Forensics Checklist

Initial Setup

• Prepare a forensic workstation with necessary tools (Autopsy, Wireshark, Volatility, binwalk, Foremost, FlareVM, etc.).

• Ensure you have a write blocker if you're dealing with physical drives.

Evidence Acquisition

• Obtain a copy of the digital evidence (disk images, memory dumps, network captures, etc.).

  • Useful tools by Eric Zimmerman:

  • MFT analysis:

• Verify the integrity of the evidence (using hash values).

Evidence Analysis

• Disk Image Analysis:

  • Analyze disk images with tools like Autopsy or Sleuth Kit.

  • Look for deleted files, hidden partitions, and file system artifacts.

• Memory Dump Analysis:

  • Use tools like Volatility or Rekall for memory analysis.

  • Search for suspicious processes, network connections, and memory strings.

• Network Traffic Analysis:

  • Analyze network captures with tools like Wireshark or NetworkMiner.

  • Look for anomalies, data exfiltration, or suspicious connections.

• Log Analysis:

  • Examine system and application logs for signs of tampering or malicious activity.

• File Analysis:

  • Use file analysis tools (binwalk, Foremost) to extract embedded or hidden content.

  • Inspect file metadata for clues (e.g., EXIF data in images).

• Email Analysis:

  • Examine email headers and content for phishing indicators or spoofed emails.

Timeline Analysis

• Create a timeline of events to understand the sequence of activities.

Data Recovery:

• Attempt to recover any deleted or corrupted data.

Artifact Correlation:

• Correlate data from different sources (logs, files, images) to build a comprehensive view.

Scripting and Automation:

• Write scripts to automate analysis tasks or parse through large datasets.

Steganography Analysis (if applicable):

• Use steganography tools (Steghide, zsteg, etc.) to check for hidden data in images or audio files.

Cryptanalysis (if applicable):

• Identify and attempt to break any cryptographic elements encountered.

Malware Analysis (if applicable):

• Analyze suspicious files for malware characteristics using sandboxes or static/dynamic analysis tools.

Challenge-Specific Analysis

• Each CTF challenge might have specific requirements or hints. Tailor your approach accordingly.

Reporting (if applicable)

• Document your findings, including the methods used and the interpretation of the data.

• Prepare a detailed report or a write-up of your analysis.

Cleanup

• Securely erase any copies of sensitive data once the analysis is complete.