
Practicing the DFIR basics with the Digital Forensics Workbook

Digital forensics is not a passively learned discipline. Unfortunately, many practitioners end up doing "push button" forensics, which is a necessary evil in some shops in order to process a high volume of cases.

My favorite introduction to immediately working with digital forensics is the Digital Forensics Workbook by Michael K. Robinson. This book was published in 2015. Many of the activities are still valid, but some no longer work, or are no longer relevant, because of technological change. I would still use this workbook to teach and find 80+% of it still usable. I applaud Michael Robinson for writing the book that we needed in digital forensics, and I hope that he produces a new one in the coming years.

A complaint I've received from students is that this workbook is very Windows focused. Some do not want to bother with making these exercises work on an operating system that allows them to claim superiority over each other. I do not believe Michael intended his readers to insist on using only BlackArch.

To take advantage of the workbook, I would suggest the following virtual machine:
- Windows 10 Home (or Education, Pro)
- 4 GB RAM (not more, not less)
- 32 GB hard drive
- whatever else your heart desires; the more threads the better

There are a few activities that will require you to image your own RAM, and if you have more RAM than this, those activities are going to take a long time. For example, activity 21-1, "Acquisition of Memory and Recovery of File/Password from Memory", is going to take a decent lunch break even at 4 GB. Using a virtual machine also gives you the flexibility to do these assignments without having to reproduce the specific environment Michael had, which some people find difficult to conceptualize.

Activity 17-2, "File Carving with Carver Recovery", was very useful when I first used the book, but the tool is now archived on Google Code and its author, Christopher Doman, took down his website. The activity still works today, but it may not in the coming years.
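To see what that activity exercises without depending on an abandoned tool, here is a minimal header/footer carver. It is an added example for this post, not code from the workbook or from Carver Recovery; the JPEG and PNG signatures are real, while the "disk image" it carves is constructed inline and the function names are my own.

```python
"""Minimal signature-based file carver (added example; not from the workbook
or Carver Recovery). Finds known headers in a raw image and cuts out
everything up to the matching footer, ignoring the file system entirely."""
import os
import re

# Real magic values for two common picture formats: (header, footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 8 * 1024 * 1024  # skip a header with no footer within 8 MiB


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return a list of (kind, offset, data), sorted by offset.

    Carving is signature-only: a JPEG thumbnail embedded in a JPEG, or a
    fragmented file, will be carved wrongly, so carved output must always
    be verified (open it, hash it) before it goes in a report.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        for match in re.finditer(re.escape(head), image):
            start = match.start()
            end = image.find(tail, start + len(head), start + max_len)
            if end == -1:  # header without a footer in range: not recoverable here
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
    found.sort(key=lambda entry: entry[1])
    return found


def write_carved(found, outdir):
    """Write each carved object as <offset>.<kind>; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for kind, offset, data in found:
        path = os.path.join(outdir, f"{offset:010x}.{kind}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed 'disk image' for the demo: zero filler with a fake JPEG
    and a fake PNG inside, plus a JPEG header with no footer as a decoy.
    The payloads carry correct signatures only; they are not viewable pictures."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"          # 15 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-body" + b"IEND\xaeB`\x82"    # 25 bytes
    orphan = b"\xff\xd8\xff\xe1"                                     # no footer
    return b"\x00" * 512 + jpeg + b"\x00" * 300 + png + b"\x00" * 200 + orphan


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset} ({len(data)} bytes)")
```

Run it against a real raw image by reading the file into `carve()` (or memory-mapping it for anything large) and then calling `write_carved()` on the result. The decoy header in the sample shows the main failure mode: a header with no footer in range is skipped rather than guessed, which is the conservative choice for evidence.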

This is one of the issues practitioners will come across frequently in digital forensics: tools are frequently abandoned and out of date, and yet some of our most reliable tools are also old. Take grep, for example. Its behaviour has barely changed in decades, but it's still reliable and considered forensically sound. Bahh - different post for a different day.

In short, I recommend this book if you want to practice digital forensics, and especially for those who are brand new or novice in the field. There are online copies of this book floating around if the Amazon price is prohibitive.
