Roadmap

Digital Forensics Analyst

The investigator who collects, preserves, and analyzes digital evidence from computers, networks, mobile devices, and cloud environments. Reconstructs what happened, when, by whom, and what was accessed or taken, in support of incident response, litigation, law enforcement, and internal investigations.

OPTIMISTIC 2–3 yearsREALISTIC 3–4 years

Stage 00

Computer & IT Fundamentals

Forensic analysis requires understanding what the evidence actually represents at the hardware and OS level. You cannot interpret what you do not understand.

Computer Hardware — Forensic Relevance

Storage types — HDD (platters, sectors, slack space, file deletion mechanics) vs SSD (TRIM, wear leveling, complicates recovery) vs NVMe
Storage interfaces — SATA, NVMe, M.2 — physical acquisition implications
RAM — volatile memory, DIMM form factors, DDR generations — memory acquisition must be done before power-off
Write blockers — hardware and software write blockers prevent modification of evidence during acquisition
Firmware — BIOS/UEFI, hard drive firmware — anti-forensics and persistence techniques at firmware level

File Systems — Forensic Depth

NTFS (Windows primary): - MFT (Master File Table) — every file and directory; metadata even after deletion - $MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, $Bitmap, $Boot, $BadClus, $Secure, $UpCase, $Extend - File attributes — $STANDARD_INFORMATION (timestamps), $FILE_NAME (timestamps), $DATA (content) - Resident vs non-resident data — small files stored directly in MFT; larger files have data runs - Alternate Data Streams (ADS) — hidden data attached to files; malware persistence technique - File deletion — MFT record flagged as unallocated; data recoverable until overwritten - Zone Identifier ADS — marks downloaded files (Zone 3 = internet); tracks file origin - $Recycle.Bin — recycle bin structure; $I (info) and $R (content) files; timestamps and original path - Volume Shadow Copies (VSS) — point-in-time snapshots; previous file versions; attackers delete these
FAT32/exFAT — flash drives, external media; simpler structure; no journaling
ext4 (Linux): - inodes — metadata; timestamps, permissions, pointers to data blocks - Journal — ext3/4 journaling protects metadata; forensic artifact - Directory entries — link filename to inode number - Deleted file recovery — inode zeroed; journal may retain data
APFS (macOS) — copy-on-write, snapshots, encryption, sealed volumes
HFS+ (legacy macOS) — still encountered on older systems

Operating System Architecture

Windows — kernel, HAL, user space, Win32 API, NT namespace, object manager
Linux — kernel, syscall interface, VFS (Virtual File System), proc filesystem
Process model — PID, PPID, handles, tokens, memory maps — forensic reconstruction
Registry — hive files, keys, values — persistence, configuration, evidence of execution

Virtualization and Cloud

Virtual machines — VMDK, VHD, VHDX forensic acquisition
Containers — ephemeral storage; forensic challenges
Cloud forensics — API-based evidence collection; logs instead of disk images

Resources

Professor Messer CompTIA A+ (free YouTube)
"The Art of Memory Forensics" (book)
Windows Internals (book)

Stage 01

Operating Systems — Forensic Depth

Forensic analysis of Windows systems is 70–80% of what most analysts do. Linux and macOS are increasingly important. Know the artifacts before the tools.

Windows Forensics — Registry Forensics

Registry hives and locations: - SYSTEM — C:\Windows\System32\config\SYSTEM — services, devices, OS config - SOFTWARE — C:\Windows\System32\config\SOFTWARE — installed software, run keys, user profiles - SAM — C:\Windows\System32\config\SAM — local user account hashes - SECURITY — C:\Windows\System32\config\SECURITY — LSA secrets, cached credentials - NTUSER.DAT — C:\Users\[username]\NTUSER.DAT — per-user settings, MRU lists, user activity - UsrClass.dat — C:\Users\[username]\AppData\Local\Microsoft\Windows\UsrClass.dat — shellbags, user interface activity
Key artifacts by category: - Persistence: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; Services keys; Scheduled Tasks; WMI subscriptions - User activity: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs; TypedPaths; UserAssist (ROT13 encoded program execution with timestamps) - Opened files: OpenSavePidlMRU; LastVisitedPidlMRU — files opened via common dialogs - USB devices: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR; HKLM\SYSTEM\CurrentControlSet\Enum\USB; first/last connection timestamps; device serial numbers; MountedDevices - Network: NetworkList — networks connected to with SSID, first/last connect; TypedURLs — URLs typed in browser address bar - ShimCache (AppCompatCache) — HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache — tracks executables that ran on system; survives deletion of executable - AmCache — C:\Windows\AppCompat\Programs\Amcache.hve — SHA1 hash, first/last execution, file path, file size; requires separate hive parsing - Background Activity Moderator (BAM) — HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings — last execution time per user - MUICache — programs that have run on the system by their window title - System boot time — HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime

