We kicked off the day with an assessment, and as a cohort, we achieved an impressive 91% accuracy rate! I personally missed one question regarding the type of malware that is self-replicating. I answered “worm,” but upon closer reading, the question mentioned that it attaches itself to host files, which is characteristic of a virus. A reminder of the importance of thoroughly reading each question.
Our main focus today was digital forensics. We explored the methodology outlined by NIST, which includes four primary phases:
- Collection – Identifying, labelling, recording, and acquiring data relevant to the investigation.
- Examination – Processing and assessing the collected data to extract relevant information.
- Analysis – Interpreting the examined data to draw conclusions.
- Reporting – Documenting the findings in a comprehensive manner.
We also discussed the importance of maintaining a clear chain of custody to ensure the integrity of evidence. Tools like write blockers are essential in this process, preventing any modifications to the original data during analysis. My prior studies for the CompTIA A+ certification provided a helpful foundation here.
In our lab session on cold system forensics, we learned about the “order of volatility,” which prioritizes data collection based on how quickly data can change or be lost. For instance, CPU registers and RAM are highly volatile and should be collected first, whereas hard drive data is less volatile.
We also practiced using the dc3dd command, a forensic tool that creates exact, bit-by-bit copies of storage devices. This ensures data integrity during analysis.
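What an imaging tool like dc3dd does behind the single command, as an added Python example (not dc3dd's code): copy the source block by block, zero-fill any block that cannot be read so the image stays aligned, hash the input stream while copying, hash the finished image independently afterwards (dc3dd's `hash=`/`hof=`/`log=` options do the equivalent), and append a custody record. The paths, block size and examiner name are assumptions supplied by the caller.

```python
import hashlib
import json
import os
import time

BLOCK = 4096  # read granularity; an unreadable block is zero-filled, as dd conv=noerror,sync does


def acquire(src_path, img_path, log_path, examiner):
    """Bit-for-bit copy of src_path into img_path with input/output hashing and a log record."""
    in_hash = hashlib.sha256()
    bad_blocks = []
    with open(src_path, "rb", buffering=0) as src, open(img_path, "wb") as img:
        size = src.seek(0, os.SEEK_END)  # works for regular files and block devices alike
        offset = 0
        while offset < size:
            want = min(BLOCK, size - offset)
            src.seek(offset)
            try:
                chunk = src.read(want)
            except OSError:  # bad sector: keep the image aligned and record the gap
                chunk = b"\x00" * want
                bad_blocks.append(offset)
            in_hash.update(chunk)
            img.write(chunk)
            offset += want
    # Hash the written image separately, so a write error or later tampering
    # cannot hide behind the hash taken from the input stream.
    out_hash = hashlib.sha256()
    with open(img_path, "rb") as img:
        for chunk in iter(lambda: img.read(1 << 20), b""):
            out_hash.update(chunk)
    record = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": src_path,
        "image": img_path,
        "bytes": size,
        "sha256_input": in_hash.hexdigest(),
        "sha256_image": out_hash.hexdigest(),
        "bad_blocks": bad_blocks,
        "verified": in_hash.hexdigest() == out_hash.hexdigest(),
    }
    with open(log_path, "a") as log:  # append-only custody log, one JSON line per acquisition
        log.write(json.dumps(record) + "\n")
    return record
```

A mismatch between the two hashes, or a non-empty `bad_blocks` list, is exactly what the examiner must note in the chain-of-custody paperwork before analysis starts.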
Today was packed with hands-on labs, but I really like the material, so it was an enjoyable experience. While tools like Splunk have their complexities, diving into digital forensics has been both challenging and rewarding.
