CSY204 Week 01 Intermediate

Forensics and IR lean on core foundations:

Security Operations

Opening Framing: The Investigator's Mindset

Digital forensics is detective work for the information age. When a breach occurs, when data is stolen, when systems are compromised—forensic investigators reconstruct what happened. They find evidence that others miss, preserve it properly, and present findings that can stand up in court.

Unlike penetration testing, which asks "how can I break in?", forensics asks "what happened here?" The mindset shifts from attack to investigation, from exploitation to evidence. Every file, every timestamp, every log entry tells part of the story.

This week establishes the foundation: forensic methodology, legal considerations, chain of custody, and the principles that make evidence admissible and conclusions defensible.

Key insight: Forensic work that can't survive legal scrutiny is forensic work that doesn't matter.

1) Digital Forensics Defined

Understanding the discipline:

Digital Forensics Definition:

The application of scientific methods to identify,
collect, preserve, examine, analyze, and present
digital evidence in a manner that is legally acceptable.

Key Characteristics:
- Scientific: Repeatable, verifiable methods
- Legal: Admissible in court proceedings
- Objective: Findings follow evidence, not assumptions
- Documented: Every action recorded

Forensic Disciplines:

Computer Forensics:
- Hard drives, SSDs
- File systems, deleted files
- Operating system artifacts
- Application data

Memory Forensics:
- RAM analysis
- Running processes
- Network connections
- Encryption keys in memory

Network Forensics:
- Packet captures
- Traffic analysis
- Log correlation
- Intrusion reconstruction

Mobile Forensics:
- Smartphones, tablets
- App data, messages
- Location history
- Cloud synchronization

Cloud Forensics:
- Virtual machines
- Container artifacts
- Cloud service logs
- Distributed evidence

Malware Forensics:
- Malware identification
- Behavior analysis
- Infection vectors
- Impact assessment

When Forensics Is Needed:

Security Incidents:
- Data breaches
- Ransomware attacks
- Unauthorized access
- Insider threats
- APT investigations

Legal Matters:
- Criminal investigations
- Civil litigation
- Employment disputes
- Intellectual property theft
- Fraud investigations

Compliance:
- Regulatory investigations
- Audit support
- Policy violation inquiries
- Due diligence

Key insight: Forensics serves multiple masters—security teams want answers quickly, legal teams need admissible evidence. Good forensics satisfies both.

2) Forensic Methodology

The systematic approach to investigations:

Forensic Process (NIST SP 800-86):

┌─────────────────┐
│  1. Collection  │  Identify and acquire evidence
└────────┬────────┘
         ↓
┌─────────────────┐
│ 2. Examination  │  Process and extract data
└────────┬────────┘
         ↓
┌─────────────────┐
│  3. Analysis    │  Interpret and correlate findings
└────────┬────────┘
         ↓
┌─────────────────┐
│  4. Reporting   │  Document and present results
└─────────────────┘

Phase 1: Collection

Collection Objectives:
- Identify all potential evidence sources
- Preserve evidence integrity
- Document the scene
- Maintain chain of custody

Evidence Sources:
- Hard drives and SSDs
- RAM (volatile - collect first!)
- Network devices (routers, firewalls)
- Logs (local and remote)
- Cloud services
- Mobile devices
- External media (USB, etc.)

Order of Volatility:
1. CPU registers, cache
2. Memory (RAM)
3. Network state
4. Running processes
5. Disk storage
6. Backups, archives
7. Physical evidence

Collect the most volatile sources FIRST!

Phase 2: Examination

Examination Activities:
- Create forensic images
- Verify integrity (hashing)
- Extract file systems
- Recover deleted data
- Parse structured data
- Identify relevant files

Key Principles:
- Work on copies, NEVER originals
- Document every action
- Use write-blocking
- Verify with hash values
- Preserve timestamps

Phase 3: Analysis

Analysis Techniques:
- Timeline reconstruction
- Artifact correlation
- Keyword searching
- Pattern identification
- Attribution analysis

Questions to Answer:
- What happened?
- When did it happen?
- How did it happen?
- Who was involved?
- What was the impact?
- What evidence supports conclusions?
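
Timeline reconstruction in practice means normalising timestamps from many artifacts into one ordered view. As an added example (not code from the course page), the Python below implements the core of what Sleuth Kit's mactime does: it reads body-file rows, expands each into per-timestamp events, merges events that share a timestamp into one row carrying M/A/C/B flags, and sorts them; the three sample rows, their paths, inodes and epoch times are constructed for illustration.

```python
"""Mactime-style timeline from a Sleuth Kit body file (added example).
Body format (TSK 3.x): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows: the paths, inodes and epoch times are invented.
SAMPLE_BODY = """\
0|/Users/alice/Downloads/invoice.pdf.exe|4871|r/rrwxrwxrwx|0|0|204800|1705312200|1705312200|1705312200|1705312200
0|/Windows/Prefetch/INVOICE.PDF.EXE-1A2B3C4D.pf|9120|r/rrwxrwxrwx|0|0|1568|1705312260|1705312260|1705312260|1705312260
0|/Users/alice/Documents/payroll.xlsx|3310|r/rrwxrwxrwx|0|0|48120|1705312320|1705049600|1705312320|1704990000
"""
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]
# Timestamp column -> flag letter, in the order mactime prints them (MACB).
FLAG_ORDER = [("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B")]


def parse_body(text):
    """Parse body-file lines into dicts, skipping blank and comment lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed body line: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def build_timeline(rows):
    """Return (epoch, flags, size, inode, name) tuples sorted by time.
    Equal m/a/c/b times collapse into one 'MACB' row; differing times give
    separate rows with '.' in place of the flags that do not apply."""
    events = defaultdict(set)  # (epoch, inode, name, size) -> flag letters
    for row in rows:
        for col, flag in FLAG_ORDER:
            epoch = int(row[col])
            if epoch:  # TSK writes 0 when a timestamp is not present
                events[(epoch, row["inode"], row["name"], row["size"])].add(flag)
    timeline = []
    for (epoch, inode, name, size), flags in events.items():
        macb = "".join(f if f in flags else "." for _, f in FLAG_ORDER)
        timeline.append((epoch, macb, int(size), inode, name))
    return sorted(timeline)


def format_timeline(timeline):
    """Render rows like mactime: UTC time, MACB flags, size, inode, name."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [f"{datetime.fromtimestamp(e, tz=timezone.utc).strftime(fmt)} "
            f"{macb} {size:>8} {inode:>6} {name}"
            for e, macb, size, inode, name in timeline]
```

Note how payroll.xlsx splits into three rows (created, later modified, then accessed and changed during the incident window) while the dropped executable and its Prefetch entry each collapse into a single MACB row; that spread of flags is what lets an examiner correlate artifacts in time.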

Phase 4: Reporting

Report Requirements:
- Executive summary
- Methodology description
- Detailed findings
- Supporting evidence
- Conclusions
- Recommendations

Audience Considerations:
- Technical team: Full details
- Management: Impact and risk
- Legal: Admissibility focus
- Court: Clear, defensible

Key insight: Methodology provides structure. Without it, investigations become chaotic and findings become questionable.

3) Chain of Custody

Documenting evidence handling from seizure to court:

Chain of Custody Definition:

A documented record of:
- Who collected the evidence
- When it was collected
- How it was collected
- Who handled it
- Where it was stored
- What was done to it

Purpose: Prove evidence hasn't been tampered with

Chain of Custody Documentation:

CHAIN OF CUSTODY FORM
=====================

Case Number: _____________
Evidence Item #: _____________

ITEM DESCRIPTION:
Type: Hard Drive
Make/Model: Seagate ST1000DM003
Serial Number: Z1D5XXXX
Capacity: 1TB

ACQUISITION:
Collected By: John Smith (ID: 1234)
Date/Time: 2024-01-15 09:30:00 UTC
Location: Server Room, Rack 3, Slot 2
Method: Forensic imaging with FTK Imager
Hash (MD5): a1b2c3d4e5f6...
Hash (SHA256): 9f86d081884c...

TRANSFER LOG:
┌──────────┬──────────┬──────────┬──────────┐
│ Date     │ From     │ To       │ Purpose  │
├──────────┼──────────┼──────────┼──────────┤
│ 01/15/24 │ J.Smith  │ Evidence │ Storage  │
│          │          │ Locker   │          │
├──────────┼──────────┼──────────┼──────────┤
│ 01/16/24 │ Evidence │ M.Jones  │ Analysis │
│          │ Locker   │          │          │
├──────────┼──────────┼──────────┼──────────┤
│ 01/20/24 │ M.Jones  │ Evidence │ Return   │
│          │          │ Locker   │          │
└──────────┴──────────┴──────────┴──────────┘

Maintaining Chain of Custody:

Best Practices:

Physical Evidence:
- Use evidence bags/containers
- Seal with tamper-evident tape
- Sign across seal
- Store in locked, access-controlled location
- Log all access

Digital Evidence:
- Hash before and after any action
- Use write blockers
- Work only on forensic copies
- Document all tools and versions
- Photograph physical evidence

Documentation:
- Record who, what, when, where, why
- Include photographs
- Note environmental conditions
- Document any anomalies
- Keep detailed notes

Breaking Chain of Custody:
- Evidence becomes questionable
- May be inadmissible in court
- Investigation credibility damaged
- Conclusions become challengeable

Key insight: A broken chain of custody can invalidate an entire investigation. Meticulous documentation is non-negotiable.
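
The "hash before and after any action" rule and the transfer log above can be enforced in software. As an added example (not code from the course page), the Python below keeps a chain-of-custody log in which every entry re-hashes the evidence file and is itself hash-chained to the previous entry, so a modified evidence file, an edited entry or a deleted entry all show up in verify(); case numbers, examiner names and the evidence path used with it are constructed.

```python
"""Chain-of-custody log with integrity checks (added example, not course code).
Entries hold who/what/when plus the evidence hash and are hash-chained together.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash used by the first entry


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()


def _entry_digest(entry):
    """Canonical hash of an entry, excluding its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, case_number, item_number):
        self.header = {"case": case_number, "item": item_number}
        self.entries = []

    def record(self, action, by, evidence_path, note=""):
        """Append an entry: re-hash the evidence and chain to the previous entry."""
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "by": by, "note": note,
            "evidence_sha256": sha256_file(evidence_path),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, problems): check every chain link and evidence-hash drift."""
        problems, prev = [], GENESIS
        for e in self.entries:
            if e["entry_hash"] != _entry_digest(e):
                problems.append(f"entry {e['seq']} was altered after being written")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {e['seq']} does not chain to its predecessor")
            prev = e["entry_hash"]
        if len({e["evidence_sha256"] for e in self.entries}) > 1:
            problems.append("evidence hash changed between entries: possible tampering")
        return not problems, problems
```

Serialise log.entries to the case's reports directory alongside the signed paper form; the chain lets a reviewer confirm the electronic record was not quietly rewritten.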

4) Legal Considerations

Understanding the legal framework:

Types of Investigations:

Criminal:
- Law enforcement led
- "Beyond reasonable doubt" standard
- Fourth Amendment considerations
- Strict rules of evidence

Civil:
- Private party disputes
- "Preponderance of evidence" standard
- Discovery process
- More flexibility in collection

Internal/Corporate:
- Policy enforcement
- No criminal penalties
- Employment law considerations
- May become criminal/civil later

Authorization:

Before ANY forensic activity:

1. Verify Authority
   - Who authorized the investigation?
   - What is the scope?
   - Are there limitations?

2. Document Authorization
   - Written approval
   - Scope definition
   - Legal review if needed

Criminal Investigations:
- Search warrant (usually required)
- Consent
- Exigent circumstances
- Plain view doctrine

Corporate Investigations:
- Acceptable use policies
- Employment agreements
- Company-owned equipment
- Privacy considerations

NEVER exceed authorized scope!

Privacy and Legal Issues:

Key Regulations:

ECPA (Electronic Communications Privacy Act):
- Governs interception of communications
- Stored communications protection

CFAA (Computer Fraud and Abuse Act):
- Unauthorized access prohibitions
- Exceeding authorized access

GDPR (General Data Protection Regulation):
- EU data privacy
- Right to erasure complications
- Cross-border considerations

HIPAA:
- Healthcare data protection
- Special handling requirements

PCI-DSS:
- Payment card data
- PCI Forensic Investigator (PFI) program requirements

State Laws:
- Vary significantly
- Some require notification
- Privacy expectations differ

Expert Witness Considerations:

Forensic examiners may be required to:

- Testify about findings
- Explain methodology
- Defend conclusions
- Withstand cross-examination

Daubert Standard (Federal):
- Is the theory testable?
- Has it been peer reviewed?
- What is the error rate?
- Is it generally accepted?

Preparation:
- Document everything thoroughly
- Use accepted methodologies
- Maintain objectivity
- Be prepared to explain simply

Key insight: Understanding legal requirements keeps evidence from being excluded and protects investigators from liability.

5) Setting Up Your Forensic Lab

Preparing your investigation environment:

Forensic Workstation Requirements:

Hardware:
- Powerful CPU (multi-core)
- 32GB+ RAM (memory forensics)
- Large storage (evidence files are big)
- Write blockers (hardware preferred)
- Multiple drive interfaces
- Dedicated forensic network

Software:
- Forensic operating system
- Imaging tools
- Analysis platforms
- Timeline tools
- Specialized utilities

SIFT Workstation:

# SANS Investigative Forensic Toolkit

Download:
https://www.sans.org/tools/sift-workstation/

Included Tools:
- Autopsy
- Volatility
- Plaso/log2timeline
- Sleuth Kit
- Bulk Extractor
- RegRipper
- And 200+ more

Installation:
# Download OVA and import to VMware/VirtualBox
# Or install on Ubuntu

# Update after installation
sudo sift update

Essential Forensic Tools:

Imaging Tools:
- FTK Imager (Windows, free)
- dc3dd (Linux)
- Guymager (Linux GUI)
- ewfacquire (EnCase format)

Analysis Platforms:
- Autopsy (free, cross-platform)
- FTK (commercial)
- EnCase (commercial)
- X-Ways (commercial)

Memory Forensics:
- Volatility 3 (free)
- Rekall (free)
- Magnet RAM Capture

Network Forensics:
- Wireshark
- NetworkMiner
- Zeek (formerly Bro)

Timeline Tools:
- Plaso/log2timeline
- Timesketch
- mactime (Sleuth Kit)

Artifact Parsing:
- RegRipper (Registry)
- KAPE (artifact collection)
- Eric Zimmerman's tools

Lab Setup Exercise:

# Setting up your forensic environment

1. Download and install SIFT Workstation
   # Or use REMnux for malware focus

2. Verify key tools:
   autopsy --version
   vol.py --help
   log2timeline.py --version
   
3. Download sample evidence:
   # Digital Corpora
   https://digitalcorpora.org/
   
   # CFReDS (NIST)
   https://cfreds.nist.gov/
   
   # Ali Hadi's cases
   https://www.ashemery.com/dfir.html

4. Create case directory structure:
   mkdir -p ~/cases/test_case/{evidence,exports,reports}

5. Test imaging tools:
   # Create test image
   dd if=/dev/zero of=test.raw bs=1M count=100
   md5sum test.raw

Key insight: A properly configured forensic workstation saves hours during investigations. Set it up right before you need it.

Real-World Context: Forensics in Practice

How forensics works in real investigations:

Incident Response Integration: Forensics is a critical component of incident response. While IR focuses on containment and recovery, forensics determines root cause, scope of compromise, and attribution. The two disciplines work together but have different objectives.

Time Pressure: Real investigations face competing pressures—legal teams want evidence preserved perfectly, operations teams want systems back online, executives want answers immediately. Forensic examiners balance these demands while maintaining integrity.

Career Paths: Digital forensics leads to roles in law enforcement, consulting firms, corporate security teams, and government agencies. Certifications like GCFE, EnCE, and CCE validate expertise.

MITRE ATT&CK Relevance:

  • Forensic Focus: Detecting techniques after the fact
  • Evidence Sources: Map artifacts to ATT&CK techniques
  • Timeline Correlation: Reconstruct attack sequences

Key insight: Forensics turns chaos into clarity. When everyone else is panicking, forensic examiners methodically find truth.

Guided Lab: Forensic Environment Setup

Set up your forensic workstation and practice basic procedures.

Step 1: Install SIFT Workstation

# Download SIFT OVA from SANS website
# Import into VirtualBox or VMware

# Or install on Ubuntu 20.04:
wget https://raw.githubusercontent.com/teamdfir/sift-cli/master/sift-cli-linux
# Check the download against the checksum/signature the project publishes before running it
chmod +x sift-cli-linux
sudo mv sift-cli-linux /usr/local/bin/sift   # install it as "sift" so the commands below resolve
sudo sift install

# Verify installation
sift version

Step 2: Verify Key Tools

# Check imaging tools
dcfldd --version
ewfacquire -V

# Check analysis tools
autopsy &  # Starts browser interface
vol.py --info

# Check timeline tools
log2timeline.py --version

Step 3: Create Case Structure

# Create standard directory structure
mkdir -p ~/cases/lab01/{evidence,working,exports,reports}

# Document case creation
echo "Case: Lab01 - Forensic Setup" > ~/cases/lab01/case_notes.txt
echo "Created: $(date)" >> ~/cases/lab01/case_notes.txt
echo "Examiner: Your Name" >> ~/cases/lab01/case_notes.txt

Step 4: Practice Hashing

# Create test file
echo "This is test evidence" > ~/cases/lab01/evidence/test.txt

# Generate hashes
md5sum ~/cases/lab01/evidence/test.txt > ~/cases/lab01/evidence/test.txt.md5
sha256sum ~/cases/lab01/evidence/test.txt > ~/cases/lab01/evidence/test.txt.sha256

# Verify hashes
md5sum -c ~/cases/lab01/evidence/test.txt.md5

Step 5: Download Sample Evidence

# Download a sample disk image
# Digital Corpora - nps-2009-casper-rw
wget https://digitalcorpora.org/corpora/disk-images/...

# Or use NIST CFReDS
# Hacking Case scenario

Reflection (mandatory)

  1. Why is working on forensic copies essential?
  2. What would happen if the chain of custody were broken?
  3. How does the forensic mindset differ from the penetration testing mindset?
  4. What tools seem most important for your interests?

Week 01 Quiz

Test your understanding of Forensic Fundamentals, Methodology, and Legal Considerations.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Week 1 Outcome Check

By the end of this week, you should be able to:

Next week: Evidence Acquisition—creating forensically sound copies of digital evidence.

🎯 Hands-On Labs (Free & Essential)

Build core forensic habits before moving to reading resources.

🎮 TryHackMe: Intro to Forensics

What you'll do: Learn forensic fundamentals and evidence handling basics.
Why it matters: Sets the legal and technical foundation for all analysis.
Time estimate: 1.5-2 hours

Start TryHackMe Intro to Forensics →

🎮 TryHackMe: Forensics

What you'll do: Work through beginner artifact analysis and reporting.
Why it matters: Reinforces the investigation workflow from intake to findings.
Time estimate: 1-2 hours

Start TryHackMe Forensics →

🏁 PicoCTF Practice: Forensics (Foundations)

What you'll do: Solve beginner forensics challenges to build evidence intuition.
Why it matters: Hands-on challenges sharpen your investigative mindset.
Time estimate: 1-2 hours

Start PicoCTF Forensics →

💡 Lab Tip: Document every action and timestamp from the start to preserve admissibility.

🛡️ SOC Context for Forensics

Forensics rarely happens in isolation. It is triggered by SOC triage and guided by response priorities.

SOC fundamentals:
- Tier 1/2/3 roles and handoff
- Alert triage methodology (PICERL, F3EAD)
- False positive management
- Metrics: MTTD, MTTR, alert volume

📚 Building on CSY201: SOC workflows and incident handling fundamentals.

Resources

Complete the required resources to build your foundation.

Lab: Forensic Foundations

Goal: Set up forensic environment and practice fundamental documentation procedures.

Part 1: Environment Setup

  1. Install SIFT Workstation or configure Ubuntu with forensic tools
  2. Verify all major tool categories are working
  3. Create standardized case directory structure
  4. Document your setup with screenshots

Part 2: Chain of Custody Practice

  1. Create a chain of custody form template
  2. Practice documenting a simulated evidence collection
  3. Include all required fields
  4. Simulate a custody transfer

Part 3: Hashing Exercise

  1. Create multiple test files
  2. Generate MD5 and SHA256 hashes
  3. Modify one file slightly
  4. Demonstrate how hash changes
  5. Document verification process

Part 4: Legal Scenario

  1. Given a scenario (employee suspected of data theft)
  2. What authorization would you need?
  3. What evidence sources exist?
  4. What legal considerations apply?
  5. Write a brief investigation plan

Deliverable (submit):

Checkpoint Questions

  1. What are the four phases of the forensic process?
  2. Why is order of volatility important during evidence collection?
  3. What is chain of custody and why does it matter?
  4. What is the difference between criminal and civil investigations?
  5. Why should forensic analysis be performed on copies, not originals?
  6. What is the Daubert standard?

Weekly Reflection

Reflection Prompt (200-300 words):

This week introduced digital forensics fundamentals—the methodology, legal framework, and tools that enable professional investigations.

Reflect on these questions:

A strong reflection will connect forensic methodology to practical investigation challenges.

Verified Resources & Videos

Digital forensics transforms incident chaos into documented truth. The methodology, chain of custody, and legal awareness you've learned this week form the foundation for everything that follows. Without proper foundations, even brilliant technical analysis becomes worthless. Next week: evidence acquisition—creating forensically sound images.