hacktricks/forensics/basic-forensic-methodology
Carlos Polop ed32856aec
Merge pull request #484 from TalebQasem/patch-39
Update interesting-windows-registry-keys.md
2022-09-18 11:20:19 +02:00
..
memory-dump-analysis Merge branch 'master' into patch-6 2022-09-09 13:44:39 +02:00
partitions-file-systems-carving GitBook: [#3483] No subject 2022-09-12 13:26:56 +00:00
pcap-inspection GitBook: [#3479] No subject 2022-09-12 12:25:59 +00:00
specific-software-file-type-tricks Merge pull request #481 from TalebQasem/patch-34 2022-09-18 11:18:16 +02:00
windows-forensics Merge pull request #484 from TalebQasem/patch-39 2022-09-18 11:20:19 +02:00
anti-forensic-techniques.md Update anti-forensic-techniques.md 2022-09-09 22:19:02 +06:00
docker-forensics.md Update docker-forensics.md 2022-09-09 22:42:39 +06:00
file-integrity-monitoring.md Update file-integrity-monitoring.md 2022-09-09 22:08:03 +06:00
linux-forensics.md change support text 2022-09-09 13:28:04 +02:00
malware-analysis.md Merge branch 'master' into patch-5 2022-09-09 13:45:27 +02:00
README.md GitBook: [#3475] No subject 2022-09-09 11:57:02 +00:00

Basic Forensic Methodology

Support HackTricks and get benefits!

Creating and Mounting an Image

{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md" %} image-acquisition-and-mount.md {% endcontent-ref %}

Malware Analysis

This isn't necessary the first step to perform once you have the image. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to keep these actions in mind:

{% content-ref url="malware-analysis.md" %} malware-analysis.md {% endcontent-ref %}

Inspecting an Image

if you are given a forensic image of a device you can start analyzing the partitions, file-system used and recovering potentially interesting files (even deleted ones). Learn how in:

{% content-ref url="partitions-file-systems-carving/" %} partitions-file-systems-carving {% endcontent-ref %}

Depending on the used OSs and even platform different interesting artifacts should be searched:

{% content-ref url="windows-forensics/" %} windows-forensics {% endcontent-ref %}

{% content-ref url="linux-forensics.md" %} linux-forensics.md {% endcontent-ref %}

{% content-ref url="docker-forensics.md" %} docker-forensics.md {% endcontent-ref %}

Deep inspection of specific file-types and Software

If you have very suspicious file, then depending on the file-type and software that created it several tricks may be useful.
Read the following page to learn some interesting tricks:

{% content-ref url="specific-software-file-type-tricks/" %} specific-software-file-type-tricks {% endcontent-ref %}

I want to do a special mention to the page:

{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %} browser-artifacts.md {% endcontent-ref %}

Memory Dump Inspection

{% content-ref url="memory-dump-analysis/" %} memory-dump-analysis {% endcontent-ref %}

Pcap Inspection

{% content-ref url="pcap-inspection/" %} pcap-inspection {% endcontent-ref %}

Anti-Forensic Techniques

Keep in mind the possible use of anti-forensic techniques:

{% content-ref url="anti-forensic-techniques.md" %} anti-forensic-techniques.md {% endcontent-ref %}

Threat Hunting

{% content-ref url="file-integrity-monitoring.md" %} file-integrity-monitoring.md {% endcontent-ref %}

Support HackTricks and get benefits!