Preparation, Case Categorization and Scoping
Case Related Info: Crime Type/Category, Investigation Type, Damages made (Financial, Social, IT disruption), Location (Within/Outside Organization), Systems Involved, OS Involved.
Crime Against Individuals
- Email Spoofing
- Phishing
- Hacking
- Cyber-Stalking
- Obscene Material
- Unauthorized Access
- Fraud & Cheating
Crime Against Organizations
- Unauthorized Access
- Data/IP Theft
- Malware
- Hacking
Crime Against Society
- Cyber Trafficking
- Financial Crimes
- Online Gambling
- Online Forgery
- Cyber Terrorism
- Pirated Software
Feasibility Check
Evidence RelatedLikelihood of evidence on media, Strength of evidence, Volatile/Non-volatile evidence
Scope of InvestigationSystems, Users, Locations, 3rd Party vendors, Social media involved
Time & Cost AnalysisValue of info vs recovery cost, Access level required, Manpower availability
Tools AvailabilityIdentify and select required tools, Purchase new software/hardware/licenses if needed
Investigation Related Info
Case PrioritizationOwner of the system involved, Level of initial intelligence (IoC)
Impact/Likely ValueLoss of company data (IP), Loss of customer base, Market value & reputation, Financial loss
Investigation CostNumber of systems involved, Complexity of case, Examination type (Internal/External vendor)
Investigation ApproachReview case information, Review initial IOC, Review evidence involved, Technical expertise required
Tasks in Investigation
- IoC gathering
- Initial Timeline Creation
- Evidence identification and Acquisition (Local/Remote, Live/Dead)
- Creation of Tasks Checklist
- Identify best methods of investigation
Evidence Identification
Volatile Evidence
- Running Processes
- Network Connections
- Memory-only Malware
- Opened Files/Sockets
- Encryption Keys
Non-Volatile Evidence
- File System (FAT/NTFS/ReFS)
- Logical Evidence (OS view)
- Physical Evidence (Disk image)
- Registry Hives
- Event Logs
Technical Category of Evidence
User Activity: File download, Program execution, File creation/opening/deletion, USB activity, Account usage
System Activity: Browser activity, Chat activity, Internet activity, Installed/deleted applications, Deleted registry entries
Evidence Locations
Local: Hard Drive · USB · Peripheral Devices · System Share · Sharepoint
Cloud: Dropbox · OneDrive · Google Drive · Azure · AWS
Mobile: Android · iOS · BlackBerry · Windows Mobile
Evidence Acquisition
Acquisition Types
Local/RemotePhysical access vs network-based acquisition
Logical/PhysicalOS-level view vs full disk image
Live/DeadRunning system vs powered-off system
Full/PartialComplete image vs targeted collection
Write Blockers
Software: Safeblock, Registry modificationsHardware: Tableau, WiebeTech, ICS Write Blocker, EPOS WriteProtect
Imaging Commands
# DD Imaging
dd if=/dev/sda of=/path/to/evidence.raw bs=512 status=progress conv=noerror,sync
# DC3DD with hashing
dc3dd if=/dev/sdb of=case1.disk1.raw hash=sha1 hash=md5 log=image.log
# Over Network (netcat)
# Receiver: nc -l -p 5555 | dd of=/mnt/evidence/net_dd.raw
# Sender: dd if=/dev/sda | nc 192.168.0.1 5555
dd if=/dev/sda of=/path/to/evidence.raw bs=512 status=progress conv=noerror,sync
# DC3DD with hashing
dc3dd if=/dev/sdb of=case1.disk1.raw hash=sha1 hash=md5 log=image.log
# Over Network (netcat)
# Receiver: nc -l -p 5555 | dd of=/mnt/evidence/net_dd.raw
# Sender: dd if=/dev/sda | nc 192.168.0.1 5555
Acquisition Tools
Open Source: dd, dc3dd, ddrescue, ewfacquire, FTK Imager, KAPE, Memoryze, Redline, Dumpit.exe
Commercial: EnCase, FTK, Tableau, LogiCube, X-Ways Imager, Magnet Acquire
Evidence Extraction and Analysis
Extraction Techniques
File Carvingrecoverjpeg, foremost, photorec, scalpel, bulk-extractor
Keyword Searchinggrep-based searches across allocated and unallocated space
Registry AnalysisRegRipper, Registry Explorer, FTK Registry Analyzer
MFT AnalysisanalyzeMFT, mft2csv, SleuthKit
Analysis Focus: 5 Ws
- What happened?
- Where did it happen?
- When did it happen?
- Who did it?
- Why did it happen?
Artifact Analysis
Registry Analysis: System info, AutoStart, USB devices, UserAssist, RecentDocs, RunMRU
Shell Items: LNK Files, Jump Lists, Shellbags
Browser Forensics: IE/Edge, Chrome, Firefox history, cache, cookies, downloads
Email Forensics: Outlook PST/OST, Exchange EDB, Webmail analysis
USB Forensics: USBSTOR registry keys, Setupapi logs, MountPoints2
Report Writing
Comprehensive Forensic ReportsCase Overview, Methodology, Findings, Interpretations, Limitations, Conclusion
Chain of Custody DocumentationIdentification, Custody History, Handling Actions, Location Tracking, Authentication
Evidence LogsCapture chain of custody and handling for each evidence item
Expert Testimony PreparationReview reports, Anticipate cross-examination, Simplify complex concepts
Documentation Requirements
- Case Details: Case Name/Number, Investigator info, Case description
- Evidence Details: Evidence type, Make/Model, Serial Number, Drive Capacity, Hash values
- Process Documentation: Tools utilized, Exact commands, Procedures followed
- Chain of Custody: Chronological documentation of evidence handling
Enterprise Forensics Techniques
Remote AcquisitionF-Response like tools to mount drives remotely, Acquiring RAM through network
Cloud Storage AcquisitionDropbox, OneDrive, Amazon S3, Google Drive
Triage AcquisitionIdentifying what to collect, Data collection with custom scripts
Multi-Disk AcquisitionRAID, JBOD (Just a Bunch Of Disks)
Memory ForensicsFTK Imager, Memoryze, Redline, Dumpit.exe, Volatility
Enterprise ToolsEnCase Enterprise, FTK Enterprise, KAPE for rapid triage
Forensics Evidence in the Court
Legal / Compliance RequirementsHR investigation, Employee related internal investigation, LEA Investigation
Local Laws and RegulationsLocal Country specific laws, International Laws, Industry specific laws, Regional laws, GDPR
Evidence AdmissibilityForensic soundness, Chain of custody integrity, Hash verification, Proper documentation
Expert TestimonyRole of forensic expert, Preparation for cross-examination, Legal standards (Daubert/Frye)
# Evidence Integrity Verification
# Compute hash of original evidence
md5sum /dev/sdb > original.hash
# Verify after imaging
md5sum evidence.dd | diff - original.hash
Forensics Tools
Commercial Tools
EnCaseFTKCellebriteMagnet AXIOMX-Ways
Open Source Tools
Autopsy/SleuthKitVolatilityKAPEWiresharkdd/dc3dd
Registry Analysis
RegRipperRegistry ExplorerFTK Registry Analyzer
Browser Forensics
NirSoft ToolsHindsightSQLite Browser
File Carving
ForemostScalpelPhotorecBulk Extractor
Memory Forensics
VolatilityRedlineDumpit
📚 This is an overview of the complete Windows Forensics Framework.
Access the Full Original Framework