AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

AboutDFIR Blog Posts Archive

04 Aug 2020
By Andrew Rathbun

SANS FOR508: A Review

Introduction I recently attended the SANS DFIR Summit 2020 and took FOR508 with Chad Tilbury. I elected to take the GCFA certification which I am currently preparing for and creating my index similar to how I laid out in a previous blog post. At Kroll, FOR500 and FOR508 are our daily bread and butter so I was very excited to finally take FOR508. LiveOnline Review First things first, let's cover the new format SANS is…
Read More
31 Jul 2020
By Andrew Rathbun

AboutDFIR Content Update 7/31/2020

Greetings! Short update this week: Jobs - lots of new jobs added Tools & Artifacts - iOS - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: I recently put out a guide that covers KAPE in great detail with lots of animated GIFs to paint a better picture on how to use it! Check it out here. Also, if you're not…
Read More
23 Jul 2020
By Andrew Rathbun

AboutDFIR Content Update 7/23/2020

Greetings! Yet another content update: Awards - page updated to reflect 2020 Forensic 4:cast Awards results Social Media - new entries added Tools & Artifacts - macOS - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: I recently put out a guide that…
Read More
18 Jul 2020
By Andrew Rathbun

Introducing AboutDFIR’s KAPE Guide

Greetings everyone! I've been working on a detailed guide geared towards LE/Private Sector examiners who've never used KAPE before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The guide can be found here. It can also be currently located in the site's recently redesigned menu via Tools & Artifacts -> Tools ->…
Read More
18 Jul 2020
By Andrew Rathbun

AboutDFIR Content Update 7/18/2020

Greetings! A smaller update this week:  Annual Industry Reports - new entries added Tools and Artifacts - menu section reworked in preparation for upcoming additions to the site AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: The Forensic 4:cast Awards' were presented today and the community voted the Digital Forensics Discord Server as DFIR Resource of the Year! Thank you to all the support…
Read More
10 Jul 2020
By Tony Knutson

DFIR Without Certs – What Books Can Help You

This has been an absolute long time coming from me, I think! The reason for this is during the crazy times we currently live in here in 2020, this is probably something I should have worked on much earlier to give folks a bit of a leg up on some reading material. Coming full circle, I feel this is something that really needs to be updated within our field. One of the few places where…
Read More
08 Jul 2020
By Andrew Rathbun

AboutDFIR Content Update 7/8/2020

Greetings! A smaller update this week:  Tools & Artifacts - macOS - new entries added Tools & Artifacts - Linux - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: REMINDER! The 2020 SANS DFIR Summit is FREE! Register here! It starts next week so don't miss out. The Forensic 4:cast Awards' will be presented at the end of the 2nd day…
Read More
02 Jul 2020
By Andrew Rathbun

AboutDFIR RSS Starter Pack v2 released!

Greetings! I am happy to share a new version of the AboutDFIR RSS Starter Pack! The AboutDFIR RSS Starter Pack was first introduced earlier this year in March 2020. Since then, lots of new content channels have been created largely thanks to the forced stay-at-home experiment brought on by the COVID-19 pandemic. As always, the AboutDFIR RSS Starter Pack can always be found on its dedicated page on the site. For those who already have…
Read More
02 Jul 2020
By Andrew Rathbun

AboutDFIR Content Update 7/2/2020

Greetings! Yet another content update:  AboutDFIR RSS Starter Pack - v2 released with new feeds! Tools & Artifacts - Windows - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - macOS - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: REMINDER! The 2020 SANS DFIR Summit is FREE! Register here! The Forensic 4:cast Awards'…
Read More
24 Jun 2020
By Andrew Rathbun

AboutDFIR Content Update 6/24/2020

Greetings! A very small content update this week, but there's lots in the pipeline:  Tools & Artifacts - Windows - cleaned up table contents, more changes to come AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: REMINDER! The 2020 SANS DFIR Summit is FREE! Register here! The Forensic 4:cast Awards' nomination period has concluded and voting is open! Cast your final vote here. Feel…
Read More
16 Jun 2020
By Andrew Rathbun

AboutDFIR Content Update 6/16/2020

Greetings! More new content this week:  Annual Industry Reports - more new Annual Reports added Tools & Artifacts - iOS - new entries added Tools & Artifacts - macOS - new entries added Videos/Webinars -new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: BREAKING NEWS! The 2020 SANS DFIR Summit is FREE! Register here! The Forensic 4:cast Awards' nomination period has concluded…
Read More
10 Jun 2020
By Andrew Rathbun

