A very cool software review, a new giveaway, updated lists, new downloads, DFIR Case Studies, and even more to come. There is so much going on in the DFIR online world now since all of us are adjusting to the world's current situation. But to never lose an opportunity, if you have the fortune to be at home to work, take the time to take care of yourself and take advantage of all the opportunities that are being given by those in the DFIR community. From training, reading, podcasts, and blogs, spend time to keep your skills up and learn new skills.
Probably most important is to keep yourself healthy and safe.
One of the neatest things that I have done this week was play around, I mean test Belkasoft's checkm8 feature. My oh my. I ran a half dozen iOS devices through it and every single time was a joy to connect, enter DFU mode, and create an awesome image of each device. Awesome in that getting an image from an iPhone with such ease and completeness is simply too cool and absolutely helpful.
Next week, I will be putting Foxton Forensics' Browser History Examiner through the grinder and writing up my thoughts on their tool. To be honest, I've been using it...really like it...but will be writing it up for you to read. Be sure to enter the contest to win a license!
I did a dozen runs with Belkasoft’s support of Checkm8. Outstanding work on Belkasoft’s part on supporting the latest iPhone exploit. Very easy to use. Very quick. Very effective. Check out my review for the details at Belkasoft’s Checkm8. After that, check out Belkasoft.
The Great DFIR Tool Giveaway
Submit your entry now for a chance to win Foxton Forensics’ Browser History Examiner. I have an upcoming review and when the review is posted, I’ll be drawing the winner. Open to all and the only thing you need to submit is your name and contact information. If you don’t win, you might be contacted by Foxton Forensics to see if you have any questions, but the winner certainly will be contacted for download and licensing instructions. Free to enter. Free to win. But you have to enter for a chance.
By now you might be looking for things to do around the house…so with that, I am releasing a few DFIR Case Studies that may be of interest. The case studies are publicly available cases where I make personal assumptions on how the case was investigated and how I may or may not have worked the case the same. I have more than a dozen of these at the DFIR Training Patreon page and create a new one every so often when I find (or am informed of) good cases that would work for a DFIR Case Study. Take a look here: https://www.youtube.com/playlist?list=PL9irkLlgx28f9MJbL_ini0p1ZAGsHiKa5.
By the way, Patreon subscribers receive proof of DFIR Case Study training with a printable cert of completion. No, I am not certifying anyone for anything with DFIR Case Studies, but I am giving subscribers proof of the time spent learning how to investigate DFIR related cases. Bosses like those pieces of paper, I mean, proof of training. So do courts. And future employers.
To save you some work on building a DFIR RSS feed list, you can download DFIR Training’s feed to import into your reader. Be prepared tho…there are a ton of DF/IR feeds.
Download the Ultimate DFIR RSS Feed from the Ultimate List of DFIR Bloggers page and import into your RSS reader. All the hard work has been done for you.
Speaking of the Ultimate List of DFIR Bloggers, the entire list has been updated. Unfortunately, some blogs have completely disappeared from the Internet. But fortunately, I found a few new and inspiring bloggers!
If your DFIR blog is not listed, let me know! Seriously. I want to add your blog, but just don’t know about it or I overlooked it.
I received a few lists to upload and created a bunch more, all for the taking (or downloading…). There is no better publicly available keyword list in the galaxy and I’ll keep adding lists as I get ideas and as I am sent lists (or ideas for lists). Check out the lists here: https://www.dfir.training/popular-lists
What’s a keyword list, if you were wondering..? Simply a text file, with a single category, that you can import into your forensic or ediscovery application to search for “hits” or “files”. For example, if you have a cocaine case, import the cocaine list to more easily find all references to all things related to cocaine. Same with weapons, or software code, or violence, etc…
It goes without saying to stay safe, keep your family safe, and take advantage of every situation that comes your way.
The current giveaway: Latent Wireless!
