DF Industry Happenings
We’ve enjoyed diving into some great DFIR resources this month! Building on this theme for November, we want to make training and resources within the community easily accessible for all users. One resource we find extremely useful is DFIRDIVA. You can find free and affordable training on any budget through DFIRDIVA. Simply search “Digital Forensics” and “free” here and find 59 different options offered for the community. Check it out for yourself. What a good deal!
Looking to hit the books instead? Try Investigating Windows Systems by Harlan Carvey. This book walks users through an investigation rather than artifacts and log files without any back story. The guide provides a walk-through of the analysis process and thought process behind these investigations. We would recommend this book to users with a fundamental understanding of Digital Forensics concepts and topics.
Another favorite in ArcPoint Forensics’ library is Placing the Suspect Behind the Keyboard: Using Digital Forensics and Investigative Techniques to Identify Cybercrime Suspects by Brett Shavers. This resource is similar to Harlan Carvey’s book previously referenced, but Shavers' book acts as a guide that focuses more on the story and connection between the system artifacts and the person behind cybercrime by proving and showing intent of these nefarious actors.
ArcPoint Company and Product News
ArcPoint Presents: Unallocated Space
We’ve been busy working behind the scenes to get our LiveCast ready to launch this month! Unallocated Space is a live conversation about current issues and solutions within the Digital Forensics and Incident Response (DFIR) community. Each month on our YouTube channel, the audience will learn more about the space from industry-leading experts and passionate individuals supporting the DFIR community.
This month we will be hosting Jessica Hyde! Jessica is an experienced forensic examiner in both the government and commercial sectors, having worked as a contractor providing forensics services to the Department of Defense and Intelligence Community. She is the founder of Hexordia, a digital forensics contracting and training organization. Jessica is also an Adjunct Professor teaching Mobile Forensics in the graduate program at George Mason University, where she earned a Master's in Computer Forensics. She was most recently the Director of Forensics at Magnet Forensics and the host of Cache Up. She is also involved in several community efforts, including as a volunteer for the Marine Corps Cyber Auxiliary, Chair of DFIR Review, President of the New York Metro High Tech Crime International Association Chapter, advisory board member for Cyber Sleuths Lab, and a member of the Editorial Board for the Forensic Science International: Digital Investigations Journal. Her previous roles included performing forensic examinations as a Sr. Mobile Exploitation Analyst for Basis Technology, Senior Analyst at EY, and Senior Electrical Engineer at American Systems. Jessica is also proud to be a veteran of the United States Marine Corps. We are very excited to have her on Unallocated Space to discuss making resources more accessible to the #DFIR community & beyond.
Want a Demo? Just ask!
ATRIO™ is an all-in-one digital forensics hardware/software solution that performs full physical imaging and data exploitation. It is designed to be intuitive and easy to use. Output is immediately accessible in a universally compatible, non-proprietary format and can be viewed on any computer. There are no additional software programs, dongles, or other peripherals required to operate ATRIO™. Interested in getting a demo? Sign up on our demo page.
Monthly Tech Tip
When creating an image or a backup using dd, it is important to include the block size when executing the command. The block size tells dd how much data to copy with each read. If you leave it out, dd falls back to its default of 512-byte reads and writes, which can make duplication noticeably slower. There are a few different numbers that we’ve seen people use. The most common is a block size of 4096, which matches the block size of most of today's file systems. We can apply the block size to dd using the switch bs=XXXX.
Run without a block size, dd shows a read speed of around 64M under KB_reads/s:
dd if=/dev/sdb of=/media/mydrive
With a block size of 4096 on the same drive, we see healthy and consistent speeds of just under 200M:
dd if=/dev/sdb of=/media/mydrive bs=4096
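As an added example (not from the newsletter or ArcPoint), the POSIX shell script below puts the tip into a repeatable acquisition routine: it images a constructed sample file with an explicit 4096-byte block size and then checks the copy against the source by byte count and SHA-256. The temporary file paths are assumptions standing in for /dev/sdb and the output file on /media/mydrive, and the 2 MiB random-byte source is constructed so that a short or padded copy would fail the check.

```shell
#!/bin/sh
# Added example, not from the newsletter: image a constructed sample "drive" with dd
# using an explicit 4096-byte block size, then verify the copy by size and SHA-256.
# The paths below are assumptions standing in for /dev/sdb and /media/mydrive.
set -eu

WORK="$(mktemp -d)"
SRC="$WORK/source.img"   # constructed stand-in for the evidence device
DST="$WORK/image.dd"     # stand-in for the output image on the destination drive

# Portable SHA-256: GNU coreutils ships sha256sum, macOS/BSD ship shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Byte count of a file (tr strips the leading spaces BSD wc prints).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Build a 2 MiB sample source from random bytes so a truncated or padded
# copy will not hash the same as the original.
make_source() {
    dd if=/dev/urandom of="$SRC" bs=4096 count=512 2>/dev/null
}

# Acquire the image with the block size from the tip. Sending stderr to
# /dev/null hides dd's transfer summary; drop it to see the throughput figures.
image_source() {
    dd if="$SRC" of="$DST" bs=4096 2>/dev/null
}

# Verification: identical byte counts and identical SHA-256 digests.
# Returns 0 for a faithful copy, 1 otherwise.
verify_image() {
    [ "$(size_of "$SRC")" -eq "$(size_of "$DST")" ] || return 1
    [ "$(sha256_of "$SRC")" = "$(sha256_of "$DST")" ] || return 1
}

make_source
image_source
if verify_image; then
    echo "image verified: $(sha256_of "$DST")  $DST"
else
    echo "image does NOT match source" >&2
    exit 1
fi
```

The hash comparison is the part worth keeping in any real acquisition: a fast copy is only useful if you can show it is a faithful one. Note that when imaging failing media, examiners often add conv=noerror,sync so dd continues past read errors and pads the unreadable blocks with zeros; in that case the image hash will no longer equal a hash of the source, so record the hash of the image itself as the reference value rather than expecting the two to match.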