Resources to Skill Up and Collaborate in DFIR

This week I had the amazing opportunity to deliver a keynote presentation at the United States Secret Service (USSS) National Computer Forensics Institute (NCFI) Cyber Week. As part of the presentation and during the Questions and Answers portion, I shared several resources that folks requested - so I figured it would make the most sense to share them here in some categories.

Skill Up

There are three key areas in which I recommend forensic examiners sharpen or obtain skills, as I believe they will be differentiators for success in the future.

Python

Alexis Brignoni’s YouTube-based DFIR Python Study Group is a fantastic self-paced Python class that several folks I have mentored have used to successfully learn Python as it pertains to digital forensics. Those folks have gone on to contribute to open source projects.

YARA

YARA allows you to write pattern matching rules: each rule declares the text strings, hex byte sequences, or regular expressions to look for and a condition that says how many of them (and what file properties) must match. You can use these to look for anything, and they are commonly used to search for Indicators of Compromise across files and memory. Here are some starting points to learn about YARA:

• Twitter #100DaysOfYara

• DMFR Security 100 Days of Yara

• Awesome YARA
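To make the string-plus-condition structure concrete, here is an added illustration of a YARA rule. It is not from the original post or from any of the resources listed above; the rule name, the strings, and the idea of hunting for an executable that embeds a PowerShell download cradle are constructed for this example and are not a published indicator.

```yara
// Constructed example rule (not from the original post): flag a Windows
// executable that carries a PowerShell download-and-execute cradle.
rule Example_PE_With_PowerShell_Cradle
{
    meta:
        description = "Illustrative rule: PE file embedding a PowerShell download cradle"
        author      = "added example, hypothetical indicators"
        severity    = "medium"

    strings:
        // Plain text strings; 'wide' also matches UTF-16LE, which is how
        // many Windows binaries store command lines.
        $ps      = "powershell" ascii wide nocase
        $cradle1 = "DownloadString(" ascii wide nocase
        $cradle2 = "Invoke-Expression" ascii wide nocase
        $cradle3 = "IEX" ascii wide nocase
        $bypass  = "-ExecutionPolicy Bypass" ascii wide nocase

        // Regular expression: an -e/-enc/-EncodedCommand switch followed by
        // a long base64 blob.
        $enc     = /-e(nc|ncodedcommand)?\s+[A-Za-z0-9+\/=]{40,}/ ascii wide nocase

    condition:
        // uint16(0) reads the first two bytes; 0x5A4D is "MZ", the PE magic,
        // so the rule only considers Windows executables.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $ps and
        2 of ($cradle*, $bypass, $enc)
}
```

Run it with `yara -r rule.yar /path/to/evidence` to recurse over a directory; `-s` prints the offsets of the matched strings, which is what you want when documenting a hit in a report. The `filesize` and magic-byte checks are cheap and are evaluated before the string scan, so they are worth adding to almost every rule to cut false positives and scan time.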

Cloud

Cloud forensics, specifically the analysis of data hosted by platforms such as AWS, Azure, and GCP, will become a more common data source in investigations. Additionally, digital forensics and incident response teams may transition their analysis infrastructure to these platforms. Understanding the architecture, security, and logs that can be analyzed will become a critical skill moving forward. I suggest folks learn both the basics of cloud platforms as well as more about forensics. I appreciate the classes on A Cloud Guru for getting the basics down on the different platforms. Additionally, the authors of the SANS FOR 509 course have posted several useful scripts on David Cowen’s SANS FOR 509 Public GitHub.

Getting Started

While I recommend the above resources for practitioners and students alike, there are some great resources that will help folks getting started. Some of those resources include DFIR Diva, an incredible site from Elan Wright that shares free and low-cost websites and trainings for those looking to get started in digital forensics and incident response. I also recommend the Intro to Forensics courses on Cyber5W. For a general list of resources, check out Kevin Pagano’s Forensic Start Me Page.

Keeping Current

There are two things critical to keeping current - learning what is new and practicing. To keep current I recommend subscribing to the following:

To keep practicing, I recommend participating in Capture the Flag (CTF) events. I am excited to once again be working on two challenges for the Magnet Forensics Summits this year! In addition, you can find several CTFs on CyberDefenders to play online, including some of the previous Magnet CTFs.

Collaborate with the DFIR Community

Regardless of where you are in your career, it is important to collaborate with the DFIR community. I have broken down some resources, publications, and organizations, admittedly most of which I participate in, that I think are beneficial. Check out these resources to get involved with the community, find valuable resources, and hopefully share and contribute back to our incredible body of work and information.

Standards Groups

The Scientific Working Group on Digital Evidence and the NIST Organization of Scientific Area Committees for Forensic Science both put out a variety of standards for digital evidence. A great way to participate with these groups is to provide feedback during the comment periods for draft documents!

Peer-Reviewed Publications

There are multiple peer-reviewed publications that publish whitepapers, conference papers, and blogs. This is an opportunity to contribute content, provide peer review, or learn about the newest research from the community. DFIR Review reviews practitioner-created blogs!

Community Organizations

There are amazing community organizations that help forensic examiners communicate. The High Tech Crime Investigation Association (HTCIA) and IACIS have fantastic community listservs for their members. HTCIA also has local chapters that put on regional networking and training meetings, in addition to a Learning Management System with prior content, an International Conference, and a Canada Cyber Summit. The DFIR Discord has over 10,000 DFIR practitioners and academics participating in a variety of DFIR topics. There is also the #DFIR community on Twitter; check out this blog on Twitter for DFIR professionals. These are fantastic places to share your thoughts!

Summary

I hope these resources will be of value to you as you add to your skill set and share with others. I encourage you all to participate in the community. Have other sources you use? Share them with me on Twitter or via our contact form.
