The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts
The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts
A crowdsourced Digital Forensics and Incident Response (DFIR) book by the members of the Digital Forensics Discord Server
About the Book
DFIR = Digital Forensics and Incident Response
This is a book written for the DFIR community, by the DFIR community.
This book will continue to be updated as the authors complete more chapters. For more information on the development and progress of this book, go here.
Version 1.0 was released on 8/15/2022 with an introduction and ten chapters. As more chapters are completed, subsequent versions will be released. When all is said and done, the final chapter count should be around twenty. The completion percentage will be based on twenty chapters for the time being. Every chapter published is a completed work product, but the book itself is still building up to its end goal of twenty chapters.
Profits from this book have been and will continue to be donated to the National Center for Missing & Exploited Children (NCMEC). Thank you for your support!
About the Contributors
Table of Contents
- Authors
- Contributors
-
2023 Forensic 4:cast Awards
- DFIR Book of the Year
-
Chapter 0 - Introduction
- Purpose of This Book
- Community Participation
- Final Thoughts
-
Chapter 1 - History of the Digital Forensics Discord Server
- Introduction
- Beginnings in IRC
- Move to Discord
- Mobile Forensics Discord Server ⇒ Digital Forensics Discord Server
- Member Growth
- Hosting the 2020 Magnet Virtual Summit
- Community Engagement Within the Server
- Impact on the DFIR community
- Law Enforcement Personnel
- Forensic 4:cast Awards
- Future
- Conclusion
-
Chapter 2 - Basic Malware Analysis
- Introduction
- Basic Malware Analysis Tools
- Basic Malware Analysis Walkthrough
- Analysis Wrap-Up
- Conclusion
-
Chapter 3 - Password Cracking for Beginners
- Disclaimer & Overview
- Password Hashes
- Useful Software Tools
- Hash Extraction Techniques
- Hash Identification
- Attacking the Hash
- Wordlists
- Installing Hashcat
- “Brute-Forcing” with Hashcat
- Hashcat’s Potfile
- Dictionary (Wordlist) Attack with Hashcat
- Dictionary + Rules with Hashcat
- Robust Encryption Methods
- Complex Password Testing with Hashcat
- Searching a Dictionary for a Password
- Generating Custom Wordlists
- Paring Down Custom Wordlists
- Additional Resources and Advanced Techniques
- Conclusion
- References
-
Chapter 4 - Large Scale Android Application Analysis
- Overview
- Introduction
- Part 1 - Automated Analysis
- Part 2 - Manual Analysis
- Problem of Scale
- Part 3 - Using Autopsy, Jadx, and Python to Scrap and Parse Android Applications at Scale
-
Chapter 5 - De-Obfuscating PowerShell Payloads
- Introduction
- What Are We Dealing With?
- Stigma of Obfuscation
- Word of Caution
- Base64 Encoded Commands
- Base64 Inline Expressions
- GZip Compression
- Invoke Operator
- String Reversing
- Replace Chaining
- ASCII Translation
- Wrapping Up
-
Chapter 6 - Gamification of DFIR: Playing CTFs
- What is a CTF?
- Why am I qualified to talk about CTFs?
- Types of CTFs
- Evidence Aplenty
- Who’s Hosting?
- Why Play a CTF?
- Toss a Coin in the Tip Jar
- Takeaways
-
Chapter 7 - The Law Enforcement Digital Forensics Laboratory
- Setting Up and Getting Started
- Executive Cooperation
- Physical Requirements
- Selecting Tools
- Certification and Training
- Accreditation
-
Chapter 8 - Artifacts as Evidence
- Forensic Science
- Types of Artifacts
- What is Parsing?
- Artifact-Evidence Relation
- Examples
- References
-
Chapter 9 - Forensic imaging in a nutshell
- What is a disk image?
- Creating a disk image
- Memory forensics
- Next Steps and Conclusion
-
Chapter 10 - Linux and Digital Forensics
- What is Linux?
- Why Linux for Digital Forensics
- Choosing Linux
- Learning Linux Forensics
- Linux Forensics in Action
- Closing
-
Chapter 11 - Scaling, scaling, scaling, a tale of DFIR Triage
- What is triage?
- What should be included in a triage?
- Forensic triage of one or a limited amount of hosts
- Scaling up to a medium-sized subnet
- Scaling up to an entire network
- Other tools
- Practicing triage
- Contributions and sources
-
Chapter 12 - Data recovery
- Logical data recovery
- Physical data recovery
- How to approach a data recovery case
- Imaging of unstable HDDs
- Flash drive data recovery
-
Chapter 13 - Detecting Modified PCAP Files
- Overview
- Introduction and Motivation
- Background on PCAP Files and Approach to Detecting Modifications
- MAC Address and IP Address Correlation
- Addressing Overview
- Dynamic Host Configuration Protocol
- Address Resolution Protocol / Neighbor Discovery Protocol
- Transmission Control Protocol
- Domain Name System
- Discussion of Detection Scripts
- Conclusion and Future Work
- Acknowledgement
- References
-
Chapter 14 - IoT Forensics
- 1. Introduction
- 2. Challenges related to IoT Forensics
- 3. IoT Forensics Competencies
- 4. Location of data
- 5. Resources on how to get started
- 6. Conclusion
- References
-
Errata
- Reporting Errata
- Changelog
The Leanpub 60 Day 100% Happiness Guarantee
Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.
You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!
So, there's no reason not to click the Add to Cart button, is there?
See full terms...
Earn $8 on a $10 Purchase, and $16 on a $20 Purchase
We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.
(Yes, some authors have already earned much more than that on Leanpub.)
In fact, authors have earnedover $14 millionwriting, publishing and selling on Leanpub.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them