Digital Forensics

  1. Computer Forensics
    1. File System Analysis
      1. File System Structures
        1. Master Boot Record (MBR)
          1. Structure and Function
          2. Partition Table
          3. Boot Code
          4. Forensic Relevance
        2. GUID Partition Table (GPT)
          1. Structure and Function
          2. Partition Entries
          3. Protective MBR
          4. Forensic Relevance
        3. Volume Boot Record (VBR)
          1. Role in Boot Process
          2. File System Parameters
          3. Boot Code Analysis
        4. Partition Tables
          1. Primary Partitions
          2. Extended Partitions
          3. Logical Drives
      2. Common File Systems
        1. FAT (File Allocation Table)
          1. Variants (FAT12, FAT16, FAT32)
          2. Directory Structure
          3. File Allocation Methods
          4. Deleted File Recovery
          5. Long Filename Support
        2. NTFS (New Technology File System)
          1. Metadata and MFT
          2. Alternate Data Streams
          3. File Permissions
          4. Journaling Features
          5. Compression and Encryption
          6. Volume Shadow Copies
        3. HFS+ (Hierarchical File System Plus)
          1. Catalog File and Extents
          2. Resource Forks
          3. Journaling
          4. Case Sensitivity
        4. APFS (Apple File System)
          1. Snapshots and Encryption
          2. Space Sharing
          3. Cloning Features
          4. Crash Protection
        5. Ext4 (Fourth Extended Filesystem)
          1. Journaling and Inodes
          2. Extent-Based Allocation
          3. Delayed Allocation
          4. Barrier Support
        6. ZFS (Zettabyte File System)
        7. Btrfs (B-tree File System)
        8. ReFS (Resilient File System)
      3. File System Artifacts
        1. Deleted Files and Recovery
        2. File Slack and Unallocated Space
        3. Metadata Preservation
        4. Timestamp Analysis
        5. File Carving Opportunities
    2. Operating System Forensics
      1. Windows Forensics
        1. The Windows Registry
          1. Structure and Hives
          2. User and System Artifacts
          3. Registry Keys of Interest
          4. Deleted Registry Data
          5. Registry Timeline Analysis
        2. Event Logs
          1. Types of Logs (System, Security, Application)
          2. Log Analysis Techniques
          3. Event Correlation
          4. Log Tampering Detection
        3. Prefetch and Superfetch Files
          1. Purpose and Forensic Value
          2. Program Execution Evidence
          3. Timeline Reconstruction
        4. Shadow Copies
          1. Accessing Previous Versions
          2. Volume Shadow Copy Service
          3. Recovery Procedures
        5. LNK Files and Jump Lists
          1. Shortcut Analysis
          2. Recent Document Access
          3. Program Usage Patterns
        6. Windows Search Index
        7. Thumbcache and Icon Cache
        8. Windows.old Folders
        9. Recycle Bin Analysis
        10. User Profile Analysis
        11. Windows Artifacts Timeline
      2. Linux/Unix Forensics
        1. System Logs (/var/log)
          1. Log Types and Locations
          2. Syslog Analysis
          3. Authentication Logs
          4. Application Logs
        2. User Account Information
          1. /etc/passwd and /etc/shadow
          2. Group Information
          3. Sudo Configuration
          4. Login History
        3. Shell History
          1. Bash and Other Shells
          2. Command Line Artifacts
          3. History File Analysis
        4. Cron Jobs
          1. Scheduled Task Analysis
          2. System and User Crontabs
          3. At Jobs
        5. File System Permissions
        6. Package Management Logs
        7. Network Configuration
        8. Kernel Modules
      3. macOS Forensics
        1. Plist Files
          1. User and System Preferences
          2. Application Settings
          3. Launch Agents and Daemons
        2. System Logs
          1. Log Locations and Analysis
          2. Console Application
          3. Unified Logging System
        3. Spotlight Metadata
          1. Indexing and Search Artifacts
          2. Metadata Database
          3. Search History
        4. Time Machine Backups
          1. Backup Structure and Recovery
          2. Incremental Backup Analysis
          3. Deleted File Recovery
        5. Keychain Analysis
        6. Safari Artifacts
        7. Application Support Files
        8. Quick Look Thumbnails
    3. Volatile Data Analysis (Memory Forensics)
      1. Capturing System Memory (RAM)
        1. Tools and Techniques
          1. Hardware-Based Capture
          2. Software-Based Capture
          3. Hypervisor-Based Capture
        2. Live Response Considerations
          1. Minimizing System Impact
          2. Order of Operations
          3. Tool Selection
      2. Analyzing Memory Dumps
        1. Running Processes
          1. Process Enumeration
          2. Process Tree Analysis
          3. Hidden Processes
        2. Network Connections
          1. Open Ports and Connections
          2. Network Statistics
          3. Socket Analysis
        3. Loaded Drivers and DLLs
          1. Identifying Malicious Modules
          2. Driver Analysis
          3. Code Injection Detection
        4. Passwords and Encryption Keys
          1. Extraction Techniques
          2. Key Recovery Methods
          3. Password Hash Extraction
        5. Registry Analysis in Memory
        6. File System Structures in Memory
        7. Malware Detection in Memory
      3. Memory Analysis Frameworks
        1. Volatility Framework
        2. Rekall Framework
        3. WinDbg Analysis
      4. Advanced Memory Analysis
        1. Rootkit Detection
        2. Code Injection Analysis
        3. Heap and Stack Analysis
        4. Virtual Address Space Analysis
    4. Data Recovery and Carving
      1. Recovering Deleted Files
        1. File System Recovery Tools
          1. Undelete Utilities
          2. Recovery Procedures
        2. Limitations and Overwrites
          1. File System Behavior
          2. Overwrite Patterns
          3. Recovery Success Factors
      2. File Carving Techniques
        1. Header/Footer Analysis
          1. Identifying File Signatures
          2. Magic Number Detection
          3. File Type Identification
        2. Structure-based Carving
          1. Parsing File Structures
          2. Format-Specific Recovery
          3. Validation Methods
        3. Fragmented File Recovery
          1. Fragment Identification
                                                                                                                                                                                                                                                                                                        1. Reassembly Techniques
                                                                                                                                                                                                                                                                                                          1. Validation Procedures
                                                                                                                                                                                                                                                                                                          2. Statistical Carving
                                                                                                                                                                                                                                                                                                            1. Semantic Carving
                                                                                                                                                                                                                                                                                                            2. Advanced Recovery Techniques
                                                                                                                                                                                                                                                                                                              1. RAID Recovery
                                                                                                                                                                                                                                                                                                                1. Encrypted Volume Recovery
                                                                                                                                                                                                                                                                                                                  1. Damaged Media Recovery
                                                                                                                                                                                                                                                                                                                    1. Cross-Drive Analysis