Digital Forensics#
Reference of digital-forensics tools, artifact locations, and acquisition / analysis pipelines. The discipline splits into four phases, identification, acquisition, analysis, presentation, each with its own toolkit. NIST SP 800-86 and the SWGDE guidelines remain the standard procedural references.
For broader incident response context, see Security. For runtime detection, see YARA and Sigma.
Acquisition#
Tool |
Notes |
|---|---|
FTK Imager |
Free; raw / E01 / SMART / AFF imaging, mount, preview. |
dc3dd / dcfldd |
Forensic dd with hash-on-read; defunct upstream but widely used. |
ddrescue |
GNU; resilient against bad sectors. |
Guymager |
Linux-native imager with GUI. |
EnCase Forensic |
OpenText; the legacy commercial standard; .E01 origin. |
Magnet AXIOM |
Modern integrated platform. |
X-Ways Forensics |
Single-license commercial favorite of practitioners. |
Cellebrite UFED |
Mobile forensic acquisition (iOS / Android). |
GrayKey |
iOS unlock + acquisition. |
Magnet GRAYKEY |
iOS / Android logical + physical. |
MOBILedit Forensic |
Mobile. |
Oxygen Forensics |
Mobile + cloud. |
Belkasoft X |
Computer + mobile + cloud. |
Volatility 3 |
Memory analysis (RAM dumps). |
Rekall |
Memory analysis (Volatility fork). |
WinPMem / LiME |
RAM acquisition (Windows / Linux). |
DumpIt |
Windows RAM acquisition. |
Magnet RAM Capture |
Free RAM capture. |
F-Response |
Remote evidence acquisition. |
Velociraptor |
Open EDR + DFIR endpoint collection at scale. |
KAPE |
Triage acquisition; the SANS DFIR favorite. |
GRR Rapid Response |
Google’s open-source live forensics. |
Disk / file system#
Tool |
Notes |
|---|---|
Autopsy |
OSS UI on top of The Sleuth Kit; the OSS standard. |
The Sleuth Kit |
|
TestDisk + PhotoRec |
File / partition recovery. |
foremost / scalpel |
File carving by header / footer. |
bulk_extractor |
Stream-pattern extraction (emails, URLs, BTC, EXIF) from raw images. |
SleuthKit + Autopsy |
Java GUI on top of TSK. |
log2timeline / plas |
o |
mac_robber |
File-system metadata for timeline. |
ExifTool |
EXIF metadata. |
Forensic Toolkit (F TK) |
AccessData; commercial. |
EnCase Forensic |
commercial; standard for many courts. |
Memory analysis#
Tool |
Notes |
|---|---|
Volatility 3 |
Modern Python rewrite of Volatility. |
Volatility 2.x |
Legacy; still has plugins not yet ported. |
Rekall |
Volatility fork; mostly maintenance mode. |
LiME |
Linux RAM acquisition. |
WinPMem |
Windows RAM acquisition. |
volframework / lvox |
alternative rule engines. |
Memory Process FS |
/proc-style mount of a memory image. |
Network / packet#
Tool |
Notes |
|---|---|
Wireshark / tshark |
packet capture + analysis. |
NetworkMiner |
artifact extraction from PCAP. |
tcpdump |
CLI capture. |
Zeek (Bro) |
network-monitoring framework; rich logs. |
Suricata + EVE JSON |
IDS + JSON logs. |
Stenographer |
Google’s full-PCAP storage. |
moloch / Arkime |
indexed full-packet capture + UI. |
RSA NetWitness |
commercial. |
Argus, nfdump |
NetFlow / IPFIX analysis. |
Joy |
IPFIX-flavoured intel features. |
Mobile#
Tool |
Notes |
|---|---|
Cellebrite UFED + P A |
acquisition + analysis (iOS / Android / drone / IoT). |
Magnet AXIOM Mobile |
Magnet platform. |
Oxygen Forensics |
mobile + cloud / IoT. |
GrayKey |
iOS unlock. |
MOBILedit |
mobile. |
ALEAPP / iLEAPP |
Android / iOS Logs Events And Properties Parser; OSS. |
APK forensics |
apktool, jadx, MobSF for static analysis. |
Frida |
dynamic instrumentation; hooking running apps. |
objection |
Frida-based pentest helper. |
Burp + mobile proxy |
intercepting HTTP/S on mobile. |
Cloud / SaaS#
Source / Tool |
Notes |
|---|---|
AWS CloudTrail |
account audit log (organization-wide). |
GCP Audit Logs |
Admin / Data / System. |
Azure Activity Log |
resource-level audit. |
Microsoft 365 |
Unified Audit Log (Purview / Compliance). |
