How do you know if your DFIR case will be an amazing case or a case from hell?

How do you know if your DFIR case will be an amazing case or a case from hell? The worst way to find out is when you check the news and see your name and case blasted everywhere online.

The answer: You won’t know until it is too late.

When you are working a case (or incident), some of the first things that go through your mind are:

**Is this case important?

**Will this case substantially impact my job, career, or organization (negative or positive impact)?

**Will this case become publicly scrutinized?

**Will this case be picked apart at a trial?

Well! Here is the flow chart with the answer before you start the case.

Of course, there are many factors to consider for every case, but one of the most frustrating factors is not knowing if the case will be a great (positively important to the organization or public)

Read more

***UPDATE:    Check out https://www.dfir.training/dfir-training-blog/more-testing-with-the-deepspar-guardonix for additional testing results (hint: Imaging was way faster)***

Short version:

You want this write blocker (because it is not just a write blocker).

Longer version:

I wrote up my personal opinions of the DeepSpar Guardonix here: https://www.dfir.training/dfir-blog/if-you-don-t-already-have-a-deepspar-guardonix-you-might-want-to-get-one . If you don’t know what the Guardonix is, take a look at the post. Basically, this is the most economical data recovery device that recovers bad sectors and works as a write-blocker along with a few other really neat features. It is not just a write-blocker. It is way more.

So then comes an update…and then another update…

As I mentioned, the Guardonix is not just a write-blocker. It is a hardware device that can work through bad sectors better than any write-blocker on the market short of an all-out-data-recovery-device, especially since write-blockers are not designed to recover data from bad drives. They only block writes.

Not

Read more

If you work in DFIR, you are an investigator.

To think otherwise is to do yourself and your cases a disservice. By this, I mean that the most basic task in the DFIR field is to find out what happened, and this is the purest definition of an investigator: find the truth of the matter .

https://www.dictionary.com/browse/investigator

Your specific job function may be completely different from many others in the same field, that is to say the DF might be a world apart from the IR. But for any practical discussion, the entire purpose of DF/IR is to employ an investigative process to uncover, discover, analyze, and interpret clues in order to reassemble the past. Whether the “past” is a breached system or reconstructing a crime that was committed using a computing device, the investigative intention is the same.

If you already had investigative training before getting into DFIR, you

Read more

We have plenty of negative news in the media, and our lives have changed. I foresee the future of our workplaces and education evolving into something drastically different. We are already seeing the amazing ability to operate businesses with more remote workers than ever thought possible. Educational institutions seamlessly flipped a switch and turned classrooms into online learning, effectively eliminating all the problems associated with travel on the roadways.

Gain New Skills and Knowledge. Make Your Own Experience. Increase Your Competence.

Many of us have no choice but to work from home during this pandemic.  Some of us may not even have working-from-home as an option. But both situations can benefit from the changes the world is going through, specifically in being granted more time and more opportunity to learn .

The important stuff

If your employer is trying to find ways to pay you if you have been sent

Read more

One of the coolest things about the DFIR field is the research! For those with time to research some minute detail of forensics, there is no cooler job in the world! Unfortunately, many of us don’t have near the time to research as much as we could, even though there are so many topics and sub-topics and sub-sub-topics that could use a good drilling down to figure out.

We have a plethora of students and researchers who have the time (and sometimes, it is part of their job or homework) to conduct the research that this field needs. The one thing that I have found when you have the time to research is deciding what to research. For some reason, when I am up to my elbows in data, I come up with a dozen topics that I want to research as soon as I get the time. Then….I get

Read more
Want to improve in #DFIR? Study someone else’s case work.

I recently did a case study for a class, using a real case from one of the students in class.  When I get to do this on a real case, it is quite the opportunity to both learn and teach.  I review cases often, both as a peer reviewer and for personal training exercises, but when I say, “real case”, I mean that is where I get to see the entire case and have access to the investigator/examiner.

Three Types of #DFIR Case Studies

The depth of any case study is limited only by the amount and veracity of the case information. Do not discount any of the following types as not being as good as another because as you will see, each type of source material can give you different types of real benefits.

1-Training/Educational/Commercial-Fictional cases, or real cases that are fictionalized.

These types of cases are generally

Read more
The Second Decade of the 2000s is almost over!

We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown! Whether you were born or have been doing DFIR work during this period, there has been much going on.

We’ve gone from “pull the plug and image the entire drive” to “fit the process to the totality of the situation”.  Processes and methods have grown exponentially in what we keep learning about digital forensics. Whether we are triaging terabytes of data prior to collection or doing live examinations involving volatile memory, the field has grown quickly over the past two decades compared to simply imaging hard drives (which we still do of course).

Let’s fly over just some of the highlights of only a few of the areas. Keep in mind that there is so much that has happened, that I only selected a few

Read more

How do you know if you improved your skill and knowledge base over the past years, or even over the past week? Did you even improve anything from yesterday? And if you did, how do you know?  Are you better working the DFIR today than yesterday? There is something you can do to check.

Pit yourself against your most fearsome opponent: Yourself !

We are our own worst enemy in many facets of life. We are the most critical of ourselves compared to anyone, even compared against the most overprotective parents or the strictest music teacher you’ve ever had or seen. We are tough on ourselves. Let’s take that toughness and use it for a benefit!

To see how much you have grown and developed in DFIR skills, block out a day to check yourself against a younger version of yourself. If you have a case or analysis from years

Read more