Digital Forensics

"Digital forensics isn't about looking at files — it's about listening to what the system is trying to say."


What is digital forensics?

Digital forensics is the discipline of collecting, preserving and analyzing digital data so that, where admissible, it can be used as evidence.

What is in this section?

In this section you will learn digital forensics and incident response (DFIR) in depth, with hands-on practice in secure simulations.


The DFIR structure we are going to follow:

  1. 📖 Fundamentals of DFIR
    1.1. Introduction to DFIR
      1.1.1. Digital Forensics vs. Incident Response
      1.1.2. Offensive vs. Defensive Forensics
      1.1.3. Reactive vs. Proactive DFIR
    1.2. Roles in DFIR
      1.2.1. Forensic Analyst
      1.2.2. Threat Hunter
      1.2.3. SOC Analyst
      1.2.4. Incident Responder
      1.2.5. Malware Reverse Engineer
    1.3. DFIR Methodologies
      1.3.1. Locard's Exchange Principle
      1.3.2. Evidence Lifecycle
      1.3.3. Time-based Analysis (Timeline Forensics)
    1.4. Digital Evidence Types
      1.4.1. Physical Media
      1.4.2. Volatile Data
      1.4.3. Network Traffic
      1.4.4. Metadata
      1.4.5. Artifacts
  2. 🔐 Legal, Ethical, and Compliance Considerations
    2.1. Chain of Custody Procedures
    2.2. Evidence Integrity and Validation (Hashing: MD5/SHA1/SHA256)
    2.3. Court-Admissible Evidence (Daubert Standard)
    2.4. Jurisdictional Challenges
    2.5. Regulatory Frameworks
      2.5.1. GDPR
      2.5.2. HIPAA
      2.5.3. PCI-DSS
      2.5.4. SOX
    2.6. Ethics in Forensics
      2.6.1. Responsible Disclosure
      2.6.2. Scope Management
  3. 💾 Disk and Storage Forensics
    3.1. Disk Acquisition
      3.1.1. Tools: FTK Imager, Guymager, dd, DC3DD
      3.1.2. Write Blockers
      3.1.3. Acquisition Formats (E01, AFF, RAW)
    3.2. Partition Schemes
      3.2.1. MBR / GPT
      3.2.2. Hidden Volumes / Encrypted Partitions
    3.3. File Systems
      3.3.1. NTFS, FAT, exFAT
      3.3.2. EXT2/3/4, XFS, Btrfs
      3.3.3. APFS / HFS+
    3.4. File Carving
      3.4.1. Header/Footer Carving
      3.4.2. Fragmented File Recovery
      3.4.3. Tools: Scalpel, Foremost, PhotoRec
      3.4.4. Manual Carving using Hex Editors
    3.5. Volume Shadow Copy Analysis
      3.5.1. Restore Points & Backups
    3.6. Encrypted Volumes
      3.6.1. BitLocker, VeraCrypt
      3.6.2. Decryption Attacks (Cold Boot, Key Extraction)
  4. 🧠 Memory Forensics
    4.1. RAM Acquisition
      4.1.1. WinPmem, Belkasoft, DumpIt
      4.1.2. LiME for Linux
    4.2. Analysis Frameworks
      4.2.1. Volatility (and plugins)
      4.2.2. Rekall
    4.3. Artifacts in Memory
      4.3.1. Running Processes, Hidden Processes
      4.3.2. Kernel Drivers
      4.3.3. Open Files
      4.3.4. Clipboard Data
      4.3.5. Plaintext Passwords
    4.4. Malware Artifacts
      4.4.1. Injection Techniques (Reflective DLL, Hollowing)
      4.4.2. Indicators in Memory (PE Headers, Mutexes)
  5. 🔍 Operating System Artifact Analysis
    5.1. Windows Forensics
      5.1.1. Registry Analysis (NTUSER.DAT, SYSTEM, SOFTWARE)
      5.1.2. Prefetch / Superfetch
      5.1.3. LNK Files
      5.1.4. Jump Lists
      5.1.5. Event Logs (Security, System, App)
      5.1.6. Amcache / Shimcache
      5.1.7. SRUM Database
      5.1.8. USN Journal
    5.2. Linux Forensics
      5.2.1. Bash History
      5.2.2. Syslogs
      5.2.3. Cron Jobs
      5.2.4. .ssh Keys, known_hosts
      5.2.5. Auth Logs
