Lot of people asking how to gain forensics skills right off the street now. I got myself into this 🤷🏻♀️🍸. Best way to start to learn forensics is to *do it on your own Windows computer* (preferably physical). Start with basic sysinternals tools. @markrussinovich’s books are great.
You have a handy piece of evidence to examine right in front of you, and understanding how your own activity appears in memory, registry, caches, and MFT can often be much more memorable and educational than some VM lab. Lots of great free Windows forensics tools out there.
The tools we use day to day to do memory forensics are widely free, like Volatility. Disk forensics is still kind of controlled by a few expensive software powerhouses, but just learning how your own computer stores, processes, executes is a huge educational leap forward.
(Linux forensics is very important too, but not as incredibly well documented and equipped. Mobile forensics, also very relevant, but is often in expensive tool space. Windows is an easy and corporate-applicable start)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Hey, so I want to talk about something that riles up or disheartens a lot of jr cybersecurity people and raises questions about gatekeeping, my perspective, and why I don't think it's as catastrophic as it looks from the outside. It has to do with experience required to do IR.
There is this unwritten set of rules that are constantly bandied about by senior DFIR people, and they go something like this:
"To do IR, you need 1-2 years of experience in cybersecurity (usually SOC)"
&
"To lead IR engagements you need 1-2 years of experience in DFIR"
OK, so is this gatekeepy? If you make it a static part of your hiring process, probably. Is it a bad guideline? No, and that's not so bad.
Let's talk about what Digital Forensics and Incident Response (DFIR) entails.
I love @SouthwestAir *tons*, but flying into O’Hare instead of Midway is an awful experience. One baggage carousel for all flights in the crowded international arrivals, and not even anywhere to get a bottle of water while waiting after McDonalds closes. Midway is so much nicer…
Terminal 5 rideshare pickup is free for all chaos, too 😢😑
I don’t get people who bash Midway. It’s a really nice and manageable airport since the refurb. Great food, too.
Sometimes instead of blogging I feel like making a big old Twitter thread, so let's talk about Cobalt Strike for people only vaguely familiar (or misinformed) with the concept. Maybe I'll blog it later.
Cobalt Strike is an adversary enumeration tool used to train teams how to do incident response and threat hunting. It was made by a genius I genuinely like and will not disparage, Raphael Mudge. The first time I met him he flew across the floor air-guitaring in his dress clothes.
A lot of you are familiar with the easy-button hacking tool, Metasploit. Well, he made this shnazzy GUI for Metasploit called Armitage.
But, he realized it was still tough for a lot of defenders to get highly skilled Red Teams to train them. Or sommat, I'm not in his head...
One of the most talented young martial artists I’ve ever worked with burnt out and suddenly quit after a decade today. I’m reeling.
I don’t know if any teens at all read my account at all but like... if there are a bunch of adults really invested in mentoring you it’s... (1/x)
... totally okay to say you’re like, overwhelmed, need a break, you need to switch learning styles or speed, or just that you need more support.
Please don’t just give up and vanish because you don’t think you can meet our expectations, or because you think you messed up.
This goes for like your hobbies, infosec, hacking, whatever. Like, people who mentor can be self-centered jerks, but most of us really just want you to succeed - even if your measure of success changes over time! We are emotionally invested in you.