Digital Forensics & Incident Response Lab
Overview
In this hands-on lab, you will learn how to analyze digital evidence, extract forensic artifacts, and reconstruct cyber incidents. You will work with disk and memory forensics, system logs, and forensic timelines to investigate potential security breaches.
Lab Instructions
1. Setting Up Your Environment
You will need:
- A Debian-based forensic workstation (Kali Linux, SIFT Workstation, or REMnux)
- Tools: Autopsy, Sleuth Kit, Volatility, Plaso, log2timeline
Install Required Tools
sudo apt update && sudo apt install autopsy sleuthkit volatility plaso
2. Disk Forensics with Autopsy & Sleuth Kit
Step 1: Acquire an Image
Download a sample forensic image (e.g., evidence.dd):
wget https://example.com/sample-disk-image.dd -O evidence.dd
Step 2: Load the Image into Autopsy
- Open Autopsy:
autopsy &
- Create a new case and add evidence.dd as a disk image.
- Navigate through file system artifacts to locate deleted or suspicious files.
Proof of Completion: Take a screenshot of your findings in Autopsy.
3. Memory Forensics with Volatility
Step 1: Identify Memory Image Profile
volatility -f memory.img imageinfo
Step 2: Extract Running Processes (replace <PROFILE> with the profile suggested by imageinfo)
volatility -f memory.img --profile=<PROFILE> pslist
Step 3: Detect Malicious Network Connections
volatility -f memory.img --profile=<PROFILE> netscan
Proof of Completion: Document and analyze any suspicious processes or network connections.
4. Timeline Analysis with Plaso & log2timeline
Step 1: Generate a Timeline from Logs
log2timeline.py plaso.dump /var/log/syslog
Step 2: Analyze the Timeline
psort.py -o l2tcsv plaso.dump "date > '2025-03-07'"
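The l2tcsv file that psort.py writes can be post-processed to pull out the events worth putting in the incident report. The script below is an added example, not part of the lab or of Plaso: it parses a constructed l2tcsv sample (the column layout is Plaso's standard l2tcsv header), keeps only events on or after a start date, and tags each matching event with a category based on substrings in the description field. The indicator strings and the sample log content are assumptions chosen for illustration.

```python
"""Flag suspicious events in psort.py l2tcsv output (added example, not Plaso code)."""
import csv
import io
from datetime import datetime

# Constructed sample of `psort.py -o l2tcsv` output; not real case data.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/06/2025,23:58:10,UTC,M...,LOG,Syslog,Content Modification Time,-,ws01,cron,CRON[812]: pam_unix(cron:session): session opened for user root,2,/var/log/syslog,-,-,syslog,-
03/07/2025,02:14:33,UTC,M...,LOG,Syslog,Content Modification Time,-,ws01,ssh,sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2,2,/var/log/syslog,-,-,syslog,-
03/07/2025,02:14:35,UTC,M...,LOG,Syslog,Content Modification Time,-,ws01,ssh,sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2,2,/var/log/syslog,-,-,syslog,-
03/07/2025,02:16:02,UTC,M...,LOG,Syslog,Content Modification Time,-,ws01,ssh,sshd[2240]: Accepted password for backup from 203.0.113.45 port 51302 ssh2,2,/var/log/syslog,-,-,syslog,-
03/07/2025,02:17:40,UTC,M...,LOG,Syslog,Content Modification Time,-,ws01,useradd,"useradd[2301]: new user: name=svc_upd, UID=1002, GID=1002, home=/home/svc_upd, shell=/bin/bash",2,/var/log/syslog,-,-,syslog,-
03/07/2025,02:18:05,UTC,M...,LOG,Syslog,Content Modification Time,-,ws01,sudo,sudo: backup : TTY=pts/0 ; PWD=/home/backup ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_upd,2,/var/log/syslog,-,-,syslog,-
"""

# Assumed indicator substrings -> report category (first match wins).
INDICATORS = {
    "auth_failure": "Failed password",
    "auth_success": "Accepted password",
    "account_created": "new user:",
    "privilege_change": "COMMAND=",
}


def flag_events(l2tcsv_text, start_date, indicators=INDICATORS):
    """Return (timestamp, category, host, desc) for events on/after start_date (ISO date)."""
    start = datetime.fromisoformat(start_date)
    flagged = []
    for row in csv.DictReader(io.StringIO(l2tcsv_text)):
        # l2tcsv stores the date as MM/DD/YYYY and the time as HH:MM:SS.
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        if ts < start:
            continue
        for category, needle in indicators.items():
            if needle in row["desc"]:
                flagged.append((ts, category, row["host"], row["desc"]))
                break
    flagged.sort()  # chronological order for the timeline report
    return flagged


def summarize(flagged):
    """Count flagged events per category for the summary section of the report."""
    counts = {}
    for _, category, _, _ in flagged:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, category, host, desc in flag_events(SAMPLE_L2TCSV, "2025-03-07"):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {host} [{category}] {desc}")
```

Run it against your own output by replacing SAMPLE_L2TCSV with the contents of the CSV psort.py wrote; the sequence of failed logins, an accepted login, a new account and a sudo group change is the kind of chain the incident timeline report should reconstruct.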
Proof of Completion: Generate a report summarizing suspicious activity based on forensic timelines.
Final Submission
- Submit a Google Doc with:
- Screenshots of forensic analysis results, Autopsy findings, and memory analysis.
- A summary report reconstructing a cyber incident timeline.
- Ensure all steps are documented and properly labeled.
Congratulations! You've completed the Digital Forensics & Incident Response Lab!