hacktricks/forensics/basic-forensic-methodology/README.md



<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


{% hint style="danger" %}
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
{% endhint %}

If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.


In this section of the book we are going to learn about some **useful forensics tricks**.\
We are going to talk about partitions, file-systems, carving, memory, logs, backups, OSs, and much more.

So if you are doing a professional forensic analysis to some data or just playing a CTF you can find here useful interesting tricks.

# Creating and Mounting an Image

{% content-ref url="image-adquisition-and-mount.md" %}
[image-adquisition-and-mount.md](image-adquisition-and-mount.md)
{% endcontent-ref %}

# Malware Analysis

This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**:

{% content-ref url="malware-analysis.md" %}
[malware-analysis.md](malware-analysis.md)
{% endcontent-ref %}

# Inspecting an Image

if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:

{% content-ref url="partitions-file-systems-carving/" %}
[partitions-file-systems-carving](partitions-file-systems-carving/)
{% endcontent-ref %}

Depending on the used OSs and even platform different interesting artifacts should be searched:

{% content-ref url="windows-forensics/" %}
[windows-forensics](windows-forensics/)
{% endcontent-ref %}

{% content-ref url="linux-forensics.md" %}
[linux-forensics.md](linux-forensics.md)
{% endcontent-ref %}

{% content-ref url="docker-forensics.md" %}
[docker-forensics.md](docker-forensics.md)
{% endcontent-ref %}

# Deep inspection of specific file-types and Software

If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\
Read the following page to learn some interesting tricks:

{% content-ref url="specific-software-file-type-tricks/" %}
[specific-software-file-type-tricks](specific-software-file-type-tricks/)
{% endcontent-ref %}

I want to do a special mention to the page:

{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %}
[browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md)
{% endcontent-ref %}

# Memory Dump Inspection

{% content-ref url="memory-dump-analysis/" %}
[memory-dump-analysis](memory-dump-analysis/)
{% endcontent-ref %}

# Pcap Inspection

{% content-ref url="pcap-inspection/" %}
[pcap-inspection](pcap-inspection/)
{% endcontent-ref %}

# **Anti-Forensic Techniques**

Keep in mind the possible use of anti-forensic techniques:

{% content-ref url="anti-forensic-techniques.md" %}
[anti-forensic-techniques.md](anti-forensic-techniques.md)
{% endcontent-ref %}

# Threat Hunting

{% content-ref url="file-integrity-monitoring.md" %}
[file-integrity-monitoring.md](file-integrity-monitoring.md)
{% endcontent-ref %}


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`


GitBook: [master] 21 pages modified 2021-05-31 11:39:02 +02:00			`{% hint style="danger" %}`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`Do you use Hacktricks every day? Did you find the book very useful? Would you like to receive extra help with cybersecurity questions? Would you like to find more and higher quality content on Hacktricks?\`
GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`[Support Hacktricks through github sponsors](https://github.com/sponsors/carlospolop) so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!`
GitBook: [master] 21 pages modified 2021-05-31 11:39:02 +02:00			`{% endhint %}`

discord group 2022-01-31 15:20:28 +01:00			If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the [💬](https://emojipedia.org/speech-balloon/)[Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass), or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).\
GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`If you want to share some tricks with the community you can also submit pull requests to [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to give ⭐ on github to motivate me to continue developing this book.`
GitBook: [master] 21 pages modified 2021-05-31 11:39:02 +02:00


GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`In this section of the book we are going to learn about some useful forensics tricks.\`
GitBook: [master] 7 pages and 6 assets modified 2021-05-28 19:07:52 +02:00			`We are going to talk about partitions, file-systems, carving, memory, logs, backups, OSs, and much more.`