AboutDFIR Content Update 6/10/2020

Greetings! Lots of new content this week:  Annual Industry Reports - many new 2020 Annual Reports added Tools & Artifacts - Windows - new entries added and page overhauled separating Artifacts and Tools Tools & Artifacts - iOS - new entries added Tools & Artifacts - macOS - new entries added Videos/Webinars -new entries added Jobs - new jobs added, old ones purged, and added Date Added to the table Tool Testing - new entries…
Read More
02 Jun 2020
By Andrew Rathbun

AboutDFIR Content Update 6/2/2020

Greetings! Lots of new content this week:  Tools & Artifacts - iOS - new entries added Tools & Artifacts - Android - new entries added Challenges & CTFs - new walkthroughs added Videos/Webinars - added TeelTech's YouTube channel Tool Testing - new entries added A new month brings a new featured page of the month. This month is the AboutDFIR RSS Starter Pack! This was introduced back in March of this year and it's a…
Read More
27 May 2020
By Andrew Rathbun

AboutDFIR Content Update 5/27/2020

Greetings! Lots of new content this week:  DFIR Research - new completed research added, great job Adhirath Kapoor! Tools & Artifacts - macOS - new entries added Tools & Artifacts - iOS - new entry added Tools & Artifacts - Windows - new entries added Tools & Artifacts - File Systems - new entry added Tools & Artifacts - Android - new entries added Tools & Artifacts - Linux - new entries added The Magnet…
Read More
21 May 2020
By Andrew Rathbun

AboutDFIR Content Update 5/21/2020

Greetings! Another short content update this week:  Tools & Artifacts - macOS - new entry added Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added Men of #DFIR - various entries updated As stated previously, updates will be sparse this month due to the Magnet Virtual Summit 2020 taking place currently that has been keeping me busy most days of the week. However, look for some…
Read More
14 May 2020
By Andrew Rathbun

AboutDFIR Content Update 5/14/2020

Greetings! A very short content update this week:  Tools & Artifacts - iOS - new entries added Updates will be sparse this month due to the Magnet Virtual Summit 2020 taking place currently that has been keeping me busy most days of the week. However, look for some larger-scale changes to come in June. There's only so much time in the day! However, there's plenty of other things going on right now. Speaking of the Magnet Virtual…
Read More
07 May 2020
By Mary

InfoSec News Nuggets 5/7/2020

DigiCert hit as hackers wriggle through (patched) holes in buggy config tool DigiCert, slinger of SSL/TLS certificates, has warned that it too has suffered at the hands of Salty miscreants as a key used for Signed Certificate Timestamps (SCT) was potentially compromised. The company joins Ghost.org and LineageOS in being the target of ne'er do wells as attackers exploited a disclosed (and patched) vulnerability in the Salt configuration tool over the weekend, spraying exposed infrastructure with cryptocurrency mining software.…
Read More
05 May 2020
By Andrew Rathbun

AboutDFIR Content Update 5/5/2020

Greetings! The first week of May brings new site content as detailed below:  Tools & Artifacts - iOS - new entries added Tools & Artifacts - File Systems - new entries added Tools & Artifacts - Linux - new entries added Tools & Artifacts - Windows - new entries added as well as every 13Cubed video relating to a Windows artifact Challenges & CTFs - new entries added DFIR Research - new entry added under…
Read More
29 Apr 2020
By Andrew Rathbun

AboutDFIR Content Update 4/29/2020

Greetings! A short update this week:  Certifications & Training - new entry added (Harvard's FREE CS50: Introduction to Computer Science course) Tools & Artifacts - Windows - new entries added Tools & Artifacts - iOS - new entries added In case you missed them, check out my latest blog posts: A General Overview of DFIR Resources and A Beginner’s Guide to the Digital Forensics Discord Server!  Make sure you're keeping up on Kevin Ripa's 3MinMax…
Read More
29 Apr 2020
By Mary

InfoSec News Nuggets 4/29/2020

Online auction of record-breaking whisky collection hit by cyber-attack A record-breaking online auction of rare whiskies has been postponed indefinitely after being targeted in a cyber-attack. The sale of Richard Gooding’s “The Perfect Collection” was marketed as “the largest and most unprecedented private whisky collection ever to be offered for public sale”. The first phase of the auction, consisting of more than 1,900 bottles, fetched more than £3.2m earlier this year. The second phase of…
Read More
23 Apr 2020
By Andrew Rathbun

