Digital Forensics


Evidence collection, analysis techniques, forensic tools, and legal considerations.

Overview

Digital forensics is the identification, preservation, collection, examination, analysis and reporting of digital evidence from a cyber incident, carried out so that the findings hold up to scrutiny.

Forensic Process

1. Identification → Locate evidence
2. Preservation   → Secure evidence
3. Collection     → Gather evidence
4. Examination    → Analyze evidence
5. Analysis       → Interpret findings
6. Reporting      → Document results

Evidence Types

Type       Source     Volatility
RAM        Memory     High
Registry   Windows    Medium
Logs       Systems    Medium
Disk       Storage    Low
Network    Traffic    Medium

Forensic Tools

Tool         Purpose
Autopsy      Disk analysis
Volatility   Memory analysis
FTK          Forensic toolkit
EnCase       Forensic suite
Sleuth Kit   File system analysis

Memory Analysis

# Volatility 2 memory analysis (standalone "volatility" binary; "vol.py" in a source install).
# The --profile value must match the operating system of the captured machine.

# List processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist

# Extract network connections
volatility -f memory.dmp --profile=Win7SP1x64 netscan

# Dump the executable of process 1234 (procdump requires an output directory)
volatility -f memory.dmp --profile=Win7SP1x64 procdump -p 1234 -D /evidence/procs/

Disk Forensics

# Create forensic image (attach the source through a write blocker so it is never modified;
# conv=noerror,sync keeps going past unreadable sectors and pads them so offsets stay aligned)
dd if=/dev/sda of=/evidence/disk.img bs=4M conv=noerror,sync status=progress

# Calculate hashes and record them in the evidence log; re-hashing later proves the image is unchanged
md5sum /evidence/disk.img
sha256sum /evidence/disk.img

# Mount image read-only (for a whole-disk image, add offset=<partition start in bytes>)
mount -o loop,ro,noexec /evidence/disk.img /mnt/evidence

# Search for files
find /mnt/evidence -type f \( -name "*.doc" -o -name "*.pdf" \)

Chain of Custody

Evidence Log:
┌────────────────────────────────────────────┐
│ Evidence ID: E-2024-001                    │
│ Description: Hard drive from suspect PC    │
│ Collected: 2024-01-15 14:30                │
│ Collected by: John Smith                   │
│ Location: Office 101                       │
│ Condition: Sealed in anti-static bag       │
│ Hash (MD5): abc123...                      │
│ Hash (SHA256): def456...                   │
└────────────────────────────────────────────┘
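The hashes computed in the Disk Forensics section and the evidence log above are two halves of one control: the acquisition hashes go into the log, and every later hand-off re-hashes the image against them. The following Python script is an added example written for this page, not code from the lesson or from any of the tools it lists. It assumes an evidence image on the local filesystem and keeps the custody log as append-only JSON lines; the evidence ID, the names and the small stand-in "image" in demo() are constructed sample values.

```python
# Added example (not part of the original lesson): compute acquisition hashes
# for an evidence image and keep an append-only chain-of-custody log whose
# entries can later prove the image is unchanged. All sample values are constructed.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB reads, the same block size as "dd bs=4M"


def hash_bytes(data):
    """Return (md5, sha256) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path):
    """Return (md5, sha256) hex digests, computed in one pass over the file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def _append(log_path, entry):
    """Custody logs are append-only: every event becomes one JSON line."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")


def record_evidence(log_path, evidence_id, image_path, description,
                    collected_by, location, condition):
    """Write the acquisition entry (the fields of the evidence log above)."""
    md5, sha256 = hash_file(image_path)
    entry = {
        "action": "acquired",
        "evidence_id": evidence_id,
        "description": description,
        "collected": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collected_by,
        "location": location,
        "condition": condition,
        "size_bytes": os.path.getsize(image_path),
        "md5": md5,
        "sha256": sha256,
    }
    _append(log_path, entry)
    return entry


def verify_evidence(log_path, evidence_id, image_path, handled_by):
    """Re-hash the image against its acquisition entry, log who checked it, return True if intact."""
    acquisition = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["evidence_id"] == evidence_id and entry["action"] == "acquired":
                acquisition = entry
                break
    if acquisition is None:
        raise KeyError(f"no acquisition record for {evidence_id}")
    md5, sha256 = hash_file(image_path)
    ok = md5 == acquisition["md5"] and sha256 == acquisition["sha256"]
    _append(log_path, {
        "action": "verified",
        "evidence_id": evidence_id,
        "checked": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "handled_by": handled_by,
        "md5": md5,
        "sha256": sha256,
        "integrity_ok": ok,
    })
    return ok


def demo():
    """Constructed walk-through: acquire, verify, flip one byte, verify again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")  # stand-in for /evidence/disk.img
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 512 + b"constructed sample sectors" + b"\xff" * 512)
    record_evidence(log, "E-2024-001", image, "Hard drive from suspect PC",
                    "John Smith", "Office 101", "Sealed in anti-static bag")
    intact = verify_evidence(log, "E-2024-001", image, "Jane Doe")
    with open(image, "r+b") as fh:  # simulate an altered image: one changed byte
        fh.seek(600)
        fh.write(b"X")
    tampered = verify_evidence(log, "E-2024-001", image, "Jane Doe")
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # -> (True, False)
```

Both digests are kept for the same reason the log above lists MD5 and SHA-256: MD5 alone is no longer collision-resistant, but older tools and reports still record it, so matching both keeps the record comparable with them while SHA-256 carries the integrity claim. A failed verification is itself a custody event and is written to the log rather than discarded.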

Legal Considerations

  1. Authorization — Proper warrants
  2. Chain of Custody — Evidence tracking
  3. Documentation — Detailed logs
  4. Expert Testimony — Court presentation
  5. Privacy Laws — Data protection

Practice

Analyze a forensic image using Autopsy and document findings.
