Digital Forensics

Mind Map: Digital Forensics

1. Digital Forensic Tools

1.1. Software

1.1.1. Data Duplication

1.1.1.1. Unix-based

1.1.1.1.1. dd

1.1.1.1.2. ewfacquire

1.1.1.1.3. Adepto

1.1.1.1.4. aimage

1.1.1.1.5. AIR

1.1.1.1.6. dcfldd

1.1.1.1.7. EnCase LinEn

1.1.1.1.8. GNU ddrescue

1.1.1.1.9. ddrescue

1.1.1.1.10. iLook IXimager

1.1.1.1.11. MacQuisition Boot CD

1.1.1.1.12. rdd

1.1.1.1.13. sdd

1.1.1.1.14. Guymager

1.1.1.2. Windows-based

1.1.1.2.1. ASR

1.1.1.2.2. DIBS

1.1.1.2.3. FTK Imager

1.1.1.2.4. Ghost

1.1.1.2.5. Paraben

1.1.1.2.6. ProDiscover

1.1.1.2.7. X-Ways Forensics

1.1.1.2.8. X-Ways Replica

1.1.1.3. Multi-platform

1.1.2. Data Recovery

1.1.2.1. Unix-based

1.1.2.1.1. gparted

1.1.2.1.2. foremost

1.1.2.1.3. Magic Rescue

1.1.2.2. Windows-based

1.1.2.2.1. Partition Table Doctor

1.1.2.2.2. NTFS Recovery

1.1.2.2.3. Partition Recovery Software

1.1.2.2.4. HD Doctor Suite

1.1.2.2.5. BringBack

1.1.2.2.6. RAID Reconstructor

1.1.2.2.7. e-ROL

1.1.2.2.8. Recuva

1.1.2.2.9. Restoration

1.1.2.2.10. Undelete Plus

1.1.2.2.11. R-Studio

1.1.2.2.12. Stellar Phoenix

1.1.2.2.13. Adroit Photo Recovery

1.1.2.2.14. File Extractor Pro

1.1.2.2.15. Simple Carver Suite

1.1.2.2.16. Photo Rescue

1.1.2.3. Multi-platform

1.1.2.3.1. TestDisk

1.1.2.3.2. Scalpel

1.1.2.3.3. PhotoRec

1.1.3. Image Analysis

1.1.3.1. Unix-based

1.1.3.2. Windows-based

1.1.3.3. Multi-platform

1.1.3.3.1. Surf Recon LE

1.1.4. File Analysis

1.1.4.1. Unix-based

1.1.4.1.1. file

1.1.4.1.2. ldd

1.1.4.1.3. ltrace

1.1.4.1.4. strace

1.1.4.1.5. xtrace

1.1.4.1.6. ktrace

1.1.4.1.7. Valgrind

1.1.4.1.8. DTrace

1.1.4.1.9. Rifiuti

1.1.4.1.10. Pasco

1.1.4.1.11. Galleta

1.1.4.1.12. Hachoir

1.1.4.2. Windows-based

1.1.4.2.1. Code Suite

1.1.4.2.2. PEiD

1.1.4.3. Multi-platform

1.1.4.3.1. PDF Miner

1.1.4.3.2. strings

1.1.4.3.3. dumpsterdive.pl

1.1.4.3.4. Analog

1.1.5. Audio Analysis

1.1.5.1. Unix-based

1.1.5.2. Windows-based

1.1.5.2.1. DC Live

1.1.5.3. Multi-platform

1.1.6. Network Analysis

1.1.6.1. Unix-based

1.1.6.1.1. tcpdump

1.1.6.1.2. Xplico

1.1.6.1.3. ngrep

1.1.6.1.4. chaosreader

1.1.6.2. Windows-based

1.1.6.2.1. windump

1.1.6.2.2. OmniPeek

1.1.6.3. Multi-platform

1.1.6.3.1. Wireshark

1.1.6.3.2. snort

1.1.6.3.3. whois

1.1.6.3.4. Kismet

1.1.6.3.5. Netcat

1.1.7. Data Reduction

1.1.7.1. Unix-based

1.1.7.1.1. md5sum

1.1.7.2. Windows-based

1.1.7.3. Multi-platform

1.1.8. Reverse Engineering

1.1.8.1. Unix-based

1.1.8.1.1. gdb

1.1.8.2. Windows-based

1.1.8.2.1. OllyDbg

1.1.8.2.2. IDA Pro

1.1.8.3. Multi-platform

1.1.9. Data Analysis

1.1.9.1. Unix-based

1.1.9.2. Windows-based

1.1.9.2.1. Financial Crimes Enforcement Network AI System

1.1.9.2.2. COPLINK Suite

1.1.9.2.3. DataDetective

1.1.9.2.4. Griffin

1.1.9.3. Multi-platform

