Careers that involve digital forensics have been the common focus of articles in Certification Magazine and on CertMag.com. Some examples of this trend include:
While digital forensics may be a focused career path for specialization, it remains important for many IT professionals to have a baseline knowledge of forensic investigation, particularly as it relates to evidence preservation in situations where “first responder” skills are needed. Hence the rationale for focusing this article on identifying learning resources that are available at no cost.
Winding up in that “first responder” role is typically a result of arriving on the scene as a consequence of a non-technical user identifying an unexpected characteristic, like a visual image on their monitor, or odd computer behavior. Hence a basic understanding of the initial digital forensics steps falls into the “other duties as defined” role.
Where and how far “first responder” responsibilities go is dependent upon an informed recognition of the situation, coupled with an understanding of digital forensics processes. Hence the need to encourage a baseline of digital forensics for IT practitioners.
One limiting financial constraint for digital forensics training is the view that commonly used and expensive commercial tools such as FTK (MSRP: $3,995), EnCASE (MSRP: $2,995), ProDiscover (MSRP: $12,995), and X-Ways Forensics (MSRP: $15,589) should be used for training. This views persists in part because the tools have already been authenticated by experts in many court cases.
This approach certainly makes sense for individuals who are focused on achieving a principal role in the digital forensics field. On the other hand, there are open-source tools and learning resources that provide a working level of understanding of the processes and procedures associated with digital forensics, available at no cost.
For those attempting to make a career out of “first responder” situations, an understanding of industry-standard applications, their proper utilization, and staying familiar with technological advancement for up-and-coming forensic tools is imperative. This is especially important considering those who may be called into court for expert testimony.
Considering the “Daubert Standard,” the expert’s methods and understanding may be called into question by the opposing party. Utilizing free or low-cost tools to gain familiarization with the digital forensics process assists with gaining a strong base from which to pivot into widely accepted tools.
Occasionally, experts will use free or low-cost forensic tools to conduct the initial investigation, gather findings, and then repeat the process of discovery using industry tools so they can be utilized in a court of law. Some low-cost tools are simply preferable for initial investigation, and as long as the results can be acquired by following proper methods on industry-accepted applications without altering the digital evidence, the case will stand up in court.
What follows is a list that provides details about free resources that are worth considering as IT professionals expand their knowledge in digital forensics:
Digital Forensics Basics Course — Produced by Texas A&M Engineering Extension, this seven-hour online course provides broad coverage relating to digital forensics and is available at no cost.
HTICA Free Video Courses — Produced by the High Technology Crime Investigation Association (HTICA), seven online video courses are available at no cost.
13Cubed Episodes — A large collection of videos that relate specifically to digital forensics, available at no cost.
Introduction to Computer Forensics (FedVTE) — Online course introduces the tasks, processes, and technologies to identify, collect and preserve, and analyze data. (FedVTE provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans.)
Advanced Computer Forensics (FedVTE) — Online course focuses on building skills to improve the ability to piece together the various components of the digital investigation. (FedVTE provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans.)
Computer Forensics (RITx) — Online eight-week course that can be “audited” at no cost, with a focus on digital forensics and involves the investigation of computer-related crimes with the goal of obtaining evidence to be presented in a court of law.
O’Reilly Learning — This site provides a multitude of digital forensics books, videos, and practice exams for those looking to become certified. This site offers a free 10-day trial and provides free membership to military members through an enterprise subscription.
DFIR Labs — A current library of 14 virtual forensics labs, available at no cost.
Blue Team Labs Online — This site provides a gamified platform to practice skills in security investigations. There are currently seven free challenges that focus on digital forensics.
Try Hack Me — This site provides a gamified platform to practice skills in security investigations. There are currently five free challenges that focus on digital forensics.
About DFIR — A site providing access to a variety of forensics resources.
Autopsy Sleuth Kit — This site provides a free platform to perform timeline analysis, hash and keyword filtering, web artifacts, EXIF extraction from multimedia, recovery of deleted files, and scanning for Indicators of Compromise. This tool guides users through the practical application of the tools.
Robtex — This site assists in digital forensics investigations (and practice) by aggregating and indexing public information about IP addresses, domain names, hostnames, autonomous systems, and routes in a single database, at no cost.
Shodan Search Engine — This search engine aggregates information about devices connected to the Internet of Things in addition to information concerning regular systems and servers. Free users can obtain up to 50 search results.
Passware Encryption Analyzer — This free tool detects encrypted files and containers on a system and allows a user to filter by decryption complexity, at no cost.
Volatility Framework — The “Art of Memory Forensics” allows users to extract Truecrypt passphrases and master keys from Windows and Linux memory dumps, investigate MAC contact databases, calendar data, encrypted mail, chat messages, and analyze Linux rootkits, free of charge. This open-source project can also be found on GitHub.
Belkasoft Live RAM Capture — This free tool allows a user to extract the contents of volatile memory, even if the system is protected against it. This tool focuses on a minimal footprint and can be used with the Live RAM analysis tool, also by Belkasoft.
SIFT — The SIFT VM workstation is an aggregate of updated free forensic tools.
OSFClone — This free tool self-boots and allows a user to create/clone raw disk images, including unused sectors, slack space, and file fragments independent of the installed operating system. This tool can also be used to verify the image is the exact same as the source drive by hash comparison.
Current technology offers a multitude of open-source and free or low-cost tools and educational resources to enable those interested in gaining a baseline understanding of the digital forensics process. The integrity and ease-of-use of many of these tools are comparable to costly industry-standard tools. Despite increased demand, financial constraints should not hinder anyone from building a foundational knowledge in the process of digital forensics.