A listener of the show, Joe Tracy, recently queried me on the Facebook Fan Page asking what my Top 10 – 15 favorite online resources and Top 5 offline resources for entry-level forensic analysts are. So I decided to put a list together for each topic to share with you all. These lists are not necessarily in any order.
Top Online Resources for Digital Forensics:
1- Windows Incident Response blog (http://windowsir.blogspot.com): Hands down, one of the most informative blogs covering both forensics & incident response. It is authored by Harlan Carvey.
2- The SANS Computer Forensics & Incident Response blog (http://computer-forensics.sans.org/blog): This blog is maintained by a host of authors and has new material being posted regularly from some of the top examiners in the field.
3- Apple Examiner (http://appleexaminer.com): A great resource for all things Mac Forensics. Lots of great Mac Forensics news & how-to’s posted here. Maintained by Ryan Kubasiak.
4- A Fistful of Dongles (http://www.ericjhuber.com): Eric Huber’s blog, which has some great interviews with some of the heavyweights in the field of Digital Forensics, as well as some excellent insight into Information Security & Incident Response.
5- Journey Into Incident Response (http://journeyintoir.blogspot.com): Site maintained by Corey Harrell, with lots of great information on Timelines, batch scripting, triage and even a post on how to get the most out of your DF & IR news feeds.
6- Forensic Methods blog (http://forensicmethods.com): Chad Tilbury’s blog with lots of great informational posts and links, as well as some book and product reviews.
7- Zeltser.com (http://blog.zeltser.com): Lenny Zeltser’s blog that covers topics such as Malware analysis, Forensics and Incident Response. Lenny also posts a list of his 5 favorite security reads each week.
8- The Digital Standard (http://thedigitalstandard.blogspot.com): Chris (Beefcake!!!) Pogue’s blog. Chris has lots of great posts regarding “Sniper Forensics”, which deal with getting the information you are looking for that is relevant to your examination rather than wasting time getting (and reporting on) the dreaded “Everything”.
9- Forensics Wiki (http://www.forensicswiki.org/wiki/Main_Page): A Creative Commons wiki dedicated to Digital Forensics. Lots of information regarding File Systems, File Analysis, Tools and How-To’s among other things.
10- ForensicKB (http://www.forensickb.com): ForensicKB is a great resource for users of EnCase (which I happen to be). Maintained by Lance Mueller, there are lots of great how-to’s to help you get the most out of EnCase. Lance even has a 4-part tutorial on EnScript concepts.
Top Offline Resources:
1- SANS Digital Forensics & Incident Response Summit/DoD CyberCrime Conference/CEIC/AD Users Conference: These conferences are a great opportunity to hear about cutting edge techniques, as well as get a chance to network with others in the community.
2- A Local/Regional DFIR Group: I am fortunate to have NYC4SEC in my backyard. Groups like this are a great way of discussing current trends & techniques, and also great networking opportunities. One just got started recently in Northern Virginia (NoVA Forensics Meetup) and one is getting underway in Boston.
3- Security Conferences (Insert DefCon/Shmoocon/Any SOURCE con/B-Sides here): Every time I attend a security conference, I always pick up some nugget or two that may help me in future exams/investigations.
4- Books: There are a ton of excellent books on the subject of DFIR. Here is a start: http://www.amazon.com/Digital-Forensics-Reads/lm/R1C3BRA0RPR9JE/ref=cm_lm_byauthor_title_full
5- Your co-workers: Hopefully, you are as lucky as I am to work with a talented bunch of Forensicators. The ability to bounce things off of another examiner can help you fine tune your examinations. It will also give you all a chance to learn from each other’s experience.
Hope this helps!
Joe


Thank you kindly for the response and the blog post.
No problem. I love listener interaction!
Joe
I have been blind. I want to be more knowledgeable about things that aren’t on my site. I really want to go to a conference but none come near where I live. This stuff is really good to start with. Thanks for this great info. I will now do some digging!