The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts
Minimum price
Minimum paid price

The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts

A crowdsourced Digital Forensics and Incident Response (DFIR) book by the members of the Digital Forensics Discord Server

About the Book

DFIR = Digital Forensics and Incident Response

This is a book written for the DFIR community, by the DFIR community.

This book will continue to be updated as the authors complete more chapters. For more information on the development and progress of this book, go here.

Version 1.0 was released on 8/15/2022 with an introduction and ten chapters. As more chapters are completed, subsequent versions will be released. When all is said and done, the final chapter count should be around twenty. The completion percentage will be based on twenty chapters for the time being. Every chapter published is a completed work product, but the book itself is still building up to its end goal of twenty chapters.

Profits from this book have been and will continue to be donated to the National Center for Missing & Exploited Children (NCMEC). Thank you for your support!

About the Editors

Andrew Rathbun
Andrew Rathbun

Andrew Rathbun is a DFIR professional with multiple years of experience in law enforcement and the private sector. Andrew is involved in multiple community projects, including but not limited to: the Digital Forensics Discord Server, AboutDFIR, and multiple GitHub repositories.


ApexPredator is a cybersecurity professional who also happens to be the top of the food chain. ApexPredator holds several cybersecurity related certifications to include OSCE3, OSCP, GPEN, GWAPT, GREM, GXPN, GCIA, GCIH, GSLC, and GSEC.

Kevin Pagano
Kevin Pagano

Kevin Pagano is a digital forensics analyst, researcher, blogger and contributor to the open-source community. He holds a Bachelor of Science in Computer Forensics from Bloomsburg University of Pennsylvania and a Graduate Certificate in Digital Forensics from Champlain College. Kevin is a member of the GIAC Advisory Board and holds several industry certifications, including the GIAC Advanced Smartphone Forensics (GASF), GIAC Certified Forensic Examiner (GCFE), and GIAC Battlefield Forensics and Acquisition (GBFA), and the Certified Cellebrite Mobile Examiner (CCME) among others.

Kevin is the creator of the Forensics StartMe page and regularly shares his research on his blog He is a published author with multiple peer-reviewed papers accepted through DFIR Review. Kevin also contributes to multiple open-source projects, including but not limited to ALEAPP, iLEAPP, RLEAPP, CLEAPP and KAPE.

Kevin is a regular competitor in the digital forensics CTF circuit. He has won First Place in the Magnet User Summit DFIR CTF 2019, the Magnet Virtual Summit DFIR CTF 2021, the Magnet User Summit DFIR CTF 2022, the Magnet Weekly CTF 2020, the Wi-Fighter Challenge v3 CTF, the Belkasoft Europe 2021 CTF, and the BloomCON CTF in 2017, 2019, 2021 and 2022. He additionally is a SANS DFIR NetWars Champion and NetWars Tournament of Champions winner and has earned multiple Lethal Forensicator coins. Kevin is a 4-time Hacking Exposed Computer Forensic (HECF) Blog Sunday Funday Winner.

In his spare time, Kevin likes to drink beers and design DFIR-themed designs for stickers, clothing, and other swag. You can find him lurking on Twitter ( and on the DFIR Discord.

Nisarg Suthar
Nisarg Suthar

Nisarg is an independent researcher, a blue teamer, CTF player and a blogger. He likes to read material in DFIR; old and new alike, complete investigations on platforms like CyberDefenders and BTLO, and network with other forensicators to learn and grow mutually.

John Haynes
John Haynes

John Haynes works in law enforcement with a focus on digital forensics. John holds several digital forensics certs including Cellebrite Certified Mobile Examiner (CCME) and Magnet Certified Forensics Examiner (MCFE) and also holds the networking Cisco Certified Network Associate (CCNA) certification. Having only been active in digital forensics since 2020, his background as a curious nerd has served him well as he has just started exploring what digital forensics has to offer.

Guus Beckers
Guus Beckers

A life long IT aficionado, Guus Beckers (1990), completed the Network Forensic Research track at Zuyd University of Applied Sciences as part of his bachelor’s degree. In 2016 he attained his university master degree at Maastricht University by completing the Forensics, Criminology and Law master’s program. Guus currently works as a security consultant at Secura where he leads the forensic team in addition to performing penetration testing. 

Barry Grundy
Barry Grundy

Barry Grundy has been working in the field of digital forensics since the mid 1990s. Starting at the Ohio Attorney General's office as a criminal investigator, and eventually joining U.S. Federal Law Enforcement as a digital forensics analyst and computer crimes investigator in 2001. He holds a Bachelor of Science in Forensic Science from Ohio University, and A Master's Degree in Forensic Computing and Cybercrime Investigations from University College Dublin.

Barry is the author and maintainer of the Law Enforcement and Forensic Examiner's Introduction to Linux ([LinuxLEO ( This practical beginner's guide to Linux as a digital forensics platform has been available for over 20 years and has been used by a number of academic institutions and law enforcement agencies around the world to introduce students of DFIR to Linux. Teaching, particularly Linux forensics and open source DFIR tools, is his passion.


An avid blue team leader helping to secure the healthcare industry. Despite being blue team focused, Tristram brings the enemy mindset to the table through various offensive skillsets in order identify gaps and validate existing controls. Cybersecurity is a field that will always have its place as the threat of cybercrime continues to grow, and through knowledge sharing we can help bridge that gap; Be the resource you always wish you had, and we will all be better off for it.

Victor Heiland
Victor Heiland

Breaker of things (mostly things that they shouldn't break). Writer of broken code. s3raph has worked in DFIR, Threat Hunting, Penetration Testing, and Cyber Defense and still somehow has a job in this field.

