Skip to main content

Practicing the DFIR basics with the Digital Forensics Workbook

Digital Forensics is not a passively learned discipline. Unfortunately, many practitioners are a part of "push button" forensics, which is a necessary evil in some instances to process a high amount of cases. 

My favorite introduction into immediately working with digital forensics in the Digital Forensics Workbook by Michael K Robinson.  This book was published in 2015. Many of the activities are still valid, but some of them no longer work or are no longer valid due to technological change. I would still use this workbook to teach and find 80+% still usable. I applaud Michael Robinson for writing the book that we needed in digital forensics and I hope that he produces a new one in the coming years. 

A complaint I've received from students is that this workbook is very Windows focused. Some do not want to bother with making these exercises work on an operating system that allows them to claim superiority over each other. I do not believe Michael intended his readers to be insistent on only using Black Arch. 

In order to take advantage of the workbook, I would suggest the following Virtual Machine:
- Windows 10 Home (or Education, Pro)
- 4 GB RAM (not more, not less)
- 32 GB harddrive size 
whatever else your heart desires, more threads the better 

There are a few activities that will require you to image your own RAM, and if you have more RAM than this, these activities are going to take a long time. For example, activity 21-1 "Acquisition of Memory and Recovery of File/Password from Memory" is going to take a decent lunch break. Using a virtual machine will give you the flexibility to do these assignments without having to conform to the specific environment Michael had, which some people find difficult to conceptualize. 

Activity 17-2 "File Carving with Carver Recovery" was very useful when I first used the book, but now the tool is archived on Google Code and the author, Christopher Doman, took down his website. The activity still works though, but many not in the coming years. 

This is one of the issues that practitioners will come across frequently in digital forensics, tools are frequently abandoned and out of date and yet some of our most reliable tools are also old and out of date. Take for example, grep. When was the last time grep had an update? But it's still reliable and considered forensically sound. Bahh - different post for a different day. 

In short - I recommend using this book if you want to practice digital forensics, and for those who are brand-new or novice in the field. There are online copies of this book floating around, if the Amazon cost is prohibitive. 

Comments

Popular posts from this blog

Studying for the AWS Certified Cloud Practitioner Certification (CLF-C02)

As a solution's architect, I want to keep up on my cloud skills. As noted in my previous New Year's Resolution post , I'm looking to get the AWS Certified Solutions Architect Associate (SAA-C03) exam, and the Cloud Practitioner (CLF-C02) certification is the one that precedes this SAA-C03 exam.  After speaking to others who have passed the SAA-C03 exam, they mentioned more than half the content is the same as the CLF-C01 exam. The exam has been updated last September and has changed content moving to the C02 edition. So I believe it's foundational to take this exam first.  As a former academic, I have a high standard to passing the exam. While I'm already passing some practice exams, I don't want to sit for the exam until I'm getting over 90% on the practice exams. What's the point of barely scraping by when I'm doing this to truly gain skills and knowledge? Below I'm going to outline what I've been using to study. AWS Skill Builder I do pa...

2024 Resolutions

Welcome back! It's another New Year's blog post. Let's get right into my goals for this year. 1. Obtain the AWS Solutions Architect certification Right now, I'm working as a Solutions Architect, and I'm all about boosting my career with the right certification. I absolutely love what I do and want to get even better at it, so I can be an even more valuable part of my company. Even though I've got a master's degree, I'm hungry to learn more and up my game. I'm currently getting ready for the AWS Cloud Practitioner exam, which is set for February 23rd. What's interesting is that a big chunk of the stuff in this exam is also in the Solutions Architect (SA) exam. I'm making good progress with my studies, and I'm pretty confident that I'll be all set to tackle the exam by the end of the year. I'm on a mission to move up in my career, prove my worth, and pick up some fresh skills along the way. Some folks really value high...

2023 Resolutions

Welcome to my New Year's Resolutions! I feel a little vulnerable sharing my goals publicly and auditing if I failed or succeeded over the year.  My 2023 Resolutions 1) HACK THE PLANET! 2) Upload to WiGLE every month 3) Post to the blog at least once a month 4) Continue to follow and maintain my vision board. Don't judge me! I thought they were cheesy and weird, but it's been so effective. I made a blog post about it already, but just as a refresher my current board is below. A vision board is almost a resolution list in of itself. These are all the things I want to achieve in the near future.  5) Pass the HAM radio exam 6) Continue in content creation and make articles or a podcast Let's go over what my resolutions where last year: My 2022 Resolutions 1) Make it to 500,000 unique wifi networks I made it in November! I achieved this goal and obtained the gold WiGLE badge.  2) Upload to WiGLE every month I made this most months, but not every month. I will try again! 3) W...