DFIR - Digital Forensics and Incident Response¶
When you need to figure out what happened after the breach , or solve that CTF forensics challenge
Table of Contents¶
Getting Started with DFIR¶
- What is DFIR
- DFIR vs CTF Forensics
- Essential Mindset
- Investigation Methodology
- Evidence Handling Rules
Memory Forensics¶
- Memory Acquisition
- Volatility Framework
- Process Analysis
- Network Connections in Memory
- Memory Strings and Patterns
- Malware in Memory
Disk Forensics¶
- Disk Image Acquisition
- File System Analysis
- Deleted File Recovery
- File Carving
- Timeline Analysis
- MFT Analysis
Windows Forensics¶
Linux Forensics¶
Network Forensics¶
Malware Analysis Basics¶
Tools and Automation¶
Advanced Topics¶
- Advanced Memory Forensics
- Windows Forensics Deep Dive
- Linux Forensics Advanced
- Network Forensics Advanced
- Malware Analysis Advanced
- Mobile Forensics
- Cloud Forensics
- Anti-Forensics and Counter-Measures
CTF and Real-World¶
- Forensics Automation
- CTF Forensics Challenges
- Real-World Incident Response
- Forensics Report Writing
- Forensics Lab Setup
Data Analysis¶
CTF-Specific Techniques¶
Essential Tools¶
What is DFIR¶
Digital Forensics and Incident Response is what happens when shit hits the fan
Real World DFIR Company gets breached , you investigate what happened , figure out how they got in , what they stole , and how to prevent it next time
CTF DFIR Someone gives you evidence files , you analyze them , find hidden flags , solve challenges , and learn forensics techniques
Both use the same tools and techniques , but CTF is more puzzle-solving while real DFIR has legal consequences
Why Learn DFIR
Incident response jobs pay well , CTF forensics challenges are fun , understanding attacks makes you better at defense , and forensics skills apply to malware analysis , penetration testing , and security research
What You'll Learn Here
This guide focuses on practical CTF-ready skills with real commands , actual tools , working examples , and techniques that solve challenges
Cross-references to other guides: - Linux Basics for understanding Linux systems - Windows Basics for Windows internals - Networking Basics for protocol analysis - Cryptography for encrypted evidence
DFIR vs CTF Forensics¶
Real DFIR Investigation
Evidence must be legally admissible , chain of custody is critical , you work with lawyers , documentation is mandatory , and mistakes can ruin court cases
CTF Forensics
Find the flag as fast as possible , no legal requirements , documentation optional , creative solutions encouraged , and you can break stuff
Skills Transfer
CTF teaches you tool usage , pattern recognition , quick analysis , and creative problem solving
Real DFIR teaches you methodology , proper documentation , evidence handling , and legal awareness
Both make you better at the other
This Guide's Focus
We focus on CTF-ready skills that also apply to real investigations , teach proper methodology but prioritize speed , show quick wins before deep analysis , and explain why techniques work
Essential Mindset¶
Think Like an Attacker
Attackers leave traces everywhere , they try to hide but always leave evidence , understanding attack patterns helps find artifacts , and MITRE ATT&CK framework maps attacker techniques
Think Like a Detective
Evidence tells a story , timeline matters , correlation is key , and one artifact rarely tells everything
Think Like a CTF Player
Flags are hidden in predictable places , common patterns repeat , tools automate tedious work , and speed matters but accuracy matters more
Common Mistakes
Jumping to conclusions without evidence , ignoring timestamps , not correlating across sources , forgetting to document findings , and running tools without understanding output
The Right Approach
Start with quick triage , identify obvious indicators , build timeline , correlate findings , verify with multiple sources , and document everything
Investigation Methodology¶
Phase 1: Preparation
Know your tools before the challenge starts , have analysis environment ready , understand common file formats , and practice on sample data
# Forensics workstation checklist
- Volatility installed
- Autopsy/Sleuth Kit ready
- Wireshark configured
- Hex editors available
- Python with forensics libraries
- Enough disk space for images
Phase 2: Identification
What evidence do you have , what format is it , what's the priority , and what are you looking for
# First commands on any evidence
file evidence.bin
ls -lah
md5sum evidence.bin
strings evidence.bin | head -100
Phase 3: Collection
In CTF you're given evidence , in real world you acquire it , but either way verify integrity with hashes and work on copies never originals
Phase 4: Analysis
This is where you spend most time , use appropriate tools for evidence type , look for quick wins first , then do deep analysis
Phase 5: Documentation
Keep notes as you work , record commands you run , document findings , and save output
# Log everything
script investigation.log
# Now all commands are logged
Phase 6: Reporting
In CTF submit the flag , in real world write detailed report , but both require clear explanation of findings
Evidence Handling Rules¶
Rule 1: Never Touch Originals
Always work on copies , verify copies with hashes , keep originals pristine
# Create working copy
cp evidence.img evidence_work.img
md5sum evidence.img > evidence.img.md5
md5sum evidence_work.img > evidence_work.img.md5
diff evidence.img.md5 evidence_work.img.md5 # Should match
Rule 2: Hash Everything
Hashes prove integrity , calculate before analysis , calculate after analysis , hashes should match
# Multiple hash algorithms
md5sum file
sha1sum file
sha256sum file
# Hash entire directory
find . -type f -exec sha256sum {} \; > hashes.txt
Rule 3: Document Everything
You will forget what you did , notes save time later , commands should be reproducible
# Investigation Notes Template
## Evidence: memory.dmp
## Hash: abc123...
## Tool: Volatility 3
## Commands:
- vol3 -f memory.dmp windows.pslist
- vol3 -f memory.dmp windows.netscan
## Findings:
- Suspicious process: evil.exe (PID 1337)
- Network connection to 10.10.10.10:4444
Rule 4: Understand Your Tools
Don't just run commands blindly , understand what tools do , read tool output carefully , and verify findings
Rule 5: Think Before You Act
Volatile data disappears fast , prioritize correctly , don't contaminate evidence , and one wrong command can destroy evidence
Memory Acquisition¶
Memory contains running processes , network connections , encryption keys , passwords in plaintext , and evidence that's not on disk
Why Memory Matters
Malware runs in memory , some malware never touches disk , memory shows current system state , and you can extract running process code
Acquisition Tools
Windows Memory Acquisition
# DumpIt (easiest)
DumpIt.exe
# Creates memory dump automatically
# WinPMEM
winpmem_mini_x64_rc2.exe memory.raw
# FTK Imager
# GUI tool, File > Capture Memory
Linux Memory Acquisition
# LiME (Linux Memory Extractor)
insmod lime.ko "path=/tmp/memory.lime format=lime"
# Or using dd (less reliable)
dd if=/dev/mem of=memory.dd bs=1M
# Note: /dev/mem often restricted
Memory Dump Formats
Raw format is just memory bytes , crash dump is Windows-specific , hibernation file is compressed memory , and each format needs different tools
Quick Memory Triage
# Before deep analysis, quick checks
strings memory.raw | grep -i "password"
strings memory.raw | grep -i "http://"
strings memory.raw | grep -E "flag\{.*\}"
strings memory.raw | grep -i "admin"
Volatility Framework¶
Volatility is the memory forensics tool , supports Windows Linux and Mac , extracts processes files network connections , and is essential for CTF memory challenges
Volatility 2 vs 3
Volatility 2 is older but more plugins , Volatility 3 is newer faster cleaner , both are used in CTFs , and syntax is different
Installation
# Volatility 3 (recommended)
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
python3 vol.py -h
# Volatility 2 (legacy)
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python2 vol.py -h
Profile Detection
Volatility needs to know OS version
# Volatility 3 (auto-detects)
python3 vol.py -f memory.raw windows.info
# Volatility 2 (manual)
python2 vol.py -f memory.raw imageinfo
# Use suggested profile
python2 vol.py -f memory.raw --profile=Win7SP1x64 pslist
Essential Volatility Commands
# Process list
vol3 -f memory.raw windows.pslist
# Process tree (shows parent-child)
vol3 -f memory.raw windows.pstree
# Network connections
vol3 -f memory.raw windows.netscan
# Command line arguments
vol3 -f memory.raw windows.cmdline
# DLLs loaded by process
vol3 -f memory.raw windows.dlllist --pid 1234
# Dump process executable
vol3 -f memory.raw windows.pslist --pid 1234 --dump
# Scan for files
vol3 -f memory.raw windows.filescan
# Dump specific file
vol3 -f memory.raw windows.dumpfiles --virtaddr 0x12345678
# Registry hives
vol3 -f memory.raw windows.registry.hivelist
# Registry keys
vol3 -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
CTF Memory Challenge Workflow
# 1. Identify OS
vol3 -f memory.raw windows.info
# 2. List processes (look for suspicious)
vol3 -f memory.raw windows.pslist
# 3. Check network (look for C2)
vol3 -f memory.raw windows.netscan
# 4. Check command lines (often has flags)
vol3 -f memory.raw windows.cmdline
# 5. Dump suspicious process
vol3 -f memory.raw windows.memmap --pid SUSPICIOUS_PID --dump
# 6. Strings on dumped memory
strings pid.SUSPICIOUS_PID.dmp | grep -i flag
Process Analysis¶
Processes are running programs , each has PID , parent process , command line , and loaded DLLs
What to Look For
Processes running from temp directories , processes with no parent , misspelled system processes , processes with suspicious network connections , and processes with encoded command lines
