
Digital Forensics

Digital forensics is the scientific process of identifying, preserving, analyzing, and presenting digital evidence. It applies to criminal investigations, incident response, litigation, and regulatory compliance.

Forensic Process

NIST Digital Forensic Framework

  1. Collection: Identify and acquire digital evidence from devices, networks, and cloud services.
  2. Examination: Process collected data to extract relevant information.
  3. Analysis: Interpret extracted data to draw conclusions.
  4. Reporting: Document findings in a clear, reproducible manner suitable for the intended audience.

Key Principles

  • Preserve the original: Never modify the original evidence. Work on forensic copies.
  • Document everything: Every action taken must be recorded with timestamps.
  • Reproducibility: Another examiner should reach the same conclusions using the same methods.
  • Admissibility: Follow procedures that ensure evidence is admissible in court (jurisdiction-dependent).

Evidence Acquisition

Order of volatility — acquire the most volatile evidence first:

  1. CPU registers and cache
  2. RAM (memory)
  3. Network state (routing tables, connections)
  4. Running processes
  5. Disk (file system)
  6. Remote logging and monitoring data
  7. Physical configuration and network topology
  8. Archival media (backups, tapes)

Imaging tools: dd, dc3dd (forensic variant with hashing), FTK Imager, Guymager.

# Create a forensic image with hash verification
dc3dd if=/dev/sda of=/evidence/disk.raw hash=sha256 log=/evidence/acquisition.log

# Or using dd with manual hash
dd if=/dev/sda of=/evidence/disk.raw bs=4M status=progress
sha256sum /dev/sda > /evidence/source_hash.txt
sha256sum /evidence/disk.raw > /evidence/image_hash.txt
# Hashes must match

Write blockers: Hardware devices (or software controls) that prevent any writes to the evidence drive during acquisition. Essential for maintaining integrity; hardware blockers are preferred because they do not depend on the examiner's OS honouring a read-only setting.
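As an added example (not code from the page or from dc3dd), the verification step above done piecewise in Python: every 1 MiB piece of the source and of the image is hashed alongside the whole-stream hash, so a later mismatch is localised to a region instead of being reported only as a failed whole-disk comparison. The inputs here are in-memory byte buffers constructed for the example; against real media you would pass open file objects for the block device (behind a write blocker) and the image file.

```python
import hashlib
import io


def piecewise_hash(stream, piece_size=1024 * 1024, algo="sha256"):
    """Hash a readable binary stream in fixed-size pieces.

    Returns (overall_hexdigest, [hexdigest of piece 0, piece 1, ...]).
    The overall digest is what goes into the custody record; the per-piece
    digests are what let you locate damage later (dc3dd's piecewise hashing idea).
    """
    overall = hashlib.new(algo)
    pieces = []
    while True:
        chunk = stream.read(piece_size)
        if not chunk:
            break
        overall.update(chunk)
        pieces.append(hashlib.new(algo, chunk).hexdigest())
    return overall.hexdigest(), pieces


def verify_image(source, image, piece_size=1024 * 1024):
    """Compare source media against its image; report overall match and bad pieces."""
    src_total, src_pieces = piecewise_hash(source, piece_size)
    img_total, img_pieces = piecewise_hash(image, piece_size)
    bad = [i for i, (a, b) in enumerate(zip(src_pieces, img_pieces)) if a != b]
    # A short or over-long image: every piece beyond the shorter stream is bad too.
    shorter, longer = sorted((len(src_pieces), len(img_pieces)))
    bad.extend(range(shorter, longer))
    return {
        "match": src_total == img_total,
        "source_sha256": src_total,
        "image_sha256": img_total,
        "bad_pieces": bad,
    }


# Constructed sample data: a 4 KiB "disk" and an image with one byte flipped
# inside the third 1 KiB piece (piece index 2).
SOURCE = bytes(range(256)) * 16
_corrupt = bytearray(SOURCE)
_corrupt[2048 + 17] ^= 0xFF
CORRUPT_IMAGE = bytes(_corrupt)


def demo(piece_size=1024):
    """Clean image, corrupted image, and an image that stopped short of the end."""
    good = verify_image(io.BytesIO(SOURCE), io.BytesIO(SOURCE), piece_size)
    bad = verify_image(io.BytesIO(SOURCE), io.BytesIO(CORRUPT_IMAGE), piece_size)
    short = verify_image(io.BytesIO(SOURCE), io.BytesIO(SOURCE[:3000]), piece_size)
    return good, bad, short


if __name__ == "__main__":
    good, bad, short = demo()
    print("clean image matches:", good["match"])
    print("corrupt image matches:", bad["match"], "bad pieces:", bad["bad_pieces"])
    print("short image matches:", short["match"], "bad pieces:", short["bad_pieces"])
```

Record the overall digest in the acquisition log at collection time; the per-piece list is worth keeping next to the image so that a checksum failure months later can be traced to a specific region rather than forcing a re-acquisition.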

Disk Forensics

File System Analysis

Key artifacts by file system:

| File System | Forensic Artifacts |
|-------------|--------------------|
| NTFS | $MFT, $LogFile, $UsnJrnl, alternate data streams |
| ext4 | Inodes, journal, deleted file recovery via inode tables |
| APFS | Snapshots, clones, encryption metadata |
| FAT32 | Directory entries, FAT chain (simple but limited metadata) |

MFT (Master File Table): NTFS stores file metadata in the MFT. Each file has an MFT entry containing timestamps (created, modified, accessed, entry modified — MACE), file size, and data location. Even deleted files retain MFT entries until overwritten.

Timestamps: Files have multiple timestamps across the file system, OS, and applications. Discrepancies can reveal anti-forensic activity (timestomping).

Data Carving

Recovering files without file system metadata by scanning raw disk data for known file signatures (magic bytes).

Common file signatures (magic bytes):
JPEG:  FF D8 FF (header; the fourth byte varies, e.g. E0 for JFIF, E1 for Exif) ... FF D9 (footer)
PNG:   89 50 4E 47 0D 0A 1A 0A
PDF:   25 50 44 46 (%PDF)
ZIP:   50 4B 03 04
ELF:   7F 45 4C 46

Tools: Scalpel, PhotoRec, Foremost. These scan raw images for header/footer signatures and extract matching data blocks.

Challenges: Fragmented files (non-contiguous blocks), encrypted data, compressed containers.
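An added example, not code from the page or from Scalpel, PhotoRec or Foremost: a small Python carver for the JPEG and PNG signatures listed above, run over a constructed raw buffer. JPEG is carved header to footer; PNG is carved by walking its chunk list to IEND, which is more reliable than a footer search and makes the truncated-file failure mode explicit.

```python
import struct
import zlib

JPEG_SOI = b"\xff\xd8\xff"      # FF D8 FF; the fourth byte (E0, E1, DB, ...) varies
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def carve_png(data, start):
    """Length of the PNG at `start`, or None if its chunk structure is broken.

    Walks length/type/data/CRC chunks to IEND instead of searching for a
    footer, so bytes that merely look like IEND elsewhere cannot fool it.
    """
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha():          # chunk types are four ASCII letters
            return None
        pos += 8 + length + 4            # header + data + CRC
        if pos > len(data):
            return None                  # truncated: chunk runs past the buffer
        if ctype == b"IEND":
            return pos - start
    return None                          # ran out of data before IEND


def carve_jpeg(data, start, max_len=16 * 1024 * 1024):
    """Length of the JPEG at `start`, using the first EOI marker after the header.

    Caveat: an Exif thumbnail embedded in the header carries its own FF D9,
    so this cuts such files short; a full carver walks the marker segments.
    """
    end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
    if end == -1:
        return None
    return end + len(JPEG_EOI) - start


def carve(data):
    """Return [(kind, offset, length), ...] for every recoverable object in `data`."""
    found = []
    pos = 0
    while pos < len(data):
        hits = [(o, k) for o, k in ((data.find(JPEG_SOI, pos), "jpeg"),
                                    (data.find(PNG_SIG, pos), "png")) if o != -1]
        if not hits:
            break
        off, kind = min(hits)            # nearest signature first
        length = carve_jpeg(data, off) if kind == "jpeg" else carve_png(data, off)
        if length is None:
            pos = off + 1                # header with no valid body: keep scanning
            continue
        found.append((kind, off, length))
        pos = off + length               # resume after the carved object
    return found


def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample objects and a constructed "disk" with slack between them.
SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _png_chunk(b"IEND", b""))
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01\x02" * 40 + JPEG_EOI
TRUNCATED_PNG = SAMPLE_PNG[:-6]          # lost the end of its IEND chunk
DISK = (b"\x00" * 512 + SAMPLE_JPEG + b"\xaa" * 300 + SAMPLE_PNG
        + b"\x00" * 100 + TRUNCATED_PNG + b"\x00" * 64)

if __name__ == "__main__":
    for kind, off, length in carve(DISK):
        print(f"{kind}\toffset={off}\tlength={length}")
```

The truncated PNG is deliberately not recovered: a carver that trusted the signature alone would emit a broken file that a viewer rejects. Fragmentation is the same problem in a different shape; neither approach here handles a file whose blocks are non-contiguous.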

Timeline Analysis

Construct a chronological sequence of events from multiple timestamp sources.

Sources: File system timestamps (MACE), log files, browser history, registry modifications (Windows), shell history, email headers.

Tools: Plaso/log2timeline (extracts timestamps from many artifact types into a single timeline), Timesketch (visualization).

Example timeline output:
2024-03-15 02:14:33  NTFS  FILE_CREATED     C:\Users\admin\malware.exe
2024-03-15 02:14:35  EVT   PROCESS_START    malware.exe (PID 4832)
2024-03-15 02:14:37  REG   KEY_MODIFIED     HKLM\...\Run\persistence
2024-03-15 02:15:01  NET   CONNECTION       → 198.51.100.50:443 (C2 server)
2024-03-15 02:17:44  NTFS  FILE_CREATED     C:\Users\admin\exfil.7z
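An added example (not from the page and not Plaso code) showing the core of what a timeline tool does before any visualisation: three constructed sources with three different clock conventions are normalised to UTC and merged. $MFT timestamps are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC), the Windows event log export uses local-time strings from a host whose clock is UTC+1, and a Linux auth log uses Unix epoch seconds. The record formats and sample events are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)


def filetime_to_utc(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build the sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def unix_to_utc(seconds):
    return datetime.fromtimestamp(seconds, tz=UTC)


def local_to_utc(text, fmt, offset_hours):
    """Parse a naive local-time string and shift it to UTC using the host's offset."""
    local = datetime.strptime(text, fmt).replace(
        tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(UTC)


def build_timeline(mft_entries, evt_export, evt_offset_hours, auth_lines):
    """Merge three sources into one UTC-sorted list of (iso_time, source, description)."""
    events = []
    for rec in mft_entries:
        events.append((filetime_to_utc(rec["created"]), "NTFS", f"FILE_CREATED {rec['path']}"))
    for local_text, description in evt_export:
        events.append((local_to_utc(local_text, "%Y-%m-%d %H:%M:%S", evt_offset_hours),
                       "EVT", description))
    for line in auth_lines:
        epoch, rest = line.split(" ", 1)
        events.append((unix_to_utc(int(epoch)), "AUTH", rest))
    events.sort(key=lambda e: e[0])
    return [(t.isoformat(), src, desc) for t, src, desc in events]


# Constructed sample data. The Windows host's clock is UTC+1, so its event log
# export shows 03:14:35 for a process start that happened two seconds after the
# file creation the $MFT (always UTC) records at 02:14:33.
MFT_ENTRIES = [
    {"path": r"C:\Users\admin\malware.exe",
     "created": utc_to_filetime(datetime(2024, 3, 15, 2, 14, 33, tzinfo=UTC))},
    {"path": r"C:\Users\admin\exfil.7z",
     "created": utc_to_filetime(datetime(2024, 3, 15, 2, 17, 44, tzinfo=UTC))},
]
EVT_EXPORT = [("2024-03-15 03:14:35", "PROCESS_START malware.exe (PID 4832)")]
AUTH_LOG = ["1710468901 sshd[1201]: Accepted password for admin from 198.51.100.50 port 51022"]

if __name__ == "__main__":
    for when, source, desc in build_timeline(MFT_ENTRIES, EVT_EXPORT, 1, AUTH_LOG):
        print(f"{when}  {source:<5} {desc}")
```

Without the offset correction the process start would sort an hour after the exfiltration archive was created, which is exactly the kind of error that makes a timeline indefensible. Plaso does this normalisation per parser; when you build timelines by hand, record each source's time zone and clock skew as part of the evidence notes.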

Deleted File Recovery

When a file is "deleted," the file system typically marks the space as available but does not overwrite the data.

NTFS: MFT entry marked as deleted; data clusters marked free. Recoverable until overwritten.

ext4: Inode cleared (the block pointers, or extent tree on ext4, are zeroed on deletion). Recovery relies on the journal, which may still hold the old inode contents, or on data carving.

SSDs: The TRIM command tells the SSD controller which blocks are no longer in use. The controller may erase them during garbage collection at any time, and many drives return zeros for trimmed blocks on read, so recovery is unreliable.

Memory Forensics

Memory analysis captures the state of a running system — processes, network connections, encryption keys, and malware that exists only in RAM.

Acquisition

  • Live capture: LiME (Linux), WinPmem (Windows), osxpmem (macOS).
  • Virtual machines: Suspend the VM and capture the .vmem or snapshot file.
  • Crash dumps: Windows writes a memory dump on a crash (BSOD) if configured for a complete dump; a crash can be forced deliberately when no live-capture tool is available.

Volatility Framework

The primary open-source memory forensics tool. Volatility 3 (invoked as vol; the 2.x CLI was vol.py) supports Windows, Linux, and macOS memory images.

# List running processes
vol -f memory.dmp windows.pslist

# Detect hidden processes (compare different listing methods)
vol -f memory.dmp windows.psscan   # Scans physical memory for EPROCESS structures
# Processes in psscan but not pslist may be hidden by a rootkit (or may simply have terminated)

# Extract network connections
vol -f memory.dmp windows.netscan

# Dump a suspicious process's memory
vol -f memory.dmp windows.memmap --pid 4832 --dump

# Detect injected code
vol -f memory.dmp windows.malfind

# Show the command line each process was started with
vol -f memory.dmp windows.cmdline

Key plugins:

  • pslist / psscan / pstree — Process enumeration and hidden process detection.
  • netscan — Active and closed network connections.
  • malfind — Finds injected code (pages that are executable and not backed by a file).
  • dlllist — Loaded DLLs per process.
  • handles — Open file, registry, and mutex handles.
  • hashdump — Extract password hashes from the SAM.
  • filescan — Find file objects in memory (including deleted files still cached).

Network Forensics

Captures and analyzes network traffic to reconstruct events, identify data exfiltration, and trace attacker activity.

Capture and Analysis

Full packet capture: tcpdump, Wireshark, Arkime (formerly Moloch; indexed, searchable PCAP storage at scale).

Flow data: NetFlow/IPFIX records (source, destination, ports, bytes, timestamps). Less storage than full PCAP but sufficient for detecting anomalies.

# Capture traffic on an interface
tcpdump -i eth0 -w /evidence/capture.pcap -n

# Filter for traffic to/from suspicious IP
tcpdump -r capture.pcap host 198.51.100.50

# Reassemble TCP streams into one file per flow; -e http also decodes HTTP bodies
tcpflow -r capture.pcap -e http -o /evidence/extracted/

Analysis areas: DNS queries (exfiltration via DNS tunneling), HTTP/HTTPS traffic (C2 communication), unusual ports, data volume anomalies, beaconing patterns (regular intervals of outbound connections).

Zeek (formerly Bro)

Network security monitor that produces structured logs from traffic.

# conn.log — connection summaries
# dns.log — DNS queries and responses
# http.log — HTTP requests with headers
# files.log — files transferred over the network
# ssl.log — TLS handshake details
# notice.log — alerts triggered by Zeek scripts
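An added example (not from the page and not part of Zeek) for the beaconing pattern mentioned under analysis areas, run over a constructed Zeek conn.log: connections are grouped by source, destination and destination port, and a group is flagged when the gaps between its connections are nearly constant. The coefficient of variation threshold, the minimum connection count and the sample log lines are all assumptions made for the example.

```python
import statistics
from collections import defaultdict


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def detect_beacons(rows, min_count=5, max_cv=0.15):
    """Flag (orig_h, resp_h, resp_p) tuples whose connection intervals are near-constant.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    successive connections: a person browsing produces bursty gaps, a sleep-loop
    implant produces gaps that cluster tightly around its period even with jitter.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"key": key, "count": len(stamps),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


def _row(ts, uid, oh, op, rh, rp):
    return "\t".join([f"{ts:.6f}", uid, oh, str(op), rh, str(rp), "tcp", "ssl"])


# Constructed conn.log: a 60 s beacon with a few seconds of jitter, one host
# browsing at irregular intervals, and a pair with too few connections to judge.
HEADER = ("#separator \\x09\n"
          "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
          "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring")
BASE = 1710460800.0
_jitter = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1]
_browse = [0, 5, 90, 95, 400, 1300]
_rows = [_row(BASE + 60 * i + j, f"C{i}b", "10.0.0.5", 49000 + i, "198.51.100.50", 443)
         for i, j in enumerate(_jitter)]
_rows += [_row(BASE + d, f"C{i}w", "10.0.0.7", 51000 + i, "203.0.113.10", 443)
          for i, d in enumerate(_browse)]
_rows += [_row(BASE + 30, "C0x", "10.0.0.9", 52000, "192.0.2.8", 22),
          _row(BASE + 75, "C1x", "10.0.0.9", 52001, "192.0.2.8", 22)]
SAMPLE_CONN_LOG = HEADER + "\n" + "\n".join(_rows) + "\n"

if __name__ == "__main__":
    for hit in detect_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit)
```

Flow records are enough for this check, which is why NetFlow/IPFIX retention matters even where full PCAP is not kept. Real implants randomise their sleep, so loosen the threshold and look at the distribution of gaps rather than a single statistic before calling something a beacon; software updaters and monitoring agents beacon too, so every hit needs the destination checked.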

Anti-Forensics

Techniques used to hinder forensic investigation.

| Technique | Description | Detection |
|-----------|-------------|-----------|
| Timestomping | Modifying file timestamps | Compare $STANDARD_INFORMATION timestamps against $FILE_NAME timestamps (most tools rewrite only the former); look for zero sub-second fractions |
| Secure deletion | Overwriting data multiple times | Partially detectable via journal and $UsnJrnl entries, or SSD wear-leveling copies |
| Log clearing | Deleting or modifying log files | Event log gaps and "log cleared" events (Windows Security event 1102); log forwarding to a SIEM |
| Steganography | Hiding data within images/files | Statistical steganalysis (entropy, least-significant-bit distribution) |
| Encryption | Full-disk or file-level encryption | Plaintext unrecoverable without the key; capture keys from memory while the system is live |
| Live-only malware | Runs in memory, no disk artifacts | Memory forensics required |
| Rootkits | Hide processes, files, connections | Cross-view analysis (multiple listing methods) |

Counter-anti-forensics: Centralized logging (attacker cannot delete remote logs), memory forensics, multiple independent evidence sources, hardware write blockers.
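An added example (not from the page) of the timestomping check from the table above and from the timestamps note in the file system section: $STANDARD_INFORMATION timestamps are compared with $FILE_NAME timestamps and checked for whole-second values. The $MFT records are constructed Python dicts holding FILETIME tick values; no real $MFT parsing is done, and the two indicators are assumptions about typical tool behaviour, not a complete test.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000             # NTFS timestamps are 100 ns ticks


def ft(year, month, day, hour, minute, second, sub_ticks=0):
    """FILETIME ticks for a constructed timestamp; sub_ticks is the 100 ns fraction."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10 + sub_ticks


def timestomp_indicators(record):
    """Return the reasons an MFT record looks timestomped (empty list if none).

    record = {"path": ..., "si": {created, modified, accessed, entry_modified},
              "fn": {created, modified}} with FILETIME tick values.
    """
    si, fn = record["si"], record["fn"]
    reasons = []
    # $FILE_NAME is written by the kernel when the name is created and is not
    # reachable through SetFileTime, so $SI claiming the file existed before its
    # own name is suspicious.
    if si["created"] < fn["created"]:
        reasons.append("$SI created predates $FN created")
    # Tools that take a human-readable time usually write whole seconds; genuine
    # NTFS timestamps almost always carry a non-zero 100 ns fraction.
    if all(t % TICKS_PER_SECOND == 0 for t in si.values()):
        reasons.append("every $SI timestamp has a zero sub-second fraction")
    return reasons


def scan(records):
    """Map path -> reasons for every record that shows at least one indicator."""
    flagged = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec["path"]] = reasons
    return flagged


# Constructed $MFT records (tick values only).
RECORDS = [
    {   # untouched file: timestamps agree and carry sub-second fractions
        "path": r"C:\Users\admin\notes.txt",
        "si": {"created": ft(2024, 3, 15, 2, 10, 5, 4471120),
               "modified": ft(2024, 3, 15, 2, 12, 40, 9002281),
               "accessed": ft(2024, 3, 15, 2, 12, 40, 9002281),
               "entry_modified": ft(2024, 3, 15, 2, 12, 40, 9002281)},
        "fn": {"created": ft(2024, 3, 15, 2, 10, 5, 4471120),
               "modified": ft(2024, 3, 15, 2, 10, 5, 4471120)},
    },
    {   # timestomped: $SI backdated to 2019 in whole seconds, $FN keeps the real drop time
        "path": r"C:\Users\admin\malware.exe",
        "si": {"created": ft(2019, 1, 1, 0, 0, 0), "modified": ft(2019, 1, 1, 0, 0, 0),
               "accessed": ft(2019, 1, 1, 0, 0, 0), "entry_modified": ft(2019, 1, 1, 0, 0, 0)},
        "fn": {"created": ft(2024, 3, 15, 2, 14, 33, 1234567),
               "modified": ft(2024, 3, 15, 2, 14, 33, 1234567)},
    },
    {   # legitimately copied file: created newer than modified (copy keeps mtime); not stomped
        "path": r"C:\Users\admin\report.docx",
        "si": {"created": ft(2024, 3, 15, 2, 20, 0, 555), "modified": ft(2023, 6, 1, 12, 0, 0, 4321),
               "accessed": ft(2024, 3, 15, 2, 20, 0, 555), "entry_modified": ft(2024, 3, 15, 2, 20, 0, 555)},
        "fn": {"created": ft(2024, 3, 15, 2, 20, 0, 555), "modified": ft(2024, 3, 15, 2, 20, 0, 555)},
    },
]

if __name__ == "__main__":
    for path, reasons in scan(RECORDS).items():
        print(path, "->", "; ".join(reasons))
```

The copied file is the false positive to watch for: a modified time older than the created time is normal for copies, which is why that comparison is not used as an indicator. A rename or move after stomping copies the forged $SI values into $FN, so an absent $SI/$FN mismatch does not clear a file; the $UsnJrnl and $LogFile records around the suspected time are the next place to look.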

Chain of Custody

A documented, unbroken record of who handled the evidence, when, and what they did with it.

Requirements

  1. Identification: Unique identifier for each piece of evidence.
  2. Collection record: Who collected it, when, where, and how.
  3. Transfer log: Every handoff between individuals or organizations.
  4. Storage: Secure, access-controlled storage with tamper-evident seals.
  5. Integrity verification: Hash values computed at collection and verified at each transfer.

Chain of Custody Log:
──────────────────────────────────────────────────────────
Evidence ID: CASE-2024-0042-HDD-001
Description: Seagate 2TB HDD, S/N: ZA10XXXXX
SHA-256:     a3f2b8c1d4e5f6...

Date/Time            Action              Person          Notes
2024-03-15 08:30     Seized              Det. Johnson    Server room, rack 3
2024-03-15 09:15     Imaged (dc3dd)      Tech. Williams  Hash verified
2024-03-15 10:00     Stored in locker    Tech. Williams  Evidence locker B-7
2024-03-18 14:00     Retrieved for exam  Analyst Chen    Locker seal intact
──────────────────────────────────────────────────────────

Mobile Forensics

Acquisition Levels

  1. Manual: Photograph the screen, navigate through the UI. Least data, most limited.
  2. Logical: Extracts files accessible through the OS API (backup-style). Contacts, messages, photos.
  3. File system: Full file system access. Requires root/jailbreak or exploits.
  4. Physical: Bit-for-bit image of storage. Can recover deleted data. Most complete.
  5. Chip-off: Physically removing the storage chip and reading it directly. Last resort.

Platform-Specific Considerations

iOS: File-level encryption (Data Protection, with keys derived from the passcode and a hardware-bound key) is enabled by default. Acquisition requires the passcode or an exploit. iTunes/Finder backups (encrypted or unencrypted) are a key logical acquisition source; keychain data is included only in encrypted backups, so examiners usually set a backup password before extracting.

Android: Varies by manufacturer. ADB backup (limited, and deprecated on recent versions), root access for file system, JTAG/chip-off for physical. Full-disk encryption (FDE) on older versions, file-based encryption (FBE) on newer ones; chip-off from an encrypted device yields ciphertext unless the keys can be recovered.

Key artifacts: SQLite databases (SMS, contacts, call logs, browser history), application data (chat databases — WhatsApp, Signal, Telegram), location data (GPS logs, Wi-Fi connection history), photos with EXIF metadata.
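An added example (not from the page, and not iLEAPP or ALEAPP code) of the most common stumbling block when reading these SQLite artifacts: the timestamp epoch. Apple databases count from 2001-01-01 (seconds in older iOS, nanoseconds in the message database from iOS 11 on), Android databases mostly use Unix milliseconds. The table below is a constructed, simplified stand-in for the iOS sms.db message table, built in memory so the example runs offline; the column subset and the rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_to_utc(value):
    """Convert an Apple (Cocoa) timestamp to UTC.

    Anything above 10**11 is treated as nanoseconds since 2001-01-01; seconds
    since that epoch would not reach 10**11 for roughly three thousand years.
    """
    value = int(value)
    if value > 10**11:
        seconds, frac_ns = divmod(value, 10**9)
        return APPLE_EPOCH + timedelta(seconds=seconds, microseconds=frac_ns // 1000)
    return APPLE_EPOCH + timedelta(seconds=value)


def android_ms_to_utc(value):
    """Android SQLite artifacts (sms, call log, browser history) mostly use Unix milliseconds."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)


def load_messages(conn):
    """Messages newest first, sorted on the converted time rather than the raw column."""
    rows = conn.execute("SELECT ROWID, date, handle_id, is_from_me, text FROM message").fetchall()
    converted = [(apple_to_utc(date), rowid, handle, bool(from_me), text)
                 for rowid, date, handle, from_me, text in rows]
    converted.sort(key=lambda r: r[0], reverse=True)
    return [{"rowid": rowid, "when": when.isoformat(), "handle": handle,
             "from_me": from_me, "text": text}
            for when, rowid, handle, from_me, text in converted]


def build_sample_db():
    """Constructed in-memory subset of an iOS sms.db 'message' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, date INTEGER, "
                 "handle_id INTEGER, is_from_me INTEGER, text TEXT)")
    conn.executemany(
        "INSERT INTO message (date, handle_id, is_from_me, text) VALUES (?, ?, ?, ?)",
        [
            (732161673000000000, 3, 0, "sending the file now"),   # 2024-03-15 02:14:33 UTC, ns
            (732161700000000000, 3, 1, "got it"),                  # 2024-03-15 02:15:00 UTC, ns
            (700000000, 2, 0, "old seconds-format row"),           # 2023-03-08 20:26:40 UTC, s
        ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for m in load_messages(build_sample_db()):
        print(m["when"], "from_me" if m["from_me"] else "handle", m["handle"], m["text"])
```

Sorting on the converted time matters because a seconds-format row is numerically tiny next to nanosecond rows and would otherwise sort to the wrong end. Converted times are UTC; the device's time zone at the time of the message is a separate artifact and should be recorded with it.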

Tools

  • Cellebrite UFED: Commercial, supports thousands of device models.
  • GrayKey: Specializes in iOS acquisition (uses undisclosed exploits).
  • Autopsy/The Sleuth Kit: Open-source forensic suite for disk and mobile analysis.
  • ALEAPP/iLEAPP: Open-source parsers for Android/iOS artifacts.

Digital forensics requires methodical, documented processes that maintain evidence integrity. The combination of disk, memory, and network forensics provides the most complete picture of an incident, while proper chain of custody ensures findings are defensible.