hacktricks/forensics/basic-forensic-methodology
2022-05-20 11:11:49 +00:00
..
memory-dump-analysis GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
partitions-file-systems-carving GitBook: [#3219] No subject 2022-05-20 11:11:49 +00:00
pcap-inspection GitBook: [#3219] No subject 2022-05-20 11:11:49 +00:00
specific-software-file-type-tricks GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
windows-forensics GitBook: [#3219] No subject 2022-05-20 11:11:49 +00:00
anti-forensic-techniques.md GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
docker-forensics.md GitBook: [#3163] No subject 2022-05-01 16:04:05 +00:00
file-integrity-monitoring.md GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
image-adquisition-and-mount.md GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
linux-forensics.md GitBook: [#3195] No subject 2022-05-08 23:13:03 +00:00
malware-analysis.md GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
README.md GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00

Basic Forensic Methodology

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Creating and Mounting an Image

{% content-ref url="image-adquisition-and-mount.md" %} image-adquisition-and-mount.md {% endcontent-ref %}

Malware Analysis

This isn't necessary the first step to perform once you have the image. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to keep these actions in mind:

{% content-ref url="malware-analysis.md" %} malware-analysis.md {% endcontent-ref %}

Inspecting an Image

if you are given a forensic image of a device you can start analyzing the partitions, file-system used and recovering potentially interesting files (even deleted ones). Learn how in:

{% content-ref url="partitions-file-systems-carving/" %} partitions-file-systems-carving {% endcontent-ref %}

Depending on the used OSs and even platform different interesting artifacts should be searched:

{% content-ref url="windows-forensics/" %} windows-forensics {% endcontent-ref %}

{% content-ref url="linux-forensics.md" %} linux-forensics.md {% endcontent-ref %}

{% content-ref url="docker-forensics.md" %} docker-forensics.md {% endcontent-ref %}

Deep inspection of specific file-types and Software

If you have very suspicious file, then depending on the file-type and software that created it several tricks may be useful.
Read the following page to learn some interesting tricks:

{% content-ref url="specific-software-file-type-tricks/" %} specific-software-file-type-tricks {% endcontent-ref %}

I want to do a special mention to the page:

{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %} browser-artifacts.md {% endcontent-ref %}

Memory Dump Inspection

{% content-ref url="memory-dump-analysis/" %} memory-dump-analysis {% endcontent-ref %}

Pcap Inspection

{% content-ref url="pcap-inspection/" %} pcap-inspection {% endcontent-ref %}

Anti-Forensic Techniques

Keep in mind the possible use of anti-forensic techniques:

{% content-ref url="anti-forensic-techniques.md" %} anti-forensic-techniques.md {% endcontent-ref %}

Threat Hunting

{% content-ref url="file-integrity-monitoring.md" %} file-integrity-monitoring.md {% endcontent-ref %}

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.