Suspicious Process Indicators
# Volatility process list
vol3 -f memory.raw windows.pslist
# Look for:
# - Weird names (svchost.exe vs svch0st.exe)
# - Unusual paths (C:\Temp\svchost.exe)
# - No parent process (PPID = 0 or 4)
# - Suspicious user (SYSTEM running notepad.exe)
Process Command Lines
Command lines often contain flags or clues
vol3 -f memory.raw windows.cmdline
# Example suspicious commands:
# powershell.exe -enc BASE64_HERE
# cmd.exe /c "echo flag{...} > file.txt"
# python.exe -c "import base64; ..."
Process Memory Dump
# Dump entire process memory
vol3 -f memory.raw windows.memmap --pid 1234 --dump
# Then analyze dump
strings pid.1234.dmp | grep -i password
strings pid.1234.dmp | grep -E "flag\{.*\}"
Injected Code Detection
Malware often injects code into legitimate processes
# Check for code injection
vol3 -f memory.raw windows.malfind
# Dump suspicious sections
vol3 -f memory.raw windows.malfind --dump
Network Connections in Memory¶
Memory shows active and recent network connections , source and destination IPs , ports , and associated processes
Network Scan
# Volatility 3
vol3 -f memory.raw windows.netscan
# Output shows:
# - Local address and port
# - Remote address and port
# - Process ID
# - Process name
# - Connection state
What to Look For
Connections to suspicious IPs , unusual ports (not 80 443 53) , processes that shouldn't have network , and connections to known C2 servers
Example Analysis
# Find all connections
vol3 -f memory.raw windows.netscan > connections.txt
# Filter suspicious
grep -v "0.0.0.0" connections.txt | grep -v "127.0.0.1"
# Check specific process connections
vol3 -f memory.raw windows.netscan | grep "evil.exe"
DNS Cache
Sometimes DNS queries are in memory
# Extract DNS cache (if available)
strings memory.raw | grep -E "([a-z0-9-]+\.)+[a-z]{2,}"
Memory Strings and Patterns¶
Strings in memory reveal passwords , URLs , commands , file paths , and flags
Basic String Extraction
# Extract all strings
strings memory.raw > memory_strings.txt
# ASCII strings only (faster)
strings -a memory.raw > ascii_strings.txt
# Unicode strings
strings -el memory.raw > unicode_strings.txt
# Minimum length 10
strings -n 10 memory.raw > long_strings.txt
Pattern Searching
# Find flags
grep -E "flag\{[^\}]+\}" memory_strings.txt
# Find URLs
grep -E "https?://[^\s]+" memory_strings.txt
# Find IPs
grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" memory_strings.txt
# Find emails
grep -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" memory_strings.txt
# Find passwords (common patterns)
grep -i "password" memory_strings.txt
grep -i "pass=" memory_strings.txt
Encoded Data
# Base64 encoded data
grep -E "[A-Za-z0-9+/]{20,}={0,2}" memory_strings.txt
# Hex encoded
grep -E "([0-9a-fA-F]{2}){10,}" memory_strings.txt
Malware in Memory¶
Malware analysis from memory dumps
Identifying Malware
Unsigned processes , packed executables , code injection , hidden processes , and rootkit behavior
Malware Scan
# Volatility malfind (detects injected code)
vol3 -f memory.raw windows.malfind
# Dump suspicious sections
vol3 -f memory.raw windows.malfind --dump
# Scan with YARA rules
vol3 -f memory.raw windows.vadyarascan --yara-file malware_rules.yar
Extract Malware
# Dump process executable
vol3 -f memory.raw windows.pslist --pid 1337 --dump
# Dump all DLLs
vol3 -f memory.raw windows.dlllist --pid 1337 --dump
# Dump specific memory region
vol3 -f memory.raw windows.memmap --pid 1337 --dump
Quick Malware Analysis
# Check file type
file dumped.exe
# Calculate hash
sha256sum dumped.exe
# Check VirusTotal
# (in CTF, malware is usually custom)
# Strings analysis
strings dumped.exe | less
# Check for packing
entropy dumped.exe
# High entropy (>7.0) = likely packed/encrypted
Disk Image Acquisition¶
Disk images are bit-for-bit copies of storage devices
Why Disk Images
Preserve entire disk including deleted files , maintain file system metadata , enable offline analysis , and allow multiple analysts to work on copies
Acquisition Tools
# dd (Linux standard)
dd if=/dev/sda of=disk.img bs=4M status=progress
# dc3dd (forensic dd with hashing)
dc3dd if=/dev/sda of=disk.img hash=md5 hash=sha256 log=acquisition.log
# FTK Imager (Windows GUI)
# File > Create Disk Image
# Guymager (Linux GUI)
# Select drive > Right-click > Acquire image
Image Formats
Raw (.img .dd .raw) is bit-for-bit copy , E01 (.E01) is EnCase format with compression , AFF (.aff) is Advanced Forensic Format , and each has pros and cons
Verify Acquisition
# Hash original
md5sum /dev/sda > original.md5
# Hash image
md5sum disk.img > image.md5
# Compare
diff original.md5 image.md5
# Should be identical
Mount Image Read-Only
# Mount raw image
mkdir /mnt/evidence
mount -o ro,loop disk.img /mnt/evidence
# Mount E01 image (needs ewfmount)
ewfmount disk.E01 /mnt/ewf
mount -o ro,loop /mnt/ewf/ewf1 /mnt/evidence
# Unmount
umount /mnt/evidence
File System Analysis¶
File systems store files and metadata , different OS use different file systems , and understanding structure helps find evidence
Common File Systems
NTFS (Windows) , FAT32 (USB drives old Windows) , ext4 (Linux) , HFS+ / APFS (Mac) , and each stores metadata differently
File System Tools
# Sleuth Kit (TSK) - universal tool
fsstat disk.img # File system info
fls disk.img # List files
icat disk.img 123 # Extract file by inode
ils disk.img # List inodes
Autopsy
GUI for Sleuth Kit , easier for beginners , good for CTF , and automates common tasks
# Install Autopsy
sudo apt install autopsy
# Run Autopsy
autopsy
# Open browser to http://localhost:9999/autopsy
File Listing
# List all files recursively
fls -r disk.img
# List deleted files
fls -rd disk.img
# List files with timestamps
fls -m / disk.img > timeline.csv
File Extraction
# Extract by path
icat disk.img /path/to/file > extracted_file
# Extract deleted file by inode
icat disk.img 1234 > recovered_file
# Extract all files
tsk_recover disk.img /output/directory
Deleted File Recovery¶
Deleted files aren't really deleted , file system marks space as available , but data remains until overwritten
How Deletion Works
File system removes directory entry , marks clusters as free , but data stays on disk until overwritten
Recovery Tools
# Sleuth Kit
fls -rd disk.img # List deleted files
icat disk.img INODE > file # Recover by inode
# Foremost (file carving)
foremost -i disk.img -o recovered/
# PhotoRec
photorec disk.img
# Scalpel (configured carving)
scalpel disk.img -o output/
Manual Recovery
# Find deleted file signatures
xxd disk.img | grep "flag{"
# Extract specific offset
dd if=disk.img of=recovered.txt bs=1 skip=OFFSET count=SIZE
File Carving¶
File carving recovers files based on headers and footers , works even when file system is damaged , and finds files in unallocated space
How Carving Works
Scan for file signatures (magic bytes) , extract data between header and footer , and validate recovered file
