DFIR Training Blog



You have an opportunity pounding on your door

We have plenty of negative news in the media, and our lives have changed. I foresee the future of our workplaces and education evolving into something drastically different. We are already seeing the amazing ability to operate businesses with more remote workers than ever thought possible. Educational institutions seamlessly flipped a switch and turned classrooms into online learning, effectively eliminating all the problems associated with travel on the roadways.

Gain New Skills and Knowledge. Make Your Own Experience. Increase Your Competence.

Many of us have no choice but to work from home during this pandemic. Some of us may not even have working-from-home as an option. But both situations can benefit from the changes the world is going through, specifically in being granted more time and more opportunity to learn.

The important stuff

If your employer is trying to find ways to pay you if you have been sent home, there are few easier methods than by taking training or conducting research. It is to the benefit of you and your employer to be able to pay you while you take job-relevant training, and maybe even pay for your training and research!

Learn by reading: Pull out that DFIR book that you bought last year and never got around to reading. Or order that DFIR book that you keep putting off. Get the print copy delivered in a few days or get the ebook version delivered instantly. And read it! Take advantage of the time you have been given, because soon enough, this newly given time will be eaten up as it was before. White papers are another great source of learning by reading.

Side note: Mark up that DFIR book! Write notes all over it as you read. When you come across something new, something that affects you directly, or something you want to try out later, highlight that passage and write a note in your book. You own the book. The book is there for you as a reference that you personalize as you need. Every single (DFIR) book that I have has personal notes scribbled everywhere. Kinda makes me feel like a scientist.

Now treat your book reading like it is: Study.

Learn by doing: You know where to find test images. You know where to find the tools. You know where to find the research. And you have the books. Download and run those tools through the images!

Treat it like it is: Practice.

Learn by being a student: This is the time to jump into the on-demand and online classroom training world of DFIR. Many of us already realized the benefits of online training before today, but it is never too late to take advantage of it. Taking an on-demand DFIR course relieves you of all the stressors and expenses of leaving home for land/air/sea travel, lodging, meals, and other incidental expenses. The biggest expense can be the loss of time, traveling for hours, only to spend nights in a hotel room.

Treat online training for what it is: Learning.

Learn by discovering: If you do the above, and you treat all of these for what they are (opportunities!), you might have the gift of connecting dots together that you didn’t see before, of where a forensic artifact fits in the scheme of DFIR. And even more incredible is if you make a connection of artifacts and activity that no one else has discovered. You have the opportunity to innovate a solution, discover a previously unknown causation and effect in DFIR, and publish your findings!

Treat your Aha! discoveries for what they are: Moving the DFIR community forward.

Online Training Resources for you to jump on!

Online/on-demand training

Quick tip on paying for any DFIR Training: You get what you pay for. Sometimes it is worth more than you paid, other times less. Factors depend on what you want, what you need, and the actual cost. If you pay a high price in dollars, you risk a great loss in expenses if the course wasn’t for you, or possibly you may receive a great benefit of learning despite the cost.

DFIR Training Patreon – I’ll throw this out there first because I can give a discount to make sure you have another opportunity of taking advantage of your time. I am giving a 60% subscription discount for membership to 40+ hours of courses, DFIR case studies, DFIR Cheats ebooks, Investigative courses, early access to special rewards, and the only podcast that I do.

$125 is now $50 for the next few weeks (once you subscribe, the price never increases for your subscription). Stay as long as you like, and those who subscribed at the higher $125 can change their subscription to $50. It’s a win-win for new and current subscribers.

Each course completion comes with a printable proof of completed training hours. This is one of those important things to keep in mind for court proof of training, resume building, and making your employer happy by documenting your job-related training.

Udemy – Udemy hosts quite a few DFIR courses. The prices are reasonable. I am not a big fan of Udemy as I have seen where courses have been stolen and resold by copyright thieves, and that some courses are taught by virtually unknown and, I hesitate to say, unskilled presenters. My advice is to check out the instructor’s background to be sure you are getting what you are looking for.

SANS – High-quality training! SANS has been providing online training for some time, but if you were already set to go with the classroom training, SANS probably contacted you about changes to your registered courses to be online.

I am a fan of the quality of SANS, but the price can only be described as really expensive. I recommend SANS to those that will benefit from the training at the price that they are paying to attend. I have spoken to those who regretted spending so much because they were not ready for the level of course that they paid for. I also know many who received benefits equal to or higher than the price paid. Be sure that the course you want is the course that you need, and that will make the price worthwhile.

DFIR Vendors – Practically all vendors offer on-demand training (Magnet Forensics, AccessData, OpenText, etc.). The only drawback is that most vendor courses are software training courses. This is not a negative if you own a license of the software. If you don’t have a license, some vendors have ‘general forensic’ courses that are not software specific, so be sure to choose wisely.

DFIR vendor training is generally separate from the vendor-agnostic training you find elsewhere, such as SANS or sources like the DFIR Training Patreon page.

YouTube – I watch YouTube. I refer to YouTube as an entertainment source, a news source, and an educational source. But I do not refer to it as a documented educational source. As an example, I have watched several YouTube videos on how to fix a dryer so that I could fix my dryer. That worked great. I didn’t need a course on how dryers worked. I just needed to know how to replace a bearing.

The same concept goes with forensics for me. I’ll watch a DFIR YouTube video to learn something that I didn’t know, but for documentation of a credible source, I place YouTube closer to entertainment than education. I do foresee YouTube eventually creating some educational platform in the future, just to capitalize on the online training market. But for now, I choose to spend documented online learning with providers that provide documentation and from credible (i.e., known) instructors or providers.


Written by: Brett Shavers
