A collection of papers and how-to guides to assist with computer forensics on Windows, Linux, Unix, MacOS / OSX, iOS and Android operating systems. These papers may include free open-source tools, custom written applications by Network Defense Solutions, Inc. as well as professional tools such as FTK, EnCase as well as Autopsy / Sleuth Kit.

ATTENTION: Please note that if you are practicing some of this information in a professional capacity that some states require that the analyst does in fact obtain a P.I. license. We are only offering these tools, guides and utilities as a means to teach and provide a better understanding of computer forensics and, how forensics is conducted. Some of the tools within this section will also require a payment / purchase / license in order to utilize them. Additionally you will require hardware write-blockers and other utilities to keep the information you are analyzing safe from contamination if in the event they are brought fourth to a court of competent jurisdiction.


This article serves as a general guideline, rule-set and other details regarding the grounds of computer forensics. We will aim to answer many of the questions in the field, as well as to point out what may be needed. We will provide forms, and labels that you can utilize during your own investigations, some legal issues jurisdiction effects, content to be viewed, and a brief over-view of the Wire Tap Act. If you plan to follow any of these guides please do so for educational purposes and not in a real environment if you cannot procure the hardware or software to perform a digital forensics. Within this documentation I will also aim to provide case studies through mockup hacks and attacks on a privately owned network and virtual system to provide details as to how evidence collection works, what to look for and how to assess the situation upon arrival.

Linux Forensics & Incident Response Introduction

The main purpose of this document will be to combine both incident response and Linux forensics into one single article. Please keep in mind that the information presented in this segment will require intractions with the suspect machine. While we would prefer that analysts utilize the script here: https://networkdefensesolutions.com/index.php/products/58-desktop-services-linux/289-linuxir if you feel any other tools would work best for you. Please use those.

Loading Images and File Recovery with Autopsy (Part 2)

Extracting files, and or recovery of critical forensic information is key within the process of computer forensics. Out in the wild there are a plethora of tools that a forensic examiner may choose to utilize in order to do so. Although this does not directly relate to recovery of files from a forensic stand point, it can also be utilized for users who have lost data and want to try their hand at recovery of information. The focus of this document will be around Autopsy and how to use the free tool in order to recover said files.

Obtain Disk Image With Linux

Although stated in a previous writeup concerning computer forensics, it can be quite an expensive endeavor. Some of the things that you may come across whereby an expense is needed you may be able to get away with utilizing, Linux. When we discussed the need for write-blockers, it was said that you needed to purchase an expensive write-blocker that would allow you to make a disk image with ease of mind. However, you don't really need to do this. This article will explain how you can utilize Linux in order to pull a disk image and then feed it into ProDiscover and of course, bypass the need for a write blocker. This document will also detail how you can recover files that were deleted for a forensic investigation.

Recovering Files in Autopsy

Recovering files with Forensic tools can be a great help when putting together a case, or even when you need to recover files that have been accidentally deleted. This paper will discuss how to utilize autopsy in order to recover, and pillage for files that have been deleted.

Cracking Passwords in Forensics

This document highlights some of the issues that forensic examiners face when dealing with encrypted files. Ideally, it will also point out how a forensic examiner may procure access to items that are encrypted with the use of a small browser trick which may be commonly overlooked by attackers. Although it's directed at the common person when engaging, it can also be applied to those who are not well versed with forensic obfuscation techniques. This focus herein will be centric around zip, browsers and other types of access.

Windows Live Analysis

Sometimes in computer forensics you will come across an issue where you may need to interact with the RAM within a computer. This example does not take the efforts into discussing an attack and the steps that you need to set up, but rather, it discusses tracking an event in memory. This is normally seen when a service, or application has been attacked. Once an exploit has been executed against the system, and if the attack is happening when the investigator is present – a forensic examiner may take the following steps as a sort of outline to assist.

Encase Forensic Data Recovery

This document will detail how you can recover lost or, deleted files during an incident or, if in the event you are facing a forensics. Topics discussed will be: 1) Analyzing the file system for files that were deleted, 2) Determining the date/time of a deleted file and lastly 3) The recovery of said files and or artifacts. Please note, dates and times within this article are discussed if in the event a legal proceeding is taking place and a cease notice has been delivered. This is to prove or disprove that a suspect system has been modified AFTER a cease notice was sent. You can also utilize this article if you are in need of recovering files that have been lost or damaged.

ProDiscover Forensic Data Recovery

This article covers information regarding ProDiscover Forensic tools to retrieve files from a computer whose data has been destroyed. The main purpose of this document is for forensic file recovery with ProDiscover. Although this is an older version it may in fact be the same in the newer versions -- if however, it is not we will attempt to get a newer version of ProDiscover in order to demonstrate the use of the software in another article.

Bagging & Tagging Evidence

If you are interested in getting into Digital Forensics, our Chain of Custody process is where you should start. Here you will discover the critical role of preserving evidence integrity and ensuring legal compliance. Learn essential procedures for handling, documenting, and securing digital evidence. Uncover the key benefits and practical considerations for implementing a robust chain of custody protocol. Whether you're a seasoned investigator or new to the field, this document offers valuable insights to enhance your understanding and proficiency in digital forensics. We also talk about some acquisition tools which we will also utrilize within this segment.

Login Form