Common File Signatures
PNG: 89 50 4E 47 0D 0A 1A 0A
JPEG: FF D8 FF
PDF: 25 50 44 46
ZIP: 50 4B 03 04
GIF: 47 49 46 38
Carving Tools
# Foremost (automatic)
foremost -i disk.img -o carved/
# Recovers: jpg, gif, png, pdf, doc, zip, etc.
# Scalpel (configurable)
# Edit /etc/scalpel/scalpel.conf
scalpel disk.img -o output/
# Binwalk (embedded files)
binwalk -e firmware.bin
Manual Carving
# Find PNG header
xxd disk.img | grep "8950 4e47"
# Extract from offset
dd if=disk.img of=image.png bs=1 skip=OFFSET count=SIZE
# Or use Python
python3 << EOF
with open('disk.img', 'rb') as f:
f.seek(OFFSET)
data = f.read(SIZE)
with open('carved.png', 'wb') as out:
out.write(data)
EOF
Timeline Analysis¶
Timeline shows when events happened , correlates activity across sources , and reveals attack progression
Timeline Sources
File system timestamps (created modified accessed) , log file entries , registry modifications , browser history , and email timestamps
Creating Timeline
# Sleuth Kit timeline
fls -m / -r disk.img > timeline_body.txt
mactime -b timeline_body.txt -d > timeline.csv
# Sort by time
sort -t',' -k2 timeline.csv > sorted_timeline.csv
# Filter by date range
awk -F',' '$2 >= "2024-01-01" && $2 <= "2024-01-31"' timeline.csv
Timeline Analysis
Look for time gaps (attacker deleted logs) , unusual activity hours (3 AM file access) , rapid file creation (malware deployment) , and correlated events (login then file access)
Plaso / Log2Timeline
# Create super timeline
log2timeline.py timeline.plaso disk.img
# Export to CSV
psort.py -o l2tcsv -w timeline.csv timeline.plaso
# Filter and analyze
psort.py timeline.plaso "date > '2024-01-01'"
MFT Analysis¶
Master File Table (NTFS) stores file metadata , every file has MFT entry , and MFT reveals deleted files and timestamps
What MFT Contains
File name , file size , timestamps (MACB) , file location on disk , and file attributes
MFT Extraction
# Extract MFT
icat disk.img 0 > $MFT
# Parse MFT
analyzeMFT.py -f $MFT -o mft.csv
# Or use MFTECmd (Eric Zimmerman)
MFTECmd.exe -f $MFT --csv output/
MFT Analysis
# Find specific file
grep "suspicious.exe" mft.csv
# Find files in directory
grep "C:\\Temp\\" mft.csv
# Find recently created files
sort -t',' -k9 mft.csv | tail -100
# Find large files
awk -F',' '$8 > 10000000' mft.csv
Timestomp Detection
Timestomping modifies file timestamps , but MFT has multiple timestamp fields , and inconsistencies reveal tampering
# Check for timestamp anomalies
# Created time > Modified time = suspicious
# All timestamps identical = suspicious
Windows Registry¶
Registry stores Windows configuration , user settings , installed software , and persistence mechanisms
Registry Hives
HKEY_LOCAL_MACHINE\SAM - User accounts
HKEY_LOCAL_MACHINE\SECURITY - Security policies
HKEY_LOCAL_MACHINE\SOFTWARE - Installed software
HKEY_LOCAL_MACHINE\SYSTEM - System configuration
HKEY_CURRENT_USER\Software - User software settings
NTUSER.DAT - User profile
Registry Locations
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
C:\Users\USERNAME\NTUSER.DAT
Registry Analysis Tools
# RegRipper (automated parsing)
rip.pl -r SOFTWARE -p software
# Registry Explorer (Eric Zimmerman)
RegistryExplorer.exe
# Volatility (from memory)
vol3 -f memory.raw windows.registry.hivelist
vol3 -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
Important Registry Keys
Autorun / Persistence
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
SYSTEM\CurrentControlSet\Services
Recently Used
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
USB Devices
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\MountedDevices
Network
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
Windows Event Logs¶
Event logs record system events , security events , application events , and provide investigation timeline
Event Log Locations
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\System32\winevt\Logs\Application.evtx
Important Event IDs
Security Events
4624 - Successful logon
4625 - Failed logon
4672 - Admin logon
4688 - Process creation
4689 - Process termination
4720 - User account created
4726 - User account deleted
4732 - User added to group
System Events
7045 - Service installed
1074 - System shutdown
6005 - Event log service started
6006 - Event log service stopped
Event Log Analysis
# Windows (PowerShell)
Get-WinEvent -Path Security.evtx | Where-Object {$_.Id -eq 4624}
# Linux (python-evtx)
evtx_dump.py Security.evtx > security.xml
grep "EventID>4624" security.xml
# EvtxECmd (Eric Zimmerman)
EvtxECmd.exe -f Security.evtx --csv output/
Timeline from Logs
# Extract all events with timestamps
evtx_dump.py Security.evtx | grep TimeCreated > timeline.txt
# Filter by date
grep "2024-01-15" timeline.txt
Prefetch Files¶
Prefetch files show program execution history on Windows
What Prefetch Contains
Program name , execution count , last execution time , files accessed by program , and directories accessed
Prefetch Location
C:\Windows\Prefetch\*.pf
Prefetch Analysis
# PECmd (Eric Zimmerman)
PECmd.exe -f PROGRAM.EXE-HASH.pf
# Parse all prefetch
PECmd.exe -d C:\Windows\Prefetch --csv output/
# WinPrefetchView (GUI)
WinPrefetchView.exe /stext prefetch.txt
What to Look For
Malware execution (evil.exe.pf) , execution from temp directories , execution count (how many times) , and last run time
LNK Files¶
LNK files are Windows shortcuts , contain metadata about target file , and reveal user activity
What LNK Contains
Target file path , creation time , modification time , access time , file size , and MAC address of creating system
LNK Locations
C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Recent\
C:\Users\USERNAME\Desktop\
LNK Analysis
# LECmd (Eric Zimmerman)
LECmd.exe -f file.lnk
# Parse all LNK files
LECmd.exe -d C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Recent --csv output/
# Exiftool
exiftool file.lnk
What to Look For
Recently accessed files , files on external drives , files on network shares , and deleted file references
Browser Artifacts¶
Browsers store history , cookies , cache , downloads , and form data
Browser Data Locations
Chrome
C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Cookies
C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Cache
Firefox
C:\Users\USERNAME\AppData\Roaming\Mozilla\Firefox\Profiles\PROFILE\places.sqlite
C:\Users\USERNAME\AppData\Roaming\Mozilla\Firefox\Profiles\PROFILE\cookies.sqlite
Browser Analysis
# History (SQLite database)
sqlite3 History "SELECT url, title, visit_count, datetime(last_visit_time/1000000-11644473600,'unixepoch') FROM urls ORDER BY last_visit_time DESC LIMIT 100;"
# Cookies
sqlite3 Cookies "SELECT host_key, name, value, datetime(creation_utc/1000000-11644473600,'unixepoch') FROM cookies;"
# Downloads
sqlite3 History "SELECT target_path, start_time, end_time FROM downloads;"
Hindsight (Automated)
# Hindsight analyzes Chrome/Chromium
hindsight.py -i "Chrome User Data" -o output/
Windows Persistence¶
Attackers establish persistence to survive reboots
Common Persistence Locations
Registry Run Keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Startup Folder
C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Scheduled Tasks
C:\Windows\System32\Tasks\
C:\Windows\Tasks\
Services
HKLM\SYSTEM\CurrentControlSet\Services
WMI Event Subscriptions
# Check with PowerShell
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Persistence Detection
# Autoruns (Sysinternals)
autorunsc.exe -a * -c > autoruns.csv
# Check scheduled tasks
schtasks /query /fo LIST /v > tasks.txt
# Check services
sc query > services.txt
Linux Logs¶
Linux logs everything , logs are in /var/log/ , and different services have different logs
Important Log Files
/var/log/auth.log # Authentication (Debian/Ubuntu)
/var/log/secure # Authentication (RHEL/CentOS)
/var/log/syslog # System messages
/var/log/messages # General messages
/var/log/kern.log # Kernel messages
/var/log/apache2/access.log # Web server
/var/log/nginx/access.log # Nginx
/var/log/mysql/error.log # MySQL
Log Analysis
# Recent logins
last -f /var/log/wtmp
# Failed login attempts
grep "Failed password" /var/log/auth.log
# Sudo usage
grep "sudo" /var/log/auth.log
# SSH logins
grep "sshd" /var/log/auth.log | grep "Accepted"
# User additions
grep "useradd" /var/log/auth.log
Timeline from Logs
# Combine all logs with timestamps
cat /var/log/syslog /var/log/auth.log | sort -k1,2 > combined.log
# Filter by date
grep "Jan 15" combined.log
# Filter by time range
awk '$3 >= "10:00:00" && $3 <= "11:00:00"' combined.log
Bash History¶
Bash history shows commands users executed
History Location
~/.bash_history
~/.zsh_history
~/.history
History Analysis
# View history
cat ~/.bash_history
# Look for suspicious commands
grep -E "wget|curl|nc|bash|python" ~/.bash_history
