eLearnSecurity Certified Digital Forensics Professional (eCDFP) – a friendly dive into digital forensics
Preparing for the Certified Digital Forensics exam | eLearnSecurity Certified Digital Forensics Professional
June 19, 2018
Through the ongoing war waged against the security community by big-name companies who want to charge me a kidney for a certification, I have found solace in eLearn’s platform. As such I will be taking several of their courses, though this is the first I have seen through to the end (yes, I got certified, woot). The course itself was very well done, with very straightforward material (save for multiple spelling/grammatical errors; if you are a Grammar Nazi this course may bug you a bit) and labs (though the exam was a little iffy, which I’ll get into later). Another nice part about this course is that all of the tools used are open source/freeware, so you don’t need to buy some fancy product to do your job (though I will admit some of them can be nice). The course itself covers the following sections:
- Introduction to Digital Forensics
- Data Acquisition
- Data Representation & Files Examination
- Disks
- File Systems
- Windows Forensics
- Network Forensics
- Log Analysis
- Timeline Analysis
- Reporting (important but... yawn)

- The main goal of a digital investigation is to answer the 5 “W’s”: the Who, What, When, Where and Why (plus the How) of a digital incident. This may seem obvious, but it is extremely important in helping the client and building a strong case, whether to charge a criminal if it goes to court or just to support an insurance claim (as is the case for a lot of ransomware incidents). The 5 “W’s” are a great guide for the investigator throughout the investigation.
- Digital forensics goes beyond just “finding out what the attacker did”, and forensic investigators work in a plethora of different fields: law enforcement agencies, internal investigation teams, consulting, and even larger-scope international investigative teams (whether through law enforcement or an international organization).
- Digital forensics has a life cycle, and like most things it can be repeated over and over again. This life cycle is “Acquisition <> Analysis <> Presentation”, and it is important to remember that each step may be revisited multiple times throughout an investigation as new pieces of evidence come to light or old ones need to be re-examined.
- Forensics (in general) takes a scientific-method approach, and if you remember high school that means lots of note taking: a process should be repeatable and lead to the same result or conclusion. Depending on the scope or type of the case it may be extremely important to document everything that you do, so find a note-taking method that works for you and stick with it.
The rest of the course is pretty straightforward and I won’t dive too deep into it here or go into exactly what each step is, as I figure the module names are pretty descriptive of what they are all about. What I do think this course lacks is some more in-depth experience with some of the artifacts that you come across. Some of the labs (especially the Windows ones) could have been made a little longer and a little less straightforward, more like a real-life scenario. For example, the MFT in NTFS file systems is a huge forensic artifact for seeing what was on disk and when. I’ve always used it to help build a timeline for cases in real life, and though it is talked about in the course, it isn’t really explored in the labs or in the exam. Another thing this course lacks is a look at Linux forensics; though parts may be slightly covered (think log analysis) in some modules, there is no talk about artifact locations, per se, or their meaning. In the wild, let’s be honest, you will definitely encounter some *nix boxes (including Macs), but you will most definitely encounter Windows, a lot of Windows boxes. That being said, the course does do a good job of covering Windows, including older systems and going into detail about artifact differences between versions.
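Since the MFT is named above as the artifact for building a timeline but is not exercised in the labs, here is an added example (not from the course or this post) of what that work looks like in Python: parse one NTFS FILE record, undo its fixups, pull the MACB timestamps out of $STANDARD_INFORMATION and $FILE_NAME, flatten them into timeline rows, and flag the usual timestomping indicators. The record itself, the name secret.docx, record number 42 and every timestamp are constructed test data built in `build_sample_record`; only resident attributes are handled (which $STANDARD_INFORMATION and $FILE_NAME always are), and the timestomp checks are heuristics, not proof.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt, ticks=0):  # inverse; `ticks` adds a sub-microsecond 100 ns remainder
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10 + ticks


def apply_fixups(record):
    """Undo the update sequence array: NTFS overwrites the last two bytes of every 512-byte sector
    with the USN and parks the originals in the array. Skip this and offsets 510/1022 read wrong."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(usa_count - 1):
        end = SECTOR * (i + 1)
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write or corruption)" % i)
        slot = usa_off + 2 * (i + 1)
        buf[end - 2:end] = record[slot:slot + 2]
    return bytes(buf)


def parse_mft_record(record):
    """Record number, flags, file name and raw FILETIMEs of $STANDARD_INFORMATION (si_*) and $FILE_NAME (fn_*)."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    record = apply_fixups(record)
    off, flags = struct.unpack_from("<HH", record, 20)  # first attribute offset, record flags
    out = {"record": struct.unpack_from("<I", record, 44)[0], "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if not record[off + 8]:  # resident (SI and FN always are); non-resident attributes are skipped
            clen, coff = struct.unpack_from("<IH", record, off + 16)
            body = record[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                c, m, e, a = struct.unpack_from("<4Q", body, 0)
                out.update(si_crtime=c, si_mtime=m, si_ctime=e, si_atime=a)
            elif atype == ATTR_FILE_NAME:
                c, m, e, a = struct.unpack_from("<4Q", body, 8)
                name = body[66:66 + 2 * body[64]].decode("utf-16-le")
                if body[65] != 2 or "fn_name" not in out:  # prefer the long name over an 8.3 DOS alias
                    out.update(fn_name=name, fn_crtime=c, fn_mtime=m, fn_ctime=e, fn_atime=a)
        off += alen
    return out


def timeline(rec):
    """Flatten the record into sorted (utc_iso, attribute, MACB letter, name) rows."""
    rows = [(filetime_to_dt(rec[s + k]).isoformat(), label, tag, rec.get("fn_name", "?"))
            for s, label in (("si_", "$STANDARD_INFORMATION"), ("fn_", "$FILE_NAME"))
            for k, tag in (("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B")) if s + k in rec]
    return sorted(rows)


def timestomp_indicators(rec):
    """Heuristics, not proof: SI times are settable from user mode (SetFileTime), FN times are not, so SI
    earlier than FN creation or SI with a zero 100 ns fraction deserves a look; moves/copies also rewrite FN."""
    hits = ["SI creation predates FN creation"] if rec["si_crtime"] < rec["fn_crtime"] else []
    for k in ("si_crtime", "si_mtime", "si_ctime", "si_atime"):
        if rec[k] % 10_000_000 == 0:
            hits.append("%s has a zero 100 ns fraction" % k)
    return hits


def build_sample_record(rec_no, name, si_times, fn_times, usn=7):
    """Constructed 1024-byte record with two resident attributes, stored as NTFS writes it (fixups applied). Test data."""
    def attr(atype, body):
        total = (24 + len(body) + 7) & ~7  # attributes are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, 0, len(body), 24, 0, 0)
        return hdr + body + bytes(total - 24 - len(body))
    si = struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 0x0005000000000005, *fn_times, 4096, 1234, 0x20, 0, len(name), 3)
    attrs = attr(ATTR_STANDARD_INFORMATION, si) + attr(ATTR_FILE_NAME, fn + name.encode("utf-16-le"))
    attrs += struct.pack("<II", ATTR_END, 0)
    used = 56 + len(attrs)  # 48-byte header + 3-word update sequence array, padded to 8
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1, used, 1024, 0, 3, 0, rec_no)
    rec, usa = bytearray(hdr + bytes(8) + attrs + bytes(1024 - used)), struct.pack("<H", usn)
    for i in range(2):  # two sectors, so two fixup slots follow the USN
        end = SECTOR * (i + 1)
        usa += bytes(rec[end - 2:end])
        rec[end - 2:end] = struct.pack("<H", usn)
    rec[48:54] = usa
    return bytes(rec)


T0 = datetime(2018, 6, 19, 12, 0, tzinfo=timezone.utc)  # FN times: real creation; SI times are backdated to 2015
SAMPLE_RECORD = build_sample_record(42, "secret.docx", [dt_to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))] * 4,
                                    [dt_to_filetime(T0, 1234567)] + [dt_to_filetime(T0 + timedelta(minutes=5), 98765)] * 3)

if __name__ == "__main__":
    parsed = parse_mft_record(SAMPLE_RECORD)
    print(*timeline(parsed), "indicators: %s" % timestomp_indicators(parsed), sep="\n")
```

Run the file to print the eight timeline rows for the constructed record; to timeline a real volume, export $MFT (FTK Imager or The Sleuth Kit’s icat) and feed `parse_mft_record` each 1024-byte slice. The fixup step is the one most home-grown parsers skip, and it is why a record whose $FILE_NAME happens to straddle offset 510 comes out with a mangled name or timestamp.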
Let’s talk about the exam. There are 30 questions total, all multiple choice, and since I had to take it twice I can tell you that they are not the same each time. You get one 24-hour period to take it. The first 15 questions are completely theory, and if you have gone through the material they will be pretty straightforward to answer, though for some you may have to look back at the material. The last 15 are a little trickier as they require actual hands-on forensics. There were a few questions that I complained about (like one question suggesting that “bad” images contain “kittens”, when really the only suspicious photos were of things from the TV series “Mr. Robot”, and there were no photos of kittens or an option to select 0). Other than that, I’d suggest taking it slow and thinking through each artifact. What is nice is that you don’t have to write up a report (I’m sure version 2 may change this), so get it while you can.
Overall, it was an enjoyable experience and I think it would be beneficial for noobs and 1337s alike. I also found that if you are a red teamer this may be a good/cheaper way to get an inside scoop on the artifacts that forensic examiners look at, and their process, which may in turn help you cover your tracks when performing an exercise. That being said, if you do decide to take the course, glhf, and take it slow; really ingesting what each artifact is and how it affects the investigation will help in the long run outside of the course.
Some Tools Gone Over:
- Autopsy: https://www.sleuthkit.org/autopsy/
- OSFMount: https://www.osforensics.com/tools/mount-disk-images.html
- FTK Imager: http://accessdata.com/product-download/ftk-imager-version-3.4.3
- dd: https://linux.die.net/man/1/dd
- DCode: http://www.digital-detective.net/digital-forensic-software/free-tools/
- Volatility: http://www.volatilityfoundation.org/
- HashCalc: http://www.slavasoft.com/hashcalc/
- Bambiraptor: https://www.brimorlabs.com/tools/
- ExifTool: https://www.sno.phy.queensu.ca/~phil/exiftool/
- ExifReader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
- PhotoRec: http://www.cgsecurity.org/wiki/PhotoRec
- Active Disk Editor: http://www.disk-editor.org/
- WinHex: https://www.x-ways.net/winhex/
- bulk_extractor: https://github.com/simsong/bulk_extractor
- MFTCarver: https://github.com/jschicht/MftCarver
- The Sleuth Kit: http://www.sleuthkit.org/
- PowerForensics: https://github.com/Invoke-IR/PowerForensics
- Immunity Debugger: http://www.immunityinc.com/products-immdbg.shtml
- WinDbg (ships with the Windows Driver Kit): https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
- Wireshark: https://www.wireshark.org/