Digital forensics is the science of recovering and preserving digital evidence — from compromised servers, infected endpoints, and seized devices. Whether you’re investigating an incident, preparing for litigation, or studying for a forensics certification, these are the tools, techniques, and commands that real digital forensics professionals use. This guide focuses entirely on free and open-source tools.
The Forensics Process
Professional digital forensics follows a strict chain of custody: Identification → Preservation → Collection → Examination → Analysis → Reporting. Every step must be documented. Any deviation can render evidence inadmissible in court.
1. Disk Imaging with dd and dc3dd
The first rule of forensics: never work on the original evidence. Create a forensic image first — a bit-for-bit copy that includes deleted files, file slack, and unallocated space.
# Create forensic image with dd
sudo dd if=/dev/sdb of=/mnt/external/evidence.img bs=512 status=progress conv=sync,noerror
# dc3dd: Better than dd for forensics (built-in hashing, progress, logging)
sudo apt install dc3dd
sudo dc3dd if=/dev/sdb of=/mnt/external/evidence.img hash=sha256 log=/mnt/external/dc3dd.log
# Verify image integrity (hashes must match original)
sha256sum /dev/sdb # Original disk hash
sha256sum evidence.img # Image hash
# If hashes match: forensic integrity confirmed
# Create split image for large drives (4 GB pieces numbered evidence.img.000, .001, ...; ofs= names the set, ofsz= sets the piece size)
sudo dc3dd if=/dev/sdb ofs=/mnt/external/evidence.img.000 ofsz=4G hash=sha256 log=/mnt/external/dc3dd.log
# Mount forensic image read-only through a loop device (for a partition inside a whole-disk image, add offset=<bytes>)
sudo mkdir /mnt/evidence
sudo mount -o ro,noatime,noexec,loop evidence.img /mnt/evidence
# ro = read-only (never mount read-write)
# noatime = don't update access timestamps
# noexec = cannot execute programs from the image
# For ext3/ext4 images also add noload, otherwise the kernel replays the journal onto the evidence even on a ro mount
2. File Carving: Recovering Deleted Files
# Foremost: Carve files by file signature (magic bytes)
sudo apt install foremost
sudo foremost -i evidence.img -o /mnt/recovered/ -t all
# Carve specific file types
foremost -i evidence.img -o /output/ -t jpg,pdf,docx,zip,exe
# Scalpel: More configurable carving tool (first uncomment the wanted file types in /etc/scalpel/scalpel.conf; every entry ships disabled)
sudo apt install scalpel
sudo scalpel -c /etc/scalpel/scalpel.conf evidence.img -o /mnt/scalpel_output/
# PhotoRec: Best for media recovery (works on FAT/NTFS/ext)
sudo apt install testdisk # PhotoRec is included
sudo photorec evidence.img
# Recover specific deleted files from an ext3/ext4 partition (point it at the partition, not the whole disk, and unmount it first; extundelete refuses a mounted filesystem)
sudo extundelete /dev/sdb1 --restore-all
# Or restore a specific file (the path is relative to the filesystem root)
sudo extundelete /dev/sdb1 --restore-file home/user/important.txt
3. Memory Forensics with Volatility 3
# Acquire RAM from a live Windows system
# Option 1: WinPmem (free, open source); the output file is given as a positional argument
winpmem_mini_x64_rc2.exe memory.dmp
# Option 2: DumpIt (trusted, used by law enforcement)
DumpIt.exe
# Option 3: Linux targets via LiME (Linux Memory Extractor); LiME runs on the target and either writes locally or streams to a listener (path=tcp:4444)
# The kernel module must be built for the target's exact kernel version
insmod lime-$(uname -r).ko "path=/mnt/usb/memory.dmp format=lime"
# Analyze with Volatility 3 (pip installs the command as "vol"; "vol.py" is the script name in a git checkout)
pip3 install volatility3
# Basic profile check
vol -f memory.dmp windows.info
vol -f memory.dmp linux.bash # Linux dumps: recover shell history (needs a symbol table matching the target kernel)
# Process analysis
vol -f memory.dmp windows.pslist # All processes
vol -f memory.dmp windows.pstree # Process tree
vol -f memory.dmp windows.psscan # Find hidden processes (rootkits hide from pslist)
vol -f memory.dmp windows.cmdline # Command lines used to start processes
# Compare pslist vs psscan to find hidden processes
# Legitimate processes appear in both. Hidden processes only in psscan.
# Network forensics from memory
vol -f memory.dmp windows.netstat # Active connections at capture time
vol -f memory.dmp windows.netscan # All network artifacts
# Malware detection
vol -f memory.dmp windows.malfind # Find injected code (process hollowing, injection)
vol -f memory.dmp windows.driverirp # Check driver IRP handlers (rootkit indicator)
# Credentials from memory (for testing own systems)
vol -f memory.dmp windows.hashdump # Extract password hashes
vol -f memory.dmp windows.lsadump # LSA secrets
# Dump a suspicious process (-o is a global option and goes before the plugin name)
vol -o ./extracted/ -f memory.dmp windows.pslist --pid 4321 --dump
# Timeline creation (every timestamped artifact the other plugins report)
vol -f memory.dmp timeliner.Timeliner > timeline.txt
4. File System Analysis with Autopsy
# Autopsy: Free GUI forensics platform
# Download from: https://www.autopsy.com/download/
# Creates a case file and analyzes disk images
# Key Autopsy modules:
# - Hash Set Lookup: Compare against known good (NSRL) and bad file hashes
# - Keyword Search: Full-text search across all files including deleted ones
# - Web Artifacts: Browser history, downloads, bookmarks, cookies from Chrome/Firefox/IE
# - Recent Activity: Recently opened files, USB devices, searches
# - Email Parser: Recover and parse email messages
# - Android Analyzer: Analyze Android device images
# - Timeline Analysis: Visual timeline of all file system activity
# CLI alternative: The Sleuth Kit (TSK)
sudo apt install sleuthkit
# For a whole-disk image, run mmls evidence.img first to get the partition's start sector and pass it as -o <sector> to fsstat, fls and icat
# File system info
fsstat evidence.img
# List all files (including deleted ones, which fls marks with *)
fls -r -l evidence.img
# List deleted files only
fls -r -d evidence.img
# Extract specific file by inode number
icat evidence.img INODE_NUMBER > recovered_file.ext
# Create timeline of file system activity: write the body file first, then feed it to mactime
fls -r -m "/" evidence.img > body.txt
mactime -b body.txt > timeline.txt
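What mactime does with that body file, as an added example (my Python, not TSK code and not from the original guide): each file's four timestamps are expanded into time-sorted rows carrying the macb flags, and a start date can be applied like the date argument mactime accepts. The body lines are constructed in the format fls -m writes (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).

```python
# Added example: a mactime-style timeline built from a TSK body file.
# Body lines below are constructed; the field layout is the one fls -m emits.
from datetime import datetime, timezone

SAMPLE_BODY = """\
0|/home/user/.bash_history|1310722|r/rrw-------|1000|1000|4096|1709431200|1709431150|1709431150|1709400000
0|/tmp/.x (deleted)|2621441|r/rrwxr-xr-x|0|0|81920|1709431260|1709431255|1709431300|1709431255
0|/etc/passwd|131073|r/rrw-r--r--|0|0|2048|1709431262|1709431262|1709431262|1700000000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
MACB = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body(text):
    """Parse body-file lines into dicts; times and size become ints."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed body line: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows


def build_timeline(rows, since=None):
    """Return (epoch, macb flags, size, inode, name) rows, one per file per distinct timestamp, sorted by time.
    Zero timestamps (unset) are skipped; `since` is an epoch lower bound, like mactime's date argument."""
    out = []
    for r in rows:
        for t in sorted({r["atime"], r["mtime"], r["ctime"], r["crtime"]}):
            if t == 0 or (since is not None and t < since):
                continue
            flags = "".join(ch if r[key] == t else "." for ch, key in MACB)
            out.append((t, flags, r["size"], r["inode"], r["name"]))
    return sorted(out)


def fmt(epoch):
    """Render an epoch as mactime does, in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    since = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())  # same cut-off as: mactime -b body.txt 2024-01-01
    for t, flags, size, inode, name in build_timeline(parse_body(SAMPLE_BODY), since):
        print(fmt(t), flags, size, inode, name)
```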
mactime -b body.txt -d 2024-01-01 > timeline.csv # -d = comma-delimited output; the date starts the timeline at 2024-01-01
5. Log Analysis for Incident Reconstruction
# Windows Event Log analysis with python-evtx (installs the evtx_dump.py script)
pip3 install python-evtx
evtx_dump.py Security.evtx | head -100
# Or use Hayabusa for Windows log threat hunting
# Download from: https://github.com/Yamato-Security/hayabusa
hayabusa.exe csv-timeline -d /path/to/evtx/logs/ -o timeline.csv
# Linux log analysis
# Reconstruct authentication timeline
last -F | head -50 # All login/logout events
lastb | head -50 # Failed logins
who -a # Current logins
w # What users are doing
# grep auth.log for SSH attacks (-E is required for the | alternation), then count attempts per source IP
grep -E "Failed password|Accepted password|Invalid user" /var/log/auth.log |
grep -oE "from [0-9.]+" | sort | uniq -c | sort -rn
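The pipeline above only counts events. As an added example (my code, not from the original guide), the Python below reconstructs the order of sshd events from constructed auth.log lines and flags an accepted login from a source that had just been failing, the pattern that turns a noisy brute-force run into a confirmed compromise; it generalises the grep slightly by also matching Accepted publickey and the bare Invalid user line.

```python
# Added example: SSH authentication timeline from auth.log.
# Sample lines are constructed in the traditional syslog format of /var/log/auth.log.
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[4021]: Invalid user admin from 203.0.113.9 port 51022
Mar  3 02:14:05 web01 sshd[4025]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 02:14:08 web01 sshd[4027]: Failed password for root from 203.0.113.9 port 51031 ssh2
Mar  3 02:14:12 web01 sshd[4030]: Accepted password for root from 203.0.113.9 port 51035 ssh2
Mar  3 08:00:41 web01 sshd[5110]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2
Mar  3 08:00:42 web01 systemd-logind[812]: New session 12 of user deploy.
"""

# One pattern for the three sshd outcomes the guide greps for.
SSH_EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+|Invalid user)"
    r"(?: for)?(?: invalid user)? (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def parse_events(text):
    """Return (timestamp, outcome, user, ip) for every sshd auth event, in log order."""
    return [(m["ts"], m["outcome"], m["user"], m["ip"])
            for m in map(SSH_EVENT.match, text.splitlines()) if m]


def failures_by_ip(events):
    """Failed/invalid attempts per source IP (what the sort | uniq -c pipeline gives)."""
    return dict(Counter(ip for _, outcome, _, ip in events if not outcome.startswith("Accepted")))


def successes_after_failures(events, threshold=3):
    """Flag accepted logins from an IP that had at least `threshold` failures before them."""
    failures_so_far = defaultdict(int)
    flagged = []
    for ts, outcome, user, ip in events:
        if outcome.startswith("Accepted"):
            if failures_so_far[ip] >= threshold:
                flagged.append((ts, user, ip, failures_so_far[ip]))
        else:
            failures_so_far[ip] += 1
    return flagged
```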
# Apache access log analysis
awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -20 # Top IPs
grep " 404 " /var/log/apache2/access.log | awk '{print $7}' | sort | uniq -c | sort -rn # 404 paths (recon)
6. Network Forensics with Zeek and Wireshark
# Zeek: Generate structured logs from PCAP
zeek -r network_capture.pcap
# Analyze generated logs
# conn.log: All network connections
# dns.log: DNS queries (detect data exfiltration, C2)
# http.log: HTTP transactions (detect malware downloads)
# ssl.log: TLS/SSL certificates (detect self-signed certs used by malware C2)
# files.log: Files transferred over network
# Find suspicious file transfers (http.log carries resp_mime_types; the mime_type field belongs to files.log)
zeek-cut uri resp_mime_types resp_fuids < http.log | sort | head -30
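As an added example (my Python, not Zeek's code and not from the original guide), the following reads Zeek's TSV log format directly, honouring the #separator, #fields and #unset_field headers, and flags HTTP responses whose resp_mime_types says executable, including one served under an image-like URI; the fuid it reports is the file's name under ./extract_files/ once extraction is enabled. The field names are real http.log fields, the log content is constructed and trimmed to those fields.

```python
# Added example: read Zeek http.log and flag executable downloads.
# The log text is constructed; Zeek's default field separator is a tab, vectors use ",".
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tstatus_code\tresp_fuids\tresp_mime_types\n"
    "1709431200.1\tCabc1\t10.0.0.5\t203.0.113.20\tGET\tcdn.example.net\t/img/logo.png\t200\tFimg01\timage/png\n"
    "1709431260.4\tCabc2\t10.0.0.5\t203.0.113.21\tGET\tupdates.example.org\t/setup.exe\t200\tFexe01\tapplication/x-dosexec\n"
    "1709431300.9\tCabc3\t10.0.0.5\t198.51.100.33\tGET\tphotos.example.com\t/album/holiday.jpg\t200\tFexe02\tapplication/x-dosexec\n"
    "1709431333.2\tCabc4\t10.0.0.5\t203.0.113.20\tGET\tcdn.example.net\t/style.css\t304\t-\t-\n"
    "#close\t2024-03-03-02-30-00\n"
)
EXECUTABLE_MIME = {"application/x-dosexec", "application/x-executable", "application/x-msdownload"}
BENIGN_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".pdf", ".css", ".js", ".txt")


def read_zeek_log(text):
    """Yield one dict per record, honouring the #separator, #fields and #unset_field headers."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode().decode("unicode_escape")  # "\x09" -> tab
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
        else:
            values = line.split(sep)
            yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def flag_executable_downloads(records):
    """Return (ts, host, uri, mime, fuid, reason) for every response carrying an executable."""
    hits = []
    for r in records:
        exe = EXECUTABLE_MIME.intersection((r["resp_mime_types"] or "").split(","))
        if not exe:
            continue
        uri = r["uri"] or ""
        reason = ("executable behind benign-looking URI" if uri.lower().endswith(BENIGN_EXTENSIONS)
                  else "executable download")
        hits.append((r["ts"], r["host"], uri, min(exe), r["resp_fuids"], reason))
    return hits


if __name__ == "__main__":
    for hit in flag_executable_downloads(read_zeek_log(SAMPLE_HTTP_LOG)):
        print(*hit, sep=" | ")  # the fuid is the file's name in ./extract_files/
```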
# Extract all transferred files (the script name is resolved through ZEEKPATH; the installed copy lives under share/zeek/policy/frameworks/files/)
zeek -r capture.pcap frameworks/files/extract-all-files
ls ./extract_files/ # All extracted files
# Check each extracted file's hash against VirusTotal (hash lookup only; nothing is uploaded)
for file in ./extract_files/*; do
  hash=$(md5sum "$file" | cut -d' ' -f1)
  result=$(curl -s "https://www.virustotal.com/api/v3/files/$hash" -H "x-apikey: YOUR_VT_KEY")
  echo "$file: $(echo "$result" | jq '.data.attributes.last_analysis_stats')"
done
Malware Sample Analysis
# NEVER run malware on a production system
# Use: isolated VM with no network or host-only network
# Static analysis: examine without running
file malware.exe # File type identification
strings malware.exe # Extract printable strings
strings malware.exe | grep -E "http|\.com|\.ru|cmd|powershell|registry" # escape the dots so they match literally
xxd malware.exe | head -20 # Hex dump of file header
# Check file hash against VirusTotal
md5sum malware.exe
sha256sum malware.exe
# Submit to VT: https://www.virustotal.com/gui/home/upload
# PE analysis (Windows executables)
pip3 install pefile
python3 -c "
import pefile
pe = pefile.PE('malware.exe')
print('Imports:')
for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):  # attribute is absent when the PE has no import table
    print(f'  {entry.dll.decode()}: {[i.name.decode() for i in entry.imports if i.name]}')
"
# Sandbox analysis (online, free)
# Hybrid Analysis: https://hybrid-analysis.com (free)
# Any.run: https://any.run (free tier)
# Cuckoo Sandbox: self-hosted, open-source
# Joe Sandbox: https://www.joesandbox.com (free community)
Digital forensics is a discipline where speed and precision are equally important. Every second of delayed response allows evidence to overwrite itself in logs and memory. But every careless action can destroy the evidentiary value of your findings. The combination of Autopsy, Volatility, Zeek, and the Sleuth Kit gives you a fully professional forensics toolkit at zero cost — the same tools used by corporate incident response teams and law enforcement agencies worldwide.