Digital Forensics#

Reference of digital-forensics tools, artifact locations, and acquisition / analysis pipelines. The discipline splits into four phases, identification, acquisition, analysis, presentation, each with its own toolkit. NIST SP 800-86 and the SWGDE guidelines remain the standard procedural references.

For broader incident response context, see Security. For runtime detection, see YARA and Sigma.

Acquisition#

Tool

Notes

FTK Imager

Free; raw / E01 / SMART / AFF imaging, mount, preview.

dc3dd / dcfldd

Forensic dd with hash-on-read; defunct upstream but widely used.

ddrescue

GNU; resilient against bad sectors.

Guymager

Linux-native imager with GUI.

EnCase Forensic

OpenText; the legacy commercial standard; .E01 origin.

Magnet AXIOM

Modern integrated platform.

X-Ways Forensics

Single-license commercial favorite of practitioners.

Cellebrite UFED

Mobile forensic acquisition (iOS / Android).

GrayKey

iOS unlock + acquisition.

Magnet GRAYKEY

iOS / Android logical + physical.

MOBILedit Forensic

Mobile.

Oxygen Forensics

Mobile + cloud.

Belkasoft X

Computer + mobile + cloud.

Volatility 3

Memory analysis (RAM dumps).

Rekall

Memory analysis (Volatility fork).

WinPMem / LiME

RAM acquisition (Windows / Linux).

DumpIt

Windows RAM acquisition.

Magnet RAM Capture

Free RAM capture.

F-Response

Remote evidence acquisition.

Velociraptor

Open EDR + DFIR endpoint collection at scale.

KAPE

Triage acquisition; the SANS DFIR favorite.

GRR Rapid Response

Google’s open-source live forensics.

Disk / file system#

Tool

Notes

Autopsy

OSS UI on top of The Sleuth Kit; the OSS standard.

The Sleuth Kit

mmls, fls, icat, istat; CLI primitives.

TestDisk + PhotoRec

File / partition recovery.

foremost / scalpel

File carving by header / footer.

bulk_extractor

Stream-pattern extraction (emails, URLs, BTC, EXIF) from raw images.

SleuthKit + Autopsy

Java GUI on top of TSK.

log2timeline / plas

o plaso produces super-timelines from many artifact sources.

mac_robber

File-system metadata for timeline.

ExifTool

EXIF metadata.

Forensic Toolkit (F TK)

AccessData; commercial.

EnCase Forensic

commercial; standard for many courts.

Memory analysis#

Tool

Notes

Volatility 3

Modern Python rewrite of Volatility.

Volatility 2.x

Legacy; still has plugins not yet ported.

Rekall

Volatility fork; mostly maintenance mode.

LiME

Linux RAM acquisition.

WinPMem

Windows RAM acquisition.

volframework / lvox

alternative rule engines.

Memory Process FS

/proc-style mount of a memory image.

Network / packet#

Tool

Notes

Wireshark / tshark

packet capture + analysis.

NetworkMiner

artifact extraction from PCAP.

tcpdump

CLI capture.

Zeek (Bro)

network-monitoring framework; rich logs.

Suricata + EVE JSON

IDS + JSON logs.

Stenographer

Google’s full-PCAP storage.

moloch / Arkime

indexed full-packet capture + UI.

RSA NetWitness

commercial.

Argus, nfdump

NetFlow / IPFIX analysis.

Joy

IPFIX-flavoured intel features.

Mobile#

Tool

Notes

Cellebrite UFED + P A

acquisition + analysis (iOS / Android / drone / IoT).

Magnet AXIOM Mobile

Magnet platform.

Oxygen Forensics

mobile + cloud / IoT.

GrayKey

iOS unlock.

MOBILedit

mobile.

ALEAPP / iLEAPP

Android / iOS Logs Events And Properties Parser; OSS.

APK forensics

apktool, jadx, MobSF for static analysis.

Frida

dynamic instrumentation; hooking running apps.

objection

Frida-based pentest helper.

Burp + mobile proxy

intercepting HTTP/S on mobile.

Cloud / SaaS#

Source / Tool

Notes

AWS CloudTrail

account audit log (organization-wide).

GCP Audit Logs

Admin / Data / System.

Azure Activity Log

resource-level audit.

Microsoft 365

Unified Audit Log (Purview / Compliance).

Google Workspace

Admin Audit + Drive / Gmail logs.

Okta Logs

identity provider events.

GitHub Audit Log

organization events.

Slack Audit Logs

workspace events (Plus tier+).

Magnet AXIOM Cyber

cloud DFIR.

Cellebrite Pathfind

er cross-source IRR.

SOF-ELK

SANS ELK distro for forensic search.

