Digital Forensics

Master digital forensics with tutorials, tools, and comprehensive walkthroughs

Quick Start: Digital Forensics Fundamentals

1. Understand the Chain of Custody

Maintain integrity of evidence by documenting every interaction with digital evidence

Key: Hash values (MD5/SHA1), timestamps, and access logs are critical

2. Image the Drive/Device

Create a forensic image before analyzing to preserve original evidence

dd if=/dev/sda of=image.iso bs=4M

3. Hash Verification

Verify image integrity using cryptographic hashing

sha256sum image.iso

4. Mount & Analyze

Mount image in read-only mode for safe examination

mount -o ro,noload image.iso /mnt/forensics

Disk & File Forensics

7 Tools
Autopsy
Disk Forensics
Digital forensics platform for analyzing disk images, recovering deleted files, and extracting metadata. GUI-based and comprehensive.
Installation
Debian: sudo apt-get install autopsy
Source: wget https://www.autopsy.com/download/autopsy-latest.tar.gz
How It Works
Purpose: Analyzes disk images, partitions, and file systems to recover evidence
Process: Carves files, analyzes file timelines, searches keywords, extracts metadata
Usage Example
Launch: autopsy
CLI: tsk_loaddb -d casename -i imagename /path/to/image.001
Website Docs
FTK Imager
Disk Forensics
Industry-standard forensic imaging tool. Creates verified copies of digital evidence with support for multiple file formats.
Installation
Download: https://www.exterro.com/ftk-imager
Windows/Mac: Download installer from official website
How It Works
Function: Creates block-by-block copies of storage media
Features: Supports E01, AFF, RAW formats; Generates hash values for integrity
Workflow
Step 1: Connect storage device and launch FTK Imager
Step 2: Select source (physical disk or partition) and output format
Step 3: Verify hashes (MD5/SHA1) to ensure image integrity
Website
TestDisk & PhotoRec
Disk Forensics
Open-source tools for partition recovery and file carving. Recovers lost partitions and deleted files from various storage media.
Installation
Linux: sudo apt-get install testdisk photorec
macOS: brew install testdisk
How They Work
TestDisk: Recovers lost partitions by analyzing partition tables and MBR
PhotoRec: File carving tool that recovers deleted files by searching for file signatures
Quick Start
TestDisk: sudo testdisk /dev/sda
PhotoRec: photorec /dev/sda
Docs
JLEEK
Disk Forensics
JavaScript-based forensic timeline analysis tool. Extracts and visualizes filesystem acquisition journal entries for Windows NTFS.
Installation
Clone: git clone https://github.com/MariaDelRio/jleek.git
Setup: cd jleek && node jleek.js
Purpose
Function: Analyzes NTFS $LogFile journal for file system activity timeline
Use Case: Reconstructs file system operations when timestamps are suspicious
GitHub
The Sleuth Kit (TSK)
Disk Forensics
Command-line forensic toolkit for analyzing file systems. Underlying engine for Autopsy, providing powerful CLI tools.
Installation
Linux: sudo apt-get install sleuthkit
macOS: brew install sleuthkit
Key Tools
fls: List files and directories in image
icat: Extract and display file contents
istat: Display inode information and metadata
Examples
List files: fls -r disk.img
Extract file: icat disk.img 1234 > recovered_file
Website
Bulk Extractor
Disk Forensics
Scans disk images for email addresses, credit cards, URLs, and other sensitive data without parsing file systems. Extracts structured information from any data.
Installation
Linux: sudo apt-get install bulk-extractor
Source: git clone https://github.com/simsong/bulk_extractor
How It Works
Function: Scans raw data looking for patterns like emails, URLs, credit cards
Output: Creates separate files for each data type found (emails.txt, urls.txt, etc.)
Usage
Scan image: bulk_extractor -o output_dir disk.img
Email extraction: bulk_extractor -E email -o emails_dir disk.img
GitHub
dd / dcfldd
Disk Forensics
Low-level disk copying tools for forensic imaging. dd is standard Unix utility, dcfldd is enhanced version with built-in hashing and progress.
Installation
dd: Pre-installed on all Unix/Linux systems
dcfldd: sudo apt-get install dcfldd
How It Works
dd: Block-by-block disk copy, exact bit-for-bit duplication
dcfldd: Enhanced dd with hash verification, progress bar, and split output
Usage
dd basic: dd if=/dev/sda of=disk.img bs=4M status=progress
dcfldd: dcfldd if=/dev/sda of=disk.img hash=sha256 hashwindow=1G
Split output: dcfldd if=/dev/sda of=disk.img split=4G hashwindow=4G
dcfldd Website

