Digital Forensics
1. Foundations of Digital Forensics
2. Evidence Collection and Preservation (Acquisition)
3. Computer Forensics
4. Network Forensics
5. Mobile Device Forensics
6. Advanced Forensic Topics
7. Reporting and Presentation

Evidence Collection and Preservation (Acquisition)
  Preparing for Acquisition
    Assembling the Forensic Toolkit
      Hardware Tools
        Write Blockers
        Imaging Devices
        Cables and Adapters
        Storage Media
      Software Tools
        Imaging Software
        Analysis Tools
        Validation Utilities
      Documentation Supplies
        Forms and Templates
        Photography Equipment
        Labeling Materials
    Documenting the Scene
      Photographing and Sketching
        Overall Scene Documentation
        Device-Specific Photography
        Connection Diagrams
      Noting System State and Connections
        Power Status
        Network Connections
        Peripheral Devices
        Screen Contents
    Establishing a Secure Environment
      Isolating Devices from Networks
        Physical Disconnection
        Faraday Bags
        Signal Blocking
      Preventing Remote Access or Tampering
        Access Control
        Monitoring
        Environmental Security
  Data Acquisition Types
    Live Acquisition (Volatile Data)
      Capturing RAM
        Memory Dump Tools
        Hibernation Files
        Page Files
      Capturing Network Connections
        Active Connections
        Listening Ports
        Network Statistics
      Capturing Running Processes
        Process Lists
        Process Memory
        Loaded Modules
      System State Information
        Registry Contents
        Environment Variables
        Temporary Files
    Dead Acquisition (Static Data)
      Imaging Powered-Off Devices
        Cold Boot Procedures
        BIOS/UEFI Considerations
      Collecting Storage Media
        Hard Drives
        Solid State Drives
        Optical Media
        Flash Memory
  Acquisition Methods
    Disk-to-Image
      Full Physical Imaging
        Sector-by-Sector Copy
        Bad Sector Handling
        Compression Options
    Disk-to-Disk
      Cloning Drives
        Hardware Cloning
        Software Cloning
        Verification Procedures
    Logical Acquisition
      Extracting File System Data
        File-Level Copying
        Directory Structure Preservation
      Targeted Data Collection
        Selective File Types
        Date Range Filtering
        Keyword-Based Selection
    Sparse Acquisition
      Selective Imaging of Relevant Data
        Allocated Space Only
        Specific Partitions
        File System Metadata
  Forensic Imaging
    Creating a Bit-Stream Copy
      Ensuring Data Completeness
      Error Handling
      Progress Monitoring
    Forensic Image Formats
      Raw (dd)
        Characteristics and Use Cases
        Advantages and Limitations
        Tool Compatibility
      EnCase (E01)
        Features and Metadata
        Compression Support
        Error Recovery
      AccessData (AD1)
        Compatibility and Limitations
        Proprietary Features
      Advanced Forensic Format (AFF)
        Compression and Encryption Support
        Metadata Capabilities
        Open Source Nature
      Expert Witness Format (EWF)
      SMART Format
    Image Splitting and Spanning
      Size Limitations
      Media Spanning
      Reconstruction Procedures
  Validating Forensic Data
    Hashing Algorithms
      MD5
        Strengths and Weaknesses
        Collision Vulnerabilities
        Legacy Use Cases
      SHA-1
        Deprecation and Security Concerns
        Transition Considerations
      SHA-256
        Current Best Practices
        Performance Considerations
        Security Strength
      SHA-3
      BLAKE2
    Verifying Image Integrity
      Comparing Hash Values
      Block-Level Verification
      Documenting Validation Results
      Re-verification Procedures
    Digital Signatures
      PKI Infrastructure
      Certificate Validation
      Timestamp Services
  Hardware and Software Write Blockers
    Role and Function
      Preventing Data Modification
        Read-Only Access
        Command Filtering
    Types of Write Blockers
      Hardware Write Blockers
        SATA/IDE Blockers
        USB Blockers
        FireWire Blockers
        Network Blockers
      Software Write Blockers
        Operating System Level
        Driver-Based Solutions
        Virtual Machine Integration
    Testing and Verification of Write Blockers
      NIST Testing Procedures
      Validation Protocols
      Performance Testing
      Compatibility Testing