Skip to main content

Practicing the DFIR basics with the Digital Forensics Workbook

Digital Forensics is not a passively learned discipline. Unfortunately, many practitioners are a part of "push button" forensics, which is a necessary evil in some instances to process a high amount of cases. 

My favorite introduction into immediately working with digital forensics in the Digital Forensics Workbook by Michael K Robinson.  This book was published in 2015. Many of the activities are still valid, but some of them no longer work or are no longer valid due to technological change. I would still use this workbook to teach and find 80+% still usable. I applaud Michael Robinson for writing the book that we needed in digital forensics and I hope that he produces a new one in the coming years. 

A complaint I've received from students is that this workbook is very Windows focused. Some do not want to bother with making these exercises work on an operating system that allows them to claim superiority over each other. I do not believe Michael intended his readers to be insistent on only using Black Arch. 

In order to take advantage of the workbook, I would suggest the following Virtual Machine:
- Windows 10 Home (or Education, Pro)
- 4 GB RAM (not more, not less)
- 32 GB harddrive size 
whatever else your heart desires, more threads the better 

There are a few activities that will require you to image your own RAM, and if you have more RAM than this, these activities are going to take a long time. For example, activity 21-1 "Acquisition of Memory and Recovery of File/Password from Memory" is going to take a decent lunch break. Using a virtual machine will give you the flexibility to do these assignments without having to conform to the specific environment Michael had, which some people find difficult to conceptualize. 

Activity 17-2 "File Carving with Carver Recovery" was very useful when I first used the book, but now the tool is archived on Google Code and the author, Christopher Doman, took down his website. The activity still works though, but many not in the coming years. 

This is one of the issues that practitioners will come across frequently in digital forensics, tools are frequently abandoned and out of date and yet some of our most reliable tools are also old and out of date. Take for example, grep. When was the last time grep had an update? But it's still reliable and considered forensically sound. Bahh - different post for a different day. 

In short - I recommend using this book if you want to practice digital forensics, and for those who are brand-new or novice in the field. There are online copies of this book floating around, if the Amazon cost is prohibitive. 

Comments

Popular posts from this blog

How to program a NTAG215 NFC Tag

Hi! Did you just acquire a NTAG215 NFC tag? Very cool. Maybe you scanned it and it brought you here. Here's how to edit the content on the tag to make it do what you want.  Easy Steps Download an NFC writing app on a smartphone like this one for Android or this one for iPhone. I assume you might have this app already if you're reading this tag. Done Decide what type of data you want to save. If you picked up more than one of the NFC tags, you may have a variety of data saved to them like the ones below: Plain text URL/URI Link to a search Social networks Video File Application Mail Contact Phone number SMS Location Address Proximity search Street View Emergency info Bitcoin address Bluetooth connection WiFi network settings other custom fields Make sure if you select the correct format to make it easier to scan, save the write data, and re-scan the tag. Switch back to the read function and test your tag! Next Method The above method doesn't cover making everything, such a...

Phishing Kits

Let's make a phishing attack (just kidding). The easiest way to do so is obtaining a pre-made phishing kit. Phishing kits represent a significant and growing danger. These tools, readily available in the darker corners of the internet, empower even technically unsophisticated criminals to launch effective phishing campaigns. This post aims to demystify phishing kits, explore their dangers, and provide practical advice on safeguarding against these insidious threats.  Phishing kits are pre-packaged sets of tools and resources designed to facilitate phishing attacks. The parts of a phishing kit can be broken down into the following components: Email templates Webpage clones (usually scraped from the legit site) Scripts and code repositories  Hosting Platforms Delivery Systems Readme & docs Premium services Real-time data analysis tools Customer service* Social engineering tools These kits are designed for ease of use, allowing attackers to launch phishing campaigns with mini...

Anti-Phishing Working Group Report from Q2 2023

 The Anti-Phishing Working Group (APWG) is an international coalition focused on unifying the global response to cybercrime, particularly phishing and e-mail fraud. Established in 2003, APWG brings together businesses, government entities, law enforcement, and non-governmental organizations to combat phishing, crimeware, and e-mail spoofing.They create regular reports on the nature of phishing "in the wild" and share trends in this report. You can download the report here .  I wanted to report on a more recent trend report, but at the time of writing I haven't seen a newer one. It being in the middle of 2023, I believe the report is recent enough.  I found a few areas of interest, and questioned a few pieces. There was a reported downward trend in phishing. Despite the high numbers, there was a notable downward trend in phishing by the end of the quarter, indicating a possible shift in tactics or improved countermeasures. I have doubt that phishing is occurring less,...