Reddit reviews File System Forensic Analysis
We found 11 Reddit comments about File System Forensic Analysis. Here are the top ones, ranked by their Reddit score.
It really depends on what niche you're looking at covering. It's difficult, I feel, to brush up on "infosec" to any level of practical proficiency without focusing on a few subsets. Based on your interests, I would recommend the following books.
General Hacking:
Hacking Exposed
The Art of Exploitation
The Art of Deception
Intrusion Detection / Incident Response:
Network Flow Analysis
The Tao of Network Security Monitoring
Practical Intrusion Analysis
Real Digital Forensics
Reverse Engineering:
Reversing: Secrets of Reverse Engineering
The Ida Pro Book
Malware Analyst Cookbook
Malware Forensics
Digital Forensics:
File System Forensic Analysis
Windows Forensic Analysis
Real Digital Forensics
The Rootkit Arsenal
Hope this helps. If you're a University student, you might have access to Safari Books Online, which has access to almost all of these books, and more. You can also purchase a personal subscription for like $23 a month. It's a bit pricey, but they have an awesome library of technical books.
Start with reference data sets: https://www.cfreds.nist.gov/
and free tools like Autopsy and SleuthKit: https://www.sleuthkit.org/autopsy/
And the bible on digital forensics: https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172
before worrying about proprietary tools like EnCase. Autopsy is like free EnCase. Same principles apply.
Aside from SANS FOR508 (the course on which the cert is based) the following helped me:
Windows Registry Forensics
Windows Forensic Analysis Toolkit 2nd ed
Windows Forensic Analysis Toolkit 4th ed
The 2nd edition covers XP, the 4th covers 7/8
Digital Forensics with Open Source Tools
File System Forensic Analysis
This is a new book, but I imagine it'll help as well:
The Art of Memory Forensics
I read many of these in preparation for taking mine, but your best resources are the SANS class/books, which are what the cert tests on. Having a good index is key.
There may be other classes out there that might help, but I have no firsthand experience with them, so I can't say what I recommend. All the above books, however, are amazing. Very much worth your time and money.
Check out Brian Carrier's book on File System Forensics, http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172. He has three chapters dedicated to NTFS.
There are a ton of different things you can do on the defensive side. The path here is a bit less defined because you can specialize in each of these areas without ever really touching the other ones. But I think these are the most important skills as a defender, so I'll break it up into three smaller chunks. For the most part, defender/Blue-team concepts draw from these skills; I've set up the courses in order, as some of these skills may feed into other areas.
IR:
Forensics:
Reverse Engineering (Dynamic and Static):
I know there’s not a lot of certs here, and unfortunately, that’s how it is across the blue team. Certs here are usually very vendor-specific, and not applicable to defense as a whole. Those certifications exist, but I’m not listing them here.
If people are interested, I can also do a similar write-up on Mobile Forensics and Cloud Forensics (which is my direct background).
Lastly, here are some of my favorite news sources across the InfoSec community -
News Sources
I highly suggest this book: https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172
While it's been out a bit, as far as I know, it still stands as the definitive source for NTFS file systems.
I went to X-Ways training last year in New York. Take good notes. I mean really good notes. X-Ways is very different from Encase or FTK. You need to understand how file systems work. It is NOT a push-button tool. However, you will get way more information for your cases by using X-Ways; it's a great tool.
Are you doing regular forensic case work? If not, consider purchasing Brett Shaver's course: http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide-online-and-on-demand-course and book: https://www.amazon.com/X-Ways-Forensics-Practitioners-Guide-Shavers/dp/0124116051/ref=sr_1_1?s=books&ie=UTF8&qid=1492443886&sr=1-1&keywords=xways+forensics+practitioner. They will be invaluable resources while you learn.
Good luck and have fun!
A few books for you to consider - I got these for my course and they are hugely useful. I've also included the Encase book as I know our forensics guys go back to it all the time:
Computer forensics using open source tools
The essential Brian Carrier - file system forensics
Real Digital Forensics
Encase training book
Digital Forensics Investigation
Forensic Discovery
Also, don't you want to advance in the field of computer forensics? Here's a book that gives you some understanding of what you will be dealing with; sounds like a good application for your computer skills:
http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172
And a presentation based on this book to see what it's like:
http://mcgrewsecurity.com/training/extx.pdf
You're going to have a real rough go at it;
That said; 508 is largely derived from the following two sources:
Brian Carrier's File System Forensics (This book is actually given out in the course)
&
The Art of Memory Forensics by MHL, Andrew Case, Jamie Levy, and AAron Walters
That'll get you ~75% of the way there. But it's a lot of material to cover and retain without a reference source. I don't know if SANS has an official policy on what specifically you can take in with you during the test outside of your personal notes and their material.
Outside of those two books; get very familiar with The Sleuth Kit and timelining.
Honestly; this would be advice for someone taking the course just as much as it would be for someone not taking the course.
Do you have the image file itself?
If yes, open it in a tool like Active@ Disk Editor (http://www.disk-editor.org/). This tool highlights disk information in colours and gives verbose information for you to easily understand what parts of the disk/image you're looking at. Great way to start off and learn things about filesystems. Also, I highly recommend the File System Forensics book by Brian Carrier (https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172).
> Understanding the types of attacks is a great start.
408 is pretty basic forensics. It is more bad-leaver/criminal forensics with a physical device than IR. I would say if you have to read one book, it would be https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172?ie=UTF8&redirect=true . It will give you a nice foundation for what will be talked about.