Table of Contents

Authors
    Andrew Rathbun
    ApexPredator
    Barry Grundy
    Guus Beckers
    Jason Wilkins
    John Haynes
    Kevin Pagano
    Nisarg Suthar
    s3raph
    Tristram
Contributors

Chapter 0 - Introduction
    Purpose of This Book
    Community Participation
    Final Thoughts

Chapter 1 - History of the Digital Forensics Discord Server
    Introduction
    Beginnings in IRC
    Move to Discord
    Mobile Forensics Discord Server
    Digital Forensics Discord Server
    Member Growth
    Hosting the 2020 Magnet Virtual Summit
    Community Engagement Within the Server
    Impact on the DFIR community
    Law Enforcement Personnel
    Forensic 4:cast Awards
    Future
    Conclusion

Chapter 2 - Basic Malware Analysis
    Introduction
    Basic Malware Analysis Tools
    Basic Malware Analysis Walkthrough
    Analysis Wrap-Up
    Conclusion

Chapter 3 - Password Cracking for Beginners
    Disclaimer & Overview
    Password Hashes
    Useful Software Tools
    Hash Extraction Techniques
    Hash Identification
    Attacking the Hash
    Wordlists
    Installing Hashcat
    "Brute-Forcing" with Hashcat
    Hashcat's Potfile
    Dictionary (Wordlist) Attack with Hashcat
    Dictionary + Rules with Hashcat
    Robust Encryption Methods
    Complex Password Testing with Hashcat
    Searching a Dictionary for a Password
    Generating Custom Wordlists
    Paring Down Custom Wordlists
    Additional Resources and Advanced Techniques
    Conclusion
    References

Chapter 4 - Large Scale Android Application Analysis
    Overview:
    Introduction:
    Part 1 - Automated Analysis
    Part 2 - Manual Analysis
    Problem of Scale:
    Part 3 - Using Autopsy, Jadx, and Python to Scrap and Parse Android Applications at Scale

Chapter 5 - De-Obfuscating PowerShell Payloads
    Introduction
    What Are We Dealing With?
    Stigma of Obfuscation
    Word of Caution
    Base64 Encoded Commands
    Base64 Inline Expressions
    GZip Compression
    Invoke Operator
    String Reversing
    Replace Chaining
    ASCII Translation
    Wrapping Up

Chapter 6 - Gamification of DFIR: Playing CTFs
    What is a CTF?
    Why am I qualified to talk about CTFs?
    Types of CTFs
    Evidence Aplenty
    Who's Hosting?
    Why Play a CTF?
    Toss a Coin in the Tip Jar
    Takeaways

Chapter 7 - The Law Enforcement Digital Forensics Laboratory
    Setting Up and Getting Started
    Executive Cooperation
    Physical Requirements
    Selecting Tools
    Certification and Training
    Accreditation

Chapter 8 - Artifacts as Evidence
    Forensic Science
    Types of Artifacts
    What is Parsing?
    Artifact-Evidence Relation
    Examples
    References

Chapter 9 - Forensic imaging in a nutshell
    What is a disk image?
    Creating a disk image
    Memory forensics
    Next Steps and Conclusion

Chapter 10 - Linux and Digital Forensics
    What is Linux?
    Why Linux for Digital Forensics
    Choosing Linux
    Learning Linux Forensics
    Linux Forensics in Action
    Closing

Errata
    Reporting Errata