# Look for privilege escalation
grep -E "sudo|su|chmod|chown" ~/.bash_history
# Look for data exfiltration
grep -E "scp|rsync|tar|zip" ~/.bash_history
History Timestamps
# If HISTTIMEFORMAT is set
export HISTTIMEFORMAT="%F %T "
history
# Parse history with timestamps
while read line; do
echo "$line"
done < ~/.bash_history
Cron Jobs¶
Cron jobs are scheduled tasks on Linux
Cron Locations
/etc/crontab # System crontab
/etc/cron.d/ # System cron jobs
/var/spool/cron/crontabs/USER # User cron jobs
/etc/cron.hourly/ # Hourly jobs
/etc/cron.daily/ # Daily jobs
/etc/cron.weekly/ # Weekly jobs
/etc/cron.monthly/ # Monthly jobs
Cron Analysis
# List all cron jobs
crontab -l
# List for specific user
crontab -u username -l
# Check system crontab
cat /etc/crontab
# Check all cron directories
find /etc/cron* -type f -exec cat {} \;
# Check user cron
ls -la /var/spool/cron/crontabs/
Suspicious Cron Jobs
Jobs running from /tmp/ , jobs with network activity , jobs running as root , and jobs with obfuscated commands
User Activity¶
Track what users did on Linux system
Last Logins
# Recent logins
last
# Last login per user
lastlog
# Currently logged in
who
w
# Login history
cat /var/log/wtmp | last
Command History
# All users' bash history
find /home -name ".bash_history" -exec cat {} \;
# Specific user
cat /home/username/.bash_history
File Access
# Recently modified files
find / -type f -mtime -7 -ls
# Recently accessed files
find / -type f -atime -1 -ls
# Files modified by user
find / -user username -type f -mtime -7
Network Activity
# Active connections
netstat -antp
# Connection history (if logged)
grep "ESTABLISHED" /var/log/syslog
Linux Persistence¶
Attackers establish persistence on Linux too
Common Persistence Methods
Cron Jobs
# Check all cron
crontab -l
cat /etc/crontab
ls /etc/cron.d/
Systemd Services
# List all services
systemctl list-unit-files --type=service
# Check for suspicious services
ls /etc/systemd/system/
ls /usr/lib/systemd/system/
Init Scripts
# SysV init
ls /etc/init.d/
ls /etc/rc*.d/
Bashrc / Profile
# Check startup scripts
cat /etc/profile
cat /etc/bash.bashrc
cat ~/.bashrc
cat ~/.bash_profile
SSH Keys
# Authorized keys
cat ~/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
Persistence Detection
# Find recently modified system files
find /etc /usr/bin /usr/sbin -type f -mtime -7
# Check for unusual SUID files
find / -perm -4000 -type f 2>/dev/null
# Check for hidden files
find / -name ".*" -type f 2>/dev/null
PCAP Analysis¶
PCAP files contain network traffic , show all packets , and reveal network-based attacks
PCAP Tools
# Wireshark (GUI)
wireshark capture.pcap
# tshark (CLI Wireshark)
tshark -r capture.pcap
# tcpdump
tcpdump -r capture.pcap
# NetworkMiner (Windows)
NetworkMiner.exe
Basic PCAP Analysis
# Count packets
capinfos capture.pcap
# List conversations
tshark -r capture.pcap -q -z conv,tcp
# List endpoints
tshark -r capture.pcap -q -z endpoints,ip
# Protocol hierarchy
tshark -r capture.pcap -q -z io,phs
Filter Traffic
# HTTP traffic only
tshark -r capture.pcap -Y "http"
# Specific IP
tshark -r capture.pcap -Y "ip.addr == 192.168.1.100"
# Specific port
tshark -r capture.pcap -Y "tcp.port == 80"
# DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0"
Extract Data
# Export HTTP objects
tshark -r capture.pcap --export-objects http,./http_objects/
# Export SMB files
tshark -r capture.pcap --export-objects smb,./smb_files/
# Extract credentials
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data
Protocol Analysis¶
Understanding protocols helps analyze traffic
HTTP Analysis
# HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.request.method -e http.request.uri -e http.host
# HTTP responses
tshark -r capture.pcap -Y "http.response" -T fields -e http.response.code
# HTTP POST data
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data
# Cookies
tshark -r capture.pcap -Y "http.cookie" -T fields -e http.cookie
DNS Analysis
# DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
# DNS responses
tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a
# DNS tunneling detection (long queries)
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | awk 'length > 50'
FTP Analysis
# FTP commands
tshark -r capture.pcap -Y "ftp.request.command" -T fields -e ftp.request.command -e ftp.request.arg
# FTP credentials
tshark -r capture.pcap -Y "ftp.request.command == USER || ftp.request.command == PASS" -T fields -e ftp.request.arg
SMTP Analysis
# Email headers
tshark -r capture.pcap -Y "smtp" -T fields -e smtp.req.parameter
# Email content
tshark -r capture.pcap -Y "smtp.data.fragment" -T fields -e smtp.data.fragment
Traffic Extraction¶
Extract files and data from network traffic
HTTP File Extraction
# Wireshark GUI
# File > Export Objects > HTTP
# tshark
tshark -r capture.pcap --export-objects http,./extracted/
# NetworkMiner (automatic)
# Drag PCAP into NetworkMiner
# Check "Files" tab
FTP File Extraction
# Follow FTP-DATA stream
tshark -r capture.pcap -Y "ftp-data" -T fields -e ftp-data.data
# Or use Wireshark
# Find FTP-DATA packet
# Right-click > Follow > TCP Stream
# Save as raw
Email Extraction
# Extract SMTP traffic
tshark -r capture.pcap -Y "smtp" -w smtp_only.pcap
# Parse emails
# Use Wireshark to follow SMTP streams
Encrypted Traffic
# If you have SSL keys
tshark -r capture.pcap -o "ssl.keys_list:192.168.1.1,443,http,server.key"
# Otherwise, encrypted traffic is opaque
# But you can still see:
# - Connection metadata
# - Certificate information
# - SNI (Server Name Indication)
DNS Analysis¶
DNS reveals domain lookups , C2 communication , and data exfiltration
DNS Queries
# All DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
# Unique domains
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort -u
# Query count per domain
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -rn
DNS Responses
# DNS A records
tshark -r capture.pcap -Y "dns.a" -T fields -e dns.qry.name -e dns.a
# DNS CNAME records
tshark -r capture.pcap -Y "dns.cname" -T fields -e dns.qry.name -e dns.cname
DNS Tunneling Detection
# Long queries (potential tunneling)
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | awk 'length > 50'
# High query volume to single domain
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | grep "suspicious.com" | wc -l
# Unusual TXT records
tshark -r capture.pcap -Y "dns.txt" -T fields -e dns.txt
HTTP Analysis¶
HTTP traffic often contains flags in CTFs
HTTP Requests
# All HTTP requests
tshark -r capture.pcap -Y "http.request"
# GET requests
tshark -r capture.pcap -Y "http.request.method == GET" -T fields -e http.request.uri
# POST requests
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.request.uri -e http.file_data
# User agents
tshark -r capture.pcap -Y "http.user_agent" -T fields -e http.user_agent | sort -u
HTTP Responses
# Response codes
tshark -r capture.pcap -Y "http.response" -T fields -e http.response.code
# Response content
tshark -r capture.pcap -Y "http.response" -T fields -e http.file_data
# Specific response code
tshark -r capture.pcap -Y "http.response.code == 200"
HTTP Headers
# All headers
tshark -r capture.pcap -Y "http" -T fields -e http.request.line -e http.response.line
# Cookies
tshark -r capture.pcap -Y "http.cookie" -T fields -e http.cookie
# Authorization headers
tshark -r capture.pcap -Y "http.authorization" -T fields -e http.authorization
Flag Hunting in HTTP
# Search for flag pattern
tshark -r capture.pcap -Y "http" -T fields -e http.file_data | grep -E "flag\{.*\}"
# Base64 in HTTP
tshark -r capture.pcap -Y "http" -T fields -e http.file_data | grep -E "[A-Za-z0-9+/]{20,}={0,2}"
Static Analysis¶
Analyze malware without executing it
File Identification
# File type
file malware.exe
# File hash
md5sum malware.exe
sha256sum malware.exe
# VirusTotal lookup
# (In CTF, usually custom malware)
Strings Analysis
# Extract strings
strings malware.exe > strings.txt
# ASCII strings
strings -a malware.exe
# Unicode strings
strings -el malware.exe
# Minimum length
strings -n 10 malware.exe
# Look for:
# - URLs
# - IP addresses
# - File paths
# - Function names
# - Error messages
# - Flags
PE Analysis (Windows)
# PEiD (detect packer)
# GUI tool
# PEview (view PE structure)
# GUI tool
# pestudio (automated analysis)
pestudio.exe malware.exe
# pefile (Python)
python3 << EOF
import pefile
pe = pefile.PE('malware.exe')
print(pe.dump_info())
EOF
ELF Analysis (Linux)
# readelf
readelf -a malware.elf
# objdump
objdump -d malware.elf
# nm (symbols)
nm malware.elf
# ldd (dependencies)
ldd malware.elf
Dynamic Analysis¶
Execute malware in controlled environment and observe behavior
Sandbox Setup
Use isolated VM , snapshot before execution , no network or isolated network , and monitor all activity
