Intro to Digital Forensics
TryHackMe Walkthroughs · Guided · Intro to Digital Forensics
Task 1: Introduction to Digital Forensics
The field of forensics applies science to investigate crimes. Digital forensics, focusing on digital evidence, stands at the intersection between cybersecurity and forensics.
There are two types of investigations where digital forensics is applicable:
Public-sector investigations: These investigations are carried out by government and law enforcement.
Private-sector investigations: These investigations are carried out by corporations.
Task 2: Digital Forensics Processes
Before acquiring evidence, we should have proper search authorization.
At the scene, we should complete the following tasks:
Acquire the evidence.
Establish a chain of custody so that we know who has the evidence at any time.
Place the evidence in a secure container.
Transport the evidence to the lab.
Upon arrival at the lab, we should do the following:
Retrieve the evidence from the secure container.
Create a forensic copy of the evidence using validated tools.
Return the evidence to the secure container.
Begin analysis on the forensic copy.
Following proper procedures is crucial in digital forensics because our findings must be repeatable.
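The lab-side steps above (copy the evidence with a validated tool, verify the copy, keep a chain-of-custody record, analyse only the copy) can be shown in code. The following is an added example written for this walkthrough, not code from TryHackMe or from any forensic tool: it hashes the original, makes the copy, hashes the copy, writes each handling step to a JSON-lines custody log, and re-checks the copy against the logged hash later. The file names, handler name and "locker-3" container label are constructed placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_custody(log_path, handler, action, **details):
    """Append one JSON-lines chain-of-custody entry: who did what to which item, and when."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        **details,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def make_forensic_copy(evidence_path, work_dir, handler, log_path):
    """Copy the evidence and prove the copy is bit-identical before any analysis.

    The original is hashed before copying and the copy afterwards; both values
    go into the custody log so the result can be repeated and checked later.
    """
    evidence = Path(evidence_path)
    copy_path = Path(work_dir) / (evidence.name + ".img")
    source_hash = sha256_of(evidence)
    shutil.copyfile(evidence, copy_path)
    copy_hash = sha256_of(copy_path)
    entry = log_custody(
        log_path, handler, "forensic-copy",
        source=str(evidence), copy=str(copy_path),
        sha256_source=source_hash, sha256_copy=copy_hash,
        verified=(source_hash == copy_hash),
    )
    if not entry["verified"]:
        raise RuntimeError("copy does not match the original; do not analyse it")
    return entry


def verify_against_log(entry):
    """Re-hash the working copy and confirm it still matches the value logged at acquisition."""
    return sha256_of(entry["copy"]) == entry["sha256_copy"]


def demo():
    # Constructed sample: a small file standing in for a seized drive image.
    work = Path(tempfile.mkdtemp())
    evidence = work / "usb_stick_0001.bin"
    evidence.write_bytes(b"sample evidence bytes\n" * 1000)
    log = work / "custody.jsonl"
    log_custody(log, "examiner-A", "retrieve", item=str(evidence), container="locker-3")
    entry = make_forensic_copy(evidence, work, "examiner-A", log)
    log_custody(log, "examiner-A", "return-to-container", item=str(evidence), container="locker-3")
    return entry, log


if __name__ == "__main__":
    entry, log = demo()
    print("copy verified:", entry["verified"], "| still intact:", verify_against_log(entry))
    print(log.read_text())
```

Any later change to the working copy, accidental or otherwise, makes verify_against_log return False, which is exactly the property that lets a second examiner repeat the work from the logged hashes.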
Task 3: Practical Example of Digital Forensics
Files in a computer have associated data, called metadata. This metadata includes information about the file, such as creation date and last modification date. We can view the metadata of a PDF file with pdfinfo, installed with sudo apt install poppler-utils. The tool can be run as follows: pdfinfo <file>.
Images also have metadata. The standard format for saving image metadata is the Exchangeable Image File Format (EXIF), and EXIF metadata can be viewed with exiftool. To install this tool, first run sudo apt install libimage-exiftool-perl. Then, EXIF metadata can be viewed with the command exiftool <image>.
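To show what pdfinfo is actually reading, here is an added example, not code from TryHackMe or from poppler: a small Python parser that locates the PDF trailer's /Info reference, pulls the Info dictionary entries (Title, Author, Producer, CreationDate, ModDate), decodes the PDF date format D:YYYYMMDDHHmmSS with its timezone suffix, and flags a modification date that precedes the creation date, which is worth a closer look. The PDF bytes are a constructed minimal document; the parser is deliberately simplified (it handles literal strings in parentheses only, not hex strings, escaped parentheses or compressed object streams) and treats a missing timezone as UTC, which is an assumption, not the specification's rule.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal PDF with an Info dictionary, not a real document.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Quarterly report) /Author (J. Doe) /Creator (Writer)
/Producer (LibreOffice 7.3) /CreationDate (D:20230301120000Z)
/ModDate (D:20230115093000+01'00') >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# PDF date string: D:YYYY[MM[DD[HH[mm[SS]]]]] followed by Z or +HH'mm' / -HH'mm'.
_DATE_RE = re.compile(
    r"^D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    r"(?:(Z)|([+-])(\d{2})'?(\d{2})?'?)?$"
)


def parse_pdf_date(value):
    """Turn a PDF date string into an aware datetime; None if it is not one."""
    m = _DATE_RE.match(value.strip())
    if not m:
        return None
    defaults = (0, 1, 1, 0, 0, 0)  # omitted month/day default to 1, time to 0
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], defaults)]
    if m.group(8):  # explicit +HH'mm' or -HH'mm' offset
        offset = timedelta(hours=int(m.group(9)), minutes=int(m.group(10) or 0))
        tz = timezone(offset if m.group(8) == "+" else -offset)
    else:  # "Z" or no suffix at all: treated as UTC here (assumption)
        tz = timezone.utc
    return datetime(*parts, tzinfo=tz)


def parse_pdf_info(data):
    """Return the Info dictionary entries that pdfinfo prints, as a dict of strings."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {}
    num, gen = int(ref.group(1)), int(ref.group(2))
    obj = re.search(rb"(?ms)^%d %d obj(.*?)endobj" % (num, gen), data)
    if not obj:
        return {}
    pairs = re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1))
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in pairs}


def metadata_findings(info):
    """Simple consistency checks an examiner would run over the extracted metadata."""
    findings = []
    created = parse_pdf_date(info.get("CreationDate", ""))
    modified = parse_pdf_date(info.get("ModDate", ""))
    if created and modified and modified < created:
        findings.append("ModDate precedes CreationDate")
    for key in ("Author", "Creator", "Producer"):
        if key not in info:
            findings.append(f"{key} missing")
    return findings


if __name__ == "__main__":
    info = parse_pdf_info(SAMPLE_PDF)
    for key, value in info.items():
        shown = parse_pdf_date(value) if key.endswith("Date") else value
        print(f"{key + ':':16}{shown}")
    print("findings:", metadata_findings(info))
```

Running pdfinfo on a real file gives the same fields in the same order of importance for an investigation: who or what produced the document, and whether its timestamps agree with the story the file tells elsewhere.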