Advanced Defense (Blue Team)
Basic Digital Forensics
Digital forensics is the discipline of collecting, preserving, and analyzing digital evidence in a way that can be used in internal investigations or legal proceedings. Order and method matter as much as the findings themselves.
Core principle: preserve before analyzing
Never analyze the original system directly. Any access modifies metadata (atime, mtime). The correct process:
Compromised system
│
▼
Evidence collection (write blocker + bit-for-bit image)
│
▼
Image hashing (MD5 + SHA-256 — dual verification)
│
▼
Analysis on forensic copy
│
▼
Documentation + chain of custody
Order of volatility
Capture from most volatile to least volatile:
1. CPU registers and cache
2. RAM (lost at power-off — live processes, connections, encryption keys)
3. Network state (active TCP connections, ARP, routing table)
4. Running processes
5. Disk (least volatile, survives reboot)
6. Remote logs / SIEM
7. Backups, physical media
RAM collection
# Linux — with AVML (Acquire Volatile Memory for Linux, writes LiME format)
avml /mnt/evidence/memory-2026-06-25.lime
# Windows — with WinPmem (run as Administrator)
winpmem_mini_x64.exe memory.raw
# Hash immediately after capture, before the dump is copied or opened
sha256sum memory-2026-06-25.lime > memory-2026-06-25.lime.sha256
Disk imaging
# Linux — dd with progress logging (source attached read-only / behind a write blocker)
dd if=/dev/sdb of=disk-evidence.img bs=4M conv=noerror,sync status=progress
# Hash the image; conv=noerror,sync zero-fills unreadable sectors, so also hash the
# source and record any mismatch (= read errors) in the custody log
sha256sum disk-evidence.img > disk-evidence.img.sha256
sha256sum /dev/sdb
# Verify integrity of the image before every analysis session
sha256sum -c disk-evidence.img.sha256
Alternative: dcfldd or ewfacquire (E01 format with embedded metadata).
Memory analysis with Volatility 3
# List processes in a Windows memory dump (e.g. the WinPmem capture above)
vol -f memory.raw windows.pslist
# Check open network connections at time of capture
vol -f memory.raw windows.netstat
# Dump the executable of a suspicious process for malware analysis
vol -f memory.raw windows.pslist --pid 4512 --dump
# Detect code injection in legitimate processes
vol -f memory.raw windows.malfind
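A first pass over the process list is to check that the well-known Windows processes have the parents they should have, before spending time on malfind output. The script below is an added example, not code from the page or from the Volatility project: it parses the text table that windows.pslist prints (only the first three columns, PID, PPID and ImageFileName, are read, in the order Volatility 3's text renderer uses), and flags processes whose parent does not match a small expected-parent table. The sample output is constructed, with PID 4512 planted as an svchost.exe started by explorer.exe, and the expected-parent table is a common heuristic set, not something the page defines.

```python
"""Parent-process sanity check over Volatility 3 windows.pslist output.

Added example, not code from the page or from the Volatility project.
Assumes the text table printed by `vol -f memory.raw windows.pslist`;
only the first three columns (PID, PPID, ImageFileName) are read, and
EXPECTED_PARENT is a small, commonly used heuristic set.
"""
from __future__ import annotations

# Constructed sample in the shape of windows.pslist text output (banner,
# header, blank line, rows). PID 4512 is a deliberately planted svchost.exe
# whose parent is explorer.exe, which never happens on a clean system.
SAMPLE_PSLIST = """\
Volatility 3 Framework 2.x
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xe0003c0a8040\t120\t-\tN/A\tFalse\t2026-06-25 10:01:00.000000\tN/A\tDisabled
368\t4\tsmss.exe\t0xe0003c9a3040\t2\t-\tN/A\tFalse\t2026-06-25 10:01:01.000000\tN/A\tDisabled
528\t368\tcsrss.exe\t0xe0003d1b0080\t10\t-\t0\tFalse\t2026-06-25 10:01:02.000000\tN/A\tDisabled
600\t368\twininit.exe\t0xe0003d1c2080\t1\t-\t0\tFalse\t2026-06-25 10:01:02.000000\tN/A\tDisabled
676\t600\tservices.exe\t0xe0003d3e4080\t6\t-\t0\tFalse\t2026-06-25 10:01:03.000000\tN/A\tDisabled
684\t600\tlsass.exe\t0xe0003d3f9080\t8\t-\t0\tFalse\t2026-06-25 10:01:03.000000\tN/A\tDisabled
812\t676\tsvchost.exe\t0xe0003d6a1080\t12\t-\t0\tFalse\t2026-06-25 10:01:04.000000\tN/A\tDisabled
1200\t1096\texplorer.exe\t0xe0003e0c4080\t40\t-\t1\tFalse\t2026-06-25 10:02:10.000000\tN/A\tDisabled
4512\t1200\tsvchost.exe\t0xe0003f2b7080\t3\t-\t1\tFalse\t2026-06-25 11:47:52.000000\tN/A\tDisabled
"""

# Lower-case image name -> set of acceptable lower-case parent image names.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def parse_pslist(text: str) -> dict[int, tuple[int, str]]:
    """Map PID -> (PPID, ImageFileName); banner, header and blank lines are skipped."""
    procs: dict[int, tuple[int, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def find_parent_anomalies(procs: dict[int, tuple[int, str]]) -> list[str]:
    """One finding per process whose live parent is not in EXPECTED_PARENT."""
    findings = []
    for pid, (ppid, name) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        parent = procs.get(ppid)
        if parent is None:
            # Parent already exited (normal for smss-spawned csrss/wininit): cannot judge here.
            continue
        if parent[1].lower() not in expected:
            findings.append(
                f"PID {pid} {name}: parent PID {ppid} is {parent[1]}, "
                f"expected one of {sorted(expected)}"
            )
    return findings


if __name__ == "__main__":
    for finding in find_parent_anomalies(parse_pslist(SAMPLE_PSLIST)):
        print(finding)
```

A hit from this check is the kind of PID you would then pass to windows.malfind and to the dump command above; a parent that has already exited (PPID not in the list) is reported as undecidable rather than as an anomaly, because that is the normal state of csrss.exe and wininit.exe.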
Disk analysis with Autopsy / TSK
Key areas to investigate:
Windows:
- $MFT (Master File Table) — deleted file history
- Prefetch (%SystemRoot%\Prefetch) — previous executions
- Amcache.hve — tracks executed binaries
- NTUSER.DAT — user activity, run keys
- Event Logs (%SystemRoot%\System32\winevt\Logs)
- Shellbags — folders accessed via Explorer
Linux:
- /var/log/, /home/*/.bash_history
- /tmp and /dev/shm — malware staging
- /etc/crontab, /etc/cron.d/ — persistence
- journalctl -xe — systemd logs (on an offline image, add -D <mount>/var/log/journal so the copied journal is read rather than the analyst host's own)
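The Linux list above is normally worked through against a mounted forensic copy, never the live host. The script below is an added example, not code from the page: it takes the mount point of the image as a root (MOUNT_ROOT is a placeholder), resolves /etc/crontab, /etc/cron.d/, /tmp, /dev/shm and /var/tmp beneath that root, lists every active cron line with the file's mtime, and reports executable regular files in the staging directories with both mtime and ctime (ctime is the inode change time, which cannot be back-dated with touch, so an mtime far older than ctime is worth a second look). Symlinks are never followed, since a link inside the image can point at the analyst's own filesystem. The miniature image it builds for the demo run is constructed.

```python
"""Offline triage of Linux persistence and staging paths on a mounted image.

Added example, not from the page. Assumes the forensic copy is mounted
read-only at MOUNT_ROOT (placeholder); every path is resolved beneath that
root so the analyst's own /etc and /tmp are never read. Symlinks are skipped.
"""
from __future__ import annotations

import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MOUNT_ROOT = Path("/mnt/evidence/root")          # placeholder mount point of the image
CRON_LOCATIONS = ["etc/crontab", "etc/cron.d"]   # persistence
STAGING_DIRS = ["tmp", "dev/shm", "var/tmp"]     # malware staging


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def cron_entries(root: Path) -> list[dict]:
    """Every non-comment line of /etc/crontab and /etc/cron.d/* under root."""
    entries = []
    for rel in CRON_LOCATIONS:
        p = root / rel
        if p.is_symlink():
            continue  # could point outside the image
        candidates = [p] if p.is_file() else (sorted(p.iterdir()) if p.is_dir() else [])
        for f in candidates:
            if f.is_symlink() or not f.is_file():
                continue
            st = f.lstat()
            for lineno, line in enumerate(f.read_text(errors="replace").splitlines(), 1):
                text = line.strip()
                if not text or text.startswith("#"):
                    continue
                entries.append({"file": "/" + f.relative_to(root).as_posix(),
                                "line": lineno, "text": text, "mtime": _iso(st.st_mtime)})
    return entries


def staged_executables(root: Path) -> list[dict]:
    """Regular files with any execute bit inside the staging directories."""
    hits = []
    for rel in STAGING_DIRS:
        base = root / rel
        if base.is_symlink() or not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):  # followlinks defaults to False
            for name in files:
                f = Path(dirpath) / name
                st = f.lstat()  # lstat: a symlink is reported as a link, not as its target
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                    hits.append({"path": "/" + f.relative_to(root).as_posix(),
                                 "size": st.st_size, "mode": oct(stat.S_IMODE(st.st_mode)),
                                 "mtime": _iso(st.st_mtime), "ctime": _iso(st.st_ctime)})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_image(root: Path) -> None:
    """Constructed miniature of a compromised image, so the script runs offline."""
    (root / "etc" / "cron.d").mkdir(parents=True)
    (root / "etc" / "crontab").write_text("# system crontab\nSHELL=/bin/sh\n*/5 * * * * root /tmp/.x\n")
    (root / "etc" / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup.sh\n")
    (root / "tmp").mkdir()
    (root / "tmp" / ".x").write_bytes(b"\x7fELF constructed stub, not a real binary")
    os.chmod(root / "tmp" / ".x", 0o755)
    (root / "tmp" / "notes.txt").write_text("not executable\n")
    (root / "dev" / "shm").mkdir(parents=True)


def demo() -> tuple[list[dict], list[dict]]:
    """Run both checks against the constructed sample image."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_image(root)
        return cron_entries(root), staged_executables(root)


if __name__ == "__main__":
    cron, staged = demo()  # against a real mount: cron_entries(MOUNT_ROOT), staged_executables(MOUNT_ROOT)
    for e in cron:
        print(f"[cron] {e['file']}:{e['line']} {e['text']} (mtime {e['mtime']})")
    for h in staged:
        print(f"[staged] {h['path']} mode {h['mode']} size {h['size']} ctime {h['ctime']}")
```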
Chain of custody
A written record showing that the evidence was handled without tampering; a minimal entry:
Evidence: 1TB HDD — S/N: WD-XYZ123
Collected by: Ana Lima (forensic analyst)
Date/time: 2026-06-25 14:30 UTC
SHA-256 hash: a3f1b2c4...
Transferred to: physical safe — seal no. 00482
Analyzed using: forensic copy (hash verified before analysis)
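The two steps that the custody entry relies on, the dual hash taken at collection and the hash check before analysis, can be tied together in one small tool. The script below is an added example, not from the page: it computes MD5 and SHA-256 in a single read pass (one pass matters when the image is terabytes), writes both digests, the size and the custody fields into a JSON manifest, and re-verifies size and both digests before the copy is opened, reporting exactly which field changed. It serves the hashing step from the imaging section and the custody record above; the file names are placeholders, the custody values are the page's sample entry, and the demo input is a constructed 3-byte stand-in for an image.

```python
"""Dual-hash evidence manifest and pre-analysis re-verification.

Added example, not from the page. File names are placeholders and the
custody values are the page's own sample entry; demo() uses a constructed
3-byte file as a stand-in for a disk or memory image.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat regardless of image size


def dual_hash(path: Path) -> dict[str, str]:
    """MD5 and SHA-256 of the file, computed in one pass over the data."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def write_manifest(evidence: Path, manifest: Path, **custody: str) -> dict:
    """Record size, both digests and the custody fields; return the record."""
    record = {"evidence": evidence.name, "size_bytes": evidence.stat().st_size}
    record.update(dual_hash(evidence))
    record.update(custody)
    manifest.write_text(json.dumps(record, indent=2))
    return record


def verify_manifest(evidence: Path, manifest: Path) -> tuple[bool, dict]:
    """Return (ok, mismatches); an empty mismatches dict means the copy is unchanged."""
    record = json.loads(manifest.read_text())
    current = dual_hash(evidence)
    current["size_bytes"] = evidence.stat().st_size
    mismatches = {
        field: {"recorded": record[field], "current": current[field]}
        for field in ("size_bytes", "md5", "sha256")
        if record[field] != current[field]
    }
    return (not mismatches, mismatches)


def demo() -> dict:
    """Constructed run: manifest a tiny stand-in image, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as d:
        evidence = Path(d) / "disk-evidence.img"
        manifest = Path(d) / "disk-evidence.manifest.json"
        evidence.write_bytes(b"abc")  # constructed stand-in for a real image
        record = write_manifest(
            evidence, manifest,
            collected_by="Ana Lima (forensic analyst)",
            collected_at="2026-06-25T14:30:00Z",
            seal_no="00482",
        )
        ok_before, _ = verify_manifest(evidence, manifest)
        with open(evidence, "ab") as fh:
            fh.write(b"\x00")  # simulate one appended byte on the copy
        ok_after, mismatches = verify_manifest(evidence, manifest)
        return {"record": record, "ok_before": ok_before,
                "ok_after": ok_after, "mismatches": mismatches}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["record"], indent=2))
    print("intact before tampering:", result["ok_before"])
    print("intact after tampering:", result["ok_after"], result["mismatches"])
```

Against a real acquisition the call is write_manifest(Path("disk-evidence.img"), Path("disk-evidence.manifest.json"), ...) right after dd finishes, and verify_manifest(...) at the start of every analysis session; a mismatch on size alone usually points at a truncated copy, while a digest mismatch at the same size points at modified content.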
Essential tools
| Tool | Function |
|---|---|
| Volatility 3 | Memory analysis |
| Autopsy / TSK | Disk analysis |
| Wireshark / tcpdump | PCAP analysis |
| KAPE | Fast Windows artifact collection |
| FTK Imager | Forensic imaging + hash verification |