Skip to main content

Practicing the DFIR basics with the Digital Forensics Workbook

Digital Forensics is not a passively learned discipline. Unfortunately, many practitioners are a part of "push button" forensics, which is a necessary evil in some instances to process a high amount of cases. 

My favorite introduction into immediately working with digital forensics in the Digital Forensics Workbook by Michael K Robinson.  This book was published in 2015. Many of the activities are still valid, but some of them no longer work or are no longer valid due to technological change. I would still use this workbook to teach and find 80+% still usable. I applaud Michael Robinson for writing the book that we needed in digital forensics and I hope that he produces a new one in the coming years. 

A complaint I've received from students is that this workbook is very Windows focused. Some do not want to bother with making these exercises work on an operating system that allows them to claim superiority over each other. I do not believe Michael intended his readers to be insistent on only using Black Arch. 

In order to take advantage of the workbook, I would suggest the following Virtual Machine:
- Windows 10 Home (or Education, Pro)
- 4 GB RAM (not more, not less)
- 32 GB harddrive size 
whatever else your heart desires, more threads the better 

There are a few activities that will require you to image your own RAM, and if you have more RAM than this, these activities are going to take a long time. For example, activity 21-1 "Acquisition of Memory and Recovery of File/Password from Memory" is going to take a decent lunch break. Using a virtual machine will give you the flexibility to do these assignments without having to conform to the specific environment Michael had, which some people find difficult to conceptualize. 

Activity 17-2 "File Carving with Carver Recovery" was very useful when I first used the book, but now the tool is archived on Google Code and the author, Christopher Doman, took down his website. The activity still works though, but many not in the coming years. 

This is one of the issues that practitioners will come across frequently in digital forensics, tools are frequently abandoned and out of date and yet some of our most reliable tools are also old and out of date. Take for example, grep. When was the last time grep had an update? But it's still reliable and considered forensically sound. Bahh - different post for a different day. 

In short - I recommend using this book if you want to practice digital forensics, and for those who are brand-new or novice in the field. There are online copies of this book floating around, if the Amazon cost is prohibitive. 

Comments

Popular posts from this blog

Wardriving OSINT & SE

 Disclaimer: do NOT use this information to be a jerk. Don’t try to get the location of my examples, or you’re a big meanie. There's already a post out there about tracking people with wifi. It's helpful for those who use a hotspot or maybe a vehicle hotspot. I believe a personal device that broadcasts Bluetooth is more likely than a hotspot.  Tracking What wardriving can’t do = track people via Bluetooth devices Or shouldn’t be able to work. Most modern Bluetooth devices use MAC randomization, which changes the MAC address of the Bluetooth device at random. Even if you can track a device it may only be short-term, as it’ll change again.  But sometimes they don't turn over to a randomized MAC. Do what you will with that. If you want to see how easy it is to make a random MAC go here . But what if you only need a short-term answer? Better start stumblin’. Let’s forget the purpose of needing that MAC address long-term. With all MAC addresses, OUI can tell you what the

The big list of remote job openings

From a conversation in my Discord ; one member brought up a lot of the best remote jobs and job boards come from Twitter. This is a decentralized way of distributing information, which is better than not sharing the information but can be hard to find.  This list is not a replacement for that, but it's pretty close. Here's the master remote vacancy list for remote jobs in the United States. This job board is in no way just for IT jobs, there are all sorts of jobs from sales, teaching, upper management, data entry, design, customer service, and more. Take a look if you're looking for a new job.  Some Tips: Try searching the full row for the job in Google. There are better job boards where the job posting is more up to date; instead of using the link provided. Don't spam one company, make sure if you're using the shotgun approach, you aren't letting the companies you're applying for know that There's a lot of advice on how to get a job online. Some of you

Common techniques for accessing phishing attacks

Can't load the phishing site that you know is there? Here to do some incident response or some SOC tasks? If you’re attempting to respond to an incident or just investigate some phishing pages, you may find that they are inconsistently accessible. Fraudsters will make phishing sites less available to their non-targets to curb their detection. Here’s what to know about phishing attacks and how to access them. What is a fake 404 page? It’s pretty easy to make a fake 404 page to display. <html><head> <title>404 Not Found</title> </head><body><h1>Not Found</h1>                  <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>                    <hr>                    <address>Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at localhost Port 80                                <style>