AboutDFIR Content Update 4/23/2020

Greetings! This week's update is detailed below:  Some Home Page updates first: New site feedback form added under the Submit menu, let us know what you think here New AboutDFIR Blog Posts Archive added under the Reading menu, check it out here Added More button underneath the last 12 blog posts at the bottom of the home page which will link to the AboutDFIR Blog Posts Archive  Now for the usual content updates: Tool Testing…
Read More
22 Apr 2020
By Andrew Rathbun

A Beginner’s Guide to the Digital Forensics Discord Server

Introduction This post has been a long time coming for me. I will use this post to address all newbie questions I've fielded in regard to the use of Discord, or how to join the server successfully. Believe it or not, we have a lot who join the server but never gain access due to not following through with the brief verification process new members have to go through. This post is aimed to help…
Read More
18 Apr 2020
By Andrew Rathbun

A General Overview of DFIR Resources

Introduction The world of Digital Forensics and Incident Response (DFIR) is so expansive that it's impossible for one person to know it all, let alone a fraction of it. To combat this, one must first be aware of and second utilize the resource that's best catered to the issue at hand. There are multiple resources out there that digital forensic examiners and incident responders should be aware of.  Not all resources are created equal nor…
Read More
14 Apr 2020
By Andrew Rathbun

AboutDFIR Content Update 4/14/2020

Greetings! This week's update is detailed below:  Tool Testing - new memory image added by Alissa Torres Videos/Webinars - new entries added  Certifications & Training - new entries added (Hal Pomeranz' Intro to Linux Forensics course) Tools & Artifacts - macOS - new entries added Tools & Artifacts - Windows - new entries added Social Media - multiple new Discord servers added Jobs - multiple new jobs posted Brian Carrier, the author of File System…
Read More
09 Apr 2020
By Andrew Rathbun

AboutDFIR Content Update 4/9/2020

Greetings! This week's update is detailed below:  Tools & Artifacts - Windows - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - DVR/Multimedia - new entries added Challenges & CTFs - new entries added Podcasts - new entries added If there's something you think should be on the website, let us know! Per usual, you can reach me via…
Read More
04 Apr 2020
By Andrew Rathbun

AboutDFIR Content Update 4/4/2020

Greetings! This week's update is detailed below:  Social Media - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Certifications & Training - new entries added Tool Testing - new entries added Tune in to this upcoming Monday's episode of "Life Does Not Have a Ctrl+Alt+Del" hosted by Heather Mahalik where I am the featured guest! I will be talking about the Digital…
Read More
27 Mar 2020
By Andrew Rathbun

AboutDFIR Content Update 3/27/2020

Happy Friday! This week's update is detailed below:  Mobile/Tablet home page menus fixed, sorry for the inconvenience Awards - page updated to reflect that nominations for the Forensic 4:cast Awards are now open Tools & Artifacts - Android - new blog posts added Tools & Artifacts - File Systems - new blog posts added Tools & Artifacts - iOS - new blog posts added Tools & Artifacts - Linux - new blog posts added In…
Read More
19 Mar 2020
By Andrew Rathbun

Introducing the AboutDFIR RSS Starter Pack!

Greetings! I am excited to share something that has been in the back of my mind for a while now. Introducing the AboutDFIR RSS Starter Pack! Basically, this is a curated list of blogs, DFIR vendor websites, and other cyber security related websites categorized for your convenience. A simple import into your Feedly account (or RSS app of choice) and you're up and running! This is the first iteration of this project and will be…
Read More
18 Mar 2020
By Andrew Rathbun

AboutDFIR Content Update 3/18/2020

Greetings! Here's another site content update:  Research Ideas - new research ideas added based on user submission Women of #DFIR - new entries added Social Media - new hashtags added to Twitter Tools & Artifacts - macOS - renamed to macOS, URL updated, and new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added If there's something you think should be on the website,…
Read More
11 Mar 2020
By Andrew Rathbun

AboutDFIR Content Update 3/11/2020

Greetings! Yet another content update:  Annual Industry Reports - new report added Tools & Artifacts - DVR/Multimedia - new blog post added Tools & Artifacts - Windows - new blog posts added Tools & Artifacts - iOS - new blogs post added Robert Chesney recently released a 137-page book titled Cybersecurity Law, Policy, and Institutions. Download the free PDF here! I'm currently working on a blog post that'll analyze the pros and cons of all…
Read More
02 Mar 2020
By Andrew Rathbun