Monitoring Tools
# Process Monitor (Windows)
procmon.exe
# Process Explorer (Windows)
procexp.exe
# Wireshark (network)
wireshark
# Regshot (registry changes)
# Take snapshot before and after
Safe Execution
# Run in VM
# Take snapshot
# Execute malware
# Observe behavior
# Revert snapshot
# Monitor:
# - Processes created
# - Files created/modified
# - Registry changes
# - Network connections
Behavioral Analysis
# What does it do?
# - Create files?
# - Modify registry?
# - Connect to network?
# - Inject into processes?
# - Establish persistence?
Strings Analysis¶
Strings reveal hardcoded data in binaries
Basic Strings
# All strings
strings file.bin
# Minimum length
strings -n 8 file.bin
# Only printable
strings -a file.bin
# Unicode
strings -el file.bin
Pattern Searching
# URLs
strings file.bin | grep -E "https?://"
# IPs
strings file.bin | grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
# Emails
strings file.bin | grep -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"
# Flags
strings file.bin | grep -E "flag\{.*\}"
# Base64
strings file.bin | grep -E "[A-Za-z0-9+/]{20,}={0,2}"
Context Strings
# Strings with offset
strings -t x file.bin
# Strings with file offset
strings -t d file.bin
# Use offset to find in hex editor
xxd file.bin | grep OFFSET
Packing Detection¶
Packed malware hides code through compression or encryption
Entropy Check
# High entropy = likely packed
ent file.exe
# Entropy > 7.0 = suspicious
# Entropy > 7.5 = likely packed/encrypted
Section Analysis
# PE sections
pefile file.exe
# Look for:
# - UPX sections
# - High entropy sections
# - Unusual section names
# - Executable sections with high entropy
Common Packers
UPX (most common) , ASPack , PECompact , Themida , VMProtect , and custom packers
Unpacking
# UPX
upx -d packed.exe -o unpacked.exe
# Generic unpacking
# Run in debugger
# Find OEP (Original Entry Point)
# Dump from memory
Database Forensics¶
Databases store application data
SQLite Analysis
# Open database
sqlite3 database.db
# List tables
.tables
# Table schema
.schema tablename
# Query data
SELECT * FROM users;
# Export to CSV
.mode csv
.output data.csv
SELECT * FROM users;
.quit
MySQL/MariaDB
# Connect
mysql -u root -p
# List databases
SHOW DATABASES;
# Use database
USE dbname;
# List tables
SHOW TABLES;
# Query
SELECT * FROM users;
PostgreSQL
# Connect
psql -U username -d database
# List tables
\dt
# Query
SELECT * FROM users;
Deleted Records
# SQLite deleted records
strings database.db | grep "flag"
# Or use recovery tools
# sqlparse
# sqlite-parser
Email Forensics¶
Email headers reveal sender , route , and metadata
Email Headers
From: sender@example.com
To: recipient@example.com
Subject: Email subject
Date: Mon, 1 Jan 2024 12:00:00 +0000
Message-ID: <unique-id@example.com>
Received: from server1 by server2
X-Originating-IP: 192.168.1.100
Header Analysis
# Extract headers
grep "^From:\|^To:\|^Subject:\|^Date:\|^Received:" email.eml
# Trace route
grep "^Received:" email.eml
# Originating IP
grep "X-Originating-IP" email.eml
Email Attachments
# Extract attachments (manual)
# Find boundary in email
# Extract base64 content
# Decode
# Or use tool
munpack email.eml
# Or ripmime
ripmime -i email.eml -d output/
PST/OST Files (Outlook)
# readpst
readpst outlook.pst
# Converts to mbox format
# Then analyze with email tools
Document Metadata¶
Documents contain hidden metadata
PDF Metadata
# exiftool
exiftool document.pdf
# pdfinfo
pdfinfo document.pdf
# Shows:
# - Author
# - Creator
# - Creation date
# - Modification date
# - PDF version
Office Documents
# exiftool
exiftool document.docx
# Shows:
# - Author
# - Last modified by
# - Creation date
# - Modification date
# - Software used
# - Revision number
Image Metadata
# exiftool
exiftool image.jpg
# Shows:
# - Camera make/model
# - GPS coordinates
# - Date taken
# - Software used
# - Comments
Metadata Extraction
# Batch extraction
exiftool -r -csv /path/to/files > metadata.csv
# Specific fields
exiftool -Author -CreationDate document.pdf
Steganography Detection¶
Hidden data in images , audio , or other files
Visual Inspection
# View image
# Look for:
# - Unusual patterns
# - Noise in solid colors
# - Artifacts
LSB Analysis
# zsteg (PNG/BMP)
zsteg image.png
# steghide (JPEG)
steghide extract -sf image.jpg
# stegsolve (Java tool)
java -jar stegsolve.jar
Metadata Check
# exiftool
exiftool image.jpg
# Look for:
# - Comments
# - Description
# - Hidden fields
Strings
# Extract strings
strings image.png | grep flag
Binwalk
# Find embedded files
binwalk image.png
# Extract embedded
binwalk -e image.png
Quick Wins¶
Fast techniques for CTF challenges
First Commands
file evidence
strings evidence | grep -i flag
exiftool evidence
binwalk evidence
xxd evidence | head -20
xxd evidence | tail -20
Common Hiding Places
End of file (append data) , file metadata , alternate data streams , slack space , and unallocated clusters
Quick Checks
# Check file size
ls -lh evidence
# Unusually large? Hidden data
# Check entropy
ent evidence
# High entropy? Encrypted/compressed
# Check for embedded files
binwalk evidence
# Check for archives
file evidence | grep -i "archive\|compressed"
Flag Patterns
# Common flag formats
grep -E "flag\{.*\}" evidence
grep -E "FLAG\{.*\}" evidence
grep -E "CTF\{.*\}" evidence
grep -E "[A-Z0-9]{32}" evidence # MD5-like
Common CTF Patterns¶
Patterns that repeat in CTF challenges
Memory Dumps
Always check process list , command lines , network connections , and strings
Disk Images
Check deleted files , browser history , recent files , and timeline
Network Captures
Export HTTP objects , check DNS queries , follow TCP streams , and look for credentials
Malware Samples
Run strings first , check for packing , look for network indicators , and analyze statically before dynamic
Encrypted Files
Check for weak encryption , look for keys in memory/disk , try common passwords , and check metadata
Tool Chaining¶
Combine tools for better results
Example: Memory to Malware
# 1. Find suspicious process
vol3 -f memory.raw windows.pslist
# 2. Dump process
vol3 -f memory.raw windows.memmap --pid 1337 --dump
# 3. Strings on dump
strings pid.1337.dmp > process_strings.txt
# 4. Find URLs
grep -E "https?://" process_strings.txt
# 5. Extract network connections
vol3 -f memory.raw windows.netscan | grep 1337
Example: PCAP to Files
# 1. Export HTTP objects
tshark -r capture.pcap --export-objects http,./objects/
# 2. Analyze each file
for file in objects/*; do
echo "=== $file ==="
file $file
strings $file | grep flag
done
# 3. Check for archives
find objects/ -type f -exec file {} \; | grep -i archive
# 4. Extract archives
for zip in objects/*.zip; do
unzip $zip -d extracted/
done
Flag Hunting¶
Strategies for finding flags
String Search
# Recursive grep
grep -r "flag{" .
# Case insensitive
grep -ri "flag" .
# Multiple patterns
grep -E "flag\{.*\}|FLAG\{.*\}|CTF\{.*\}" file
Binary Search
# Hex search
xxd file.bin | grep "666c6167" # "flag" in hex
# Binary grep
grep -a "flag{" file.bin
Encoded Flags
# Base64
strings file | grep -E "[A-Za-z0-9+/]{20,}={0,2}" | base64 -d
# Hex
strings file | grep -E "([0-9a-fA-F]{2})+" | xxd -r -p
# ROT13
strings file | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Hidden Locations
File metadata , end of file , alternate data streams , registry keys , environment variables , and process memory
Volatility¶
Essential memory forensics tool
Installation
# Volatility 3
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
# Usage
python3 vol.py -h
Common Commands
# Windows
vol3 -f memory.raw windows.info
vol3 -f memory.raw windows.pslist
vol3 -f memory.raw windows.pstree
vol3 -f memory.raw windows.cmdline
vol3 -f memory.raw windows.netscan
vol3 -f memory.raw windows.filescan
vol3 -f memory.raw windows.registry.hivelist
# Linux
vol3 -f memory.raw linux.pslist
vol3 -f memory.raw linux.bash
vol3 -f memory.raw linux.lsof
Plugin List
# List all plugins
python3 vol.py -h | grep "windows\."
Autopsy¶
GUI forensic platform
Installation
# Download from
# https://www.autopsy.com/download/
# Or on Linux
sudo apt install autopsy
Usage
Create new case , add data source (disk image) , wait for analysis , browse file system , view timeline , search for keywords , and export findings
Autopsy Features
File system browser , timeline analysis , keyword search , hash analysis , and web artifacts
Wireshark¶
Network protocol analyzer
Installation
# Linux
sudo apt install wireshark
# Windows
# Download from wireshark.org
Basic Usage
Open PCAP , apply filters , follow streams , export objects , and analyze protocols
Useful Filters
http
http.request.method == "POST"
ip.addr == 192.168.1.1
tcp.port == 80
dns
ftp
Follow Stream
Right-click packet , Follow , TCP/UDP/HTTP Stream , view conversation , and save data
Sleuth Kit¶
File system analysis toolkit
Installation
sudo apt install sleuthkit
Common Commands
# File system info
fsstat image.dd
# List files
fls -r image.dd
# Extract file
icat image.dd INODE > file
# Timeline
fls -m / -r image.dd > timeline.body
mactime -b timeline.body > timeline.csv
Bulk Extractor¶
Extract features from disk images
Installation
sudo apt install bulk-extractor
Usage
# Extract features
bulk_extractor -o output/ image.dd
# Output includes:
# - email.txt (email addresses)
# - url.txt (URLs)
# - telephone.txt (phone numbers)
# - ccn.txt (credit card numbers)
# - domain.txt (domains)
Feature Files
# Check each file
cat output/email.txt
cat output/url.txt
cat output/domain.txt
Advanced Memory Forensics¶
Because sometimes the basic stuff doesn't cut it
Kernel Memory Analysis
When malware goes full stealth mode and hides in kernel space , you need to dig deeper
