Information Security
Digital Forensics
Stuxnet 2010: the first widely acknowledged cyberweapon was found almost by accident in June 2010, when the Belarusian antivirus firm VirusBlokAda investigated machines in Iran that were crashing and rebooting. The subsequent analysis took months. Researchers at Symantec, Kaspersky, ESET and elsewhere reconstructed the attack from binaries recovered from infected disks: four Windows zero-day exploits, rootkit drivers signed with code-signing certificates stolen from Realtek and JMicron, and payload logic that looked for Siemens S7-315 and S7-417 PLCs driving frequency converters in the 807 to 1,210 Hz range used by enrichment centrifuges, then pushed the drives from their nominal 1,064 Hz up to 1,410 Hz and down to 2 Hz. Artifacts carved from infected disks and reverse-engineered over months exposed a nation-state operation.
- **Stuxnet 2010**: disk forensics of infected machines yielded a roughly 500 KB binary that analysts reverse-engineered into the full attack chain against Iranian enrichment centrifuges: four zero-days, stolen code-signing certificates, and PLC targeting logic, all recovered from disk artifacts.
- **Target 2013**: the BlackPOS memory scraper on point-of-sale terminals read track data from the POS process's RAM in the brief window between the card swipe and encryption, so the cleartext card data never existed on disk. Memory analysis was what exposed the scraping mechanism.
- **Snowden 2013**: leaked documents showed XKEYSCORE collecting full packets at sites on internet backbones and indexing them so analysts could reconstruct individual sessions after the fact. It is the same technique enterprises use for network forensics, applied at nation-state scale.
Disk Forensics: File System Analysis
Disk forensics analyzes storage media to reconstruct attacker activity: file creation/modification timestamps, deleted file recovery, browser history, registry analysis (Windows), and log parsing. The first step is creating a forensic image (a bit-for-bit copy) through a write blocker so the original is never modified, then hashing the image (SHA-256) and working only on verified copies; the hash is checked again before and after each analysis session. Write blockers apply to dead-box acquisition of physical media; live systems, encrypted volumes and cloud instances are acquired as logical images or snapshots instead, and the same hash-and-document discipline applies to those. The Sleuth Kit (TSK) and Autopsy are the usual open-source tools for file system analysis and timeline building.
Stuxnet 2010: VirusBlokAda, a Belarusian antivirus firm, first encountered it while investigating crashing machines in Iran. Analysis by Symantec, Kaspersky and independent researchers took months. The files recovered from infected disks, the dropper, the signed rootkit drivers, the malicious LNK files on USB media and the replaced Step 7 communication library (s7otbxdx.dll), were reverse-engineered into four zero-days, certificates stolen from Realtek and JMicron, and targeting logic specific to Siemens S7-315 and S7-417 PLCs driving centrifuge frequency converters. Disk artifacts were the starting point; the complete attack chain came from reverse engineering those artifacts.
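The timeline step above is what TSK's `fls -m` and `mactime` do for a whole image. The block below is an added example, not code from the original page or from The Sleuth Kit: it parses the real body-file column layout that `fls -m` emits, but the three entries in `SAMPLE_BODY` are constructed sample input, and the incident window passed to `created_in_window` is an assumed value.

```python
"""Turn a TSK body file (the `fls -m` / mactime input format) into a MACB timeline.

Added example for this page, not code from The Sleuth Kit itself. The body file
below is constructed sample input; the column layout is the real mactime one:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with times as epoch seconds and 0 meaning "not set".
"""
from datetime import datetime, timezone

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

# Constructed sample: what `fls -m / -r image.dd` might emit for three entries.
# A system binary untouched since install, a dropper in a temp directory, and the
# same dropper after deletion (fls appends "(deleted)" to unallocated entries).
SAMPLE_BODY = """\
0|/Windows/System32/svchost.exe|4521|r/rrwxrwxrwx|0|0|55320|1700000000|1600000000|1600000000|1600000000
0|/Users/alice/AppData/Local/Temp/update.exe|9912|r/rrwxrwxrwx|0|0|118784|1700003600|1700003500|1700003500|1700003500
0|/Users/alice/AppData/Local/Temp/update.exe (deleted)|9913|r/rrwxrwxrwx|0|0|118784|1700007200|1700007100|1700007200|1700003500
"""


def parse_body(text):
    """Parse body-file lines into dicts; reject lines with the wrong column count."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed body line: {line!r}")
        row = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def build_timeline(rows):
    """Collapse the four timestamps into (epoch, 'macb', name) events sorted by time.

    The flag string mirrors mactime: m=modified, a=accessed, c=metadata changed,
    b=born (created); a dot means that timestamp did not fire at this instant.
    """
    events = {}
    for row in rows:
        for key, flag in (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b")):
            if row[key]:  # 0 means the file system did not record this timestamp
                events.setdefault((row[key], row["name"]), set()).add(flag)
    return [(ts, "".join(f if f in flags else "." for f in "macb"), name)
            for (ts, name), flags in sorted(events.items())]


def events_in_window(timeline, start, end):
    """Events whose timestamp falls inside the suspected incident window (inclusive)."""
    return [ev for ev in timeline if start <= ev[0] <= end]


def created_in_window(timeline, start, end):
    """Names of files born inside the window: the first list to pull for triage."""
    return [name for ts, macb, name in events_in_window(timeline, start, end) if "b" in macb]


def format_timeline(timeline):
    return "\n".join(
        f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {macb} {name}"
        for ts, macb, name in timeline)


if __name__ == "__main__":
    rows = parse_body(SAMPLE_BODY)
    tl = build_timeline(rows)
    print(format_timeline(tl))
    # Assumed incident window; in practice it comes from the alert or the SIEM.
    print("created during incident window:", created_in_window(tl, 1700003000, 1700008000))
```

Two things the output shows that the raw body file does not: the deleted copy of `update.exe` keeps the original creation time (`...b` at the same instant as the live entry) while its `ctime` moved to the deletion, and the system binary's access time long after its modification time is normal background noise, which is why timeline review starts from births inside the window rather than from every event.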
Why must a forensic disk image be created before any analysis begins?
Memory Forensics: Analyzing RAM
Memory forensics analyzes RAM dumps to find artifacts that never touch the disk: running processes, decryption keys, network connections, code injected into legitimate processes, and cleartext credentials or payment data held in process memory. Volatility 3 is the standard open-source framework for analyzing the dump. Memory is volatile, so it must be captured while the system is running, before power-off or a reboot, and before containment steps that would clear it. Acquisition itself disturbs memory (the capture tool has its own footprint), so record the tool, its version and the capture time. When a live capture was not possible, the hibernation file, pagefile and crash dumps on disk are secondary sources of memory contents.
Target 2013 breach: analysis of compromised POS terminals identified the BlackPOS (Kaptoxa) memory scraper reading track data from the POS process's RAM in the brief window between the card swipe and encryption. The card data itself never reached disk in cleartext, so disk artifacts showed that malware was present but not what it was harvesting or how; memory analysis established the scraping mechanism and how the stolen data was staged for exfiltration.
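The scraper and the examiner run essentially the same search over process memory: a pattern for magnetic-stripe track 2 data, filtered by the Luhn check so random digit runs do not flood the results. The block below is an added example, not the original page's code and not any real scraper or forensic tool; `SAMPLE_DUMP` is a constructed byte string standing in for a few heap pages of a POS process, and the card numbers in it are public test numbers.

```python
"""Carve cleartext payment-card track 2 data out of a raw memory image.

Added example for this page, not the original page's code and not any real
scraper or forensic tool. SAMPLE_DUMP is a constructed byte string standing in
for a few heap pages of a POS process; the track 2 layout and the Luhn check
are real, and the card numbers are public test numbers, not live cards.
"""
import re

# Track 2 layout: ";" PAN (13-19 digits) "=" YYMM service-code discretionary-data "?"
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled, the digits
    of the products are summed, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a case file would record it."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def carve_track2(dump: bytes):
    """Scan an arbitrary byte buffer for track 2 records.

    The regex alone over-matches on random digit runs in memory; the Luhn check
    discards roughly nine in ten of those false positives with no external data.
    """
    hits = []
    for m in TRACK2.finditer(dump):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),          # where in the image it sat, for the report
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return hits


# Constructed dump: 4111111111111111 and 5555555555554444 are public test PANs;
# 4111111111111112 has the same shape but fails Luhn, so a careful carver drops it.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"pos.exe heap: ;4111111111111111=25121011234567890?\x00"
    + b"garbage ;4111111111111112=25121010000000000? more garbage"
    + b"\xff" * 32
    + b";5555555555554444=26061010987654321?\r\n"
)

if __name__ == "__main__":
    for hit in carve_track2(SAMPLE_DUMP):
        print(hit)
```

Run against a real dump, the offsets cluster in the POS process's heap and in the scraper's own staging buffer, which is how memory analysis ties the stolen data to the process that took it; an EDR signature for the same regex loaded into a non-payment process is one of the detections the reflection questions below ask about.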
Why does process injection (like hollowing or reflective loading) specifically evade disk-based forensics?
Network Forensics: Traffic Analysis
Network forensics captures and analyzes network traffic to reconstruct attacker communication, data exfiltration, and C2 channels. Full packet capture (PCAP) allows complete reconstruction of sessions but is expensive to store and increasingly shows only encrypted payloads. NetFlow/IPFIX records metadata per flow (source, destination, ports, volume, timing) at a small fraction of the storage cost, so it can be retained for months. Zeek (formerly Bro) sits between the two: it generates structured per-protocol logs (conn, dns, http, ssl, files) from live traffic or PCAP that carry most of the investigative value of full capture at a fraction of the size.
Snowden 2013: the leaked XKEYSCORE documents described bulk packet capture and full-content indexing at collection sites on internet backbones. The technique is the one enterprises use for network forensics; the differences were scale and legal authority. Even at that scale storage limits bit: the slides described full content being kept for only a few days per site and metadata for about thirty days, with sessions an analyst selected moved to longer-term stores. Reconstruction of an individual session after the fact was possible only within those windows.
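Zeek's dns.log is where DNS tunneling usually shows up first: one registered domain receiving a stream of long, never-repeating subdomains. The block below is an added example, not Zeek's own code or one of its scripts; it parses the generic `#fields` header that real Zeek logs carry, but `SAMPLE_DNS_LOG` is a constructed, abbreviated log (real ones have more columns), the thresholds in `detect_tunneling` are assumed starting values, and example.com / example.net are reserved names standing in for a benign and a tunneling domain.

```python
"""Flag DNS tunneling in a Zeek dns.log by query length and subdomain churn.

Added example for this page, not Zeek's own code or any of its scripts. The log
below is a constructed, abbreviated dns.log; real Zeek logs carry more columns,
but the #fields header is parsed generically so extra columns are harmless.
example.com and example.net are reserved names used as stand-ins.
"""
import math
from collections import defaultdict

SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\n"
    "1700000001.10\tCa1\t10.0.0.5\t51000\t10.0.0.1\t53\tudp\twww.example.com\tA\tNOERROR\n"
    "1700000002.20\tCa2\t10.0.0.5\t51001\t10.0.0.1\t53\tudp\tmail.example.com\tMX\tNOERROR\n"
    "1700000003.30\tCa3\t10.0.0.5\t51002\t10.0.0.1\t53\tudp\tcdn.example.com\tA\tNOERROR\n"
    "1700000004.40\tCa4\t10.0.0.5\t51003\t10.0.0.1\t53\tudp\twww.example.com\tA\tNOERROR\n"
    "1700000005.50\tCb1\t10.0.0.9\t52000\t10.0.0.1\t53\tudp\t4e9a1c7fb02d5e8831a6c9d0f2b7e415.t.example.net\tTXT\tNOERROR\n"
    "1700000006.60\tCb2\t10.0.0.9\t52001\t10.0.0.1\t53\tudp\t0c31f8a7d2e9b6540f1a3c7e8d2b9a64.t.example.net\tTXT\tNOERROR\n"
    "1700000007.70\tCb3\t10.0.0.9\t52002\t10.0.0.1\t53\tudp\tb7d2e4f19c0a8e3651d7f2a9c4b0e8d3.t.example.net\tTXT\tNOERROR\n"
    "1700000008.80\tCb4\t10.0.0.9\t52003\t10.0.0.1\t53\tudp\t93f0a6c2d8e1b7450a2f9c3d6e8b1a70.t.example.net\tTXT\tNOERROR\n"
    "1700000009.90\tCb5\t10.0.0.9\t52004\t10.0.0.1\t53\tudp\te1c5a9d37f2b0846c9e3d1a7b5f4c20e.t.example.net\tTXT\tNOERROR\n"
    "1700000010.00\tCb6\t10.0.0.9\t52005\t10.0.0.1\t53\tudp\t7a4d0f2c9b8e1356a0d4c7e2f9b3a681.t.example.net\tTXT\tNOERROR\n"
)


def parse_zeek_log(text):
    """Read a tab-separated Zeek log using its own #fields header for column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # #separator, #types, #open/#close and blank lines
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError(f"row does not match #fields header: {line!r}")
            rows.append(dict(zip(fields, values)))
    return rows


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded payload labels sit near 4, words near 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(query: str) -> str:
    """Crude: last two labels. Production code uses the public suffix list."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:])


def dns_stats(rows):
    """Per registered domain: query count, unique names, mean length, mean entropy."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "len": 0, "ent": 0.0})
    for r in rows:
        q = r["query"]
        s = acc[registered_domain(q)]
        s["queries"] += 1
        s["names"].add(q)
        s["len"] += len(q)
        s["ent"] += shannon_entropy(q.split(".")[0])  # leftmost label carries the payload
    return {d: {"queries": s["queries"], "unique_subdomains": len(s["names"]),
                "mean_query_len": s["len"] / s["queries"],
                "mean_label_entropy": s["ent"] / s["queries"]}
            for d, s in acc.items()}


def detect_tunneling(stats, min_unique=5, min_mean_len=40):
    """Assumed thresholds: many distinct names plus long queries, per domain."""
    return sorted(d for d, s in stats.items()
                  if s["unique_subdomains"] >= min_unique and s["mean_query_len"] >= min_mean_len)


if __name__ == "__main__":
    stats = dns_stats(parse_zeek_log(SAMPLE_DNS_LOG))
    for domain, s in stats.items():
        print(domain, s)
    print("suspected tunneling:", detect_tunneling(stats))
```

The point of computing this from Zeek logs rather than PCAP is retention: a dns.log line is a few hundred bytes per query, so the same query can be asked about traffic from weeks ago, which the PCAP buffer will long since have overwritten. Tune the thresholds against a baseline of the environment's own CDN and anti-virus lookup domains, which also produce long, varied names.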
Why is NetFlow analysis preferred over full PCAP for large-scale network forensics?
Chain of Custody: Legal Admissibility
Chain of custody documents who had access to digital evidence, when, why, and what was done to it, from seizure onward. For evidence to carry weight in legal proceedings, it must be demonstrably unaltered from the moment of collection. A cryptographic hash (SHA-256) of each evidence file, recorded at collection and re-verified at every transfer, shows that the copy analyzed is bit-for-bit what was seized. The hash record itself must be protected (witnessed, signed or timestamped), because a hash only proves integrity relative to the recorded value. A gap in the custody record gives opposing counsel grounds to have the evidence excluded or its weight discounted.
O.J. Simpson trial, 1995: the DNA evidence was admitted and scientifically strong. The defense attacked how it was collected and handled: a blood sample carried around unrefrigerated for hours before booking, gloves not always worn, gaps in the access documentation. The jury was persuaded that contamination or tampering could not be ruled out. The science held up; the handling record did not, and that was enough for reasonable doubt. Digital evidence faces identical scrutiny.
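A custody record is only useful if it can itself be shown not to have been rewritten after the fact. The block below is an added example, not the original page's code and not any evidence-management product: it records the evidence hash at collection and chains every subsequent entry to the previous one with SHA-256, so editing or dropping an entry breaks verification. The evidence bytes, names and timestamps are constructed; the hash chain backs a witnessed, signed custody form rather than replacing it.

```python
"""Hash-chained chain-of-custody record for a piece of digital evidence.

Added example for this page, not the original's code and not any evidence
management product. The evidence is a constructed byte string standing in for a
disk image, and timestamps are passed in explicitly so the record is
reproducible. The chain makes the record tamper-evident; it does not replace a
witnessed, signed custody form, it backs one.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only list of custody entries, each committing to the one before it."""

    def __init__(self, evidence_id, evidence: bytes, collector, when):
        self.evidence_id = evidence_id
        self.evidence_sha256 = sha256_hex(evidence)  # recorded once, at seizure
        self.entries = []
        self._append({"action": "collected", "by": collector, "when": when,
                      "evidence_sha256": self.evidence_sha256})

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = dict(fields, seq=len(self.entries), evidence_id=self.evidence_id, prev_hash=prev)
        # Canonical JSON so the hash does not depend on key order.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def transfer(self, sender, receiver, when, reason):
        self._append({"action": "transfer", "from": sender, "to": receiver,
                      "when": when, "reason": reason})

    def access(self, who, when, purpose):
        self._append({"action": "access", "by": who, "when": when, "purpose": purpose})

    def verify_chain(self) -> bool:
        """Recompute every entry hash and check each prev_hash link and sequence number."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("seq") != i or body.get("prev_hash") != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def verify_evidence(self, evidence: bytes) -> bool:
        """Does this copy match the hash taken at collection?"""
        return sha256_hex(evidence) == self.evidence_sha256


def demo():
    """Constructed case: one seizure, one transfer to storage, one working-copy access."""
    image = b"\x00" * 4096 + b"NTFS    " + b"\x01\x02" * 500  # stand-in for a disk image
    log = CustodyLog("EV-2024-001", image, "Examiner A", "2024-01-05T09:12:00Z")
    log.transfer("Examiner A", "Evidence locker", "2024-01-05T10:00:00Z", "storage")
    log.access("Examiner B", "2024-01-06T08:30:00Z", "create working copy")
    return log, image


def tamper_detected(log: CustodyLog) -> bool:
    """Rewrite one historical entry in place, check that verification notices, restore it."""
    original = log.entries[1]["to"]
    log.entries[1]["to"] = "Unknown"
    broken = not log.verify_chain()
    log.entries[1]["to"] = original
    return broken


if __name__ == "__main__":
    log, image = demo()
    print("chain valid:", log.verify_chain())
    print("evidence matches collection hash:", log.verify_evidence(image))
    print("modified copy detected:", not log.verify_evidence(image[:-1] + b"\x03"))
    print("edited custody entry detected:", tamper_detected(log))
```

What the chain does not cover is the gap the O.J. case turned on: an undocumented interval in which nobody can say where the evidence was. The record can only prove that the entries it holds were not altered later, which is why the final entry hash is usually countersigned or submitted to an external timestamping service at each handover.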
Why are cryptographic hashes of evidence files recorded at the time of collection?
Summary
- **Disk forensics**: bit-for-bit image through a write blocker before any analysis. SHA-256 hash at collection proves integrity of every later copy. Autopsy and The Sleuth Kit (TSK) analyze the file system, timestamps, and deleted files.
- **Memory forensics**: RAM must be captured while the system is still running, before power-off and before containment steps that clear it. Volatility 3 analyzes processes, network connections, injected code, and cleartext credentials or card data that never touch disk.
- **Network forensics**: full PCAP for detailed reconstruction; NetFlow/IPFIX for long-term retention at a small fraction of the storage; Zeek generates structured per-protocol logs. Long, high-entropy, never-repeating subdomains in DNS logs indicate tunneling.
- **Chain of custody**: hash at collection, document every transfer and access, protect the record itself. A gap invites exclusion or a challenge to the evidence's weight. The O.J. Simpson case shows that technically valid evidence can fail to persuade a jury when the handling record does not hold up.
Related Topics
Digital forensics is the investigation phase that follows incident detection and containment:
- Incident Response — Forensic evidence collection (memory image, disk image, PCAP) occurs during the containment phase of incident response; volatile evidence is captured before containment actions such as powering off or reimaging destroy it.
- Malware Analysis — Disk and memory forensics extract malware artifacts that are then analyzed using static and dynamic analysis techniques.
- SIEM and Security Monitoring — SIEM logs are primary forensic artifacts. Splunk and Elastic queries reconstruct the attacker timeline from event logs.
Questions for Reflection
- A ransomware victim powers off all affected servers immediately. What forensic evidence is lost and what can still be recovered?
- BlackPOS read card data from POS process memory rather than from any file on disk. What SIEM or EDR rule could have detected it without disk forensics?
- An incident involves a compromised cloud instance (AWS EC2). How does cloud forensics differ from traditional disk/memory forensics, given that physical access to hardware is impossible?