(Part 2) Best products from r/computerforensics

We found 23 comments on r/computerforensics discussing the most recommended products. We ran sentiment analysis on each of these comments to determine how redditors feel about different products. We found 59 products and ranked them based on the number of positive reactions they received. Here are the products ranked 21-40.

Top comments mentioning products on r/computerforensics:

u/1369311007 · 1 point · r/computerforensics

And when the little old lady is exploiting children in some of those pictures, you're going to wish you had used a write-blocker.

They are cheap enough to have on hand: http://www.amazon.com/WiebeTech-31300-0192-0000-USB-writeblocker-Rohs/dp/B002DH1P0W/ref=sr_1_1?s=electronics&ie=UTF8&qid=undefined&sr=1-1&keywords=cru+usb+write+blocker

Stolen from Hddguru.com:

The most important thing while doing data recovery / forensics is that the source hard disk should not be modified. If the source hard disk is connected to a Windows-based machine, chances are that Windows may write to it by the following means:

  1. Scandisk / Chkdsk
  2. System Restore / Recycle Bin folders are created
  3. Swap file creation
  4. Conversion of the file system, e.g. NTFS v4 is automatically converted to NTFS 5


u/dougsec · 1 point · r/computerforensics

Since this is the subreddit for DFIR, that's what you're going to end up with as far as suggestions go. For pentesting stuff, check out:

- Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 (this has some labs, but just reading through the various weaknesses in WebApps will be a great start)

- The Hacker Playbook: https://www.amazon.com/dp/1512214566/ref=pd_lpo_sbs_dp_ss_1?pf_rd_p=1944687742&pf_rd_s=lpo-top-stripe-1&pf_rd_t=201&pf_rd_i=1118026470&pf_rd_m=ATVPDKIKX0DER&pf_rd_r=1NSA1RZZ3WQTP374S9WK

- Red Team Field Manual: https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=pd_bxgy_14_img_2?ie=UTF8&psc=1&refRID=S7FG8F9TCMZMM9HVX2TN

Those two are good general pentesting books. You might also try /r/AskNetsec for other suggestions.

u/Bonzooy · 5 points · r/computerforensics

Short answer: yes. Scripting is helpful in DF, especially if you're in an IR role where you're dealing with data from many different systems. Python is far and away the most common, although plenty of folks use other languages.

You could go the conventional "take a class about it" route: http://classlist.champlain.edu/course/description/number/dfs_510/register/false

Or you could just teach yourself: https://www.amazon.com/Learning-Python-Forensics-Preston-Miller/dp/1783285230

u/Snackman11 · 16 points · r/computerforensics

Digital Forensic workbook is a great source for building foundational knowledge on many of the general computer forensic techniques. It covers info such as file system forensics, acquisition, software write blocking, registry analysis, email analysis, internet history analysis, recovering data in unallocated space, etc. Labs are included with the book so you can test the content learned against sample data.

Learning Malware Analysis guides you through static analysis, dynamic analysis, using IDA Pro, and other disassemblers to determine the intent of malicious files.

Practical Malware Analysis

Wireshark Network Analysis

u/Goovscoov · 3 points · r/computerforensics

Windows Forensics and Linux Forensics by Phil Polstra are 2 books about Forensics and IR that came out in 2015-2016. They go really in-depth about filesystems and teach you how to understand the parsing/processing and forensic analysis process by creating your own Python scripts instead of just running tools and relying on those. I can really recommend these books for starters.

https://www.amazon.com/Windows-Forensics-Dr-Philip-Polstra/dp/1535312432

https://www.amazon.com/Linux-Forensics-Philip-Polstra/dp/1515037630/ref=pd_sbs_14_t_2?_encoding=UTF8&psc=1&refRID=ZZV0H8ZCEWQDX1HNX8TW

u/antonymous · 2 points · r/computerforensics

You might want to see if you can find a copy of this book. Haven't read it myself, but it looks like the only book on XBOX360 Forensics that's currently available.

u/maximum-snark · 3 points · r/computerforensics

You said you checked the header, but did you check the footer? PNGs have a clear start and end, anything after that is basically ignored and could be used to hide data.

Look for extraneous data after the IEND chunk. This has been used in the past to obscure a malware payload in an otherwise normal looking PNG.

Also, PoC or GTFO is a newish book that addresses this, so whoever gave you the PNG might have read it recently and thought they'd be clever with you.

u/renoc · 2 points · r/computerforensics

Mind sharing the links? There are a few "Hack this site" websites ranging from user uploaded files and I've seen one which is more based on JavaScript and SQL injection.

Have you thought about looking at crackme? There's also the Microsoft Blue Hat Challenge. Forensic Focus also provide a list of resources to practice with.

There are always books as well. I'm currently working through Real Digital Forensics that comes with files used in the book and explains how it was gathered and how to view it.

There's plenty of resources out there, but you've got to be a bit more specific on what challenge you're looking for, as there's a range of subjects.

u/imonolithic · 3 points · r/computerforensics

The main tools used are generally Cellebrite, XRY and Oxygen. Some other tools are used too but to a lesser extent, these usually include things like EnCase, Blackbag Blacklight / Mobilyze and a few others.

Actually learning to use the tools can be difficult because few of them have free trials or any kind of training that you don’t have to pay a lot of money for. Cellebrite and XRY do have viewers though and the viewers are very similar to the tools themselves so you can at least get familiar with the interface and how to view and sort the data. If you know someone with the tools they can easily supply you with some test data and a viewer to mess around with and the suppliers themselves might even be willing to share this if you email them.

The tools in general are actually quite simple to use anyway, there is much less in terms of options compared to X-Ways, EnCase etc. The more difficult stuff in the mobile world is learning about the operating systems of the phones, doing manual analysis of unsupported applications and doing chip-off and JTAG.

A couple of books I recommend for learning about mobile forensics in general are these:

https://www.amazon.com/Learning-Android-Forensics-Rohit-Tamma/dp/1782174575/ref=sr_1_1?s=books&ie=UTF8&qid=1485333598&sr=1-

https://www.amazon.com/Practical-Mobile-Forensics-Heather-Mahalik/dp/1786464209/ref=sr_1_1?s=books&ie=UTF8&qid=1485333543&sr=1-

u/acrobaticOccasion · 1 point · r/computerforensics

Use a quality USB-C to USB-A data cable.