Forensic Knowledgebase

Deep-dive protocols, technical cheat sheets, and theoretical concepts for digital investigators analyzing compromised systems.

Core Procedures & Preservation

First Response Immediate Triage

Before touching settings or rebooting, freeze the scene.

  • Photograph the screen immediately.
  • Isolate the device from the network.
  • Check event logs for recent unusual logins.
  • Do not power off the machine if RAM analysis is required.

Chain of Custody Evidence Handling

If legal action is possible, follow strict rules.

  • Never analyze the original drive directly.
  • Use a hardware write-blocker to make a copy.
  • Calculate MD5/SHA-256 hashes of the image and record them.
  • Log who has the evidence at all times.

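
The acquisition step above (hash the image, verify the working copy against it, log every hand-off) as an added example; this is not code from the page, and the record format, field names and the `.custody.jsonl` log file name are assumptions made for the example:

```python
import hashlib
import json
import sys
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so a multi-TB image never has to fit in RAM


def hash_stream(stream):
    """Compute MD5 and SHA-256 of a binary stream in a single read pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_image(path):
    """Hash a disk image (or any evidence file) on disk."""
    with open(path, "rb") as f:
        return hash_stream(f)


def verify_copy(expected, copy_stream):
    """True only when the working copy hashes identically to the acquired image.
    Both digests must match; a single differing bit changes both of them."""
    return hash_stream(copy_stream) == expected


def custody_entry(evidence_id, handler, action, hashes, when=None):
    """Build one chain-of-custody record (field names are this example's own).
    Records are appended and never edited, so every transfer and every
    verification leaves a timestamped trace tied to the image's hashes."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp_utc": when.isoformat(),
        "evidence_id": evidence_id,
        "handler": handler,
        "action": action,
        "md5": hashes["md5"],
        "sha256": hashes["sha256"],
    }


if __name__ == "__main__":
    # Usage: python custody_hash.py <image.dd> "<handler name>"
    image, handler = sys.argv[1], sys.argv[2]
    digests = hash_image(image)
    entry = custody_entry(image, handler, "acquired and hashed", digests)
    with open(image + ".custody.jsonl", "a") as log:  # append-only log kept beside the image
        log.write(json.dumps(entry) + "\n")
    print(json.dumps(entry, indent=2))
```

Re-run verify_copy before each analysis session and add a "verified" entry; a copy whose hashes no longer match is no longer evidence, whatever the log says about who held it.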
Crucial Concept The Order of Volatility

Collect from most fragile to least fragile:

  1. Registers & Cache
  2. Process Tables, RAM
  3. Temporary File Systems
  4. Disk Storage
  5. Remote Logs & Backups

Key Windows Artifacts

These are the locations to find evidence of execution or user activity.

Prefetch Files (.pf)

Path: C:\Windows\Prefetch

Windows creates these to make apps load faster. They prove an application was executed, how many times it ran, and when it was last launched.
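
An added example (not code from the page) of pulling exactly those three facts out of a .pf file: executable name, run count and last-run time. The offsets are taken from the public prefetch format documentation (the libscca project) for the uncompressed layouts, versions 17 (XP), 23 (Vista/7) and 26 (8.1); Windows 10/11 write the same structure Xpress-Huffman compressed under a "MAM" header, and the parser refuses those rather than mis-reading them. The sample file is constructed in the code.

```python
import struct
from datetime import datetime, timedelta, timezone

# File offsets of the last-run FILETIME(s) and the run counter for the uncompressed
# prefetch layouts: version 17 (XP/2003), 23 (Vista/7), 26 (8.1).
LAYOUTS = {
    17: {"last_run": 120, "timestamps": 1, "run_count": 144},
    23: {"last_run": 128, "timestamps": 1, "run_count": 152},
    26: {"last_run": 128, "timestamps": 8, "run_count": 208},
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return executable name, prefetch hash, run count and last-run times."""
    if data[:3] == b"MAM":
        # Windows 10/11 store .pf files compressed; decompress before parsing
        raise ValueError("compressed (MAM) prefetch file: decompress first")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    layout = LAYOUTS.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch version {version}")
    # 60-byte UTF-16LE, NUL-terminated executable name at offset 16
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    raw_times = struct.unpack_from(f"<{layout['timestamps']}Q", data, layout["last_run"])
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "executable": name,
        "hash": f"{pf_hash:08X}",  # the hex suffix in the NAME-HASH.pf file name
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],  # unused slots are 0
    }


def build_sample_v23():
    """Constructed Windows 7 (version 23) prefetch header, not a real file."""
    buf = bytearray(160)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    name = "NOTEPAD.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x3D2C1B0A)
    struct.pack_into("<Q", buf, 128, 132223104000000000)  # 2020-01-01T00:00:00Z
    struct.pack_into("<I", buf, 152, 7)
    return bytes(buf)


if __name__ == "__main__":
    print(parse_prefetch(build_sample_v23()))
```

Version 26 keeps up to eight last-run timestamps, so on Windows 8.1 one file yields the last eight executions rather than only the latest; the run counter still only increases, which is why a file with a high count and an old timestamp is worth a second look.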

The Registry (NTUSER.DAT)

Path: C:\Users\[User]\NTUSER.DAT

This hidden file stores the user's per-profile registry hive. Investigators check the RecentDocs key to see which files the user opened and the TypedURLs key to see which addresses the user typed into Explorer or Internet Explorer.

Windows Event Logs (.evtx)

Path: C:\Windows\System32\winevt\Logs

The system's diary. Look for Event ID 4624 (successful logon, Security log) to track unauthorized access, or Event ID 7045 (new service installed, System log) to spot malware persisting as a service.
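
An added example (not from the page) of the triage described above, run over events exported to XML with the built-in wevtutil (for example `wevtutil qe Security /f:xml`) rather than over the binary .evtx itself. The sample events, the internal address range `10.0.` and the business-hours window are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REMOTE_LOGON_TYPES = {"3": "network", "10": "RemoteInteractive (RDP)"}
INTERNAL_PREFIX = "10.0."                 # assumed internal range for this example
BUSINESS_HOURS = range(7, 19)             # assumed 07:00-18:59 UTC
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample in the shape wevtutil produces; the bare <Event> elements
# it emits are wrapped in a single <Events> root so the parser has one document.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-02T02:14:07Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">10</Data>
 <Data Name="IpAddress">203.0.113.45</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-02T09:03:11Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data>
 <Data Name="IpAddress">-</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7045</EventID><TimeCreated SystemTime="2024-03-02T02:15:40Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="ServiceName">WinUpdateHelper</Data>
 <Data Name="ImagePath">"C:\\Users\\Public\\update.exe"</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7045</EventID><TimeCreated SystemTime="2024-03-02T09:30:00Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="ServiceName">PrintSpoolerHelper</Data>
 <Data Name="ImagePath">C:\\Windows\\System32\\spoolsv.exe</Data></EventData>
</Event>
</Events>"""


def _event_fields(ev):
    """Pull the event id, creation time and the named EventData values."""
    eid = ev.findtext("e:System/e:EventID", namespaces=NS)
    when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
    return eid, datetime.fromisoformat(when.replace("Z", "+00:00")), data


def triage_events(xml_text):
    """Return the 4624 and 7045 events worth a closer look, each with its reasons."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid, when, d = _event_fields(ev)
        if eid == "4624" and d.get("LogonType") in REMOTE_LOGON_TYPES:
            reasons = []
            if not d.get("IpAddress", "").startswith(INTERNAL_PREFIX):
                reasons.append("source outside internal range")
            if when.hour not in BUSINESS_HOURS:
                reasons.append("outside business hours")
            if reasons:
                findings.append({"event_id": 4624, "user": d["TargetUserName"],
                                 "ip": d["IpAddress"], "logon": REMOTE_LOGON_TYPES[d["LogonType"]],
                                 "when": when, "reasons": reasons})
        elif eid == "7045":
            # a new service whose binary lives outside the usual system directories
            path = d.get("ImagePath", "").strip('"').lower()
            if not path.startswith(TRUSTED_SERVICE_DIRS):
                findings.append({"event_id": 7045, "service": d["ServiceName"],
                                 "image": d["ImagePath"], "when": when,
                                 "reasons": ["service binary outside trusted directories"]})
    return findings


if __name__ == "__main__":
    for f in triage_events(SAMPLE_XML):
        print(f)
```

Logon type 2 is a console logon and never carries a meaningful source address, which is why the filter only scores types 3 and 10; a service whose ImagePath sits under a user profile or a public directory is the 7045 pattern worth chasing first.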

Amcache.hve

Path: C:\Windows\appcompat\Programs\Amcache.hve

Stores information about executed applications. It contains the SHA-1 hash of executables, useful for finding known malware signatures.

Network Forensics Basics

Packet Captures (PCAP)

Analyzing network traffic allows investigators to reconstruct events. You can extract downloaded files directly from the packets.

DNS Profiling

Malware often uses DNS to find its C2 server. Analyzing DNS logs for strange, randomly generated domains is a fast way to spot an infected machine.
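
An added example (not from the page) of the profiling just described: each queried name's registrable label is scored on the traits that randomly generated domains tend to share, and clients that query several high-scoring names are surfaced. The BIND-style query log lines and the thresholds are constructed for the example; the second-level-label split ignores multi-part public suffixes such as co.uk, which a production version would handle with a public suffix list.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log lines (not a real capture).
SAMPLE_LOG = """\
02-Mar-2024 02:14:09 client 10.0.0.23#51234: query: xk3q9vz2plmwq.com IN A
02-Mar-2024 02:14:10 client 10.0.0.23#51235: query: hq7wbz4nfk8rtd.net IN A
02-Mar-2024 02:14:10 client 10.0.0.23#51236: query: www.google.com IN A
02-Mar-2024 02:15:01 client 10.0.0.7#40011: query: login.microsoftonline.com IN A
02-Mar-2024 02:15:02 client 10.0.0.7#40012: query: zpqmvxktrlwn.org IN A
"""
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN")


def shannon_entropy(text):
    """Bits of entropy per character; random labels score much higher than words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(fqdn):
    """Second-level label (crude: ignores multi-part public suffixes like co.uk)."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """0-4: one point per DGA-like trait of the registrable label."""
    label = registrable_label(domain)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    digits = sum(ch.isdigit() for ch in label)
    return sum([
        len(label) >= 12,                # long label
        shannon_entropy(label) >= 3.5,   # near-uniform character use
        vowel_ratio < 0.25,              # unpronounceable
        digits >= 3,                     # digit-heavy
    ])


def suspect_clients(log_text, min_score=3, min_domains=2):
    """Map client IP -> sorted suspicious domains, for clients with enough of them.
    Requiring several distinct names per client keeps one odd CDN hostname
    from flagging a machine on its own."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and dga_score(m.group(2)) >= min_score:
            hits[m.group(1)].add(m.group(2).lower())
    return {ip: sorted(doms) for ip, doms in hits.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for ip, domains in suspect_clients(SAMPLE_LOG).items():
        print(ip, domains)
```

Scoring per label rather than per full name matters: login.microsoftonline.com is long but pronounceable and scores 1, while a 12-letter consonant string with no digits still scores 3, so the threshold separates the two without a denylist.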

Mobile Forensics

Logical vs. Physical Extraction

Logical: Extracts what the user can see using the device's API. Fast, but misses deleted data.

Physical: A bit-for-bit copy of the device's flash memory. Allows for the recovery of deleted files from unallocated space.
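
An added example (not from the page) of why a physical image recovers what a logical extraction misses: the carver below ignores file-system metadata entirely and scans the raw bytes for file header/footer pairs, so a JPEG whose directory entry is gone still comes back from unallocated space. The "image" is a small byte string constructed in the code, and the two signature pairs are the real JPEG and PNG markers.

```python
# Header/footer pairs for the file types this example carves.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 16 * 1024 * 1024   # give up if no footer within 16 MiB: avoids runaway carves

# Constructed sample "physical image": an allocated text file, then a deleted JPEG
# whose directory entry is gone (only its bytes remain in unallocated space), then a PNG.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 30 + b"IEND\xaeB`\x82"
SAMPLE_IMAGE = (
    b"notes.txt\x00meeting at 10\n"
    + b"\x00" * 64 + SAMPLE_JPEG
    + b"\x00" * 32 + SAMPLE_PNG + b"\x00" * 16
)


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan raw bytes for header/footer pairs, ignoring any file-system metadata."""
    found = []
    for kind, (head, foot) in signatures.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(foot, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1          # header without a footer: skip it, keep scanning
                continue
            end += len(foot)
            found.append({"type": kind, "offset": start, "size": end - start,
                          "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def export(found, directory):
    """Write each carved object as <offset>.<type> so it can be tied back to the image."""
    import os
    names = []
    for f in found:
        name = os.path.join(directory, f"{f['offset']:012d}.{f['type']}")
        with open(name, "wb") as out:
            out.write(f["data"])
        names.append(name)
    return names


if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f["type"], "at offset", f["offset"], "size", f["size"])
```

Header/footer carving has known limits worth remembering when reviewing results: a JPEG with an embedded EXIF thumbnail contains an inner FFD9 and will be cut short, and a fragmented file will not carve cleanly at all, which is why recovered objects should be opened and checked rather than counted.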

Forensics Glossary

Bit-Stream Copy
An exact, sector-by-sector clone of a storage device, including all empty space and hidden files.
Chain of Custody
A chronological record of who handled the evidence. If broken, evidence may be inadmissible.
Cryptographic Hash
A fixed-length mathematical "fingerprint" of a file; matching hashes prove a forensic copy is bit-for-bit identical to the original.