# Kernel modules (rootkit territory)
vol3 -f memory.raw linux.lsmod
vol3 -f memory.raw windows.modules
# Look for:
# - Modules with no file path (loaded from memory)
# - Modules with weird names (h4x0r.ko anyone?)
# - Hidden modules (not in module list but code is there)
Rootkit Detection
Rootkits are sneaky bastards that hide processes , files , and network connections
# SSDT hooks (Windows)
vol3 -f memory.raw windows.ssdt
# IDT hooks
vol3 -f memory.raw windows.idt
# Driver IRP hooks
vol3 -f memory.raw windows.driverscan
# Compare:
# - What kernel says is running
# - What's actually in memory
# - Differences = rootkit
Memory Strings Deep Dive
Sometimes you gotta get creative with strings
# Extract ALL the strings (this takes forever)
strings -a -n 4 memory.raw > all_strings.txt
# Now the fun part - pattern matching
# Passwords (people love "password123")
grep -i "password" all_strings.txt | grep -v "Password:" | head -20
# API keys (AWS, Azure, etc)
grep -E "AKIA[0-9A-Z]{16}" all_strings.txt # AWS
grep -E "sk-[a-zA-Z0-9]{32}" all_strings.txt # OpenAI
# Private keys (yeah people leave these in memory)
grep -B5 -A5 "BEGIN RSA PRIVATE KEY" all_strings.txt
# Credit cards (for the lulz, don't actually steal these)
grep -E "[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}" all_strings.txt
# Crypto wallet addresses
grep -E "^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$" all_strings.txt # Bitcoin
grep -E "^0x[a-fA-F0-9]{40}$" all_strings.txt # Ethereum
Process Injection Detection
Malware loves injecting into legit processes
# Check for hollowed processes
vol3 -f memory.raw windows.malfind
# Suspicious indicators:
# - svchost.exe with PAGE_EXECUTE_READWRITE (RWX) sections
# - explorer.exe with injected DLLs
# - Mismatched process path and loaded modules
# Dump suspicious memory regions
vol3 -f memory.raw windows.malfind --pid 1337 --dump
# Analyze dumped code
xxd pid.1337.*.dmp | head -50
strings pid.1337.*.dmp | grep -i "http"
Encrypted Memory Regions
Sometimes attackers encrypt their payload in memory
# High entropy regions are suspicious
# Extract memory region
vol3 -f memory.raw windows.memmap --pid 1337 --dump
# Check entropy
ent pid.1337.dmp
# Entropy > 7.5 = probably encrypted
# Look for crypto artifacts
strings pid.1337.dmp | grep -E "AES|RSA|encrypt|decrypt|cipher"
# XOR is common (lazy encryption)
# Try XOR with common keys
for key in {0..255}; do
python3 -c "import sys; sys.stdout.buffer.write(bytes([b ^ $key for b in open('pid.1337.dmp','rb').read()]))" > xor_$key.bin
strings xor_$key.bin | grep -i "flag" && echo "Found with key: $key"
done
Windows Forensics Deep Dive¶
Windows is a goldmine of artifacts if you know where to look
Shimcache (AppCompatCache)
Windows tracks executed programs even if they're deleted
# Extract shimcache
# From registry hive
python3 AppCompatCacheParser.py -f SYSTEM --csv output/
# What you get:
# - Program path
# - Last modification time
# - Execution flag (maybe)
# Why it matters:
# Proves a program existed even if it's gone now
# Shows execution timeline
# Can't be easily cleared without admin
Amcache
Another execution tracker , more detailed than shimcache
# Parse amcache
AmcacheParser.exe -f Amcache.hve --csv output/
# Contains:
# - SHA1 hash of executable
# - First execution time
# - Program publisher
# - File size
# Gold for proving malware execution
USN Journal
Change journal tracks NTFS file system changes
# Extract USN journal
fsutil usn readjournal C: csv > usn.csv
# Or from disk image
# Use MFTECmd with --usn flag
# Shows:
# - File created
# - File deleted
# - File renamed
# - File modified
# Timeline reconstruction heaven
Volume Shadow Copies
Windows keeps snapshots of files , attackers often forget about these
# List shadow copies
vssadmin list shadows
# Mount shadow copy
mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
# Now you can access old versions of files
# Deleted malware? Check the shadow copy
# Modified registry? Shadow copy has the old one
SRUM (System Resource Usage Monitor)
Tracks application resource usage , network activity , and energy consumption
# Parse SRUM
srum-dump.exe -i SRUDB.dat -o output/
# Contains:
# - Application network usage
# - Bytes sent/received per app
# - Execution time
# - User context
# Perfect for data exfiltration detection
Windows Search Database
Windows indexes everything , including deleted files
# Location
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
# Parse with ESEDatabaseView
# Or strings (quick and dirty)
strings Windows.edb | grep -i "suspicious"
# Contains:
# - File paths (even deleted)
# - File content snippets
# - Email content
# - Document text
Recycle Bin Forensics
People think delete means gone , cute
# Recycle bin location
C:\$Recycle.Bin\USER-SID\
# Files are renamed:
# $IXXXXXX.ext - actual file
# $RXXXXXX.ext - metadata (original path, deletion time)
# Parse with Rifiuti2
rifiuti-vista.exe -o output.csv C:\$Recycle.Bin\S-1-5-21-xxx\
# Recover deleted evidence like a boss
Linux Forensics Advanced¶
Linux hides evidence in interesting places
Systemd Journal
Binary logs that most people forget about
# View journal
journalctl
# Filter by time
journalctl --since "2024-01-01" --until "2024-01-31"