Jason Wilkins
Jason Wilkins

After serving in the US Navy for five years, Jason Wilkins began a career in firefighting and emergency medicine. While serving the community in that capacity for fourteen years he obtained associates degrees in criminal justice and computer networking from Iowa Central Community College online. He left the fire department in 2014 to pursue a network analyst position working for a global tire manufacturer. Disillusioned by a lack of mission and purpose, he returned to public safety in 2019 and began working as a crime & intelligence analyst for the local police department. It was there that he developed the agency's first digital forensics lab and started the N00B2PR04N6 blog. In 2020 he was nominated as Newcomer of the Year in the Digital Forensics 4:Cast awards and has spoken at both the SANS Digital Forensics and Magnet Forensics Summits. He currently works as an overseas contractor teaching digital forensics and is also an adjunct instructor for digital forensics and incident response at Iowa Central Community College.

Mark Berger
Mark Berger

Mark Berger is a data recovery professional, author and trainer which also holds several digital forensics related certifications, including but not limited to CDFE and CDFP. He is also involved in a few opensource-projects in the data recovery and digital forensics field.

About the Contributors

Table of Contents

  • Authors
  • Contributors
  • Chapter 0 - Introduction
    • Purpose of This Book
    • Community Participation
    • Final Thoughts
  • Chapter 1 - History of the Digital Forensics Discord Server
    • Introduction
    • Beginnings in IRC
    • Move to Discord
    • Mobile Forensics Discord Server ⇒ Digital Forensics Discord Server
    • Member Growth
    • Hosting the 2020 Magnet Virtual Summit
    • Community Engagement Within the Server
    • Impact on the DFIR community
    • Law Enforcement Personnel
    • Forensic 4:cast Awards
    • Future
    • Conclusion
  • Chapter 2 - Basic Malware Analysis
    • Introduction
    • Basic Malware Analysis Tools
    • Basic Malware Analysis Walkthrough
    • Analysis Wrap-Up
    • Conclusion
  • Chapter 3 - Password Cracking for Beginners
    • Disclaimer & Overview
    • Password Hashes
    • Useful Software Tools
    • Hash Extraction Techniques
    • Hash Identification
    • Attacking the Hash
    • Wordlists
    • Installing Hashcat
    • “Brute-Forcing” with Hashcat
    • Hashcat’s Potfile
    • Dictionary (Wordlist) Attack with Hashcat
    • Dictionary + Rules with Hashcat
    • Robust Encryption Methods
    • Complex Password Testing with Hashcat
    • Searching a Dictionary for a Password
    • Generating Custom Wordlists
    • Paring Down Custom Wordlists
    • Additional Resources and Advanced Techniques
    • Conclusion
    • References
  • Chapter 4 - Large Scale Android Application Analysis
    • Overview
    • Introduction
    • Part 1 - Automated Analysis
    • Part 2 - Manual Analysis
    • Problem of Scale
    • Part 3 - Using Autopsy, Jadx, and Python to Scrap and Parse Android Applications at Scale
  • Chapter 5 - De-Obfuscating PowerShell Payloads
    • Introduction
    • What Are We Dealing With?
    • Stigma of Obfuscation
    • Word of Caution
    • Base64 Encoded Commands
    • Base64 Inline Expressions
    • GZip Compression
    • Invoke Operator
    • String Reversing
    • Replace Chaining
    • ASCII Translation
    • Wrapping Up
  • Chapter 6 - Gamification of DFIR: Playing CTFs
    • What is a CTF?
    • Why am I qualified to talk about CTFs?
    • Types of CTFs
    • Evidence Aplenty
    • Who’s Hosting?
    • Why Play a CTF?
    • Toss a Coin in the Tip Jar
    • Takeaways
  • Chapter 7 - The Law Enforcement Digital Forensics Laboratory
    • Setting Up and Getting Started
    • Executive Cooperation
    • Physical Requirements
    • Selecting Tools
    • Certification and Training
    • Accreditation
  • Chapter 8 - Artifacts as Evidence
    • Forensic Science
    • Types of Artifacts
    • What is Parsing?
    • Artifact-Evidence Relation
    • Examples
    • References
  • Chapter 9 - Forensic imaging in a nutshell
    • What is a disk image?
    • Creating a disk image
    • Memory forensics
    • Next Steps and Conclusion
  • Chapter 10 - Linux and Digital Forensics
    • What is Linux?
    • Why Linux for Digital Forensics
    • Choosing Linux
    • Learning Linux Forensics
    • Linux Forensics in Action
    • Closing
  • Chapter 11 - Scaling, scaling, scaling, a tale of DFIR Triage
    • What is triage?
    • What should be included in a triage?
    • Forensic triage of one or a limited amount of hosts
    • Scaling up to a medium-sized subnet
    • Scaling up to an entire network
    • Other tools
    • Practicing triage
    • Contributions and sources
  • Chapter 12 - Data recovery
    • Logical data recovery
    • Physical data recovery
    • How to approach a data recovery case
    • Imaging of unstable HDDs
    • Flash drive data recovery
  • Chapter 13 - Detecting Modified PCAP Files
    • Overview
    • Introduction and Motivation
    • Background on PCAP Files and Approach to Detecting Modifications
    • MAC Address and IP Address Correlation
    • Addressing Overview
    • Dynamic Host Configuration Protocol
    • Address Resolution Protocol / Neighbor Discovery Protocol
    • Transmission Control Protocol
    • Domain Name System
    • Discussion of Detection Scripts
    • Conclusion and Future Work
    • Acknowledgement
    • References
  • Errata
    • Reporting Errata
  • Changelog

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

80% Royalties. Earn $16 on a $20 book.

We pay 80% royalties. That's not a typo: you earn $16 on a $20 sale. If we sell 5000 non-refunded copies of your book or course for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earnedover $13 millionwriting, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub