# Forensic Analysis

Turning raw data into actionable intelligence

Analysis is where the forensics happens: once you have acquired evidence, you need to examine it methodically using specialized tools and techniques.
## Timeline Analysis

Timelines reveal the sequence of events during an incident. Create one immediately:

```bash
# Linux filesystem timeline (Sleuth Kit fls + mactime)
fls -r -m / images/image.dd > body.txt
mactime -d body.txt > timeline.csv

# Plaso (log2timeline) super-timeline across all supported artifacts
log2timeline.py --storage-file timeline.plaso image.dd
psort.py -o l2tcsv timeline.plaso > timeline.csv

# View timeline sorted by the first (timestamp) column
sort -t, -k1 timeline.csv
```
## File Carving

Recover deleted files from unallocated space:

```bash
# Foremost
foremost -i image.dd -o carved/

# Scalpel (the image is a positional argument; -i would read image names from a file)
scalpel -c scalpel.conf -o carved/ image.dd

# PhotoRec
photorec /d recovered/ image.dd

# Bulk Extractor (carves e-mail addresses, URLs, credit-card numbers, etc. into feature files)
bulk_extractor -o output/ image.dd
```
## String Analysis

```bash
# Extract all strings from image
strings image.dd > strings.txt

# Find IP addresses
strings image.dd | grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u

# Find URLs
strings image.dd | grep -E "https?://" | sort -u

# Find email addresses
strings image.dd | grep -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"

# Find base64 (potential encoded payloads)
strings image.dd | grep -E "^[A-Za-z0-9+/]{40,}={0,2}$"
```
## Keyword Search

```bash
# Search across disk image (-a treats the binary as text, -o prints only the matches
# instead of whole multi-megabyte "lines")
grep -a -i -o -E "password|secret|token|apikey" image.dd

# Using yara for pattern matching (-s prints the matching strings)
yara -s rule.yara image.dd

# Autopsy GUI (sleuthkit frontend)
autopsy
```
## Registry Analysis (Windows)

```bash
# RegRipper (-r hive file, -f profile)
rip.exe -r SYSTEM -f system
rip.exe -r SAM -f sam

# RECmd (Eric Zimmerman's Registry Explorer command line)
RECmd.exe --BootKey 0123456789abcdef... --HiveRoot C:\evidence\Registry
```
## Browser Forensics

Browser artifacts reveal user activity:

- Chrome - History, downloads, bookmarks, login data, cookies
- Firefox - places.sqlite (history), logins.json
- Edge - Chromium-based (same as Chrome format)

```bash
# Chrome history extraction
sqlite3 History "SELECT url, title, visit_count, last_visit_time FROM urls;"

# Firefox places (join visits to places on place_id; an unconstrained
# "FROM moz_places, moz_historyvisits" would produce a cartesian product)
sqlite3 places.sqlite "SELECT moz_places.url, moz_places.title, moz_historyvisits.visit_date FROM moz_places JOIN moz_historyvisits ON moz_historyvisits.place_id = moz_places.id;"
```
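The raw queries above print the timestamp columns as bare integers, and Chrome/Edge and Firefox use different epochs for them. The following is an added example, not code from the original page: a small Python helper that normalizes both formats to UTC and joins Firefox visits to places correctly. The `sample_*_db()` functions build constructed in-memory databases with minimal schemas and sample rows so the code runs without real browser files.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Edge store last_visit_time as microseconds since 1601-01-01 UTC (WebKit epoch);
# Firefox stores visit_date as microseconds since 1970-01-01 UTC. Both arrive as raw ints.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Chrome/Edge timestamp -> ISO 8601 UTC string; 0 means 'never visited'."""
    return None if not us else (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()

def unix_us_to_utc(us):
    """Firefox microsecond timestamp -> ISO 8601 UTC string."""
    return (UNIX_EPOCH + timedelta(microseconds=us)).isoformat()

def chrome_history(con):
    """(time, url, title, visit_count) per row of the Chrome/Edge 'urls' table."""
    rows = con.execute("SELECT url, title, visit_count, last_visit_time "
                       "FROM urls ORDER BY last_visit_time").fetchall()
    return [(webkit_to_utc(t), u, title, n) for u, title, n, t in rows]

def firefox_history(con):
    """One (time, url, title) per visit. The JOIN condition is what prevents the
    cartesian product an unconstrained 'FROM moz_places, moz_historyvisits' yields."""
    rows = con.execute("SELECT p.url, p.title, v.visit_date FROM moz_places p "
                       "JOIN moz_historyvisits v ON v.place_id = p.id "
                       "ORDER BY v.visit_date").fetchall()
    return [(unix_us_to_utc(t), u, title) for u, title, t in rows]

# Constructed in-memory stand-ins for the real files (minimal schemas, sample rows).
def sample_chrome_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'http://example.test/login', 'Login', 3, 13300000000000000);
        INSERT INTO urls VALUES (2, 'http://example.test/typed-only', 'Typed', 0, 0);""")
    return con

def sample_firefox_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.test/login', 'Login');
        INSERT INTO moz_places VALUES (2, 'http://example.test/bookmark-only', 'Bookmark');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1655526400000000);
        INSERT INTO moz_historyvisits VALUES (2, 1, 1655530000000000);""")
    return con
```

Against real evidence, pass `sqlite3.connect("path/to/History")` or `places.sqlite` to the same functions; work on a copy, since browsers keep these files locked and write-ahead logs may hold unflushed rows.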
## Malware Analysis Initial Triage

```bash
# Quick malware triage
file suspicious.exe
strings suspicious.exe | head -n 100
strings suspicious.exe | grep -i -E "https?|dll|import|export"
pecheck suspicious.exe

# Check entropy (packed binaries have high entropy)
ent suspicious.exe

# Hash for VirusTotal lookup
sha256sum suspicious.exe
```
## Key Artifacts Checklist

- Prefetch files (execution evidence)
- RecentFileCache and AmCache.hive
- Shimcache (AppCompatCache)
- Jump lists (user activity)
- LNK files (file access)
- Event logs (user logons, service crashes)
- USN journal (NTFS change journal)
- MFT ($MFT - master file table)