AboutDFIR Content Update 3/2/2020

Greetings! The first update of March 2020 is detailed below:  Preservation Letter/Search Warrant Templates - all templates got a once over with some new language relating to US Code 2703(f), plus Google, Twitter, and Microsoft were added to the bunch Podcasts - new podcast added (SANS GIAC Podcast) Tools & Artifacts - Windows - new blog post entry added Challenges & CTFs - multiple new entries added Jobs - data table has been cleaned up…
Read More
28 Feb 2020
By Andrew Rathbun

My Take on Preparing for GIAC Certification Exams

Introduction SANS GIAC Certifications are highly sought after because of the technical expertise required for completing them successfully. They are not to be taken lightly and are held in high regard due to them not being a “gimme” for the test taker. If you do not prepare, your score will reflect that and you risk not passing. The stakes are high due to the cost of the certification ($789 per attempt as of this writing…
Read More
23 Feb 2020
By Andrew Rathbun

AboutDFIR Content Update 2/23/2020

Greetings! Another content update in the wake of Phill Moore's new This Week in 4n6 post:  Challenges & CTFs - new entries with walkthroughs added Men of #DFIR - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added White Papers - new entry added (DFRWS Papers & Presentations) Did you know that you can add AboutDFIR's newsfeed easily to your Feedly account? Just…
Read More
22 Feb 2020
By Devon

I want to see your Resume!

Do you know of someone just graduating with their college degree in #DFIR or #CyberSecurity or #security looking for their first job? I am interested! Send me a resume -> devon.ackerman@kroll.com with Resume in the subject line. Tag your friends, tag your colleagues.
Read More
20 Feb 2020
By Andrew Rathbun

AboutDFIR Content Update 2/20/2020

Greetings! A relatively small site content update but please see other important items below:  Scholarships - added SANS' Ken Johnson Scholarship 2020  Tools & Artifacts - Linux - added new GitHub resource by ashemery First off, the 2020 Forensic 4:cast Awards Nominations are now open! Be sure to cast your nominations before May 15th, 2020. In the meantime, brush up on the past years' winners on the Awards page.  Secondly, Humble Bundle, one of my…
Read More
17 Feb 2020
By Andrew Rathbun

AboutDFIR Content Update 2/17/2020

Greetings! Yet another update as detailed below:  Annual Industry Reports - added new entries Tool Testing - added Josh Hickman's new Android 10 Image  Tools & Artifacts - Windows - new blog post entries added Tools & Artifacts - DVR/Multimedia - new blog post entries added Tools & Artifacts - iOS - new blog post entries added Infographics - added an awesome link containing many useful cheatsheets, be sure to check it out If there's…
Read More
11 Feb 2020
By Andrew Rathbun

AboutDFIR Content Update 2/11/2020

Greetings! Small update this week but there are bigger things coming:  Certifications & Training - added Brian Carrier's Autopsy course (Free for LE!) Tools & Artifacts - File Systems - reworked data table entirely and added new entries Tools & Artifacts - iOS - new blog post entries added Tools & Artifacts - Android - new blog post entries added I'm working on a blog post regarding my take on preparing for GIAC Certification exams. Look…
Read More
05 Feb 2020
By Andrew Rathbun

AboutDFIR Content Update 2/5/2020

Greetings! Yet another AboutDFIR Content Update:  Preservation Letter/Search Warrant Templates - Discord - updated this page with a section about how Discord Nitro factors into the #XXXX discriminator at the end of a subject's username. I also added a fancy GIF created with my favorite GIF creation tool, ShareX. Also, I added another line in the language asking for historical usernames and discriminators for a specified account Awards - added links to each respective award…
Read More
02 Feb 2020
By Andrew Rathbun

AboutDFIR Content Update 2/2/2020

Greetings! Yet another AboutDFIR Content Update:  Certifications & Training - added KAPE certification course listing and corrected a few errors within the data table Social Media - added a link to Metaspike Community Tool Testing - added a link to new memory images courtesy of Alissa Torres (@sibertor) Tools & Artifacts - iOS - added new blog post entries Tools & Artifacts - Windows - added new blog post entries Tools & Artifacts - Android…
Read More
28 Jan 2020
By Andrew Rathbun

AboutDFIR Content Update 1/28/2020

Greetings! The site continues to evolve as detailed below:  Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - lots of new entries added including Sarah Edwards' fantastic mac4n6 blog posts Lots of data table standardization has taken place with better consistency in column titles across all pages Awards - added headings for the two awards to increase readability on mobile and in general Home Page - RSS feed link…
Read More
24 Jan 2020
By Andrew Rathbun

