performing-disk-forensics-investigation

# Performing Disk Forensics Investigation ## When to Use - A security incident requires forensic analysis of a system's persistent storage - Evidence preservation is needed for potential legal proceedings or HR investigations - Deleted files, browser history, or application artifacts must be recovered - A timeline of user or adversary activity must be reconstructed from file system metadata - Malware persistence mechanisms stored on disk need identification and documentation **Do not use** for volatile evidence (running processes, network connections); use memory forensics with Volatility instead. ## Prerequisites - Forensic workstation with write-blocking hardware or software (Tableau T35u, Arsenal Image Mounter) - Forensic imaging software: FTK Imager, Guymager, or dd with dcfldd - Analysis platform: Autopsy, FTK (Forensic Toolkit), or X-Ways Forensics - Sufficient storage (2-3x the target drive size for image plus working copies) - Chain of custody forms and evidence bags for physical media - Hash verification tools for evidence integrity (SHA-256) ## Workflow ### Step 1: Secure and Document the Evidence Before touching any storage media, establish chain of custody: - Photograph the system, noting serial numbers, labels, and cable connections - Document the evidence source: device type, make, model, serial number, capacity - Complete chain of custody form with date, time, handler name, and reason for acquisition - Use a hardware write blocker when connecting the e...