Memory & RAM Analysis

5 Tools
Volatility Framework
Memory Analysis
Powerful framework for analyzing volatile memory dumps. Extract processes, network connections, passwords, and malware from RAM.
Installation
pip: pip install volatility3
Clone: git clone https://github.com/volatilityfoundation/volatility3
How It Works
Purpose: Analyzes memory dumps (hibernation files, core dumps, memory captures)
Extraction: Processes, network sockets, registry hives, DLLs, strings, handles
Key Commands
List processes: python -m volatility3 -f memory.dmp windows.pslist
Network connections: python -m volatility3 -f memory.dmp windows.netscan
Extract strings: python -m volatility3 -f memory.dmp windows.strings
Website Docs
DumpIt
Memory Analysis
Simple yet effective tool for capturing physical memory from running Windows systems. Creates memory dumps for Volatility analysis.
Installation
Download: Download portable executable from Comae Technologies
Setup: Run dumpit.exe (requires admin privileges)
How It Works
Function: Dumps entire physical RAM to file for offline analysis
Output: Creates .raw or .dmp files compatible with Volatility
Usage
Command: dumpit.exe
Note: Interactive tool, specify output location when prompted
Website
Belkasoft Live RAM
Memory Analysis
Advanced memory capture tool for both Windows and Linux systems. Captures RAM while minimizing data loss during acquisition.
Installation
Download: https://belkasoft.com/free
Linux: ./rammer capture /tmp/memory.bin
Key Features
Windows: GUI-based capture utility with hash verification
Linux: Command-line tool for headless systems
Website
Rekall
Memory Analysis
Advanced memory analysis framework similar to Volatility. Provides interactive shell and supports Windows, Linux, and macOS memory dumps.
Installation
pip: pip install rekall
Clone: git clone https://github.com/google/rekall
How It Works
Function: Interactive memory forensics with plugins for process, network, registry analysis
Features: Live memory analysis, malware detection, rootkit discovery
Usage
Interactive: rekall -f memory.dmp
List processes: rekall -f memory.dmp pslist
GitHub
MemProcFS
Memory Analysis
Mount memory dumps as a virtual file system. Browse memory like a directory structure with files representing processes, registry, network connections.
Installation
Download: https://github.com/ufrisk/MemProcFS/releases
Windows: Extract ZIP and run memprocfs.exe
How It Works
Concept: Creates virtual filesystem from memory dump for easy browsing
Structure: /processes/, /registry/, /network/, /files/ directories
Usage
Mount: memprocfs.exe -device memory.dmp -mount M
Browse: cd M:\processes\ && dir
GitHub

