Forensics

Forensics

Recovering evidence and analysing compromised systems

13 min readUpdated 2026-04-16
#memory-forensics#disk-forensics#volatility#autopsy#steganography#network-forensics
TL;DR
  • Never modify original evidence — always work from a verified, hash-matched bit-for-bit copy
  • Volatility reveals running processes, injected code, network connections, and encryption keys from memory images
  • Disk forensics recovers deleted files, reconstructs timelines, and surfaces hidden partitions using Autopsy and Sleuth Kit
  • Steganography hides data inside image and audio files — CTF forensics heavily features this; check stegsolve, zsteg, binwalk
  • Hash everything — if hashes do not match before and after acquisition, your analysis cannot be trusted in a report or in court

Overview

Digital forensics is the practice of collecting, preserving, and analysing digital evidence in a forensically sound manner. In penetration testing contexts, forensic techniques are used to understand attacker TTPs on compromised systems, recover artefacts from CTF challenges, or perform incident response. The golden rule: never modify the original evidence.

Prerequisites

  • Familiarity with filesystems (ext4, NTFS) and basic OS internals helps, but isn't strictly required
  • Comfortable installing and running tools from a Linux terminal
  • For CTF forensics: patience and a systematic methodology matter more than prior tool knowledge

Recommended lab: HackTheBox, TryHackMe, and PicoCTF all have forensics challenge categories. For memory forensics practice, download sample images from the MemLabs GitHub repository. For disk forensics: DFIR.training has free challenge images.

Acquisition & Imaging

Before analysis, create a bit-for-bit copy of the target media. Work only from the copy.

bash
# Disk image with dd (verify with hash)
dd if=/dev/sdb of=/mnt/evidence/disk.img bs=4M status=progress
md5sum /dev/sdb > original.md5
md5sum disk.img > copy.md5
diff original.md5 copy.md5  # must match

# Better: dcfldd (built-in hashing and progress)
dcfldd if=/dev/sdb of=disk.img hash=sha256 hashlog=hash.log

# Mount image read-only for analysis
mount -o ro,loop disk.img /mnt/analysis

# Memory acquisition — dump RAM on Linux
avml /tmp/memory.lime

# Load LiME kernel module for live acquisition
insmod lime.ko "path=/tmp/memory.lime format=lime"

Disk Forensics

File Recovery

bash
# Recover deleted files from image
foremost -i disk.img -o /output/foremost/
scalpel disk.img -o /output/scalpel/

# Photorec — GUI-friendly file carver
photorec disk.img

# List files including deleted (ext4)
fls -r -m "/" disk.img | grep "(deleted)"

# Extract a deleted file by inode
icat disk.img 12345 > recovered_file

Filesystem Analysis

bash
# Show filesystem info
fsstat disk.img

# Browse filesystem timeline
mactime -b bodyfile.txt -d > timeline.csv

# Generate bodyfile from image
fls -r -m "/" disk.img > bodyfile.txt

# Autopsy — full GUI suite
autopsy &
# Open browser to http://localhost:9999/autopsy

Steganography

Hidden data inside image, audio, and other files.

bash
# Detect hidden data in images
steghide info suspicious.jpg
stegcracker suspicious.jpg /usr/share/wordlists/rockyou.txt

# Extract with known password
steghide extract -sf suspicious.jpg -p "password"

# LSB steganography analysis
zsteg suspicious.png

# Strings and metadata
strings suspicious.jpg | grep -E "flag|password|secret"
exiftool suspicious.jpg

# Binwalk — find embedded files
binwalk suspicious.jpg
binwalk -e suspicious.jpg  # extract embedded files

Memory Forensics

Memory analysis with Volatility reveals running processes, network connections, injected code, and credentials — even after rebooting to clear tracks.

bash
# Identify the memory profile
vol.py -f memory.lime imageinfo
vol.py -f memory.lime --profile=LinuxUbuntu20_04x64 linux_banner

# Process listing
vol.py -f memory.lime --profile=Win10x64 pslist
vol.py -f memory.lime --profile=Win10x64 pstree
vol.py -f memory.lime --profile=Win10x64 cmdline   # what commands were run

# Find hidden/injected processes
vol.py -f memory.lime --profile=Win10x64 psscan
vol.py -f memory.lime --profile=Win10x64 malfind   # detect code injection

# Network connections
vol.py -f memory.lime --profile=Win10x64 netscan

# Dump a process for further analysis
vol.py -f memory.lime --profile=Win10x64 procdump -p 1234 -D /output/

# Extract strings from a process
vol.py -f memory.lime --profile=Win10x64 memdump -p 1234 -D /output/
strings /output/1234.dmp | grep -i "password\|credential"

# Registry analysis
vol.py -f memory.lime --profile=Win10x64 hivelist
vol.py -f memory.lime --profile=Win10x64 printkey -o 0xe1034b60 -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion"

Network Forensics

bash
# Analyse a PCAP
tcpdump -r capture.pcap -n

# Follow TCP streams
tcpdump -r capture.pcap -A 'tcp port 80' | grep -E "GET|POST|Host:"

# Wireshark — filter examples
# http.request.method == "POST"
# tcp.stream eq 4
# ip.addr == 10.10.10.5

# Extract files from PCAP
tcpflow -r capture.pcap -C

# NetworkMiner — automated file extraction
networkminer capture.pcap

CTF Forensics Checklist

A systematic approach for challenge files:

  1. file mystery — identify file type regardless of extension
  2. strings mystery | less — quick scan for readable content
  3. xxd mystery | head -40 — examine raw hex header
  4. binwalk mystery — check for embedded files
  5. exiftool mystery — full metadata dump
  6. Check magic bytes manually — compare against known signatures
  7. Try common steg tools — steghide, zsteg, stegcracker
  8. Check for encrypted archives — zip/rar with password

Operational Notes

  • Hash before and aftersha256sum disk.img before and after acquisition. If hashes differ, your analysis is unreliable.
  • Never work on originals — always image first, analyse the copy. Tools like foremost modify access timestamps on the files they touch.
  • Use write blockersmount -o ro at minimum; hardware write blockers in professional IR contexts.
  • Volatility 3 syntax — Volatility 3 dropped profiles entirely. Use vol -f memory.lime windows.pslist, not the old vol.py --profile=Win10x64 pslist.
  • CTF vs IR — CTF forensics rewards spotting clever steganography tricks; incident response rewards systematic timeline reconstruction. The tools overlap; the mindset differs entirely.

What to Read Next

  • Post-Exploitation — understanding offensive TTPs from the attacker side sharpens what you look for as an analyst
  • Reconnaissance — artefacts attackers leave during recon are often the first indicators forensic analysts find
  • Password Attacks — forensic password cracking (extracting hashes from disk images and memory) uses the same hashcat/John workflow
← PreviousNetwork Traffic AnalysisNext →Evasion & AV Bypass
← back to knowledge base