Module 9: Digital Forensics
Recover evidence. Reconstruct the attack. Build the timeline.
You'll reconstruct the attacker's timeline on WS-HR-01 using forensic artifacts — Prefetch, Amcache, and registry evidence.
Lessons & Labs
Evidence Handling & Chain of Custody
Order of volatility, evidence preservation, chain of custody documentation, legal considerations
Lab 9.1 — Evidence Collection
Document chain of custody for a simulated incident. Collect volatile data (memory, network state, running processes) before anything on disk, following the order of volatility, using Velociraptor.
Disk Imaging & Acquisition
Disk imaging concepts, FTK Imager, dcfldd, write blockers, triage imaging with KAPE
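Evidence that cannot be shown to be unchanged is evidence that will not survive a challenge, so acquisition and custody handling both revolve around hashing. The following is an added illustration, not lab code from this course: it hashes an acquired image in chunks, appends a custody entry (who, what, when in UTC, hash at that moment) to a JSON-lines log, and re-verifies the image against every recorded hash. The image bytes, file names, handler names and the "WB-1" write-blocker note are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-hundred-GB images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_custody(log_path, evidence_path, action, handler, note=""):
    """Append one custody entry: handler, action, UTC time, and the evidence hash at that moment."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "action": action,
        "handler": handler,
        "note": note,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")  # append-only: never rewrite earlier entries
    return entry


def verify_custody(log_path, evidence_path):
    """Re-hash the evidence and compare with every recorded hash; any mismatch breaks the chain."""
    current = sha256_file(evidence_path)
    with open(log_path) as log:
        entries = [json.loads(line) for line in log if line.strip()]
    recorded = {e["sha256"] for e in entries}
    # Intact only if there is at least one entry and all of them match the file as it is now.
    return {"current": current, "entries": len(entries), "intact": recorded == {current}}


def demo():
    """Constructed walk-through: acquire, record twice, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "ws-hr-01.dd")       # hypothetical raw image name
        log = os.path.join(tmp, "custody.jsonl")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"CONSTRUCTED IMAGE CONTENT")  # stands in for a real acquisition
        record_custody(log, image, "acquired", "analyst-a", "FTK Imager via write blocker WB-1")
        record_custody(log, image, "transferred", "analyst-b", "received sealed drive")
        before = verify_custody(log, image)
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"\xff")                           # one flipped byte: mishandling or tampering
        after = verify_custody(log, image)
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("before tamper:", result["before"])
    print("after tamper: ", result["after"])
```

In practice the first hash is taken by the imaging tool itself against the write-blocked source (FTK Imager and dcfldd can both hash as they image), and the figure recorded in the custody log must match that tool's output; re-hashing the image later, as above, only proves that the copy has not changed since.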
Lab 9.2 — Disk Artifact Analysis
Analyze a forensic image: extract Prefetch, Amcache, and ShimCache entries. Determine what programs were executed and when, keeping the evidentiary weight of each source straight: a Prefetch file records an actual run (with its last-run timestamps), whereas an Amcache or ShimCache entry shows the binary was present and inspected, not necessarily executed, so corroborate those two with other artifacts before claiming execution.
Windows Forensic Artifacts
Prefetch, Amcache, ShimCache, UserAssist, Shellbags, Jump Lists, browser artifacts
Lab 9.3 — Windows Forensic Investigation
Full Windows investigation: registry analysis, user activity timeline, USB history, browser artifacts. Build the attack narrative.
Linux Forensic Artifacts
auth.log, wtmp/btmp, bash_history, /var/log, package logs, cron artifacts, /tmp analysis
Lab 9.4 — Linux Forensic Investigation
Investigate a compromised Linux server: analyze auth.log, bash_history, cron jobs, and /tmp for attacker artifacts.
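The auth.log analysis in this lab comes down to one question: did a burst of failures from one address turn into an accepted login, and what did that account do next? The script below is an added example, not course material: it parses syslog-style sshd and sudo lines, flags an accepted login preceded by a configurable number of failures from the same IP inside a time window, and pulls the sudo invocations by that user after the login. The log excerpt, hostnames, users and addresses are constructed; the year is an assumption, because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not from a real incident): a password-guessing burst
# from one address, a success, a sudo to root, and an unrelated key-based login.
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 14 02:11:05 web01 sshd[2212]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 14 02:11:06 web01 sshd[2214]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 14 02:11:08 web01 sshd[2216]: Failed password for deploy from 203.0.113.5 port 51240 ssh2
Mar 14 02:11:09 web01 sshd[2218]: Failed password for deploy from 203.0.113.5 port 51242 ssh2
Mar 14 02:11:31 web01 sshd[2220]: Accepted password for deploy from 203.0.113.5 port 51250 ssh2
Mar 14 02:11:31 web01 sshd[2220]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar 14 02:13:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar 14 09:40:12 web01 sshd[3001]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text, year=2024):
    """Turn auth.log lines into event dicts. The year is assumed: syslog omits it,
    so a log spanning New Year will misorder unless the caller splits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if m["proc"] == "sshd":
            if (f := FAILED_RE.search(msg)):
                events.append({"ts": ts, "type": "failed", "user": f["user"], "ip": f["ip"]})
            elif (a := ACCEPTED_RE.search(msg)):
                events.append({"ts": ts, "type": "accepted", "user": a["user"],
                               "ip": a["ip"], "method": a["method"]})
        elif m["proc"] == "sudo":
            if (s := SUDO_RE.match(msg)):
                events.append({"ts": ts, "type": "sudo", "user": s["user"],
                               "target": s["target"], "cmd": s["cmd"]})
    return events


def find_brute_force_logins(events, threshold=3, window=timedelta(minutes=10)):
    """Flag each accepted login preceded by at least `threshold` failures from the
    same source IP within `window`. Failures after the success are not counted."""
    findings = []
    failures = defaultdict(list)  # ip -> failure timestamps seen so far
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "failed":
            failures[e["ip"]].append(e["ts"])
        elif e["type"] == "accepted":
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"ts": e["ts"], "ip": e["ip"], "user": e["user"],
                                 "method": e["method"], "failures": len(recent)})
    return findings


def post_compromise_sudo(events, finding):
    """sudo invocations by the compromised account at or after the suspicious login."""
    return [e for e in events
            if e["type"] == "sudo" and e["user"] == finding["user"] and e["ts"] >= finding["ts"]]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for f in find_brute_force_logins(evs):
        print(f"{f['ts']} {f['ip']} -> {f['user']} via {f['method']} after {f['failures']} failures")
        for s in post_compromise_sudo(evs, f):
            print(f"  {s['ts']} sudo {s['user']} -> {s['target']}: {s['cmd']}")
```

On a live system the same questions should be cross-checked against wtmp/btmp (`last`, `lastb`), since an attacker with root can edit auth.log but frequently forgets the binary login records, and a gap between the two is itself a finding.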
Memory Forensics with Volatility 3
Memory acquisition, Volatility 3 plugins, process analysis, network artifacts, detecting injected code
Lab 9.5 — Memory Forensics
Analyze a memory dump with Volatility 3: list processes, detect injected code, extract network connections, find persistence.
Building a Forensic Timeline
Super timelines, correlating artifacts across sources, Plaso/log2timeline concepts, presenting findings
Lab 9.6 — Build the Timeline
Combine disk, memory, and log artifacts into a unified forensic timeline. Present a minute-by-minute reconstruction of the attack.
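The hard part of the super timeline described in the lesson and this lab is not sorting; it is that every source reports time differently (Prefetch and Volatility in UTC, an exported event log in the analyst's local time, with DST in play), and an unnormalized merge silently puts effects before causes. The following is an added example, not the course's own tooling or Plaso: it normalizes three constructed sources to UTC, merges them, and lets the analyst pull the events around a pivot time. The artifact rows, hostname WS-HR-01 from this module, the user and IP, and the America/New_York assumption for the exported log are all constructed.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed artifacts (not real evidence). Each source records time in its own
# convention; the first job of a super timeline is to force them all into UTC.
PREFETCH_ENTRIES = [  # parsed .pf rows: (file, last-run time rendered as UTC, run count)
    ("POWERSHELL.EXE-022A1B2C.pf", "2024-03-14T07:12:41Z", 3),
    ("RUNDLL32.EXE-1F3A2B1C.pf", "2024-03-14T07:13:05Z", 1),
]
PSLIST_ROWS = [  # Volatility 3 windows.pslist style rows: (pid, ppid, name, CreateTime in UTC)
    (4412, 3988, "powershell.exe", "2024-03-14 07:12:40.000000 UTC"),
    (4520, 4412, "rundll32.exe", "2024-03-14 07:13:04.000000 UTC"),
]
EVTX_ROWS = [  # Security log rows exported in the analyst's local time (assumed America/New_York)
    (4624, "03/14/2024 03:12:30 AM", "logon type 10 for WS-HR-01\\jsmith from 10.0.40.17"),
]
try:
    EVTX_TZ = ZoneInfo("America/New_York")
except ZoneInfoNotFoundError:
    # No system tzdata available: fall back to the offset in force on that date (EDT, UTC-4).
    EVTX_TZ = timezone(timedelta(hours=-4), "EDT")


def prefetch_events(rows):
    for name, last_run, count in rows:
        ts = datetime.strptime(last_run, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"ts": ts, "source": "prefetch", "summary": f"{name} last run (run count {count})"}


def pslist_events(rows):
    for pid, ppid, name, created in rows:
        ts = datetime.strptime(created, "%Y-%m-%d %H:%M:%S.%f UTC").replace(tzinfo=timezone.utc)
        yield {"ts": ts, "source": "memory", "summary": f"process {name} pid {pid} ppid {ppid} created"}


def evtx_events(rows, tz):
    for event_id, local_str, desc in rows:
        # Attach the zone the export was made in, then convert; DST is handled by the zone.
        naive = datetime.strptime(local_str, "%m/%d/%Y %I:%M:%S %p")
        ts = naive.replace(tzinfo=tz).astimezone(timezone.utc)
        yield {"ts": ts, "source": "evtx", "summary": f"EID {event_id}: {desc}"}


def build_super_timeline(prefetch=PREFETCH_ENTRIES, pslist=PSLIST_ROWS,
                         evtx=EVTX_ROWS, evtx_tz=EVTX_TZ):
    """Merge all sources into one list ordered by UTC timestamp. sorted() is stable,
    so events with identical timestamps keep their source order instead of shuffling."""
    events = [*prefetch_events(prefetch), *pslist_events(pslist), *evtx_events(evtx, evtx_tz)]
    return sorted(events, key=lambda e: e["ts"])


def events_around(timeline, anchor, before=timedelta(minutes=1), after=timedelta(minutes=1)):
    """Pivot: everything within a window of a known-bad event (e.g. the first suspicious logon)."""
    return [e for e in timeline if anchor - before <= e["ts"] <= anchor + after]


def render(timeline):
    return [f"{e['ts'].strftime('%Y-%m-%d %H:%M:%S')}Z  {e['source']:<8}  {e['summary']}"
            for e in timeline]


if __name__ == "__main__":
    tl = build_super_timeline()
    print("\n".join(render(tl)))
    print("--- one minute around the logon ---")
    print("\n".join(render(events_around(tl, tl[0]["ts"]))))
```

Note what the merge reveals once the exported log is converted: the 03:12:30 local logon lands at 07:12:30 UTC, ten seconds before the PowerShell process creation in memory, which is the expected cause-before-effect order; had the local time been treated as UTC the logon would have appeared four hours earlier and the narrative would be wrong. The same normalization rule applies when feeding Plaso, which is why the lesson stresses recording every source's time zone at collection.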