Google Workspace |
Admin Audit + Drive / Gmail logs. |
Okta Logs |
identity provider events. |
GitHub Audit Log |
organization events. |
Slack Audit Logs |
workspace events (Plus tier+). |
Magnet AXIOM Cyber |
cloud DFIR. |
Cellebrite Pathfind |
er cross-source IRR. |
SOF-ELK |
SANS ELK distro for forensic search. |
OS artifacts (Windows)#
Source |
Notes |
|---|---|
NTFS $MFT |
file-system metadata; per-file MAC times. |
$LogFile, $UsnJrnl |
filesystem journals. |
USN Journal |
file change history. |
Registry hives |
|
Event logs (.evtx) |
|
Prefetch (.pf) |
execution evidence. |
ShimCache |
AppCompat cache. |
AmCache |
Amcache.hve; executed-binary metadata. |
SRUM |
System Resource Usage Monitor; per-process net use. |
LNK files |
shortcut metadata; targets, MAC times. |
Jump Lists |
recently-used items per app. |
Volume Shadow Copy |
point-in-time snapshots. |
Browser artifacts |
Chrome / Edge / Firefox: history, cache, cookies, downloads, autofill. |
Outlook PST/OST |
email. |
Recycle Bin |
$I + $R files. |
RDP cache, BAM/DAM |
user-activity monitor caches. |
Windows Search DB |
Windows.edb. |
OS artifacts (Linux)#
Source |
Notes |
|---|---|
/var/log |
|
journald |
|
audit |
|
~/.bash_history |
per-user shell history. |
/var/spool/cron |
scheduled tasks. |
SSH artifacts |
|
package logs |
|
systemd units |
|
mounted devices |
|
OS artifacts (macOS)#
Source |
Notes |
|---|---|
Unified Logs |
|
plist files |
property lists for app config + state. |
keychain |
|
Spotlight |
|
APFS snapshots |
|
File system events |
fseventsd. |
Quarantine |
|
Persistence |
LaunchAgents, LaunchDaemons ( |
TCC database |
|
KnowledgeC.db |
usage analytics (Apple). |
Photos.sqlite |
photos library metadata. |
Notes / Messages |
SQLite DBs in |
Browser / app artifacts#
Browser / app |
Artifact location |
|---|---|
Chrome / Edge |
SQLite DBs under |
Firefox |
|
Safari |
|
Outlook |
.pst / .ost on disk; OST per-account. |
Slack |
local SQLite under |
Discord |
|
Telegram |
SQLite + per-chat caches. |
Signal |
encrypted SQLite (sqlcipher); requires DB key. |
Standards / methodology#
Standard |
Notes |
|---|---|
NIST SP 800-86 |
Guide to Integrating Forensic Techniques into IR. |
NIST SP 800-101r1 |
Guidelines on Mobile Device Forensics. |
ISO/IEC 27037 |
Identification, collection, acquisition, preservation of digital evidence. |
ISO/IEC 27042 |
Analysis and interpretation. |
ISO/IEC 27043 |
Incident investigation principles. |
ISO/IEC 27050 |
Electronic discovery. |
SWGDE Best Practice s |
Scientific Working Group on Digital Evidence; per-topic documents. |
RFC 3227 |
Guidelines for Evidence Collection and Archiving. |
ACPO Good Practice |
UK police digital-evidence guidance. |
ENFSI Best Practice |
EU forensic networks per-discipline guides. |
Operator notes#
Chain of custody, document acquisition steps, hashes, custodian transfers. The forensic image is only as good as the log of how it was made.
Hashing, MD5 + SHA-1 + SHA-256 simultaneously is still the convention for forensic acquisitions.
Volatility order, per RFC 3227: registers / cache, RAM, network state, processes / kernel, temporary files, disk, remote logs, archival media.
Anti-forensics, timestamp manipulation, log clearing, encrypted volumes, file wiping all count; verify journals and snapshots.
Mobile encryption, modern iOS / Android make full physical extraction effectively impossible without vendor exploits (GrayKey, Cellebrite Premium); plan for logical / iCloud / Google backup acquisition.
Authorization, forensic acquisition without consent or warrant exposes the operator and the evidence to suppression. Verify legal authority first.
References#
NIST CFTT, tool validation reports.
NIST CFReDS, reference data sets.
Hacking, techniques to look for in artifacts.
Hacker Groups, attribution.
YARA, pattern matching.