LSWSec - Defensive Security Notes

Digital Evidence and Handling

  • Trace evidence is often left behind.

  • This evidence can easily be tampered with, so all evidence needs to be verified before it can be trusted.

Types of digital evidence:

  • E-mails

  • Digital Photographs

  • Logs

  • Documents

  • Messages

  • Files

  • Browser History

  • Databases

  • Backups

  • Disk Images

  • Video/audio files

Handling

  • Handling and securing of evidence is critical

  • Actions taken by digital forensic teams should not alter the original evidence

  • Proper documentation and justification of actions can help prevent evidence from being dismissed if the evidence is altered.

  • Use both hardware and software write blockers to stop data being altered.

  • Everything should be documented

Order of Volatility

  • Volatile evidence is evidence that can be lost if a system is powered down.

  • Registers and cache - the contents of the CPU are extremely volatile; nanoseconds can be the difference between retrieving and losing data

  • Routing table, ARP Cache, Process Table, Kernel Statistics, Memory - highly volatile

  • Temporary File Systems - less volatile, but very important

  • Disk - less volatile but processes could overwrite data

  • Remote logging and monitoring data - highly volatile but not as important

  • Physical configuration, network topology and archival media - either not vital or not volatile.

Metadata and File carving

  • Metadata is data about data

  • File carving is the process of searching a data stream for file headers and footers, and is used to retrieve deleted files from disk images

Metadata

  • Look under the Details tab in Properties (Windows)

  • Use either “ls -lisap <file>” or “stat <file>”

  • ExifTool is also an amazing tool to use

File Carving

  • Tool: scalpel

  • First tell scalpel what to detect in /etc/scalpel/scalpel.conf

  • Uncomment the file types you want to detect

  • Run scalpel with the following command: “scalpel -b -o <output> <disk image file>”
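The header/footer search that scalpel performs, written out as an added Python example (not from these notes or from scalpel itself) over a constructed byte stream; the signature table, the carve limit and the sample image are assumptions for illustration. Each carved file is hashed at carve time so the output can be verified later, and a header with no matching footer is skipped rather than carved.

```python
import hashlib
from dataclasses import dataclass

# Header/footer signatures, modelled on the kind of entries found in scalpel.conf
# (constructed subset; real entries also carry a maximum carve size per type).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 1 << 20  # give up on a header if no footer appears within 1 MiB

@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    sha256: str  # hash taken at carve time so the carved output can be verified later

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def carve(stream: bytes, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan a raw byte stream for header/footer pairs and return the carved files."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := stream.find(header, pos)) != -1:
            window_end = min(len(stream), start + max_size)
            end = stream.find(footer, start + len(header), window_end)
            if end == -1:
                # Orphan header (truncated or overwritten file): skip it, keep scanning
                pos = start + 1
                continue
            end += len(footer)
            data = stream[start:end]
            found.append(Carved(kind, start, data, sha256_hex(data)))
            pos = end
    return sorted(found, key=lambda c: c.offset)

# Constructed "disk image": filler, a PNG, filler, a JPEG, filler, then a JPEG header
# with no footer (the kind of fragment a real image leaves behind).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
JPG = b"\xff\xd8\xff\xe0" + b"JFIF payload" + b"\xff\xd9"
SAMPLE_IMAGE = b"\x00" * 32 + PNG + b"\x00" * 8 + JPG + b"\x00" * 8 + b"\xff\xd8\xff\xe1" + b"\x00" * 4

if __name__ == "__main__":
    for c in carve(SAMPLE_IMAGE):
        print(f"{c.kind} at offset {c.offset}: {len(c.data)} bytes, sha256={c.sha256}")
```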
