Dead Box Forensics

AdvancedSecurity
AutopsyddThe Sleuth Kitsha256sum

Objective

Hands-on practice with dead box forensics techniques.

Tools & Technologies

  • Autopsy
  • dd
  • The Sleuth Kit
  • sha256sum

Key Commands

dd if=/dev/sda of=image.dd bs=4M conv=noerror,sync
sha256sum image.dd
autopsy
fls -r image.dd

Lab Steps

01
Disk Imaging

Create a forensic disk image with dd and verify hash integrity.

02
Filesystem Analysis

Mount image read-only and examine filesystem metadata.

03
File Recovery

Use Autopsy and TSK to recover deleted files.

04
Timeline Creation

Build a filesystem activity timeline with mactime.

Challenges Encountered

  • Mounting image read-write modifies access times and destroys evidence
  • Write blockers should be used on original media

Key Takeaways

  • Always image before analyzing — never work on original media
  • MD5/SHA256 hashes prove image integrity in legal proceedings