Forensic
Forensic analysis in cybersecurity involves the collection, preservation, and examination of digital evidence in a way that keeps it verifiable and admissible. Here is a breakdown of the key areas and tools involved in digital forensics.
Acquisition
Write Blocker: A hardware or software device placed between the analyst's workstation and the evidence medium that allows reads but blocks every write, so the original data is not modified during acquisition. Even mounting a volume normally can update timestamps or journal entries, which would change the evidence and break its hash.
Chain of Custody: A record-keeping system that tracks the handling of evidence from the time it is collected to the time it is used in legal proceedings: who had it, when, why, and the hashes taken at each hand-off, so that any alteration can be detected and accounted for.
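The two items above describe the same control from both sides: the write blocker prevents changes, and the custody record proves none happened. The following added example (not part of the original page) shows the usual way that proof is built: hash the image at acquisition, re-hash before every examination, and log each hand-off. It uses only the Python standard library; the image bytes and custodian names are constructed for the demonstration.

```python
"""Acquisition integrity: hash an image once at acquisition time, re-hash it
before analysis, and record each hand-off in a chain-of-custody log.
Added example; the sample image and custodians below are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Sequence


def hash_file(path: str, algorithms: Sequence[str] = ("md5", "sha256"),
              chunk: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in one pass with several algorithms (images are large,
    so read in chunks rather than loading the whole file)."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(path: str, recorded: Dict[str, str]) -> List[str]:
    """Return the algorithms whose current digest differs from the recorded
    one. An empty list means the image is unchanged since acquisition."""
    current = hash_file(path, tuple(recorded))
    return [a for a in recorded if current[a] != recorded[a]]


class CustodyLog:
    """Append-only list of custody events, each carrying the hashes seen."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def record(self, action: str, custodian: str, path: str,
               hashes: Dict[str, str]) -> Dict[str, object]:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,          # e.g. "acquired", "transferred", "examined"
            "custodian": custodian,
            "item": os.path.basename(path),
            "hashes": dict(hashes),
        }
        self.entries.append(entry)
        return entry


def demo() -> Dict[str, object]:
    """Acquire a constructed image, verify it, tamper with one byte (what a
    missing write blocker lets happen), and show the verification failing."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"NTFS    " + b"\xAA" * 4096)  # constructed image

        log = CustodyLog()
        acquired = hash_file(image)
        log.record("acquired", "examiner A", image, acquired)

        clean = verify_image(image, acquired)          # expected: []
        log.record("examined", "examiner B", image, hash_file(image))

        # Flip a single byte, as an unprotected mount or a careless tool might.
        with open(image, "r+b") as f:
            f.seek(4100)
            f.write(b"\x00")
        tampered = verify_image(image, acquired)       # expected: ["md5", "sha256"]

        return {"clean_mismatches": clean, "tampered_mismatches": tampered,
                "log_entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

Hashing with two algorithms is common practice because older custody forms still ask for MD5 while SHA-256 is what a court or a peer examiner will actually trust; a single flipped byte changes both.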
Forensic Tools
General purpose
PDF Information Extraction
pdfinfo: A command-line tool from poppler-utils that prints a PDF's metadata (Title, Author, Creator, Producer, creation and modification dates), page count, PDF version, and whether the file is encrypted. The Creator/Producer fields and timestamps are often the first clue that a document was generated by a toolkit rather than an office suite.
File Analysis
capa: A Mandiant tool that identifies the capabilities of an executable (for example "creates a remote thread", "encrypts data with RC4", "contacts a URL") by matching rules against its imports, strings and disassembly, and maps the hits to ATT&CK and Malware Behavior Catalog entries, so an analyst can triage what a sample can do before running it.
oledump.py: Didier Stevens' Python script for analysing OLE2 (Compound File Binary) documents such as legacy .doc, .xls and .ppt files; it lists the streams inside the container and flags those containing VBA macros, which can then be dumped and decompressed for inspection.
INetSim: A suite that simulates common Internet services (HTTP, DNS, SMTP, FTP and others) so malware can be executed in an isolated lab and its network behaviour captured without ever reaching the real Internet.
Windows Forensic Tools
Sysinternals Suite: A suite of advanced utilities for Windows system management, troubleshooting, and diagnostics.
Autoruns: Displays the programs configured to run at startup or logon across all auto-start locations (Run keys, services, drivers, scheduled tasks, shell extensions, and more), which is where persistence is usually found.
Process Explorer: Shows detailed information about running processes, including their parent, loaded DLLs, open handles, and image signature status.
Process Monitor: Monitors and logs real-time file system, registry, network, and process/thread activity with stack traces, which is the usual way to see what a sample touches while it runs.
Disk Image:
FTK Imager: Used to create forensic disk images.
Autopsy: An open-source digital forensics platform (a GUI built on The Sleuth Kit) for investigating disk images from hard drives and smartphones: file system parsing, timeline, keyword search, and carving of deleted files.
Memory Image:
DumpIt: A memory acquisition tool for Windows that captures a raw, bit-for-bit image of the system's physical RAM into a file; like any live tool it runs on the target, so record the hash of the resulting image immediately.
Volatility: A framework for analyzing memory dumps in forensic investigations. It reconstructs kernel and process structures from the raw image, so what it reports is only as good as the profile/symbols it resolves for the target OS.
Process analysis
The names below are Volatility 3 plugin names (invoked as windows.pstree.PsTree, windows.pslist.PsList, and so on).
pstree.PsTree: Displays the processes as a parent/child tree, which makes unexpected parents obvious (for example a cmd.exe or PowerShell spawned by an Office application or a service).
pslist.PsList: Lists active processes by walking the kernel's linked list of process objects; anything unlinked from that list by a rootkit will not appear here.
cmdline.CmdLine: Displays the command-line arguments each process was launched with, often the quickest way to spot encoded PowerShell or a LOLBin being abused.
filescan.FileScan: Carves memory for file object structures, recovering paths of files that were open (or recently closed) even if the handle is gone.
dlllist.DllList: Lists the DLLs loaded into each process, useful for spotting modules loaded from unusual paths.
malfind.Malfind: Searches each process's memory regions for injected code: private, executable regions (typically PAGE_EXECUTE_READWRITE) with no backing file on disk, and shows their first bytes so PE headers or shellcode can be recognised.
psscan.PsScan: Carves memory for process object pool allocations instead of walking the list, so it recovers hidden and terminated processes; comparing its output against pslist is the standard way to find processes unlinked by DKOM.
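The pslist/psscan comparison mentioned above is the cross-view technique in practice: anything psscan carves that pslist does not list is either a process that has exited normally or one that was unlinked to hide it. The following added example (not part of the original page or of the Volatility project) parses constructed output in the tab-separated table shape Volatility 3 prints for windows.pslist.PsList and windows.psscan.PsScan, and classifies the differences; the process names, PIDs and offsets are made up for the demonstration.

```python
"""Cross-view detection over Volatility 3 pslist and psscan output.
Added example; the two tables below are constructed, not from a real dump."""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional

# Constructed pslist output: the kernel's linked list of active processes.
PSLIST_OUTPUT = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xfa8000c8b040\t80\t-\tN/A\tFalse\t2024-01-10 08:00:01.000000\tN/A\tDisabled
356\t4\tsmss.exe\t0xfa8001a5f040\t2\t-\tN/A\tFalse\t2024-01-10 08:00:05.000000\tN/A\tDisabled
560\t468\tservices.exe\t0xfa8001c31b30\t9\t-\t0\tFalse\t2024-01-10 08:00:09.000000\tN/A\tDisabled
700\t560\tsvchost.exe\t0xfa8001d0a060\t12\t-\t0\tFalse\t2024-01-10 08:00:12.000000\tN/A\tDisabled
1320\t1296\texplorer.exe\t0xfa8002144060\t30\t-\t1\tFalse\t2024-01-10 08:01:40.000000\tN/A\tDisabled
"""

# Constructed psscan output: the same processes plus two that pslist misses.
PSSCAN_OUTPUT = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xfa8000c8b040\t80\t-\tN/A\tFalse\t2024-01-10 08:00:01.000000\tN/A\tDisabled
356\t4\tsmss.exe\t0xfa8001a5f040\t2\t-\tN/A\tFalse\t2024-01-10 08:00:05.000000\tN/A\tDisabled
560\t468\tservices.exe\t0xfa8001c31b30\t9\t-\t0\tFalse\t2024-01-10 08:00:09.000000\tN/A\tDisabled
700\t560\tsvchost.exe\t0xfa8001d0a060\t12\t-\t0\tFalse\t2024-01-10 08:00:12.000000\tN/A\tDisabled
1320\t1296\texplorer.exe\t0xfa8002144060\t30\t-\t1\tFalse\t2024-01-10 08:01:40.000000\tN/A\tDisabled
1888\t1320\tnotepad.exe\t0xfa80023a1b30\t0\t-\t1\tFalse\t2024-01-10 08:10:02.000000\t2024-01-10 08:12:30.000000\tDisabled
2212\t560\tsvch0st.exe\t0xfa80025f7060\t4\t-\t0\tFalse\t2024-01-10 08:15:11.000000\tN/A\tDisabled
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    offset: int                 # kernel address of the process object
    exit_time: Optional[str]    # None while the process is still running


def parse_vol3_table(text: str) -> List[Proc]:
    """Parse the tab-separated table Volatility 3's text renderer prints.
    The first non-empty line is the header; columns are looked up by name so
    extra or reordered columns do not break the parser."""
    header: Optional[List[str]] = None
    procs: List[Proc] = []
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if not any(cell.strip() for cell in row):
            continue
        if header is None:
            header = [h.strip() for h in row]
            continue
        rec = dict(zip(header, (c.strip() for c in row)))
        exit_time = rec.get("ExitTime", "N/A")
        procs.append(Proc(
            pid=int(rec["PID"]),
            ppid=int(rec["PPID"]),
            name=rec["ImageFileName"],
            offset=int(rec["Offset(V)"], 16),
            exit_time=None if exit_time in ("", "N/A") else exit_time,
        ))
    return procs


def cross_view(pslist: List[Proc], psscan: List[Proc]) -> Dict[str, List[Proc]]:
    """Classify processes psscan carved but pslist did not list.
    Keyed by object offset, not PID, because Windows reuses PIDs.
      terminated: has an ExitTime, so it was unlinked by normal exit
      hidden:     still running yet unlinked, the DKOM signature; investigate"""
    listed = {p.offset for p in pslist}
    result: Dict[str, List[Proc]] = {"hidden": [], "terminated": []}
    for p in psscan:
        if p.offset in listed:
            continue
        result["terminated" if p.exit_time else "hidden"].append(p)
    return result


def orphans(procs: List[Proc]) -> List[Proc]:
    """Processes whose parent is not present at all (PPID 0 is the idle
    process and is expected for System)."""
    known = {p.pid for p in procs}
    return [p for p in procs if p.ppid != 0 and p.ppid not in known]


if __name__ == "__main__":
    findings = cross_view(parse_vol3_table(PSLIST_OUTPUT), parse_vol3_table(PSSCAN_OUTPUT))
    for kind, items in findings.items():
        for p in items:
            print(f"{kind:10} pid={p.pid} ppid={p.ppid} {p.name} @ {p.offset:#x}")
```

In the constructed data the unlinked but still-running svch0st.exe is the finding; the exited notepad.exe is noise that psscan routinely recovers. Both results still need confirmation (cmdline, dlllist, malfind on the suspect PID) before they are reported.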
Reverse Engineering & Debugging
Ghidra: A comprehensive, open-source reverse engineering framework developed by the NSA.
x64dbg: An open-source Windows user-mode debugger shipped as x64dbg and x32dbg for 64-bit and 32-bit binaries respectively, with a plugin ecosystem and scripting.
OllyDbg: A classic 32-bit Windows user-mode debugger for stepping through and disassembling code at the assembly level; it is no longer maintained and handles only 32-bit targets.
Radare2: A powerful open-source reverse engineering suite.
Binary Ninja: A reverse engineering tool that disassembles and decompiles binaries into a human-readable form.
PEiD: A signature-based tool that detects packers, cryptors, and compilers in executable files; it is no longer maintained, so its signature set is dated and it is commonly replaced by Detect It Easy.
Disassemblers & Decompilers
CFF Explorer: A PE editor for analyzing and editing Portable Executable (PE) files.
Hopper Disassembler: A commercial disassembler and decompiler for macOS and Linux that also includes a debugger on macOS.
RetDec: An open-source retargetable decompiler (Avast) that lifts machine code to LLVM IR and emits C-like output, so it handles several architectures and file formats.
Static & Dynamic Analysis
Static Analysis: Examines the file without executing it (strings, imports, headers, disassembly, signatures) to identify suspicious patterns and capabilities; safe to run anywhere, but defeated by packing and obfuscation.
Dynamic Analysis: Runs the file or process in an isolated environment and observes its behaviour (file, registry, network, process activity) to understand how it interacts with the system; sees through packing, but only along the code paths that actually execute.
Process Hacker: Process viewer and memory editor (now continued as System Informer).
PEview: PE file viewer for inspecting headers, sections, and import/export tables.
Dependency Walker: Displays the DLL dependencies of a module.
DIE (Detect It Easy): Packer, compiler, and cryptor detection tool.
Forensics & Incident Response
Volatility: A framework for analyzing RAM dumps in memory forensics (see the plugin list above).
Rekall: A memory forensics framework originally forked from Volatility and designed for incident response; the project is no longer actively maintained, so new OS versions may not be supported.
FTK Imager: A free forensic tool for creating disk and memory images, verifying them with hashes, and previewing evidence without altering it.
Network Analysis
Wireshark: A network protocol analyzer that records and inspects network traffic.
Nmap: A network scanner for host discovery, port scanning, and service/version detection; its NSE scripts extend it to vulnerability checks. In a forensic context it is used to map what the compromised host could reach, not to run against the evidence itself.
Netcat: A utility to read and write data across network connections.
File Analysis Tools
FileInsight: A tool for inspecting and editing binary files.
Hex Fiend: A fast, lightweight hex editor for macOS that handles very large files.
HxD: A Windows hex editor for viewing and editing binary files that can also open raw disks and process memory.