Key Takeaways
- Chain of custody maintains evidence integrity
- Memory first - volatile evidence disappears
- Write blockers prevent evidence modification
- Timeline analysis reconstructs events
1. Digital Forensics Fundamentals
Digital forensics is the recovery and investigation of material found in digital devices. It's used in criminal investigations, incident response, and civil litigation.
Key Principles
- Preserve: Don't modify original evidence
- Document: Record everything you do
- Chain of custody: Track evidence handling
- Repeatability: Others following the same steps should get the same results
2. Evidence Collection
Order of Volatility
- CPU registers, cache
- Memory (RAM)
- Network state
- Running processes
- Disk storage
- Removable media
- Backups, logs
# Memory acquisition (do this FIRST!)
# Windows
winpmem_mini_x64.exe memory.raw
# Linux
sudo ./linpmem memory.lime
# Disk imaging
# Use write blocker first!
dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M status=progress
# Or use FTK Imager, Guymager
# Verify hash: hash the original media as well as the image; the two must match
# (and record both in the chain-of-custody log)
md5sum disk.img
sha256sum /dev/sda disk.img
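The acquisition steps above as an added POSIX shell example (not from the original cheat sheet): image a source, hash both source and image, and append a chain-of-custody record; `acquire_image`, `verify_image`, and the paths are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: image a source, hash
# source and image, and append a chain-of-custody record. Paths are hypothetical.

# acquire_image SOURCE IMAGE LOGFILE
# Bit-for-bit copy of SOURCE to IMAGE; returns 0 only if the SHA-256 of the
# image matches the SHA-256 of the source. A mismatch is still logged so the
# failed attempt is on record.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # Hash the source first (on real media: behind a write blocker).
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # Plain dd: conv=noerror,sync would zero-pad a partial final block,
    # so the image hash would no longer match the source.
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 1
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then
        status=VERIFIED
    else
        status=MISMATCH
    fi
    # Record: UTC timestamp | examiner | source | image | sha256 | result
    printf '%s|%s|%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$src" "$img" "$img_hash" "$status" >> "$log"
    [ "$status" = VERIFIED ]
}

# verify_image IMAGE LOGFILE
# Repeatability check: re-hash IMAGE and compare with the hash last recorded
# for it. Returns 1 if the image was never logged or no longer matches.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F "|$img|" "$log" 2>/dev/null | tail -n 1 | cut -d'|' -f5)
    [ -n "$recorded" ] || return 1
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Stand-alone use: sh acquire.sh /dev/sdb /mnt/evidence/disk.img custody.log
if [ "$#" -eq 3 ]; then
    acquire_image "$1" "$2" "$3" && verify_image "$2" "$3"
fi
```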
3. Disk Forensics
# Mount image read-only (for a partition inside a full-disk image, add
# offset=<start sector * sector size>, taking the start sector from mmls)
mount -o ro,loop disk.img /mnt/evidence
# Autopsy - GUI forensic platform
# Creates cases, analyzes images
# Keyword search, hash lookup, timeline
# Sleuth Kit commands
fls -r disk.img # List files recursively (add -o <start sector> for a partition in a full-disk image)
icat disk.img 12345 # Extract file contents by inode/MFT entry number
mmls disk.img # Partition layout
blkcat disk.img 0 1000 # Dump 1000 raw blocks starting at block 0
# File carving for deleted files (works on unallocated space, no file system needed)
photorec disk.img
scalpel -c /etc/scalpel/scalpel.conf -o carved/ disk.img
4. Memory Forensics
# Volatility 3 - memory analysis framework
vol -f memory.raw windows.info
vol -f memory.raw windows.pslist # Running processes
vol -f memory.raw windows.pstree # Process tree
vol -f memory.raw windows.cmdline # Command lines
vol -f memory.raw windows.netscan # Network connections
vol -f memory.raw windows.filescan # Open files
vol -f memory.raw windows.dlllist # Loaded DLLs
vol -f memory.raw windows.malfind # Injected code
# Extract suspicious process
vol -f memory.raw windows.memmap --pid 1234 --dump
# Look for:
# - Suspicious process names
# - Unusual parent-child relationships
# - Hidden processes
# - Network connections
# - Injected code
5. Windows Forensic Artifacts
# Key locations:
# Registry hives
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SOFTWARE
C:\Users\*\NTUSER.DAT
# Event logs
C:\Windows\System32\winevt\Logs\
# Prefetch
C:\Windows\Prefetch\
# Browser history
C:\Users\*\AppData\Local\Google\Chrome\User Data\
# Recent files
C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\
# Parse with RegRipper
rip.exe -r NTUSER.DAT -p userassist
rip.exe -r SYSTEM -p shimcache
6. Timeline Analysis
# Create super timeline with Plaso
log2timeline.py --storage-file timeline.plaso disk.img
psort.py -o dynamic -w timeline.csv timeline.plaso
# Timeline Explorer for analysis
# Filter by date range, artifact type
# Look for clusters of activity
# Key timestamps (MACB):
# - File creation / birth (B)
# - Content modification (M)
# - Access (A)
# - MFT entry / metadata change (C)
7. Network Forensics
# PCAP analysis
wireshark capture.pcap
# Extract files from PCAP
tcpxtract -f capture.pcap -o extracted/
foremost -i capture.pcap -o carved/
# Zeek for network metadata
zeek -r capture.pcap
# NetworkMiner
# Automatic host identification
# File extraction
# Image reconstruction
8. Essential Forensic Tools
- Autopsy: GUI forensic platform
- Volatility: Memory analysis
- Sleuth Kit: Disk analysis CLI
- FTK Imager: Disk imaging
- Plaso/Log2Timeline: Super timeline
- KAPE: Fast evidence collection
- Eric Zimmerman's tools: Windows artifact parsing
FAQ
What certifications are valuable for forensics?
GCFE (GIAC Certified Forensic Examiner), EnCE (EnCase Certified Examiner), CFCE (Certified Forensic Computer Examiner), and GCFA (GIAC Certified Forensic Analyst) for advanced analysis.