Digital Forensics

Digital forensics is the application of scientific methods to the identification, preservation, analysis, and presentation of digital evidence. It spans disk forensics (file system analysis, deleted file recovery, timeline reconstruction), memory forensics (live capture of volatile data, malware hunting in RAM), network forensics (packet capture analysis, flow reconstruction), mobile forensics, and cloud forensics. Unlike incident response — which prioritizes rapid containment — forensics prioritizes evidence integrity and legal defensibility. The two disciplines overlap significantly in DFIR (Digital Forensics and Incident Response) roles.


Where to Start

Start with the foundational skill: disk forensics. Learn the evidence handling chain of custody before touching any tools. Then move to memory forensics since most active threats live in RAM, and then to network forensics for traffic analysis.

  1. Understand evidence handling: chain of custody, write blockers, hash verification (MD5/SHA-256)
  2. Learn the Sleuth Kit / Autopsy — the most accessible open-source forensic platform
  3. Work through Eric Zimmerman's tools — the definitive Windows artifact toolkit
  4. Learn Volatility 3 — the standard for memory forensics
  5. Practice on CyberDefenders — free DFIR challenges with real forensic images
  6. Keep the SANS posters and cheat sheets at hand as a quick reference for Windows and Linux forensics

Free Training

| Resource | What You Learn |
|---|---|
| CyberDefenders | Free DFIR challenges: memory dumps, disk images, PCAP analysis, incident reconstruction |
| Blue Team Labs Online | Free forensic investigation and log analysis labs |
| DFIR.training | Community-maintained registry of free DFIR tools and training resources |
| 13Cubed YouTube | Windows forensics, Volatility, and DFIR walkthroughs — practitioner-level |
| TCM Security — Practical Malware Analysis & Triage (free tier) | Malware analysis and basic DFIR methodology |
| Volatility Foundation Documentation | Official Volatility 3 plugin reference and usage guides |
| SANS Digital Forensics Blog | Regular posts from SANS instructors on current forensic techniques |
| OpenSecurity Training 2 | Advanced x86/x64 and malware analysis courses — free |

Tools & Repositories

Disk & File System Forensics

| Tool | Purpose | Link |
|---|---|---|
| Autopsy / Sleuth Kit | GUI-based disk forensics platform — timeline, file recovery, keyword search | sleuthkit/autopsy |
| Eric Zimmerman Tools (EZ Tools) | Suite of 30+ Windows artifact parsers: MFT, Registry, LNK, Prefetch, Amcache, ShimCache | ericzimmerman.github.io |
| KAPE — Kroll Artifact Parser and Extractor | Triage collection and artifact parsing — most widely used in enterprise DFIR | github.com/EricZimmerman/KapeFiles |
| FTK Imager (free) | Disk imaging, evidence acquisition, hash verification | AccessData / Exterro |
| Plaso / log2timeline | Supertimeline generation from disk artifacts, logs, browser history | log2timeline/plaso |
| Velociraptor | Endpoint triage, artifact collection, live forensics at scale | Velocidex/velociraptor |

Memory Forensics

| Tool | Purpose | Link |
|---|---|---|
| Volatility 3 | The standard memory forensics framework — Windows, Linux, macOS | volatilityfoundation/volatility3 |
| MemProcFS | Virtual file system over a memory dump — browse processes, files, registry from a memory image | ufrisk/MemProcFS |
| Rekall (archived) | Memory forensics framework — largely superseded by Volatility 3 | google/rekall |

Network Forensics

| Tool | Purpose | Link |
|---|---|---|
| Wireshark | Packet capture analysis — the universal PCAP tool | wireshark/wireshark |
| NetworkMiner | Passive network sniffer and PCAP parser — reconstructs files and credentials from traffic | netresec.com/networkminer |
| Zeek (formerly Bro) | Network protocol analyzer generating structured logs — used heavily in DFIR and NSM | zeek/zeek |
| Arkime (formerly Moloch) | Full-packet capture and PCAP indexing at scale | arkime/arkime |

Artifact Analysis & Utilities

| Tool | Purpose | Link |
|---|---|---|
| Hayabusa | Windows event log threat hunting and timeline generation | Yamato-Security/hayabusa |
| Chainsaw | Fast Windows event log triage using Sigma rules | WithSecureLabs/chainsaw |
| RegRipper | Windows Registry artifact extraction and analysis | keydet89/RegRipper3.0 |
| Hindsight | Chrome/Chromium browser artifact forensics | obsidianforensics/hindsight |
| UAC — Unix-like Artifacts Collector | Triage collection for Linux/macOS/Unix systems | tclahr/uac |

Commercial & Enterprise Platforms

| Platform | Category | Key Capabilities |
|---|---|---|
| EnCase Forensic — OpenText | Disk & Enterprise Forensics | Court-accepted evidence acquisition and analysis, comprehensive Windows/Linux/macOS support |
| Magnet AXIOM | All-in-One DFIR | Disk, mobile, cloud, and memory forensics in a single platform; widely used by law enforcement and corporate investigators |
| Cellebrite UFED | Mobile Forensics | Industry standard for mobile device extraction — physical, logical, cloud acquisition |
| Nuix | Large-Scale Evidence Processing | eDiscovery-grade processing of massive evidence sets; used in high-stakes litigation and government investigations |
| Oxygen Forensic Detective | Mobile & Cloud Forensics | Mobile devices, cloud services, drones, and IoT forensics |
| Exterro (FTK Suite) | Enterprise DFIR & eDiscovery | Full forensic investigation platform with legal hold and eDiscovery integration |
| Cado Security | Cloud & Container Forensics | Automated forensic acquisition for AWS/Azure/GCP — addresses the ephemeral evidence challenge in cloud environments |
| CrowdStrike Falcon Forensics | EDR-Based Forensics | Remote forensic collection from CrowdStrike-managed endpoints at enterprise scale |

Books & Learning

| Resource | Focus |
|---|---|
| The Art of Memory Forensics — Ligh, Case, Levy & Walters | The definitive memory forensics textbook — Volatility-based, covers Windows/Linux/macOS |
| File System Forensic Analysis — Brian Carrier | Deep coverage of FAT, NTFS, ext, HFS+ file systems and their forensic artifacts |
| Digital Forensics with Open Source Tools — Altheide & Carvey | Practical open-source forensics methodology |
| Placing the Suspect Behind the Keyboard — Brett Shavers | Windows artifact investigation for attribution |
| Intelligence-Driven Incident Response — Beyer & Cloppert | Combining forensics with threat intelligence for structured DFIR |
| Windows Forensics Cookbook — Scar de Courcier & Others | Practical recipes for Windows artifact analysis |

Certifications

| Certification | Issuer | What It Validates |
|---|---|---|
| GCFE — GIAC Certified Forensic Examiner | GIAC/SANS | Windows forensics, artifact analysis, incident timeline reconstruction |
| GCFA — GIAC Certified Forensic Analyst | GIAC/SANS | Advanced memory forensics, malware analysis, intrusion investigation |
| GASF — GIAC Advanced Smartphone Forensics | GIAC/SANS | Mobile device forensics — iOS and Android acquisition and analysis |
| GNFA — GIAC Network Forensic Analyst | GIAC/SANS | Network traffic analysis, protocol dissection, intrusion reconstruction from PCAP |
| GREM — GIAC Reverse Engineering Malware | GIAC/SANS | Malware analysis in a forensic context — static and dynamic techniques |
| CCE — Certified Computer Examiner | ISFCE | Vendor-neutral computer forensics examination certification |
| CFCE — Certified Forensic Computer Examiner | IACIS | Law enforcement-focused computer forensics certification |
| EnCE — EnCase Certified Examiner | OpenText | EnCase platform proficiency — widely recognized in legal proceedings |

YouTube Channels

| Channel | Focus |
|---|---|
| 13Cubed | Windows forensics, Volatility, KAPE, registry analysis — best free DFIR channel |
| SANS Digital Forensics | SANS instructor content — memory, disk, and network forensics |
| CyberDefenders | DFIR challenge walkthroughs |
| John Hammond | CTF and forensic challenge walkthroughs |
| Forensic Focus | Professional DFIR webinars — mobile, cloud, legal |

Who to Follow

| Handle | Focus |
|---|---|
| @EricZimmermann | Windows forensic artifacts — creator of EZ Tools and KAPE |
| @hexacorn | Windows internals, persistence research, forensic artifacts |
| @mattnotmax | Hayabusa, threat hunting, Windows forensics |
| @iamevltwin | macOS and iOS forensics |
| @TheHexNinja | Memory forensics and Volatility |
| @4n6lady | Forensics practitioner and educator |
| @forensicmike1 | Mobile forensics practitioner |


DFIR Investigation Methodology

Order of Volatility (collect most volatile first)

  1. CPU registers, cache, running processes
  2. RAM / memory contents
  3. Network connections (active)
  4. Running processes with open files
  5. Disk (filesystem, MFT, prefetch)
  6. Remote logging / SIEM (before log rotation)
  7. Physical media (offline backups)

Disk Forensics

Evidence Acquisition

  • Physical: `dd if=/dev/sda of=/path/to/image.dd bs=512`, with a SHA-256 hash taken before and after imaging
  • Forensic tools: FTK Imager (Windows, free), Guymager (Linux), dcfldd (hash-while-imaging)
  • Write blockers: Tableau, Wiebetech — always use a hardware write blocker before imaging
  • Chain of custody: document every step, hash evidence at acquisition

Windows Artifact Locations

| Artifact | Path | Forensic Value |
|---|---|---|
| Prefetch | `C:\Windows\Prefetch\*.pf` | Program execution evidence (last 8 run times) |
| NTFS MFT | `$MFT` | Every file ever on the volume, timestamps |
| Recycle Bin | `C:\$Recycle.Bin` | Deleted files with original path + deletion time |
| LNK Files | `%APPDATA%\Microsoft\Windows\Recent` | File access history |
| Jump Lists | `%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations` | Application-specific recent files |
| Shimcache/AppCompatCache | SYSTEM hive | Program execution (AppCompat layer) |
| Amcache | `C:\Windows\AppCompat\Programs\Amcache.hve` | SHA1 hashes of executed programs |
| Registry Run Keys | `HKLM/HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` | Persistence |
| NTFS Journal ($UsnJrnl) | `$Extend\$UsnJrnl` | File system change log |
| Browser History | `%APPDATA%\Local\[Browser]\User Data\Default` | Web activity |
| Event Logs | `C:\Windows\System32\winevt\Logs\` | Security, System, Application events |
| Windows Timeline | `C:\Users\[user]\AppData\Local\ConnectedDevicesPlatform` | App and file activity |
| SRUM | `C:\Windows\System32\sru\SRUDB.dat` | Network and app resource usage |

Key Windows Event IDs for DFIR

  • 4624/4625: Logon success/failure
  • 4648: Explicit credential logon (runas)
  • 4688: Process creation
  • 4698/4702: Scheduled task created/modified
  • 7045: New service installed
  • 4776: NTLM authentication
  • 4768/4769: Kerberos TGT/service ticket request
  • 1102: Security audit log cleared
  • 4657: Registry key value modified
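An added Python example, not from the original page, that applies the event IDs above to a constructed set of log records: it builds a sorted timeline, lifts out the IDs that warrant attention on their own, and pairs a burst of 4625 failures with the 4624 success that follows them. The record fields (time, id, user, src) are assumed to have been exported from the event logs beforehand; the sample records are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The event IDs from the list above and what each one means on a timeline
EVENT_MEANING = {
    4624: "Logon success", 4625: "Logon failure",
    4648: "Explicit credential logon (runas)", 4688: "Process creation",
    4698: "Scheduled task created", 4702: "Scheduled task modified",
    7045: "New service installed", 4776: "NTLM authentication",
    4768: "Kerberos TGT request", 4769: "Kerberos service ticket request",
    1102: "Security audit log cleared", 4657: "Registry key value modified",
}
# IDs worth an analyst's attention on their own, without any surrounding context
HIGH_PRIORITY = {1102, 7045, 4698, 4702}

# Constructed sample records (not real logs), shaped like fields exported from winevt
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "id": 4625, "user": "jdoe", "src": "10.0.0.7"},
    {"time": "2024-05-01T09:00:09", "id": 4625, "user": "jdoe", "src": "10.0.0.7"},
    {"time": "2024-05-01T09:00:14", "id": 4625, "user": "jdoe", "src": "10.0.0.7"},
    {"time": "2024-05-01T09:00:20", "id": 4624, "user": "jdoe", "src": "10.0.0.7"},
    {"time": "2024-05-01T09:01:02", "id": 4688, "user": "jdoe", "src": "-"},
    {"time": "2024-05-01T09:03:40", "id": 7045, "user": "SYSTEM", "src": "-"},
    {"time": "2024-05-01T09:10:00", "id": 1102, "user": "jdoe", "src": "-"},
    {"time": "2024-05-01T08:59:00", "id": 4624, "user": "svc_backup", "src": "10.0.0.9"},
]


def build_timeline(events):
    """Order records by time and attach the meaning of each ID (unmapped IDs are kept)."""
    return [{**e, "meaning": EVENT_MEANING.get(e["id"], "Unmapped event")}
            for e in sorted(events, key=lambda e: e["time"])]


def high_priority(events):
    """Timeline rows whose ID alone justifies a closer look (log cleared, new service, task)."""
    return [e for e in build_timeline(events) if e["id"] in HIGH_PRIORITY]


def failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a user/source pair with >= threshold 4625 failures inside `window`
    that is then followed by a 4624 success from the same pair."""
    recent, hits = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["time"]):
        key, t = (e["user"], e["src"]), datetime.fromisoformat(e["time"])
        recent[key] = [x for x in recent[key] if t - x <= window]  # drop stale failures
        if e["id"] == 4625:
            recent[key].append(t)
        elif e["id"] == 4624 and len(recent[key]) >= threshold:
            hits.append({"user": e["user"], "src": e["src"],
                         "failures": len(recent[key]), "success_at": e["time"]})
            recent[key] = []
    return hits
```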

DFIR Tooling

| Tool | Use Case | Platform |
|---|---|---|
| Volatility 3 | Memory analysis | Cross-platform |
| Autopsy | Disk forensics GUI | Cross-platform |
| KAPE | Triage artifact collection | Windows |
| Velociraptor | Enterprise DFIR at scale | Cross-platform |
| Chainsaw | Fast Windows event log hunting | Windows |
| Hayabusa | Sigma-based Windows event log analysis | Windows |
| Eric Zimmerman Tools (EZ Tools) | Windows artifact parsing (MFT, LNK, Registry, Prefetch) | Windows |
| FTK Imager | Evidence acquisition | Windows |
| WinPMem | Memory acquisition | Windows |
| NetworkMiner | PCAP analysis | Cross-platform |
| Zeek | Network traffic analysis | Linux/Mac |

Key Resources