Windows Event Logs — Forensic Depth

Critical Security Event IDs: - 4624 — Logon success — Logon Type is critical: - Type 2 = Interactive (keyboard/mouse at console) - Type 3 = Network (file shares, scheduled tasks, net use) - Type 4 = Batch (scheduled task, service) - Type 5 = Service - Type 7 = Unlock - Type 8 = NetworkCleartext - Type 9 = NewCredentials (runas) - Type 10 = RemoteInteractive (RDP) - Type 11 = CachedInteractive - 4625 — Logon failure — Sub Status Code distinguishes reason (0xC000006D = bad username/password, 0xC0000064 = no such user, 0xC000006A = wrong password, 0xC0000234 = locked out) - 4634/4647 — Logoff / user initiated logoff - 4648 — Logon with explicit credentials (RunAs, WMI) - 4672 — Special logon (admin privileges) - 4688 — Process creation with command line (requires audit policy enabled) - 4697 — Service installed - 4698/4699/4702 — Scheduled task created/deleted/updated - 4720 — User account created - 4722/4725/4726 — Account enabled/disabled/deleted - 4732/4733 — Member added/removed from local group - 4768 — Kerberos TGT request - 4769 — Kerberos service ticket request (Kerberoasting indicator — RC4 encryption type) - 4771 — Kerberos pre-auth failure (brute force indicator) - 4776 — NTLM authentication attempt - 5140 — Network share accessed - 5156 — Windows Filtering Platform connection allowed - 7034/7035/7036/7040/7045 — Service operations
System Event Log — unexpected reboots, driver loads, VSS deletion
Application Event Log — crash reports, error codes from applications
PowerShell/Operational (Microsoft-Windows-PowerShell/Operational): - EID 4100 — PS error - EID 4103 — Module logging (shows parameters) - EID 4104 — Script block logging (full script content, even deobfuscated)
Sysmon logs — if deployed: process creation (EID 1), network connections (EID 3), image loads (EID 7), remote thread creation (EID 8), LSASS access (EID 10), DNS queries (EID 22)
Task Scheduler Operational — task creation, execution, deletion

Windows Artifacts — Execution Evidence

Prefetch — C:\Windows\Prefetch\*.pf — executables that ran; last run time; run count (Windows 8+); up to 8 most recent run timestamps - Disabled on SSDs by default (check HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher)
Shimcache (AppCompatCache) — executables that ran or were present on system
Amcache.hve — program execution with SHA1 hash; can identify malware even after deletion
Jump Lists — recent files and applications; per-application usage tracking; LNK targets - AutomaticDestinations — recently opened files per application - CustomDestinations — pinned items
LNK Files — shortcut files; contain target path, timestamps, MAC address, drive serial number, volume name; created automatically when files are opened via Explorer or Office - Locations: %APPDATA%\Microsoft\Windows\Recent\; Office Recent
Windows.edb — Windows Search index; indexed file content; path to recovered documents
Thumbcache.db — thumbnail cache for Explorer; evidence of image/document access even after file deletion
Shellbags — UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags — directory browsing history; evidence of folder access, removable media, network share access

Windows Memory Artifacts

Hibernation file — C:\hiberfil.sys — RAM contents written to disk on hibernate; valuable for memory analysis
Page file — C:\pagefile.sys — virtual memory; may contain strings, artifacts from memory
Crash dumps — C:\Windows\Minidump\; MEMORY.DMP — process crash analysis
Unallocated clusters — may contain fragments of deleted files, metadata

Browser Forensics

Chrome/Chromium (SQLite databases): - History — C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\History — URL visits, title, visit time, visit count - Downloads — embedded in History database - Cookies — expiry, last access, domain, flags - Login Data — saved credentials (encrypted with DPAPI) - Favicons — mapping of URLs to favicons - Cache — C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Cache - Extension-based artifacts — browser history forensics considering extensions
Firefox (SQLite + JSON): - places.sqlite — history and bookmarks - cookies.sqlite — cookie data - logins.json — saved passwords (encrypted) - sessionstore.jsonlz4 — open tabs at last close
Edge — Chromium-based; similar structure to Chrome
Internet Explorer / Legacy Edge — WebCacheV01.dat; ESE database format

Email Forensics

Outlook .PST and .OST files — mailbox containers; offline message store
Exchange EWS/OWA access — server-side logs; Exchange tracking logs
Email headers — Received, X-Originating-IP, Authentication-Results (SPF/DKIM/DMARC), Message-ID, Reply-To
Phishing indicators — sender spoofing, header analysis, embedded links, attachment types
Metadata in email attachments — document properties containing author, creation date

Windows Timeline and Execution Evidence

ActivitiesCache.db — C:\Users\[user]\AppData\Local\ConnectedDevicesPlatform\[GUID]\ActivitiesCache.db — Windows Timeline; application use, file access history
SRUM (System Resource Usage Monitor) — C:\Windows\System32\sru\SRUDB.dat — application network usage, energy usage, execution history per process per hour
Windows Search Index — Windows.edb — indexed file content

