Top products from r/computerforensics

We found 52 product mentions on r/computerforensics. We ranked the 59 resulting products by number of redditors who mentioned them. Here are the top 20.

Top comments that mention products on r/computerforensics:

u/Shoes__Buttback · 2 points · r/computerforensics

Every practitioner has his/her favourite toolset, but try not to limit yourself to any one tool (appreciate that your company isn't going to buy more than one platform at this stage for you). Learn EnCase by all means and go for your EnCE; practically all job adverts ask for either EnCE or ACE but aren't usually fussy about which. The reality is that if you can evidence that you can use EnCase, FTK, or X-Ways to a good professional level, and you are being interviewed by a practitioner, they should understand that it wouldn't be a huge leap to learn another toolset. Ultimately, they all do a similar job in slightly different ways. My personal preference is for FTK, then X-Ways, and lastly EnCase (too many wasted hours/days getting back to where I was when it crashed out on me back in the day).

Ultimately more important than any tool or cert is going to be proving that you have a proper, deep understanding of CF principles, filesystems and so forth, know your hardware and are confident pulling things apart to image them and all that good stuff. Get yourself a book or three such as https://www.amazon.co.uk/Incident-Response-Computer-Forensics-Third/dp/0071798684 and think about answers to questions that a good interviewer will ask you - tell me how you would evidence that this user did a certain thing, show me where you would look for this particular file and what its significance might be, explain to me when/how this data got deleted etc. If you become a practitioner, these are the sorts of questions that will get thrown at you on a daily basis, sometimes by opposing counsel, and you will want to have the answers in your back pocket.

Good luck with your study. This is an awesome industry to get into...

u/syneater · 2 points · r/computerforensics

I don't think there are really any prerequisites to get a good amount of learning out of the class. Understanding the types of attacks is a great start. In 2004 (at least I think it was that year), they only had one class (508) and on day 3, after we had gone over the bulk of how filesystems and computers work, we were doing an exercise based on hand-rebuilding a USB thumb drive's filesystem (it had been tampered with). A guy raises his hand and says "You keep using the word rootkit, what is that?" The instructor thought he was being trolled at first. So having a pentesting cert will certainly help you (both as a pentester and with learning forensics, since you will learn that there is always evidence of some sort left behind).

All that being said though, you should at least be a little familiar with the following (though they do a great job of explaining these in the class):

  • Windows registry
  • different filesystems (exFAT, NTFS, FAT*)
  • a general understanding of how Windows works

Right now (well, as of last year when I took the cert/class) the books are titled:

  • Windows Digital Forensics and Advanced Data Triage
  • Core Windows Forensics Part 1 - Registry and USB Device Analysis
  • Core Windows Forensics Part 2 - Email Forensics
  • Core Windows Forensics Part 3 - Windows Artifact and Log File Analysis
  • Core Windows Forensics Part 4 - Web Browser Forensics (Firefox, IE & Chrome)

Harlan Carvey's books are an excellent resource.

Windows Registry Forensics, 2nd

Windows Forensic Analysis Toolkit 4th

My first time using the formatting features, so hopefully I didn't screw that up. Feel free to PM me if you have more questions. I have a bunch of SANS certs and have been doing this for ages. I am always happy to help someone who's learning!

Edit: the 2nd book link isn't showing up, so fixed that.

u/LaMaPuppy · 4 points · r/computerforensics

Aside from SANS FOR508 (the course on which the cert is based) the following helped me:

Windows Registry Forensics

Windows Forensic Analysis Toolkit 2nd ed

Windows Forensic Analysis Toolkit 4th ed

The 2nd edition covers XP, the 4th covers 7/8.

Digital Forensics with Open Source Tools

File System Forensic Analysis

This is a new book, but I imagine it'll help as well:

The Art of Memory Forensics

I read many of these in preparation for taking mine, but your best resource is the SANS class/books, which is what the cert tests on. Having a good index is key.

There may be other classes out there that might help, but I have no firsthand experience with them, so I can't say what I recommend. All the above books, however, are amazing. Very much worth your time and money.

u/technogal · 2 points · r/computerforensics

I highly suggest this book: https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

While it's been out a bit, as far as I know, it still stands as the definitive source for NTFS file systems.

