Getting started in Digital Forensics
A lot of people have asked how to get started with digital forensics. It’s great that so many people from so many different places are interested. There are many different paths available. To try to help aspiring digital forensic scientists, I put together the following recommendations for a good theoretical and practical background.
The Basics
First, learn how operating systems work. You might know how to use Windows, but have you really explored it? Can you explain how clicking on an icon starts a program? Play around with other operating systems too, like OSx and Linux1.
- A good beginner book on operating systems: Operating System Concepts - Currently 9th ed.
- A good beginner certification on operating systems: CompTIA A+ Certification
Virtualization
Learn how to use virtualization software. This software will let you create many virtual computers that you can test/play with. You won’t have to worry about breaking your own computer, and resetting a virtual machine is easy. Learn how to use “snapshot” features.
- I recommend Virtualbox (free)
- Once you have Virtualbox, I recommend installing Linux Mint in a virtual machine (also free).
Command Line and Basic Forensics
Once you have Linux installed in your virtual machine, have a look at the Linux Leo Beginner’s Guide to learn how to use Linux command line and some basic digital forensic tools. You can finish the guide in about 1 week.
Once you know the basics of Linux command line, have a look at Windows command line. If you have Windows 10, you may want to start directly with Windows Powershell Why all this command line (CLI)? Learning basic cli can help you understand how computer systems work. You’ll also be able to do some tasks much faster on the CLI.
At this point you should know the basics of operating systems, be able to use VMs, have basic knowledge of Windows and Linux command line. If you have that, you have a pretty strong base for computer science / engineering related areas.
Programming
Programming is not necessary to do digital forensics, but it will help you a lot (as well as in other fields).
There are basically two types of programming languages; scripted and compiled. Scripted usually runs slower, but tends to be faster to write, fix and easier to learn. Compiled programs run faster and are usually more efficient. General programming concepts are the same for almost all languages. Knowing a scripting language and a compiled language is useful.
Personally, the languages I use the most (in order) are:
- Linux Bash Scripting (almost daily, easy): tutorial
- Python scripting (many projects, easyish): tutorial
- HTML5/CSS3/Javascript (many projects, easy): tutorial also see Electron
- Go lang (compiled, medium difficulty): Intro, Book
I think most investigators know at least a little bit of some of these languages. Other popular languages are:
- Rust (Book) / C / C++ (Start with Rust)
- Java - I don’t like it, but a lot of people use it.
- Perl - scripted, easy, I think Python kinda beat Perl in forensics
Cybercrime and Digital Forensics
There are a lot of books on digital forensics. One of my favorite books is ‘Digital Evidence and Computer Crime’, but it is getting a bit dated. The digital forensic practice sections is still very relevant.
I recommend looking for videos, tutorials and challenges online. Some resources:
- My youtube channel: https://www.youtube.com/DFIRScience
- Follow the #DFIR and #infosec tags on Twitter (Follow me on Twitter)
- Cybrary has some good information security and (a few) forensics lectures
- SANS Digital Forensics - Great resources, super expensive
You need to learn:
- Data preservation (various data sources)
- Data acquisition (various data sources)
- Forensic documentation (standards of court & chain of custody)
- Basic data processing (basic investigation process)
- For basic data processing, I recommend the tool Autopsy (free, a very powerful tool that is also easy to use).
Once you know have a good idea about what that means, then you can focus on different types of analysis. There are actually a lot of different ‘types’ of digital forensics. Very basically, the areas are2:
- Computer forensics
- Mobile device forensics
- Network forensics
- Forensic data analysis
- Database forensics
Areas that are extremely related, but are either not ‘forensics’ per se, or are combination areas:
- Malware analysis
- Memory forensics
- Cloud / IoT forensics
- eDiscovery
- Vehicle forensics
While most investigators know a little about each area, many focus on a particular specialty. Almost every investigator can do a basic analysis of a computer and probably a mobile device. I strongly recommend starting with computer forensics, then memory analysis, then mobile forensics then network. That will give you a lot of the background you need to do the other areas.
Challenges (Practice)
Of course, you need to practice digital forensics to understand it. Recently a lot more forensic challenges have been released. I encourage you to participate in these as much as you can.
Ask questions
An of course, the best way to learn is to ask questions. Most dfir and infosec people I know are willing to answer some questions and help beginners. There are, however, bad questions.
The most common question I get is “tell me how to hack.” This question is so general that it can’t be answered. It also shows that you didn’t take the time to read the thousands of resources online about hacking. A similar question is “how to do digital forensics.”
When asking questions do a quick search first to see if the answer is already online. If you found an answer, but don’t understand it, great. Send your question plus a link to the answer and ask for clarification. I would love to help you with a problem you are stuck on. The more specific you are with questions, and the more effort you put in to finding the answer, the more likely someone is to help you solve your problem.
Where to ask questions? Well you can contact me. I also recommend Forensic Focus. A lot of the community is also on Twitter #dfir. Also, StackExchange is sometimes helpful.
Finally
This post is about starting digital forensics. A lot of it was really about ‘starting technology’. Notice I only mentioned one certification (A+). Certifications can be helpful, but they are also expensive. Before you commit to a lot of certifications, I’d recommend getting basic OS, computing and programming skills first. There are a lot of free resources on line. Once you have the basics, then think more about certifications you are interested in based on need and where your interests are.
I hope these resources help you start thinking about how you can get into digital forensics. Of course, there are many ways to begin. Digital forensics requires a lot of study just to keep up with the current technology. It’s not impossible though, especially if you have the basics down.