Forensics Checklist
Last updated
Verify the integrity of the evidence (using hash values).
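Worked example for the integrity check above (added here; not code from the original checklist). It hashes evidence in chunks so a large image never has to fit in memory, and compares the result with the hash recorded at acquisition using a constant-time comparison. The sample evidence is the constructed three-byte blob b"abc" with its published SHA-256 test-vector value; the file path in the usage line is hypothetical.

```python
import hashlib
import hmac

# Constructed sample evidence: b"abc" is a published SHA-256 test vector,
# so the "acquisition hash" below is known without running anything.
SAMPLE_EVIDENCE = b"abc"
ACQUISITION_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so a multi-GB image is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_acquisition_hash(actual_hex: str, expected_hex: str) -> bool:
    """Compare hex digests case-insensitively and in constant time."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_evidence(data: bytes, expected_hex: str) -> bool:
    """True when the blob still hashes to the value recorded at acquisition."""
    return matches_acquisition_hash(sha256_of_bytes(data), expected_hex)


if __name__ == "__main__":
    print("intact :", verify_evidence(SAMPLE_EVIDENCE, ACQUISITION_SHA256))
    print("altered:", verify_evidence(SAMPLE_EVIDENCE + b"\x00", ACQUISITION_SHA256))
    # For a real image (hypothetical path):
    # print(matches_acquisition_hash(sha256_of_file("/cases/001/disk.E01"), ACQUISITION_SHA256))
```

Record the hash of the working copy as well as the original, and re-hash the working copy at the end of the analysis so the report can show it was never modified.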
Disk Image Analysis:
Analyze disk images with tools like Autopsy or Sleuth Kit.
Look for deleted files, hidden partitions, and file system artifacts.
Memory Dump Analysis:
Use tools like Volatility or Rekall for memory analysis.
Search for suspicious processes, network connections, and memory strings.
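Worked example for the "memory strings" step (added here; not code from the original checklist or from Volatility). It pulls printable runs out of a raw dump the way the strings utility does, but also recovers UTF-16LE text, which is how Windows processes usually hold paths and URLs, and reports the offset and encoding of each hit so it can be tied back to a process or module. The dump bytes and the IP address are constructed sample data.

```python
import re

# Patterns worth a second look once strings are extracted: URLs, IPv4 addresses, Windows paths.
INDICATOR = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b|[A-Za-z]:\\[^\s\"']+")

# Constructed sample "memory": binary noise, an ASCII path, more noise, a UTF-16LE URL
# (TEST-NET address), then a run too short to be reported.
SAMPLE_DUMP = (
    b"\x00\x00\x7f\x01"
    + b"C:\\Users\\alice\\AppData\\Local\\Temp\\update.bin"
    + b"\x00\x00\x01"
    + "http://198.51.100.23/update/check".encode("utf-16le")
    + b"\x00\x00"
    + b"ab"
    + b"\x00"
)


def extract_strings(data: bytes, min_len: int = 6):
    """Return (encoding, offset, text) for every printable run of at least min_len characters."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16le")))
    found.sort(key=lambda hit: hit[1])  # present in dump order
    return found


def find_indicators(strings):
    """Filter extracted strings down to URL / IP / path artefacts, keeping offset and encoding."""
    hits = []
    for encoding, offset, text in strings:
        for m in INDICATOR.finditer(text):
            hits.append((encoding, offset, m.group()))
    return hits


if __name__ == "__main__":
    for encoding, offset, text in extract_strings(SAMPLE_DUMP):
        print(f"{offset:#010x} {encoding:8s} {text}")
    print(find_indicators(extract_strings(SAMPLE_DUMP)))
```

On a real dump, run this on a single process's memory (e.g. a region exported by the memory-analysis tool) rather than the whole image, otherwise the offsets are meaningless and the output is dominated by noise.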
Network Traffic Analysis:
Analyze network captures with tools like Wireshark or NetworkMiner.
Look for anomalies, data exfiltration, or suspicious connections.
Log Analysis:
Examine system and application logs for signs of tampering or malicious activity.
File Analysis:
Use file analysis tools (binwalk, Foremost) to extract embedded or hidden content.
Inspect file metadata for clues (e.g., EXIF data in images).
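Worked example for the two file-analysis steps above (added here; not code from the original checklist, binwalk or Foremost). It walks the marker segments of a JPEG, reports whether an APP1/Exif block is present (where EXIF metadata lives), and returns any bytes appended after the End-Of-Image marker, which is the classic place a challenge hides a second file. The JPEG bytes are a constructed minimal image with a PK (zip) header appended after EOI.

```python
import struct

MARKER_NAMES = {
    0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT", 0xDD: "DRI",
    0xDA: "SOS", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM",
}
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0..RST7 carry no length field

# Constructed sample: SOI, an APP1 segment starting with the Exif header and a little-endian TIFF
# header, a one-component SOS with a few bytes of entropy-coded data (0xFF 0x00 is a stuffed byte),
# EOI, and then a zip local-file header appended after the end of the image.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe1\x00\x10" + b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00"
    + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
    + b"PK\x03\x04" + b"hidden-archive"
)


def walk_jpeg(data: bytes):
    """Return ([(name, offset, size), ...], offset just past EOI or None if no EOI was found)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [("SOI", 0, 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the image proper ends here
            segments.append(("EOI", pos, 2))
            return segments, pos + 2
        if marker in STANDALONE:
            segments.append((MARKER_NAMES.get(marker, f"0x{marker:02X}"), pos, 2))
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        segments.append((MARKER_NAMES.get(marker, f"0x{marker:02X}"), pos, 2 + length))
        pos += 2 + length
        if marker == 0xDA:
            # Entropy-coded data follows SOS. Inside it 0xFF is always followed by 0x00 or an RSTn
            # marker, so the first 0xFF 0xD9 pair is unambiguously the EOI marker.
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] == 0xD9):
                pos += 1
    return segments, None


def has_exif(data: bytes) -> bool:
    """True if any APP1 segment carries the 'Exif\\0\\0' header."""
    segments, _ = walk_jpeg(data)
    return any(name == "APP1" and data[off + 4:off + 10] == b"Exif\x00\x00"
               for name, off, _ in segments)


def trailing_data(data: bytes) -> bytes:
    """Bytes after EOI; a non-empty result means something was appended to the image."""
    _, end = walk_jpeg(data)
    return data[end:] if end is not None else b""


if __name__ == "__main__":
    for name, off, size in walk_jpeg(SAMPLE_JPEG)[0]:
        print(f"{off:6d} {name:5s} {size} bytes")
    print("exif present:", has_exif(SAMPLE_JPEG))
    print("appended bytes:", trailing_data(SAMPLE_JPEG)[:4])
```

Once the trailing bytes are carved out, identify them by their own magic bytes (here PK\x03\x04, a zip local-file header) and analyse that file as a new piece of evidence.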
Email Analysis:
Examine email headers and content for phishing indicators or spoofed emails.
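Worked example for the email step above (added here; not code from the original checklist). Using only the standard library's email parser, it checks the header fields that most often betray a spoofed message: a Return-Path or Reply-To domain that does not match the From domain, an address hiding in the display name, and non-passing SPF/DKIM/DMARC results, and it lists the Received hops in transit order. The message is a constructed sample using reserved example domains and a TEST-NET address.

```python
import email
import re
from email.utils import parseaddr

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample message: header From claims example.org, but the envelope sender,
# Reply-To and authentication results all point elsewhere.
SAMPLE_EMAIL = (
    "Return-Path: <bounce-8812@mail-relay.example.net>\n"
    "Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id 7f3a; Tue, 5 Mar 2024 09:12:44 +0000\n"
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net;\n"
    "\tdkim=none\n"
    "From: \"IT Helpdesk\" <helpdesk@example.org>\n"
    "Reply-To: it-helpdesk-reset@example.net\n"
    "To: user@example.org\n"
    "Subject: Your password expires today\n"
    "\n"
    "Please confirm your password at the link below.\n"
)


def domain_of(header_value) -> str:
    """Domain of the address in a header value, lowercased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw: str):
    """Return human-readable indicator strings found in the headers of a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))
    display_name, _ = parseaddr(msg.get("From", ""))

    return_path = domain_of(msg.get("Return-Path"))          # envelope sender
    if return_path and return_path != from_domain:
        findings.append(f"Return-Path domain {return_path!r} differs from From domain {from_domain!r}")

    reply_to = domain_of(msg.get("Reply-To"))                # where replies actually go
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to!r} differs from From domain {from_domain!r}")

    if "@" in display_name:                                  # "ceo@example.org" <x@other.example>
        findings.append(f"display name {display_name!r} contains an address (display-name spoofing)")

    for header in msg.get_all("Authentication-Results", []):
        for mechanism, result in AUTH_RESULT.findall(header):
            if result.lower() != "pass":
                findings.append(f"Authentication-Results: {mechanism.lower()}={result.lower()}")
    return findings


def received_chain(raw: str):
    """Sending hosts from the Received headers, oldest hop first (headers are prepended in transit)."""
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = re.match(r"\s*from\s+(\S+)", header)
        hops.append(m.group(1) if m else header.split(";")[0].strip())
    return hops


if __name__ == "__main__":
    print("hops:", received_chain(SAMPLE_EMAIL))
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Only the Received header added by your own mail server can be trusted; everything below it in the chain was written by the sender and can be fabricated, so read the chain from the top down.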
Create a timeline of events to understand the sequence of activities.
Attempt to recover any deleted or corrupted data.
Correlate data from different sources (logs, files, images) to build a comprehensive view.
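Worked example for the timeline, log-analysis and correlation steps above (added here; not code from the original checklist). It parses three differently formatted sources (syslog without a year or timezone, an Apache-style access log, and an ISO-8601 endpoint log), normalises every timestamp to UTC, merges them into one ordered timeline, and flags lines whose timestamps run backwards within a single file, one cheap sign that a log was edited. All log lines, hostnames and addresses are constructed sample data; the syslog year and timezone are assumptions passed in as parameters.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Event:
    ts: datetime      # always timezone-aware UTC
    source: str
    line_no: int      # position in the original file, for the report
    message: str


SYSLOG = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
EDR = re.compile(r"^(\S+) (\S+) (.*)$")   # hypothetical "timestamp host detail" endpoint format

# Constructed sample logs. Syslog line 3 has an earlier timestamp than line 2.
SYSLOG_LINES = [
    "Mar  5 09:12:44 web01 sshd[4412]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2",
    "Mar  5 09:14:10 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Mar  5 09:13:30 web01 sshd[4412]: pam_unix(sshd:session): session opened for user deploy",
]
ACCESS_LINES = [
    '203.0.113.7 - - [05/Mar/2024:09:13:02 +0000] "GET /uploads/report.php HTTP/1.1" 200 512',
]
EDR_LINES = [
    "2024-03-05T09:12:50Z web01 process_start /usr/bin/curl",
]


def parse_syslog(line, line_no, year, tz=timezone.utc):
    """Classic syslog has no year and no zone: both are supplied by the analyst (assumptions)."""
    m = SYSLOG.match(line)
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)
    return Event(ts.astimezone(timezone.utc), "syslog", line_no, f"{m.group(2)} {m.group(3)}")


def parse_access(line, line_no):
    m = ACCESS.match(line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return Event(ts.astimezone(timezone.utc), "access", line_no, f"{m.group(1)} {m.group(3)} -> {m.group(4)}")


def parse_edr(line, line_no):
    m = EDR.match(line)
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return Event(ts.astimezone(timezone.utc), "edr", line_no, f"{m.group(2)} {m.group(3)}")


def parse_all(year: int = 2024):
    """Every event from every source, in file order (needed for the tampering check)."""
    events = [parse_syslog(l, n, year) for n, l in enumerate(SYSLOG_LINES, 1)]
    events += [parse_access(l, n) for n, l in enumerate(ACCESS_LINES, 1)]
    events += [parse_edr(l, n) for n, l in enumerate(EDR_LINES, 1)]
    return events


def build_timeline(year: int = 2024):
    """One merged timeline across sources, ordered by normalised UTC timestamp."""
    return sorted(parse_all(year), key=lambda e: e.ts)


def out_of_order(events):
    """(source, line_no) for lines whose timestamp precedes an earlier line of the same file."""
    latest = {}
    hits = []
    for e in events:
        if e.source in latest and e.ts < latest[e.source]:
            hits.append((e.source, e.line_no))
        latest[e.source] = max(latest.get(e.source, e.ts), e.ts)
    return hits


if __name__ == "__main__":
    for e in build_timeline():
        print(f"{e.ts:%Y-%m-%d %H:%M:%S}Z {e.source:7s} {e.message}")
    print("out-of-order lines:", out_of_order(parse_all()))
```

Out-of-order lines are only a lead: log daemons do reorder under load and clocks do drift, so confirm a suspected edit with file metadata, the journal, or a second copy of the log from a central collector.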
Write scripts to automate analysis tasks or parse through large datasets.
Use steganography tools (Steghide, zsteg, etc.) to check for hidden data in images or audio files.
Identify and attempt to break any cryptographic elements encountered.
Analyze suspicious files for malware characteristics using sandboxes or static/dynamic analysis tools.
Each CTF challenge might have specific requirements or hints. Tailor your approach accordingly.
Document your findings, including the methods used and the interpretation of the data.
Prepare a detailed report or a write-up of your analysis.
Securely erase any copies of sensitive data once the analysis is complete.