Blue Team Fundamentals Module 06

The document provides an overview of digital forensics, emphasizing its critical role in post-compromise investigations within cybersecurity. It outlines the digital forensics life cycle, including stages such as planning, preparation, imaging, and analysis, as well as evidence collection methodologies. The document also details specific techniques for volatile data collection and disk imaging using tools like FTK Imager.

Uploaded by

comedordecasadas

CYBERWARFARE LABS

Blue Team Fundamentals
Module : 06 | UNVEILING THE SECRETS OF DIGITAL INVESTIGATIONS

● Digital forensics plays a vital role in post-compromise analysis scenarios; the key focus is investigating and analyzing various cybersecurity incidents.
● An effective forensic approach involves imaging, analysing and determining the root cause of the detected incident.

Agenda:
● General overview of digital forensics
● Working of digital forensics
● Evidence collection methodology
● Post incident analysis
General overview of Digital Forensics

In organisational cyber defence, digital forensics plays a very important role in post-compromise investigations. If an internal system has been compromised, it is the responsibility of the forensic investigator to investigate and detect the root cause of the triggered incident.
General overview of Cyber Forensics

Forensics teams generally operate under a general shift:
● Post-compromise investigation
● Analysing and examining the image and memory file
● Identifying and determining the root cause of the incident

Cyber forensics generally requires a combination of technical expertise, analytical skills, and adherence to legal and ethical standards.
Working of Digital Forensics
Digital forensics Life Cycle
Digital forensics is a part of cyber defense that involves identifying, collecting, analysing, and reporting any useful digital information held on digital devices involved in cyber incidents.

It covers the examination of storage media, hardware, operating systems, networks, and applications. It includes five high-level stages.
Planning & Identification
With a well-structured plan and identification techniques, cyber forensic investigators can effectively uncover and analyze digital evidence, attributing cyber incidents to specific individuals or entities.

The initial stage in planning and identification is to collect and determine the alerts and occurrences that fall under post-compromise scenarios.
Preparation
Based on the incident, the forensics analyst should be prepared with the necessary tools and technologies for digital evidence collection, preservation, and analysis.

Establish clear and standardized documentation procedures for all stages of the investigation, including incident discovery, evidence collection, and analysis.
Imaging & Memory Acquisition
Imaging and memory acquisition are the essential processes in cyber forensic investigations, particularly when dealing with digital evidence from computers and other electronic devices.

These techniques entail generating a copy or snapshot of a system's storage media and memory to preserve its state for examination without affecting the original data.
Analysing & Investigation
This particular process plays a crucial role in identifying and determining the root cause of the reported or detected incidents. The analyst needs to manually review the extracted image and memory file to gather as much information from it as possible, information such as:

● Process Information
● PE and File Extraction
● Injected Code
● Process Listings
● Networking Information
● Logs / Histories
● Kernel Memory and Objects
● Registry
● Password Recovery
● Malware Specific
Working of Digital Forensics : Phase 01
Working of Digital Forensics : Phase 02
Evidence collection methodology
Evidence collection methodology is a key aspect of forensics investigations; evidence can be collected from various sources including live system data, hibernated machines, network packets, etc.

Here is a general methodology for evidence collection in post-compromise scenarios:

1. Volatile Data Collection
2. Disk Imaging
3. Network packet capture
4. Event/Log collection
Volatile Data Collection
Step:01
The initial step is to log on to the relevant infected machine.

In our presentation, we are using FTK Imager to do our live memory acquisition.
Step:02
The next step is to download and install FTK Imager from the official website listed below.

https://www.exterro.com/digital-forensics-software/ftk-imager

Other recommended tools are Magnet Forensics, Volatility, etc.
Step:03
After downloading FTK Imager, the next step is to open the downloaded FTK Imager on the infected system.
Step:04
To capture memory, go to File → Capture Memory. In the dialogue box named Memory Capture, simply provide the necessary information.
Step:05
After entering the necessary information, such as the destination directory and filename, just choose Capture Memory.

Shortly after the Volatile Data Collection procedure begins, FTK Imager starts capturing RAM. The procedure takes time, depending on the amount of RAM in use.
Step:06
Soon after the procedure has completed, transfer the file to the investigation machine for additional examination.
Disk Imaging
General Working of Disk Imaging
Disk imaging is the process of copying data bit-by-bit (a bitstream copy) to another hard disk, resulting in an unchanged copy of the source medium. Disk imaging can copy either the entire disk or a logical partition on it.

This imaging process differs from a traditional copy-and-paste: imaging copies not only the files but the whole medium, which typically includes data such as the master boot record and the allocation table information.
Step:01
The initial step is to log on to the relevant infected machine.

In our presentation, we are again using FTK Imager to do our live disk image acquisition.
Step:02
The next step is to download and install FTK Imager from the official website (see the Volatile Data Collection section).

After downloading FTK Imager, the next step is to open the downloaded FTK Imager on the infected system.
Step:03
To initiate a disk image acquisition, navigate to File → Create Disk Image.
Step:04
The next step is to select the appropriate source option to proceed further.
Physical Drive → Retrieve the image of the entire disk
Logical Drive → Retrieve the image of the selected disk partition
Image File → Retrieve the image from an existing image file
Content of a Folder → Retrieve the image of a specific folder
Step:05
In our demonstration, we will proceed to image the infected system's physical drive. After selecting it, FTK Imager will prompt you with a dialogue box to choose the disk that needs to be imaged, along with the information about the destination where it needs to be saved.
Step:06
The most important part of disk acquisition is to select the appropriate image type.

RAW (dd): Raw imaging commonly produces raw disk images with extensions such as .dd or .raw. These files contain the raw binary data of the storage media.

AFF (Advanced Forensic Format): AFF is an open and extensible format designed for forensic imaging. Tools like AFFLIB support this format, and files may have extensions like .AFF or .AFD.

EnCase Image Format: EnCase Forensic software often creates forensic images with the .E01 extension. If an image is split into multiple segments, you may see extensions like .E02, .E03, etc.
Step:07
It is recommended to fill in all information related to the investigation for better visibility and maintaining
Step:08
Shortly after the disk imaging begins, depending on the disk size, the process will take considerably more time.
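As an added example (not part of the original slides or of FTK Imager), the following Python script shows what a bit-level physical-drive image carries that a plain file copy does not: it reads the master boot record from the first sector of a raw (.dd/.raw) image and lists the partition table, and it refuses an EnCase .E01 file, which is a container rather than raw sectors. The sample MBR is constructed inline, and a 512-byte sector size is assumed.

```python
import struct

# Offsets and constants of the classic (non-GPT) MBR layout.
SECTOR = 512
TABLE_OFFSET = 446                    # partition table starts here, 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of the first sector
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # first 8 bytes of an EnCase .E01 segment
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0b: "FAT32",
                   0x0c: "FAT32 (LBA)", 0x83: "Linux", 0xee: "GPT protective"}

def build_sample_image():
    """Constructed sample: first sector of a raw image with two partitions."""
    ntfs = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    linux = bytes([0x00, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 206848, 409600)
    return bytes(TABLE_OFFSET) + ntfs + linux + bytes(32) + BOOT_SIGNATURE

def parse_mbr(image):
    """Return the non-empty partition entries found in the first sector of a raw image."""
    if image[:8] == EWF_SIGNATURE:
        raise ValueError("EnCase E01 container, not raw sectors; open it with an EWF-aware tool")
    if len(image) < SECTOR or image[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR-partitioned raw image")
    partitions = []
    for index in range(4):
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", image, TABLE_OFFSET + 16 * index)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, "0x%02x" % ptype),
            "start_lba": lba,
            "sectors": count,
            "start_byte": lba * SECTOR,     # where a logical-drive image of this partition would begin
            "size_bytes": count * SECTOR,
        })
    return partitions

if __name__ == "__main__":
    for p in parse_mbr(build_sample_image()):
        print(p)
```

Run against a real physical-drive image by replacing build_sample_image() with the first 512 bytes read from the .dd file; a logical-drive image of one partition has no MBR at offset 0 and would fail the boot-signature check.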
Post incident analysis
Demo
Thank You
For Professional Red Team / Blue Team / Purple Team / Cloud Cyber Range labs / Trainings, please contact

[email protected]
To know more about our offerings, please visit: https://cyberwarfare.live