			`So if you are doing a professional forensic analysis to some data or just playing a CTF you can find here useful interesting tricks.`

fix mess 2022-05-01 14:41:36 +02:00			`# Creating and Mounting an Image`
GitBook: [master] 2 pages modified 2021-05-28 19:29:30 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="image-adquisition-and-mount.md" %}`
			`[image-adquisition-and-mount.md](image-adquisition-and-mount.md)`
			`{% endcontent-ref %}`
GitBook: [master] 2 pages modified 2021-05-28 19:29:30 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`# Malware Analysis`
GitBook: [master] 7 pages modified 2021-05-28 19:51:59 +02:00
			`This isn't necessary the first step to perform once you have the image. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to keep these actions in mind:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="malware-analysis.md" %}`
			`[malware-analysis.md](malware-analysis.md)`
			`{% endcontent-ref %}`
GitBook: [master] 7 pages modified 2021-05-28 19:51:59 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`# Inspecting an Image`
GitBook: [master] 7 pages and 6 assets modified 2021-05-28 19:07:52 +02:00
GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`if you are given a forensic image of a device you can start analyzing the partitions, file-system used and recovering potentially interesting files (even deleted ones). Learn how in:`
GitBook: [master] 7 pages and 6 assets modified 2021-05-28 19:07:52 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="partitions-file-systems-carving/" %}`
			`[partitions-file-systems-carving](partitions-file-systems-carving/)`
			`{% endcontent-ref %}`
GitBook: [master] 7 pages and 6 assets modified 2021-05-28 19:07:52 +02:00
GitBook: [master] 11 pages modified 2021-05-28 19:24:45 +02:00			`Depending on the used OSs and even platform different interesting artifacts should be searched:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="windows-forensics/" %}`
			`[windows-forensics](windows-forensics/)`
			`{% endcontent-ref %}`
GitBook: [master] 11 pages modified 2021-05-28 19:24:45 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="linux-forensics.md" %}`
			`[linux-forensics.md](linux-forensics.md)`
			`{% endcontent-ref %}`
GitBook: [master] 11 pages modified 2021-05-28 19:24:45 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="docker-forensics.md" %}`
			`[docker-forensics.md](docker-forensics.md)`
			`{% endcontent-ref %}`
GitBook: [master] 11 pages modified 2021-05-28 19:24:45 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`# Deep inspection of specific file-types and Software`
GitBook: [master] 11 pages modified 2021-05-28 19:24:45 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`If you have very suspicious file, then depending on the file-type and software that created it several tricks may be useful.\`
GitBook: [master] 11 pages modified 2021-05-28 19:24:45 +02:00			`Read the following page to learn some interesting tricks:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="specific-software-file-type-tricks/" %}`
			`[specific-software-file-type-tricks](specific-software-file-type-tricks/)`
			`{% endcontent-ref %}`
GitBook: [master] 11 pages modified 2021-05-28 19:24:45 +02:00
			`I want to do a special mention to the page:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %}`
			`[browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md)`
			`{% endcontent-ref %}`
GitBook: [master] 11 pages modified 2021-05-28 19:24:45 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`# Memory Dump Inspection`
GitBook: [master] 46 pages modified 2021-05-28 19:27:17 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="memory-dump-analysis/" %}`
			`[memory-dump-analysis](memory-dump-analysis/)`
			`{% endcontent-ref %}`
GitBook: [master] 46 pages modified 2021-05-28 19:27:17 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`# Pcap Inspection`
GitBook: [master] 7 pages and 6 assets modified 2021-05-28 19:07:52 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="pcap-inspection/" %}`
			`[pcap-inspection](pcap-inspection/)`
			`{% endcontent-ref %}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`# Anti-Forensic Techniques`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [master] 7 pages modified 2021-05-28 19:51:59 +02:00			`Keep in mind the possible use of anti-forensic techniques:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="anti-forensic-techniques.md" %}`
			`[anti-forensic-techniques.md](anti-forensic-techniques.md)`
			`{% endcontent-ref %}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`# Threat Hunting`
GitBook: [master] 3 pages modified 2021-09-06 17:03:23 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% content-ref url="file-integrity-monitoring.md" %}`
			`[file-integrity-monitoring.md](file-integrity-monitoring.md)`
			`{% endcontent-ref %}`
GitBook: [master] 3 pages modified 2021-09-06 17:03:23 +02:00
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`