Log Analysis & Event Reconstruction

6 Tools
ELK Stack (Elasticsearch)
Log Analysis
Powerful log aggregation and analysis platform. Index, search, and visualize logs from multiple sources for forensic investigation.
Installation
Docker: docker run -d --name elasticsearch docker.elastic.co/elasticsearch/elasticsearch:8.0.0
Linux: apt-get install elasticsearch logstash kibana
How It Works
Elasticsearch: Stores and indexes logs for fast full-text searching
Logstash: Parses and structures log data from various sources
Kibana: Visualizes data with dashboards and timeline analysis
Website
Splunk
Log Analysis
Enterprise-grade log management and SIEM platform. Indexes terabytes of data and provides instant visibility into security events.
Installation
Download: wget -O splunk-latest.tgz 'https://www.splunk.com/en_us/download/splunk-enterprise.html'
Install: tar xvzf splunk-latest.tgz -C /opt && /opt/splunk/bin/splunk start
Key Capabilities
Indexing: Index and search Windows Event Logs, syslog, application logs
Correlation: Correlate events across multiple systems for attack patterns
Website
Event Log Parser
Log Analysis
Tools for analyzing Windows Event Logs (.evtx files). Extract and parse security logs for forensic investigation.
Installation
evtx_dump (Linux): pip install evtx
WEF (Windows): Download Windows Event Forwarding tools
How It Works
Function: Parses binary .evtx files and extracts event data
Output: JSON or CSV format for analysis in Splunk/ELK
Usage
Parse log: evtx_dump.py Security.evtx > events.json
GitHub
NetworkMiner
Log Analysis
Network forensics tool for offline analysis of packet captures. Extract artifacts, files, and network behavior from PCAP files.
Installation
Download: wget https://www.netresec.com/?download=NetworkMiner
Extract: unzip NetworkMiner_*.zip
How It Works
Function: Passively parses network traffic without generating traffic
Extraction: Files, IPs, hosts, DNS requests, emails, credentials
Website
SIEMonster
Log Analysis
Open-source SIEM (Security Information & Event Management) platform. Monitors security events, correlates logs, and provides threat detection.
Installation
Docker: docker pull siemonster/siemonster
GitHub: git clone https://github.com/siemonster/siemonster
How It Works
Function: Aggregates logs from multiple sources for centralized monitoring
Features: Real-time alerts, correlation rules, threat intelligence integration
Website
Graylog
Log Analysis
Free log management and analysis tool. Collect, index, and analyze terabytes of log data from any source with powerful search capabilities.
Installation
Docker: docker run -d -p 9000:9000 graylog/graylog
Linux: wget https://packages.graylog2.org/repo/packages/graylog-server.deb
How It Works
Collection: Accepts syslog, GELF, beats, and custom log inputs
Analysis: Full-text search, dashboards, alerting, and stream processing
Usage
Access: http://localhost:9000 (admin/admin)
Website

Network Forensics & Traffic Analysis

4 Tools
Wireshark
Network Forensics
Industry-standard network protocol analyzer. Capture and interactively browse network traffic, identify suspicious patterns.
Installation
Linux: sudo apt-get install wireshark
macOS: brew install wireshark
How It Works
Capture: Captures all packets on selected interface with full details
Analysis: Decodes protocols, colors traffic, applies display filters
Key Features
Filters: ip.addr==192.168.1.1 || tcp.port==80
Follow Stream: Reconstruct complete conversations and view payloads
Export Objects: Extract files transmitted over HTTP/FTP/SMTP
Website Docs
Zeek (formerly Bro)
Network Forensics
Network security monitoring framework. Analyzes live traffic or PCAP files, generates logs of network activity and anomalies.
Installation
Linux: sudo apt-get install zeek
Source: git clone https://github.com/zeek/zeek --recursive
How It Works
Processing: Reads PCAP files and generates structured logs
Output: conn.log, dns.log, http.log, ssl.log, files.log, etc.
Usage
Analyze PCAP: zeek -r traffic.pcap
View logs: cat conn.log
Website
tcpdump
Network Forensics
Command-line packet capture tool. Lightweight and powerful for capturing network traffic into PCAP files for later analysis.
Installation
Linux: sudo apt-get install tcpdump
macOS: brew install tcpdump
How It Works
Function: Captures raw network packets and writes to PCAP files
Filter: Supports Berkeley Packet Filter (BPF) syntax for selective capture
Examples
Capture all: sudo tcpdump -i eth0 -w traffic.pcap
Port 80 only: sudo tcpdump -i eth0 tcp port 80 -w web.pcap
Read PCAP: tcpdump -r traffic.pcap 'tcp.dstport==443'
Website
Tshark
Network Forensics
Command-line version of Wireshark. Powerful packet analysis tool for scripting, automation, and headless systems with full protocol support.
Installation
Linux: sudo apt-get install tshark
macOS: brew install wireshark (includes tshark)
How It Works
Function: CLI packet analyzer with same features as Wireshark GUI
Output: Text, JSON, CSV, PDML formats for scripting and automation
Examples
Read PCAP: tshark -r traffic.pcap
Filter HTTP: tshark -r traffic.pcap -Y 'http.request'
Export JSON: tshark -r traffic.pcap -T json > output.json
Docs

