.. | ||
memory-dump-analysis | ||
partitions-file-systems-carving | ||
pcap-inspection | ||
specific-software-file-type-tricks | ||
windows-forensics | ||
anti-forensic-techniques.md | ||
docker-forensics.md | ||
file-integrity-monitoring.md | ||
linux-forensics.md | ||
malware-analysis.md | ||
README.md |
Basic Forensic Methodology
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Creating and Mounting an Image
{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md" %} image-acquisition-and-mount.md {% endcontent-ref %}
Malware Analysis
This isn't necessary the first step to perform once you have the image. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to keep these actions in mind:
{% content-ref url="malware-analysis.md" %} malware-analysis.md {% endcontent-ref %}
Inspecting an Image
if you are given a forensic image of a device you can start analyzing the partitions, file-system used and recovering potentially interesting files (even deleted ones). Learn how in:
{% content-ref url="partitions-file-systems-carving/" %} partitions-file-systems-carving {% endcontent-ref %}
Depending on the used OSs and even platform different interesting artifacts should be searched:
{% content-ref url="windows-forensics/" %} windows-forensics {% endcontent-ref %}
{% content-ref url="linux-forensics.md" %} linux-forensics.md {% endcontent-ref %}
{% content-ref url="docker-forensics.md" %} docker-forensics.md {% endcontent-ref %}
Deep inspection of specific file-types and Software
If you have very suspicious file, then depending on the file-type and software that created it several tricks may be useful.
Read the following page to learn some interesting tricks:
{% content-ref url="specific-software-file-type-tricks/" %} specific-software-file-type-tricks {% endcontent-ref %}
I want to do a special mention to the page:
{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %} browser-artifacts.md {% endcontent-ref %}
Memory Dump Inspection
{% content-ref url="memory-dump-analysis/" %} memory-dump-analysis {% endcontent-ref %}
Pcap Inspection
{% content-ref url="pcap-inspection/" %} pcap-inspection {% endcontent-ref %}
Anti-Forensic Techniques
Keep in mind the possible use of anti-forensic techniques:
{% content-ref url="anti-forensic-techniques.md" %} anti-forensic-techniques.md {% endcontent-ref %}
Threat Hunting
{% content-ref url="file-integrity-monitoring.md" %} file-integrity-monitoring.md {% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.