OS artifacts (Windows)#

Source

Notes

NTFS $MFT

file-system metadata; per-file MAC times.

$LogFile, $UsnJrnl

filesystem journals.

USN Journal

file change history.

Registry hives

SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT, UsrClass.dat.

Event logs (.evtx)

Security, System, Application, Microsoft-Windows-* channels.

Prefetch (.pf)

execution evidence.

ShimCache

AppCompat cache.

AmCache

Amcache.hve; executed-binary metadata.

SRUM

System Resource Usage Monitor; per-process net use.

LNK files

shortcut metadata; targets, MAC times.

Jump Lists

recently-used items per app.

Volume Shadow Copy

point-in-time snapshots.

Browser artifacts

Chrome / Edge / Firefox: history, cache, cookies, downloads, autofill.

Outlook PST/OST

email.

Recycle Bin

$I + $R files.

RDP cache, BAM/DAM

user-activity monitor caches.

Windows Search DB

Windows.edb.

OS artifacts (Linux)#

Source

Notes

/var/log

auth.log / secure, syslog / messages, kern.log, audit.log, apache2, nginx, postgresql, apt.

journald

journalctl --no-pager; binary structured logs.

audit

auditd rules + aureport.

~/.bash_history

per-user shell history.

/var/spool/cron

scheduled tasks.

SSH artifacts

~/.ssh/known_hosts, authorized_keys, /etc/ssh/sshd_config.

package logs

/var/log/dpkg.log, /var/log/apt/, yum.log, dnf.log.

systemd units

systemctl list-units --all; /etc/systemd/system, /lib/systemd/system.

mounted devices

/etc/fstab, /var/log/messages USB events.

OS artifacts (macOS)#

Source

Notes

Unified Logs

log show --predicate ...; binary logs from 10.12+.

plist files

property lists for app config + state.

keychain

Keychain Access; cred store.

Spotlight

mdfind, mds index; per-volume.

APFS snapshots

tmutil snapshot list.

File system events

fseventsd.

Quarantine

com.apple.quarantine xattr; download provenance.

Persistence

LaunchAgents, LaunchDaemons (~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons).

TCC database

TCC.db; consent decisions.

KnowledgeC.db

usage analytics (Apple).

Photos.sqlite

photos library metadata.

Notes / Messages

SQLite DBs in ~/Library/Group Containers/.

Browser / app artifacts#

Browser / app

Artifact location

Chrome / Edge

SQLite DBs under ~/AppData/Local/Google/Chrome/User Data/<Profile> (Win) / ~/Library/Application Support/Google/Chrome (mac) / ~/.config/google-chrome (Linux). History, Cookies, Downloads, Login Data, Web Data.

Firefox

places.sqlite, cookies.sqlite, logins.json, cert9.db, key4.db.

Safari

History.db, Cookies.binarycookies, Downloads.plist.

Outlook

.pst / .ost on disk; OST per-account.

Slack

local SQLite under ~/Library/Application Support/Slack (mac).

Discord

~/.config/discord (Linux), similar elsewhere.

Telegram

SQLite + per-chat caches.

Signal

encrypted SQLite (sqlcipher); requires DB key.

Standards / methodology#

Standard

Notes

NIST SP 800-86

Guide to Integrating Forensic Techniques into IR.

NIST SP 800-101r1

Guidelines on Mobile Device Forensics.

ISO/IEC 27037

Identification, collection, acquisition, preservation of digital evidence.

ISO/IEC 27042

Analysis and interpretation.

ISO/IEC 27043

Incident investigation principles.

ISO/IEC 27050

Electronic discovery.

SWGDE Best Practice s

Scientific Working Group on Digital Evidence; per-topic documents.

RFC 3227

Guidelines for Evidence Collection and Archiving.

ACPO Good Practice

UK police digital-evidence guidance.

ENFSI Best Practice

EU forensic networks per-discipline guides.

Operator notes#

  • Chain of custody, document acquisition steps, hashes, custodian transfers. The forensic image is only as good as the log of how it was made.

  • Hashing, MD5 + SHA-1 + SHA-256 simultaneously is still the convention for forensic acquisitions.

  • Volatility order, per RFC 3227: registers / cache, RAM, network state, processes / kernel, temporary files, disk, remote logs, archival media.

  • Anti-forensics, timestamp manipulation, log clearing, encrypted volumes, file wiping all count; verify journals and snapshots.

  • Mobile encryption, modern iOS / Android make full physical extraction effectively impossible without vendor exploits (GrayKey, Cellebrite Premium); plan for logical / iCloud / Google backup acquisition.

  • Authorization, forensic acquisition without consent or warrant exposes the operator and the evidence to suppression. Verify legal authority first.

References#