(Part 2) Top products from r/computerforensics

We found 22 product mentions on r/computerforensics. We ranked the 59 resulting products by number of redditors who mentioned them. Here are the products ranked 21-40.

Top comments that mention products on r/computerforensics:

u/syneater · 2 pointsr/computerforensics

I don't think there are really any prerequisites to get a good amount of learning out of the class. Understanding the types of attacks is a great start. In 2004 (at least I think it was that year), they only had one class (508) and on day 3, after we had gone over the bulk of how filesystems and computers work, we were doing an exercise based on hand-rebuilding a USB thumb drive's filesystem (it had been tampered with). A guy raises his hand and says, "You keep using the word rootkit, what is that?" The instructor thought he was being trolled at first. So having a pentesting cert will certainly help you (both as a pentester and with learning forensics, since you will learn that there is always evidence of some sort left behind).

All that being said though, you should at least be a little familiar with the following (though they do a great job of explaining these in the class):

  • windows registry
  • different filesystems (exfat, ntfs, fat*)
  • a general understanding of how windows works

Right now (well, as of last year when I took the cert/class) the books are titled:

  • Windows Digital Forensics and Advanced Data Triage
  • Core Windows Forensics Part 1 - Registry and USB Device Analysis
  • Core Windows Forensics Part 2 - Email Forensics
  • Core Windows Forensics Part 3 - Window Artifact and Log File Analysis
  • Core Windows Forensics Part 4 - Web Browser Forensics (Firefox, IE & Chrome)


Harlan Carvey's books are an excellent resource.

Windows Registry Forensics, 2nd

Windows Forensic Analysis Toolkit 4th

My first time using the formatting features, so hopefully I didn't screw that up. Feel free to PM me if you have more questions. I have a bunch of SANS certs and have been doing this for ages. I am always happy to help someone who's learning!

Edit: the 2nd book link isn't showing up, so fixed that.

u/Corrsta · 3 pointsr/computerforensics

Computer Forensics InfoSec Pro Guide was the first book I read when I landed my first DFIR job. It's a quick read, but it gave me a great foundation to work from.

If you haven't done so already, start messing around with Linux. As your coursework evolves, you will probably spend a lot of time in that type of environment, so it pays to become familiar with it now.

Lastly, and this may be an old way of thinking, but if your degree is entirely focused on forensics, you may be spreading yourself too thin when it comes to finding a job after graduation. Having a well-rounded computer science background will make you much more marketable. With that in mind, I recommend checking out the Open Source CS Degree as it's a free way to gain that knowledge on your own.

u/JerseyJunto · 1 pointr/computerforensics

Generally speaking, your IT background should allow you to get into an entry-level forensic position (though there aren't a ton of those). Public sector would be your best chance, but as has been stated, most of those positions are sworn if it isn't a large agency. At one training, as we discussed our backgrounds, an officer stated that he was sent because he was able to help the Chief at his agency put an icon on his desktop. A lot of it is push-button, with procedures being the thing we worry about most. It's the non-low-hanging fruit that will require some IT skill.

3 to 4 years of IT experience should get you an interview. From there I would just read up on forensics in general and not worry too much about certifications. Most are vendor-specific, and each department/company is going to dictate what you use and most likely pay to train you.

On the mobile side I would suggest this book:

https://www.amazon.com/Mobile-Forensic-Investigations-Collection-Presentation/dp/1260135098/ref=sr_1_4?keywords=mobile+forensics&qid=1559139135&s=gateway&sr=8-4

I read the first edition and it was really spot on. Covers everything from seizing the device properly to performing an extraction and then presenting the data.

You should also start learning Python. The above book covers part of it and I use it almost daily to make things easier. Also, I build tools to help myself and other investigators so it is really a tool you should have in your arsenal.

Good luck!

u/tigerhp · 5 pointsr/computerforensics

Your question is not very specific (as to whether you are asking about hardware, software or physical requirements), and therefore I'll reply with a general answer.

UNDERSTAND WHAT YOU NEED:
I suggest you first gather the requirements for the lab as your requirements could vary depending on the type of lab you are setting up. (is it for an SME or big company? what type of cases are you going to work on? civil, corporate, legal etc. Depending on that, what type of hardware do you need, the software required, tools to investigate legacy software, how secure should your lab be, do you require a tempest protected facility? etc.)

The book 'Guide to Computer Forensics and Investigation' has a chapter dedicated to setting up a digital forensics laboratory. I have read it and it provides some really good insight into setting up a forensics lab. Here is a link to the book:
http://www.amazon.com/Guide-Computer-Forensics-Investigations-Book/dp/1435498836

You'll find many similar resources out there. Another book is:
http://store.elsevier.com/Building-a-Digital-Forensic-Laboratory/Andrew-Jones/isbn-9780080949536/

One thing to note is, depending on the location, you may need a license (some states in the US restrict forensic activity only to licensed private investigators).

PROCEDURES:
The SWGDE documentation provides best practise documents and procedures that you can use as formal procedure documents for your company. (Check their terms and conditions before using them.)
Again, there may be several similar documents provided by other bodies.

