Forensics Checklist

Prepare a forensic workstation with necessary tools (Autopsy, Wireshark, Volatility, binwalk, Foremost, FlareVM, etc.).

Ensure you have a write blocker if you're dealing with physical drives.

Obtain a copy of the digital evidence (disk images, memory dumps, network captures, etc.).

Verify the integrity of the evidence (using hash values).

Disk Image Analysis:

Memory Dump Analysis:

Network Traffic Analysis:

Log Analysis:

Examine system and application logs for signs of tampering or malicious activity.

File Analysis:

Use file analysis tools (binwalk, Foremost) to extract embedded or hidden content.
Inspect file metadata for clues (e.g., EXIF data in images).

Email Analysis:

Create a timeline of events to understand the sequence of activities.

Attempt to recover any deleted or corrupted data.

Correlate data from different sources (logs, files, images) to build a comprehensive view.

Write scripts to automate analysis tasks or parse through large datasets.

Use steganography tools (Steghide, zsteg, etc.) to check for hidden data in images or audio files.

Identify and attempt to break any cryptographic elements encountered.

Analyze suspicious files for malware characteristics using sandboxes or static/dynamic analysis tools.

Each CTF challenge might have specific requirements or hints. Tailor your approach accordingly.

Document your findings, including the methods used and the interpretation of the data.

Prepare a detailed report or a write-up of your analysis.

Securely erase any copies of sensitive data once the analysis is complete.

Last updated 6 months ago