Module 9: Digital Forensics
Recover evidence. Reconstruct the attack. Build the timeline.
Lessons
Evidence Handling & Chain of Custody
Order of volatility, evidence preservation, chain of custody documentation, legal considerations
Disk Imaging & Acquisition
Disk imaging concepts, FTK Imager, dcfldd, write blockers, triage imaging with KAPE
Windows Forensic Artifacts
Prefetch, Amcache, ShimCache, UserAssist, Shellbags, Jump Lists, browser artifacts
Linux Forensic Artifacts
auth.log, wtmp/btmp, bash_history, /var/log, package logs, cron artifacts, /tmp analysis
Memory Forensics with Volatility 3
Memory acquisition, Volatility 3 plugins, process analysis, network artifacts, detecting injected code
Building a Forensic Timeline
Super timelines, correlating artifacts across sources, Plaso/log2timeline concepts, presenting findings
Labs
Lab 9.1 — Evidence Collection
Document chain of custody for a simulated incident. Collect volatile data in the correct order using Velociraptor.
Lab 9.2 — Disk Artifact Analysis
Analyze a forensic image: extract Prefetch, Amcache, and ShimCache entries. Determine what programs were executed and when.
Lab 9.3 — Windows Forensic Investigation
Full Windows investigation: registry analysis, user activity timeline, USB history, browser artifacts. Build the attack narrative.
Lab 9.4 — Linux Forensic Investigation
Investigate a compromised Linux server using Velociraptor — analyze auth.log, bash_history, cron jobs, systemd services, and filesystem artifacts to reconstruct the full attack chain.
Lab 9.5 — Memory Forensics
Analyze process memory and system state using Velociraptor — detect injected code, map C2 connections, identify LD_PRELOAD rootkits, and document fileless threats that disk forensics missed.
Lab 9.6 — Build the Timeline
Combine all forensic artifacts from disk and memory investigations into a unified minute-by-minute attack timeline — the ultimate deliverable of any forensic investigation.