TOOLS:
If you require information on the tools, there are numerous resources online that you could look up for guidance. A good starting point could be http://resources.infosecinstitute.com/computer-forensics-tools/

u/fight0fffyourdemons · 3 pointsr/computerforensics

Certs. Most computer forensics jobs require at least one or more of the computer forensics certifications. Begin with ACE (AccessData Certified Examiner); it's free. Next, buy some textbooks with exercises and practice them. Here's an example: https://www.amazon.com/Guide-Computer-Forensics-Investigations-DVD/dp/1285060032/ref=sr_1_2?ie=UTF8&qid=1469102726&sr=8-2&keywords=computer+forensics

I also encourage you to learn about mobile forensics. A good amount of investigations relate to mobile devices.

u/dougsec · 1 pointr/computerforensics

Since this is the subreddit for DFIR, that's what you're going to end up with as far as suggestions go. For pentesting stuff, check out:

-Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 (this has some labs, but just reading through the various weaknesses in WebApps will be a great start)

-The Hacker Playbook: https://www.amazon.com/dp/1512214566/ref=pd_lpo_sbs_dp_ss_1?pf_rd_p=1944687742&pf_rd_s=lpo-top-stripe-1&pf_rd_t=201&pf_rd_i=1118026470&pf_rd_m=ATVPDKIKX0DER&pf_rd_r=1NSA1RZZ3WQTP374S9WK

-Red Team Field Manual: https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=pd_bxgy_14_img_2?ie=UTF8&psc=1&refRID=S7FG8F9TCMZMM9HVX2TN

Those two are good general pentesting books. You might also try /r/AskNetsec for other suggestions.

u/Snackman11 · 16 pointsr/computerforensics

Digital Forensic workbook is a great source for building foundational knowledge on many of the general computer forensic techniques. It covers info such as file system forensics, acquisition, software write blocking, registry analysis, email analysis, internet history analysis, recovering data in unallocated space, etc. Labs are included with the book so you can test the content learned against sample data.

Learning Malware Analysis guides you through static analysis, dynamic analysis, using IDA Pro, and other disassemblers to determine the intent of malicious files.

Practical Malware Analysis

Wireshark Network Analysis

u/Goovscoov · 3 pointsr/computerforensics

Windows Forensics and Linux Forensics by Phil Polstra are 2 books about forensics and IR that came out in 2015-2016. They go really in-depth about filesystems and teach you how to understand the parsing/processing and forensic analysis process by creating your own Python scripts instead of just running tools and relying on those. I can really recommend these books for starters.

https://www.amazon.com/Windows-Forensics-Dr-Philip-Polstra/dp/1535312432

https://www.amazon.com/Linux-Forensics-Philip-Polstra/dp/1515037630/ref=pd_sbs_14_t_2?_encoding=UTF8&psc=1&refRID=ZZV0H8ZCEWQDX1HNX8TW

u/renoc · 2 pointsr/computerforensics

Mind sharing the links? There's a few "Hack this site" websites ranging from user uploaded files and I've seen one which is more based on JavaScript and SQL injection.

Have you thought about looking at crackme? There's also the Microsoft Blue Hat Challenge. Forensic Focus also provide a list of resources to practice with.

There's always books as well. I'm currently working through Real Digital Forensics that comes with files used in the book and explain how it was gathered and how to view it.

There's plenty of resources out there, but you've got to be a bit more specific on what challenge you're looking for, as there's a range of subjects.

u/gawlerj · 3 pointsr/computerforensics

My bible.

http://www.amazon.com/EnCase-Computer-Forensics-Official-EnCE/dp/0470901063

There's a few videos from EnCase on getting started with V7 too.

YouTube has some videos from various folks on En6-7 and FTK, but your mileage may vary there.

u/Techgeek537 · 2 pointsr/computerforensics

No problem at all, I'll explain.

I'm new to the forensic department; my past experience has been with areas not directly related to computers. The below is one such example of a field that contains almost no computer-related content:
https://www.amazon.com/How-Be-Invisible-Protect-Children/dp/1250010454

This book is pretty much the top in the field despite being a few years old, and mentions very little (if anything) about computers.

u/GunnyUSMCRockin · 5 pointsr/computerforensics


Warren Kruse and Jay Heiser. Computer Forensics: Incident Response Essentials. Addison Wesley, 2001. You can purchase at https://www.amazon.com/Computer-Forensics-Incident-Response-Essentials/dp/0201707195

Carrier, B. File System Forensic Analysis. Addison-Wesley, Reading, PA., Mar. 2005. (Available at https://www.kobo.com/us/en/ebook/file-system-forensic-analysis-1)

Carvey, H. (2014). Windows forensic analysis toolkit: Advanced analysis techniques for Windows 8; Waltham, MA: Syngress. 

Altheide, C., Carvey, H. A., & Davidson, R. (2011). Digital forensics with open source tools. Amsterdam: Elsevier/Syngress. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)

Carvey, H. A. (2005). Windows forensics and incident recovery. Boston: Addison-Wesley. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)

Bunting, S. (2012). EnCase computer forensics: the official EnCE: EnCase certified examiner; study guide. Indianapolis, IN: Wiley. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)

Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linu. John Wiley & Sons. (Available at https://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867)

Casey, E. (2017). Digital evidence and computer crime: forensic science, computers, and the Internet. Vancouver, B.C.: Langara College. Available at https://www.amazon.com/Digital-Evidence-Computer-Crime-Computers/dp/0123742684