Practical Demo: Creating a Forensic Image with FTK Imager

What is FTK Imager? FTK Imager is a free forensic tool used to create a bit-by-bit copy, or “image,” of a storage device to preserve it as evidence without altering the original data. It is used by digital investigators to collect and analyze electronic evidence from various sources like hard drives, mobile devices, and removable media. A key feature is its ability to perform integrity checks using hashing algorithms to ensure the forensic image is an accurate and authentic copy, which is crucial for legal admissibility. ...

November 2, 2025 · 5 min · 895 words · Me

Practical Demo: Linux Forensics

Volatile:
  Collecting hostname, date and time:
    hostname
    hostnamectl
    date
    cat /etc/timezone
    timedatectl
  Epoch time:
    date +%s
  System uptime:
    uptime
  Network information:
    ip a        # short form of ip addr show
    ifconfig
  Promiscuous mode detection:
    ifconfig eth0
    ip link show eth0
  Other network info commands:
    netstat -i
    netstat -rn     # routing tables
    ip r            # routing tables
  Open port info:
    nmap -sT localhost
    nmap -sU localhost      # UDP ports
    sudo lsof -i tcp        # checking TCP listening connections of localhost
    sudo lsof -n -P | grep LISTEN
    netstat -tulpn
  Listing the current user's open processes:
    sudo lsof -u user_name
  Mounted file system info:
    mount       # info about file systems
    df -h       # file system info in human-readable format
  Kernel module info, sound driver info:
    modinfo ufs     # kernel module
    modinfo snd     # sound module info
  User event collection:
    id
  Reading an ELF file:
    readelf -h file_name    # file header reading
  Running processes:
    ps aux -ww
  Swap area and disk partition info:
    cat /proc/partitions    # disk partitions
    cat /proc/swaps         # swap info
  Kernel messages (kernel ring buffer):
    dmesg

Non-volatile:
  Collecting system info:
    cat /proc/cpuinfo
    cat /proc/self/mounts
  Kernel info:
    uname -r
    cat /proc/version
    hostnamectl | grep Kernel
  Local user account information:
    cat /etc/passwd
    cat /etc/passwd | cut -d: -f1   # separating user names from the output
  Logged on user information:
    w
    last    # login history information
  Collecting system logs:
    cat /var/log/syslog
    cat /var/log/kern.log   # Linux kernel logs
    cat /var/log/fail.log
    cat /var/log/mail.*
    cat /var/log/mysql.*
    cat /var/log/daemon.log
    cat /var/log/debug
    journalctl
  History and hidden file information:
    history
    ls -al    # hidden files
  Suspicious info:
    sudo rkhunter --check --rwo
    sudo chkrootkit     # rootkit checker
  File signature analysis:
    xxd file_name | head -n 10
  Basic file information:
    file file_name
    strings -t -d file_name
  Finding writable files inside the /var/log directory:
    find / -writeable -type f 2> /dev/null | grep "/var/log"
  Directory permission checking:
    ls -ld Desktop

File system analysis using The Sleuth Kit: creating a file system image using dd. Important: before that, add a virtual hard disk of 1 GB for testing purposes to your VM through VMware -> VM Settings -> Add -> Hard Disk -> SCSI -> Create new virtual disk -> 1 GB -> Done. ...

November 6, 2025 · 3 min · 435 words · Me

Practical Demo: Windows Forensics

Volatile data collection:
  System uptime and current time:
    In command prompt:
      (date /t) & (time /t)
      systeminfo | find "Boot Time"
    In PowerShell:
      (Get-Date) - (gcim Win32_OperatingSystem).LastBootUpTime
  Network parameters (NetBIOS name cache, active connections, routing table etc.):
    nbtstat -c
    netstat -ano
    netstat -rn
    ipconfig /all
  Promiscuous mode detection on NICs through PowerShell:
    Get-NetAdapter | Format-List -Property ifAlias, PromiscuousMode
  Sysinternals tools, logged on users info:
    PsLoggedon.exe -x
    logonsessions.exe -p
    net sessions
    net user user_name
  Hash analysis using PowerShell:
    Get-FileHash .\FTK_sample_00.E01 -Algorithm MD5
    Get-FileHash .\FTK_sample_00.E01 -Algorithm SHA1    # SHA1, not "SHA128": Get-FileHash accepts MD5, SHA1, SHA256, SHA384, SHA512
  Open file information:
    net file
  List of running processes and services:
    tasklist /svc
  Scheduled tasks info:
    schtasks /query
  History checking:
    doskey /history
    In PowerShell: ...

November 8, 2025 · 2 min · 255 words · Me