Digital Forensics
Core Principles
Preserve → Acquire → Analyze → Report
Never work on original evidence — always work from a forensic copy.
Chain of Custody
A documented, unbroken record of who handled evidence, when, and how.
Required fields:
- Evidence ID / case number
- Description of evidence
- Date/time collected
- Collected by (name + signature)
- Location of collection
- Hash value of original
- All transfers (who → who, date/time, reason)
Legal Hold
Formal, legally mandated preservation of data relevant to litigation or investigation.
Prevents deletion, modification, or destruction of ESI (Electronically Stored Information).
Evidence Acquisition
# Forensic disk image (preserve original). conv=noerror,sync keeps copying past
# unreadable sectors and zero-fills them; note it also pads the last partial block up to bs
dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M conv=noerror,sync status=progress
# dcfldd hashes the data as it is read, so the source hash comes out of the same pass
dcfldd if=/dev/sda of=/mnt/evidence/image.dd hash=sha256 hashlog=/mnt/evidence/hash.txt
# Verify integrity: the image hash must match the hash of the source (taken through a
# write blocker); record both in the chain of custody and re-check before every hand-off
sha256sum /mnt/evidence/image.dd > /mnt/evidence/image.dd.sha256
md5sum /mnt/evidence/image.dd > /mnt/evidence/image.dd.md5    # legacy tooling only, never on its own
# Mount read-only (never write to evidence). noexec: nothing on the image can execute;
# noload: ext3/ext4 will not replay the journal (ro alone does not prevent that write).
# A full-disk image needs the partition's byte offset: START_SECTOR comes from `fdisk -l image.dd`
mount -o ro,noexec,noload,loop,offset=$((START_SECTOR*512)) /mnt/evidence/image.dd /mnt/image
Preservation Techniques
| Technique | Purpose |
|---|---|
| Write blockers | Hardware (preferred) or software layer that blocks every write to the original media, including the ones the OS makes on its own (journal replay, last-access timestamps) |
| Hashing (SHA-256; MD5 only alongside it) | Verify evidence integrity at every stage; MD5 collisions are practical, so it no longer proves integrity on its own |
| Secure storage | Physically controlled environment with access logging |
| Legal compliance | Follow jurisdiction-specific rules of evidence |
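The acquire, hash, verify and custody steps above as one script, exercised on a regular file standing in for a device. This is an added example, not from the original page; the function names, the tab-separated custody log format and the mount point /mnt/image are assumptions. It also makes visible a gotcha the bare dd line hides: conv=noerror,sync pads the final partial block up to bs, so the image can be larger than the source and a whole-file hash comparison fails even though the copy is correct. The fix is to compare over the source's length and to record the hash of the image file as stored, since that is what every later handler re-verifies.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): acquire, hash, verify, record.
# Assumptions: function names, the tab-separated custody log format and the
# mount point /mnt/image are ours; SOURCE may be a regular file standing in for a device.

# Size in bytes of a block device or a regular file.
evidence_size() {
  if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Usage: acquire_verify SOURCE IMAGE CUSTODY_LOG
# Returns 0 when the image matches the source byte-for-byte over the source's length.
acquire_verify() {
  local src="$1" img="$2" log="$3"
  local size src_hash img_hash stored_hash

  size=$(evidence_size "$src") || return 2

  # conv=noerror,sync keeps copying past unreadable sectors and zero-fills them,
  # but it also pads the final partial block up to bs, so the image can be larger
  # than the source. Compare hashes over the source's length, not the file size.
  dd if="$src" of="$img" bs=4M conv=noerror,sync status=none || return 2

  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  img_hash=$(head -c "$size" "$img" | sha256sum | cut -d' ' -f1)

  # Hash of the image file as stored on disk: this is the value later handlers
  # re-verify, so it is what goes into the custody record.
  sha256sum "$img" > "$img.sha256"
  stored_hash=$(cut -d' ' -f1 "$img.sha256")

  printf '%s\tacquired\tsource=%s\timage=%s\tsource_sha256=%s\timage_sha256=%s\n' \
    "$(date -u +%FT%TZ)" "$src" "$img" "$src_hash" "$stored_hash" >> "$log"

  [ "$src_hash" = "$img_hash" ]
}

# Usage: reverify IMAGE CUSTODY_LOG WHO REASON
# Re-hash the image before every transfer or analysis session and log the outcome.
# Returns non-zero (and logs MISMATCH) if the image no longer matches its recorded hash.
reverify() {
  local img="$1" log="$2" who="$3" reason="$4" result
  if sha256sum -c --status "$img.sha256"; then result=ok; else result=MISMATCH; fi
  printf '%s\tverified\timage=%s\tby=%s\treason=%s\tresult=%s\n' \
    "$(date -u +%FT%TZ)" "$img" "$who" "$reason" "$result" >> "$log"
  [ "$result" = ok ]
}

# Usage: mount_image_ro IMAGE [PARTITION_NUMBER] [MOUNTPOINT]   (needs root; not run here)
# -r makes the loop device itself read-only, -P exposes partitions as ${loop}p1, p2, ...
# noload stops ext3/ext4 journal replay, which would otherwise alter the image even
# under ro (drop it for NTFS/FAT); noexec keeps evidence binaries from running.
mount_image_ro() {
  local img="$1" part="${2:-1}" mnt="${3:-/mnt/image}" loop
  loop=$(losetup --find --show -r -P "$img") || return 1
  mount -o ro,noexec,noload "${loop}p${part}" "$mnt"
}
```

Run acquire_verify once at collection and reverify at every hand-off; the custody log then carries the hash history the chain-of-custody form asks for, with who, when and why on each line.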
E-Discovery
Collection and preservation of ESI as evidence in legal proceedings.
Covers:
- Emails and attachments
- Documents, spreadsheets
- Databases
- SMS / MMS / instant messages
- Cloud storage, backups
- Log files
Memory Forensics (Volatility)
# Identify profile (Volatility 2; run kdbgscan when imageinfo lists several candidates)
volatility -f memory.dmp imageinfo
# Volatility 3 needs no --profile; plugins are namespaced instead
# (windows.info, windows.pslist, windows.pstree, windows.netscan, windows.malfind)
# Running processes (pstree exposes odd parentage, e.g. cmd.exe spawned by a service;
# compare pslist with psscan to find unlinked processes)
volatility -f memory.dmp --profile=Win7SP1x64 pslist
volatility -f memory.dmp --profile=Win7SP1x64 pstree
# Network connections (netscan is for Vista and later; connscan/sockets on XP/2003)
volatility -f memory.dmp --profile=Win7SP1x64 netscan
# Command history typed into cmd.exe console buffers
volatility -f memory.dmp --profile=Win7SP1x64 cmdscan
# Find injected code: private RWX regions, hits need triage against known-good software
volatility -f memory.dmp --profile=Win7SP1x64 malfind
# Dump a process executable (memdump -p PID dumps its whole address space instead)
volatility -f memory.dmp --profile=Win7SP1x64 procdump -p PID -D /output/
File Carving
# Recover files from an image by header/footer signature, ignoring the filesystem
# (-t jpg,png,pdf restricts types; audit.txt in the output dir lists the offset and size of each hit)
foremost -i image.dd -o /output/
photorec /d /output image.dd
# Strings from binary (-t d prints the decimal offset of each hit for later extraction with dd;
# add -e l for UTF-16LE, which is how most strings in Windows images are stored)
strings -n 8 -t d image.dd | grep -iE 'password|http|login'
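What foremost and photorec do, done by hand with grep and dd so the mechanism is visible: find every header signature, take the first matching footer within a size window, cut out the bytes in between. This is an added example, not from the page or from the foremost/photorec projects; the signature table, the 20 MiB window and the output naming TYPE-OFFSET.TYPE are assumptions. The script runs in the C locale so that grep and ${#var} operate on raw bytes rather than UTF-8 characters.

```bash
#!/usr/bin/env bash
# Added example (not from the original page or the foremost/photorec projects):
# header/footer carving by hand. The signature table, the MAX window and the
# output naming TYPE-OFFSET.TYPE are assumptions.
export LC_ALL=C   # grep and ${#var} must work on raw bytes, not UTF-8 characters

# Usage: find_sig FILE|- BYTES   -> one byte offset per line, every occurrence
# -a treats the image as text, -b prints byte offsets, -o prints each match
# on its own (so -b gives the match's own offset), -F matches the bytes literally.
find_sig() {
  grep -obaF -- "$2" "$1" | cut -d: -f1
}

# Usage: carve_type IMAGE OUTDIR TYPE HEADER FOOTER MAX
# For each header, take the first footer within MAX bytes and write header..footer
# to OUTDIR/TYPE-OFFSET.TYPE; prints "TYPE OFFSET LENGTH" for each carved file.
carve_type() {
  local img="$1" out="$2" type="$3" hdr="$4" ftr="$5" max="$6" off rel len
  for off in $(find_sig "$img" "$hdr"); do
    # search for the footer only in the window that starts at this header
    rel=$(tail -c +"$((off + 1))" "$img" | head -c "$max" | find_sig - "$ftr" | head -n 1)
    [ -n "$rel" ] || continue            # header with no footer in range: skip it
    len=$((rel + ${#ftr}))
    # iflag=skip_bytes,count_bytes lets dd take byte offsets while keeping a large bs
    dd if="$img" of="$out/$type-$off.$type" bs=4M skip="$off" count="$len" \
       iflag=skip_bytes,count_bytes status=none
    echo "$type $off $len"
  done
  return 0
}

# Usage: carve_all IMAGE OUTDIR   (signature table: JPEG and PNG)
# The PNG header is only the first 4 of its 8 signature bytes because grep -F
# treats the \n inside the full signature as a pattern separator.
carve_all() {
  mkdir -p "$2"
  carve_type "$1" "$2" jpg "$(printf '\xff\xd8\xff')" "$(printf '\xff\xd9')"       $((20 * 1024 * 1024))
  carve_type "$1" "$2" png "$(printf '\x89PNG')"      "$(printf 'IEND\xaeB`\x82')" $((20 * 1024 * 1024))
}
```

The first-footer rule is the same shortcut the generic carvers take, and it has the same failure modes: a JPEG with an EXIF thumbnail contains a second, earlier FF D9 and gets truncated, and a PDF with incremental updates has several %%EOF markers. Tools like foremost special-case those formats; when carving by hand, validate the output (open it, or check it with file) before relying on it.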
Investigation Data Sources
| Source | Value |
|---|---|
| Firewall logs | Allowed and denied connections with source, destination, port and time; first place to spot beaconing and lateral movement |
| IDS/IPS logs | Intrusion attempts, signatures triggered, action taken (alert vs. block) |
| Endpoint logs | User logons, process execution, file and registry changes |
| Application logs | Application errors, authentication events, data access |
| Network logs | Traffic patterns, connections, DNS queries (NetFlow, proxy, DNS server logs) |
| SIEM dashboard | Correlated view across all sources, with normalized timestamps |
| Packet captures | Full payload analysis of network communication |
| Metadata | Origin, timestamps, interactions; used to reconstruct timelines |
Reporting
Documents must include:
- Methods used
- Tools and versions
- Findings and conclusions
- Chain of custody record
- Hash verification results
- Timeline of events