ogmini - Exploration of DFIR



25 January 2025

Belkasoft - Windows Forensics with Belkasoft Part 2

by ogmini

Started on the Windows Forensics course from Belkasoft and I was happy to see that they explicitly mention that you can use other tools besides Belkasoft X. I did use Belkasoft X to work on the problems in order to get familiar with and learn the software. What follows are some quick thoughts.

I have realized that I am far more comfortable using more “manual” tools like KAPE, Autopsy, DB Browser for SQLite, etc. I had this same “hangup” during my classes at Champlain. When we used tools like Magnet Axiom, they made me feel disconnected from the artifacts. I liked knowing where the files existed on the filesystem as opposed to screens providing views of artifacts grouped by type. I found it was easier for me to navigate the artifacts this way. There are definite speed benefits to using tools like Belkasoft X and Magnet Axiom. They really are good at letting you get a big picture and quickly narrow down to the important artifacts. It is important to get comfortable using as many tools as possible to be efficient.

The course has served as a great refresher from what I’ve learned previously. Always great to have new scenarios to practice on and Belkasoft is using one of the datasets from a previous CTF that they put on. Each section in the course has some quizzes on the information presented and lab quizzes that have you examining the data for artifacts to answer questions. I feel like the difficulty is just right and you can’t shortcut anything. Some of the answers could be “right” if you interpret the evidence incorrectly. Attention to detail is key!

I was very happy to see that Belkasoft explained the artifacts and their locations so that one could manually find and parse the data. It is important to understand the artifacts and how they work in order to correctly interpret what any tool presents. Afterwards, they would show you how to get that information with Belkasoft X.

Hopefully I’ll be able to tackle the final exam later this week. I’ll also have to tackle some of the older Belkasoft CTFs.

tags: training - certification