Beginner's Guide to the Forensics Lifestyle

(Yes, this title is supposed to read like the “Hitchhiker’s Guide to the Galaxy”, but it’s a lame attempt to be funny. After you read this blog post, you should head on over to your favorite bookstore to buy the book.)

WELCOME!

I asked one of my professors in college, “How can I be successful after college? I seem to be struggling with things my classmates are not.” His response was simple: “The fact that you’re standing in my office means you’ll be successful. You’re passionate.” I started my career in Digital Forensics right out of school. I was lucky enough to attend a pretty awesome college that had an undergraduate degree in the subject, but in actuality, most of what I learned was self-taught. I wanted to write a blog post to help others figure out where to start.

One thing that I’ve learned is that it’s really difficult to gain practical experience until you get hands-on with real images. I did this two ways: I built my own images (this requires some experience in exploitation; personally, I'm a fan of using Kali Linux), and I've also used old CTF challenges or images that are on the internet. Here are some links to get you started.

Disclaimer: None of these are mine, and I cannot vouch for what is on them. So proceed at your own risk.

Now, once you identify which images you are going to use for practice, we have to understand how to tackle a case. When I was interviewing for my current job, my now boss recommended that I read Computer Forensics and Incident Response to educate myself a little bit more on how cases are actually worked. This is not something they taught me in school. Sure, we had classes where we talked about the Attack Lifecycle, the Cyber Kill Chain, and ATT&CK, but what wasn’t taught was all of the other things to look for, evidence-wise. And that's what this book outlines really well. It gives case studies from actual cases, and the authors explain in great detail how they came to their conclusions.

This article gives a wonderful overview of all three methods of depicting the lifecycle of an attack.

Now, once we learn how to attack a case, we’re ready to dive into more of the fun stuff. Let's talk about artifacts. Virtually everything that happens on a computer leaves a trail. However, some threat actors are more advanced than others, which is what makes forensics fun! But we’re just going to focus on the basics now. Let’s start with Windows. I’ll do a post on Linux later, and if you want to get SUPER fancy, head on over to Sarah Edwards' website, http://www.mac4n6.com, to learn about Mac forensics.

But now, for the main event. Let’s talk about some artifacts! And remember, the purpose of this post is not to hold your hand; it’s to give you some reading to start you off on this marathon of forensics.

$MFT:

My favorite tools: MFT2CSV, mftdump, log2timeline
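Those tools parse $MFT records for you, but it helps to see what they are actually reading. Here is an added example, my own code rather than anything from this post or from MFT2CSV/mftdump/log2timeline: a small Python parser that pulls the $STANDARD_INFORMATION and $FILE_NAME timestamps out of one FILE record and flags the classic timestomping anomaly. It assumes a constructed record that it builds itself (no update-sequence fixups, resident attributes only), so it runs without a real image.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since this instant
def filetime_to_utc(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_mft_record(rec):
    # Resident attributes of one 1024-byte FILE record; update-sequence fixups (needed on a real $MFT) are skipped.
    if rec[:4] != b"FILE": raise ValueError("not a FILE record")
    off, out = struct.unpack_from("<H", rec, 0x14)[0], {}  # offset of the first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:  # end-of-attributes marker
            break
        if rec[off + 8] == 0:  # resident attribute: its content sits inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:  # $STANDARD_INFORMATION: four MACB timestamps at offset 0
                out["si"] = [filetime_to_utc(t) for t in struct.unpack_from("<4Q", body, 0)]
            elif atype == 0x30:  # $FILE_NAME: parent ref, four timestamps at 8, name at 0x42
                out["fn"] = [filetime_to_utc(t) for t in struct.unpack_from("<4Q", body, 8)]
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out

def timestomp_suspect(parsed):
    # $SI times are writable from user mode (SetFileTime); $FN times are kernel-maintained, so a
    # $SI creation time earlier than the $FN creation time is the classic anomaly to review.
    return parsed["si"][0] < parsed["fn"][0]

def build_record(si_times, fn_times, name):
    # Constructed test record (not a real $MFT extract) with resident $SI and $FN attributes.
    ft = lambda d: (d - EPOCH) // timedelta(microseconds=1) * 10  # UTC datetime -> FILETIME
    def attr(atype, body):
        total = (24 + len(body) + 7) & ~7  # attribute lengths are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, 0, len(body), 24, 0, 0)
        return (hdr + body).ljust(total, b"\0")
    si = struct.pack("<4Q", *map(ft, si_times)) + b"\0" * 16
    fn = (struct.pack("<5Q", 5, *map(ft, fn_times)) + b"\0" * 24
          + bytes([len(name), 1]) + name.encode("utf-16-le"))
    body = attr(0x10, si) + attr(0x30, fn) + b"\xff\xff\xff\xff"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024, 0, 3, 0, 42)
    return (hdr.ljust(0x38, b"\0") + body).ljust(1024, b"\0")

def demo():
    real, old = datetime(2021, 3, 4, 12, tzinfo=timezone.utc), datetime(2009, 7, 14, tzinfo=timezone.utc)
    clean = parse_mft_record(build_record([real] * 4, [real] * 4, "notes.txt"))
    stomped = parse_mft_record(build_record([old] * 4, [real] * 4, "svchost.exe"))  # $SI backdated only
    return timestomp_suspect(clean), timestomp_suspect(stomped), stomped["name"]
```

Pointing parse_mft_record at the 1024-byte records of a real $MFT export also needs the update-sequence fixups applied first; the timestamps and the $SI-vs-$FN comparison are the same ones the tools above put side by side in their CSV output.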

Event Logs:

https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949

  • Security.evtx
  • Terminal services (Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational)
  • System.evtx
  • Application.evtx
  • Powershell.evtx

Registry Hives:

My favorite tool: RegRipper

Internet History:

My favorite tool: BrowsingHistoryView

Recycle Bin

Unallocated space

INDX files

Amcache/RecentFileCache.bcf

$UsnJrnl:

My favorite tool: NTFS-log-tracker

I know that there are a lot of links here, and it's a lot to get through. But starting to learn about these areas will give you a great place to start your research. Remember that this just scratches the surface of digital forensics: this is only a handful of the artifacts that can be found on a Windows system. Honestly, as long as you have the passion and the dedication to learn, VirtualBox, and a tool like FTK Imager or SIFT Workstation, you can break into the world of forensics and be successful in no time. I wish you the best of luck! Thanks for stopping by!

capt. kirk