Forensics on a budget.

(@renx215)
Posts: 9
Active Member
Topic starter
 

So I have 63 credits of a CF degree I took in the first year of the program. It was hastily put together; I learned the basics, not much beyond that.

I am looking to start on a budget for learning and being able to do data recovery (a skill that is always good to have).

So I have some options, Access Data/EnCase excluded. I have been considering Forensic Explorer, whose academic pricing is 699, and OSForensics, which is 679 with said academic pricing.

I have used Pro Discover Basic in the past; however, it seems hard to find PD Basic beyond v7.

I have played around with Autopsy for Win and on Kali, as well as Paladin; however, while I am trying to learn Linux, it is not yet my strong suit.

For write blocking, I know how to do the registry method, but I have one of those $40 coolgear USB 3.0 write blockers which are actually decent. However on one website I found the forensic dock by CRU for 279…

So my question, community: is it better to bite the bullet and fully embrace Linux due to the suite of free tools? Or are any of the packages I mentioned above worthwhile? I really want to learn more, but dropping 2-3 grand on EC Council or InfoSec is out of the question. I am currently testing in a VMBox.

Suggestions, advice, encouragement and discouragement are all welcome =)

 
Posted : 02/08/2017 5:07 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

All in all many good ideas. But just best start fast and focus on mobile devices - people's external heart & soul. For this go for Cellebrite.

Just start fast.

 
Posted : 02/08/2017 1:35 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Free stuff you can do

* Learn the basics of Linux, learn how some tools work, maybe some coding (Python is the flavour of the moment language for infosec).

* Learn where to find artifacts in Windows, i.e. prefetch, registry, shellbags, logs.

* Learn some network forensics, run tshark and learn its switches for parsing pcaps. Try NetworkMiner and NetWitness (it is still around, just checked).

* Try different tools and find out what is useful (now, when you have the time; later on, when you have a job, time is expensive).

* Write blockers are something you do not need to learn; you plug in everything and off you go.

* Make up a case, write down artifacts, learn to write a report (I'm sure there are templates somewhere).

* Write blockers are something you do not need to learn; you plug in everything and off you go. There are some limitations of each piece of hardware and it helps learning about those.

* Play around with Volatility, do some memory dump forensics.

* Read lots of stuff. Blogs are good. Go on Twitter, check the #dfir hashtag, find out who to follow. Stay on top of current knowledge.

* Run some malware, find out what kind of traces it leaves.

 
Posted : 02/08/2017 2:10 pm
(@randomaccess)
Posts: 385
Reputable Member
 

If you can get a work-study spot on the FOR500 course, that teaches you a lot of the artefacts you need to know about as well as gives you a Wiebetech write blocker. Work-study makes it a lot more affordable.

Also, you can get a lot done with the free tools (both Linux and Windows based). The only thing that might be slightly harder is internet history, but using a combination of Autopsy, Eric Zimmerman's tools, FTK Imager and the variety of other tools available on dfir.training you can get by.

 
Posted : 02/08/2017 2:16 pm
(@renx215)
Posts: 9
Active Member
Topic starter
 

All in all many good ideas. But just best start fast and focus on mobile devices - people's external heart & soul. For this go for Cellebrite.

Just start fast.

Yes, it would seem mobile forensics is where it would be at; people are attached to those ubiquitous devices.

 
Posted : 02/08/2017 4:25 pm
(@renx215)
Posts: 9
Active Member
Topic starter
 

I'd recommend Forensic Explorer. I use Magnet Axiom and Forensic Explorer on most of my cases. Forensic Explorer is a really powerful tool and flexible if you know how to code in Delphi. If I'd purchase one tool, it would be FEX.

Autopsy and other open source software are really cool also. I'd also try the open source software mentioned above. If you are on a budget you can cut software costs to buy more hardware.

I read a post on FF about cheap Write Blockers and bought CoolGear's WB. I didn't test it enough but so far it works fine.

Regards

It actually works; it's basic with no frills. People may seem put off by the low price, but realistically speaking it's basically an adapter that write blocks, no different than an external enclosure. And those are cheap; simply blocking the ability to write to the drive does not make the device expensive to manufacture.

 
Posted : 02/08/2017 4:28 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

It actually works; it's basic with no frills. People may seem put off by the low price, but realistically speaking it's basically an adapter that write blocks, no different than an external enclosure. And those are cheap; simply blocking the ability to write to the drive does not make the device expensive to manufacture.

Researching ATA standards to block all ways to write to a bunch of drives which may or may not follow the specification and may implement their own functionality to remain competitive, that can be expensive.

This is what I mentioned above about shortcomings in write blockers.

Do not assume that "hey, it blocks writes, it must be good". A sandwich on the floor may still taste like a sandwich, but it may have a dead fruit fly, dust and some grit caught up in the butter.

If you're gonna use it for research purposes, fine. Just don't take that mindset with you to a job.

 
Posted : 02/08/2017 7:36 pm
(@renx215)
Posts: 9
Active Member
Topic starter
 

It actually works; it's basic with no frills. People may seem put off by the low price, but realistically speaking it's basically an adapter that write blocks, no different than an external enclosure. And those are cheap; simply blocking the ability to write to the drive does not make the device expensive to manufacture.

Researching ATA standards to block all ways to write to a bunch of drives which may or may not follow the specification and may implement their own functionality to remain competitive, that can be expensive.

This is what I mentioned above about shortcomings in write blockers.

Do not assume that "hey, it blocks writes, it must be good". A sandwich on the floor may still taste like a sandwich, but it may have a dead fruit fly, dust and some grit caught up in the butter.

If you're gonna use it for research purposes, fine. Just don't take that mindset with you to a job.

Point well taken.

 
Posted : 02/08/2017 8:17 pm
(@thefuf)
Posts: 262
Reputable Member
 

Researching ATA standards to block all ways to write to a bunch of drives which may or may not follow the specification and may implement their own functionality to remain competitive, that can be expensive.

This is what I mentioned above about shortcomings in write blockers.

Do not assume that "hey, it blocks writes, it must be good". A sandwich on the floor may still taste like a sandwich, but it may have a dead fruit fly, dust and some grit caught up in the butter.

If you're gonna use it for research purposes, fine. Just don't take that mindset with you to a job.

I saw a Tableau forensic duplicator (TD3) writing to a drive attached to a "write blocked" port. I saw a Tableau forensic bridge (T356789iu) blocking some read requests because of a bad sector on a drive.

So, hardware write blockers are overestimated.

For write blocking, I know how to do the registry method, but I have one of those $40 coolgear USB 3.0 write blockers which are actually decent. However on one website I found the forensic dock by CRU for 279…

There are some attempts to create an open source hardware write blocker (for example https://github.com/leetobin/firebrick3 ).

People may seem put off by the low price, but realistically speaking it's basically an adapter that write blocks, no different than an external enclosure.

Well, some hardware write blockers are based on the same or similar hardware components as enclosures, but with custom (modified) firmware.

 
Posted : 02/08/2017 10:22 pm
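MDCR and thefuf both make the point that a blocker must be tested rather than trusted. The following is an added example, not code from any poster: a before/after hash check of the kind a lab runs against a scratch drive placed behind the blocker under test. The device path is an assumption; demo() stands in a constructed temp file for the drive, so it runs offline.

```python
"""Before/after hash check for a write blocker, run on a SCRATCH drive.
Added example, not from the thread; demo() uses a temp file as the 'drive'."""
import hashlib
import os
import tempfile

MARKER = b"WRITE-BLOCKER-TEST"  # constructed sentinel, not a real artifact

def sha256_of(path):
    """Hash the whole device in 1 MiB chunks so large media fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def attempt_write(path, offset, data):
    """Try to land `data` at `offset` and report how the attempt ended. 'accepted'
    only means the call succeeded; the verdict comes from re-hashing the media."""
    try:
        fd = os.open(path, os.O_WRONLY)
    except OSError as e:
        return "refused_open:%d" % e.errno
    try:
        os.pwrite(fd, data, offset)
        os.fsync(fd)
    except OSError as e:
        return "refused_write:%d" % e.errno
    finally:
        os.close(fd)
    return "accepted"

def validate_blocker(path, offset=0):
    """The blocker passes only if the media hash is unchanged afterwards."""
    before = sha256_of(path)
    result = attempt_write(path, offset, MARKER)
    after = sha256_of(path)
    return {"write_result": result, "before": before, "after": after,
            "blocked": before == after}

def demo():
    """Unblocked 4 KiB zero-filled temp file: expect 'accepted', blocked False."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"\x00" * 4096)
    os.close(fd)
    try:
        return validate_blocker(path)
    finally:
        os.unlink(path)
```

A bridge that silently acknowledges and discards writes still shows "accepted" with an unchanged hash, which is why the hash comparison, not the write result, decides the verdict.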
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Suggestions, advice, encouragement and discouragement are all welcome =)

There are numerous free and open source tools available, based on Win and Linux. The only free full blown "suite" might be Autopsy, but there are dozens of tools for single, dedicated forensic tasks.
Carving? Scalpel or foremost. Extracting MFT records? mft2csv and other tools from Joakim Schicht. Searching Alternate Data Streams? streams64.exe from Sysinternals. Ask for a task here at ForensicFocus and you will get the name of a compiled tool or Python script.

And yes, Python is "in" for Digital Forensics, Perl is "out". Learning Python is a very good idea and you should find plenty of sources for learning this language as a student. MDCR made a good post about this.

best regards,
Robin

 
Posted : 02/08/2017 10:22 pm