# Filter by service
journalctl -u sshd
# Filter by priority
journalctl -p err
# Export to JSON
journalctl -o json > journal.json
# Why it matters:
# Can't be easily cleared
# Contains detailed service logs
# Survives log rotation
Auditd Logs
Linux audit system tracks everything if configured
# Audit logs location
/var/log/audit/audit.log
# Search for specific events
ausearch -k suspicious_activity
# User commands
ausearch -ua username
# File access
ausearch -f /etc/shadow
# Parse with aureport
aureport --summary
aureport --executable
aureport --file
Process Accounting
Tracks all executed commands
# Enable process accounting
accton /var/log/pacct
# View accounting data
lastcomm
# Specific user
lastcomm username
# Specific command
lastcomm bash
# Shows:
# - Command name
# - User
# - Terminal
# - Start time
# - CPU time
Deleted File Recovery on ext4
ext4 makes recovery harder but not impossible
# extundelete (for ext3/ext4)
extundelete /dev/sda1 --restore-all
# Or specific file
extundelete /dev/sda1 --restore-file /path/to/file
# Or by inode
debugfs /dev/sda1
debugfs: logdump -i <inode>
# PhotoRec (file carving)
photorec /dev/sda1
# Success rate depends on:
# - How long ago deletion happened
# - Disk activity since deletion
# - File system fragmentation
Docker Forensics
Containers leave traces
# Container logs
docker logs container_id
# Container filesystem
docker export container_id > container.tar
tar -xf container.tar
# Image layers
docker history image_name
# Container metadata
docker inspect container_id
# Look for:
# - Mounted volumes
# - Environment variables (secrets?)
# - Network configuration
# - Command history
Network Forensics Advanced¶
Because basic PCAP analysis is too mainstream
SSL/TLS Decryption
Encrypted traffic isn't always encrypted to you
# If you have the private key
tshark -r capture.pcap \
-o "tls.keys_list:192.168.1.1,443,http,server.key" \
-Y "http"
# If you have SSLKEYLOGFILE (browser debugging)
export SSLKEYLOGFILE=/tmp/sslkeys.log
# Run browser, capture traffic
wireshark -o "tls.keylog_file:/tmp/sslkeys.log" -r capture.pcap
# Now you can see:
# - HTTPS content
# - API calls
# - Passwords in "secure" forms
# - Session tokens
DNS Tunneling Analysis
Attackers love hiding data in DNS
# Suspicious DNS patterns
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | \
awk 'length > 50' | sort -u
# Entropy analysis
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | \
while read domain; do
echo "$domain" | python3 -c "import sys,math; s=sys.stdin.read().strip(); print(s, -sum(s.count(c)/len(s)*math.log2(s.count(c)/len(s)) for c in set(s)))"
done | awk '$2 > 3.5' # High entropy = suspicious
# Frequency analysis
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | \
cut -d. -f1 | sort | uniq -c | sort -rn | head -20
# Look for:
# - Long subdomain names
# - High query frequency to single domain
# - Hex/Base64 patterns in queries
# - TXT record abuse
HTTP/2 Analysis
HTTP/2 is binary , makes analysis harder
# Wireshark handles HTTP/2
# But for command line:
# Export HTTP/2 streams
tshark -r capture.pcap -Y "http2" --export-objects http,./http2_objects/
# View HTTP/2 headers
tshark -r capture.pcap -Y "http2.headers" -T fields -e http2.headers.path
# Decode HTTP/2 frames
tshark -r capture.pcap -Y "http2" -V | less
WebSocket Analysis
Real-time communication channel , often used for C2
# Find WebSocket handshakes
tshark -r capture.pcap -Y "http.upgrade contains WebSocket"
# Follow WebSocket stream
# In Wireshark: Find WS handshake > Follow > TCP Stream
# Extract WebSocket data
tshark -r capture.pcap -Y "websocket" -T fields -e websocket.payload
# Decode masked payload (if needed)
# WebSocket masking is XOR with 4-byte key
ICMP Tunneling
Because why not hide data in ping packets
# Extract ICMP data
tshark -r capture.pcap -Y "icmp" -T fields -e data
# Look for patterns
tshark -r capture.pcap -Y "icmp" -T fields -e data | \
xxd -r -p | strings
# Check payload size
tshark -r capture.pcap -Y "icmp" -T fields -e icmp.data_len | \
sort -u
# Normal ping: 32-48 bytes
# Tunneling: varies or suspiciously large
Malware Analysis Advanced¶
When basic static analysis isn't enough
Unpacking Techniques
Packed malware hides its code
# Detect packer
peid malware.exe # Windows tool
detect-it-easy malware.exe # Cross-platform
# Common packers:
# - UPX (easy to unpack)
# - ASPack
# - PECompact
# - Themida (nightmare)
# - VMProtect (good luck)
# UPX unpacking
upx -d packed.exe -o unpacked.exe
# Manual unpacking (generic)
# 1. Load in debugger (x64dbg, IDA, Ghidra)
# 2. Find OEP (Original Entry Point)
# 3. Let packer decompress
# 4. Dump from memory
# 5. Fix imports
# Or use automated tools
# - Unipacker
# - de4dot (for .NET)
Anti-Analysis Detection
Malware checks if it's being analyzed
# Common anti-analysis tricks:
# 1. Debugger detection
# Checks IsDebuggerPresent()
# Checks PEB.BeingDebugged
# Checks timing (debugger is slower)
# 2. VM detection
# Checks for VMware/VirtualBox artifacts
# Checks CPU count (VMs often have few cores)
# Checks RAM (VMs often have limited RAM)
# 3. Sandbox detection
# Checks for analysis tools
# Checks for common sandbox usernames
# Sleeps for long time (sandboxes timeout)
# Bypass techniques:
# - Patch anti-analysis checks
# - Use stealthy debugger (ScyllaHide)
# - Modify VM to look like real machine
# - Let it sleep, then resume
Code Obfuscation
Malware makes code hard to read
# Control flow flattening
# - Turns if/else into switch/case mess
# - Makes decompiled code unreadable
# String obfuscation
# - Encrypts strings
# - Decrypts at runtime
# - Find decryption routine, extract all strings
# API hashing
# - Doesn't import APIs by name
# - Resolves at runtime by hash
# - Find hash algorithm, rebuild import table
# Dead code insertion
# - Adds useless code
# - Makes analysis slower
# - Ignore and focus on real code
Behavioral Analysis in Sandbox
Run malware and watch what it does
# Cuckoo Sandbox
cuckoo submit malware.exe
# Any.run (online)
# Upload and watch in browser
# What to monitor:
# - Files created/modified/deleted
# - Registry changes
# - Network connections
# - Process creation
# - Mutex creation (for single-instance check)
# - Service installation
# Extract IOCs:
# - File hashes
# - IP addresses
# - Domain names
# - Registry keys
# - File paths
# - Mutex names
Mobile Forensics¶
Because phones have all the good stuff
Android ADB Forensics
When you have physical access
# Enable USB debugging first
# Settings > Developer Options > USB Debugging
# Connect and verify
adb devices
# Pull entire /data partition (requires root)
adb shell su -c "tar -czf /sdcard/data.tar.gz /data"
adb pull /sdcard/data.tar.gz
# App data
adb pull /data/data/com.app.package
# Databases
adb pull /data/data/com.app.package/databases/
# Shared preferences
adb pull /data/data/com.app.package/shared_prefs/
# WhatsApp messages
adb pull /data/data/com.whatsapp/databases/msgstore.db
# SMS/MMS
adb pull /data/data/com.android.providers.telephony/databases/mmssms.db
# Call logs
adb pull /data/data/com.android.providers.contacts/databases/calllog.db
# Chrome history
adb pull /data/data/com.android.chrome/app_chrome/Default/History
iOS Forensics
Apple makes it harder but not impossible
# iTunes backup (unencrypted)
# Location:
# Windows: %APPDATA%\Apple Computer\MobileSync\Backup\
# Mac: ~/Library/Application Support/MobileSync/Backup/
# Parse with iBackup Viewer or similar
# Jailbroken device (SSH access)
ssh root@iphone_ip
# Common locations:
/var/mobile/Library/SMS/sms.db # Messages
/var/mobile/Library/CallHistory/call_history.db # Calls
/var/mobile/Library/Safari/History.db # Safari
/var/mobile/Containers/Data/Application/ # App data
# WhatsApp
/var/mobile/Containers/Shared/AppGroup/*/ChatStorage.sqlite
Mobile App Analysis
APK/IPA reverse engineering
# Android APK
apktool d app.apk
# Decompiles to smali
# Convert to Java
d2j-dex2jar app.apk
jd-gui app-dex2jar.jar
# iOS IPA
unzip app.ipa
# Binary is in Payload/App.app/
# Decrypt (if from App Store)
# Use Clutch or similar on jailbroken device
# Analyze with
# - Hopper
# - IDA Pro
# - Ghidra
Cloud Forensics¶
Because everything's in the cloud now
AWS Forensics
When someone hacks your AWS account
# CloudTrail logs (who did what)
aws cloudtrail lookup-events --max-results 50
# S3 access logs
aws s3 cp s3://bucket/logs/ ./logs/ --recursive
# VPC Flow Logs
aws ec2 describe-flow-logs
# EC2 instance metadata
# From inside instance:
curl http://169.254.169.254/latest/meta-data/
# Snapshot compromised instance
aws ec2 create-snapshot --volume-id vol-xxx
# Mount snapshot for analysis
# Create volume from snapshot
# Attach to forensic instance
# Mount read-only
Azure Forensics
Microsoft's cloud
# Activity logs
az monitor activity-log list --max-events 100
# Storage account logs
az storage logging show --services b
# VM diagnostics
az vm boot-diagnostics get-boot-log --name vm-name --resource-group rg-name
# Snapshot VM disk
az snapshot create --resource-group rg --name snapshot --source disk-id
Google Cloud Forensics
# Audit logs
gcloud logging read --limit 100
# Storage logs
gsutil logging get gs://bucket-name
# Compute instance snapshot
gcloud compute disks snapshot disk-name --snapshot-names=snapshot-name
# Download snapshot
gcloud compute images create image-name --source-snapshot=snapshot-name
gcloud compute images export --image=image-name --destination-uri=gs://bucket/image.vmdk
Anti-Forensics and Counter-Measures¶
What attackers do to hide their tracks
Timestomping
Modifying file timestamps to hide activity
# Windows
# SetFileTime API
# Or tools like Timestomp
# Detection:
# - Check $MFT timestamps vs file system timestamps
# - $STANDARD_INFORMATION can be modified
# - $FILE_NAME timestamps are harder to modify
# - Inconsistencies reveal timestomping
# Linux
touch -t 202401010000 file.txt
# Detection:
# - Check inode change time (ctime)
# - ctime can't be easily modified
# - mtime/atime can be modified
# - Inconsistencies reveal tampering
Log Deletion
Attackers delete logs to hide evidence
# Windows Event Log clearing
wevtutil cl Security
wevtutil cl System
# Detection:
# - Event ID 1102 (Security log cleared)
# - Event ID 104 (System log cleared)
# - Gap in event IDs
# - Sudden log file size change
# Linux log deletion
> /var/log/auth.log
> /var/log/syslog
# Detection:
# - Check log rotation timestamps
# - Compare with other systems
# - Check for empty logs (suspicious)
# - Audit logs might survive
Secure Deletion
Overwriting files to prevent recovery
# Tools:
# - sdelete (Windows)
# - shred (Linux)
# - srm (Linux)
# Detection:
# - File is gone (obviously)
# - But metadata might remain
# - Check MFT/journal for file name
# - Check shadow copies
# - Check backups
# - Check file system slack
Rootkits
Hiding at kernel level
# Detection techniques:
# - Compare live system vs offline analysis
# - Cross-view diff (what kernel reports vs raw memory)
# - Signature scanning
# - Behavioral analysis
# Tools:
# - GMER (Windows)
# - rkhunter (Linux)
# - chkrootkit (Linux)
# - Volatility plugins
Forensics Automation¶
Because manual analysis is for chumps
DFIR Scripts
Automate common tasks
#!/bin/bash
# Quick triage script
echo "[*] Starting DFIR triage..."
