Saturday, 02 May 2020 14:23

What's New at DFIR Training

Training listings

Lots of classroom events have been canceled and removed from the calendar because of COVID-19 with the remaining classes being unknown. Until officially canceled, the calendar will keep each class.

However, the virtual online classes category on the calendar has grown in direct response to physical classes being canceled. Until further notice, there is no charge to list virtual events, including webinars, live online classes, and virtual conferences.  Send in yours here:

Search term lists and Regular Expressions

Several lists have been submitted, so check back regularly if you need either search term lists or regex for your cases. Free to submit, free to download, free to use, no EULA required. More will be uploaded as I get to them.

A few courses and another DFIR Case Study are being added for DFIR Patreon subscribers this month.

One of the courses that will be released is OSINT + Forensics. This is different than the OSINT courses you may find elsewhere. Not better or worse, but different. I’ve been through quite a bit of OSINT training over the past few years (and of course forensics….), but I have not seen an OSINT course specific to forensic analysis. So here it is. A course for the forensic analyst, using OSINT for the analysis and investigation.

Another course is an FTK Imager course. You would think that such an intuitive tool doesn't need any training, but there are some features and workflows that many are not aware of. As far as "exploiting" FTK Imager, I mean that in a way of maxing out its use for your casework and actually knowing more about a forensic app that you have been using for years but never really were taught much more than using it for imaging.

These courses are only available with a subscription, and the good news is that the subscription is discounted from $125 to $50 until further notice! The promotion is to help you to have documented training that you can provide to your employer as proof of training and put on your credentials for training credit.  All my other courses are included in the subscription (Windows Forensic Environment, DFIR Case Study series, and more). You can subscribe here:

One of the bonuses for DFIR Training Patreon subscribers is that they get early access to other things too, like getting access to the WinFE latest release weeks before it was public. And downloads of ebooks for some of the courses, like the X-Ways Cheats ebook, WinFE Cheats ebook, and Geolocation Cheats ebook. Just sayin…a pretty good thing :)


About that WinFE...

I am keeping all things "WinFE" at . This includes all downloads, guides, manuals, and everything else related to WinFE. The only other location that I will maintain for WinFE is for DFIR Training Patreon subscribers. Patreon is where early releases of WinFE will be posted and later released publicly on the WinFE blog. Also, Patreon subscribers can download the WinFE cheats ebook for free, as well as take the only WinFE online course created by one of the few developers of WinFE (and download the accompanying slide deck from the course). The only thing you need for WinFE is a Windows OS source; you can build it and use it freely.


Upcoming webinar

I am pulling out a phone this week and will be going through it with Yuri from Belkasoft in the upcoming weeks. The checkm8 incorporation in Belkasoft is so cool that I can’t help but be excited having the ability to capture iPhone data now, compared to not so long ago, when “excited” was not the best way to describe having to examine an iPhone.

I will post the webinar link via Facebook and Twitter, so be sure to follow!

Case Study released

Here is a case study (#5) released in a DFIR Training public playlist. More than a dozen more are available to DFIR Training Patreon subscribers who receive these months earlier.  I am a big fan of doing case studies to improve skills and critical thinking.

These case studies show how I generally look at cases done by others. The cases that I choose are those that are publicly available and do not usually have substantial forensic analysis details, but that is also not the point of doing these either. It is the mindset of the investigator that is my target.

Speaking of investigative mindsets, be sure to check out DFIR Training’s latest blog post, “The DFIR Investigative Mindset: Getting out of a rabbit hole”.

There is so much that you can do to prevent falling into investigative traps, but until you can digest a dozen books on the subject, I have a list of tips that I promise will have at least one which will help you in your casework.  Most likely, there are several tips that will help get your mind into a good investigative mindset.

Upcoming software reviews

Next up, Paraben. Stay tuned. I am happy to be working on Paraben’s upcoming release. On top of that, if you know Amber, you know how awesome she is to work with!


Something of a surprise was being told that my "masks were sold out".... I actually didn't know that I was selling masks, but it was correct that I was and that I was sold out. I created a few DFIR Training designs for stickers and clothing at and the vendor added some of the designs to face masks. That is actually pretty cool.  The masks are back in stock now with nine different designs/colors. I also got a request to put together something for underwear...but I think I will pass on that one :)

Upcoming DFIR Bookshare Challenge giveaway

The next book has not arrived yet…so I am waiting for it. COVID-19 has interrupted the author’s travels and shipping, but I have been assured that it will arrive for me to review and give away!

And speaking of which, if you wrote a DFIR book within the last ten years or so, and want to be part of the DFIR Bookshare Challenge, send me a message. I WANT TO GIVE AWAY YOUR BOOK! That does not sound too good unless you read what this is all about here:





Last modified on Saturday, 02 May 2020 16:23
