Reddit reviews Incident Response & Computer Forensics, Third Edition
We found 6 Reddit comments about Incident Response & Computer Forensics, Third Edition. Here are the top ones, ranked by their Reddit score.
McGraw-Hill Osborne Media
This is your curriculum:
1 & 2 below are basically required reading in my CSIRT; 3 is optional, but advisable.
Next get yourself and/or your organization to participate in FIRST
Read this book front to back; if you don’t understand something, ask on reddit/twitter. Use the second link to find training images and the tools to analyze them for active training. Bury your nose in this and you’ll land a job within 6 months, even at a firm like Mandiant (the book was coauthored by the founder).
https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684
https://www.dfir.training/
There are a ton of different things you can do on the defensive side. The path here is a bit less defined because you can specialize in each of these areas without ever really touching the other ones. But I think these are the most important skills as a defender, so I’ll break it up into three smaller chunks. For the most part, defender/Blue-team concepts draw from these skills; I’ve set up the courses in order, as some of these skills may feed into other areas.
IR:
Forensics:
Reverse Engineering (Dynamic and Static):
I know there’s not a lot of certs here, and unfortunately, that’s how it is across the blue team. Certs here are usually very vendor-specific, and not applicable to defense as a whole. Those certifications exist, but I’m not listing them here.
If people are interested, I can also do a similar write-up on Mobile Forensics and Cloud Forensics (which is my direct background).
Lastly, here are some of my favorite news sources across the InfoSec community -
News Sources
Every practitioner has his/her favourite toolset, but try not to limit yourself to any one tool (appreciate that your company isn't going to buy more than one platform at this stage for you). Learn EnCase by all means and go for your EnCE; practically all job adverts ask for either EnCE or ACE but aren't usually fussy about which. The reality is, if you can evidence that you can use EnCase, FTK, or X-Ways to a good professional level and you are being interviewed by a practitioner, they should understand that it wouldn't be a huge leap to learn another toolset. Ultimately, they all do a similar job in slightly different ways. My personal preference is for FTK, then X-Ways, and lastly EnCase (too many wasted hours/days getting back to where I was when it crashed out on me back in the day).
Ultimately more important than any tool or cert is going to be proving that you have a proper, deep understanding of CF principles, filesystems and so forth, know your hardware and are confident pulling things apart to image them and all that good stuff. Get yourself a book or three such as https://www.amazon.co.uk/Incident-Response-Computer-Forensics-Third/dp/0071798684 and think about answers to questions that a good interviewer will ask you - tell me how you would evidence that this user did a certain thing, show me where you would look for this particular file and what its significance might be, explain to me when/how this data got deleted etc. If you become a practitioner, these are the sorts of questions that will get thrown at you on a daily basis, sometimes by opposing counsel, and you will want to have the answers in your back pocket.
Good luck with your study. This is an awesome industry to get into...
This
This book is also given out in the class.
Source: Multiple Co-workers took the course recently.