Incident Response Glossary

Digital Forensics

Forensic analysis of digital systems following a security incident—secures evidence for legal proceedings, reconstructs attack paths and the perpetrator’s activities, and provides the basis for criminal prosecution and technical damage analysis.

Digital Forensics (also known as Computer Forensics, Digital Forensics & Incident Response, DFIR) is the systematic examination of digital evidence following security incidents or criminal offenses. It combines information technology methods with legal requirements for the preservation of evidence.

Forensic Disciplines

Computer Forensics: Analysis of hard drives, SSDs, USB drives, and other storage media. Goal: Recover deleted files, reconstruct timestamps, and trace user activities.

Memory Forensics: Analysis of volatile memory (RAM dump). Critical for: running processes, network connections, encryption keys (in plain text in RAM), malware without hard drive traces (fileless malware).

Network Forensics: Analysis of network captures (PCAP), firewall logs, and NetFlow data. Reconstructs communication between attackers and compromised systems.

Malware Forensics/Reverse Engineering: Analysis of malicious code to answer questions such as: What functions does the malware have? Which command-and-control servers does it contact? What data does it exfiltrate? Performed as static analysis (without execution) and dynamic analysis (in a sandbox).

Mobile Forensics: Extraction of data from smartphones (iOS, Android): Messages, call logs, app data, location data, photos.

Cloud Forensics: Special challenges arise from data held in cloud environments (AWS, Azure, GCP): provider-controlled log sources, access logs (CloudTrail, Azure Activity Log), and short-lived instances that leave no disk to image.

The Forensic Process

1. Identification: What happened? Which systems are affected? What evidence exists and where?

2. Preservation: Most important principle: preservation of evidence without alteration.

  • Write blockers prevent unintended write access to storage media
  • Forensic copies (bit-for-bit) via dd, FTK Imager, or EnCase
  • Hash values (SHA-256) ensure the integrity of the copy
  • RAM dump before shutting down the system (volatile data!)

# RAM dump (Linux). On current kernels /dev/mem is restricted (STRICT_DEVMEM)
# and does not expose all physical memory; prefer LiME or AVML for a full dump.
dd if=/dev/mem of=/forensics/memory.img bs=4096

# Hard drive image (E01) with hash verification. ewfacquire compression levels
# are none|empty-block|fast|best (not lzma); -d sha256 adds a SHA-256 digest,
# -u runs unattended. The source device is the last argument.
ewfacquire -u -t /forensics/case01 -c best -d sha256 -C "CaseID" -E "Evidence01" /dev/sda
ewfverify /forensics/case01.E01                 # recompute and compare the stored hashes
sha256sum /forensics/case01.E01 > /forensics/case01.sha256   # hash of the container file
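The preservation step (forensic copy plus hash verification) in script form, as an added example that is not part of the original glossary entry: it copies a source block by block, hashes the source stream and the written image with SHA-256, appends a chain-of-custody entry, and shows that a single altered byte makes verification fail. The "device" is a constructed temporary file, and the custody-log field names are assumptions.

```python
"""Forensic image acquisition with SHA-256 integrity verification.

Added example (not from the original glossary entry). The source "device" is a
constructed temporary file, not real evidence; custody-log field names are assumed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # same block size as the dd command above


def sha256_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path: str, image_path: str, block_size: int = BLOCK_SIZE) -> dict:
    """Bit-for-bit copy of source_path to image_path; returns hashes of both."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            src_hash.update(chunk)      # hash the bytes as they are read from the source
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())          # make sure the image is on disk before re-hashing it
    return {
        "source": source_path,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image_path, block_size),
    }


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash the image (before analysis, or when it is presented in court) and compare."""
    return sha256_file(image_path) == expected_sha256


def append_custody_record(log_path: str, record: dict, examiner: str, action: str) -> dict:
    """Append one chain-of-custody entry as a JSON line (assumed field names)."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        **record,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Acquire a constructed device, verify, then tamper with one byte and verify again."""
    workdir = tempfile.mkdtemp(prefix="forensics_")
    device = os.path.join(workdir, "sdb")            # constructed stand-in for /dev/sdb
    image = os.path.join(workdir, "evidence01.img")
    custody_log = os.path.join(workdir, "custody.jsonl")
    with open(device, "wb") as f:
        f.write(os.urandom(3 * BLOCK_SIZE + 123))    # deliberately not a multiple of BLOCK_SIZE

    record = acquire_image(device, image)
    append_custody_record(custody_log, record, examiner="analyst01", action="acquire")
    verified_before = verify_image(image, record["source_sha256"])

    # Simulate an altered copy: flip one byte in the middle of the image.
    with open(image, "r+b") as f:
        f.seek(BLOCK_SIZE + 7)
        original = f.read(1)
        f.seek(BLOCK_SIZE + 7)
        f.write(bytes([original[0] ^ 0xFF]))
    verified_after = verify_image(image, record["source_sha256"])

    return {
        "hashes_match": record["source_sha256"] == record["image_sha256"],
        "size_ok": record["bytes"] == 3 * BLOCK_SIZE + 123,
        "verified_before_tamper": verified_before,
        "verified_after_tamper": verified_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the source stream and the written image separately is the point: it catches a copy that silently dropped or altered bytes in transit, which a hash of the image alone would never reveal.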

3. Analysis

  • Timestamp analysis (MACB times: Modified, Accessed, Changed, Born)
  • File recovery from unallocated disk space (file carving)
  • Log analysis (Windows Event Log, Syslog, Auth.log)
  • Artifact analysis (Registry, Prefetch, LNK files, browser history)
  • Indicator extraction (IOCs: IPs, hashes, domain names)
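A worked example for the timestamp analysis step, added here and not taken from the original entry: it builds a MACB timeline in the mactime flag convention from constructed file metadata and applies common timestomping indicators, the anti-forensics technique mentioned under Challenges. Real input would come from fls/mactime (Sleuth Kit) or an $MFT parser; the sample paths, timestamps and field names are constructed.

```python
"""MACB timeline and timestomping indicators (added example; constructed data).

Real input would come from fls/mactime (Sleuth Kit) or an $MFT parser; here the
metadata is constructed inline. Timestamps are UTC ISO 8601 strings.
"""
from datetime import datetime, timezone

MACB_ORDER = "MACB"  # Modified, Accessed, Changed (metadata), Born (created)

# Constructed sample: three files with their four MACB timestamps.
SAMPLE_FILES = [
    {"path": "C:/Users/alice/report.docx",                 # ordinary document
     "M": "2024-03-01T09:15:22.301", "A": "2024-03-02T08:00:05.117",
     "C": "2024-03-01T09:15:22.301", "B": "2024-02-20T14:02:11.880"},
    {"path": "C:/Windows/Temp/svc.exe",                    # M/A/B backdated to whole seconds
     "M": "2019-06-11T00:00:00.000", "A": "2019-06-11T00:00:00.000",
     "C": "2024-03-02T03:41:09.554", "B": "2019-06-11T00:00:00.000"},
    {"path": "C:/ProgramData/update.ps1",                  # modified before it was created
     "M": "2024-02-28T22:10:00.442", "A": "2024-03-02T03:42:00.010",
     "C": "2024-03-02T03:41:30.200", "B": "2024-03-02T03:41:30.200"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def build_timeline(files):
    """One event per (time, file) with a flag string such as 'M.C.' (mactime convention)."""
    events = {}
    for entry in files:
        for letter in MACB_ORDER:
            events.setdefault((parse_ts(entry[letter]), entry["path"]), set()).add(letter)
    timeline = []
    for (ts, path), letters in sorted(events.items()):
        flags = "".join(l if l in letters else "." for l in MACB_ORDER)
        timeline.append((ts.isoformat(), flags, path))
    return timeline


def timestomp_indicators(entry):
    """Heuristic findings for one file; an empty list means nothing stood out."""
    ts = {k: parse_ts(entry[k]) for k in MACB_ORDER}
    findings = []
    if ts["M"] < ts["B"]:
        findings.append("modified before created")
    if ts["B"] > ts["C"]:
        findings.append("created after last metadata change")
    # User-mode timestomping tools often write whole seconds into the
    # user-settable timestamps, while the metadata change time keeps its
    # sub-second precision.
    if all(ts[k].microsecond == 0 for k in "MAB") and ts["C"].microsecond != 0:
        findings.append("zeroed sub-seconds on M/A/B but not on C")
    return findings


def find_timestomped(files):
    """Map path -> findings for every file with at least one indicator."""
    return {e["path"]: f for e in files if (f := timestomp_indicators(e))}


if __name__ == "__main__":
    for line in build_timeline(SAMPLE_FILES):
        print(*line)
    for path, findings in find_timestomped(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(findings)}")
```

The indicators are heuristics, not proof: a file restored from backup or copied with timestamp preservation can trip them legitimately, so each hit is a lead to corroborate against other artifacts (Prefetch, $LogFile, USN journal) rather than a finding on its own.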

4. Documentation: Complete log of all forensic steps (chain of custody) for admissibility in court.

5. Reporting: Technical report (for IT) and plain-language report (for management, authorities).

Typical Forensic Tools

Disk Forensics:
  Autopsy (Open Source), FTK, EnCase, Sleuth Kit, X-Ways

Memory Forensics:
  Volatility Framework (Open Source), Rekall

Malware Analysis:
  Ghidra (NSA, Open Source), IDA Pro, Cuckoo Sandbox, Any.run

Network:
  Wireshark, NetworkMiner, Zeek (Bro), Arkime

Log Analysis:
  Splunk, Elastic Stack (ELK), KAPE (Artifact Collection)

Mobile:
  Cellebrite UFED, Oxygen Forensics, Magnet AXIOM

Challenges of Modern Forensics

Encryption: Fully encrypted devices (BitLocker, FileVault) cannot be analyzed without a key. RAM forensics can provide keys.

Anti-forensics: Attackers (APTs) use techniques to cover their tracks: log manipulation, timestamp alteration (timestomping), file deletion via overwriting, living-off-the-land (no custom malware → fewer traces).

Fileless Malware: Malware exists only in RAM, no files on the hard drive → only RAM forensics can detect it.

Cloud and SaaS: Logs depend on the provider. Retention periods are often short (30–90 days). Forensic analysts need access to cloud logging services.

Vast Amounts of Data: Modern systems generate terabytes of logs. AI-powered forensic platforms (e.g., Elastic SIEM, Microsoft Sentinel) are becoming indispensable.

Forensics and Incident Response

Digital forensics and Incident Response (IR) are closely linked:

  • During an ongoing incident, IR takes priority (damage mitigation)
  • Forensics answers these questions afterward: How did the attackers gain access? When? What data was exfiltrated?

The SANS model distinguishes between:

  • Hot Forensics (Live Response): System is running – secure volatile data, assess scope
  • Cold Forensics (Post-Mortem): System offline – deep hard drive analysis

Criminal Prosecution: Forensic evidence must withstand judicial scrutiny. A missing chain of custody or altered evidence can render it inadmissible.

GDPR and Data Protection: Forensic investigations involve personal data (emails, browser histories). Data protection requirements must also be adhered to in a forensic context.

NIS2 Reporting Obligation: The forensic analysis provides the basis for the NIS2 final report (1 month after the incident). Without forensics, a complete analysis of the root cause is not possible.

BSI Recommendation: The BSI recommends involving forensic experts in significant security incidents. The IT-Grundschutz includes requirements for forensic readiness in DER.2.2 ("Provisions for IT Forensic Investigation").