If you missed the review, catch it here: https://www.dfir.training/dfir-training-blog/latent-wireless-review
The long and short of the review and giveaway is that I have 10-user licenses to give away to one law enforcement agency (local, state, federal, or military). The reason is that Latent Wireless is practically only useful for law enforcement, but at that, it is not only practical, but awesome! It’s like ‘wardriving for cops’ for locating stolen WiFi devices. I say that it is “like” wardriving because wardriving includes sniffing packets for everything (like content, etc…). Latent Wireless doesn’t do that. It sniffs and filters out everything except the device that is being looked for, like a stolen smartphone or even WiFi TV. Check out my review for more information and be sure to enter to win! Enter below (drawing is on Feb 28, 2020):
The next software giveaway
The giveaway in March is open to all, and certainly worth it. I will be giving away a license to Foxton Forensics’ Browser History Examiner. I have already been using the Browser History Examiner and will write up my opinion of it in March while also giving away a license. Be sure to check back to enter in March for your chance to win. Much gratis to Foxton Forensics for donating the license.
The DFIR Bookshare Challenge continues!
I recently caught up on some reading and will be giving away Hacking Theology by Marcus Guevara as soon as I write up a review to post on DFIR Training. The entry form will be posted with the review.
The latest book that I am reading and will give away is Applied Incident Response by Steve Anson. This may take me a little longer to finish due to the content being very well detailed. So far, very nice. Potentially, I may post both the books at the same time to make it easier to enter to win the books; depends on how soon I can finish and write up both books.
Side note on the #DFIRBookShareChallenge
The books that I am giving away are the only copies of each title that are (1) signed by the author, (2) have passages personally highlighted for you by the author, and (3) signed by me to give to you with personally highlighted passages for you that I chose. The winner can either keep the book or read and pass it on to someone else.
My intention with the DFIR BookShareChallenge is to give you a unique opportunity to engage in the DFIR community by personally being part of the chain of a DFIR book from author to you to another to another. And if you can sign your name and highlight a passage (paragraph or sentence) in the book that was meaningful to you, that book becomes more than a book. Read more of my thoughts about this endeavor here: https://www.dfir.training/dfir-training-categories-k2/item/160-free-dfir-books
I have an updated DFIR Glossary for your perusal. It’s a little different than other online DFIR glossaries or lists that you may find, and I would argue it is a little bit better too. The biggest benefit of this glossary is that the references to the sources are included with the definition. A few more features will be added in time. Also, for some terms, I am including several definitions with each respective source so that you can choose that which may better define your needs.
Since there are multiple variations of definitions, I am open to receiving more. Send a message with the link and I can add it to a definition.
Want to be famous? If you have your own variation of a DFIR term, and it is posted somewhere (like in a book or your blog or a white paper), send it and I’ll add it. There are some vendors who have written great definitions of DFIR terms and those would be welcomed as well.
Finding what you need on DFIR Training
There is quite a bit of stuff on DFIR Training. Downloads, lists, white papers, search warrants, templates, cheat sheets, software, hardware, education, training, books, and more. How do you find what you need?
Use the SEARCH menu. If you don’t see what you need at first glance, you can either browse the site or go straight to the SEARCH menu. I encourage browsing the site because you will find something that you need but didn’t know until you saw it. Otherwise, when time is short, search for it.
2020 Media Kit
The 2020 DFIR Training Media Kit is available to DFIR companies desiring to market their products on dfir.training. Send a message to receive more details and the kit: https://www.dfir.training/contact-dfir-training
There is limited space on the website to not turn DFIR Training into an advertising billboard, and not every company may be approved (sorry..) due to space, relevance to the DFIR community, or other reasons.
The Arsenal Giveaway is complete and Thomas Eesles is the winner! Congrats to Tom!
