Digital Forensics Cheatsheet

The Digital Forensics Cheatsheet provides essential guidelines for evidence handling, including maintaining a chain of custody and using write blockers for disk imaging. It lists various tools and commands for disk imaging, file system analysis, memory forensics, network forensics, and email/artifact analysis. Additionally, it covers hashing and integrity checks, along with common forensic tools for analysis.

Uploaded by

vind14

Digital Forensics Cheatsheet

Evidence Handling

- Chain of Custody: Document every step (who, what, when, where, and how) so that each hand-off of the evidence is recorded.

- Imaging Best Practice: Always use a write blocker. Work on copies, not originals.

Disk Imaging Tools

- dd - dd if=/dev/sdX of=disk.img bs=4M conv=noerror,sync (noerror keeps reading past read errors; sync zero-fills unreadable or short blocks so offsets stay aligned, which also pads the final partial block)

- dcfldd - dcfldd if=/dev/sdX of=disk.img hash=sha256 (hashes the data while it is being imaged)

- FTK Imager - GUI-based imaging tool (Windows)

File System Analysis

- View partitions - fdisk -l disk.img

- Mount image - mount -o ro,loop,show_sys_files disk.img /mnt (ro prevents writes to the image; show_sys_files is an ntfs-3g option; for a whole-disk image add offset=<partition start in bytes> taken from fdisk -l)

- Recover deleted files - foremost -i disk.img -o output_folder

- File timeline - fls -r -m / disk.img > body.txt, then mactime -b body.txt

Memory Forensics

- List processes - vol.py -f mem.dmp windows.pslist

- Process tree (parent/child) - vol.py -f mem.dmp windows.pstree

- Dump process memory - vol.py -f mem.dmp windows.memmap --pid PID --dump (Volatility 3 syntax; the Volatility 2 equivalent is memdump -p PID)

Network Forensics

- Read .pcap file - tcpdump -r capture.pcap

- GUI Analysis - Wireshark

- Extract files - NetworkMiner or tcpflow

Email & Artifact Analysis

- Email Header Check - Analyze 'Received:' headers (read them bottom-up: the lowest was added by the first hop, the topmost by the receiving server)

- Browser Artifacts - BrowserHistoryView or WebCacheViewer

- Registry Analysis (Win) - RegRipper

Hashing & Integrity

- sha256sum file - SHA256 checksum

- md5sum file - MD5 checksum (collisions are practical; use it to match legacy hash sets, not as the sole proof of integrity)

- hashdeep -r dir/ - Recursive hash listing (hashdeep -a -k known.txt -r dir/ audits a directory against a saved listing)

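Putting the imaging and hashing lines above together, as an added example that is not part of the cheatsheet: a POSIX shell function (the name acquire_and_verify, the log layout and the test input are my own) that images a source with the cheatsheet's dd invocation, hashes source and image, and appends both to a log for the chain of custody. It also handles the edge case that conv=sync zero-pads the last partial block, so the stored image file hashes differently from the source device.

```shell
#!/bin/sh
# Added example, not from the cheatsheet. Assumes GNU coreutils (dd, sha256sum, head, wc).
# For a real device, run as root behind a hardware write blocker; $1 may also be a file.

acquire_and_verify() {
    src="$1"; img="$2"; log="${3:-$img.log}"
    size=$(wc -c < "$src" | tr -d ' ')          # bytes actually present on the source
    printf '%s acquiring %s (%s bytes) -> %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$size" "$img" >> "$log"
    # dd's own "records in/out" summary is kept in the log as part of the record
    dd if="$src" of="$img" bs=4M conv=noerror,sync 2>> "$log" || return 1
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    # conv=sync pads the final partial block with zeros, so compare the source
    # against only the first $size bytes of the image ...
    img_hash=$(head -c "$size" "$img" | sha256sum | cut -d' ' -f1)
    # ... and record the hash of the padded file as stored for later re-verification
    file_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        printf 'source sha256     : %s\n' "$src_hash"
        printf 'image  sha256     : %s (first %s bytes)\n' "$img_hash" "$size"
        printf 'image file sha256 : %s\n' "$file_hash"
    } >> "$log"
    printf '%s  %s\n' "$file_hash" "$img" > "$img.sha256"   # checked later with sha256sum -c
    [ "$src_hash" = "$img_hash" ]                          # non-zero exit = acquisition mismatch
}
```

Re-verify a stored image at any later point with `sha256sum -c disk.img.sha256`.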
Common Tools

- Autopsy - GUI for SleuthKit (disk/memory analysis)

- SleuthKit - CLI forensic toolkit

- Plaso/log2timeline - Timeline creation from logs

- ExifTool - Metadata extraction from files
