Forensic Investigation Process and Legal Foundations
A forensic investigation follows a structured process: identification (what systems are involved, what evidence might exist), preservation (acquire evidence without altering it), collection (document chain of custody, create forensic images), examination (extract relevant artefacts), analysis (interpret findings, reconstruct the timeline), and reporting (document findings in a court-admissible format). Chain of custody: every person who handles evidence must be logged. Evidence must be stored in tamper-evident containers. Admissibility requires that evidence was collected legally (search warrant or valid consent), not altered after collection (hash verification), and the collection method was accepted practice. Legal frameworks: Computer Fraud and Abuse Act (CFAA) in the US, Computer Misuse Act in the UK. Electronic evidence: must meet the same admissibility standards as physical evidence — authenticity, integrity, and relevance.
Disk and File System Forensics
Forensic imaging: create a bit-for-bit copy of the target media using tools like dd, FTK Imager, or Guymager. Always hash both the source and the copy (MD5 and SHA-256) to verify integrity. Write blockers (hardware or software) prevent accidental writes to the source. File system artefacts: NTFS — the Master File Table (MFT) records metadata for every file and folder; $LogFile records the filesystem journal; $UsnJrnl tracks file changes; $Recycle.Bin contains deleted files (INFO2 or $I/$R files). FAT/exFAT: directory entries, deleted file recovery from unallocated clusters. File carving: recovering files from unallocated space using file headers/footers (magic bytes) without relying on filesystem metadata. Tools: Scalpel, Foremost, PhotoRec. Slack space: the gap between the end of file content and the end of the last cluster — can contain remnants of previously deleted data.
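The header/footer carving and hash-verification steps above, as an added illustration (not code from the page or from any of the tools named): the signature table, the "unallocated space" blob and the JPEG/PNG-like payloads are constructed for this example, and MAX_CARVE is an assumed bound on how far past a header a carver should look for its footer.

```python
import hashlib

# File signatures (magic bytes) of the kind carvers such as Scalpel/Foremost use.
# Constructed table for this example; real carvers ship far larger ones.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # assumed limit: give up on a header with no footer within 10 MiB


def hash_image(data: bytes) -> dict:
    """MD5 and SHA-256 of an acquired image, recorded before and after analysis."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def carve(data: bytes) -> list:
    """Return (type, start_offset, carved_bytes) for every header/footer pair found,
    using only the magic bytes, never filesystem metadata."""
    results = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            end = data.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:            # header without footer (truncated file): skip it
                pos = start + 1
                continue
            end += len(footer)
            results.append((ftype, start, data[start:end]))
            pos = end                # resume scanning after the carved object
    return sorted(results, key=lambda r: r[1])


# Constructed "unallocated space": filler, a JPEG-like blob, filler, a PNG-like blob.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunks" + b"IEND\xae\x42\x60\x82"
UNALLOCATED = b"\x00" * 64 + FAKE_JPG + b"\xff" * 32 + FAKE_PNG + b"\x00" * 16

if __name__ == "__main__":
    before = hash_image(UNALLOCATED)
    for ftype, off, blob in carve(UNALLOCATED):
        print(f"{ftype} at offset {off}, {len(blob)} bytes, "
              f"sha256 {hashlib.sha256(blob).hexdigest()[:16]}...")
    # Read-only examination must leave the image hashes unchanged.
    assert hash_image(UNALLOCATED) == before
```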
Memory, Network, and Log Forensics
Memory forensics: acquire RAM using WinPmem, LiME (Linux), or via VM snapshot. Analyse with Volatility 3: imageinfo/windows.info (OS identification), pslist/pstree (process list), netscan (network connections), dumpfiles (extract process memory), malfind (find injected code). Look for anomalous parent-child process relationships (svchost not spawned by services.exe is suspicious). Network forensics: PCAP analysis with Wireshark. Key artefacts: DNS queries (C2 domain names), HTTP/S requests (data exfiltration, malware download), SMTP (phishing emails), unusual protocol usage. Flow data (NetFlow/IPFIX) provides connection metadata without payload when full capture is unavailable. Log forensics: Windows Event Log (EVTX) — Event ID 4624 (successful logon), 4625 (failed logon), 4688 (process creation), 4698 (scheduled task created), 7045 (service installed). Linux: /var/log/auth.log for authentication, /var/log/syslog for system events, bash history, cron logs.
Malware Analysis and Reporting
Static analysis: examine malware without executing it. Tools: strings (extract printable strings), PEiD/Detect-It-Easy (packer detection), PE Studio (PE header analysis), VirusTotal (multi-AV scan), Capa (identify capabilities from the binary). Look for suspicious imports (VirtualAlloc, WriteProcessMemory and CreateRemoteThread together indicate process injection). Dynamic analysis: execute the malware in a sandbox (Cuckoo Sandbox, Any.run, VMRay) and observe its behaviour — files created/modified, registry changes, network connections, child processes. API monitoring with tools like API Monitor or Process Monitor reveals the sequence of system calls. Forensic report structure: executive summary (for non-technical stakeholders), methodology (tools and procedures used), findings (artefacts discovered, with timestamps), conclusions (what happened, based on the evidence), appendices (raw data, hash values, chain of custody documentation). Write in clear, factual language — avoid speculation; distinguish between evidence and inference.