TLP - The Digital Forensics Podcast

Episode 1 - Digital forensics trends and preparations, learning from real life case studies & DFIR training for getting started

Clint Marsden Season 1 Episode 1


In this first episode we kick off with Clint Marsden, the host of Traffic Light Protocol (TLP), who talks about what it's like to work in DFIR, how to get started with cyber training, what to expect in future episodes, and of course a light touch on AI forensics.

Join us for the first episode. The upcoming episodes cover the NIST SP 800-61 incident response lifecycle, where we break down the Preparation, Detection (and Analysis), and Containment, Eradication and Recovery phases.

Highlights:

Current trends and best practices in digital forensics, emphasising the importance of preparation, experience across different domains, and the challenges of acquiring artifacts. Clint highlights the need for a wide breadth of experience and stresses the importance of continuous learning, as well as the need for a broad range of tools and methods.
Finally, we also discuss various methods for learning cybersecurity without spending money, including exploring free resources and leveraging AI.


Hi, my name is Clint Marsden, and I am the host of TLP, Traffic Light Protocol, the digital forensics podcast. I just want to thank you for listening to our first and inaugural episode of the TLP podcast. I wanted to kick off by talking about the website that we have that's aligned to TLP, and that's the blog that I'm running called dfirinsights.com. On dfirinsights.com the focus is on digital forensics and incident response, as the URL would imply, and it is designed as a resource for people to learn a little bit more about digital forensics, and not just from the typical perspective of "this is how we will perform a standard analysis on a Windows or Linux host" end to end.
It's not designed as a replacement for proper forensic training. What I'm really trying to achieve there is to give some different perspectives based on my experience in IT, which has been over 20 years now, and in cyber for almost 10 years, doing a myriad of things. With those unique perspectives, hopefully I can help you if you're looking to get into forensics yourself, or you've got a keen interest in incident response. Because what I've found is that this training, learning and researching is most important before there's an incident.
So if we talk about NIST, if we're talking about the NIST Incident Response lifecycle, what is the first item? The first item is preparation. And I believe that part of that is getting skilled up, knowing a bit of a workflow on how we want to do things. And that is a lot easier to do when you are not under the pump, feeling the pressure, having multiple stakeholders ask you for updates every half an hour, as can be the case sometimes.
But there's only so much that you can learn, and you do need to get to a point where you're in the crucible, feeling the heat. So definitely check out as many resources as you can, including the DFIR Insights site. Come and take a look and add that to your ongoing repertoire of digital forensics learning, and then take it to the next level and start doing some CTFs, listen to some forensics podcasts, do some forensics CTFs and challenges.
And over time, you will develop your own understanding of what you want to be doing. That is the best way to learn: by doing. So don't get too caught up in learning forever; at some point you will need to take some action. In terms of the format and the structure of these episodes, there's going to be no real structure. Occasionally it will just be me talking. Occasionally we'll have people on to share their experiences. I'd like to get a wide breadth of experience from the industry, because everyone has unique specialties.
At a high level, if we talk about the types of forensics that are available, or the domains that you could perform forensics in, we are looking at host-based OS, server-based OS, and then Windows, Linux, OS X, mobile (Android, iPhone), and then we've got network forensics as well. Those five or six that I just rattled off are huge, are all their own discipline, and all deserve their own time to spread out. So the idea is that we'll be hearing from some different professionals in those fields who have that depth of experience across those different domains.
What I really want to get to is understanding the current trends in digital forensics as well. A lot of the blogs that are being produced are really quite unique, and it's not just people talking about the same techniques, or what they've read on a poster, or what is popular in the media and the news, which is not always going to be the latest information available either; probably most of the time it keeps it a bit more broad, but more high level.
But some of the trends and developments that are happening in forensics now are quite groundbreaking. It is new, and it will provide some different ideas and some different areas of focus for investigations, which can be useful because, as much as we would like to, the artifacts that we want to locate are not always available. That could be because logs are overwritten. It could be because logs just aren't captured in the first place. It could be the willful destruction of artifacts and a bit of anti-forensics. And those are just some. So by trying different techniques, by expanding on what is formerly known and has been tried and tested, moving into a new domain, looking for new artifacts to acquire, it might get you out of trouble. And that's something that's going to be worthwhile.
Following up as well, what I'd love to get into is some case studies, looking at some real-life case studies, things that we might be reading in the latest annual reports from the major cybersecurity vendors. So we're looking at the Verizons of the world, the Mandiants of the world, the CrowdStrikes of the world, and the various threat groups that they're tracking. In those reports, sometimes we do get treated to some real-life case studies, and they're quite fascinating. As we look back retrospectively on the way that the incident handlers or the incident responders worked on those cases, we can also get some tips and some methodologies on what it might be like to deal with a large-scale cyber intrusion at your workplace as well.
So we can always learn from other professionals in the industry, and that's keeping the hacker culture alive. While we're blue teamers and not hackers, that information sharing, and at times a bit of purple teaming, red and blue coming together, comparing notes, red saying "this is how we got in", blue saying "this is how we detected you": we all grow together, and we all become better.
So learning about those different challenges, learning about those methodologies, hearing about the outcomes, we can then distill that, take what we like, maybe even build that into some playbooks of our own, and then ideally run some TTXs, some tabletop exercises. Doing a bit of a live-fire kind of exercise with the team is really good as well. Because, as I touched on before, we don't want to be in a situation where an incident occurs and the first time that you're looking at the playbook is when the incident happens. The worst thing that can happen is that the tools that you have don't actually work. Not necessarily that they're not going to work at all, but sometimes things happen. Sometimes some configurations exist, sometimes there might be dependency problems, and there might be ways of evidence acquisition that aren't working when you expect them to, particularly if you're doing it remotely, if you're doing it over the wire in the office, but even doing dead-box forensics it doesn't always work the way that you expect. For example, if you're doing a full hard drive acquisition.
If that takes 4 to 6, 8 to 12 hours, maybe you've gone home for the night. The last thing you want is to come back the next day and the acquisition has failed, or, deceptively, the acquisition has completed, and then when you go to analyze it you can't get in, or there's something that's broken with encryption, or the image hasn't taken, all that kind of stuff.
So really, what you need to be doing is to have these things in place. Coming back to preparation: having the procedures in place, having your forensic lab built, having your tools tested, knowing how to use your tools, in the same way that you would if you're preparing for an exam. If it's an interactive exam, for example, you wouldn't just have the command written out; you would understand how the tool works, because there are variables, and it may not be the same thing every time. So I can't recommend that highly enough: test your tools, get it ready.
And when it does come, when you do have an incident, it makes it so much more comfortable. One, you're ready to go, so you can respond quicker rather than figuring it out on the fly. So you're not dealing with the pressure of getting answers, potentially, if there's lateral movement, dealing with an attacker who is moving around the environment and continuing to do bad things while you're still trying to extract IOCs and get it contained. That takes time, and it takes practice, but the best way we can do that is to get on the front foot. There are a lot of tools that exist for forensics on Windows, Linux, mobile and OS X, of course. And sometimes those tools date; you could say that they age like milk. Sometimes some projects shut down, they're abandoned, they're no longer viable.
Sometimes people discover that particular artifact acquisition tools are causing more problems than they're solving, especially in the realm of memory acquisition. Sometimes that can be a bit of a problem where, as the live memory is being captured, it is modified. That's common amongst, I would say, most live memory acquisition tools: a portion of that live memory will be modified. It varies in the amount of modification, but it is an issue. A little while ago, someone wrote an article and did some research on what was modified and compared some tools between FTK, DumpIt, Axiom memory capture and a few others, and those stats were interesting. For me personally, for the type of forensic work that I've done in the past and still do today, it's not super critical that the memory is not modified, because this is for internal incident response and digital forensics. It's not a case that is going to court. The expectation that I have when I'm capturing memory is that it will be a full and complete memory image to the best of the tool's ability.
It allows me to figure out what happened, how they got in, what they did. And so I'm okay with that variance of modification of the memory space from those tools. So it's not as important to me that it is a perfect bit-by-bit copy there. As far as I know, no tools are absolutely perfect in that space. I touched on before how we're going to have some interviews with experts, and I think there'll be a huge amount of value in getting some guest experts on the podcast to discuss digital forensics, where it is taking their careers and where the future of forensics is going. Everyone is talking about AI these days. It will be very interesting once we start to see AI forensic tools being released.
I wonder how much testing they will need to go through, and how rigorous it will need to be, before we can trust AI. But what a concept. Imagine being able to quickly detect IOCs and quickly complete our forensic investigations, as quickly as the bad guys are using AI to generate new methods of code obfuscation, to detect new attack paths. What does the future hold for us? It sounds like it could be a war between machines: the machines that are generating the bad code, or generating the code to do evil, and AI to go out and hunt and stop it from happening, block them as they're coming through. The future of a SOC will be very interesting, and so will so many other areas of digital forensics and incident response.
I also want to talk about training and education. If you're someone who's looking to get into cyber and move into that space as a career, I think there's never been a better time to do it. I think we are spoilt for choice. If you want to do commercial training at the very high end, there are some vendors in the space who provide some great digital forensics training. There are vendors at the low end. So we can be anywhere from a level of about $11,000 Australian for some quality forensics training, all the way down to maybe a few thousand dollars, down to $500. And then there are some online providers that have monthly subscription fees; you can get in the game for under $50 a month. But then, of course, there's also YouTube, and there are some incredible researchers and incredible people who have created content that you can access for free to get trained up on forensics.
And what does it take? It takes having a home lab, which doesn't need to be complicated, getting some open source tools, and getting started. So there's so much. If you're looking to get started and you say, well, where do I go? I think you need to be clear, if you want to get into cyber, on what you want to do. Are you going to go blue team or red team? Blue team, digital forensics professionals, incident responders: we are the fire truck coming in after there's been a fire, there's been an incident. We're mopping up, we're investigating, we're figuring out what happened.
We're eradicating the attackers if they're still in. Not all attackers set up persistence; some of them get in and get out, in the case of a data theft type experience. That's the MO, and there are many different types of investigations; we couldn't possibly cover them all. Or are you looking to get into more of the offensive side rather than defensive? Offensive, red team, looking at becoming a professional hacker, essentially a pen tester. They're your options. But once you've made that decision, say you want to get into cyber and you don't have a lot of money. Maybe you're still in school and you're getting prepared for your career after school. I left high school at 15, and I got my first IT job and started working on a helpdesk. That's what got me started in IT, and I was able to get into cyber about 10 years later. But what you can do is look at all the websites, look at all the vendors who are providing cybersecurity training, and over time, as you start researching and spreading out and reading what they're offering,
you'll be able to tap into a little bit of the methodologies and the tools, sometimes, that they're using, and spin off that, creating a bit of a spiderweb as you expand, like a Google search engine crawler. You find one resource, and then you pivot from that and start researching those keywords that you found. You can actually learn quite a bit by just looking at those tools and those methodologies, and you can actually get the training yourself for free. So then use a combination of things: you could use AI, you could use Gemini or ChatGPT to ask questions about methods of doing digital forensic investigations, and then also just looking at Reddit, looking at forums, YouTube, and that will get you started. There is so much free content out there that you will be well covered before you need to engage in paid training. Paid training is great: they've done all the hard work for you. They've distilled it into maybe a five- or seven-day, sometimes even shorter, course, or even longer courses as well for something a bit more formal that provides a well-recognised certification or degree if you go down the higher education route, of course. So there's no excuse to not get started. You can find everything you need; it is available online. If you have any questions, if you're struggling to find some resources, I'm happy for you to reach out. Shoot me an email at the address in the show notes, and I'll come back to you. Just let me know what you're trying to do and where you want to be, and I would be more than happy to give you a steer on where to go. Of course, what makes this valuable to everyone is for me to be talking about things that you enjoy, things that you want to learn about in that DFIR space.
So if you've got any special requests, if you've got topics that you'd like me to cover, if you want to hear from particular people, and specific interview questions when they're a guest on TLP, just let me know. That's what I'm here for: I'm here to create something that you can listen to on the train or on the bus, or if you're driving and you have an interest in cyber. Maybe you don't know anything about cyber but you're considering jumping in, or it's just for casual interest. I will do my best to bring relevant knowledge based on everything that I've already discussed, but I'm always open to suggestions. I really look forward to bringing some new information to the table and sharing some experiences and some use cases, and just building it out. So I really want to thank you for your time and for listening to the first episode of TLP. I will see you in the next episode. Take care.
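The acquisition failure mode the host describes (an overnight image that reports "completed" but is truncated, or can't be opened the next morning) is exactly what a tested, verifying procedure catches. The following is an added example for this page, not code from the host, the podcast or dfirinsights.com: a minimal Python acquisition routine that hashes the source stream as it is read, fsyncs the image, re-reads the image from disk and checks its size and SHA-256 against what was read. The fake "device" file, temporary paths and chunk size are constructed for the demo; against a real drive you would read from the block device (for example /dev/sdX on Linux, behind a write blocker, as root) and record both hashes in your acquisition log.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """SHA-256 of a file read back from disk, streamed so it works on large images."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(src_path, dst_path, chunk_size=1024 * 1024):
    """Stream src_path into dst_path, hashing the source as it is read.

    Returns the byte count, the SHA-256 of the bytes read from the source, and
    the SHA-256 of the finished image re-read from disk. If the two digests
    differ, the image on disk is not what was acquired.
    """
    read_hash = hashlib.sha256()
    total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            read_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # do not trust "done" until the bytes hit the disk
    return {
        "bytes": total,
        "source_sha256": read_hash.hexdigest(),
        "image_sha256": sha256_file(dst_path),  # independent re-read of the image
    }


def verify_image(image_path, expected_bytes, expected_sha256):
    """Return (ok, reason). Size is checked first because it is cheap and catches truncation."""
    actual_bytes = os.path.getsize(image_path)
    if actual_bytes != expected_bytes:
        return False, f"size mismatch: expected {expected_bytes}, got {actual_bytes}"
    if sha256_file(image_path) != expected_sha256:
        return False, "hash mismatch"
    return True, "ok"


def demo():
    """Constructed scenario (assumption, not a real device): image a fake drive,
    verify it, then corrupt one byte and truncate it to show both checks fire."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "fake_device.bin")
        image = os.path.join(d, "evidence.dd")
        with open(device, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024 + 123))  # not a multiple of the chunk size
        result = acquire_image(device, image, chunk_size=64 * 1024)
        good = verify_image(image, result["bytes"], result["source_sha256"])
        # Same size, one byte flipped: only the hash check can catch this.
        with open(image, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        corrupted = verify_image(image, result["bytes"], result["source_sha256"])
        # Short image, the "deceptively completed" case: the size check catches it.
        with open(image, "r+b") as f:
            f.truncate(result["bytes"] - 1)
        truncated = verify_image(image, result["bytes"], result["source_sha256"])
        return result, good, corrupted, truncated


if __name__ == "__main__":
    res, good, corrupted, truncated = demo()
    print(res["bytes"], res["source_sha256"] == res["image_sha256"])
    print(good, corrupted, truncated, sep="\n")
```

The point of hashing the source stream and the on-disk image separately is that a write that silently failed, a full destination volume, or a filesystem cache that never flushed all show up as a mismatch instead of as a surprise when you open the image for analysis. Run verify_image again before you start analysis and again before you hand the image to anyone else; the expected size and hash belong in the acquisition notes.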