For everyone else, even if you didn't enter, Arsenal is having a Black Friday Special on their tools. 20% off! All you need is the discount code, which is: DFIRTraining20
Another Black Friday/Cyber Monday Special
On another Black Friday front, DFIR Training's Patreon page is having a Black Friday/Cyber Monday, 60% off special for the next 25 subscribers (or Dec 2, whichever comes first). Regular subscription is $125, but through Dec 2, it's only $50. You get full access to all the courses, podcasts, and ebooks (including upcoming courses and upcoming ebooks). Plus, you will be supporting DFIR Training's website for updated and constant content.
No tools to give away at this moment, but some are planned throughout 2020. I have one DFIR book drawing coming up in December, and will be reaching out to more DFIR book authors to check if they want to jump in the DFIR Book Giveaway Challenge. It's been a while since I gave out any books, so time to get back on it!
More Black Friday Specials!
I would like to list more, but instead of duplicating what someone else is doing, check out https://twitter.com/Infosec_Taylor/status/1199686855362351111 for a thread of cool DFIR Black Friday specials. Nice job, Ashley :)
"Black Friday Deals Thread! The next few days I will be posting any sales I come across on infosec or tech-related stuff that I find interesting. Feel free to contribute! All deals are in no particular order." — Ashley (@Infosec_Taylor), November 27, 2019
Stand by to stand by. Another great forensic software giveaway by Arsenal Recon!
No cost to enter. No cost to win. Arsenal Recon might contact you if you don’t win to see if you have any questions about their tools, or maybe they won’t. If you don’t already have Arsenal’s tools, take a look at what you are missing, and throw your email in the hat for the drawing. https://arsenalrecon.com/products/
The rules: You must answer your email (if you win) on the day of the drawing on NOVEMBER 29, no later than 5pm (Pacific Standard Time). If you don’t answer your email by 5pm, it goes to the runner up. The runner up will be happy if you don’t answer, so be sure to check your email. And your spam folder, just in case.
Oh yeah. Just enter your email and name once. No multiple (different) email addresses with different names to increase the odds of winning. The license goes to the name and email entered, so be sure to enter yours correctly.
Drawing is closed.
Halloween special expired
The Halloween special expired this weekend, and the regular subscription is back at $125. Still, at $125, you get access to all the courses and ebooks and podcast and anything else I can throw at you with rewards and neat stuff. Subscribe here: https://www.patreon.com/DFIRTraining
To start, I’ve gone ahead and opened the DFIR Training’s forensic artifact database prior to its completion or even near completion. It is now fully integrated into dfir.training.
I know that the DFIR Training Forensic Artifact Database is not a “wiki”, but I also know that the forensic wiki was rarely updated (by anyone, including users). I plan on updating the artifact database for as long as I work in this field, and probably beyond that time too.
A forensic artifact repository has been talked about for years (one example: https://windowsir.blogspot.com/2008/01/artifact-repositories.html), and I’ve seen several attempts at repositories come and go. Part of the reason that I believe this is a difficult task is that:
-SOOOOO MANY ARTIFACTS
-Difficult to organize as many artifacts can fit in many categories
-They change and may be different based on OS, version of OS, etc…
-Difficult to present in an easy to use manner, as in, click on an artifact to get the information
Here is what you can expect from this database:
-Ever changing (Some ideas won’t work, so they will be removed)
-Ever growing (So much to add! So many new artifacts discovered!)
-Some bugs with the display and layout (it is a work in progress!)
As with everything on DFIR Training, suggestions and complaints are welcome to help make it better. And the database is free, no login or account required.
I would appreciate taking a few minutes to answer some poll questions about the database here:
Upcoming online course: OSINT + Forensics
A short course will be published this month. It is not strictly “OSINT” and not a complete OSINT course, but only that which benefits the analysis. Basically, if you do forensic analysis, there are some OSINT tricks that can benefit your examination, without going all-out OSINT on non-forensic analysis Internet hunting. Available to DFIR Training subscribers only.
