by Christa M. Miller
Digital forensics is a tough job. Forensicators must evolve as rapidly as the technology does, which means being in a constant state of learning. Formal education is costly and can’t keep up. The next best alternative: learn from others’ experience.
It can be a challenge, however, to share one’s forensication expertise on an ongoing basis. Nondisclosure agreements, time, and effort all present a challenge when you’re a forensicator with a life. Those who make it work, however, deserve special recognition for fueling the DFIR community with the information examiners need to understand where their results come from, how to do better, more accurate work, and overall keep moving forward.
These ten blogs are among the very best, selected for their post frequency, validation by community members throughout social media and venues like the Forensic 4cast Awards, and links from other blogs.*
10. A kilo of forensic resources
The result of digital forensic research conducted on his own time, Dan Pullega’s 4n6k posts only about two or three times per year, but is rich with technical detail, even the succinctly explained “Forensics Quickies” and information about his own and others’ scripts. Pullega also links to his active DFIR Subreddit from this page.
9. Forensication in the Arizona desert
Tucson, Arizona-based incident responder Mari DeGrazia has run Another Forensics Blog since 2012. Although she offers only a few updates per year, those she publishes are tutorials rich with how-tos. DeGrazia also offers a number of her own tools for download, together with blog tutorials on how to use them. She’s responsive to commenters who pinpoint errors, encourages requests for updates and even help with parsing artifacts, and meticulously documents her tools’ place in the larger DFIR ecosystem.
8. DFIR from the City of Angels
Posting an average of once or twice per month, James Habben’s 4n6ir is a newer blog (it just celebrated its first blogoversary, or is that birthday?) that mixes problem-and-solution technical posts with more career-oriented information about report-writing, soliciting peer reviews of reports, and dealing with the most difficult of cases. Habben also offers a short list of Python scripts for those interested in learning the language.
7. Vendor-neutral Mac forensics
It might appear difficult to separate Mac forensics from the vendors who develop tools to perform it, which is why Sarah Edwards’ Mac4n6 blog is on this list. Edwards, a SANS instructor, has long been known for her expertise. Once or twice a month since 2015, she has aggregated resources from other blogs, papers, presentations in video and printed form, other media such as webcasts, and tools, including her own scripts, for which she provides tutorials and extensive documentation. Edwards also publishes calls for papers from around the community, so if you’re interested in publishing research on Apple forensics, be sure to subscribe to Sarah’s blog!
6. Mixing technical and business value
New kid on the block Gillware Digital Forensics is the brainchild of Cindy Murphy, a noted expert on mobile device forensics. This blog is the youngest of this set, but already has accolades from the community as a strong resource. Mobile malware, NAND memory data recovery, and artifacts from popular apps have all been covered in the two months since the blog’s inception, along with case studies, best practices, and more personal reflections from Murphy’s 30-year career.
5. A six-year journey through DFIR
Corey Harrell’s Journey into Incident Response has been around since 2010, and has enough content that he’s divided his “Search” function into four different custom categories: digital forensics, vulnerabilities, active threats, and malware analysis. Harrell has posted less in recent years, but still tells great stories and might even be considered one of DFIR’s great philosophers. Be sure to check out Harrell’s “Journey into IR Methodology” aggregation of the posts he’s written about the six levels of incident response; there are many more posts than just six, making this a valuable resource for those interested or just beginning in IR.
4. A steady team effort on memory forensics
Memory is about the only volatile aspect of the blog run by Volatility Labs’ AAron Walters, Jamie Levy, Andrew Case, and Michael Ligh. It’s been one of the DFIR community’s go-to resources for memory forensics and malware analysis since 2012. It offers tutorials as well as updates for Volatility training and tools, and, of course, the annual Volatility plugin contest. You can also find details on projects that build on the Volatility framework, as well as events where you can plan to attend team members’ presentations. Be sure to check out the authors’ book “The Art of Memory Forensics”, and of course, access the Volatility code from GitHub!
3. In search of forensic spoils
A newer, but fairly prolific blog with two to three posts per month, Eric Zimmerman’s Binary Foray offers in-depth forensic tool testing, as well as his own open-source tools for download and testing. His work builds on both direct feedback from the community, as well as his own response to other forensicators’ work. Be sure to look for Zimmerman’s forensic suite benchmarks, including his recent post comparing X-Ways, various EnCase versions, and Autopsy, and his imaging speed tests.
2. Monkeying around with digital forensics
Adrian Leong, the Cheeky 4n6 Monkey, has blogged on average once a month since 2011. Leong is the author of a great many Python and Perl scripts available from his GitHub (you can find them from his blog); in addition to in-depth technical posts, he has good information about the professional side of forensic work. In particular, Leong’s follow-up from his panel at the SANS DFIR Summit delves into creativity, the scientific method, perseverance, collaboration, and luck. Read it with the same attention you would devote to his technical posts!
1. An online forensicators’ community
Weekly community updates can be essential to an informed and involved populace, which is why Phill Moore’s This Week in 4n6 stands out. Since January 2016, Moore has run this regular roundup of the industry’s latest tools and releases, malware research, presentations, and other goodies from the community. The extent of activity across the industry is apparent from this in-depth blog; big-picture thinkers will appreciate the ability to see context and connections in the different groupings.
No “top 10 DF / IR blogs” list would be complete without a mention of the true lions of blogging, the people who consistently post in sharing their experiences and expertise. Harlan Carvey has maintained Windows Incident Response for more than a decade, as has Didier Stevens with his blog; meanwhile, Hacking Exposed Computer Forensics editors Dave Cowen and James Alwood haven’t posted since April of this year — but Cowen, along with Matthew Seyer, is also behind the twice-a-month Forensic Lunch video stream and podcast.
Other blogs to watch: Digital Forensics Tips, Larry Daniel’s Ex Forensis, Brian Moran’s BriMor Labs, Champlain College’s Computer & Digital Forensics Blog, Chad Tilbury’s Forensic Methods, Ken Pryor’s Digital Forensics Blog, and Jamie Levy’s JL’s Stuff all update less frequently than those listed above, but nonetheless have valuable information that’s worth checking out.
*Disclaimer: it’s impossible to work in and around the digital forensics community for long without coming to know people personally. I’ve interacted with everyone on this list and have known most for some time; while my methods may have been less than purely scientific, they do represent an intent to be as objective as possible. If I’ve missed any, please be sure to share in the comments!
Christa M. Miller has worked as a marketing and public relations professional for digital forensics and incident response vendors for the past seven years. While seeking new employment, she continues to write and edit in both personal and professional pursuits. She is based with her family in South Carolina, USA and, besides writing, enjoys traveling, reading, hiking, storms, and breezy summer afternoons in her hammock.
WeAre4n6 (http://www.weare4n6.com/) is a daily updated blog where readers will find tons of information about digital forensics, including news, software, trainings, certifications, tips and tricks, how-to’s and also exclusive DFIR articles from the authors.
Mea culpa — I totally missed Heather Mahalik’s blog Smarter Forensics! I’m so embarrassed! http://smarterforensics.com/blog/
This should also be in the top 10: http://windowsir.blogspot.com/
Thanks!
Since you asked, Christa, I’ll throw @bbaskin’s blog http://www.ghettoforensics.com/ on the list and mention Noriben, an easy to use malware analysis sandbox script using Procmon (https://github.com/Rurik/Noriben)