Linux Forensics

Filesystem timestamps — atime (access), mtime (modify), ctime (change/metadata) — ctime cannot be set manually; reliable for timeline
/proc filesystem — /proc/[pid]/ — process information; /proc/[pid]/exe (symlink to executable); /proc/[pid]/cmdline; /proc/[pid]/fd (open file descriptors); /proc/[pid]/maps (memory mapping)
Key log files: - /var/log/auth.log or /var/log/secure — authentication events; SSH logins; sudo usage - /var/log/syslog or /var/log/messages — general system messages - /var/log/kern.log — kernel messages - /var/log/wtmp — binary; successful logins; last command - /var/log/btmp — binary; failed logins; lastb command - /var/log/lastlog — last login per user; lastlog command - /var/log/cron — cron job execution - ~/.bash_history — command history; can be disabled or manipulated by attacker - /root/.bash_history — root command history
User account artifacts: - /etc/passwd — user accounts, shells, home directories - /etc/shadow — password hashes, age, expiry - /etc/sudoers — sudo configuration; who can elevate - ~/.ssh/authorized_keys — SSH public keys; attacker persistence vector - ~/.ssh/known_hosts — systems user has connected to
Cron — /etc/crontab, /etc/cron.d/, /var/spool/cron/crontabs/ — persistence and scheduled execution
Startup — /etc/rc.local, /etc/init.d/, systemd unit files, ~/.config/autostart/
Installed packages — dpkg.log (/var/log/dpkg.log) or yum.log (/var/log/yum.log) — what was installed when
Network artifacts — netstat snapshot requires live system; /proc/net/tcp — active TCP connections
tmpfs — in-memory filesystems; contents lost on reboot

macOS Forensics

Unified Log — /private/var/db/diagnostics/ — replaced all legacy .log files; extremely rich source - log show --predicate 'eventMessage contains "..."' — querying
System logs — /var/log/system.log (legacy)
User artifacts: - ~/Library/Application Support/ — app data - ~/Library/Preferences/ — .plist files; user application settings - ~/Library/Containers/ — sandboxed app data - ~/.bash_history or ~/.zsh_history — command history
Quarantine database — ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 — downloaded files, source URL, date
Spotlight metadata — .Spotlight-V100/ — indexed file content; provides evidence even after deletion
Time Machine — backup snapshots; historical file versions
KnowledgeC.db — ~/Library/Application Support/Knowledge/knowledgeC.db — app usage, screen time, location history
CoreAnalytics — aggregated app usage data

Resources

SANS FOR500 Windows Forensics material
TryHackMe Digital Forensics rooms (free)
"Windows Forensic Analysis Toolkit" (book)
Eric Zimmermann tools documentation (free)

Stage 02

Security Fundamentals

Forensic analysts investigate attacks. You must understand how attackers operate to recognize and interpret attack artifacts.

Security Fundamentals

CIA Triad — evidence preservation maintains integrity
Attack lifecycle — Cyber Kill Chain, MITRE ATT&CK — mapping artifacts to attacker actions
Common attack types — phishing, credential theft, lateral movement, data exfiltration, ransomware
Malware types — RATs, keyloggers, rootkits, ransomware, droppers — behavioral signatures
Windows attack techniques — Pass-the-Hash, Kerberoasting, credential dumping, persistence via registry/services/scheduled tasks
Network attack patterns — C2 communication, DNS tunneling, data exfiltration over HTTP/S
Defense tools — EDR, SIEM, firewall, proxy — forensic artifact sources
Legal concepts — chain of custody, admissibility, search and seizure, privacy laws

Resources

Professor Messer Security+ (free YouTube)
MITRE ATT&CK website (free)
"Hacking: The Art of Exploitation" for understanding techniques

Stage 03

Digital Forensics Methodology & Evidence Handling

Forensic evidence must be collected and preserved in a manner that ensures its integrity and admissibility. Methodology failures can invalidate an entire investigation.

Evidence Handling Principles

Locard's Exchange Principle — every contact leaves a trace; applied to digital: every action modifies something
Chain of custody — documented record of who handled evidence, when, and what was done - Evidence tag — case number, item number, description, who collected, date/time, location - Evidence log — every transfer, access, and examination recorded - Tamper-evident packaging — sealing evidence after collection; evidence bags, hash verification
Evidence integrity — cryptographic hash of evidence before and after examination - MD5 — legacy, still used for reference; 128-bit - SHA-1 — also legacy; 160-bit - SHA-256 — current standard; 256-bit; should be primary hash - Hash mismatch = evidence contamination; potential inadmissibility
Volatility order — collect most volatile data first (memory → running processes → network connections → disk) - RAM — lost on shutdown - Running processes and network connections — lost on shutdown - Encrypted filesystem keys — may be in memory - Disk — persistent but may change with time (writes, logs)