The DFIR Training Social Network Page☹
In brief, the DFIR Training social networking page is going offline. I think the social networking aspect of the page was a good idea, but it turned out not to be what I wanted to do mostly due to time required and the number of online options available (Discord, Slack, forums, etc..). I also was using it to manage giveaways, but it turns out creating an online form is much easier to manage.
There is a new social network, “The Cyber Social Hub” created by Kevin DeLong, which has some good promise. I joined and plan on spending time poking around soon. Any source of DFIR information and networking is worth taking a look at, to give and share information.
Winner of the Forensic Notes Giveaway
The three winners have been chosen! Justin Bartshe, Matt Bertsch, and Michael Callan each won a 3-year license of Forensic Notes, and I can’t wait to hear how their notetaking opinions are going to change for the better (not that they are doing it wrong, but we can all do better).
DFIR Training Trick or Treat Special
The regular price of $125 is dropping 60% in a Trick or Treat Special that starts on October 31 at 11:59PM and ends on November 7, 2019 at 11:59PM. Limited to only the first 50 subscribers. Current subscribers can drop down to $50 too!
Dozens of hours of training, as much as you want, for as long as you want to subscribe, including ebooks, podcast, and more upcoming courses. And when you complete a course, you get printable proof of completion to document your hours formally.
Tools and new blog
Ian Whiffin both started a new DFIR blog and released several forensic tools worth checking out at https://www.doubleblak.com/index.php.
Why is this notable on DFIR Training? Because if you are not listed on dfir.training like Ian, you should be :)
More events added, with a large group of courses by MSAB scheduled well into 2020.
Another Directory Map
In process is a DFIR business directory map, exactly like the DFIR Association Directory map. Should be done soon. The point of the map is that you will be able to zoom down to where you want to find a local DFIR business (software, hardware, services). If you haven’t seen the DFIR Associations Map, check it out!
DFIR Training Newsletter
Sign up to get the first newsletter coming out soon. This is not your daddy’s DFIR newsletter by the way.
The Official DFIR Training sticker
It’s the best-selling merch item so far that I have, with ‘Digital Forensics is a lot like being a medical examiner, but without the blood’ t-shirt taking up a close second.
The Next DFIR Tool Giveaway….
It’s coming…details being worked out. Stay tuned!
Collected, embedded, sorted, and presented to you for ease of learning the DFIR. More videos coming, webinars, and featured videos too. Stay tuned as more get added!
That’s it for this week! But guess what..more coming next week!
On October 28, 2018, I will be choosing THREE entries to win a 3-year license of Forensic Notes. That means, 3 chances to win a 3-year license. This is quite the giveaway, worth the price of entry, which is FREE.
A review of Forensic Notes is upcoming, but to enter now, check out the post here: https://www.dfir.training/dfir-training-blog/forensic-notes-giveaway
New bloggers added! It’s good to see new blogs and hopefully this will encourage more to write, i.e., share knowledge. Still the most comprehensive DFIR blog list in the galaxy.
Patreons at https://www.patreon.com/DFIRtraining heard me talk personally about my path, thoughts, and reasons for me working in DFIR in my latest podcast. https://www.patreon.com/posts/10-10-2019-30663648
A new case study (#13) available to all Patreon subscribers. https://www.patreon.com/posts/case-study-13-30644671
Speaking of Patreon...
By subscribing, you’ll support DFIR Training’s resource website! And in return, get access to online training courses, a podcast, and other cool things. Courses like
And more courses coming in the next months. The current subscription is $125/month, cancel anytime. Pick back up where you left off anytime.
This is a work in progress. I started it a few weeks ago, didn’t like the way that it was organized, so I’m redoing it. The map will match the directory https://www.dfir.training/directory/associations and you can search and filter the listings to find exactly what you are looking for.