1.1.9.3.1. FACE

1.1.9.3.2. MultiAgent Digital Investigation toolKit (MADIK)

1.1.10. Multipurpose tools

1.1.10.1. Unix-based

1.1.10.1.1. The Coroner's Toolkit

1.1.10.1.2. SMART

1.1.10.2. Windows-based

1.1.10.2.1. EnCase by Guidance

1.1.10.2.2. Forensic Toolkit (FTK)

1.1.10.2.3. iLook

1.1.10.3. Multi-platform

1.1.10.3.1. Sleuth Kit / Autopsy

1.1.10.3.2. VMware

1.1.11. Mobile Phone Analysis

1.1.11.1. Windows-based

1.1.11.1.1. SIM Explorer

1.1.11.1.2. SIM Manager

1.1.11.1.3. SIMCon

1.1.11.2. Unix-based

1.1.11.3. Multi-platform

1.1.12. Live-CDs

1.1.12.1. Helix3

1.1.12.2. Backtrack

1.1.12.3. SPADA

1.1.12.4. CAINE

1.1.13. Remote Monitoring

1.1.13.1. Bundestrojaner

1.2. Hardware

1.2.1. Write Blockers

1.2.1.1. ICS Drive Lock

1.2.1.2. MyKey NoWrite

1.2.1.3. Tableau

1.2.1.4. WiebeTech

1.2.2. Hardware Imagers

1.2.2.1. Data Compass

1.2.2.2. DeepSpar Disk Imager

1.2.2.3. Data Copy King

1.2.2.4. ICS Solo3

1.2.2.5. Logicube Talon

1.2.2.6. PSIClone

1.2.2.7. Cellebrite

1.2.2.8. Voom Hardcopy III

2. Professions

2.1. Law

2.1.1. Enforcements

2.1.1.1. Collection/Analysis

2.1.1.1.1. First Responders

2.1.1.1.2. Media Acquisition

2.1.1.1.3. Media Examination

2.1.1.2. Evidence

2.1.1.2.1. Preservation

2.1.1.2.2. Presentation

2.1.2. Courts

2.1.2.1. Laws

2.1.2.1.1. Law Development

2.1.2.1.2. Law Comparison

2.1.2.2. People

2.1.2.2.1. Expert Witness

2.1.2.2.2. Friends of the Court

2.1.2.2.3. Prosecution

2.1.2.2.4. Defence

2.2. Academia

2.2.1. Research

2.2.1.1. Discipline Definition

2.2.1.2. Problem Solving

2.2.1.3. Testing

2.2.1.4. Evaluating

2.2.2. Education

2.2.2.1. Contributions

2.2.2.2. Professional Outcome

2.3. Military

2.3.1. Post attack analysis

2.4. Private sector

2.4.1. Consulting

2.4.1.1. Data Recovery

2.4.1.2. Forensic Analysis

2.4.1.3. Expert Witness

2.4.2. Industry

2.4.2.1. System Admins

2.4.2.2. Legal Contact

3. Digital Evidence

3.1. Physical

3.1.1. Large Scale Digital Devices

3.1.1.1. Computers

3.1.1.1.1. Desktops

3.1.1.1.2. Laptops

3.1.1.1.3. Servers

3.1.1.1.4. Tablets

3.1.1.1.5. Netbooks

3.1.1.2. Grids

3.1.1.3. Clusters

3.1.2. Small Scale Digital Devices

3.1.2.1. Mobile phones

3.1.2.2. PDAs

3.1.2.3. Digital Music Players

3.1.2.4. Smart Phones

3.1.2.5. Embedded Devices

3.1.2.6. GPS Devices

3.1.2.7. Storage Devices

3.1.2.7.1. USB Thumb Drives

3.1.2.7.2. External Hard Drives

3.1.2.8. Digital Cameras

3.1.3. Network Devices

3.1.3.1. Routers

3.1.3.2. Switches

3.1.3.3. Hubs

3.1.3.4. Firewalls

3.1.3.5. IDS

3.1.3.6. Wireless AP

3.1.4. Peripherals

3.1.4.1. Printers

3.1.4.2. Scanners

3.1.4.3. Copiers

3.1.5. Storage Media

3.1.5.1. Magnetic

3.1.5.1.1. Floppy

3.1.5.1.2. Tapes

3.1.5.2. Optical

3.1.5.2.1. CD

3.1.5.2.2. DVD

3.1.5.2.3. Blu-ray

3.1.5.3. Transistor

