Best products from r/computerforensics

We found 43 comments on r/computerforensics discussing the most recommended products. We ran sentiment analysis on each of these comments to determine how redditors feel about different products. We found 59 products and ranked them based on the amount of positive reactions they received. Here are the top 20.

Top comments mentioning products on r/computerforensics:

u/Shoes__Buttback · 2 points · r/computerforensics

Every practitioner has his/her favourite toolset but try not to limit yourself to any one tool (appreciate that your company isn't going to buy more than one platform at this stage for you). Learn EnCase by all means and go for your ENCE, practically all job adverts ask for either ENCE or ACE but aren't usually fussy about which. The reality is if you can evidence that you can use EnCase, FTK, or X-ways to a good professional level, if you are being interviewed by a practitioner they should understand that it wouldn't be a huge leap to learn another toolset. Ultimately, they all do a similar job in slightly different ways. My personal preference is for FTK, then X-ways, and lastly EnCase (too many wasted hours/days getting back to where I was when it crashed out on me back in the day).

Ultimately more important than any tool or cert is going to be proving that you have a proper, deep understanding of CF principles, filesystems and so forth, know your hardware and are confident pulling things apart to image them and all that good stuff. Get yourself a book or three such as https://www.amazon.co.uk/Incident-Response-Computer-Forensics-Third/dp/0071798684 and think about answers to questions that a good interviewer will ask you - tell me how you would evidence that this user did a certain thing, show me where you would look for this particular file and what its significance might be, explain to me when/how this data got deleted etc. If you become a practitioner, these are the sorts of questions that will get thrown at you on a daily basis, sometimes by opposing counsel, and you will want to have the answers in your back pocket.

Good luck with your study. This is an awesome industry to get into...

u/syneater · 2 points · r/computerforensics

I don't think there are really any prerequisites to get a good amount of learning out of the class. Understanding the types of attacks is a great start. In 2004 (at least I think it was that year), they only had one class (508) and on day 3, after we had gone over the bulk of how filesystems and computers work, we were doing an exercise based on hand rebuilding a USB thumb drive's filesystem (it had been tampered with). A guy raises his hand and says "You keep using the word rootkit, what is that?" The instructor thought he was being trolled at first. So having a pentesting cert will certainly help you (both as a pentester and with learning forensics since you will learn that there is always evidence of some sort left behind).

All that being said though, you should at least be a little familiar with the following (though they do a great job of explaining these in the class):

  • windows registry
  • different filesystems (exfat, ntfs, fat*)
  • a general understanding of how windows works

Right now (well as of last year when I took the cert/class) the books are titled:

  • Windows Digital Forensics and Advanced Data Triage
  • Core Windows Forensics Part 1 - Registry and USB Device Analysis
  • Core Windows Forensics Part 2 - Email Forensics
  • Core Windows Forensics Part 3 - Window Artifact and Log File Analysis
  • Core Windows Forensics Part 4 - Web Browser Forensics (Firefox, IE & Chrome)

Harlan Carvey's books are an excellent resource.

Windows Registry Forensics, 2nd

Windows Forensic Analysis Toolkit 4th

My first time using the formatting features, so hopefully I didn't screw that up. Feel free to PM me if you have more questions. I have a bunch of SANS certs and have been doing this for ages. I am always happy to help someone who's learning!

Edit: the 2nd book link isn't showing up, so fixed that.

u/LaMaPuppy · 4 points · r/computerforensics

Aside from SANS FOR508 (the course on which the cert is based) the following helped me:

Windows Registry Forensics

Windows Forensic Analysis Toolkit 2nd ed

Windows Forensic Analysis Toolkit 4th ed

The 2nd edition covers XP, the 4th covers 7/8

Digital Forensics with Open Source Tools

File System Forensic Analysis

This is a new book, but I imagine it'll help as well:

The Art of Memory Forensics

I read many of these in preparation for taking mine, but your best resources are the SANS class/books, which are what the cert tests on. Having a good index is key.

There may be other classes out there that might help, but I have no firsthand experience with them, so I can't say what I recommend. All the above books, however, are amazing. Very much worth your time and money.

u/1point21gigahertz · 1 point · r/computerforensics

For CAINE, standard USB3.0 2.5" external HDDs would be fine. 2.5" drives so that you don't need to find additional power.
The older computer won't have USB3.0.

Anything stored on a server, unless newly updated, won't have USB3.0. Consider a laptop and doing some sort of network gigabit file transfer instead for the PST/email files. Gigabit vs USB2.0...gigabit wins hands down. Companies / enterprises have great networks and fast server storage so network is the way to go. Consider a crossover cable, might be necessary for direct server to laptop transfer, but better yet - get one of these: https://www.amazon.com/Cables-Unlimited-Cat6-Crossover-Adapter/dp/B00030BYJI
Wrap everything up in a logical image file (AD1 - FTK Imager).
Anything imaged using DD - create a compressed E01 of it afterwards to save space and time later.
Get a USB3.0 Hardware write blocker for Thumb drives - then attach any USB card reader to it for other types. You can then use one of these as well for Hard Drives - https://www.amazon.com/StarTech-com-External-Docking-Station-Drives/dp/B00U8KSLA8/ref=sr_1_8?s=pc&ie=UTF8&qid=1504501191&sr=1-8&keywords=sata+hard+drive. Might be able to find something cheaper.
Tableau is a popular brand, expensive: https://www.forensiccomputers.com/tableau-t8u.html
WiebeTech as well: https://www.cru-inc.com/products/wiebetech/usb-3-0-writeblocker/

With boot disks/bootable thumb drives - their equipment can do the work. Hardware write blocker now means you need a laptop to do on scene acquisition so that bumps your cost up. Make multiple disks and thumb drives - and you can do multiple things at once as opposed to a single laptop.
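A worked version of the dd-then-hash step described above, added here as an example and not part of u/1point21gigahertz's comment: the function images a source sector by sector the way `dd conv=noerror,sync` does (an unreadable sector is zero-filled rather than aborting the copy), records which sectors were bad, and returns the MD5/SHA-256 of what was actually written, which is the hash an E01 container or an acquisition log carries. `FlakyDisk` is a constructed in-memory stand-in for a device that fails on one sector, and the function names are mine, not from dd, FTK Imager or any other tool.

```python
import hashlib


class FlakyDisk:
    """Constructed stand-in for a block device (not a real device): a byte
    buffer in which reading the listed sectors raises OSError, as a
    failing drive does. It exists only so the example runs offline."""

    def __init__(self, data, bad_sectors=(), sector_size=512):
        if len(data) % sector_size:
            raise ValueError("data is not a whole number of sectors")
        self.data = data
        self.sector_size = sector_size
        self.bad = set(bad_sectors)

    @property
    def sectors(self):
        return len(self.data) // self.sector_size

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(5, "Input/output error")  # EIO, what dd sees
        start = n * self.sector_size
        return self.data[start:start + self.sector_size]


def acquire(disk):
    """Image `disk` sector by sector the way `dd conv=noerror,sync` does:
    an unreadable sector is replaced by zeros so every later offset in
    the image still lines up with the source, and the failure is recorded
    instead of aborting the acquisition.

    Returns (image_bytes, md5_hex, sha256_hex, bad_sector_list). The hashes
    are of what was WRITTEN, which is what an E01 container stores as the
    acquisition hash and what later verification is checked against."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    image = bytearray()
    bad = []
    for n in range(disk.sectors):
        try:
            chunk = disk.read_sector(n)
        except OSError:
            chunk = b"\x00" * disk.sector_size
            bad.append(n)
        image += chunk
        md5.update(chunk)
        sha.update(chunk)
    return bytes(image), md5.hexdigest(), sha.hexdigest(), bad


def verify(image_bytes, acquisition_sha256):
    """Re-hash a stored image and compare it with the acquisition hash:
    the check to run before analysis starts and again before the image
    leaves your hands."""
    return hashlib.sha256(image_bytes).hexdigest() == acquisition_sha256


# Constructed sample media: 8 sectors, each filled with one letter, sector 5 unreadable
SAMPLE_MEDIA = b"".join(bytes([0x41 + i]) * 512 for i in range(8))
SAMPLE_BAD = [5]

if __name__ == "__main__":
    image, md5, sha, bad = acquire(FlakyDisk(SAMPLE_MEDIA, SAMPLE_BAD))
    print("unreadable sectors zero-filled:", bad)
    print("acquisition md5:   ", md5)
    print("acquisition sha256:", sha)
    print("image verifies against acquisition hash:", verify(image, sha))
    print("hash of untouched source matches:       ", verify(SAMPLE_MEDIA, sha))
```

The point the two `verify` calls make: once a sector has been zero-filled, no hash of the original media can ever match the image, so the check that matters later is image-against-acquisition-hash, with the bad-sector list written into the acquisition notes alongside it.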

u/Corrsta · 3 points · r/computerforensics

Computer Forensics InfoSec Pro Guide was the first book I read when I landed my first DFIR job. It's a quick read, but it gave me a great foundation to work from.

If you haven't done so already, start messing around with Linux. As your coursework evolves, you will probably spend a lot of time in that type of environment, so it pays to become familiar with it now.

Lastly, and this may be an old way of thinking, but if your degree is entirely focused on forensics, you may be spreading yourself too thin when it comes to finding a job after graduation. Having a well-rounded computer science background will make you much more marketable. With that in mind, I recommend checking out the Open Source CS Degree as it's a free way to gain that knowledge on your own.

u/technogal · 2 points · r/computerforensics

I highly suggest this book: https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

While it's been out a bit, as far as I know, it still stands as the definitive source for NTFS file systems.

I went to X-Ways training last year in New York. Take good notes. I mean really good notes. X-Ways is very different from Encase or FTK. You need to understand how file systems work. It is NOT a push button tool. However, you will get way more information for your cases by using X-Ways; it's a great tool.

Are you doing regular forensic case work? If not, consider purchasing Brett Shaver's course: http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide-online-and-on-demand-course and book: https://www.amazon.com/X-Ways-Forensics-Practitioners-Guide-Shavers/dp/0124116051/ref=sr_1_1?s=books&ie=UTF8&qid=1492443886&sr=1-1&keywords=xways+forensics+practitioner. They will be invaluable resources while you learn.

Good luck and have fun!

u/JerseyJunto · 1 point · r/computerforensics

Generally speaking, your IT background should allow you to get into an entry level forensic position (though there aren't a ton of those). Public sector would be your best chance, but as has been stated most of those positions are sworn if it isn't a large agency. At one training, as we discussed our backgrounds, an officer stated that he was sent because he was able to help the Chief at his agency put an icon on his desktop. A lot of it is push button with procedures being the thing we worry about most. It's the non-low-hanging fruit that will require some IT skill.

3 to 4 years of IT experience should get you an interview. From there I would just read up on forensics in general and not worry too much about certifications. Most are vendor specific and each department/company is going to dictate what you use and most likely pay to train you.

On the mobile side I would suggest this book:

https://www.amazon.com/Mobile-Forensic-Investigations-Collection-Presentation/dp/1260135098/ref=sr_1_4?keywords=mobile+forensics&qid=1559139135&s=gateway&sr=8-4

I read the first edition and it was really spot on. Covers everything from seizing the device properly to performing an extraction and then presenting the data.

You should also start learning Python. The above book covers part of it and I use it almost daily to make things easier. Also, I build tools to help myself and other investigators so it is really a tool you should have in your arsenal.

Good luck!

u/tigerhp · 5 points · r/computerforensics

Your question is not very specific (as to whether you are asking about hardware, software or physical requirements), and therefore I'll reply with a general answer.

UNDERSTAND WHAT YOU NEED:
I suggest you first gather the requirements for the lab as your requirements could vary depending on the type of lab you are setting up. (is it for an SME or big company? what type of cases are you going to work on? civil, corporate, legal etc. Depending on that, what type of hardware do you need, the software required, tools to investigate legacy software, how secure should your lab be, do you require a tempest protected facility? etc.)

The book 'Guide to Computer Forensics and Investigation' has a chapter dedicated to setting up a digital forensics laboratory. I have read it and it provides some really good insight into setting up a forensics lab. Here is a link to the book:
http://www.amazon.com/Guide-Computer-Forensics-Investigations-Book/dp/1435498836

You'll find many similar resources out there. Another book is:
http://store.elsevier.com/Building-a-Digital-Forensic-Laboratory/Andrew-Jones/isbn-9780080949536/

One thing to note is, depending on the location, you may need a license (some states in the US restrict forensic activity only to licensed private investigators).

PROCEDURES:
The SWGDE documentation provides best practice documents and procedures that you can use as formal procedure documents for your company. (Check their terms and conditions before using them.)
Again, there may be several similar documents provided by other bodies.

TOOLS:
If you require information on the tools, there are numerous resources online that you could look up for guidance. A good starting point could be http://resources.infosecinstitute.com/computer-forensics-tools/

u/Goovscoov · 1 point · r/computerforensics

Do you have the image file itself?
If yes, open it in a tool like Active@ Disk Editor (http://www.disk-editor.org/). This tool highlights disk information in colours and gives verbose information for you to easily understand what parts on the disk/image you're looking at. Great way to start off and learn things about filesystems. Also I highly recommend the File System Forensics book by Brian Carrier. (https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172)

u/Kconnor00765 · 2 points · r/computerforensics

I'm LE and DFIR Examiner. What QuietForensics said is absolutely right. Your private sector gigs are mainly going to be Incident Response. For instance, JPMorgan Chase has been expanding their teams which are comprised of IR (e.g. Breaches) and Digital Forensics (in support of Internal Investigations/Insider Threat). If your experience is limited to Dead-Box Forensics, you will have a number of hurdles to overcome insofar as initial assessments for interviews. For instance, would you be able to tell what artifacts (on a Windows System) you would examine in order to collect evidence associated with an individual accessing a network shared drive and viewing files remotely (the files were never transferred and they were never opened. They were simply previewed.) What artifacts would you leverage?

These are the kind of rudimentary questions you would have to know. You will also have to be familiar with basic knowledge associated with Networking (e.g. Ports, Protocols, etc). If it's a position that deals strictly with Dead-Box Forensics, you have to be very comfortable with explaining artifacts and not just show that you know what I like to refer to as Nintendo-Level Forensics where one pushes a button and the solution images the device and spits out a report (e.g. Cellebrite). You really need to know your Registry Hives, ShellBags, etc.

My suggestion...start putting in for those positions, do a couple of interviews, and see where you are at insofar as to your level. There are a lot of skills that are transferable from the LE sector to private (e.g. Chain of Evidence, Case Filing, Court Testimony, Risk Management, etc). If you feel that you are short on the more technical skills, consider studying the domains of Sec+ and Incident Response & Computer Forensics - Third Edition.

Good luck.
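An added example, not part of u/Kconnor00765's comment, of the kind of registry-value decoding that sits behind the "which artifacts" interview question: the RecentDocs key's MRUListEx value gives the order in which the entries were used, and the key's LastWrite FILETIME dates only the most recent entry, since RecentDocs stores no per-entry timestamps. The value names, the entry data and the LastWrite timestamp are constructed inline rather than read from a hive; pulling them out of a real NTUSER.DAT needs a hive parser, which this example does not include.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Decode a Windows FILETIME (64-bit count of 100 ns units since
    1601-01-01 UTC) as used for registry key LastWrite times, NTFS
    $STANDARD_INFORMATION and LNK timestamps."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME out of range")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; dt must be timezone-aware.
    Integer division keeps the full 64-bit value exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_mrulistex(blob):
    """MRUListEx (RecentDocs, OpenSavePidlMRU, ...) is REG_BINARY data:
    little-endian DWORD entry numbers, most recently used first,
    terminated by 0xFFFFFFFF. Returns the entry numbers in that order."""
    if len(blob) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", blob):
        if idx == 0xFFFFFFFF:
            return order
        order.append(idx)
    raise ValueError("MRUListEx has no 0xFFFFFFFF terminator")


def utf16z(blob, offset=0):
    """Read a NUL-terminated UTF-16LE string; scan in 2-byte units so a
    character whose low byte is 0x00 is not mistaken for the terminator."""
    end = offset
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[offset:end].decode("utf-16-le")


def recentdocs_history(values, key_last_write_ft):
    """values: the RecentDocs key's value name -> data. Returns
    [(filename, opened_at)] in recency order. Only the most recent entry
    gets a time (the key's LastWrite); the others are ordered but undated."""
    order = parse_mrulistex(values["MRUListEx"])
    last_write = filetime_to_datetime(key_last_write_ft)
    history = []
    for rank, idx in enumerate(order):
        name = utf16z(values[str(idx)])
        history.append((name, last_write if rank == 0 else None))
    return history


def _entry(name):
    # Constructed RecentDocs entry: UTF-16LE name, NUL terminator, then the
    # shell item that follows on a real system (a dummy 4-byte item here)
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x04\x00\x00\x00"


# Constructed sample key, not taken from a real hive
SAMPLE_VALUES = {
    "0": _entry("budget.xlsx"),
    "1": _entry("notes.docx"),
    "2": _entry("plan.pptx"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}
SAMPLE_LAST_WRITE = 132036120000000000  # constructed: 2019-05-29 14:00:00 UTC

if __name__ == "__main__":
    for name, when in recentdocs_history(SAMPLE_VALUES, SAMPLE_LAST_WRITE):
        print(f"{name:<14} {when.isoformat() if when else '(order only)'}")
```

The `utf16z` scan matters in practice: a naive search for `b"\x00\x00"` truncates any name containing a character such as U+0100 whose UTF-16LE encoding starts with a zero byte.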

u/4n6Pi · 1 point · r/computerforensics

Brian Carrier's book on File System Forensics is a must: http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

Next, any of Harlan Carvey's Books. These cover the basic (as well as advanced) Windows Artifacts such as the Registry, Event Logs and Timeline creations. He also has lots of open source tools that he demonstrates in the books:

http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224/ref=sr_1_5?s=books&ie=UTF8&qid=1414266778&sr=1-5&keywords=harlan+Carvey

Check out the free SANS Webcasts in their archives. Lots of good videos on forensic and security related topics. They also have a free forensic tool called "SIFT" which is a VM loaded with free/open source forensic tools (Linux based).

https://www.sans.org/webcasts/archive

u/orangelounge · 14 points · r/computerforensics

Start with reference data sets: https://www.cfreds.nist.gov/

and free tools like Autopsy and SleuthKit: https://www.sleuthkit.org/autopsy/

And the bible on digital forensics: https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

before worrying about proprietary tools like EnCase. Autopsy is like free EnCase. Same principles apply.

u/Adam_Nine · 1 point · r/computerforensics

I have this one. Haven't run into any issues. Granted this is NOT a rework station. But it's the same model they are issuing in Fed labs. $135 gets you a great soldering iron with a wide range of adjustable temps and a set of various tips, though if you are doing ISP you'll want the very fine tips...I'll have to find the number for the ones I use...The only other thing you would want for ISP is decent magnification to work under.

https://www.amazon.com/Hakko-FX888D-T18-B-D24-599-029/dp/B00C2BHTBI/ref=sr_1_1_sspa?s=hi&ie=UTF8&qid=1525274929&sr=1-1-spons&keywords=hakko+soldering+station&psc=1

u/bigt252002 · 3 points · r/computerforensics

Computers will never go away. The trend right now is that everything is going mobile and that is why there is much more emphasis on mobile devices in general. However, depending on what you decide to do (private v. public sectors) you will always see computers come in. Not to mention, before I would advocate someone move to HFS+ or ext2-4 file systems, they should have an understanding of how FAT and NTFS work anyway. They are the easiest to understand and it will definitely help later on when you need to start traversing through an iOS or Android device.

http://www.amazon.com/Handbook-Digital-Forensics-Investigation-Eoghan/dp/0123742676

Hands down my favorite book when I was starting out
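The "what part of the disk am I looking at" reading that u/Goovscoov describes doing in a disk editor, and the FAT grounding u/bigt252002 recommends before moving on, as an added example that comes from neither comment: a parser for the FAT boot sector (the BIOS Parameter Block) that computes where the FATs, the root directory and the data area begin, translates a cluster number into a byte offset, and decides FAT12/16/32 by cluster count the way Microsoft's specification does rather than trusting the type string. The two boot sectors are built by `make_boot_sector`, a helper of mine, and are not taken from real media.

```python
import struct
from dataclasses import dataclass
from typing import Optional

BOOT_SIG = b"\x55\xAA"


@dataclass
class FatLayout:
    fat_type: str                   # "FAT12"/"FAT16"/"FAT32", from cluster count
    bytes_per_sector: int
    sectors_per_cluster: int
    cluster_count: int
    fat_offset: int                 # byte offset of FAT #1
    root_dir_offset: Optional[int]  # FAT12/16 fixed root directory; None on FAT32
    data_offset: int                # byte offset of cluster 2
    root_cluster: int               # FAT32 root directory cluster; 0 on FAT12/16

    def cluster_offset(self, n):
        """Byte offset of data cluster n (data clusters start at 2)."""
        if n < 2 or n - 2 >= self.cluster_count:
            raise ValueError(f"cluster {n} is outside the data area")
        return self.data_offset + (n - 2) * self.sectors_per_cluster * self.bytes_per_sector


def parse_fat_boot_sector(sec):
    """Decode the BPB at the start of a FAT volume (or of a partition image)."""
    if len(sec) < 512 or sec[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, nfats, root_entries, total16, _media,
     spf16, _spt, _heads, _hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", sec, 0x0B)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible BPB geometry")
    total = total16 or total32
    spf, root_cluster = spf16, 0
    if spf16 == 0:                               # FAT32: sizes live in the extended BPB
        spf, _flags, _version, root_cluster = struct.unpack_from("<IHHI", sec, 0x24)
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * spf + root_dir_sectors)
    clusters = data_sectors // spc
    # The spec's rule: type follows the cluster count, not the "FAT32   " label
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    fat_offset = reserved * bps
    root_dir_offset = None if fat_type == "FAT32" else (reserved + nfats * spf) * bps
    data_offset = (reserved + nfats * spf + root_dir_sectors) * bps
    return FatLayout(fat_type, bps, spc, clusters, fat_offset, root_dir_offset,
                     data_offset, root_cluster)


def make_boot_sector(bps, spc, reserved, nfats, root_entries, total, spf, fat32=False):
    """Constructed sample boot sector for this example (not from a real disk)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x58\x90"
    sec[3:11] = b"MSWIN4.1"
    total16 = total if total < 0x10000 else 0
    total32 = 0 if total16 else total
    struct.pack_into("<HBHBHHBHHHII", sec, 0x0B, bps, spc, reserved, nfats, root_entries,
                     total16, 0xF8, 0 if fat32 else spf, 63, 255, 0, total32)
    if fat32:  # sectors per FAT, flags, version, root cluster, FSInfo, backup boot sector
        struct.pack_into("<IHHIHH", sec, 0x24, spf, 0, 0, 2, 1, 6)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


# Constructed samples: a 1 GiB FAT32 volume and a 32 MiB FAT16 volume
FAT32_SAMPLE = make_boot_sector(512, 8, 32, 2, 0, 2097152, 2048, fat32=True)
FAT16_SAMPLE = make_boot_sector(512, 4, 1, 2, 512, 65535, 64)

if __name__ == "__main__":
    for label, sample in (("sample A", FAT32_SAMPLE), ("sample B", FAT16_SAMPLE)):
        lay = parse_fat_boot_sector(sample)
        print(label, lay.fat_type, "clusters:", lay.cluster_count,
              "FAT @", hex(lay.fat_offset), "data @", hex(lay.data_offset),
              "cluster 10 @", hex(lay.cluster_offset(10)))
```

Once the layout is known, a cluster number read from a directory entry in the disk editor becomes a byte offset you can jump to, which is the manual step Carrier's book walks through for each file system.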

u/fight0fffyourdemons · 3 points · r/computerforensics

Certs. Most computer forensics jobs require at least one or more of the computer forensics certifications. Begin with ACE (AccessData Certified Examiner); it's free. Next, buy some textbooks with exercises and practice them. Here's an example: https://www.amazon.com/Guide-Computer-Forensics-Investigations-DVD/dp/1285060032/ref=sr_1_2?ie=UTF8&qid=1469102726&sr=8-2&keywords=computer+forensics

I also encourage you to learn about mobile forensics. A good amount of investigations relate to mobile devices.

u/dougsec · 1 point · r/computerforensics

Since this is the subreddit for DFIR, that's what you're going to end up with as far as suggestions go. For pentesting stuff, checkout:

-Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 (this has some labs, but just reading through the various weaknesses in WebApps will be a great start)

-The Hacker Playbook: https://www.amazon.com/dp/1512214566/ref=pd_lpo_sbs_dp_ss_1?pf_rd_p=1944687742&pf_rd_s=lpo-top-stripe-1&pf_rd_t=201&pf_rd_i=1118026470&pf_rd_m=ATVPDKIKX0DER&pf_rd_r=1NSA1RZZ3WQTP374S9WK

Red Team Field Manual: https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=pd_bxgy_14_img_2?ie=UTF8&psc=1&refRID=S7FG8F9TCMZMM9HVX2TN

Those two are good general pentesting books. You might also try /r/AskNetsec for other suggestions.

u/justjosh25 · 1 point · r/computerforensics

Check this out. Goes from really beginner-level stuff to more experienced by the end of the first section. This book will answer all your questions about tools during all phases of forensic analysis. Hope it helps.

u/Snackman11 · 16 points · r/computerforensics

Digital Forensic workbook is a great source for building foundational knowledge on many of the general computer forensic techniques. It covers info such as file system forensics, acquisition, software write blocking, registry analysis, email analysis, internet history analysis, recovering data in unallocated space, etc. Labs are included with the book so you can test the content learned against sample data.

Learning Malware Analysis guides you through static analysis, dynamic analysis, using IDA Pro, and other disassemblers to determine the intent of malicious files.

Practical Malware Analysis

Wireshark Network Analysis

u/anarrowview · 3 points · r/computerforensics

Read this book front to back; if you don't understand something, ask on reddit/twitter. Use the second link to find training images and the tools to analyze them for active training. Bury your nose in this and you'll land a job within 6 months, even at a firm like Mandiant (the book was coauthored by the founder).

https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684

https://www.dfir.training/

u/nelsondelmonte · 2 points · r/computerforensics

You need to use an adapter like this one: https://www.amazon.ca/StarTech-com-Adapter-Converter-Housing-SAT32M225/dp/B00ITJ7U20

EDIT: To be clear, this adapter should be used ONLY in the case of having a M.2 SATA drive. M.2 is just an interface and if the drive using it happens to be using a PCIe controller, you will need to use the T7u (or some other PCIe write blocker).

u/bshavers · 1 point · r/computerforensics

50% off the online course, includes a print copy of the book it is based upon if you live within the US/Canada (https://www.amazon.com/X-Ways-Forensics-Practitioners-Guide-Shavers/dp/0124116051).

I don't have any ties to the X-Ways company, other than using X-Ways for more than a decade, writing a book about it, and teaching it at universities and other courses, so I can't offer any discounts on the software. Although, I can say you can buy 2 or 3 licenses of X-Ways compared to a single license of FTK or EnCase...

u/sammew · 1 point · r/computerforensics

> Understanding the types of attacks is a great start.

408 is pretty basic forensics. It is more bad leaver / criminal with a physical device forensics than IR. I would say if you have to read one book, it would be https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172?ie=UTF8&redirect=true . It will give you a nice foundation for what will be talked about.