    5.3. macOS Forensics
      5.3.1. TCC.db
      5.3.2. Plist Files
      5.3.3. Spotlight Metadata
      5.3.4. Unified Logs
  6. 📱 Mobile Device Forensics
    6.1. Extraction Methods
      6.1.1. Logical, Physical, File System
      6.1.2. JTAG, ISP, Chip-Off
    6.2. Tools
      6.2.1. Cellebrite UFED
      6.2.2. Magnet AXIOM
      6.2.3. MOBILedit, Oxygen Forensics
    6.3. App and OS Artifacts
      6.3.1. SQLite Databases
      6.3.2. Contacts, SMS, GPS, Photos
      6.3.3. Messenger Data (WhatsApp, Signal, Telegram)
    6.4. Mobile Malware Analysis
  7. 🌐 Network and Traffic Forensics
    7.1. Network Capture Tools
      7.1.1. Wireshark, tcpdump, Tshark
    7.2. Protocol Analysis
      7.2.1. TCP, UDP, ICMP
      7.2.2. Application (HTTP, HTTPS, DNS, FTP, SMTP)
    7.3. Packet Reconstruction
      7.3.1. File Reassembly
      7.3.2. Session Replay
    7.4. Logs
      7.4.1. NetFlow / sFlow / IPFIX
      7.4.2. Proxy, VPN, DNS Logs
    7.5. Wi-Fi Forensics
      7.5.1. Beacon Frames
      7.5.2. WPA/WPA2 Key Cracking
  8. 🎣 Email and Web Forensics
    8.1. Email Header Analysis
    8.2. MIME Structure Parsing
    8.3. Email Spoofing and Phishing
    8.4. Web Browser Artifacts
      8.4.1. History, Cookies, Cache
      8.4.2. Download Records
      8.4.3. Autofill and Saved Credentials
  9. 🦠 Malware Analysis & Reverse Engineering
    9.1. Static Analysis
      9.1.1. PE Header Inspection
      9.1.2. Strings, Hex View
      9.1.3. VirusTotal, HybridAnalysis
    9.2. Dynamic Analysis
      9.2.1. Sandboxes
      9.2.2. API Call Tracing
      9.2.3. Network Behavior
    9.3. Reverse Engineering
      9.3.1. IDA Pro, Ghidra
      9.3.2. Obfuscation & Packers
      9.3.3. Decompiled Code Analysis
  10. ⚠️ Incident Response
    10.1. Lifecycle
      10.1.1. Preparation
      10.1.2. Detection & Identification
      10.1.3. Containment
      10.1.4. Eradication
      10.1.5. Recovery
      10.1.6. Lessons Learned
    10.2. Playbooks
      10.2.1. Ransomware
      10.2.2. Data Breach
      10.2.3. Insider Threats
      10.2.4. Malware Infections
    10.3. IR Tools
      10.3.1. Velociraptor, KAPE, GRR
      10.3.2. CrowdStrike, SentinelOne
      10.3.3. SIEM: Splunk, ELK, Graylog
  11. ☁️ Cloud Forensics
    11.1. AWS
      11.1.1. CloudTrail, CloudWatch
      11.1.2. S3 Bucket Access Logs
      11.1.3. EC2 Snapshotting
    11.2. Azure
      11.2.1. Activity Logs
      11.2.2. Blob Storage & Defender Logs
    11.3. GCP
      11.3.1. Audit Logs
      11.3.2. GCS Buckets
    11.4. SaaS Forensics (Google Workspace, O365)
  12. 🎭 Anti-Forensics and Evasion Techniques
    12.1. File Wiping Tools
    12.2. Time Stomping
    12.3. Steganography
    12.4. Alternate Data Streams (ADS)
    12.5. RAM Poisoning
    12.6. Log Tampering
  13. 📑 Reporting, Documentation, and Courtroom Readiness
    13.1. Report Writing Best Practices
    13.2. Timeline Reconstruction
    13.3. Screenshots, Tool Logs, and Hashes
    13.4. Expert Testimony Preparation
    13.5. Trial Presentation Tools
  14. 📚 Education, Certifications, and Labs
    14.1. Certifications
      1. GCFA
      2. GREM
      3. CHFI
      4. EnCE
      5. CCE
    14.2. DFIR Labs & Practice
      1. DFIR Diva Labs
      2. CyberDefenders
      3. Malware Traffic Analysis
    14.3. Capture the Flag (CTFs) for DFIR
      14.3.1. Memory Forensics CTFs
      14.3.2. Disk Image CTFs
      14.3.3. Cloud DFIR Challenges

© 2024 cyberuniversity.tech. All rights reserved.