Digital Forensics: Complete Guide to Investigation and Analysis
Digital forensics is the scientific collection, analysis, and preservation of digital evidence from electronic devices and digital media. This comprehensive guide covers essential forensics techniques, tools, and methodologies used by cybersecurity professionals and investigators.
Introduction to Digital Forensics
Digital forensics involves the application of computer science and investigative procedures for legal purposes. The field encompasses several specialized areas:
- Computer Forensics: Analysis of computers and storage devices
- Network Forensics: Investigation of network traffic and communications
- Mobile Forensics: Examination of smartphones and tablets
- Memory Forensics: Analysis of system memory and volatile data
- Malware Forensics: Investigation of malicious software
Digital Forensics Process Model
1. Identification Phase
Evidence Recognition:
# Document the scene
# Photograph all devices and connections
# Create detailed inventory of equipment
# Identify potential sources of evidence
# Initial assessment checklist:
- Type of incident (malware, data breach, insider threat)
- Systems involved (workstations, servers, mobile devices)
- Time frame of incident
- Potential evidence sources
- Legal requirements and constraintsChain of Custody:
- Document who collected evidence
- Record when evidence was collected
- Note where evidence was stored
- Track who accessed evidence
- Maintain detailed logs of all activities
2. Preservation Phase
Creating Forensic Images:
# Using dd for disk imaging
dd if=/dev/sda of=/forensics/evidence.img bs=512 conv=noerror,sync
dd if=/dev/sda of=/forensics/evidence.img bs=4096 status=progress
# Using dcfldd for enhanced imaging
dcfldd if=/dev/sda of=/forensics/evidence.img bs=512 hash=md5,sha1 hashlog=/forensics/hashes.txt
# Using ewfacquire for Expert Witness Format
ewfacquire /dev/sda -t /forensics/evidence
# Verify image integrity
md5sum /dev/sda > /forensics/original.md5
md5sum /forensics/evidence.img > /forensics/image.md5Memory Acquisition:
# Using LiME (Linux Memory Extractor)
sudo insmod ./lime.ko "path=/forensics/memory.lime format=lime"
# Using avml for Linux
./avml /forensics/memory.dmp
# Using DumpIt for Windows
DumpIt.exe /output C:\forensics\memory.dmp
# Using winpmem for Windows
winpmem-2.1.post4.exe memory.dmp3. Collection Phase
Live Data Collection:
# System information
uname -a > system_info.txt
date >> system_info.txt
uptime >> system_info.txt
# Running processes
ps aux > running_processes.txt
ps -ef >> running_processes.txt
# Network connections
netstat -tulpn > network_connections.txt
ss -tulpn >> network_connections.txt
# Open files
lsof > open_files.txt
# System users
who > logged_users.txt
last > login_history.txt
# Environment variables
env > environment_vars.txtNetwork Traffic Capture:
# Using tcpdump
tcpdump -i eth0 -w network_capture.pcap
# Using tshark
tshark -i eth0 -w network_capture.pcapng
# Continuous capture with rotation
tcpdump -i eth0 -w capture_%Y%m%d_%H%M%S.pcap -G 3600 -C 1004. Analysis Phase
File System Analysis:
# Mount forensic image read-only
sudo mount -o ro,loop evidence.img /mnt/forensics
# File system information with The Sleuth Kit
fsstat evidence.img
# List allocated and deleted files
fls -r evidence.img
# Timeline creation
fls -r -m / evidence.img > timeline.bodyfile
mactime -b timeline.bodyfile > timeline.txt
# File recovery
icat evidence.img 12345 > recovered_file.txtRegistry Analysis (Windows):
# Using regripper
rip.pl -r NTUSER.DAT -f ntuser
# Registry hive analysis
hivex-sh SYSTEM
hivex-sh SOFTWARE
hivex-sh SAM
# Registry timeline
regtime.pl SYSTEM > registry_timeline.txtLog Analysis:
# System logs analysis
grep -i "error\|fail\|deny" /var/log/syslog
journalctl --since "2024-01-01" --until "2024-01-31"
# Web server logs
awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr
grep "POST" /var/log/apache2/access.log | grep -v "200"
# Authentication logs
grep "Failed password" /var/log/auth.log
grep "Accepted publickey" /var/log/auth.logMemory Forensics
Volatility Framework
Basic Volatility Commands:
# Determine OS profile
volatility -f memory.dmp imageinfo
# List running processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist
volatility -f memory.dmp --profile=Win7SP1x64 pstree
# Network connections
volatility -f memory.dmp --profile=Win7SP1x64 netscan
volatility -f memory.dmp --profile=Win7SP1x64 connections
# Process memory dump
volatility -f memory.dmp --profile=Win7SP1x64 procdump -p 1234 -D output/
# Command line history
volatility -f memory.dmp --profile=Win7SP1x64 cmdscan
volatility -f memory.dmp --profile=Win7SP1x64 consolesAdvanced Memory Analysis:
