Hello all! Back again, though not as soon as I had thought. Anyway, today I want to tell those who haven't already heard about the training offered by Brett Shavers. His courses have recently moved to a new home at https://www.patreon.com/DFIRtraining. This is where you will find all his current courses, as well as new courses as they come out. All courses are bundled and available for a monthly subscription.
I reviewed his old WinFE course four years ago. You can read it HERE, although that course is no longer active. I have also had access to his older X-Ways Forensics course and learned a lot from it.
While I haven't taken any of his newest training, the courses I've seen were great. The material itself is very well prepared and presented. The video and audio quality is also good, with items on screen easy to see and understand.
DFIR training is usually very expensive, as we all know. Brett is offering some high quality training at a fraction of the cost of many other courses. I plan to become one of his Patreon supporters soon and experience his newest offerings.
Brett also started a DFIR oriented social network at https://social.dfir.training/. There are currently three groups on the site. One group is for DFIR Book Giveaways. Group members have the opportunity to win DFIR related books on a monthly basis. The other two groups are a SANS FOR 508 study group and a WinFE group.
Kudos to Brett for all he's doing with these sites. I encourage you to support him on his Patreon page and take part in some good DFIR training.
Tuesday, December 4, 2018
Tuesday, August 28, 2018
Life Update, a little Object ID research and More
It's been just over two years since I retired from the police department. As a retiree, I've enjoyed a lot of time with my wife, kids and grandkids, spent a lot of hours on my tractor, taken many walks in the woods and generally enjoyed life. As much as I've enjoyed my time off, I've realized I'm too young to be "really" retired.
While trying to figure out what I want to be when (if) I grow up, the field of digital forensics is always at the top of my list. I've missed the fun of learning cool new things and I miss solving cases. I often think back to my first case and how much I enjoyed doing that investigation. Finding what was on the computer and being able to report how and when it got there was so cool. Doing my own testing to find how artifacts were created and using that testing to help me tie the illegal materials in question to a certain user account, eventually getting a conviction was something I'll never forget.
I know that getting into forensics in the private sector won't be easy for me. I've accepted the possibility that it may never happen, but I'm going to give it a try. I know I have much to learn and catch up on. But honestly, learning the material is at least half the fun, right?
-------------------------
Speaking of learning, I watched the Forensic Lunch Test Kitchen with David Cowen a few days ago. In the video, he demonstrated the difference between Windows 7 and Windows 10 when it comes to the creation of an Object ID for a file. I recreated the test he did here and got the same results of course. But I started thinking about what may or may not change those results.
I wondered what might happen if I created the file as David did and then copied it to another location on the disk. I created a file called Never-opened.txt in my Documents folder. It was automatically given an object ID as expected from the earlier test. Next, I copied the file to another folder and used fsutil once again to check for an object ID for the copied file. In this case, no object ID was assigned.
Finally, I cut the file from its original location and pasted it to another folder. The object ID traveled with the file to its new location. I went back and opened the copied file and, as expected, a new object ID was created for it. This testing all occurred on a Windows 10 Home system.
After talking with David, I've got a few other things I want to test as well. I'll post more when that's been done.
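The create/copy/move check described above, written out as an added example so it can be rerun on another machine. This is not code from the original post, nor David Cowen's or Brett Shavers's; the file names and folders are assumptions, and so is the regex used to read `fsutil objectid query` output (the "Object ID :" line). One deliberate deviation: the post relied on Windows 10 assigning the object ID automatically when the file was created through Explorer. NTFS does not assign one on its own; the shell and link-tracking code request it, so a file written from PowerShell may come back with none. In that case the script uses `fsutil objectid create` to set one, so the copy-versus-move comparison can still be observed. `fsutil` needs an elevated prompt.

```powershell
# Added example (not from the original post): repeat the copy/move Object ID
# test with fsutil. Run from an elevated PowerShell prompt on an NTFS volume.
# All paths below are assumptions and can be changed.

function Get-NtfsObjectId {
    param([Parameter(Mandatory)][string]$Path)
    # fsutil prints "Object ID : <32 hex digits>" when an ID exists and an
    # error line when it does not. Parsing that line is an assumption about
    # fsutil's output format; the exit code is not relied on.
    $out = & fsutil.exe objectid query $Path 2>&1 | Out-String
    if ($out -match '(?m)^\s*Object ID\s*:\s*([0-9A-Fa-f]{32})') { return $Matches[1] }
    return $null
}

function Show-ObjectId {
    param([string]$Label, [string]$Path)
    $id = Get-NtfsObjectId -Path $Path
    if ($id) { "{0,-20} {1}  ObjectId={2}" -f $Label, $Path, $id }
    else     { "{0,-20} {1}  (no Object ID)" -f $Label, $Path }
}

# Assumed test locations: the user's Documents folder and a scratch folder in it.
$docs    = [Environment]::GetFolderPath('MyDocuments')
$scratch = Join-Path $docs 'ObjectIdTest'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

$original = Join-Path $docs    'Never-opened.txt'
$copied   = Join-Path $scratch 'Never-opened-copy.txt'
$moved    = Join-Path $scratch 'Never-opened-moved.txt'
Remove-Item $original, $copied, $moved -ErrorAction SilentlyContinue

# 1. Create the file. Created through Explorer, Windows 10 gave it an ID at
#    once; created from PowerShell it may have none, so assign one explicitly
#    (a deviation from the post's test) so steps 2 and 3 still mean something.
Set-Content -Path $original -Value 'never opened' -Encoding ASCII
if (-not (Get-NtfsObjectId -Path $original)) {
    & fsutil.exe objectid create $original | Out-Null
}
Show-ObjectId 'created' $original

# 2. Copy: the copy is a new file and does not receive the original's ID.
Copy-Item -Path $original -Destination $copied
Show-ObjectId 'copy' $copied

# 3. Move within the same volume: a rename, so the file record keeps its
#    $OBJECT_ID attribute and the ID travels with it.
Move-Item -Path $original -Destination $moved
Show-ObjectId 'moved' $moved

# 4. To reproduce the last step of the post, open the copy from Explorer
#    (double-click), then re-run:  Get-NtfsObjectId -Path $copied
```

Two caveats worth keeping in mind when extending the test: object IDs are indexed per volume (the `$ObjId` index under `$Extend`), and a move across volumes is a copy followed by a delete, so in that case the ID does not travel the way it does for a same-volume move.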
-------------------------
Finally, Brett Shavers wrote an excellent post on his blog How to start a digital forensic lab in your police department. The experiences he talked about were very similar to mine. He's absolutely right that you can make it happen, but it takes a lot of work and commitment to get it done. I was fortunate to have a chief who was very receptive to my ideas and helped me make it happen.
I wrote several grants to get funding for software and hardware. In addition to federal grants, I was able to obtain funding from two different local foundations and one corporation. I like writing anyway, so getting to write a grant narrative explaining what I wanted and why was an enjoyable part of the process.
Brett also talked about training. Like he mentioned, I paid my own way through some of my training (SANS FOR 508, 526 (old version) and 558 (old network forensics course)). However, being in law enforcement, I also had the opportunity to attend training put on by the National White Collar Crime Center (NW3C). I took the NW3C BDRA and IDRA courses and those gave me an excellent introduction to the world of forensics prior to my SANS course attendance. If you are in law enforcement, make sure you take advantage of the courses available to you for free through the NW3C.
-------------------------
That's it for now. I hope to start posting a little more often as time allows. Be well!