Day 1️⃣7️⃣ of Your 30 Day SOC Analyst Journey
How to get started with Digital Forensics:
How to get started with Digital Forensics:
Digital Forensics, the stuff you always dreamed about since CSI Miami.
What is Digital Forensics?, you ask
Let me tell you a story.
What is Digital Forensics?, you ask
Let me tell you a story.
It is Thursday, a quiet day.
You sit on your couch sipping hot chocolate ☕️ 🫕 staring into the fire place ❤️🔥
As always…
Obviously during working hours 🧑💼, stop asking too many questions!
Then…
You sit on your couch sipping hot chocolate ☕️ 🫕 staring into the fire place ❤️🔥
As always…
Obviously during working hours 🧑💼, stop asking too many questions!
Then…
The phone ☎️📢
RRIIING RRIIING
You try to ignore🙅♀️ it but 5 min later its still destroying your perfect moment at home..
What do you do?
You answer it🤳
HELP, EVERYTHING IS ON FIRE!🔥
We cannot login since this morning, all our passwords don’t work ❌🥴
We need you here📍
RRIIING RRIIING
You try to ignore🙅♀️ it but 5 min later its still destroying your perfect moment at home..
What do you do?
You answer it🤳
HELP, EVERYTHING IS ON FIRE!🔥
We cannot login since this morning, all our passwords don’t work ❌🥴
We need you here📍
UGH…
OK - time to get the slippers off and race to the office 🏎
Just another Tuesday…
What do you need?
🎒Go-Bag - ☑️
💻Laptop(s) - ☑️
💾empty Hard-Drives (lots) - ☑️
💿(backup) tool HDD - ☑️
🛟Thumb drive(s) - ☑️
🪥tooth brush - ☑️
🩳🩲🔞under… - ☑️☑️☑️
LETS GO!
OK - time to get the slippers off and race to the office 🏎
Just another Tuesday…
What do you need?
🎒Go-Bag - ☑️
💻Laptop(s) - ☑️
💾empty Hard-Drives (lots) - ☑️
💿(backup) tool HDD - ☑️
🛟Thumb drive(s) - ☑️
🪥tooth brush - ☑️
🩳🩲🔞under… - ☑️☑️☑️
LETS GO!
That is a lot of stuff you have with you…
WAIT! What is on that 🔧 tool drive?!
Glad you asked, we have some gems on there:
🎆 portable FTK Imager ()
🐕 Autopsy Installer ()
👩🏫 Volatility Installer ()accessdata.com/product-downlo…
autopsy.com
volatilityfoundation.org/releases
WAIT! What is on that 🔧 tool drive?!
Glad you asked, we have some gems on there:
🎆 portable FTK Imager ()
🐕 Autopsy Installer ()
👩🏫 Volatility Installer ()accessdata.com/product-downlo…
autopsy.com
volatilityfoundation.org/releases
What do you need those for?
Whenever you arrive at a location with potentially compromised machines...
You need to decide what to do.
✂️Do you cut the internet line, power and everything else?
Or do you observe first?!
Whenever you arrive at a location with potentially compromised machines...
You need to decide what to do.
✂️Do you cut the internet line, power and everything else?
Or do you observe first?!
One of the first steps you will most likely do is digital forensic image creation (what a mouthful huh?!)
That means you create a snapshot of the computers disk and memory
Why?
That means you create a snapshot of the computers disk and memory
Why?
⏲️ Sometimes malware/viruses are built to self-destruct when they cannot talk to their makers for a long time
🦠 If you cut the internet and don't have a snapshot of the compromised machine you might never find the virus
❌ Because it deleted itself.
🦠 If you cut the internet and don't have a snapshot of the compromised machine you might never find the virus
❌ Because it deleted itself.
That is what FTK Imager is for.
OK, how do I use it though?
Step-By-Step lets create an image of a Windows Host:
Download FTK Imager ()
Install it in a VM and follow this guide to get it a portable USB drive versiongo.exterro.com/l/43312/2023-0…
OK, how do I use it though?
Step-By-Step lets create an image of a Windows Host:
Download FTK Imager ()
Install it in a VM and follow this guide to get it a portable USB drive versiongo.exterro.com/l/43312/2023-0…
Attach the USB Drive to the machine that we want to have a snapshot of and open FTK Imager
Click Yes on the User Account Control, if it pops up.
Click Yes on the User Account Control, if it pops up.
Next you click on "File" (top left) and "Create Disk Image"
It will ask you which type of Source you want to select - we choose "Physical Drive" and click "Next"
FTK will now want to know which Drive it should snapshot - select the one you want to look at and click "Finish" 🏁
It will ask you which type of Source you want to select - we choose "Physical Drive" and click "Next"
FTK will now want to know which Drive it should snapshot - select the one you want to look at and click "Finish" 🏁
That was a fake... its not finished yet!
Now FTK asks which Destination it should use to store your Snapshot
IMPORTANT:
This cannot be the same Disk which you want to snapshot! Choose another one with the "Add" button.
For the Type of Image you want Raw (dd) just like the 🥩
Now FTK asks which Destination it should use to store your Snapshot
IMPORTANT:
This cannot be the same Disk which you want to snapshot! Choose another one with the "Add" button.
For the Type of Image you want Raw (dd) just like the 🥩
The next screen will add some metadata to the snapshot - Case Number, Evidence Number etc.
Fill it out, important - remember to add the date somewhere and push that "Next" button to the limit.
The last step will ask you for the Destination Folder, Filename and Fragment Size.
Fill it out, important - remember to add the date somewhere and push that "Next" button to the limit.
The last step will ask you for the Destination Folder, Filename and Fragment Size.
Fragment Size means that you will not have 1 file in the end but rather many smaller ones (1.5 GB per file in our case)🪓
This could help if the process crashes at some point or takes forever and you want to start the investigation already🔎👀🔍
"Finish" and WAIT... wait...
This could help if the process crashes at some point or takes forever and you want to start the investigation already🔎👀🔍
"Finish" and WAIT... wait...
wait some more.
And once that is done
You should have a couple of files
a Snapshot/Image summary that you can check
e.g. See what was archived and how large the disk was (65536 MB in my case)
And once that is done
You should have a couple of files
a Snapshot/Image summary that you can check
e.g. See what was archived and how large the disk was (65536 MB in my case)
Now that you have the Snapshot what do you do with it though?
You analyze it with Autopsy - This is what we will do in the next thread.
Any Questions?
You analyze it with Autopsy - This is what we will do in the next thread.
Any Questions?
If you liked this thread
follow me @maikroservice
retweet the first tweet of the thread so that more people can learn digital forensics :)
@threadreaderapp unroll
follow me @maikroservice
retweet the first tweet of the thread so that more people can learn digital forensics :)
@threadreaderapp unroll
• • •
Missing some Tweet in this thread? You can try to
force a refresh