# Registry analysis from memory
volatility -f memory.dmp --profile=Win7SP1x64 hivelist
volatility -f memory.dmp --profile=Win7SP1x64 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
# Malware detection
volatility -f memory.dmp --profile=Win7SP1x64 malfind
volatility -f memory.dmp --profile=Win7SP1x64 hollowfind
# Timeline analysis
volatility -f memory.dmp --profile=Win7SP1x64 timeliner --output=body > memory_timeline.txtVolatility 3 (Modern Framework)
Volatility 3 Usage:
# List available plugins
vol.py -h
# Windows analysis
vol.py -f memory.dmp windows.info
vol.py -f memory.dmp windows.pslist
vol.py -f memory.dmp windows.pstree
vol.py -f memory.dmp windows.netstat
# Linux analysis
vol.py -f memory.dmp linux.bash
vol.py -f memory.dmp linux.check_modules
vol.py -f memory.dmp linux.lsmodMobile Device Forensics
Android Forensics
ADB-based Collection:
# Enable developer options and USB debugging
# Connect device and verify connection
adb devices
# Create logical image
adb shell su -c "dd if=/dev/block/mmcblk0 of=/sdcard/full_image.dd"
adb pull /sdcard/full_image.dd
# Extract APK files
adb shell pm list packages
adb shell pm path com.package.name
adb pull /data/app/com.package.name/base.apk
# Collect system information
adb shell getprop > device_properties.txt
adb shell dumpsys > system_dump.txtAdvanced Android Analysis:
# Using JADX for APK analysis
jadx-gui suspicious.apk
# SQLite database analysis
sqlite3 contacts2.db
.tables
.schema contacts
SELECT * FROM contacts;
# Examine installed certificates
adb shell ls /system/etc/security/cacerts/iOS Forensics
iTunes Backup Analysis:
# Locate iTunes backups
# macOS: ~/Library/Application Support/MobileSync/Backup/
# Windows: %APPDATA%\Apple Computer\MobileSync\Backup\
# Using iphone-backup-tools
iphone_backup_decrypt backup_folder output_folder --password backup_password
# Analyze plist files
plutil -p Info.plist
plutil -convert xml1 binary.plistNetwork Forensics
Packet Analysis with Wireshark
Basic Wireshark Filters:
# HTTP traffic
http
# Specific IP address
ip.addr == 192.168.1.100
# TCP traffic on specific port
tcp.port == 80
# Suspicious activity
tcp.flags.reset == 1
dns.qry.name contains "malware"
http.request.method == "POST"Advanced Network Analysis:
# Extract HTTP objects
tshark -r capture.pcap --export-objects http,extracted_files/
# DNS analysis
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort | uniq
# Protocol hierarchy
tshark -r capture.pcap -q -z io,phs
# Conversation analysis
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z conv,ipNetwork Timeline Analysis
Creating Network Timelines:
# Convert pcap to timeline format
tshark -r capture.pcap -T fields -e frame.time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > network_timeline.csv
# Analyze temporal patterns
awk -F',' '{print $1}' network_timeline.csv | cut -d' ' -f1 | sort | uniq -cMalware Analysis
Static Analysis
File Analysis:
# File type identification
file suspicious_binary
hexdump -C suspicious_binary | head -20
# String extraction
strings suspicious_binary > extracted_strings.txt
strings -el suspicious_binary >> extracted_strings.txt
# Hash calculation
md5sum suspicious_binary
sha256sum suspicious_binary
# PE header analysis (Windows)
objdump -h suspicious_binary.exe
readelf -h suspicious_binaryMetadata Analysis:
# Using exiftool
exiftool suspicious_file.pdf
exiftool malware.exe
# Using binwalk for embedded files
binwalk suspicious_firmware.bin
binwalk -e suspicious_document.pdfDynamic Analysis
Sandbox Analysis:
# Using Cuckoo Sandbox
cuckoo submit malware.exe
cuckoo web
# Manual dynamic analysis setup
# Create isolated VM environment
# Configure network monitoring
# Take baseline snapshot
# Execute malware
# Monitor changesBehavioral Analysis:
# Process monitoring
ps aux | grep suspicious_process
strace -p PID > process_syscalls.txt
# Network monitoring during execution
tcpdump -i any -w malware_traffic.pcap &
./suspicious_binary
killall tcpdump
# File system monitoring
inotifywait -mr /home/analyst/analysis/ > file_changes.log &Digital Evidence Processing
Data Recovery
File Carving:
# Using foremost
foremost -i evidence.img -o recovered_files/
# Using scalpel
scalpel evidence.img -o recovered_data/
# Using photorec
photorec evidence.img
# Manual carving with dd
dd if=evidence.img of=carved_file.jpg bs=1 skip=12345678 count=987654Deleted File Recovery:
# Using extundelete for ext3/ext4
extundelete --restore-all /dev/sda1
# Using testdisk
testdisk evidence.img
# Using The Sleuth Kit
ils evidence.img | grep deleted
icat evidence.img inode_number > recovered_fileSteganography Detection
Image Steganography:
# Using steghide
steghide info suspicious_image.jpg
steghide extract -sf suspicious_image.jpg
# Using stegsolve
java -jar stegsolve.jar