3.1.5.3.1. Memory Cards

3.1.5.3.2. Smart Cards

3.1.5.3.3. RFID Tags

3.1.6. Obscure Devices

3.1.6.1. Gaming Devices

3.1.6.1.1. Xbox

3.1.6.1.2. PlayStation

3.1.6.1.3. Wii

3.1.6.1.4. PSP

3.1.6.2. Recording Devices

3.1.6.2.1. Camcorders

3.1.6.2.2. Audio recorders

3.1.6.2.3. Surveillance cameras

3.1.6.3. Network enabled appliances

3.1.6.3.1. Refrigerators

3.2. Logical

3.2.1. Operating Systems

3.2.1.1. Registry

3.2.1.2. System Logs

3.2.1.3. System Files

3.2.1.4. Printer Spool

3.2.1.5. Swap files

3.2.2. Applications

3.2.2.1. Application Logs

3.2.2.1.1. Security Logs

3.2.2.1.2. Browser History

3.2.2.2. Application Files

3.2.2.2.1. Cookies

3.2.2.2.2. Configuration Files

3.2.2.2.3. Executables

3.2.3. File Systems

3.2.3.1. Files

3.2.3.1.1. Images

3.2.3.1.2. Data

3.2.3.1.3. Documents

3.2.3.1.4. Audio

3.2.3.1.5. Video

3.2.3.2. File metadata

3.2.3.2.1. MAC-times

3.2.3.2.2. Permissions

3.2.4. Memory

3.2.4.1. RAM

3.2.4.2. Cache

3.3. External

3.3.1. Telecom network

3.3.1.1. Phone Records

3.3.1.2. Internet logs

3.3.2. Internet

3.3.2.1. Clouds

3.3.2.1.1. Online Storage

3.3.2.1.2. Cloud Apps

3.3.2.2. Domain Name records

3.3.2.3. Social networks

3.3.2.4. Webpages

3.3.3. Access Control Systems

3.3.3.1. Passport control logs

3.3.3.2. Building security logs

3.3.4. Electronic Commerce Services

3.3.4.1. Credit Card company logs

3.3.4.2. Bank logs

3.3.4.3. E-payment logs

3.3.4.4. Webshop logs

4. Digital Forensic Process

4.1. Preparation

4.1.1. Training

4.1.2. Prepare tools

4.1.3. Warrants and authorizations

4.1.4. Management support

4.2. Identification

4.2.1. Incident detection

4.3. Approach Strategy

4.4. Preservation

4.4.1. Isolate

4.4.2. Secure

4.5. Collection

4.5.1. Record

4.5.2. Duplicate

4.6. Examination

4.6.1. Search for evidence

4.7. Analysis

4.7.1. Reconstruct

4.7.2. Evaluate

4.7.3. Correlate

4.7.4. Conclude

4.8. Presentation

4.8.1. Summarize

4.8.2. Explain

4.9. Returning evidence

5. Digital Crime Cases

5.1. Cyber Crime Case

5.1.1. Increased Access

5.1.1.1. Buffer Overflows

5.1.1.2. Password attacks

5.1.1.3. Malware

5.1.1.3.1. Virus

5.1.1.3.2. Worm

5.1.1.3.3. Trojan

5.1.2. Disclosure of information

5.1.2.1. Copyright infringement

5.1.2.2. Identity Theft

5.1.2.3. Sniffing

5.1.2.4. Data theft

5.1.2.5. Phishing

5.1.2.6. Fraud

5.1.3. Corruption of information

5.1.3.1. Tampering

5.1.4. Denial of Service

5.1.4.1. DoS attack

5.1.5. Theft of resources

5.1.5.1. Botnets

5.1.5.2. SPAM

5.2. Traditional Crime Case

5.2.1. Traffic violations

5.2.1.1. Speeding

5.2.1.2. Reckless driving

5.2.1.3. Collisions

5.2.1.4. DUI

5.2.1.5. Hit-and-run

5.2.2. Sex crime

5.2.2.1. Rape

5.2.2.2. Sexual abuse

5.2.2.3. Child molestation

5.2.2.4. Child pornography

5.2.2.5. Prostitution