Mobile Forensics

2 Tools
MobSF
Mobile Forensics
Mobile Security Framework - automated analysis platform for Android/iOS apps. Performs static and dynamic analysis plus forensic data extraction.
Installation
Docker: docker pull opensecurity/mobile-security-framework-mobsf
Run: docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf
How It Works
Static Analysis: Analyzes APK/IPA files for security issues, permissions, code review
Dynamic Analysis: Runtime analysis, network traffic, API monitoring
Forensics: Extracts app data, databases, shared preferences, files
Usage
Access: http://localhost:8000
Upload: Upload APK/IPA or ZIP for analysis
GitHub
OS-Forensics
Mobile Forensics
Digital investigation tool with mobile data recovery features. Free edition supports basic mobile device forensics and data extraction.
Installation
Download: https://www.osforensics.com/download.html
Platform: Windows - Free for personal/educational use
Features
Mobile: Extract contacts, messages, call logs from Android/iOS backups
Search: Index and search mobile device images
Website

Malware & Malicious Code Analysis

3 Tools
CAPE Sandbox
Malware Analysis
Malware configuration and payload extraction sandbox. Automated malware analysis with advanced unpacking and configuration extraction capabilities.
Installation
Clone: git clone https://github.com/kevoreilly/CAPEv2
Setup: cd CAPEv2 && sudo ./installer/cape2.sh
How It Works
Function: Executes malware in isolated VM, monitors behavior and extracts payloads
Output: Network traffic, API calls, file operations, memory dumps, configurations
Usage
Submit: cape submit malware.exe
Web UI: http://localhost:8000
GitHub
Cuckoo Sandbox
Malware Analysis
Leading open-source automated malware analysis system. Analyzes suspicious files/URLs in isolated environment to detect malicious behavior.
Installation
pip: pip install cuckoo
Setup: cuckoo init && cuckoo community
How It Works
Execution: Runs malware in VMs (VirtualBox/VMware/KVM) for safe analysis
Monitoring: Tracks API calls, network connections, file modifications, registry changes
Usage
Submit file: cuckoo submit malware.exe
Web interface: cuckoo web runserver 0.0.0.0:8000
Website
PeStudio
Malware Analysis
Static malware analysis tool for Windows executables. Analyzes PE files without execution - detects packers, suspicious strings, imports, and anomalies.
Installation
Download: https://www.winitor.com/download
Platform: Windows portable executable - no installation required
How It Works
Function: Static PE file analysis - no execution, safe for initial triage
Detection: Identifies suspicious imports, strings, URLs, crypto operations, packers
Features
VirusTotal: Integrated VirusTotal hash lookup
Strings: Extracts and highlights suspicious strings and indicators
Website

