Digital Forensics
Objectives: By the end of this topic, you will be able to…
- Properly preserve digital evidence
- Use forensic tools in Kali to analyze disks or files
- Interpret relevant information from a forensic image
- Document findings clearly and in a structured manner
Introduction to digital forensic analysis
Digital forensics is a cybersecurity discipline that identifies, preserves, analyzes, and presents digital evidence with legal validity. It is applied in cases of security incidents, fraud, intrusions, or legal investigations.
The goal of forensic analysis is not only to understand what happened, but also to preserve evidence for potential judicial use.
Scenario: A university discovers that login times for a departmental server look unusual — SSH sessions are opening at 3 a.m. from an internal IP that belongs to a student who graduated last semester. The IT team suspects an unauthorized account is being used, but they must determine what happened without altering any potential evidence. This is a digital forensics investigation.
Evidence preservation
Before analyzing any compromised system, it is essential to preserve the integrity of the evidence. The first step is always to create a forensic image — a bit-for-bit copy of the disk or device using tools like dd, dcfldd, or Guymager — so that all analysis is performed on the copy rather than the original. A hash (MD5, SHA-1, or SHA-256) is computed before and after acquisition to verify that no alteration occurred during the process. The original media is connected through a write blocker or mounted read-only to prevent any accidental modification. Every action taken from this point forward is recorded in a chain of custody log, documenting who handled the evidence, when, and what was done, so that the findings remain admissible in a legal proceeding.
Types of digital evidence
| Source | Examples |
|---|---|
| Files | Deleted documents, modified or malicious files |
| System logs | Event logs (Windows Event Logs, syslog) |
| Metadata | Creation/modification dates, author, location |
| Network/application logs | Access records, errors, connections |
| User artifacts | Browsing history, recent files, executed commands |
| RAM memory | Active processes, passwords, connections |
Forensic image analysis
Analysis is performed on an exact copy (image) of the original device. A full disk or partition image enables filesystem analysis (NTFS, ext4, FAT), recovery of deleted files, and search for suspicious patterns without touching the original. A RAM memory dump captures volatile data — running processes, encryption keys, active connections, and other artifacts that disappear the moment the system powers off. Removable device images (USB drives, SD cards) are examined when there is reason to believe data was exfiltrated or malware was introduced through portable media.
Analysis tools
| Tool | Use |
|---|---|
| Autopsy / Sleuth Kit | Structured examination of forensic images |
| Bulk Extractor | Pattern extraction (emails, URLs, keys) |
| Binwalk / Foremost / Scalpel | File recovery and binary data analysis |
| Volatility / Rekall | RAM memory analysis |
| ExifTool | Metadata analysis |
Forensic tools in Kali Linux
Kali includes tools for performing forensic tasks without altering the evidence:
- dcfldd / dd: forensic imaging
- hashdeep / sha256sum: integrity calculation and verification
- autopsy / sleuthkit: structured analysis suite
- foremost / scalpel: deleted file recovery
- volatility: RAM memory analysis
- strings: readable text extraction
Kali can be booted in forensic mode (from USB), which avoids automatically mounting disks to prevent evidence alteration.
Hands-on lab
Requirements: Kali Linux, forensic image disco.dd (provided), (optional) memory image memoria.raw
Part 1: Evidence preservation
- Calculate the original hash: `sha256sum disco.dd`
- Create a working copy: `dcfldd if=disco.dd of=copia.dd hash=sha256 hashlog=hashes.txt`
- Confirm integrity by comparing hashes

Question: If the hashes of the original image and the working copy did not match, what would that mean for the admissibility of the evidence in a legal proceeding? What step would you take next?
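As an added example (not part of the lab materials), the preservation step of Part 1 written in Python: the copy loop stands in for dcfldd, the original is hashed before and after acquisition, the copy is hashed, and every action is appended to a JSON-lines chain-of-custody log. The 4 MiB stand-in image, the examiner name and the log format are constructed for the demo.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB blocks so a multi-GB image never has to fit in RAM

def sha256_file(path: str) -> str:
    """Streamed SHA-256 of a file; the same value that sha256sum prints."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(src: str, dst: str, custody_log: str, examiner: str) -> dict:
    """Bit-for-bit copy (stand-in for dcfldd) plus before/after hashes and a custody record."""
    hash_before = sha256_file(src)
    with open(src, "rb") as fi, open(dst, "wb") as fo:
        for block in iter(lambda: fi.read(CHUNK), b""):
            fo.write(block)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": f"acquired {os.path.basename(src)} -> {os.path.basename(dst)}",
        "sha256_original_before": hash_before,
        "sha256_original_after": sha256_file(src),   # original untouched by the copy?
        "sha256_copy": sha256_file(dst),             # copy identical to the original?
    }
    record["intact"] = record["sha256_original_before"] == record["sha256_original_after"] == record["sha256_copy"]
    with open(custody_log, "a") as log:              # one JSON line per action (constructed format)
        log.write(json.dumps(record) + "\n")
    return record

def verify(copy: str, expected_sha256: str) -> bool:
    """Re-hash the working copy before each session; a mismatch means it was altered."""
    return sha256_file(copy) == expected_sha256

def demo() -> tuple[bool, bool]:
    """Constructed 4 MiB stand-in for disco.dd: returns (intact after acquisition,
    verification result after one byte of the copy has been flipped)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst, log = (os.path.join(d, n) for n in ("disco.dd", "copia.dd", "custody.jsonl"))
        with open(src, "wb") as f:
            f.write(os.urandom(4 * 1024 * 1024))
        rec = acquire(src, dst, log, "examiner-01")
        with open(dst, "r+b") as f:                  # simulate an accidental modification
            f.seek(1234); b = f.read(1); f.seek(1234); f.write(bytes([b[0] ^ 0xFF]))
        return rec["intact"], verify(dst, rec["sha256_copy"])
```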
Part 2: File extraction and analysis
Extracting deleted files:
```bash
foremost -i copia.dd -o output/
```

Examine the output/ folder: documents, images, suspicious executables.
Filesystem analysis with Sleuth Kit:
```bash
fls -r -m / copia.dd > structure.txt
icat copia.dd <inode> > recovered_file
```

Use fls and istat to view hidden files, access and modification times, activity logs.
Text and metadata inspection:
```bash
strings copia.dd | less
```

Search for credentials, messages, internal paths.

Question: What types of files were recovered from the image? Does the presence of deleted files suggest intentional deletion or normal usage? What filesystem metadata supports your conclusion?
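Added example, not part of the lab: a parser for the bodyfile that `fls -r -m / copia.dd > structure.txt` writes. It flags the entries fls marks as deleted and collapses each file's four timestamps into a mactime-style "macb" timeline, which is the same view Autopsy's timeline in Part 3 is built from. The three bodyfile lines, paths and times are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `fls -r -m / copia.dd` output (TSK bodyfile format):
#   MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# fls appends " (deleted)" to the name of unallocated entries. Paths and times are invented.
SAMPLE_BODYFILE = """\
0|/home/alumno/.bash_history|1234|r/rrw-------|1000|1000|512|1700000400|1700000400|1700000400|1699990000
0|/home/alumno/notas.pdf (deleted)|1240|r/rrw-r--r--|1000|1000|20480|1700000200|1700000100|1700000300|1699995000
0|/tmp/.x/runme (deleted)|1301|r/rrwxr-xr-x|1000|1000|8192|1700000350|1700000350|1700000350|1700000350
"""
DELETED_MARK = re.compile(r" \(deleted(?:-realloc)?\)$")

@dataclass
class Entry:
    path: str
    inode: str
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int
    deleted: bool

def parse_bodyfile(text: str) -> list[Entry]:
    """One Entry per bodyfile line; malformed lines raise rather than being silently skipped."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"unexpected bodyfile line: {line!r}")
        m = DELETED_MARK.search(f[1])
        name = f[1][: m.start()] if m else f[1]
        entries.append(Entry(name, f[2], int(f[6]), int(f[7]), int(f[8]), int(f[9]), int(f[10]), m is not None))
    return entries

def deleted_paths(entries: list[Entry]) -> list[str]:
    return [e.path for e in entries if e.deleted]

def timeline(entries: list[Entry]) -> list[tuple[int, str, str]]:
    """(epoch, 'macb' flags, path) sorted oldest first: m=mtime a=atime c=ctime b=crtime,
    '.' where that timestamp differs, the way mactime presents a bodyfile."""
    events: dict[tuple[int, str], list[str]] = {}
    for e in entries:
        for flag, ts in zip("macb", (e.mtime, e.atime, e.ctime, e.crtime)):
            events.setdefault((ts, e.path), []).append(flag)
    return [(ts, "".join(fl if fl in flags else "." for fl in "macb"), path)
            for (ts, path), flags in sorted(events.items())]
```

A file whose four timestamps all coincide (a "macb" row) was created and never touched again, which is what you would expect of something dropped shortly before deletion.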
Part 3 (Optional): Analysis with Autopsy
- Load the image copia.dd
- Navigate the event timeline
- Search for suspicious activity (recent execution, created or deleted files)
- Use metadata analysis and automatic indexing features
Part 4 (Optional/Advanced): Memory analysis
If memoria.raw is available:
```bash
volatility -f memoria.raw imageinfo
volatility -f memoria.raw --profile=Win7SP1x64 pslist
volatility -f memoria.raw --profile=Win7SP1x64 netscan
volatility -f memoria.raw --profile=Win7SP1x64 malfind
```

Identify hidden processes, extract DLLs, commands used, open connections.
Submission
- Hashes and verification of the original image
- List and analysis of recovered files
- Key fragments (strings, metadata, suspicious names)
- Screenshots and key findings
- Incident hypothesis (1-2 paragraphs): what happened, who may have done it, what evidence supports the hypothesis
Key concepts
| Term | Definition |
|---|---|
| Digital forensics | Discipline that identifies, preserves, analyzes, and presents digital evidence |
| Forensic image | Bit-for-bit copy of a device for analysis without altering the original |
| Chain of custody | Documented record of actions performed on digital evidence |
| Autopsy | Graphical forensic analysis tool based on Sleuth Kit |
| Volatility | RAM forensic analysis framework |
| Hash | Function for verifying file integrity of evidence |