand, figuratively speaking. Be on the lookout for the next edition of the X-Ways Forensics Practitioner's Guide! You can keep up with the progress of the book at: https://xwaysforensics.wordpress.com/
Here's to the second edition!
Your time to shine is now
Given the abrupt move from the physical office to our home offices (whether that be your living room, kitchen, den, garage, or bedroom), many workers of the world were caught completely off guard and unprepared to work from home. Those in the computer field didn't skip a beat. We, especially those in DFIR, have perfected working from anywhere on the planet, including while traveling in the air, on the land, and over the sea. Much of the rest of the world is not as fortunate, and this is where you can shine. First, get your family online, and I don't mean social media. Connect them to the world of video conferencing, in whichever app you see best. And your neighbors. Make sure they have connections to the world and their work. And then businesses. There are businesses that can operate somewhat online but never had the need. Now is the time to help them too.
I am not advocating that you go door-to-door to make this happen. A phone is all that is needed to walk a non-tech person into the video conferencing world. Are your local schools having a difficult time planning for online teaching? You are a pro in this field and if I guess right, you had more than a few video meetings just this past week alone.
So shine and help whoever you can to connect to the world. You might be able to save someone's job. Or someone's business. Or even someone's life. Shine on.
Lots of updates and new content at DFIR Training!
A very cool software review, a new giveaway, updated lists, new downloads, DFIR Case Studies, and even more to come. There is so much going on in the DFIR online world now, since all of us are adjusting to the world's current situation. But to never lose an opportunity: if you have the fortune to be at home to work, take the time to take care of yourself and take advantage of all the opportunities that are being given by those in the DFIR community. From training, reading, podcasts, and blogs, spend time to keep your skills up and learn new skills.
Probably most important is to keep yourself healthy and safe.
One of the neatest things that I have done this week was play around, I mean test Belkasoft's checkm8 feature. My oh my. I ran a half dozen iOS devices through it and every single time was a joy to connect, enter DFU mode, and create an awesome image of each device. Awesome in that getting an image from an iPhone with such ease and completeness is simply too cool and absolutely helpful.
Next week, I will be putting Foxton Forensics' Browser History Examiner through the grinder and write up my thoughts on their tool. To be honest, I've been using it...really like it...but I will write it up for you to read. Be sure to enter the contest to win a license!
Checkm8 and Belkasoft!
I did a dozen runs with Belkasoft’s support of Checkm8. Outstanding work on Belkasoft’s part on supporting the latest iPhone exploit. Very easy to use. Very quick. Very effective. Check out my review for the details at Belkasoft’s Checkm8. After that, check out Belkasoft.
The Great DFIR Tool Giveaway
Submit your entry now for a chance to win Foxton Forensics’ Browser History Examiner. I have an upcoming review, and when the review is posted, I’ll be drawing the winner. Open to all, and the only thing you need to submit is your name and contact information. If you don’t win, you might be contacted by Foxton Forensics to see if you have any questions, but the winner certainly will be contacted for download and licensing instructions. Free to enter. Free to win. But you have to enter for a chance.
DFIR Case Studies
By now you might be looking for things to do around the house…so with that, I am releasing a few DFIR Case Studies that may be of interest. The case studies are publicly available cases where I make personal assumptions on how the case was investigated and how I may or may not have worked the case the same. I have more than a dozen of these at the DFIR Training Patreon page and create a new one every so often when I find (or am informed of) good cases that would work for a DFIR Case Study. Take a look here: https://www.youtube.com/playlist?list=PL9irkLlgx28f9MJbL_ini0p1ZAGsHiKa5
By the way, Patreon subscribers receive proof of DFIR Case Study training with a printable cert of completion. No, I am not certifying anyone for anything with DFIR Case Studies, but I am giving subscribers proof of the time spent learning how to investigate DFIR related cases. Bosses like those pieces of paper, I mean, proof of training. So do courts. And future employers.
DFIR RSS Feeds
To save you some work on building a DFIR RSS feed list, you can download DFIR Training’s feed to import into your reader. Be prepared though…there are a ton of DF/IR feeds!
Download the Ultimate DFIR RSS Feed from the Ultimate List of DFIR Bloggers page and import into your RSS reader. All the hard work has been done for you.
DFIR Bloggers list
Speaking of the Ultimate List of DFIR Bloggers, the entire list has been updated. Unfortunately, some blogs have completely disappeared from the Internet. But fortunately, I found a few new and inspiring bloggers!
If your DFIR blog is not listed, let me know! Seriously. I want to add your blog, but just don’t know about it or I overlooked it.
I received a few lists to upload and created a bunch more, all for the taking (or downloading…). There is no better publicly available keyword list in the galaxy, and I’ll keep adding lists as I get ideas and as I am sent lists (or ideas for lists). Check out the lists here: https://www.dfir.training/popular-lists
What’s a keyword list, if you were wondering? Simply, a text file for a single category that you can import into your forensic or ediscovery application to search for “hits” or “files”. For example, if you have a cocaine case, import the cocaine list to more easily find all references to all things related to cocaine. Same with weapons, or software code, or violence, etc…
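To make the mechanics of the regex downloads and the keyword lists concrete, here is an added example that is not part of the DFIR Training site or its downloads. It builds a small keyword list and a small regex list in the same one-entry-per-line shape, validates every regex before the run (so a pattern that one engine accepts and another rejects is reported rather than crashing the search), then scans a constructed set of text files and reports each hit with file, line number, and matched text. The category names, list contents, file names, and file contents are all constructed for the example.

```python
"""Keyword-list and regex-list hit search over a small constructed corpus."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed keyword list in the shape of a downloadable list: one term
# per line; blank lines and lines starting with '#' are ignored.
KEYWORD_LIST = """
# hypothetical category: financial fraud (constructed for this example)
wire transfer
invoice
shell company
offshore account
"""

# Constructed regex list, one pattern per line. The last line is deliberately
# malformed: lists collected from many sources often carry patterns that one
# engine accepts and another rejects, so every pattern is validated up front.
REGEX_LIST = r"""
# constructed patterns: IBAN-like string, US SSN-like string, IPv4 address
\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b
\b\d{3}-\d{2}-\d{4}\b
\b(?:\d{1,3}\.){3}\d{1,3}\b
(unclosed group
"""

# Constructed "evidence" files: file name -> text content.
SAMPLE_FILES: Dict[str, str] = {
    "notes.txt": "Moved the money via WIRE TRANSFER to an offshore account.\nDinner at 7.",
    "config.ini": "server=10.0.0.5\nuser=analyst",
    "readme.txt": "No invoices here, just the invoice template ID DE89370400440532013000.",
}

Hit = Tuple[str, int, str, str]  # (file, line number, source, matched text)


def load_list(text: str) -> List[str]:
    """Parse a list file: one entry per line, skipping blanks and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def compile_keywords(terms: List[str]) -> Optional["re.Pattern"]:
    """Build one whole-word, case-insensitive alternation from literal terms.

    re.escape keeps terms such as 'a.out' literal; the \\b anchors stop
    'invoice' from matching inside 'invoices'. An empty list yields no
    pattern, because '(?:)' would match the empty string on every line.
    """
    if not terms:
        return None
    alternation = "|".join(re.escape(t) for t in terms)
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)


def compile_regexes(patterns: List[str]) -> Tuple[List["re.Pattern"], List[Tuple[str, str]]]:
    """Compile each pattern; return (usable patterns, [(pattern, error message)])."""
    good, bad = [], []
    for p in patterns:
        try:
            good.append(re.compile(p))
        except re.error as exc:
            bad.append((p, str(exc)))
    return good, bad


def scan_files(files: Dict[str, str], keyword_re: Optional["re.Pattern"],
               regexes: List["re.Pattern"]) -> List[Hit]:
    """Return every keyword and regex hit with file, line number and matched text."""
    hits: List[Hit] = []
    for name, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            if keyword_re is not None:
                for m in keyword_re.finditer(line):
                    hits.append((name, line_no, "keyword", m.group(0)))
            for rx in regexes:
                for m in rx.finditer(line):
                    hits.append((name, line_no, rx.pattern, m.group(0)))
    return hits


def run() -> Tuple[List[Hit], List[Tuple[str, str]]]:
    """Load both lists, validate the regexes, scan the corpus."""
    keyword_re = compile_keywords(load_list(KEYWORD_LIST))
    regexes, rejected = compile_regexes(load_list(REGEX_LIST))
    return scan_files(SAMPLE_FILES, keyword_re, regexes), rejected


if __name__ == "__main__":
    found, rejected = run()
    for pattern, error in rejected:
        print(f"skipped invalid regex {pattern!r}: {error}")
    for name, line_no, source, text in found:
        print(f"{name}:{line_no}  [{source}]  {text}")
```

Run as-is, the script reports one rejected pattern and five hits: the two fraud terms in notes.txt, the single whole-word "invoice" in readme.txt (the plural "invoices" is not a hit), the IBAN-like string in readme.txt, and the IPv4 address in config.ini. The same whole-word and case-insensitive behaviour is what a forensic tool's keyword import typically applies, and the validation step is the check to run on any regex list collected from several sources before pointing it at a case.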
It goes without saying to stay safe, keep your family safe, and take advantage of every situation that comes your way.
The current giveaway: Latent Wireless!
If you missed the review, catch it here: https://www.dfir.training/dfir-training-blog/latent-wireless-review
The long and short of the review and giveaway is that I have a 10-user license to give away to one law enforcement agency (local, state, federal, or military). The reason is that Latent Wireless is practically only useful for law enforcement, but for them, it is not only practical, but awesome! It’s like ‘wardriving for cops’ for locating stolen WiFi devices. I say that it is “like” wardriving because wardriving includes sniffing packets for everything (like content, etc…). Latent Wireless doesn’t do that. It sniffs and filters out everything except the device that is being looked for, like a stolen smartphone or even a WiFi TV. Check out my review for more information and be sure to enter to win! Enter below (drawing is on Feb 28, 2020):
The next software giveaway
The giveaway in March is open to all, and certainly worth it. I will be giving away a license to Foxton Forensics’ Browser History Examiner. I have already been using the Browser History Examiner and will write up my opinion of it in March while also giving away a license. Be sure to check back to enter in March for your chance to win. Much gratitude to Foxton Forensics for donating the license.
The DFIR Bookshare Challenge continues!
I recently caught up some reading and will be giving away Hacking Theology by Marcus Guevara as soon as I write up a review to post on DFIR Training. The entry form will be posted with the review.
The latest book that I am reading and will give away is Applied Incident Response by Steve Anson. This may take me a little longer to finish due to the content being very well detailed. So far, very nice. Potentially, I may post both the books at the same time to make it easier to enter to win the books; depends on how soon I can finish and write up both books.
Side note on the #DFIRBookShareChallenge
The books that I am giving away are the only copies of each title that are (1) signed by the author, (2) have passages personally highlighted for you by the author, and (3) signed by me to give to you, with passages that I chose personally highlighted for you. The winner can either keep the book or read it and pass it on to someone else.
My intention with the DFIR BookShareChallenge is to give you a unique opportunity to engage in the DFIR community by personally being part of the chain of a DFIR book from author to you to another to another. And if you can sign your name and highlight a passage (paragraph or sentence) in the book that was meaningful to you, that book becomes more than a book. Read more of my thoughts about this endeavor here: https://www.dfir.training/dfir-training-categories-k2/item/160-free-dfir-books
I have an updated DFIR Glossary for your perusal. It’s a little different than other online DFIR glossaries or lists that you may find, and I would argue it is a little bit better too. The biggest benefit of this glossary is that the references to the sources are included with the definition. A few more features will be added in time. Also, for some terms, I am including several definitions with each respective source so that you can choose that which may better define your needs.
Since there are multiple variations of definitions, I am open to receiving more. Send a message with the link and I can add it to a definition.
Want to be famous? If you have your own variation of a DFIR term, and it is posted somewhere (like in a book or your blog or a white paper), send it and I’ll add it. There are some vendors who have written great definitions of DFIR terms and those would be welcomed as well.
Finding what you need on DFIR Training
There is quite a bit of stuff on DFIR Training. Downloads, lists, white papers, search warrants, templates, cheat sheets, software, hardware, education, training, books, and more. How do you find what you need?
Use the SEARCH menu. If you don’t see what you need at first glance, you can either browse the site or go straight to the SEARCH menu. I encourage browsing the site because you will find something that you need but didn’t know until you saw it. Otherwise, when time is short, search for it!
2020 Media Kit
The 2020 DFIR Training Media Kit is available to DFIR companies desiring to market their products on dfir.training. Send a message to receive more details and the kit: https://www.dfir.training/contact-dfir-training
There is limited space on the website to not turn DFIR Training into an advertising billboard, and not every company may be approved (sorry..) due to space, relevance to the DFIR community, or other reasons.
The Arsenal Giveaway is complete and Thomas Eesles is the winner! Congrats to Tom!
For everyone else, even if you didn't enter, Arsenal is having a Black Friday Special on their tools. 20% off! All you need is the discount code, which is: DFIRTraining20
Another Black Friday/Cyber Monday Special
On another Black Friday front, DFIR Training's Patreon page is having a Black Friday/Cyber Monday 60% off special for the next 25 subscribers (or until Dec 2, whichever comes first). The regular subscription is $125, but through Dec 2 it's only $50. You get full access to all the courses, podcasts, and ebooks (including upcoming courses and upcoming ebooks). Plus, you will be supporting DFIR Training's website for updated and constant content.
No tools to give away at this moment, but some are planned throughout 2020. I have one DFIR book drawing coming up in December, and will be reaching out to more DFIR book authors to check if they want to jump in the DFIR Book Giveaway Challenge. It's been a while since I gave out any books, so time to get back on it!
More Black Friday Specials!
I would like to list more, but instead of duplicating what someone else is doing, check out https://twitter.com/Infosec_Taylor/status/1199686855362351111 for a thread of cool DFIR Black Friday specials. Nice job, Ashley :)
"Black Friday Deals Thread! The next few days I will be posting any sales I come across on infosec or tech-related stuff that I find interesting. Feel free to contribute! All deals are in no particular order." — Ashley (@Infosec_Taylor) November 27, 2019
Stand by to stand by. Another great forensic software giveaway by Arsenal Recon!
No cost to enter. No cost to win. Arsenal Recon might contact you if you don’t win to see if you have any questions about their tools, or maybe they won’t. If you don’t already have Arsenal’s tools, take a look at what you are missing, and throw your email in the hat for the drawing. https://arsenalrecon.com/products/
The rules: You must answer your email (if you win) on the day of the drawing, NOVEMBER 29, no later than 5pm (Pacific Standard Time). If you don’t answer your email by 5pm, it goes to the runner-up. The runner-up will be happy if you don’t answer, so be sure to check your email. And your spam folder, just in case.
Oh yeah. Just enter your email and name once. No multiple (different) email addresses with different names to increase the odds of winning. The license goes to the name and email entered, so be sure to enter yours correctly.
Drawing is closed.
Halloween special expired
The Halloween special expired this weekend, and the regular subscription is back at $125. Still, at $125, you get access to all the courses and ebooks and podcast and anything else I can throw at you with rewards and neat stuff. Subscribe here: https://www.patreon.com/DFIRTraining
To start, I’ve gone ahead and opened DFIR Training’s forensic artifact database prior to its completion, or even near completion. It is now fully integrated into dfir.training.
I know that the DFIR Training Forensic Artifact Database is not a “wiki”, but I also know that the forensic wiki was rarely updated (by anyone, including users). I plan on updating the artifact database for as long as I work in this field, and probably beyond that time too.
A forensic artifact repository has been talked about for years (one example: https://windowsir.blogspot.com/2008/01/artifact-repositories.html ), and I’ve seen several attempted repositories come and go. Part of the reason that I believe this is a difficult task is that:
-SOOOOO MANY ARTIFACTS
-Difficult to organize as many artifacts can fit in many categories
-They change and may be different based on OS, version of OS, etc…
-Difficult to present in an easy to use manner, as in, click on an artifact to get the information
Here is what you can expect from this database:
-Ever changing (Some ideas won’t work, so they will be removed)
-Ever growing (So much to add! So many new artifacts discovered!)
-Some bugs with the display and layout (it is a work in progress!)
As with everything on DFIR Training, suggestions and complaints are welcome to help make it better. And the database is free, no login or account required.
I would appreciate you taking a few minutes to answer some poll questions about the database here:
Upcoming online course: OSINT + Forensics
A short course will be published this month. It is not strictly an “OSINT” course and not a complete one; it covers only the OSINT that benefits a forensic analysis. Basically, if you do forensic analysis, there are some OSINT tricks that can benefit your examination without going all-out OSINT on non-forensic Internet hunting. Available to DFIR Training subscribers only.
The DFIR Training Social Network Page☹
In brief, the DFIR Training social networking page is going offline. I think the social networking aspect of the page was a good idea, but it turned out not to be what I wanted to do mostly due to time required and the number of online options available (Discord, Slack, forums, etc..). I also was using it to manage giveaways, but it turns out creating an online form is much easier to manage.
There is a new social network, “The Cyber Social Hub”, created by Kevin DeLong, which has some good promise. I joined and plan on spending time poking around soon. Any source of DFIR information and networking is worth taking a look at, to give and share information.
Winner of the Forensic Notes Giveaway
The three winners have been chosen! Justin Bartshe, Matt Bertsch, and Michael Callan each won a 3-year license of Forensic Notes, and I can’t wait to hear how their notetaking opinions are going to change for the better (not that they are doing it wrong, but we can all do better).
DFIR Training Trick or Treat Special
The regular price of $125 is dropping 60% in a Trick or Treat Special that starts on October 31 at 11:59PM and ends on November 7, 2019 at 11:59PM. Limited to only the first 50 subscribers. Current subscribers can drop down to $50 too!
Dozens of hours of training, as much as you want, for as long as you want to subscribe, including ebooks, podcast, and more upcoming courses. And when you complete a course, you get printable proof of completion to document your hours formally.
Tools and new blog
Ian Whiffin both started a new DFIR blog and released several forensic tools worth checking out at https://www.doubleblak.com/index.php .
Why is this notable on DFIR Training? Because if you are not listed on dfir.training like Ian, you should be :)
More events added, with a large group of courses by MSAB scheduled well into 2020.
Another Directory Map
In process is a DFIR business directory map, exactly like the DFIR Association Directory map. Should be done soon. The point of the map is that you will be able to zoom down to where you want to find a local DFIR business (software, hardware, services). If you haven’t seen the DFIR Associations Map, check it out!
DFIR Training Newsletter
Sign up to get the first newsletter coming out soon. This is not your daddy’s DFIR newsletter by the way.
The Official DFIR Training sticker
It’s the best-selling merch item so far that I have, with ‘Digital Forensics is a lot like being a medical examiner, but without the blood’ t-shirt taking up a close second.
The Next DFIR Tool Giveaway….
It’s coming…details being worked out. Stay tuned!
Collected, embedded, sorted, and presented to you for ease of learning DFIR. More videos coming, webinars, and featured videos too. Stay tuned as more get added!
That’s it for this week! But guess what..more coming next week!
Forensic Software License Giveaway
On October 28, 2018, I will be choosing THREE entries to win a 3-year license of Forensic Notes. That means 3 chances to win a 3-year license. This is quite the giveaway, worth the price of entry, which is FREE.
A review of Forensic Notes is upcoming, but to enter now, check out the post here: https://www.dfir.training/dfir-training-blog/forensic-notes-giveaway
New bloggers added! It’s good to see new blogs, and hopefully this will encourage more to write, i.e., share knowledge. Still the most comprehensive DFIR blog list in the galaxy.
DFIR Training Patreon
Patreons at https://www.patreon.com/DFIRtraining heard me talk personally about my path, thoughts, and reasons for me working in DFIR in my latest podcast. https://www.patreon.com/posts/10-10-2019-30663648
A new case study (#13) available to all Patreon subscribers. https://www.patreon.com/posts/case-study-13-30644671
Why become a subscriber to DFIR Training’s Patreon Page?
Speaking of Patreon...
By subscribing, you’ll support DFIR Training’s resource website! And in return, get access to online training courses, a podcast, and other cool things. Courses like
And more courses coming in the next months. The current subscription is $125/month, cancel anytime. Pick back up where you left off anytime.
This is a work in progress. I started it a few weeks ago, didn’t like the way that it was organized, so I’m redoing it. The map will match the directory https://www.dfir.training/directory/associations and you can search and filter the listings to find exactly what you are looking for.
DFIR Training Stickers and shirts!
By popular request, I made a sticker. And then I made some t-shirts. And coffee cups. Take a look at the DFIR Training swag store here https://www.teepublic.com/user/dfirtraining .
I have some shirts on Amazon too at https://www.amazon.com/s?rh=n%3A7141123011%2Cp_4%3ADFIR+Training&ref=w_bl_sl_s_ap_web_7141123011 .
DFIR businesses! Request a media kit before the year is out to get 2020 marketing packages at the 2019 prices :)
And as always, more content added regularly!
All DFIR Training Patreons were given the promotion code for 25% off (basically it gives you the adapter set free as part of the Standard + Pro firmware purchase, which comes out to 25% off).
On that DeepSpar Guardonix…
I’ve been running it over images that I made in cases that had bad sectors, but weren’t bad enough to send off for recovery (mostly due to client budgets). I used reverse imaging (X-Ways), which was helpful at the time, but with the 3 drives that I tried, 2 out of 3 were able to be fully imaged and the 3rd drive recovered more than half of what was skipped prior. That is pretty good for not having a clean room and extensive hard drive repair training, using just a write blocker.
There are 3 more forensic software applications coming up for giveaways, one per month. As I clarify the details for each giveaway, I’ll be posting about them as well as testing them myself. I also will be getting back to some book giveaways as I’ll have time on a half dozen flights to finish reading them.
More events have been added to the calendar. https://www.dfir.training/calendar . Get your event listed or featured on DFIR Training here: https://www.dfir.training/add-your-listing (conferences are listed free!).
Updated list of DFIR podcasts. There’s a lot. A whole lot. https://www.dfir.training/resources/dfir-social/dfir-podcasts . Some are no longer being updated, but the archives hold some really good content. Did I miss your podcast? Guess what..let me know and I’ll add it: https://www.dfir.training/contact-dfir-training
More content planned :)
DFIR Training Podcast
New podcast uploaded for Patreon subscribers, where I talked about some recent news, a software test that I am doing with Dan Mares, DeepSpar and the giveaway and 25% promotion code, and a few other things.
DFIR Training has a new logo. Probably will be a sticker soon...actually, going to be a sticker soon.
Thanks to all for your input!
DeepSpar Guardonix Giveaway
Updates on the DeepSpar Guardonix giveaway. If you entered, be sure to check your email on Sept 15. I'll give the winner until Sept 16 to respond, but if there is no response, the Guardonix goes to the runner-up. Runners-up love it when the winner misses out. Don't miss out!
As to how I pick the winners for the giveaways...I let the Internet do it. Specifically, every entry (your email) is on a spreadsheet and is numbered in order (1, 2, 3, etc...). If I have 300 entries, I let Google pick a number between 1 and 300. That's the winner. I do it again if the winner doesn't respond. Your email is not put online to randomly pick it, only your number on the spreadsheet. You'll also get one, and only one, email from me for the entry to let you know whether you won or didn't win.
DeepSpar Guardonix Promotion Code - 25% off
I have a promotion code to give out on Sept 15 for 25% off the DeepSpar Guardonix (Professional Edition with adapters). This comes to about $250 off from a tad more than $1000 purchase for the set. The promotion code is for Patreon subscribers only, but if you were looking to purchase the Guardonix, you could join Patreon for just one month to get the discount and still come out $125 ahead. Plus, you'd get access to the courses, podcasts, ebook downloads, and everything else during that time. Just sayin... https://www.patreon.com/DFIRtraining
New Courses at DFIR Training via Patreon
I am working on finishing an OSINT & Forensics online course this month. This is a shorter version of any OSINT course you can find online, as it is specific to applying OSINT in a forensic analysis. Not everyone is tracking criminals across the Internet, but those working a forensic analysis can use some of the techniques to help in analysis.
The current Placing the Suspect Behind the Keyboard course is being completely revamped. This will be an Instructor-Trainer course, which will include downloadable materials (images, data, lesson plans, slidedecks, quizzes) that you can use to teach internally at your organization or university forensics program. Basically, you'll have everything to teach the course in a turn-key solution. Patreon subscribers only.
Forensic Artifact Database
Now that I have help with the DFIR Training website content, the forensic artifact database will be getting populated faster than before. Still, it is early access for Patreon subscribers only, but will be open publicly when it is at least twice as populated with artifacts as it is now. This may take a month or so, but eventually it will be open.