Forensic Acquisition Methods

Bit-for-bit image — exact copy of storage media including unallocated space, deleted files, slack space - Dead acquisition — device powered off; most forensically sound - Live acquisition — device running; necessary when encryption keys are in memory
Acquisition tools: - FTK Imager — commercial, free for imaging; E01, DD, AFF, raw formats; creates multiple hash verification - dc3dd — command-line; dd with hashing; log file generation - Guymager — Linux GUI; fast; multiple output formats - ewfacquire — command-line; E01 format - Write blockers — hardware (Tableau, CRU) or software (Arsenal Image Mounter, Linux mount -o ro,noload) — mandatory to prevent modification of evidence
Image formats: - RAW/DD — bit-for-bit copy; no metadata; simple - E01 (Expert Witness Format) — EnCase format; compression; hash; case metadata; segment files - AFF4 — modern format; metadata; compression; encryption
Live acquisition — RAM: - WinPmem — Windows memory acquisition - LiME (Linux Memory Extractor) — kernel module; acquires Linux RAM - Magnet RAM Capture — Windows GUI tool - FTK Imager — Windows memory capture option
Network acquisition: - Packet capture with tcpdump or Wireshark — active capture during incident - PCAP analysis — previously captured traffic

Forensic Investigation Process

Identification — what is the scope? What media is relevant? Custodians?
Preservation — acquire images; write-protect originals; store securely
Collection — documented acquisition with hash verification
Examination — applying forensic tools to acquired images
Analysis — interpreting findings; building timeline; answering investigation questions
Reporting — communicating findings; supporting evidence; actionable conclusions
Review/Testimony — responding to questions; defending methodology

Chain of Custody Documentation

Evidence form contents — case number, investigator, date/time acquired, location, description, device serial number, hash values (before and after), storage location
Physical evidence handling — static bags for electronic media; temperature/humidity controlled storage
Digital evidence — encrypted storage; access logging; backup copies

Legal Concepts

Fourth Amendment (US) — protection against unreasonable search and seizure; warrant requirements
Privacy laws — GDPR, CCPA, HIPAA — may restrict forensic examination of certain data
Business records exception — admissibility of records kept in ordinary course of business
Expert witness qualification — voir dire; Daubert standard for scientific evidence
eDiscovery — electronic evidence production in civil litigation; forensics in litigation context
Spoliation — destruction of evidence; intentional or negligent; sanctions

Resources

SANS FOR500 methodology material
NIST SP 800-86 Guide to Integrating Forensic Techniques (free)
Brian Carrier's "File System Forensic Analysis" (book)
SWGDE (Scientific Working Group on Digital Evidence) guidelines (free)

Stage 04

Forensic Tools — Deep Proficiency

Tools amplify technique. You must understand what the tool is finding, why, and how, not just what buttons to click.

Forensic Suites

Autopsy (free, open-source) — GUI forensic analysis platform: - Ingest modules — hash lookup, file type identification, keyword search, recent activity, email parsing, web artifacts, registry analysis, EXIF metadata - Timeline — chronological event view across file system, registry, logs - Tagged items — annotating evidence for report - Module development — Python/Java plugins for custom analysis - Sleuth Kit — command-line backend underlying Autopsy
EnCase (Forensic by OpenText) — industry-standard commercial: - Evidence file (.E01) format - Case management — custodians, evidence items, tags - EnScript — C-like scripting for custom analysis - Secure viewer — reviewing without modification - Common in law enforcement and large enterprises
FTK (Forensic Toolkit by AccessData/Exterro) — commercial: - Database-backed — all data indexed before analysis - Fast keyword search across all evidence - Email threading, visualization - FTK Imager — standalone free acquisition tool
X-Ways Forensics — commercial; lightweight; fast; favored by experienced analysts
Magnet AXIOM — commercial; strong mobile and cloud integration

Eric Zimmermann Tools (Free — Industry Standard)

EZTools collection — essential for Windows artifact analysis: - MFTECmd — parsing $MFT for file system timeline - PECmd — Prefetch analysis - JLECmd — Jump Lists analysis - LECmd — LNK file analysis - RBCmd — Recycle Bin ($I file) analysis - RecentFileCacheParser — RecentFileCache.bcf analysis - AppCompatCacheParser — ShimCache parsing - AmcacheParser — Amcache.hve analysis - WxTCmd — Windows Timeline (ActivitiesCache.db) - SrumECmd — SRUM database analysis - RECmd — Registry Explorer and batch processing; RECmd batch files for common keys - Registry Explorer — full-featured Registry hive viewer and analyzer - EvtxECmd — Event Log parsing with Maps (standardized output) - MFTExplorer — MFT visualization and navigation - Timeline Explorer — multi-artifact timeline visualization; import CSV from other tools - KAPE (Kroll Artifact Parser and Extractor) — triage tool; collects artifacts and runs parsers automatically

