Chapter 12. Digital Forensics

Computer crimes have become more prevalent over time, in part because it is far more cost-effective to attack and steal digitally than in real life. This means there is a great need for professionals to search for evidence on computer systems to identify when and how attacks have happened. While the word forensics technically relates to the law and evidence in court cases, the term digital forensics describes activities related to looking for evidence of attacker activities on computer systems.

As you might expect with a security-oriented distribution like Kali Linux, extensive digital forensics tools are available. These range from tools for acquiring disk images, to tools for analyzing the images that have been acquired, to memory capture and the detection of hidden information in files and on disks. While memory forensics tools are also available online, the ones that were once available in the Kali repository have been removed, so you must install them outside the normal package installation process.

In addition to tools, Kali can be booted into Forensic mode. One important aspect of collecting information to be used as part of an investigation, whether or not it has a legal purpose, is to ensure that the information gathered hasn’t been tampered with. Whenever you are booted into an operating system, running any process will make changes to the disk. Memory, too, is changing all the time. The act of observing can have an impact on what is ...
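The paragraph above explains why evidence must be shown to be unchanged; the usual way to demonstrate that is to hash an acquired image at collection time and re-verify the hash before and after every analysis step. The following POSIX shell example is added here and is not from the book or from Kali's own tooling; it assumes GNU coreutils (`sha256sum`, `mktemp`) and uses a constructed stand-in file in place of a real disk image.

```shell
#!/bin/sh
# Added example (not from the book): record a SHA-256 manifest for an
# acquired image and verify it later, so any change to the evidence is detected.
# Assumes GNU coreutils: sha256sum and mktemp.

# Build a constructed stand-in for an acquired disk image and print its path.
# In a real acquisition this would be the image produced by your imaging tool.
make_sample_image() {
    dir=$(mktemp -d)
    img="$dir/evidence.img"
    printf 'constructed sample image contents\n' > "$img"
    echo "$img"
}

# Record the hash manifest beside the image. In practice keep a second copy of
# the manifest on separate, write-protected media and in the case notes.
record_manifest() {
    img="$1"
    sha256sum "$img" > "$img.sha256"
}

# Return 0 if the image still matches its manifest, non-zero otherwise.
# Run this before and after each analysis step to show the image was not altered.
verify_manifest() {
    img="$1"
    sha256sum -c "$img.sha256" > /dev/null 2>&1
}

# Stand-alone demonstration: hash, verify, tamper, verify again.
if [ "${0##*/}" = "evidence_hash.sh" ]; then
    img=$(make_sample_image)
    record_manifest "$img"
    verify_manifest "$img" && echo "image matches manifest"
    printf 'x' >> "$img"          # simulate an unintended write to the evidence
    verify_manifest "$img" || echo "image changed: integrity check failed"
fi
```

Because the manifest stores the absolute path written by `sha256sum`, `verify_manifest` works from any working directory; any single-byte change to the image makes the check fail, which is exactly the property an investigator needs to demonstrate.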

Get Learning Kali Linux, 2nd Edition now with the O’Reilly learning platform.