By popular request, I made a sticker. And then I made some t-shirts. And coffee cups. Take a look at the DFIR Training swag store here: https://www.teepublic.com/user/dfirtraining
I have some shirts on Amazon too at https://www.amazon.com/s?rh=n%3A7141123011%2Cp_4%3ADFIR+Training&ref=w_bl_sl_s_ap_web_7141123011
DFIR businesses! Request a media kit before the year is out to get 2020 marketing packages at the 2019 prices :)
All DFIR Training Patreons were given the promotion code for 25% off (basically gives you the adapter set free as part of the Standard + Pro firmware purchase, which comes out to 25% off).
On that DeepSpar Guardonix…
I’ve been running it over images that I made in cases that had bad sectors, but weren’t bad enough to send off for recovery (mostly due to client budgets). I used reverse imaging (X-Ways) which was helpful at the time, but with the 3 drives that I tried, 2 out of 3 were able to be fully imaged and the 3rd drive recovered more than half of what was skipped prior. That is pretty good for not having a clean room and extensive hard drive repair training using just a write blocker.
There are 3 more forensic software applications coming up for giveaways, one per month. As I clarify the details for each giveaway, I’ll be posting about them as well as testing them myself. I also will be getting back to some book giveaways as I’ll have time on a half dozen flights to finish reading them.
More events have been added to the calendar: https://www.dfir.training/calendar. Get your event listed or featured on DFIR Training here: https://www.dfir.training/add-your-listing (conferences are listed free!).
Updated list of DFIR podcasts. There’s a lot. A whole lot. https://www.dfir.training/resources/dfir-social/dfir-podcasts. Some are no longer being updated, but the archives hold some really good content. Did I miss your podcast? Guess what..let me know and I’ll add it: https://www.dfir.training/contact-dfir-training
More content planned :)
New Podcast uploaded to Patreon subscribers, where I talked about some recent news, a software test that I am doing with Dan Mares, DeepSpar and the giveaway and 25% promotion code, and a few other things.
DFIR Training has a new logo. Probably will be a sticker soon...actually, going to be a sticker soon.
Thanks to all for your input!
Updates on the DeepSpar Guardonix giveaway. If you entered, be sure to check your email on Sept 15. I'll give the winner until Sept 16 to respond, but then if no response, the Guardonix goes to the runner-up. Runner-ups love it when the winner misses out. Don't miss out!
As to how I pick the winners to the giveaways...I let the Internet do it. Specifically, every entry (your email) is on a spreadsheet, and is numbered in order (1, 2, 3, etc...). If I have 300 entries, I let Google pick a number between 1 and 300. That's the winner. I do it again if the winner doesn't respond. Your email is not put online to randomly pick it, only your number on the spreadsheet. You'll also get one, and only one email from me for the entry to let you know that you won or didn't win.
I have a promotion code to give out on Sept 15 for 25% off the DeepSpar Guardonix (Professional Edition with adapters). This comes to about $250 off from a tad more than $1000 purchase for the set. The promotion code is for Patreon subscribers only, but if you were looking to purchase the Guardonix, you could join Patreon for just one month to get the discount and still come out $125 ahead. Plus, you'd get access to the courses, podcasts, ebook downloads, and everything else during that time. Just sayin... https://www.patreon.com/DFIRtraining
I am working on finishing an OSINT & Forensics online course this month. This is a shorter version of any OSINT course you can find online as it is specific to using OSINT in a forensic analysis. Not everyone is tracking criminals across the Internet, but those working a forensic analysis can use some of the techniques to help in analysis.
The current Placing the Suspect Behind the Keyboard course is being completely revamped. This will be an Instructor-Trainer course, which will include downloadable materials (images, data, lesson plans, slidedecks, quizzes) that you can use to teach internally at your organization or university forensics program. Basically, you'll have everything to teach the course in a turn-key solution. Patreon subscribers only.
Now that I have help with the DFIR Training website content, the forensic artifact database will be getting populated faster than before. Still, it is early access for Patreon subscribers only, but will be open publicly when it is at least twice as populated with artifacts as it is now. This may take a month or so, but eventually will be open.