Digital Forensics
Evidence collection, analysis techniques, forensic tools, and legal considerations.
Overview
Digital forensics is the investigation of cyber incidents to identify, preserve, and analyze evidence that will hold up to technical and legal scrutiny.
Forensic Process
- Identification: Locate evidence
- Preservation: Secure evidence
- Collection: Gather evidence
- Examination: Analyze evidence
- Analysis: Interpret findings
- Reporting: Document results
Evidence Types
| Type | Source | Volatility |
|---|---|---|
| RAM | Memory | High |
| Registry | Windows | Medium |
| Logs | Systems | Medium |
| Disk | Storage | Low |
| Network | Traffic | Medium |
Forensic Tools
| Tool | Purpose |
|---|---|
| Autopsy | Disk analysis |
| Volatility | Memory analysis |
| FTK | Forensic toolkit |
| EnCase | Forensic suite |
| Sleuth Kit | File system analysis |
Memory Analysis
```bash
# Volatility 2 memory analysis (image: memory.dmp, profile: Win7SP1x64)
# List running processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist
# Extract network connections (netscan applies to Vista and later)
volatility -f memory.dmp --profile=Win7SP1x64 netscan
# Dump the executable of PID 1234; procdump requires an output directory
volatility -f memory.dmp --profile=Win7SP1x64 procdump -p 1234 --dump-dir=/evidence/dumps
```
Disk Forensics
```bash
# Create a forensic image from a write-blocked source;
# conv=noerror,sync continues past bad sectors and pads them with zeros
dd if=/dev/sda of=/evidence/disk.img bs=4M conv=noerror,sync status=progress
# Calculate hashes and record them with the evidence
md5sum /evidence/disk.img
sha256sum /evidence/disk.img
# Mount the image read-only (a whole-disk image needs offset=<bytes> to the partition)
mount -o loop,ro /evidence/disk.img /mnt/evidence
# Search for document files
find /mnt/evidence \( -name "*.doc" -o -name "*.pdf" \)
```
Chain of Custody
- Evidence ID: E-2024-001
- Collected: 2024-01-15 14:30 by John Smith
- Location: Office 101, sealed in anti-static bag
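The hashing and chain-of-custody steps above, as an added example (not code from the original page): the image is hashed in streaming fashion the way md5sum and sha256sum do, every handling step is appended to a JSON-lines custody log, and a later verification pass detects any change to the image. Evidence id, handler and location values are hypothetical.

```python
"""Forensic image hashing and chain-of-custody log (added example, not from
the page). Evidence id, handler and location values are hypothetical."""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB reads, like dd bs=4M: images exceed RAM


def hash_file(path):
    """Stream the image once through MD5 and SHA-256 (the md5sum and
    sha256sum step); SHA-256 is the value verification relies on."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def _append(log, entry):
    """Append-only JSON-lines log: every handling step is a new line."""
    with open(log, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def record_acquisition(image, log, evidence_id, handler, location):
    """First custody entry: who acquired which item, when, and its hashes."""
    return _append(log, {
        "evidence_id": evidence_id, "action": "acquired", "handler": handler,
        "location": location, "time": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(image)})


def verify_image(image, log, handler):
    """Re-hash the image and log the check. Returns True only if the current
    SHA-256 equals the one recorded at acquisition (first log line)."""
    with open(log) as f:
        first = json.loads(f.readline())
    ok = hash_file(image)["sha256"] == first["hashes"]["sha256"]
    _append(log, {"evidence_id": first["evidence_id"], "action": "verified",
                  "handler": handler, "result": "match" if ok else "MISMATCH",
                  "time": datetime.now(timezone.utc).isoformat()})
    return ok
```

A mismatch entry in the log is itself evidence: it shows when the image last matched and who handled it since.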
Legal Considerations
- Authorization: Proper warrants
- Chain of Custody: Evidence tracking
- Documentation: Detailed logs
- Expert Testimony: Court presentation
- Privacy Laws: Data protection
Practice
Analyze a forensic image using Autopsy and document findings.