The Threat Landscape
Know your enemy. A breakdown of modern cyber threats, what they specifically target, and the forensic footprints they leave behind.
Malicious Software (Malware)
Ransomware encrypts a victim's files, rendering them inaccessible, and demands payment (usually in cryptocurrency) in exchange for the decryption key. Modern variants also exfiltrate data before encrypting it so they can threaten to publish it if the ransom is not paid ("double extortion").
Forensic Footprint: Mass file modifications and extension changes in a short time frame, deletion of Windows Volume Shadow Copies (for example via vssadmin.exe delete shadows or wmic shadowcopy delete) so local backups cannot be restored, and identical ransom note text files dropped in every directory the encryptor touched.
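The three footprints above can be turned into triage logic over endpoint telemetry. The following is an added example, not material from the original page: the events are constructed (loosely modelled on process-create and file-write records), the dropper name svch0st.exe is hypothetical, and the burst threshold and window are illustrative assumptions rather than vendor-tuned values.

```python
"""Heuristic ransomware triage over endpoint telemetry.

Added example (not the page's own material). The telemetry below is
constructed to resemble process-create and file-write events; the
thresholds are illustrative assumptions, not vendor-tuned values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command-line fragments that destroy Volume Shadow Copies. Both commands
# are real and commonly seen immediately before encryption starts.
SHADOW_DELETE_MARKERS = (("vssadmin", "delete shadows"),
                         ("wmic", "shadowcopy delete"))


def _constructed_events():
    """Build the sample: one benign document edit, then a fast encryptor run."""
    t0 = datetime(2024, 3, 1, 9, 10, 5)
    dirs = ["C:\\Users\\amy\\Documents", "C:\\Users\\amy\\Pictures",
            "C:\\Finance\\2024", "C:\\Shares\\HR"]
    events = [
        (datetime(2024, 3, 1, 9, 0, 0), "process_create", "winword.exe",
         "WINWORD.EXE /n C:\\Users\\amy\\Documents\\Q4.docx"),
        (datetime(2024, 3, 1, 9, 1, 0), "file_write", "winword.exe",
         "C:\\Users\\amy\\Documents\\Q4.docx"),
        # Hypothetical dropper name; the shadow-copy wipe precedes encryption.
        (datetime(2024, 3, 1, 9, 10, 0), "process_create", "svch0st.exe",
         "vssadmin.exe delete shadows /all /quiet"),
    ]
    for i in range(12):  # twelve files rewritten with a new extension in 12 s
        events.append((t0 + timedelta(seconds=i), "file_write", "svch0st.exe",
                       f"{dirs[i % 4]}\\file{i}.xlsx.locked"))
    for j, d in enumerate(dirs):  # one ransom note per touched directory
        events.append((t0 + timedelta(seconds=12 + j), "file_write",
                       "svch0st.exe", f"{d}\\HOW_TO_DECRYPT.txt"))
    return events


SAMPLE_EVENTS = _constructed_events()


def find_shadow_deletion(events):
    """Return command lines that delete shadow copies."""
    hits = []
    for _, kind, _, detail in events:
        if kind != "process_create":
            continue
        low = detail.lower()
        if any(all(m in low for m in marker) for marker in SHADOW_DELETE_MARKERS):
            hits.append(detail)
    return hits


def file_write_burst(events, window=timedelta(seconds=60)):
    """Peak number of file writes by each process inside any sliding window."""
    peak = defaultdict(int)
    recent = defaultdict(deque)
    for ts, kind, proc, _ in sorted(events):
        if kind != "file_write":
            continue
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > window:  # drop writes that fell out of the window
            q.popleft()
        peak[proc] = max(peak[proc], len(q))
    return dict(peak)


def ransom_note_candidates(events, min_dirs=3):
    """File names written into at least min_dirs distinct directories."""
    dirs_by_name = defaultdict(set)
    for _, kind, _, path in events:
        if kind == "file_write" and "\\" in path:
            folder, name = path.rsplit("\\", 1)
            dirs_by_name[name].add(folder)
    return {n for n, d in dirs_by_name.items() if len(d) >= min_dirs}


def triage(events, burst_threshold=10):
    """Combine the three footprints into one verdict."""
    bursts = file_write_burst(events)
    return {
        "shadow_copy_deletion": find_shadow_deletion(events),
        "mass_modification": {p: n for p, n in bursts.items() if n >= burst_threshold},
        "ransom_note_candidates": ransom_note_candidates(events),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

Any one signal alone has benign explanations (a backup job also writes many files quickly; an administrator may legitimately clear shadow copies), which is why the verdict combines them and why the shadow-copy deletion is the strongest single indicator: it has almost no legitimate reason to appear right before a burst of renames.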
Spyware and keyloggers are designed to silently monitor user behaviour. Keyloggers record every keystroke typed, while broader spyware may take periodic screenshots, capture clipboard contents, or harvest saved passwords directly from the browser's credential database.
Forensic Footprint: Hidden background processes hooking keyboard input (on Windows, typically a low-level keyboard hook installed with SetWindowsHookEx, or polling with GetAsyncKeyState), unauthorized outbound connections that beacon small amounts of text data at regular intervals, and hidden local log files buffering the captured keystrokes between uploads.
Rootkits bury themselves deep in the operating system (kernel drivers, boot components, or hooked system libraries). They give attackers persistent administrative control while hiding their own files, processes, and network connections from standard antivirus software and from the administrator's usual tools.
Forensic Footprint: Difficult to spot on a "live" running system, because the rootkit filters the very API results that the investigator's tools rely on. Detection therefore needs a view the rootkit does not control: a captured memory image analysed with a tool such as Volatility, a full bit-stream disk clone examined on a clean machine, or a cross-view comparison (for example, the process list returned by the API versus the processes found by walking kernel structures), where any discrepancy points at the cloaking mechanism.
Social Engineering
In phishing, attackers use fraudulent emails, messages, or fake login pages to trick users into handing over their usernames, passwords, or Multi-Factor Authentication (MFA) codes; a proxy-style phishing page can relay the one-time code to the real service in real time, so a code-based MFA factor alone does not stop it. "Spear-phishing" is highly targeted at specific individuals (such as a CEO or a finance officer).
Forensic Footprint: Malicious URLs in browser history, sign-ins at unusual times or from unexpected countries in Office 365/Google Workspace audit logs (including "impossible travel", the same account seen in two distant locations too close together in time), and newly created inbox rules that forward mail to an external address or delete or hide the attacker's messages.
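Hunting for the post-phishing footprint means correlating sign-in anomalies with mailbox changes. The block below is an added example, not from the original page: the records are constructed and only loosely modelled on Microsoft 365 unified audit log entries (the UserLoggedIn and New-InboxRule operations and the ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage and MoveToFolder rule parameters are real, but the flat record layout, the tenant domain example.com and the accounts are assumptions), and geolocation is assumed to have been added by the log pipeline.

```python
"""Phishing-aftermath hunting over cloud audit records.

Added example, not from the original page. Records are constructed and
loosely modelled on Microsoft 365 unified audit log entries; the field
layout is simplified and the tenant domain is an assumption.
"""
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"  # assumed tenant domain

# Constructed records: (time, operation, user, source ip, country, parameters)
SAMPLE_RECORDS = [
    (datetime(2024, 3, 1, 8, 0), "UserLoggedIn", "amy@example.com", "203.0.113.5", "US", {}),
    (datetime(2024, 3, 1, 8, 30), "UserLoggedIn", "amy@example.com", "203.0.113.5", "US", {}),
    # Credentials phished mid-morning; attacker signs in from another country.
    (datetime(2024, 3, 1, 9, 15), "UserLoggedIn", "amy@example.com", "198.51.100.7", "NG", {}),
    (datetime(2024, 3, 1, 9, 20), "New-InboxRule", "amy@example.com", "198.51.100.7", "NG",
     {"Name": "a", "ForwardTo": "collector@example.net", "DeleteMessage": True}),
    (datetime(2024, 3, 1, 10, 0), "UserLoggedIn", "bob@example.com", "203.0.113.9", "US", {}),
    (datetime(2024, 3, 1, 10, 5), "New-InboxRule", "bob@example.com", "203.0.113.9", "US",
     {"Name": "newsletters", "MoveToFolder": "Reading", "SubjectContainsWords": "digest"}),
]

# Folders attackers commonly pick because users never look in them.
DECOY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}


def impossible_travel(records, max_gap=timedelta(hours=2)):
    """Same account seen in two countries closer together in time than max_gap."""
    last_seen = {}
    findings = []
    for ts, op, user, ip, country, _ in sorted(records, key=lambda r: r[0]):
        if op != "UserLoggedIn":
            continue
        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] <= max_gap:
            findings.append((user, prev[1], country, ip))
        last_seen[user] = (ts, country)
    return findings


def suspicious_inbox_rules(records, org_domain=ORG_DOMAIN):
    """Rules that exfiltrate or hide mail: external forwarding, deletion, decoy folders."""
    findings = []
    for ts, op, user, ip, _, params in records:
        if op != "New-InboxRule":
            continue
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = params.get(key, "")
            if target and not target.lower().endswith("@" + org_domain):
                reasons.append(f"{key} to external address {target}")
        if params.get("DeleteMessage"):
            reasons.append("DeleteMessage set")
        if params.get("MoveToFolder", "").lower() in DECOY_FOLDERS:
            reasons.append("moves mail to a rarely-read folder")
        if reasons:
            findings.append((ts, user, ip, reasons))
    return findings


def correlate(records):
    """Escalate a rule finding when its source IP also performed an anomalous sign-in."""
    travel_ips = {(user, ip) for user, _, _, ip in impossible_travel(records)}
    alerts = []
    for ts, user, ip, reasons in suspicious_inbox_rules(records):
        severity = "high" if (user, ip) in travel_ips else "medium"
        alerts.append({"time": ts, "user": user, "ip": ip,
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_RECORDS):
        print(alert)
```

Bob's rule is left alone: it neither forwards externally nor deletes or hides anything, and flagging every new rule would bury the real one. The external-forwarding check is the one worth keeping even without the travel correlation, since it catches the attacker's persistence after the password has been reset.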
In a baiting attack, an attacker leaves a physical device (such as a USB drive labelled "Q4 Layoffs" or "Payroll") in a public space, hoping a curious employee plugs it into a company computer. Because AutoRun for removable media has been disabled by default on Windows since Windows 7, the payload usually fires either when the employee opens a lure file on the drive or because the device presents itself as a keyboard and types commands by itself.
Forensic Footprint: Windows registry keys tracking USB history (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR), recording the vendor, product and serial number of the rogue device, with the first-connection timestamp recoverable from the key's last-write time and from C:\Windows\INF\setupapi.dev.log.
Network & Application Attacks
In a Distributed Denial-of-Service (DDoS) attack, an attacker uses a botnet (thousands of infected computers or devices) to flood a target website or network with traffic, exhausting bandwidth, connection tables or server resources until legitimate users can no longer get through.
Forensic Footprint: Sudden spikes in inbound traffic, thousands of connections from diverse global IP addresses concentrated in a short window (which distinguishes it from a single misbehaving client), and exhausted server resources (CPU, memory, connection limits) in monitoring data.
In SQL injection, attackers type fragments of SQL into an ordinary input such as a search bar or login form. If the application builds its query by concatenating that input into the SQL string instead of passing it as a bound parameter, the database executes the attacker's fragment, allowing them to bypass authentication or dump, modify, or delete the entire database.
Forensic Footprint: Web server access logs showing request URLs whose query strings contain SQL fragments such as ' OR 1=1 -- (usually URL-encoded, e.g. %27+OR+1%3D1+--), often alongside bursts of 500 responses as the attacker probes parameters. Standard access logs record only the URL, so payloads sent in POST bodies need application-level or WAF logging to be visible.
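The mechanism described above is easiest to see with the vulnerable query next to its fix. This is an added example, not code from the original page: the schema, the accounts, the product catalogue and the placeholder "hash" strings are all constructed, and SQLite stands in for whatever database the application would use.

```python
"""SQL injection: the vulnerable pattern next to its fix, on SQLite.

Added example, not code from the original page. The schema, credentials
and the product search are constructed; the hashes are placeholder
strings, not real password hashes.
"""
import sqlite3


def setup_db():
    """In-memory database with a users table worth stealing and a product catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('amy', 'hash-of-amy-password'),
                                 ('admin', 'hash-of-admin-password');
        CREATE TABLE products(name TEXT, price TEXT);
        INSERT INTO products VALUES ('laptop', '999'), ('mouse', '19');
    """)
    return conn


# --- Vulnerable: user input is pasted into the SQL text ----------------------

def login_vulnerable(conn, username, password_hash):
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


def search_vulnerable(conn, term):
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


# --- Hardened: the query text is fixed; values travel as bound parameters ----

def login_safe(conn, username, password_hash):
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def search_safe(conn, term):
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Payloads of the kind the footprint above mentions. The quote closes the
# string literal, the rest is attacker SQL, and "--" comments out the tail.
AUTH_BYPASS = "' OR 1=1 --"
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"


def demo():
    conn = setup_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, AUTH_BYPASS, "anything"),
        "safe_bypass": login_safe(conn, AUTH_BYPASS, "anything"),
        "vulnerable_dump": search_vulnerable(conn, UNION_DUMP),
        "safe_dump": search_safe(conn, UNION_DUMP),
        "safe_real_login": login_safe(conn, "amy", "hash-of-amy-password"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The parameterized versions do not sanitize anything; they simply never let the input become SQL, so the same payloads are matched literally as a username or search term and find nothing. Escaping quotes by hand is the wrong fix because the next developer will forget, and because numeric and LIKE contexts need different escaping.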
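Both the DDoS footprint and the SQL-injection footprint in this section come out of the same web server access log, so one parser serves both. The block below is an added example, not from the original page: the log lines are constructed in Apache/Nginx "combined" format using documentation IP ranges, and the spike thresholds are illustrative assumptions. It also shows why matching has to happen after URL-decoding: the quote arrives as %27 and the spaces as + or %20.

```python
"""Access-log triage for the DDoS and SQL-injection footprints above.

Added example, not from the original page. Log lines are constructed in
Apache/Nginx "combined" format; IPs come from documentation ranges and
the spike thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Fragments that rarely occur in legitimate query strings. Applied to the
# URL-decoded path, since attackers send %27 for the quote and + for space.
SQLI_RE = re.compile(
    r"('\s*or\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s+table|'\s*--)",
    re.IGNORECASE)


def _line(ip, ts, path, status=200):
    return (f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 512 '
            f'"-" "Mozilla/5.0"')


def _constructed_log():
    lines = [
        _line("203.0.113.5", "01/Mar/2024:09:00:01", "/index.html"),
        _line("203.0.113.8", "01/Mar/2024:09:00:40", "/login"),
        # Injection attempt as it really appears: URL-encoded in the query string.
        _line("198.51.100.200", "01/Mar/2024:09:01:12",
              "/search?q=%27+OR+1%3D1+--", 500),
        _line("203.0.113.5", "01/Mar/2024:09:02:00", "/search?q=mouse"),
    ]
    # Volumetric burst: 100 distinct sources hitting the same path in one second.
    for i in range(1, 101):
        lines.append(_line(f"198.51.100.{i}", "01/Mar/2024:09:03:00", "/"))
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def sqli_hits(lines):
    """Requests whose decoded path or query string contains an injection fragment."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if SQLI_RE.search(rec["decoded_path"]):
            hits.append((rec["ip"], rec["decoded_path"], rec["status"]))
    return hits


def traffic_spikes(lines, min_requests=50, min_sources=20):
    """Per-second windows with both high volume and many distinct source IPs."""
    per_second = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_second[rec["ts"].replace(microsecond=0)].append(rec["ip"])
    return [(ts.isoformat(), len(ips), len(set(ips)))
            for ts, ips in sorted(per_second.items())
            if len(ips) >= min_requests and len(set(ips)) >= min_sources]


if __name__ == "__main__":
    print("injection attempts:", sqli_hits(SAMPLE_LOG))
    print("traffic spikes:", traffic_spikes(SAMPLE_LOG))
```

The distinct-source count is what separates a distributed flood from one noisy scanner or a broken client retrying in a loop, which would also produce a spike in request volume. The injection check sees only GET parameters; an attacker posting the same payload in a form body leaves nothing in this log, which is the caveat noted in the footprint above.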