Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

Digital Forensics on a (less than) shoestring budget--Part 1

It has often been said that the best things in life are free. Could it be that that old saying can be applied to digital forensics? In many cases, the answer is a resounding yes!

But first, a little history on just how I know the above to be true. I am a police officer in a small, rural mid-western department. As is the case most everywhere, my department started seeing a rise in complaints related to "cybercrime", such as email threats and harassment, child sexual abuse and scams. Since I was already very much into computer use, I took an interest in pursuing these cases and requested various training courses related to their investigation. The farther I got into it, the more I learned about computer forensics and I set up the first lab for my department.

I have no doubt there are many others out there in the same boat. You may want to do forensics, whether it be for a police agency, a private firm or just something of a personal interest, but you don't have the funds to dive into the deep end. I decided I would detail some of my experiences here in hopes I might help someone else trying to go down the same road I've already traveled.

Before I ever attempted to do any actual forensic work on a real case, it was quite evident to me that training was an absolute necessity. Sure, you can download some stuff, go to work and maybe fumble your way through it without guidance, but odds are your methods will be shoddy and your success lacking. SANS, as well as a few other organizations and colleges, provides high quality forensics education programs, but perhaps you're not in a position to pay what they cost just yet. Maybe you have a goal to enroll in those courses as soon as you can, but first you need to get your feet wet, so to speak, and see if this is for you. Would you believe some forensics training is free? There is free training out there, although some of it is restricted to law enforcement only.

The first actual forensic training I ever took was the Basic Data Acquisition and Recovery (BDRA) course given by the National White Collar Crime Center (NW3C). The NW3C provides outstanding free courses to law enforcement agencies all over the country. This course was an excellent starting point for those just beginning in the field. A year later, I was able to attend their Intermediate Data Recovery and Analysis (IDRA) course. Once again, the training was free to law enforcement, but well worth paying for.

The SANS organization often offers discounts and special deals to those enrolling in their courses. I've seen discounts available ranging from 20 to 50 percent, depending on the course. They offer a 50 percent discount on all of their forensics training courses to local and state law enforcement officers, a deal I personally took advantage of when I took the SANS For 508 Intrusion Forensic and Incident Response class. The discount code, again available for all the forensic courses at SANS only to local and state law enforcement officers, is "locallaw50".

The Department of Defense Cyber Crime Center offers free forensic training to a limited audience. Their courses are limited to those working in the following fields: Federal Law Enforcement, Counterintelligence, Inspector General or Computer Forensics Examiner. They also run the annual DC3 Digital Forensic Challenge, which I am participating in for the first time this year as a learning experience.

But what about the non-police readers of this post? Unfortunately, there aren't many free courses that I'm aware of, but there are other avenues for learning. One of the resources I don't hear much about, but that has been quite valuable to me is the SANS Reading Room . There are an amazing number of research papers written by SANS students pursuing certification of one type or another. There are papers on all kinds of computer forensics, security and other related topics.

Other training opportunities come in the form of webcasts. SANS regularly holds free webcasts on all sorts of computer forensics and security topics. Of course, SANS provides very high quality training courses that do cost money, but they also give back to the community in many ways, including the Reading Room and these webcasts.

The first good training I ever had on disk imaging using something other than the "raw" format was Rob Lee's SANS webcast entitled "Imagine This!". I learned imaging and image mounting techniques in that webcast that I still use today. Likewise, another free webcast I learned from was Memory Analysis for Incident Responders and Forensic Analysts . There have been countless other webcasts provided by SANS and all are still available on their webcasts page and in the archives. All are available at no cost, only requiring you register for a free portal account.

Another source of training videos for forensics and other types of computer security is the Virtual Training Environment Library provided by Software Engineering Institute at Carnegie Mellon. A large amount of material is available for free in the library and other paid-content courses are available as well.

Other sites give excellent training opportunities through the use of webinars on a regular basis. Mandiant and DFInews both hold webinars from time to time and maintain archives of those sessions for later viewing.

Finally, another excellent source for learning may be in your own city, or at least not far away. Many local forensics organizations exist all over the world. A check with your favorite search engine may turn up such a group in your area. These groups often hold meetings with featured speakers and other exercises available for participation.

I welcome any comments to this post. If you know of other learning opportunities I haven't mentioned, please let me know. In part 2 of this post, I'll get into free and low cost forensic software you can use to get started.


Posted January 12, 2011 at 6:25 PM | Permalink | Reply

Rob Lee

This is a great post Ken! Thanks!!

Posted January 13, 2011 at 5:23 AM | Permalink | Reply

Joe Garcia

Great post Ken. Nice to see you expand on some of the stuff we talked about on Episode 23 of Cyber Crime 101. Can't wait for Part II of this.

Posted January 17, 2011 at 2:53 AM | Permalink | Reply

Paul Harper

A good free site aimed at Law Enforcement is the Law Enforcement and Forensic Examiner's Introduction to Linux. It has a free tutorial with some simple practice cases.

Posted January 17, 2011 at 5:34 PM | Permalink | Reply

Ken Pryor

Thanks Rob and Joe!

Thanks Paul, that is a great site. I actually talk about it some in part 2 of this post which was just posted today. I used Barry's Linux Leo guide quite a bit when I was first getting started.

Post a Comment

* Indicates a required field.