DFIR knowledge and resources

DFIR Resources

I am often asked which sites, training courses and books I would recommend for getting into DFIR and for continuing to learn once you are in, so I have created this Resources sub-page with my recommendations. I will keep updating it over time.

Last Updated: 6 November 2023

Podcast & Blogs

This Week in 4n6 - A weekly round-up of everything that happens in the Digital Forensics and Incident Response community.
Risky Business - Published weekly, the Risky Business podcast features news and in-depth commentary from security industry luminaries. Hosted by award-winning journalist Patrick Gray, it has become a must-listen digest for information security professionals.
Darknet Diaries - True stories from the dark side of the Internet: a podcast about hackers, breaches, shadow government activity, hacktivism, cybercrime, and everything else that dwells in the hidden parts of the network.
Stark4n6 Forensics Start.me Page - A one-stop shop for DFIR resources and links: tools, cheatsheets, hardware, blog feeds and more. The accompanying blog also has a large collection of CTF write-ups.
BlueMonkey 4n6 - Focuses on digital forensics and incident response using open-source tools, covering forensics across a range of platforms and tooling.
Forensics Reformatted Podcast - A digital forensics podcast by former Chewing the FAT hosts Adam Firman and Phil Cobley. The show is self-funded and aims to support the DFIR community through insights, humour, and bringing together others from in and around the industry.

Communities

ComfyCon Discord - ComfyCon AU was originally put together as an online conference in March 2020 in response to the cancellation of in-person cyber security conferences during the COVID-19 pandemic; the community lives on in its Discord server.
Digital Forensics Discord - A Discord server run by and for the DFIR community.

Books & reading materials

Industry Reports
Industrial Control Systems: Engineering Foundations and Cyber-Physical Attack Lifecycle - A must-read whitepaper by Dr. Marina Krotofil. This technical white paper serves as an introduction to cyber-physical security science and the art of cyber-physical attacks from an adversarial viewpoint, giving a comprehensive yet accessible overview of industrial control systems, their security needs, and the attacks against them. Chapter 4, on the cyber-physical attack lifecycle, is a technical exploration of the ICS attack surface. The paper also draws on incidents such as the Maroochy Shire sewage spill and the Los Angeles traffic-signal sabotage, both carried out by insiders who abused their knowledge of and access to the control systems.
Digital Investigation Techniques: A NIST Scientific Foundation Review - An assessment of the scientific foundations of digital forensics. The authors examined descriptions of digital investigation techniques from peer-reviewed sources, academic and classroom materials, technical guidance from professional organizations, and independently published sources.
Verizon DBIR - Verizon's Data Breach Investigations Report (DBIR) provides an annual analysis of security incidents and data breaches, with the information and analysis broken down by sector. Public sector organizations are key contributors to the report each year.
Mandiant APT1 Report - Mandiant's 2013 report on APT1, one of dozens of threat groups Mandiant tracks around the world and, in Mandiant's words, one of the most prolific in terms of the sheer quantity of information it has stolen. The report attributed the group to PLA Unit 61398 and remains a reference example of public threat-actor attribution.

Must have books

Digital Forensics with Open Source Tools - The definitive book on investigating and analysing computer systems and media using open source tools. It is a technical procedural guide that explains the use of open source tools on Mac, Linux, and Windows systems as a platform for performing computer forensics.
File System Forensic Analysis - Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because so little documentation exists. Security expert Brian Carrier has written the definitive reference for everyone who wants to understand, and be able to testify about, how file system analysis is performed.
The Art of Memory Forensics - Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics, now one of the most sought-after skills in the digital forensics and incident response fields.

Training courses

Online Training
Free Short Course: Digital Forensics - With the drastic shift to online everything in 2020, cyber criminals made some daring moves, and forensic investigations have become more and more common as a result. This short course offers an introduction to the provider's full Digital Forensics subject, including a high-level view of the emerging and evolving digital forensics field, investigating, detecting and preventing digital crimes, formulating a digital forensics process, and more.
Free Short Course: Cyber Warfare and Terrorism - This four-week short course introduces the rise of state-sponsored cyber attacks, a concept that only a few years ago seemed within the realm of science fiction. It covers the major classes of cyber weapons (trojans, worms and distributed denial of service) as well as sophisticated hacking, the history of nation-state involvement in cyber attacks, and the looming threat of cyber attacks from terrorist organisations.
Free - DFIR Diva IR Training - Elan, aka DFIR Diva, provides free incident response training for entry-level Incident Response Analysts who want to learn more about digital forensics and analysis on a limited budget.
Free - Hal Pomeranz's Linux Forensics Intro - Course materials and a lab virtual machine for an introductory course in Linux forensics.
Free - MITRE ATT&CK Training - Designed to teach students how to apply the MITRE ATT&CK framework to help mitigate current threats. It works through the framework's tactics (12 at the time the course was written; the Enterprise matrix now has 14), helping students develop a thorough understanding of the techniques behind various attack vectors. The training is free; certification is paid.
Malware Unicorn's Reverse Engineering 101 - This workshop provides the fundamentals of reverse engineering (RE) Windows malware through hands-on experience with RE tools and techniques. It covers RE terms, processes, basic x86 assembly, RE tools, and malware techniques.
Splunk Fundamentals 1 - Teaches you how to search and navigate in Splunk, use fields, get statistics from your data, and create reports, dashboards, lookups and alerts, with scenario-based examples and hands-on challenges.
Binary Analysis Course - A detailed walk-through of each step taken when analysing malware, focusing on the thought process as much as the technical analysis.
TryHackMe Cyber Security Training - Interactive lessons for hands-on learning, including network simulations and technology based on real-world examples.
Become a Microsoft Sentinel Ninja: The complete level 400 training - A training program of 16 modules, each with presentations and supporting information.
DFIR Cheatsheet - Curated by Jai Minton, this page collects a variety of commands and concepts gathered through experience, education, tutorials, blogs, videos, professional training, and more.
Google Technical Writing Course - Learn the basics of technical writing; being able to write a clear report is as much part of DFIR as the analysis itself.

Blueteam training platforms

I have not personally used any of these platforms, but am sharing the list; if you have any feedback on them, feel free to let me know!

Online Training
Blue Team Labs Online - Gamified challenges for defenders to practise security investigations across incident response, digital forensics, security operations, reverse engineering and threat hunting. Free and paid tiers are available.
CyberDefenders: Blue Team CTF Challenges - Blue-team CTF labs in the same areas (incident response, digital forensics, security operations, reverse engineering and threat hunting), with free access to a set of challenges.
LetsDefend: Blue Team Training Platform - An online SOC analyst and incident response training platform for blue team members.

Capture the flag archives

Capture The Flag Competitions (Archives)
ACSC cyber security challenge - The ACSC has released a simulated cyber incident challenge so anyone can test or improve their cyber response ability and forensic skills. Organisations may wish to use the challenge as a group training exercise for cyber security staff. The challenge was originally run at the BSides Canberra conference in April 2021.
Metaspike Email Forensics CTF Competition - Email forensics CTF challenges from 2021-2022 are available with solutions. Sign up to be notified when the next CTF challenge is run.
MUS2019 DFIR CTF - The DFIR CTF that was run at the Magnet User Summit in 2019, now open to the public.
About DFIR Challenge Links - A much larger and more comprehensive list of DFIR CTF challenges and archives.