AboutDFIR Content Update 1/24/2020

Happy Friday! The site continues to evolve as detailed below:  Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows, Linux, MacOS - Velociraptor hands-on video added Jobs - new jobs are being posted on an almost daily basis Challenges & CTFs - added links to and solutions for every SANS Holiday Hack Challenge in the 2010s as well as a few other new challenges Tools & Artifacts - DVR/Multimedia - new…
Read More
15 Jan 2020
By Andrew Rathbun

AboutDFIR Content Update 1/15/2020

Greetings! The site continues to evolve as detailed below:  Home Page - added a Featured Page of the Month. Look for this to update on or around the beginning of each month for a new featured article Tools & Artifacts - iOS - added Checkm8 and Checkra1n Cellebrite Webinar to the data table as well as a link to iDevice firmware downloads Certifications & Training - updated Belkasoft's training offerings Password Cracking - added PDFCrack…
Read More
12 Jan 2020
By Andrew Rathbun

AboutDFIR Content Update 1/12/2020

Greetings! The site continues to evolve as detailed below:  Home Page - a favicon has been added to the site  Tool Testing - added a blurb about Arsenal Image Mounter for mounting forensic images Social Media - added a few more subreddits relevant to the DFIR world Men of #DFIR/Women of #DFIR - new entries added and old ones removed Submit a Job - added a link to the beginning of the job submission process…
Read More
04 Jan 2020
By Andrew Rathbun

AboutDFIR Content Update 1/4/2020

Greetings! First update of the year/decade below:  Forensic Terms - added the definition for Firehose Programmers per a request from the Digital Forensics Discord Server Men of #DFIR - multiple new entries added Tool Testing - new entries added Challenges & CTFs - lots of old entries removed, new entries added, Walkthrough column added and entries added for challenges that have walkthroughs I'm continuing to chip away at the to-do list as well as keeping…
Read More
30 Dec 2019
By Andrew Rathbun

AboutDFIR Content Update 12/30/2019

Greetings! The last update of the decade is detailed below: Men of #DFIR - new entries added Instagram - added Search Warrant and Preservation Letter template language for Instagram Mobile Devices/Computers - added Search Warrant and Preservation Letter template language for Mobile Devices/Computers Every data table should now be mobile friendly with collapsing columns to fit the respective width of your mobile devices. If there are any that aren't translating well on the mobile experience,…
Read More
18 Dec 2019
By Andrew Rathbun

AboutDFIR Content Update 12/18/2019

Greetings! Lots of updates detailed below: Tool Testing - this is a new page that was added to organize all links to sites that host forensic images that can be used for tool validation. Many of the links were taken from Challenges & CTFs so now their new home is here Tools & Artifacts - Windows - a few new resources were added here that I learned about in a recent Magnet Forensics class (AX250)…
Read More
17 Dec 2019
By Tony Knutson

Jailbreaking – Checkra1n Configuration

In this installment, I felt that I should discuss how to use Checkra1n, and how to actually get into the device via 2 methods: localhost (tethered) and WiFi (untethered). This is not a blog to discuss how Checkra1n is doing, what it is doing, or what Checkm8 is doing prior to the device booting. Additionally, you do this at your own risk. Just because it works on one device does not mean it'll work on…
Read More
16 Dec 2019
By Tony Knutson

Pattern of Life – Tracking Through Mobile Applications

So getting back into blogging finally! Thanks for hanging in there with me.  Unlike my last posts, time to roll up the sleeves and try to make this community better from a technical perspective. To do that, I've decided to look at individual applications from iOS (first) so I can see what we are looking at. This is most important to me, because as we all know, our tools will lie to us if we…
Read More
12 Dec 2019
By Andrew Rathbun

AboutDFIR Content Update 12/12/2019

Greetings! The latest changes are detailed below: Challenges & CTFs - new CTFs have been added Jobs - there's been multiple new postings In other news, I passed the GCFE after a few months of studying! I now have more free time available to work on my ever-growing to-do list for this site. Next on the list is to go through the painstaking process of standardizing the layout of all data tables on the site.…
Read More
06 Dec 2019
By Andrew Rathbun

AboutDFIR Content Update 12/6/2019

Greetings! The site continues to evolve and grow: Tools & Artifacts - Windows - added a few tools and links to videos/blog posts to the data table, removed empty entries Videos/Webinars - added a few new YouTube channels Preservation Letter/Search Warrant Templates - Facebook - I updated quite a bit of this page to cater it more to Facebook since their portal requires a different process than most other companies Jobs - there's been multiple…
Read More