How do I get into DFIR and OSINT
Hi everyone, so many people have asked me how to start and what to learn in Forensics or OSINT (actually, no one asks). I have been in these fields for a long time and I don’t want to see anyone feel confused about their future, so if you’re curious, this article is for you!
A. What exactly are Forensics and OSINT?
1. What is Forensics?
I am sure you have read many posts about the definitions of Forensics and OSINT, but it is very important that I mention them again. Basically, Forensics is the application of scientific methods and techniques to the investigation of crime. For instance, when the police want to catch someone, they need evidence; they put the pieces together, draw a conclusion and base their plan for catching the criminal on that conclusion. In computer science, Forensics is still the same; the difference is that we work on digital evidence, including disks, RAM, ROM, files, network traffic, event logs… When you touch something, your fingerprint appears on it, and on a computer every one of your actions is recorded, so we use that information to trace the footprints of the cyber criminal!
2. What is OSINT?
I’m working mainly in this category because it is so interesting. OSINT stands for Open Source Intelligence; it is a category that uses all available information (magazines, articles in real life or on the Internet, or data coming from the Forensics process) to find out who the threat actors are, where they come from… This category has existed for a long time, since the beginning of human society, in every war between kingdoms. The key to winning a war is that the kingdom has a good strategy, and to create one it must collect information about its opponent; that is why Intelligence appeared. Over time, Intelligence was updated to become more efficient and flexible, and that created OSINT.
B. How will we learn and work?
I’m sure you now understand both of them. Listening to theory without practicing is useless, so below is how I learn and work on them. Let’s go!
Forensics and OSINT share several properties: both collect information for an investigation, whether that is finding a criminal, recovering a system… So the first thing you have to learn is how to collect information, and the best way is to play CTF, which offers many challenges across many categories; you can find Forensics and OSINT challenges to solve. You should play CTF as much as possible because it is easy to follow. Although your university will give you a syllabus of what to learn in Cyber Security, it is still difficult to keep track, because they teach you a little of each thing and these things are very basic. Moreover, companies’ expectations are very high: they want you to have at least 1-2 years of experience when you graduate, so nothing is better than practicing on CTF. My experience is that taking your university’s syllabus and learning by yourself is the most stable path!
For instance, you play a challenge and cannot solve it, so you look for its solution; based on that solution you try to complete the challenge by yourself, then you look for what the signature of that challenge is (tool, tactic,…) and note it somewhere such as Notepad, HackMD, Obsidian,… Then you repeat this many times for many challenges. I’m sure you will see the difference inside you! When you have done enough, you will have the reflexes: “Oh, in this situation I should use this tool, code this script…”.
How about working? In my opinion, CTF shows around 90% of how you will work in Cyber Security; remember, it’s just 90%, and the other 10% is the company’s policies and how you deal with real cases. In CTF, the authors can warn you: “Oh, this sample is malicious and you should run it in a VM”, but when you start working, you must know exactly what your samples are, what your targets are and how to handle them without causing any damage. It is very dangerous to deal with something without following your leader’s recommendations or the company’s rules. For instance, you’re analyzing a malware sample to write a report for your company; if you accidentally run it on your real machine, it will affect not only your computer but also others. Depending on the severity of the problem, you may be warned or, at worst, fired and even held legally responsible. Or, if you are working on OSINT, the key to success is investigating something without being detected by the cyber criminals. You have to do everything to hide your identity, or it becomes very dangerous: the threat actors will delete all their fingerprints and, worse, they can k*ll you if they find you! So to work well, you must drop bad habits like “Oh, I’m running this sample on my real machine because it’s convenient” or “Oh, I found this information using my real machine and I’m confident they cannot find me!”; those will ruin you day by day, you will regret it if the worst happens, and you must obey all of the company’s rules. Combine these with your CTF skills fluently, and I believe you will earn a good position in their eyes!
C. Conclusion
If you have read this far, then I am very happy. We are lying in an ocean of knowledge, and sharing together is the best way to complete ourselves. This is my experience so far and I hope this knowledge will help you do better on the road ahead. Finally, I wish you all success in your career! See you in the next article, bye 💙💙💙