hacktricks/generic-methodologies-and-resources/basic-forensic-methodology/README.md

# Basic Forensic Methodology

{% hint style="success" %}
Impara e pratica l'Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica l'Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporta HackTricks</summary>

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos di github.

</details>
{% endhint %}

## Creating and Mounting an Image

{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md" %}
[image-acquisition-and-mount.md](../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md)
{% endcontent-ref %}

## Malware Analysis

Questo **non è necessariamente il primo passo da eseguire una volta che hai l'immagine**. Ma puoi utilizzare queste tecniche di analisi malware in modo indipendente se hai un file, un'immagine del file system, un'immagine di memoria, pcap... quindi è utile **tenere a mente queste azioni**:

{% content-ref url="malware-analysis.md" %}
[malware-analysis.md](malware-analysis.md)
{% endcontent-ref %}

## Inspecting an Image

Se ti viene fornita un'**immagine forense** di un dispositivo, puoi iniziare **ad analizzare le partizioni, il file-system** utilizzato e **recuperare** potenzialmente **file interessanti** (anche quelli eliminati). Scopri come in:

{% content-ref url="partitions-file-systems-carving/" %}
[partitions-file-systems-carving](partitions-file-systems-carving/)
{% endcontent-ref %}

A seconda dei sistemi operativi utilizzati e persino della piattaforma, dovrebbero essere cercati diversi artefatti interessanti:

{% content-ref url="windows-forensics/" %}
[windows-forensics](windows-forensics/)
{% endcontent-ref %}

{% content-ref url="linux-forensics.md" %}
[linux-forensics.md](linux-forensics.md)
{% endcontent-ref %}

{% content-ref url="docker-forensics.md" %}
[docker-forensics.md](docker-forensics.md)
{% endcontent-ref %}

## Deep inspection of specific file-types and Software

Se hai un **file** molto **sospetto**, allora **a seconda del tipo di file e del software** che lo ha creato, diversi **trucchi** potrebbero essere utili.\
Leggi la pagina seguente per scoprire alcuni trucchi interessanti:

{% content-ref url="specific-software-file-type-tricks/" %}
[specific-software-file-type-tricks](specific-software-file-type-tricks/)
{% endcontent-ref %}

Voglio fare una menzione speciale alla pagina:

{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %}
[browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md)
{% endcontent-ref %}

## Memory Dump Inspection

{% content-ref url="memory-dump-analysis/" %}
[memory-dump-analysis](memory-dump-analysis/)
{% endcontent-ref %}

## Pcap Inspection

{% content-ref url="pcap-inspection/" %}
[pcap-inspection](pcap-inspection/)
{% endcontent-ref %}

## **Anti-Forensic Techniques**

Tieni a mente il possibile uso di tecniche anti-forensi:

{% content-ref url="anti-forensic-techniques.md" %}
[anti-forensic-techniques.md](anti-forensic-techniques.md)
{% endcontent-ref %}

## Threat Hunting

{% content-ref url="file-integrity-monitoring.md" %}
[file-integrity-monitoring.md](file-integrity-monitoring.md)
{% endcontent-ref %}

{% hint style="success" %}
Impara e pratica l'Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica l'Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporta HackTricks</summary>

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos di github.

</details>
{% endhint %}
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`# Basic Forensic Methodology`

			`{% hint style="success" %}`
			`Impara e pratica l'Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Impara e pratica l'Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`<details>`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`<summary>Supporta HackTricks</summary>`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`* Controlla i [piani di abbonamento](https://github.com/sponsors/carlospolop)!`
			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Condividi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos di github.`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`{% endhint %}`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`## Creating and Mounting an Image`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md" %}`
			`[image-acquisition-and-mount.md](../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`## Malware Analysis`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`Questo non è necessariamente il primo passo da eseguire una volta che hai l'immagine. Ma puoi utilizzare queste tecniche di analisi malware in modo indipendente se hai un file, un'immagine del file system, un'immagine di memoria, pcap... quindi è utile tenere a mente queste azioni:`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="malware-analysis.md" %}`
			`[malware-analysis.md](malware-analysis.md)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`## Inspecting an Image`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`Se ti viene fornita un'immagine forense di un dispositivo, puoi iniziare ad analizzare le partizioni, il file-system utilizzato e recuperare potenzialmente file interessanti (anche quelli eliminati). Scopri come in:`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="partitions-file-systems-carving/" %}`
			`[partitions-file-systems-carving](partitions-file-systems-carving/)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`A seconda dei sistemi operativi utilizzati e persino della piattaforma, dovrebbero essere cercati diversi artefatti interessanti:`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="windows-forensics/" %}`
			`[windows-forensics](windows-forensics/)`
			`{% endcontent-ref %}`

			`{% content-ref url="linux-forensics.md" %}`
			`[linux-forensics.md](linux-forensics.md)`
			`{% endcontent-ref %}`

			`{% content-ref url="docker-forensics.md" %}`
			`[docker-forensics.md](docker-forensics.md)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`## Deep inspection of specific file-types and Software`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`Se hai un file molto sospetto, allora a seconda del tipo di file e del software che lo ha creato, diversi trucchi potrebbero essere utili.\`
			`Leggi la pagina seguente per scoprire alcuni trucchi interessanti:`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="specific-software-file-type-tricks/" %}`
			`[specific-software-file-type-tricks](specific-software-file-type-tricks/)`
			`{% endcontent-ref %}`

			`Voglio fare una menzione speciale alla pagina:`

			`{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %}`
			`[browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`## Memory Dump Inspection`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="memory-dump-analysis/" %}`
			`[memory-dump-analysis](memory-dump-analysis/)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`## Pcap Inspection`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="pcap-inspection/" %}`
			`[pcap-inspection](pcap-inspection/)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`## Anti-Forensic Techniques`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`Tieni a mente il possibile uso di tecniche anti-forensi:`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="anti-forensic-techniques.md" %}`
			`[anti-forensic-techniques.md](anti-forensic-techniques.md)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`## Threat Hunting`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`{% content-ref url="file-integrity-monitoring.md" %}`
			`[file-integrity-monitoring.md](file-integrity-monitoring.md)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`{% hint style="success" %}`
			`Impara e pratica l'Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Impara e pratica l'Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: No commit message 2024-04-06 18:35:30 +00:00			`<details>`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`<summary>Supporta HackTricks</summary>`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`* Controlla i [piani di abbonamento](https://github.com/sponsors/carlospolop)!`
			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Condividi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos di github.`
GitBook: No commit message 2024-04-06 18:35:30 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:52:42 +00:00			`{% endhint %}`