I went to X-Ways training last year in New York. Take good notes. I mean really good notes. X-Ways is very different from EnCase or FTK. You need to understand how file systems work. It is NOT a push-button tool. However, you will get way more information for your cases by using X-Ways; it's a great tool.

Are you doing regular forensic case work? If not, consider purchasing Brett Shaver's course: http://courses.dfironlinetraining.com/x-ways-forensics-practitioners-guide-online-and-on-demand-course and book: https://www.amazon.com/X-Ways-Forensics-Practitioners-Guide-Shavers/dp/0124116051/ref=sr_1_1?s=books&ie=UTF8&qid=1492443886&sr=1-1&keywords=xways+forensics+practitioner. They will be invaluable resources while you learn.

Good luck and have fun!

u/Goovscoov · 1 point · r/computerforensics

Do you have the image file itself?
If yes, open it in a tool like Active@ Disk Editor (http://www.disk-editor.org/). This tool highlights disk information in colours and gives verbose information for you to easily understand what parts of the disk/image you're looking at. Great way to start off and learn things about filesystems. Also, I highly recommend the File System Forensics book by Brian Carrier (https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172).

u/4n6Pi · 1 point · r/computerforensics

Brian Carrier's book on File System Forensics is a must: http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

Next, any of Harlan Carvey's books. These cover the basic (as well as advanced) Windows artifacts such as the registry, event logs and timeline creation. He also has lots of open source tools that he demonstrates in the books:

http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224/ref=sr_1_5?s=books&ie=UTF8&qid=1414266778&sr=1-5&keywords=harlan+Carvey

Check out the free SANS webcasts in their archives. Lots of good videos on forensic and security-related topics. They also have a free forensic tool called "SIFT", which is a VM loaded with free/open source forensic tools (Linux-based):

https://www.sans.org/webcasts/archive

u/orangelounge · 14 points · r/computerforensics

Start with reference data sets: https://www.cfreds.nist.gov/

and free tools like Autopsy and SleuthKit: https://www.sleuthkit.org/autopsy/

And the bible on digital forensics: https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

before worrying about proprietary tools like EnCase. Autopsy is like free EnCase. Same principles apply.

u/bigt252002 · 3 points · r/computerforensics

Computers will never go away. The trend right now is that everything is going mobile, and that is why there is much more emphasis on mobile devices in general. However, depending on what you decide to do (private v. public sectors) you will always see computers come in. Not to mention, before I would advocate someone move to HFS+ or ext2-4 file systems, they should have an understanding of how FAT and NTFS work anyway. They are the easiest to understand, and it will definitely help later on when you need to start traversing through an iOS or Android device.

http://www.amazon.com/Handbook-Digital-Forensics-Investigation-Eoghan/dp/0123742676

Hands down my favorite book when I was starting out

u/dougsec · 1 point · r/computerforensics

Since this is the subreddit for DFIR, that's what you're going to end up with as far as suggestions go. For pentesting stuff, check out:

- Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 (this has some labs, but just reading through the various weaknesses in web apps will be a great start)

- The Hacker Playbook: https://www.amazon.com/dp/1512214566/ref=pd_lpo_sbs_dp_ss_1?pf_rd_p=1944687742&pf_rd_s=lpo-top-stripe-1&pf_rd_t=201&pf_rd_i=1118026470&pf_rd_m=ATVPDKIKX0DER&pf_rd_r=1NSA1RZZ3WQTP374S9WK

- Red Team Field Manual: https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=pd_bxgy_14_img_2?ie=UTF8&psc=1&refRID=S7FG8F9TCMZMM9HVX2TN

Those two are good general pentesting books. You might also try /r/AskNetsec for other suggestions.

u/Bonzooy · 5 points · r/computerforensics

Short answer: yes. Scripting is helpful in DF, especially if you're in an IR role where you're dealing with data from many different systems. Python is far and away the most common, although plenty of folks use other languages.

You could go the conventional "take a class about it" route: http://classlist.champlain.edu/course/description/number/dfs_510/register/false

Or you could just teach yourself: https://www.amazon.com/Learning-Python-Forensics-Preston-Miller/dp/1783285230

u/justjosh25 · 1 point · r/computerforensics

Check this out. Goes from really beginner-level stuff to more experienced by the end of the first section. This book will answer all your questions about tools during all phases of forensic analysis. Hope it helps.

u/Snackman11 · 16 points · r/computerforensics

Digital Forensic Workbook is a great source for building foundational knowledge on many of the general computer forensic techniques. It covers info such as file system forensics, acquisition, software write blocking, registry analysis, email analysis, internet history analysis, recovering data in unallocated space, etc. Labs are included with the book so you can test the content learned against sample data.