Memory Analysis — Volatility

Volatility 3 (current) / Volatility 2 (legacy but still used): - python vol.py -f memory.img [plugin] - Core plugins: - windows.pslist — running processes (from EPROCESS list) - windows.pstree — process hierarchy - windows.psscan — scan all of memory for EPROCESS structures (detects hidden processes) - windows.cmdline — command line arguments for each process - windows.dlllist — DLLs loaded by each process - windows.handles — handles held by each process - windows.filescan — file objects in memory - windows.netscan / windows.netstat — network connections and sockets - windows.malfind — detect injected code (RWX memory regions) - windows.hashdump — extract SAM password hashes - windows.hivelist — registry hives loaded in memory - windows.printkey — print registry key from hive - windows.mftscan.MFTScan — MFT records from memory - windows.handles — object handles per process - Linux plugins — linux.pslist, linux.bash, linux.check_creds, linux.netstat - Detecting malicious processes — unusual parent-child relationships, processes from temp directories, hollowed processes

Network Forensics

Wireshark — deep packet analysis: - Display filters for forensics — http, dns, smtp, ftp, tcp.stream eq N - Following streams — reassembling sessions - Extracting files — File → Export Objects - Statistics → Conversations — identifying heavy talkers - GeoIP mapping — visualizing geographic connections
Network Miner — passive forensic analysis from PCAP; extracts files, credentials, hosts
Zeek (Bro) — network analysis framework: - conn.log — all connections with duration, bytes, state - dns.log — DNS queries and responses with answers - http.log — HTTP transactions, user agents, URIs, status codes - ssl.log — TLS connections, certificate details, JA3 hashes - files.log — file extractions with hashes - weird.log — protocol anomalies
Suricata — IDS/NSM generating alerts and eve.json
Tshark — command-line Wireshark; scriptable analysis
PCAP analysis workflow: - Network overview — protocols, endpoints, volumes - Suspicious connections — unusual ports, internal-to-internal lateral movement, C2 patterns - DNS analysis — unusual domain length, high NX rate, regular interval queries - Extract and hash files — malware delivered via HTTP/SMB - Credential exposure — plaintext protocols (FTP, HTTP basic auth, Telnet)

Disk Forensics — Command Line

The Sleuth Kit (TSK): - mmls — partition table analysis - fsstat — filesystem statistics - fls — file listing including deleted files - icat — extract file by inode number - ils — list inodes (including deleted) - tsk_recover — recover unallocated files
strings — extracting printable strings from binary data; strings -el for Unicode
xxd / hexdump — hex view of binary files
binwalk — embedded file detection and extraction
bulk_extractor — parallel extraction of patterns from disk/memory (URLs, emails, credit cards)
Plaso / log2timeline — building super-timelines from multiple artifact sources: - log2timeline.py — ingesting artifacts into Plaso storage - psort.py — sorting and filtering - pinfo.py — examining storage
Timesketch — visualization of super-timelines; collaborative investigation

Resources

Eric Zimmermann tools GitHub (free)
Volatility Foundation (free)
Autopsy documentation (free)
TryHackMe Digital Forensics rooms (free)
LetsDefend DFIR labs
CyberDefenders forensics challenges

Stage 05

Memory Forensics

Memory analysis reveals what the system was doing at the moment of acquisition, including active malware, injected code, network connections, credentials, and encryption keys.

What Memory Contains

Running processes — EPROCESS structures; doubly-linked list (rootkits can hide by unlinking)
Loaded DLLs — per-process module lists
Network connections — active and recently closed socket objects
Encryption keys — BitLocker keys, TrueCrypt keys, private keys if recently used
Credentials — passwords, hashes, Kerberos tickets (Mimikatz targets these)
Registry hives — loaded in memory even if not currently active on disk
Clipboard contents
Injected code — memory pages with execute permission in unusual locations
Command-line arguments — what processes were launched with
Browser history (in-memory) — not yet written to disk

Memory Acquisition

Before shutdown — always acquire memory before powering down a live system
WinPmem — command-line; raw, E01, compressed formats
Magnet RAM Capture — GUI; user-friendly
DumpIt — simple double-click; creates raw memory dump
F-Response — remote memory acquisition over network
AVML — command-line for Linux memory acquisition