# Using zsteg for PNG/BMP
zsteg suspicious_image.pngAdvanced Steganography Analysis:
# Statistical analysis
stegdetect *.jpg
# LSB analysis
python3 -c "
from PIL import Image
import numpy as np
img = Image.open('suspicious.png')
pixels = np.array(img)
lsb = pixels & 1
print(lsb)
"Forensic Reporting and Documentation
Report Structure
Executive Summary:
- Case overview
- Key findings
- Methodology used
- Conclusions and recommendations
Technical Analysis:
## Digital Evidence Analysis
### Case Information
- Case Number: CASE-2024-001
- Investigator: [Name]
- Date: [Date]
- Tools Used: Autopsy, Volatility, Wireshark
### Evidence Items
| Item | Description | Hash (SHA256) | Source |
|------|-------------|---------------|---------|
| E001 | Hard Drive | abc123... | Suspect Computer |
| E002 | Memory Dump | def456... | Server RAM |
### Findings
1. **Malware Infection**
- File: C:\Windows\System32\malware.exe
- First Seen: 2024-01-15 14:32:17 UTC
- Hash: xyz789...
2. **Data Exfiltration**
- Method: HTTP POST to attacker.com
- Data: customer_database.sql
- Time: 2024-01-15 15:45:23 UTCLegal Considerations
Chain of Custody Documentation:
- Who collected the evidence
- When it was collected
- Where it was stored
- How it was transported
- Who had access to it
Court Admissibility Requirements:
- Proper collection procedures
- Verified integrity (hashes)
- Documented methodology
- Expert testimony preparation
Specialized Forensic Techniques
Cloud Forensics
Cloud Evidence Collection:
# AWS forensics
aws logs describe-log-groups
aws ec2 describe-instances
aws cloudtrail lookup-events
# Azure forensics
az monitor activity-log list
az vm list
az storage account list
# Google Cloud forensics
gcloud logging logs list
gcloud compute instances listDatabase Forensics
Database Analysis:
# SQLite forensics
sqlite3 database.db
.schema
.tables
SELECT * FROM users WHERE deleted=1;
# MySQL forensics
mysqlbinlog mysql-bin.000001
mysqldump --all-databases > full_backup.sql
# PostgreSQL forensics
pg_dump database_name > database_dump.sqlCryptocurrency Forensics
Blockchain Analysis:
# Bitcoin transaction analysis
bitcoin-cli gettransaction txid
bitcoin-cli getblock blockhash
# Address clustering
# Use tools like Chainalysis or OXT
# Analyze transaction patterns
# Identify wallet clustersAutomation and Scripting
Python Forensic Scripts
File Analysis Script:
#!/usr/bin/env python3
import hashlib
import os
import magic
from datetime import datetime
def analyze_file(filepath):
"""Analyze a file and extract metadata"""
# File stats
stat = os.stat(filepath)
size = stat.st_size
created = datetime.fromtimestamp(stat.st_ctime)
modified = datetime.fromtimestamp(stat.st_mtime)
accessed = datetime.fromtimestamp(stat.st_atime)
# File type
file_type = magic.from_file(filepath)
# Hashes
with open(filepath, 'rb') as f:
content = f.read()
md5_hash = hashlib.md5(content).hexdigest()
sha256_hash = hashlib.sha256(content).hexdigest()
return {
'path': filepath,
'size': size,
'created': created,
'modified': modified,
'accessed': accessed,
'type': file_type,
'md5': md5_hash,
'sha256': sha256_hash
}
# Usage
if __name__ == "__main__":
import sys
if len(sys.argv) != 2:
print("Usage: python3 analyze.py <filepath>")
sys.exit(1)
result = analyze_file(sys.argv[1])
for key, value in result.items():
print(f"{key}: {value}")Log Analysis Script:
#!/usr/bin/env python3
import re
from collections import defaultdict
def analyze_access_log(log_file):
"""Analyze Apache access logs for suspicious activity"""
ip_counts = defaultdict(int)
status_codes = defaultdict(int)
suspicious_requests = []
with open(log_file, 'r') as f:
for line in f:
# Parse Apache log format
match = re.match(r'(\S+) - - \[(.*?)\] "(\S+) (\S+) (\S+)" (\d+) (\d+)', line)
if match:
ip, timestamp, method, url, protocol, status, size = match.groups()
ip_counts[ip] += 1
status_codes[status] += 1
# Detect suspicious patterns
if any(pattern in url.lower() for pattern in ['../../../', 'etc/passwd', 'cmd.exe']):
suspicious_requests.append((ip, timestamp, method, url))
# Report findings
print("Top IPs by request count:")
for ip, count in sorted(ip_counts.items(), key=lambda x: x[1], reverse=True)[:10]:
print(f" {ip}: {count}")
print("\nSuspicious requests:")
for request in suspicious_requests:
print(f" {request}")
# Usage
if __name__ == "__main__":
analyze_access_log('/var/log/apache2/access.log')Automated Evidence Processing
Batch Processing Script:
#!/bin/bash
EVIDENCE_DIR="$1"
OUTPUT_DIR="$2"
if [ $# -ne 2 ]; then
echo "Usage: $0 <evidence_directory> <output_directory>"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
# Process all disk images
for img in "$EVIDENCE_DIR"/*.{img,dd,raw}; do
if [ -f "$img" ]; then
echo "Processing $img..."
