Top products from r/computerforensics
We found 52 product mentions on r/computerforensics. We ranked the 59 resulting products by number of redditors who mentioned them. Here are the top 20.
2. Digital Forensics with Open Source Tools
Sentiment score: -3
Number of reviews: 4
Syngress Publishing
3. Incident Response & Computer Forensics, Third Edition
Sentiment score: 2
Number of reviews: 3
McGraw-Hill Osborne Media
4. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Sentiment score: 1
Number of reviews: 3
No Starch Press
5. X-Ways Forensics Practitioner’s Guide
Sentiment score: 2
Number of reviews: 3
Syngress Publishing
6. Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8
Sentiment score: 2
Number of reviews: 3
Syngress
8. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Sentiment score: 2
Number of reviews: 2
Wiley
11. Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
Sentiment score: 1
Number of reviews: 2
12. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 3rd Edition
Sentiment score: -2
Number of reviews: 2
13. Handbook of Digital Forensics and Investigation
Sentiment score: 1
Number of reviews: 2
Academic Press
14. Computer Forensics: Incident Response Essentials
Sentiment score: -1
Number of reviews: 1
15. Real Digital Forensics: Computer Security and Incident Response
Sentiment score: 1
Number of reviews: 1
16. Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Sentiment score: 0
Number of reviews: 1
Wiley Publishing
18. Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
Sentiment score: 1
Number of reviews: 1
Syngress Publishing
Every practitioner has his/her favourite toolset, but try not to limit yourself to any one tool (appreciate that your company isn't going to buy more than one platform at this stage for you). Learn EnCase by all means and go for your EnCE; practically all job adverts ask for either EnCE or ACE but aren't usually fussy about which. The reality is, if you can evidence that you can use EnCase, FTK or X-Ways to a good professional level, and you are being interviewed by a practitioner, they should understand that it wouldn't be a huge leap to learn another toolset. Ultimately, they all do a similar job in slightly different ways. My personal preference is for FTK, then X-Ways, and lastly EnCase (too many wasted hours/days getting back to where I was when it crashed out on me back in the day).
Ultimately more important than any tool or cert is going to be proving that you have a proper, deep understanding of CF principles, filesystems and so forth, know your hardware and are confident pulling things apart to image them and all that good stuff. Get yourself a book or three such as https://www.amazon.co.uk/Incident-Response-Computer-Forensics-Third/dp/0071798684 and think about answers to questions that a good interviewer will ask you - tell me how you would evidence that this user did a certain thing, show me where you would look for this particular file and what its significance might be, explain to me when/how this data got deleted etc. If you become a practitioner, these are the sorts of questions that will get thrown at you on a daily basis, sometimes by opposing counsel, and you will want to have the answers in your back pocket.
Good luck with your study. This is an awesome industry to get into...
I don't think there are really any prerequisites to get a good amount of learning out of the class. Understanding the types of attacks is a great start. In 2004 (at least I think it was that year), they only had one class (508), and on day 3, after we had gone over the bulk of how filesystems and computers work, we were doing an exercise based on hand-rebuilding a USB thumb drive's filesystem (it had been tampered with). A guy raises his hand and says, "You keep using the word rootkit, what is that?" The instructor thought he was being trolled at first. So having a pentesting cert will certainly help you (both as a pentester and with learning forensics, since you will learn that there is always evidence of some sort left behind).
All that being said though, you should at least be a little familiar with the following (though they do a great job of explaining these in the class):
Right now (well as of last year when I took the cert/class) the books are titled:
Harlan Carvey's books are an excellent resource.
Windows Registry Forensics, 2nd
Windows Forensic Analysis Toolkit 4th
My first time using the formatting features, so hopefully I didn't screw that up. Feel free to PM me if you have more questions. I have a bunch of SANS certs and have been doing this for ages. I am always happy to help someone who's learning!
Edit: the 2nd book link isn't showing up, so fixed that.
Aside from SANS FOR508 (the course on which the cert is based) the following helped me:
Windows Registry Forensics
Windows Forensic Analysis Toolkit 2nd ed
Windows Forensic Analysis Toolkit 4th ed
The 2nd edition covers XP, the 4th covers 7/8
Digital Forensics with Open Source Tools
File System Forensic Analysis
This is a new book, but I imagine it'll help as well:
The Art of Memory Forensics
I read many of these in preparation for taking mine, but your best resources are the SANS class/books, which are what the cert tests on. Having a good index is key.
There may be other classes out there that might help, but I have no firsthand experience with them, so I can't say what I recommend. All the above books, however, are amazing. Very much worth your time and money.
I highly suggest this book: https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172
While it's been out a bit, as far as I know, it still stands as the definitive source for NTFS file systems.
I went to X-Ways training last year in New York. Take good notes. I mean really good notes. X-Ways is very different from EnCase or FTK. You need to understand how file systems work. It is NOT a push-button tool. However, you will get way more information for your cases by using X-Ways; it's a great tool.
Are you doing regular forensic case work? If not, consider purchasing Brett Shavers' course: http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide-online-and-on-demand-course and book: https://www.amazon.com/X-Ways-Forensics-Practitioners-Guide-Shavers/dp/0124116051/ref=sr_1_1?s=books&ie=UTF8&qid=1492443886&sr=1-1&keywords=xways+forensics+practitioner. They will be invaluable resources while you learn.
Good luck and have fun!
Do you have the image file itself?
If yes, open it in a tool like Active@ Disk Editor (http://www.disk-editor.org/). This tool highlights disk structures in colours and gives verbose information so you can easily understand what parts of the disk/image you're looking at. Great way to start off and learn things about filesystems. I also highly recommend the File System Forensics book by Brian Carrier (https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172).
Brian Carrier's book on File System Forensics is a must: http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172
Next, any of Harlan Carvey's books. These cover the basic (as well as advanced) Windows artifacts such as the Registry, event logs and timeline creation. He also has lots of open source tools that he demonstrates in the books:
http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224/ref=sr_1_5?s=books&ie=UTF8&qid=1414266778&sr=1-5&keywords=harlan+Carvey
Check out the free SANS webcasts in their archives. Lots of good videos on forensic and security-related topics. They also have a free forensic toolkit called "SIFT", which is a VM loaded with free/open source forensic tools (Linux-based):
https://www.sans.org/webcasts/archive
Start with reference data sets: https://www.cfreds.nist.gov/
and free tools like Autopsy and SleuthKit: https://www.sleuthkit.org/autopsy/
And the bible on digital forensics: https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172
before worrying about proprietary tools like EnCase. Autopsy is like free EnCase. Same principles apply.
Computers will never go away. The trend right now is that everything is going mobile, and that is why there is much more emphasis on mobile devices in general. However, depending on what you decide to do (private v. public sector), you will always see computers come in. Not to mention, before I would advocate someone move to HFS+ or ext2-4 file systems, they should have an understanding of how FAT and NTFS work anyway. They are the easiest to understand, and it will definitely help later on when you need to start traversing through an iOS or Android device.
http://www.amazon.com/Handbook-Digital-Forensics-Investigation-Eoghan/dp/0123742676
Hands down my favorite book when I was starting out
Since this is the subreddit for DFIR, that's what you're going to end up with as far as suggestions go. For pentesting stuff, checkout:
-Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 (this has some labs, but just reading through the various weaknesses in WebApps will be a great start)
-The Hacker Playbook: https://www.amazon.com/dp/1512214566/ref=pd_lpo_sbs_dp_ss_1?pf_rd_p=1944687742&pf_rd_s=lpo-top-stripe-1&pf_rd_t=201&pf_rd_i=1118026470&pf_rd_m=ATVPDKIKX0DER&pf_rd_r=1NSA1RZZ3WQTP374S9WK
Red Team Field Manual: https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=pd_bxgy_14_img_2?ie=UTF8&psc=1&refRID=S7FG8F9TCMZMM9HVX2TN
Those two are good general pentesting books. You might also try /r/AskNetsec for other suggestions.
This is your curriculum:
1 & 2 below are basically required reading in my CSIRT; 3 is optional, but advisable.
Next get yourself and/or your organization to participate in FIRST
Short answer: yes. Scripting is helpful in DF, especially if you're in an IR role where you're dealing with data from many different systems. Python is far and away the most common, although plenty of folks use other languages.
You could go the conventional "take a class about it" route: http://classlist.champlain.edu/course/description/number/dfs_510/register/false
Or you could just teach yourself: https://www.amazon.com/Learning-Python-Forensics-Preston-Miller/dp/1783285230
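The comments above about opening an image in a disk editor, understanding FAT before moving on to other file systems, and scripting in Python for forensics all point at the same exercise, so here is one added example (my own illustration, not code from any of the posters or from the books they recommend). It builds a constructed FAT12 image in memory, parses the boot sector the way you would read it off a disk editor's colour-coded view, walks the root directory, follows a FAT cluster chain for a live file, and shows why a deleted file (first byte of its directory entry set to 0xE5, FAT chain released) can still be recovered from the start cluster and size the entry retains. The file names, contents and timestamps in the sample image are invented for the example.

```python
"""FAT12 boot sector / root directory parser over a constructed sample image.
Added example; the layout follows the FAT specification, the sample data is invented."""
import struct
from dataclasses import dataclass

BPS = 512                                        # bytes per sector in the sample image
NOTES_CONTENT = b"A" * 512 + b"B" * 88           # 600-byte live file spanning two clusters
SECRET_CONTENT = b"payroll data here!!!"         # 20-byte file that has been deleted


@dataclass
class BootSector:
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    num_fats: int
    root_entries: int
    total_sectors: int
    sectors_per_fat: int

    @property
    def fat_offset(self) -> int:            # first FAT follows the reserved area
        return self.reserved_sectors * self.bytes_per_sector

    @property
    def root_dir_offset(self) -> int:       # root directory follows all FAT copies
        return self.fat_offset + self.num_fats * self.sectors_per_fat * self.bytes_per_sector

    @property
    def data_offset(self) -> int:           # data area follows the fixed-size root directory
        return self.root_dir_offset + self.root_entries * 32

    def cluster_offset(self, n: int) -> int:  # cluster numbering starts at 2
        return self.data_offset + (n - 2) * self.sectors_per_cluster * self.bytes_per_sector


@dataclass
class DirEntry:
    name: str
    attr: int
    first_cluster: int
    size: int
    write_time: tuple
    write_date: tuple
    deleted: bool


def parse_boot_sector(img: bytes) -> BootSector:
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    # BPB fields at offset 11: bytes/sector, sectors/cluster, reserved, FATs,
    # root entries, total sectors (16-bit), media byte, sectors/FAT
    bps, spc, reserved, nfats, root_entries, total, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    return BootSector(bps, spc, reserved, nfats, root_entries, total, spf)


def fat12_entry(img: bytes, bs: BootSector, n: int) -> int:
    off = bs.fat_offset + n + n // 2                # 12-bit entries packed 2 per 3 bytes
    val = struct.unpack_from("<H", img, off)[0]
    return val >> 4 if n & 1 else val & 0x0FFF


def cluster_chain(img: bytes, bs: BootSector, first: int) -> list:
    chain, n = [], first
    while 2 <= n < 0xFF8 and len(chain) < bs.total_sectors:   # 0xFF8+ marks end of chain
        chain.append(n)
        n = fat12_entry(img, bs, n)
    return chain


def decode_date(v: int) -> tuple: return (1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)
def decode_time(v: int) -> tuple: return (v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2)
def encode_date(y: int, m: int, d: int) -> int: return ((y - 1980) << 9) | (m << 5) | d
def encode_time(h: int, mi: int, s: int) -> int: return (h << 11) | (mi << 5) | (s // 2)


def list_root_directory(img: bytes, bs: BootSector) -> list:
    entries = []
    for i in range(bs.root_entries):
        e = img[bs.root_dir_offset + 32 * i: bs.root_dir_offset + 32 * (i + 1)]
        if e[0] == 0x00:
            break                                   # no entries beyond this point
        if e[11] == 0x0F:
            continue                                # long-file-name entry, skip for brevity
        deleted = e[0] == 0xE5                      # deletion overwrites only the first byte
        base = (b"?" + e[1:8] if deleted else e[0:8]).decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        wtime, wdate, first_cluster, size = struct.unpack_from("<HHHI", e, 22)
        entries.append(DirEntry(f"{base}.{ext}" if ext else base, e[11], first_cluster, size,
                                decode_time(wtime), decode_date(wdate), deleted))
    return entries


def read_file(img: bytes, bs: BootSector, entry: DirEntry) -> bytes:
    """Live file: follow the FAT chain and trim to the recorded size."""
    csize = bs.sectors_per_cluster * bs.bytes_per_sector
    data = b"".join(img[bs.cluster_offset(c): bs.cluster_offset(c) + csize]
                    for c in cluster_chain(img, bs, entry.first_cluster))
    return data[:entry.size]


def recover_deleted(img: bytes, bs: BootSector, entry: DirEntry) -> bytes:
    """Deleted file: the FAT chain is gone, but the entry still holds the first cluster and
    size, so read `size` bytes from there (assumes the file was stored contiguously)."""
    start = bs.cluster_offset(entry.first_cluster)
    return img[start:start + entry.size]


def _set_fat12(fat: bytearray, n: int, val: int) -> None:
    off = n + n // 2
    cur = struct.unpack_from("<H", fat, off)[0]
    cur = (cur & 0x000F) | (val << 4) if n & 1 else (cur & 0xF000) | (val & 0x0FFF)
    struct.pack_into("<H", fat, off, cur)


def _dir_entry(name: str, ext: str, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    e = bytearray(32)
    e[0:8], e[8:11], e[11] = name.ljust(8).encode(), ext.ljust(3).encode(), 0x20   # archive attr
    struct.pack_into("<HHHI", e, 22, encode_time(14, 30, 10), encode_date(2017, 4, 17), first_cluster, size)
    if deleted:
        e[0] = 0xE5
    return bytes(e)


def build_sample_image() -> bytes:
    """Constructed 32 KiB FAT12 image: 1 reserved sector, 2 FATs of 1 sector, 16 root entries."""
    img = bytearray(64 * BPS)
    img[0:3], img[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", img, 11, BPS, 1, 1, 2, 16, 64, 0xF8, 1)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(BPS)
    fat[0:3] = b"\xF8\xFF\xFF"                      # media descriptor + reserved entries
    _set_fat12(fat, 2, 3); _set_fat12(fat, 3, 0xFFF)   # NOTES.TXT: cluster 2 -> 3 -> EOC
    img[512:1024], img[1024:1536] = fat, fat        # cluster 4 stays 0: freed on deletion
    root = _dir_entry("NOTES", "TXT", 2, 600) + _dir_entry("SECRET", "DOC", 4, 20, deleted=True)
    img[1536:1536 + len(root)] = root
    img[4 * BPS: 4 * BPS + 600] = NOTES_CONTENT     # clusters 2 and 3
    img[6 * BPS: 6 * BPS + 20] = SECRET_CONTENT     # cluster 4, content never wiped
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    boot = parse_boot_sector(image)
    for ent in list_root_directory(image, boot):
        body = recover_deleted(image, boot, ent) if ent.deleted else read_file(image, boot, ent)
        print(ent.name, "deleted" if ent.deleted else "live", ent.first_cluster, ent.size, body[:16])
```

Two things the parser makes visible that a push-button tool hides: the 0xE5 marker explains why a deleted name comes back as "?ECRET.DOC" (the first character is genuinely lost), and the recovery routine only works because the directory entry, not the FAT, carries the start cluster and size; once cluster 4 is reused the content is gone, which is exactly the "when/how did this get deleted" question an interviewer or opposing counsel will ask.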
Check this out. Goes from really beginner-level stuff to more experienced by the end of the first section. This book will answer all your questions about tools during all phases of forensic analysis. Hope it helps.
Digital Forensic workbook is a great source for building foundational knowledge on many of the general computer forensic techniques. It covers info such as file system forensics, acquisition, software write blocking, registry analysis, email analysis, internet history analysis, recovering data in unallocated space, etc. Labs are included with the book so you can test the content learned against sample data.
Learning Malware Analysis guides you through static analysis, dynamic analysis, using IDA Pro, and other disassemblers to determine the intent of malicious files.
Practical Malware Analysis
Wireshark Network Analysis
This one (I am Eric Z):
https://www.amazon.com/X-Ways-Forensics-Practitioners-Guide-Shavers/dp/0124116051/ref=sr_1_1?ie=UTF8&qid=1505388350&sr=8-1&keywords=x-ways
You can also look at the official YouTube videos X-Ways has done, as well as http://www.xwaysclips.co.uk/
Again, feel free to hit me up with any questions.
Read this book front to back; if you don't understand something, ask on reddit/twitter. Use the second link to find training images and the tools to analyze them for active training. Bury your nose in this and you'll land a job within 6 months, even at a firm like Mandiant (the book was co-authored by the founder).
https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684
https://www.dfir.training/
Mind sharing the links? There are a few "Hack this site" websites ranging from user-uploaded files, and I've seen one which is more based on JavaScript and SQL injection.
Have you thought about looking at crackme? There's also the Microsoft Blue Hat Challenge. Forensic Focus also provide a list of resources to practice with.
There are always books as well. I'm currently working through Real Digital Forensics, which comes with the files used in the book and explains how they were gathered and how to view them.
There's plenty of resources out there, but you've got to be a bit more specific on what challenge you're looking for, as there's a range of subjects.
My recommendations then for self study:
Read all those and you will be in good shape ;)
EDIT: I hate trying to get reddit to do what I want.
Maybe try the one below:
https://www.amazon.com/Handbook-Digital-Forensics-Investigation-Eoghan/dp/0123742676
https://smile.amazon.com/Learning-Python-Forensics-Preston-Miller/dp/1783285230
I suggest Harlan Carvey’s new book:
Investigating Windows Systems
https://www.amazon.com/dp/0128114150/ref=cm_sw_r_cp_api_i_omwACb023MNYY
50% off the online course, includes a print copy of the book it is based upon if you live within the US/Canada (https://www.amazon.com/X-Ways-Forensics-Practitioners-Guide-Shavers/dp/0124116051).
I don't have any ties to the X-Ways company, other than using X-Ways for more than a decade, writing a book about it, and teaching it at universities and other courses, so I can't offer any discounts on the software. Although, I can say you can buy 2 or 3 licenses of X-Ways compared to a single license of FTK or EnCase...
I would get a book on how to use open source tools. This is the one that I have myself.
http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867
No problem at all, I'll explain.
I'm new to the forensic department; my past experience has been with areas not directly related to computers. The below is one such example of a field that contains almost no computer-related content:
https://www.amazon.com/How-Be-Invisible-Protect-Children/dp/1250010454
This book is pretty much the top in the field despite being a few years old, and mentions very little (if anything) about computers.
Try these tools and this book.
I'm thinking of starting with Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet by Eoghan Casey.
Warren Kruse and Jay Heiser. Computer Forensics: Incident Response Essentials. Addison Wesley, 2001. You can purchase At https://www.amazon.com/Computer-Forensics-Incident-Response-Essentials/dp/0201707195
Carrier, B. File System Forensic Analysis. Addison-Wesley, Reading, PA., Mar. 2005. (Available at https://www.kobo.com/us/en/ebook/file-system-forensic-analysis-1)
Carvey, H. (2014). Windows forensic analysis toolkit: Advanced analysis techniques for Windows 8; Waltham, MA: Syngress.
Altheide, C., Carvey, H. A., & Davidson, R. (2011). Digital forensics with open source tools. Amsterdam: Elsevier/Syngress. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)
Carvey, H. A. (2005). Windows forensics and incident recovery. Boston: Addison-Wesley.
Bunting, S. (2012). EnCase computer forensics: the official EnCE: EnCase certified examiner; study guide. Indianapolis, IN: Wiley.
Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons.
Casey, E. (2017). Digital evidence and computer crime: forensic science, computers, and the Internet. Vancouver, B.C.: Langara College. Available at https://www.amazon.com/Digital-Evidence-Computer-Crime-Computers/dp/0123742684