Learning Malware Analysis guides you through static analysis, dynamic analysis, using IDA Pro, and other disassemblers to determine the intent of malicious files.

Practical Malware Analysis

Wireshark Network Analysis

u/anarrowview · 3 points · r/computerforensics

Read this book front to back; if you don't understand something, ask on reddit/twitter. Use the second link to find training images and the tools to analyze them for active training. Bury your nose in this and you'll land a job within 6 months, even at a firm like Mandiant (the book was coauthored by the founder).

https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684

https://www.dfir.training/

u/renoc · 2 points · r/computerforensics

Mind sharing the links? There are a few "Hack this site" websites ranging from user-uploaded files, and I've seen one which is more based on JavaScript and SQL injection.

Have you thought about looking at crackmes? There's also the Microsoft Blue Hat Challenge. Forensic Focus also provides a list of resources to practice with.

There are always books as well. I'm currently working through Real Digital Forensics, which comes with the files used in the book and explains how they were gathered and how to view them.

There's plenty of resources out there, but you've got to be a bit more specific on what challenge you're looking for, as there's a range of subjects.

u/bshavers · 1 point · r/computerforensics

50% off the online course, includes a print copy of the book it is based upon if you live within the US/Canada (https://www.amazon.com/X-Ways-Forensics-Practitioners-Guide-Shavers/dp/0124116051).

I don't have any ties to the X-Ways company, other than using X-Ways for more than a decade, writing a book about it, and teaching it at universities and other courses, so I can't offer any discounts on the software. Although, I can say you can buy 2 or 3 licenses of X-Ways compared to a single license of FTK or EnCase...

u/kanly6486 · 4 points · r/computerforensics

I would get a book on how to use open source tools. This is the one that I have myself.
http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867

u/Techgeek537 · 2 points · r/computerforensics

No problem at all, I'll explain.

I'm new to the forensic department; my past experience has been with areas not directly related to computers. The below is one such example of a field that contains almost no computer-related content:
https://www.amazon.com/How-Be-Invisible-Protect-Children/dp/1250010454

This book is pretty much the top in the field despite being a few years old, and mentions very little (if anything) about computers.

u/dwhite21787 · 2 points · r/computerforensics

  • training. take the vendor's classes, and be prepared to keep up with new releases
  • more training. join professional societies (e.g. HTCIA) that have chapter meetings or conferences with workshops
  • network with people. go to the digital forensics conferences and make contacts
  • tedium. depending on the path you take, you may be completely buried in work that needs fanatical attention (see chain of custody comment) and always 3 years behind
  • terrible stress. also depends on the path, if you get into cases involving minors, booby-trapped hardware, court testimony

Try these tools and this book.

u/GunnyUSMCRockin · 5 points · r/computerforensics

Warren Kruse and Jay Heiser. Computer Forensics: Incident Response Essentials. Addison Wesley, 2001. You can purchase at https://www.amazon.com/Computer-Forensics-Incident-Response-Essentials/dp/0201707195

Carrier, B. File System Forensic Analysis. Addison-Wesley, Reading, PA., Mar. 2005. (Available at https://www.kobo.com/us/en/ebook/file-system-forensic-analysis-1)

Carvey, H. (2014). Windows forensic analysis toolkit: Advanced analysis techniques for Windows 8. Waltham, MA: Syngress.

Altheide, C., Carvey, H. A., & Davidson, R. (2011). Digital forensics with open source tools. Amsterdam: Elsevier/Syngress. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)

Carvey, H. A. (2005). Windows forensics and incident recovery. Boston: Addison-Wesley. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)

Bunting, S. (2012). EnCase computer forensics: the official EnCE: EnCase certified examiner; study guide. Indianapolis, IN: Wiley. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)

Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux. John Wiley & Sons. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)

Casey, E. (2017). Digital evidence and computer crime: forensic science, computers, and the Internet. Vancouver, B.C.: Langara College. Available at https://www.amazon.com/Digital-Evidence-Computer-Crime-Computers/dp/0123742684