
Practicing the DFIR basics with the Digital Forensics Workbook

Digital forensics is not a passively learned discipline. Unfortunately, many practitioners end up doing "push button" forensics, which is a necessary evil in some instances in order to process a high volume of cases.

My favorite introduction to immediately working with digital forensics is the Digital Forensics Workbook by Michael K. Robinson. This book was published in 2015. Many of the activities are still valid, but some of them no longer work or are no longer relevant due to technological change. I would still use this workbook to teach, and I find 80+% of it still usable. I applaud Michael Robinson for writing the book that we needed in digital forensics, and I hope that he produces a new one in the coming years.

A complaint I've received from students is that this workbook is very Windows focused. Some do not want to bother with making these exercises work on an operating system that allows them to claim superiority over each other. I do not believe Michael intended his readers to be insistent on only using Black Arch. 

In order to take advantage of the workbook, I would suggest the following virtual machine:
- Windows 10 Home (or Education, Pro)
- 4 GB RAM (not more, not less)
- 32 GB hard drive size
- whatever else your heart desires; the more threads the better

There are a few activities that will require you to image your own RAM, and if you have more RAM than this, these activities are going to take a long time. For example, activity 21-1 "Acquisition of Memory and Recovery of File/Password from Memory" is going to take a decent lunch break. Using a virtual machine will give you the flexibility to do these assignments without having to conform to the specific environment Michael had, which some people find difficult to conceptualize. 

Activity 17-2 "File Carving with Carver Recovery" was very useful when I first used the book, but the tool is now archived on Google Code and its author, Christopher Doman, took down his website. The activity still works, but it may not in the coming years.
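Because the carving tool behind activity 17-2 may disappear, it helps to understand what such a tool actually does: scan a raw byte stream for known file header and footer signatures and cut out everything in between. The block below is an added example written for this post, not code from the workbook or from Carver Recovery. It carves JPEG and PNG files from a constructed in-memory "disk image" (the sample bytes are made up for the demonstration), caps the carve length so a header with no matching footer cannot swallow the rest of the image, and records a SHA-256 of each recovered file so results can be verified against a known-good copy.

```python
# Added example: a minimal header/footer file carver, in the spirit of
# activity 17-2. Not the workbook's code and not Carver Recovery.
import hashlib
from pathlib import Path
from typing import Dict, List

# Start and end signatures for the file types we carve. Real carvers know
# many more types; two are enough to show the technique.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Upper bound on a single carved file. Without it, a header whose footer is
# missing (deleted, overwritten, fragmented) would match a footer from some
# unrelated file far away in the image.
MAX_FILE_SIZE = 10 * 1024 * 1024


def carve(data: bytes, max_size: int = MAX_FILE_SIZE) -> List[Dict]:
    """Scan `data` for every signature pair and return the carved files.

    Each result records type, byte offset, length, SHA-256 and the bytes
    themselves, sorted by offset. Headers with no footer inside `max_size`
    are skipped rather than carved to the end of the image.
    """
    results = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            window_end = min(len(data), start + max_size)
            end = data.find(footer, start + len(header), window_end)
            if end == -1:
                # Orphan header: move past it and keep scanning.
                pos = start + 1
                continue
            end += len(footer)
            blob = data[start:end]
            results.append({
                "type": ftype,
                "offset": start,
                "length": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "data": blob,
            })
            pos = end
    return sorted(results, key=lambda r: r["offset"])


def write_carved(results: List[Dict], outdir: Path) -> List[Path]:
    """Write each carved file as <offset>.<type> under `outdir`."""
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for r in results:
        path = outdir / f"{r['offset']}.{r['type']}"
        path.write_bytes(r["data"])
        written.append(path)
    return written


def build_sample_image() -> bytes:
    """Constructed sample input: filler bytes, one complete JPEG-shaped blob,
    one complete PNG-shaped blob, and one JPEG header with no footer."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 3 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-bytes" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe1" + b"truncated"  # header, no footer
    return b"\x00" * 64 + jpg + b"\x00" * 32 + png + b"\x00" * 16 + orphan


if __name__ == "__main__":
    image = build_sample_image()
    for r in carve(image):
        print(f"{r['type']} at offset {r['offset']} ({r['length']} bytes) "
              f"sha256={r['sha256'][:16]}...")
```

To run it against a real image, replace `build_sample_image()` with `Path("image.dd").read_bytes()` (or read the file in chunks for large images) and call `write_carved()` on the result. Note that carving by signature alone does not understand filesystems or fragmentation, so a carved file that fails to open is expected from time to time; the recorded hash lets you confirm which carved files match known originals.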

This is one of the issues practitioners will come across frequently in digital forensics: tools are frequently abandoned and out of date, and yet some of our most reliable tools are also old and out of date. Take, for example, grep. When was the last time grep had an update? But it's still reliable and considered forensically sound. Bahh - different post for a different day.

In short - I recommend using this book if you want to practice digital forensics, and especially for those who are brand-new or novices in the field. There are online copies of this book floating around if the Amazon cost is prohibitive.
