
Practicing the DFIR basics with the Digital Forensics Workbook

Digital Forensics is not a passively learned discipline. Unfortunately, many practitioners practice "push button" forensics, which is a necessary evil in some instances in order to process a high volume of cases.

My favorite introduction to immediately working with digital forensics is the Digital Forensics Workbook by Michael K. Robinson. This book was published in 2015. Many of the activities are still valid, but some of them no longer work or are no longer valid due to technological change. I would still use this workbook to teach and find 80+% of it still usable. I applaud Michael Robinson for writing the book that we needed in digital forensics, and I hope that he produces a new one in the coming years.

A complaint I've received from students is that this workbook is very Windows focused. Some do not want to bother with making these exercises work on an operating system that allows them to claim superiority over each other. I do not believe Michael intended his readers to be insistent on only using Black Arch. 

In order to take advantage of the workbook, I would suggest the following virtual machine:
- Windows 10 Home (or Education, Pro)
- 4 GB RAM (not more, not less)
- 32 GB hard drive size
- whatever else your heart desires; the more threads the better

There are a few activities that will require you to image your own RAM, and if you have more RAM than this, these activities are going to take a long time. For example, activity 21-1 "Acquisition of Memory and Recovery of File/Password from Memory" is going to take a decent lunch break. Using a virtual machine will give you the flexibility to do these assignments without having to conform to the specific environment Michael had, which some people find difficult to conceptualize. 

Activity 17-2 "File Carving with Carver Recovery" was very useful when I first used the book, but now the tool is archived on Google Code and the author, Christopher Doman, took down his website. The activity still works for now, but it may not in the coming years.

This is one of the issues that practitioners will come across frequently in digital forensics: tools are frequently abandoned and out of date, and yet some of our most reliable tools are also old and out of date. Take grep, for example. When was the last time grep had an update? But it's still reliable and considered forensically sound. Bahh - different post for a different day.

In short - I recommend using this book if you want to practice digital forensics, and for those who are brand-new or novice in the field. There are online copies of this book floating around, if the Amazon cost is prohibitive. 