5.2.2.6. Trafficking

5.2.3. Theft

5.2.3.1. Robbery

5.2.3.2. Burglary

5.2.3.3. Auto theft

5.2.3.4. Theft of national secrets

5.2.4. Fraud

5.2.4.1. Money Laundering

5.2.4.2. Counterfeiting

5.2.4.3. Insurance fraud

5.2.4.4. Corruption

5.2.5. Arson

5.2.6. Drugs

5.2.6.1. Possession

5.2.6.2. Distribution

5.2.6.3. Sale

5.2.6.4. Trafficking

5.2.7. Violent crime

5.2.7.1. Murder

5.2.7.2. Assault

5.2.7.3. Hate Crime

5.2.7.4. Terrorism

5.2.7.5. Bombing

6. Counter-Forensics

6.1. Encryption

6.1.1. PGP

6.1.2. Blowfish

6.1.3. TrueCrypt

6.1.4. IPSec

6.1.5. SSL

6.2. Steganography

6.2.1. Slacker

6.2.2. Steganos Privacy Suite

6.2.3. S-Tools

6.3. Proxies

6.3.1. The Onion Router (Tor)

6.4. Storage-less devices

6.4.1. LiveCDs

6.5. Secure deletion

6.5.1. Darik's Boot and Nuke (DBAN)

6.5.2. Eraser

6.5.3. Evidence Eliminator

6.5.4. ParetoLogic Privacy Controls

6.5.5. Steganos Privacy Suite

6.5.6. WinClear

6.5.7. Window Washer

6.5.8. PDWipe

6.6. Data Tampering

6.6.1. Timestomp (tool)

7. Digital Forensic Methods

7.1. Data Duplication

7.1.1. File copy

7.1.2. Backup

7.1.3. Partition copy

7.1.4. Bit-by-bit imaging

7.1.5. Memory Imaging

7.2. Image Analysis

7.2.1. Camera Identification

7.2.2. Location Identification

7.2.3. Manipulation Detection

7.2.4. Image Enhancement

7.2.5. Video Analysis

7.3. Audio Analysis

7.3.1. Microphone Identification

7.3.2. Location Identification

7.3.3. Manipulation Detection

7.3.4. Audio Enhancement

7.3.5. Voice Identification

7.4. Document Analysis

7.4.1. Author Attribution

7.4.2. Manipulation Detection

7.5. File Analysis

7.5.1. Call trace

7.5.2. String extraction

7.5.3. Parsing

7.5.4. Differentiating

7.5.5. Logfile analysis

7.5.6. Reverse engineering

7.5.6.1. Decompiling

7.5.6.2. Debugging

7.5.6.3. Disassembly

7.6. Network Analysis

7.6.1. Packet capture

7.6.2. Packet analysis

7.6.3. Session analysis

7.7. Data reduction

7.7.1. Cryptographic hashes

7.7.2. Exclusion of known files

7.7.3. Thumbnailing

7.8. Data Recovery

7.8.1. File carving

7.8.2. Partition Recovery

7.8.3. Bad Sector Recovery

7.8.4. Slack-space recovery

7.8.5. Deleted Files Recovery

7.8.6. Hidden data recovery

7.8.7. Password recovery

7.8.8. Decryption

7.9. Data Analysis

7.9.1. Data mining

7.9.1.1. Association analysis

7.9.1.2. Classification

7.9.1.3. Prediction

7.9.1.4. Clustering

7.9.1.5. Outlier analysis

7.9.1.6. Pattern Recognition

7.9.2. String Search

8. Legal Aspects

8.1. Chain of Custody

8.2. Daubert Criteria

8.3. Privacy

9. Terminology

9.1. Computer Forensic

9.2. Internet Forensic

9.3. Embedded Forensic

9.4. Mobile Forensic

9.5. Network Forensic

9.6. File Forensic

9.7. Media Forensic

9.8. Live Analysis

9.9. Dead Analysis

9.10. Static analysis

9.11. Dynamic Analysis

9.12. eDiscovery