# System info
echo "[+] Collecting system info"
uname -a > triage/system_info.txt
cat /etc/*-release >> triage/system_info.txt
# Network connections
echo "[+] Collecting network info"
netstat -antp > triage/network.txt
ss -antp >> triage/network.txt
# Running processes
echo "[+] Collecting process info"
ps auxf > triage/processes.txt
# Users
echo "[+] Collecting user info"
cat /etc/passwd > triage/users.txt
last > triage/last_logins.txt
# Cron jobs
echo "[+] Collecting scheduled tasks"
crontab -l > triage/cron.txt
ls -la /etc/cron* >> triage/cron.txt
# Bash history
echo "[+] Collecting command history"
cat ~/.bash_history > triage/bash_history.txt
# Suspicious files
echo "[+] Finding suspicious files"
find / -name "*.sh" -mtime -7 > triage/recent_scripts.txt
find / -perm -4000 2>/dev/null > triage/suid_files.txt
echo "[*] Triage complete! Check triage/ directory"
Memory Analysis Automation
#!/usr/bin/env python3
# Automated Volatility analysis
import subprocess
import sys
memory_dump = sys.argv[1]
output_dir = "volatility_output"
plugins = [
"windows.info",
"windows.pslist",
"windows.pstree",
"windows.cmdline",
"windows.netscan",
"windows.filescan",
"windows.registry.hivelist",
"windows.malfind"
]
for plugin in plugins:
print(f"[+] Running {plugin}")
output_file = f"{output_dir}/{plugin.replace('.', '_')}.txt"
cmd = f"vol3 -f {memory_dump} {plugin} > {output_file}"
subprocess.run(cmd, shell=True)
print("[*] Analysis complete!")
PCAP Analysis Automation
#!/bin/bash
# Automated PCAP analysis
PCAP=$1
echo "[*] Analyzing $PCAP"
# Basic stats
echo "[+] PCAP statistics"
capinfos $PCAP > analysis/stats.txt
# Conversations
echo "[+] Network conversations"
tshark -r $PCAP -q -z conv,tcp > analysis/conversations.txt
# HTTP objects
echo "[+] Extracting HTTP objects"
tshark -r $PCAP --export-objects http,analysis/http_objects/
# DNS queries
echo "[+] DNS queries"
tshark -r $PCAP -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort -u > analysis/dns_queries.txt
# Suspicious patterns
echo "[+] Looking for suspicious patterns"
tshark -r $PCAP -Y "http" -T fields -e http.request.uri | grep -E "cmd=|exec=|shell=" > analysis/suspicious_http.txt
echo "[*] Analysis complete!"
CTF Forensics Challenges¶
Real talk about solving CTF challenges
Memory Dump Challenges
What you'll actually encounter
# Challenge: "Find the flag in memory"
# Step 1: Identify OS
vol3 -f memory.raw windows.info
# or
vol3 -f memory.raw linux.info
# Step 2: Quick wins
strings memory.raw | grep -i "flag{"
strings memory.raw | grep -i "ctf{"
# Step 3: Process analysis
vol3 -f memory.raw windows.pslist
# Look for suspicious process names
# Step 4: Command lines (flags often here)
vol3 -f memory.raw windows.cmdline
# Check for base64, hex, or encoded data
# Step 5: Network connections
vol3 -f memory.raw windows.netscan
# Note any IPs/ports
# Step 6: Dump suspicious processes
vol3 -f memory.raw windows.memmap --pid SUSPICIOUS --dump
# Step 7: Strings on dump
strings pid.SUSPICIOUS.dmp | grep -i flag
# Step 8: If still nothing, check:
# - Clipboard
# - Environment variables
# - Registry keys
# - Loaded DLLs
PCAP Challenges
Network forensics CTF style
# Challenge: "Extract the flag from network traffic"
# Step 1: Quick overview
wireshark capture.pcap
# or
tshark -r capture.pcap
# Step 2: Export objects
tshark -r capture.pcap --export-objects http,./objects/
# Step 3: Check each file
for file in objects/*; do
echo "=== $file ==="
file $file
strings $file | grep -i flag
done
# Step 4: Follow streams
# In Wireshark: Find interesting packet > Follow > TCP Stream
# Step 5: Check DNS
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u
# Step 6: Check for encoding
# Base64 in HTTP
tshark -r capture.pcap -Y "http" -T fields -e http.file_data | grep -E "[A-Za-z0-9+/]{20,}={0,2}" | base64 -d
# Step 7: Check FTP
tshark -r capture.pcap -Y "ftp-data"
# Follow FTP-DATA stream to get files
Disk Image Challenges
File system forensics
# Challenge: "Find the hidden flag"
# Step 1: Mount image
mkdir /mnt/evidence
mount -o ro,loop disk.img /mnt/evidence
# Step 2: Quick search
grep -r "flag{" /mnt/evidence/
# Step 3: Check deleted files
fls -rd disk.img
# Step 4: Recover deleted files
tsk_recover disk.img /recovered/
# Step 5: Check for hidden data
# - Alternate data streams (NTFS)
# - File slack space
# - Unallocated clusters
# Step 6: Timeline analysis
fls -m / -r disk.img > timeline.body
mactime -b timeline.body > timeline.csv
# Step 7: Check specific locations
# - Browser history
# - Recent files
# - Recycle bin
# - Temp directories
Steganography Challenges
Hidden data in images
# Challenge: "The flag is in the image"
# Step 1: File info
file image.png
exiftool image.png
# Step 2: Strings
strings image.png | grep -i flag
# Step 3: Binwalk (embedded files)
binwalk image.png
binwalk -e image.png
# Step 4: Steganography tools
zsteg image.png # PNG/BMP
steghide extract -sf image.jpg # JPEG
stegsolve image.png # GUI tool
# Step 5: LSB analysis
# Least significant bit often hides data
# Use stegsolve or custom script
# Step 6: Check alpha channel
# PNG alpha channel can hide data
# Step 7: Pixel manipulation
# Sometimes flag is in pixel values
# Extract RGB values and decode
Real-World Incident Response¶
When shit actually hits the fan
Initial Response
First 30 minutes are critical
# 1. Don't panic (easier said than done)
# 2. Isolate affected systems
# - Disconnect from network (not power off!)
# - Block at firewall
# - Disable network adapter
# 3. Preserve volatile data
# Memory dump
# Running processes
# Network connections
# Open files
# 4. Document everything
# Screenshots
# Command output
# Timestamps
# Who did what
# 5. Notify stakeholders
# Management
# Legal
# IT team
# Law enforcement (if needed)
Evidence Collection Priority
What to collect first
Priority 1 (Volatile - collect immediately):
- Memory dump
- Running processes
- Network connections
- Logged-in users
- Open files
- Clipboard content
Priority 2 (Semi-volatile - collect soon):
- Recent logs
- Temp files
- Swap/page file
- Recent registry changes
Priority 3 (Non-volatile - collect when possible):
- Full disk image
- Historical logs
- Registry hives
- File system timeline
Containment Strategies
Stop the bleeding
# Network containment
# - Block C2 IPs at firewall
# - Disable compromised accounts
# - Segment affected network
# - Monitor for lateral movement
# System containment
# - Disable malicious services
# - Kill malicious processes
# - Remove persistence mechanisms
# - Patch vulnerabilities
# Data containment
# - Prevent data exfiltration
# - Monitor outbound traffic
# - Block file transfers
# - Encrypt sensitive data
Forensics Report Writing¶
Because you have to explain what you found
Report Structure
What actually goes in a report
# Incident Report
## Executive Summary
- What happened (plain English)
- When it happened
- Impact
- Current status
- Recommendations
## Technical Summary
- Attack vector
- Malware/tools used
- Systems affected
- Data compromised
- Timeline
## Detailed Findings
- Evidence collected
- Analysis performed
- IOCs identified
- Attack progression
- Persistence mechanisms
## Timeline
- Initial compromise
- Lateral movement
- Data access
- Exfiltration (if any)
- Detection
- Response
## Recommendations
- Immediate actions
- Short-term fixes
- Long-term improvements
- Prevention measures
## Appendix
- Evidence hashes
- Tool versions
- Commands executed
- Raw data
Writing Tips
How to not sound like a robot
DO:
- Use clear language
- Explain technical terms
- Include screenshots
- Show command output
- Provide context
- Be specific
DON'T:
- Use jargon without explanation
- Make assumptions
- Skip evidence
- Forget timestamps
- Ignore chain of custody
- Rush the report
Forensics Lab Setup¶
Build your own analysis environment
Hardware Requirements
What you actually need
Minimum:
- 16GB RAM (32GB better)
- 500GB SSD
- Quad-core CPU
- USB 3.0 ports
- External drive for evidence
Recommended:
- 32GB+ RAM
- 1TB+ SSD
- 8-core CPU
- Multiple monitors
- Write blockers
- Forensic workstation
Software Setup
Essential tools
# Linux (Ubuntu/Kali)
sudo apt update
sudo apt install -y \
volatility3 \
autopsy \
sleuthkit \
wireshark \
binwalk \
foremost \
bulk-extractor \
exiftool \
strings \
xxd \
sqlite3
# Python tools
pip3 install \
pefile \
yara-python \
python-evtx \
analyzeMFT
# Windows tools
# - FTK Imager
# - Eric Zimmerman tools
# - Sysinternals Suite
# - HxD Hex Editor
# - Process Hacker
VM Setup
Isolated analysis environment
# Create analysis VM
# - Snapshot before analysis
# - No network or isolated network
# - Shared folder for evidence
# - Tools pre-installed
# Malware analysis VM
# - Windows 10 VM
# - No network
# - Sysinternals installed
# - Process Monitor running
# - Wireshark ready
# - Take snapshot before each analysis
Good luck hunting flags and solving incidents