# Create timeline
fls -r -m / "$img" > "$OUTPUT_DIR/$(basename $img).bodyfile"
mactime -b "$OUTPUT_DIR/$(basename $img).bodyfile" > "$OUTPUT_DIR/$(basename $img).timeline"
# Extract files
mkdir -p "$OUTPUT_DIR/$(basename $img)_files"
tsk_recover "$img" "$OUTPUT_DIR/$(basename $img)_files"
# Generate hash list
find "$OUTPUT_DIR/$(basename $img)_files" -type f -exec md5sum {} \; > "$OUTPUT_DIR/$(basename $img).hashes"
fi
done
echo "Processing complete. Results in $OUTPUT_DIR"Tool Integration and Workflows
The Sleuth Kit + Autopsy
Command Line Workflow:
# Create Sleuth Kit case
tsk_createdb case.db
# Add evidence to database
tsk_loaddb case.db evidence.img
# Generate timeline
fls -r -m / evidence.img > timeline.bodyfile
mactime -b timeline.bodyfile > timeline.txt
# Search for specific files
ffind evidence.img -n "*.doc"
ffind evidence.img -n "password*"YARA Rules for Forensics
Custom YARA Rules:
rule Suspicious_PowerShell_Script
{
meta:
description = "Detects suspicious PowerShell scripts"
author = "Forensic Analyst"
date = "2024-01-01"
strings:
$a = "DownloadString" nocase
$b = "Invoke-Expression" nocase
$c = "IEX" nocase
$d = "base64" nocase
$e = "Hidden" nocase
condition:
2 of them
}
rule Potential_Credential_Theft
{
meta:
description = "Detects potential credential theft tools"
strings:
$a = "mimikatz"
$b = "sekurlsa::logonpasswords"
$c = "SAMDump"
$d = "hashdump"
condition:
any of them
}Best Practices and Standards
Forensic Best Practices
Collection Standards:
- Use write-blocking devices
- Create bit-for-bit copies
- Verify image integrity with hashes
- Document all procedures
- Maintain chain of custody
Analysis Standards:
- Use validated tools
- Work on copies, never originals
- Document all findings
- Peer review analysis
- Maintain reproducible methodology
Quality Assurance
Verification Procedures:
# Hash verification
sha256sum original_device > original.hash
sha256sum forensic_image.img > image.hash
diff original.hash image.hash
# Tool validation
# Test tools on known datasets
# Verify tool output accuracy
# Document tool versions usedConclusion
Digital forensics requires a methodical approach combining technical expertise with legal knowledge. Key principles for successful forensic investigations:
- Preparation: Have proper tools, training, and procedures
- Preservation: Maintain evidence integrity throughout the process
- Analysis: Use systematic approaches and validated tools
- Documentation: Maintain detailed records of all activities
- Presentation: Clearly communicate findings to stakeholders
Essential Skills for Digital Forensics:
- Understanding of computer systems and networks
- Knowledge of legal requirements and procedures
- Proficiency with forensic tools and techniques
- Attention to detail and analytical thinking
- Communication and reporting skills
Continuous Learning:
- Stay updated with new tools and techniques
- Practice on test datasets and CTF challenges
- Attend forensics conferences and training
- Obtain relevant certifications (GCFA, CCE, CFCE)
- Participate in forensics communities and forums
Remember that digital forensics is both a technical and legal discipline. Always ensure your methods meet legal standards and consult with legal counsel when necessary.
Disclaimer: This guide is for educational and authorized investigation purposes only. Digital forensics should only be performed by trained professionals with proper authorization. Always follow applicable laws and organizational policies when conducting forensic investigations.