Browser & Application Forensics

3 Tools
Browser History Capturer
Browser Forensics
Extract browsing history from Chrome, Firefox, Edge, Safari. Recovers visited URLs, timestamps, download history, and cached data.
Installation
Python: pip install browser-history
Alternative: Use NirSoft BrowsingHistoryView (Windows GUI)
How It Works
Function: Reads browser SQLite databases and parses history records
Sources: Chrome, Firefox, Safari, Edge history databases
Usage
Python: from browser_history import get_history; outputs = get_history()
GitHub
Plaso / log2timeline
Browser Forensics
Create super timelines from forensic artifacts. Parses browser history, logs, registry, file metadata to create comprehensive activity timeline.
Installation
Ubuntu: sudo add-apt-repository ppa:gift/stable && sudo apt-get install plaso-tools
pip: pip install plaso
How It Works
Function: Extracts timestamps from 100+ artifact types into unified timeline
Sources: Browser history, prefetch, USN journal, event logs, registry
Usage
Create timeline: log2timeline.py timeline.plaso /mnt/image
View: psort.py -o l2tcsv -w timeline.csv timeline.plaso
GitHub
RegRipper
Browser Forensics
Windows Registry forensic tool. Extracts user activity, installed software, USB devices, recent files, and system configuration from registry hives.
Installation
Download: https://github.com/keydet89/RegRipper3.0
Requirements: Perl interpreter (Windows/Linux)
How It Works
Function: Parses registry hives (NTUSER.DAT, SYSTEM, SAM, SOFTWARE)
Extraction: RecentDocs, UserAssist, ShimCache, AmCache, run keys, services
Usage
Run: rip.pl -r NTUSER.DAT -p recentdocs
All plugins: rip.pl -r NTUSER.DAT -a
GitHub

Forensic Utilities & File Analysis

3 Tools
ExifTool
Forensic Utilities
Read, write, and edit metadata from images, videos, PDFs, and office documents. Extract camera info, GPS coordinates, timestamps, and more.
Installation
Linux: sudo apt-get install exiftool
macOS: brew install exiftool
How It Works
Function: Reads EXIF, GPS, IPTC, XMP metadata from files
Supports: JPEG, PNG, PDF, DOCX, MP4, and 300+ file formats
Usage
Read metadata: exiftool image.jpg
Extract GPS: exiftool -gps* image.jpg
Bulk extract: exiftool -csv -r /path/to/images > metadata.csv
Website
Hashdeep / md5deep
Forensic Utilities
Compute and verify cryptographic hashes for files. Generate hash sets for integrity verification and known file elimination in forensics.
Installation
Linux: sudo apt-get install md5deep
macOS: brew install md5deep
How It Works
Function: Recursively computes MD5, SHA1, SHA256 hashes for files
Verification: Audit mode compares files against known hash databases
Usage
Generate hashes: hashdeep -r /evidence > hashes.txt
Verify: hashdeep -r -k hashes.txt -a /evidence
MD5 only: md5deep -r /evidence
GitHub
SQLite Forensic Explorer
Forensic Utilities
Specialized tool for examining SQLite databases commonly found in mobile apps, browsers, and applications. Recovers deleted records and analyzes structure.
Installation
Commercial: https://sandersonforensics.com/
Alternative: sqlitebrowser (free GUI) - brew install db-browser-for-sqlite
How It Works
Function: Opens and analyzes SQLite .db files from apps and systems
Recovery: Carves deleted records from unallocated database space
CLI Alternative
Open DB: sqlite3 database.db
List tables: .tables
Query: SELECT * FROM messages;
DB Browser (Free)