Memory Analysis Process with Volatility

Identify OS profile — windows.info, imageinfo (V2)
List processes — pslist, pstree, psscan - Psscan vs pslist — psscan scans entire memory for EPROCESS structures; finds hidden/unlinked processes - Suspicious: processes in unusual locations (svchost.exe not in C:\Windows\System32\), unusual PPID (cmd.exe spawned by Excel), duplicate process names
Analyze network connections — netscan, netstat - Suspicious: connections to unusual external IPs, listening on unexpected ports, connections from system processes
Look for injected code — malfind - Suspicious MZ headers in private memory regions; VAD regions with VadS tag and PAGE_EXECUTE_READ_WRITE; high entropy sections
Extract DLLs — dlllist for each suspicious process - DLLs loaded from unusual paths; missing entries in PEB InLoadOrderModuleList
Check command lines — cmdline - Encoded PowerShell; unusual arguments; temp directory execution
Extract hives — hivelist, printkey - Check persistence keys from memory
Dump suspicious processes — procdump, memdump - Submit to sandbox or examine with static analysis tools
Analyze handles — handles -p [pid] -t file — files opened by suspicious process

Detecting Evasion Techniques in Memory

Process hollowing — legitimate process (svchost.exe) loaded but original code replaced; VAD/PEB mismatch
Process injection — DLL injection, reflective DLL injection — unexpected DLLs in process
DKOM (Direct Kernel Object Manipulation) — psscan finds what pslist misses
Thread injection — CreateRemoteThread; unexpected threads in legitimate processes
APC injection — unusual pending APCs
Shellcode in heap/stack — executable memory in unusual regions; malfind detects

Resources

"The Art of Memory Forensics" (Ligh, Case, Levy, Walters), the essential reference
Volatility documentation (free)
MemLabs CTF challenges (free)

Stage 06

Timeline Analysis & Incident Reconstruction

Building a coherent timeline from disparate artifact sources is the highest-level forensic skill. It requires both technical knowledge and investigative reasoning.

Timeline Analysis Principles

Establish the question first — what are you trying to prove or disprove?
Multiple source corroboration — single artifact source is vulnerable to anti-forensics; multiple independent sources strengthen conclusions
Temporal gaps — gaps in expected activity may indicate log clearing or artifact deletion
Timestamp manipulation — NTFS $STANDARD_INFORMATION can be modified; $FILE_NAME cannot (requires kernel access)
Anti-forensics awareness — timestomping, log clearing, volume shadow copy deletion, encrypted containers

Building Super-Timelines

Plaso / log2timeline — ingesting multiple artifact sources: - File system metadata (MFT) - Registry timestamps - Event logs - Browser history - LNK files and jump lists - Prefetch - Recycle Bin - Application logs
Timeline Explorer (EZTools) — visualizing and filtering multi-source timelines
Timesketch — collaborative investigation platform for large timelines

NTFS Timestamp Forensics

NTFS stores four timestamps per file in $STANDARD_INFORMATION (SI) and $FILE_NAME (FN): - $SI timestamps — Created, Modified, Accessed, MFT Changed ($MFT Entry Modified) - $FN timestamps — same four types
$SI timestamps can be modified with tools like timestomp; $FN cannot without kernel access
Timestomping detection — $SI timestamps precede $FN timestamps (impossible in normal operations); $MFT entry modified time not changed to match
The Meaning of Timestamps: - $SI Created — when the file was placed in its current location (copies get current time) - $SI Modified — last time file content was modified - $SI Accessed — can be disabled; last access to file - $SI MFT Changed — last time any metadata changed (rename, permission change, attribute added) - $FN Created/Modified/Accessed/MFT Changed — set at file creation, harder to modify

Attack Timeline Reconstruction

Step 1: Identify time anchor events — confirmed attacker actions with strong timestamps
Step 2: Expand outward — what happened before and after each confirmed event?
Step 3: Fill gaps with indirect evidence — network logs, email timestamps, login events
Step 4: Identify inconsistencies — timestomped files, gaps in normal activity patterns
Step 5: Map to ATT&CK — what technique does each artifact represent?
Common investigation questions: - When did initial access occur? What was the vector? - What reconnaissance was performed? - What tools were downloaded/compiled/executed? - What lateral movement occurred? - What data was accessed or exfiltrated? - Were any persistence mechanisms installed? - Was evidence destroyed?

Resources

Plaso/log2timeline documentation (free)
Timeline Explorer (free, EZTools)
Timesketch (free, open-source)
SANS FOR508 course content

Stage 07

Network & Cloud Forensics

Modern investigations increasingly involve network evidence and cloud environments where traditional disk imaging does not apply.

Network Forensics

Network evidence sources: - Firewall logs — connection allowed/denied; source, destination, port, bytes, duration - Proxy logs — HTTP/HTTPS traffic with URL, user agent, response code, bytes - DNS logs — query name, type, response, client IP — exfiltration and C2 indicators - NetFlow/IPFIX — connection summaries without payload; high-level pattern analysis - Full packet capture (PCAP) — complete traffic content; most valuable but storage-intensive - Web server logs — Apache access log, IIS log, nginx log - Email server logs — Exchange tracking logs, mail transfer logs - VPN logs — authentication events, connected endpoints - IDS/IPS alerts — Snort/Suricata rules fired
Network investigation workflow: - Timeline reconstruction from network evidence - Identifying C2 communication — regular interval connections, unusual ports, domain generation algorithms - Data exfiltration detection — large outbound transfers, unusual destinations, encoding in DNS/HTTP - Lateral movement — internal-to-internal authentication events, unusual port scans - Malware download events — HTTP requests to known-malicious or unusual domains

