Essential Data Acquisition and Digital Forensics for Incident Responders
Background: In a previous article, we discussed the method for creating a USB flash drive to acquire forensic images. In this article, I'll explain how to leverage the previously created tool during the incident response log collection stage.
The first step is to connect the external drive to the machine from which the image will be acquired. Keep in mind that at this stage you should use a write blocker, so that the integrity of the evidence (and therefore of the image) is not affected. In the second step, connect your USB drive containing OSFClone and the other necessary tools, then choose to acquire the image using the dd command.

In the next step, disconnect the USB flash drive, move it to your lab environment, and generate a hash of the acquired images to preserve their integrity.

Now, in your digital forensic lab, install the open-source tool Autopsy. Create a new case, select the previously acquired image as the source, and wait for the software to complete its analysis. Keep in mind that Autopsy offers many automated features to assist in analyzing the image components. However, it's always recommended to manually review all artifacts to ensure thoroughness and accuracy.

After the information has been analyzed, you can proceed with organizing threat hunting activities. Keep in mind that all forensic artifacts should be exported, and their hash values should be calculated and documented.
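The hashing-and-documentation steps above (after acquisition, and again after exporting artifacts) can be scripted so that every image and artifact gets a recorded hash and can be re-verified before analysis. The following is an added example, not code from the original article: it assumes a simple JSON manifest layout (case id, hashing time, SHA-256 and size per file) and uses a constructed zero-filled stand-in file in place of a real dd image.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads: a dd image is far larger than RAM, so stream it

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):  # chunked, never whole-file
            digest.update(block)
    return digest.hexdigest()

def write_manifest(evidence_dir, manifest_path, case_id):
    """Record SHA-256, size and hashing time for every image/artifact in evidence_dir."""
    files = {}
    for path in sorted(Path(evidence_dir).iterdir()):
        if path.is_file():
            files[path.name] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    manifest = {"case_id": case_id, "hashed_at": datetime.now(timezone.utc).isoformat(), "files": files}
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(evidence_dir, manifest_path):
    """Return names whose current hash differs from the manifest, or which are missing."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    for name, rec in manifest["files"].items():
        path = Path(evidence_dir) / name
        if not path.is_file() or sha256_file(path) != rec["sha256"]:
            problems.append(name)
    return problems

def demo():
    """Constructed sample: a zero-filled stand-in for a dd image (not a real acquisition)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        evidence.mkdir()
        image = evidence / "disk.dd"
        image.write_bytes(b"\x00" * (3 * CHUNK + 17))  # spans several chunks, odd tail
        manifest = Path(tmp) / "manifest.json"  # kept outside the evidence directory
        write_manifest(evidence, manifest, "CASE-0001")  # assumed case id, placeholder
        clean = verify_manifest(evidence, manifest)  # [] : image intact
        with image.open("r+b") as fh:  # flip one byte mid-image to simulate alteration
            fh.seek(CHUNK + 5)
            fh.write(b"\x01")
        tampered = verify_manifest(evidence, manifest)  # ['disk.dd']
        return clean, tampered
```

Run `write_manifest` once in the lab right after acquisition and again over the exported artifact folder, and keep the manifest with the case notes; `verify_manifest` then flags any file whose hash no longer matches.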

Conclusion: The ability to capture an image of an infected host or a system involved in an incident is critical, as every piece of evidence can be key to a successful investigation. To effectively handle such situations, you should have at least a foundational understanding of malware analysis, operating systems, and the types of traces left behind when activities occur within the OS.