Step-by-Step Walkthroughs

2 Guides

Complete Guide: Creating a Forensic Image

1
Prepare the Evidence
Connect the suspect drive to your forensic workstation using a write blocker. This hardware device prevents accidental modifications to the evidence.
# Verify device is recognized lsblk # Example output: sdb (suspect drive) sudo fdisk -l /dev/sdb
2
Create the Image File
Use dd to create a bit-by-bit copy of the drive. This creates an exact replica of all sectors, including unallocated space.
# Create image with progress monitoring sudo dd if=/dev/sdb of=/mnt/forensics/suspect.iso bs=4M status=progress # Estimate time: 1TB @ 100MB/s ≈ 2-3 hours
3
Calculate Hash Values
Generate cryptographic hashes (MD5 and SHA256) of the image. These prove the image has not been modified during the process.
# Generate MD5 hash md5sum /mnt/forensics/suspect.iso > suspect.md5 # Generate SHA256 hash (more secure) sha256sum /mnt/forensics/suspect.iso > suspect.sha256 # Verify hash integrity (re-run later) sha256sum -c suspect.sha256
4
Document Chain of Custody
Create a detailed log documenting: - Date and time of acquisition - Equipment and tools used - Hash values generated - Any unusual observations
CHAIN OF CUSTODY LOG ==================== Date: 2024-02-28 Examiner: John Doe Evidence: Suspect Laptop HDD Device: Western Digital WD10EZEX MD5: a1b2c3d4e5f6... SHA256: abc123def456...
5
Verify Image Integrity
After creation, verify the image integrity by re-hashing and comparing hashes. Use specialized forensic tools like FTK Imager to generate verification reports.
# Verify the image matches original device sudo dd if=/dev/sdb | sha256sum > original.hash sha256sum /mnt/forensics/suspect.iso # Hashes should be identical if capture was successful

Complete Guide: Memory Analysis with Volatility

1
Capture Memory Dump
First, you need a memory dump from the suspect system. This can be captured using DumpIt (Windows), Belkasoft, or by hibernating the system.
# Windows - Using DumpIt (run as Administrator) dumpit.exe # Follow prompts to save memory dump # Linux - Using dd on /proc/kcore or using Belkasoft ./rammer capture /tmp/memory.bin
2
Identify the System Profile
Volatility needs to know the OS and profile. You can discover this from the memory dump information or by running imageinfo plugin.
# Identify the system (can take several minutes) python -m volatility3 -f memory.dmp -p windows # Or for older Volatility 2 volatility -f memory.dmp imageinfo # Common profiles: # Windows: Win10x64, Win7SP1x64, WinXPSP3x86 # Linux: LinuxUbuntu_5_4_x64
3
Extract Running Processes
List all processes that were running in memory. This helps identify suspicious or unauthorized programs.
# List all processes python -m volatility3 -f memory.dmp windows.pslist # Output shows: PID, Parent PID, Process Name, Create Time # Look for: suspicious process names, system processes in wrong locations # Common malware indicators: mimikatz.exe, meow.exe, rundll32.exe loading DLLs
4
Analyze Network Connections
Examine network sockets to identify command and control (C2) connections or data exfiltration.
# List active network connections python -m volatility3 -f memory.dmp windows.netscan # Output: Protocol, Local IP:Port, Remote IP:Port, State, PID # Look for: Unusual remote IPs, non-standard ports, encrypted connections # Indicators: svchost.exe making outbound connections, unexpected network services
5
Search for Suspicious Strings
Extract all strings from memory to find evidence of malicious activity, usernames, passwords, or URLs.
# Extract all strings (slow, generates large file) python -m volatility3 -f memory.dmp windows.strings | grep -i "password\|credential\|http\|cmd" # Search for specific patterns python -m volatility3 -f memory.dmp windows.strings | grep "malicious_url.com" # Common findings: # - Hardcoded credentials # - Command line arguments # - File paths # - URLs and domains
6
Extract DLLs and Executables
Extract suspicious processes or DLLs for offline analysis and virus scanning.
# Dump a specific process (PID 1234) python -m volatility3 -f memory.dmp -p windows windows.dumpfiles --pid=1234 # Extract kernel drivers python -m volatility3 -f memory.dmp windows.modscan # Submit extracted files to VirusTotal for analysis # This helps identify known malware signatures
7
Generate Analysis Report
Compile all findings into a comprehensive forensic report documenting the evidence, analysis methodology, and conclusions.

Key Points for Report: Timeline of events, identified malware, compromised accounts, data exfiltration evidence, attack vector, lateral movement, and recommendations