Cloud Forensics

AWS forensic evidence sources: - CloudTrail — API call logs; who called what API, when, from which IP; management and data events - VPC Flow Logs — network traffic to/from EC2 instances; 5-tuple + bytes + action - S3 Access Logs — GET/PUT/DELETE operations on S3 objects - CloudWatch Logs — application logs, Lambda logs, EC2 system logs forwarded to CloudWatch - GuardDuty findings — aggregated threat intelligence with timing - Config — resource configuration snapshots and change history - EC2 metadata service logs — IMDSv1/v2 queries
AWS IR considerations: - Instance isolation — security group modification to deny all traffic while preserving for investigation - EBS snapshot — creating forensic snapshot of volume without removing from service - Memory acquisition — requires SSM Run Command or agent; AWS supports WinPmem/LiME via Systems Manager - Volatile data loss — network connections, process list lost when instance terminates
Azure forensic evidence sources: - Azure Activity Log — management operations; who did what to which Azure resource - Microsoft Entra ID Sign-in Logs — authentication events, device, location, risk - Azure Monitor / Log Analytics — forwarded metrics and logs - Microsoft Defender for Cloud — security alerts - NSG Flow Logs — network traffic logs per NSG
GCP forensic evidence sources: - Cloud Audit Logs — Admin Activity, Data Access, System Event, Policy Denied - VPC Flow Logs — network traffic - Cloud Logging — application and system logs

Forensic Investigation in Cloud Without Disk Images

Log-centric investigation — no physical disk; everything reconstructed from API logs, application logs, network logs
Log gaps — gaps in CloudTrail may indicate log tampering; check for StopLogging API calls
Immutable logging — CloudTrail with S3 MFA Delete; CloudWatch Logs can't be deleted without explicit API calls
Chain of custody for cloud evidence — API export with hash; preservation in S3 or Azure Blob with versioning

Resources

AWS incident response documentation (free)
SANS FOR509 Enterprise Cloud Forensics course
Mandiant cloud IR guides (free)

Stage 08

Mobile Forensics

Mobile devices are increasingly central to investigations. Smartphones contain location history, communications, app data, and behavioral evidence.

Mobile Forensics Overview

Mobile evidence types — call records, SMS/MMS, app data (WhatsApp, Signal, Telegram), browser history, location history, photos (EXIF metadata), email, contacts, calendar
iOS vs Android — different acquisition challenges; iOS encryption more robust
Legal considerations — locked devices, password requirements, right against self-incrimination

Acquisition Methods

Logical acquisition — uses device API; standard backup; does not require physical access to storage
File system acquisition — more complete than logical; requires jailbreak (iOS) or root (Android)
Physical acquisition — chip-off or JTAG; rare; destructive risk; for very high-value investigations
Cloud acquisition — iTunes backup analysis; iCloud extraction with credentials; Google Takeout
iOS Considerations: - Airplane mode immediately — prevent remote wipe - Faraday bag — prevent remote wipe if Airplane mode not possible - Backup password — if set, bypasses encryption on backup content - Logical backup via iTunes — limited content; locked by password - Cellebrite/GrayKey — commercial physical extraction; expensive
Android Considerations: - More variety — OEM differences make acquisition complex - ADB (Android Debug Bridge) — logical acquisition if USB debugging enabled - Custom recovery — TWRP for physical-like acquisition - Google Takeout — comprehensive app data backup

Mobile Forensics Tools

Cellebrite UFED (Universal Forensic Extraction Device) — industry standard commercial; law enforcement
Cellebrite PA (Physical Analyzer) — analysis platform for extracted data
Oxygen Forensic Detective — commercial; cloud extraction capability; app artifact parsing
MSAB XRY — commercial; law enforcement focused
Magnet AXIOM — commercial; strong mobile artifact parsing
ALEAPP (Android Logs Events and Protobuf Parser) — free; open-source; Android artifact parsing
iLEAPP (iOS Logs Events and Protobuf Parser) — free; open-source; iOS artifact parsing
Autopsy — mobile module; basic extraction analysis
MVT (Mobile Verification Toolkit) — checking for Pegasus spyware indicators; free; Amnesty International

Key Mobile Artifacts

iOS: KnowledgeC.db (app usage, location, device activity), SMS.db, AddressBook.db, Call History, Safari History, Spotlight-V100, Health app data
Android: mmssms.db (messages), contacts2.db, downloads.db, logcat, package manager logs, Google account activity, DCIM metadata
App artifacts — WhatsApp databases (msgstore.db), Telegram (cache), Signal (encrypted by default)

Resources

SANS FOR585 Smartphone Forensic Analysis course
ALEAPP/iLEAPP GitHub repositories (free)
Oxygen Forensics Academy (free resources)

Stage 09

Forensic Reporting

A forensic investigation without a clear, defensible report has limited value. Reports must communicate complex technical findings to non-technical audiences while withstanding scrutiny in legal proceedings.

