# DFIR Resources
I am quite often asked if there are sites, training, and/or books that I would recommend to get into DFIR and of course, continue to learn. So I have created a sub-page Resources with my recommendations. I will continue to update this page over time.
Last Updated: 6 November 2023
## Podcasts & Blogs
Name | Description |
---|---|
This Week in 4n6 | This Week in 4n6 is a collection of everything that happens on a weekly basis in the Digital Forensics and Incident Response community. |
Risky Business | Published weekly, the Risky Business podcast features news and in-depth commentary from security industry luminaries. Hosted by award-winning journalist Patrick Gray, Risky Business has become a must-listen digest for information security professionals. |
Darknet Diaries | True stories from the dark side of the Internet. This is a podcast about hackers, breaches, shadow government activity, hacktivism, cybercrime, and all the things that dwell on the hidden parts of the network. |
Stark4n6 Forensics Startme Page | One-stop shop for DFIR resources and links, including tools, cheat sheets, hardware, blog feeds and more. The blog also has a large collection of CTF write-ups. |
BlueMonkey 4n6 | BlueMonkey 4n6 focuses on digital forensics and incident response using open-source tools. It covers various aspects of forensics on different platforms and tools. |
Forensics Reformatted Podcast | Forensics Reformatted is a Digital Forensics podcast by former Chewing the FAT hosts, Adam Firman & Phil Cobley. The show is self-funded and aimed at supporting the DFIR community through insights, humour, and bringing together others from in and around the industry. |
## Communities
Community | Description |
---|---|
ComfyCon Discord | ComfyCon AU was originally constructed as a conference in March 2020 as a response to the cancellation of Cyber Security conferences due to the COVID-19 pandemic. |
Digital Forensics Discord | A Discord server run by and for the DFIR community! |
## Books & reading materials
Industry Report | Description |
---|---|
Industrial Control Systems: Engineering Foundations and Cyber-Physical Attack Lifecycle | A must-read white paper by Dr. Marina Krotofil. This technical white paper serves as an introduction to cyber-physical security science and the art of cyber-physical attacks from an adversarial viewpoint. It aims to provide a comprehensive yet accessible overview of industrial control systems, their security needs, and cyber attacks. Chapter 4, which covers the cyber-physical attack lifecycle, is a technical exploration of the attack surface of ICS. The paper also discusses incidents such as the Maroochy Shire sewage treatment and Los Angeles traffic control breaches, in which malicious actors exploited radio-controlled systems. |
Digital Investigation Techniques: A NIST Scientific Foundation Review | This document is an assessment of the scientific foundations of digital forensics. We examined descriptions of digital investigation techniques from peer-reviewed sources, academic and classroom materials, technical guidance from professional organizations, and independently published sources. |
Verizon DBIR | Verizon’s Data Breach Investigations Report (DBIR) provides an annual analysis of security incidents and data breaches. The information and analysis are categorized by sector. Public sector organizations are key contributors to the report each year. |
Mandiant APT1 Report | APT1 is one of dozens of threat groups Mandiant tracks around the world, and we consider it to be one of the most prolific in terms of the sheer quantity of information it has stolen. |
## Must-have books
Book | Description |
---|---|
Digital Forensics with Open Source Tools | Digital Forensics with Open Source Tools is the definitive book on investigating and analysing computer systems and media using open source tools. The book is a technical procedural guide, and explains the use of open source tools on Mac, Linux, and Windows systems as a platform for performing computer forensics. |
File System Forensic Analysis | Most digital evidence is stored within the computer’s file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed. |
The Art of Memory Forensics | Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst’s Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics―now the most sought after skill in the digital forensics and incident response fields. |
## Training courses
Online Training | Description |
---|---|
Free Short Course: Digital Forensics | Cyber criminals saw their opportunity and made the most of it in 2020. With such a drastic shift to online everything for everyone, we saw cyber criminals make some pretty daring moves. Due to these increasingly sophisticated cyber-attacks, forensic investigations are becoming more and more common. This short course offers an introduction to our full Digital Forensics subject, including a high-level view of the emerging and evolving digital forensics field, investigating, detecting, and preventing digital crimes, formulating a digital forensics process, and more. |
Free Short Course: Cyber Warfare and Terrorism | This four-week short course introduces you to the rise of state-sponsored cyber attacks, a concept that only a few years ago seemed within the realm of science fiction. You will be introduced to the major classes of cyber weapons: trojans, worms, and distributed denial of service, as well as sophisticated hacking. You will also learn the history of nation-state involvement in cyber attacks and the looming threat of cyber attacks from terrorist organizations. |
Free - DFIR Diva IR Training | Elan, aka DFIR Diva, provides free incident response training for entry-level Incident Response Analysts who want to learn more about digital forensics and analysis on a limited budget. |
Free - Hal Pomeranz's Linux Forensics Intro | An introductory course in Linux forensics, with course materials and a lab virtual machine provided. |
Free - MITRE ATT&CK Training | This training is designed to teach students how to apply the MITRE ATT&CK framework to help mitigate current threats. It covers the 12 core areas of the framework, helping students develop a thorough understanding of various attack vectors. The training is free; certification is paid. |
Malware Unicorn's Reverse Engineering 101 | This workshop provides the fundamentals of reverse engineering (RE) Windows malware through hands-on experience with RE tools and techniques. It covers RE terminology, processes, basic x86 assembly, RE tools, and malware techniques. |
Splunk Fundamentals 1 | This course teaches you how to search and navigate in Splunk, use fields, get statistics from your data, create reports, dashboards, lookups, and alerts. It includes scenario-based examples and hands-on challenges. |
Binary Analysis Course | This course provides a detailed explanation of each step taken when analyzing malware. It focuses on the thought process and technical analysis involved in the process. |
TryHackMe Cyber Security Training | TryHackMe offers interactive lessons for hands-on learning. It includes network simulations and technology based on real-world examples. |
Become a Microsoft Sentinel Ninja: The complete level 400 training | This training program includes 16 modules with presentations and supporting information for each module. |
DFIR Cheatsheet | Curated by Jai Minton, this page contains a variety of commands and concepts known through experience, education, tutorials, blogs, videos, professional training, and more. |
Google Technical Writing Course | Learn the basics of technical writing through this course. |
## Blue team training platforms
I have not personally used any of these platforms, but am sharing the list; if you have any feedback on them, feel free to let me know!
Online Training | Description |
---|---|
Blue Team Labs Online | This platform offers gamified challenges for defenders to practice security investigations in areas such as incident response, digital forensics, security operations, reverse engineering, and threat hunting. Free and paid tiers are available. |
CyberDefenders: Blue Team CTF Challenges | This platform provides free access to gamified security challenges for defenders. It covers incident response, digital forensics, security operations, reverse engineering, and threat hunting. |
LetsDefend: Blue Team Training Platform | Online SOC analyst and incident response training platform for blue team members. |
## Capture the flag archives
Capture The Flag Competitions (Archives) | Description |
---|---|
ACSC cyber security challenge | The ACSC has released a simulated cyber incident challenge so anyone can test or improve their cyber response ability and forensic skills. Organisations may wish to use the challenge as a group training exercise for cyber security staff. The challenge was originally run at the BSides Canberra conference in April 2021. |
Metaspike Email Forensics CTF Competition | Email forensics CTF challenges from 2021-2022 are available with solutions. Sign up to be notified when the next CTF challenge is run. |
MUS2019 DFIR CTF | The DFIR CTF that was run at the Magnet User Summit in 2019 is now open to the public. |
About DFIR Challenge Links | This site provides a much larger and more comprehensive list of DFIR CTF challenges and archives. |