Report Structure

Executive Summary — what happened, when, what was affected, what was taken, in plain language with no technical jargon; 1–2 pages
Scope and Methodology — what was examined, what tools were used, limitations of analysis
Findings — chronological narrative of events supported by specific evidence
Evidence Appendix — specific artifacts cited with hashes, source, extraction method
Conclusions — answering the investigation questions based on evidence
Recommendations — remediation, security improvements, policy changes

Writing for Different Audiences

Legal team — admissibility focus; methodology documentation; evidence preservation; chain of custody
Executives — business impact; risk quantification; recommendations in business terms
Technical team — detailed findings; affected systems; specific IOCs; remediation steps
Law enforcement — evidence documentation; facts without conclusions beyond evidence; preparation for testimony

Expert Witness Preparation

CV/resume — documenting qualifications, certifications, prior testimony experience
Methodology defense — being able to explain every analytical step and why it is reliable
Cross-examination preparation — anticipating challenges to methodology, tools, conclusions
Daubert standard (US) — methodology must be testable, peer-reviewed, have known error rate, and be generally accepted
Language discipline — "consistent with," "is evidence of," "supports the conclusion" — appropriate hedging

Resources

SANS FOR500 report writing guidance
sample forensic reports (publicly available)
Guidance on Expert Witness Testimony (various legal bar association guides)

Stage 10

Hands-On Practice & Portfolio

Practice Platforms

CyberDefenders — blue team forensics challenges with realistic datasets
CTFtime.org — forensics categories in CTF competitions
BlueTeamLabs Online — forensics and IR scenarios
TryHackMe — Digital Forensics rooms (free)
dfir.training — curated DFIR practice resources
Cases from The DFIR Report (thedfirreport.com) — detailed real-world incident analyses (free)
MemLabs — memory forensics CTF challenges (free)
Magnet CTF archives — mobile and disk forensics challenges (free)

Home Lab

Windows VM with known malware executed — analyze your own infected VM
Acquire memory with WinPmem before analysis — practice memory forensics workflow
Generate artifacts intentionally — USB insertions, file downloads, browser history — confirm artifacts match expected locations
Timeline analysis — use EZTools + Timeline Explorer on your lab VM artifacts
Practice KAPE triage — collect artifacts from live Windows system

What to Document on LabList

CTF forensics writeups — methodology from evidence to finding to flag
Forensic lab exercises — documenting artifact analysis with tool output and interpretation
Tool usage documentation — evidence that you can use Volatility, Autopsy, EZTools in real scenarios
Custom scripts — Python parsing scripts for artifacts, timeline automation
Cert progression — Security+ → GCFE → GCFA documented with lessons learned

FAQ

Common questions

How long does it take to become a Digital Forensics Analyst?

2–3 years optimistic at 20–25 hours/week, 3–4 years realistic. Forensics demands deep operating system expertise (registry, MFT, ShimCache, prefetch on Windows; ext4, journals, /var/log on Linux) plus chain-of-custody discipline plus tool fluency (Autopsy, FTK, X-Ways, Volatility). Career-changers from incident response or SOC roles transition fastest because they already have telemetry literacy. Pure self-taught paths exist but require obsessive practice with public sample sets and CTF challenges.

Which certifications matter for forensics roles?

GCFA is the canonical investigator cert and most-listed in postings. GCFE for endpoint forensics depth. EnCE for EnCase shops. Certified Forensic Computer Examiner (CFCE) for law enforcement. CHFI as an entry-level signal. GCFA-certified analysts earn 15–20% more than non-certified peers. SANS courses are expensive but the cert + content is genuinely the gold standard.

Do I need a degree to do forensics?

Helpful but not required for corporate forensics. Federal and law enforcement forensic roles often require a bachelor's plus security clearance. CS, computer engineering, or criminal justice degrees are common backgrounds. Self-taught analysts with strong CTF and Hack The Box DFIR challenge writeups break in to consulting (Mandiant, CrowdStrike Services, Unit 42) routinely. Big Four consulting firms have demonstrated entry paths.

What separates a hired Digital Forensics Analyst?

Public investigation writeups. CTF challenge solutions, sample case analyses on public datasets (Digital Corpora, NIST CFReDS), and demonstrated chain-of-custody reasoning in your portfolio. Generic 'I know forensics' candidates lose to candidates with documented analyses. Other differentiators: programming (Python for evidence parsing), memory forensics depth (Volatility), and at least one full report sample showing investigative narrative + technical evidence + conclusions. 13% projected growth through 2034.

Digital Forensics Analyst

Common questions

Related roles