The disk holds the persistent story — files, deleted data, and the operating system’s own records of what ran and when. Learn where the artifacts live and how to read them.
Why: a disk image contains more than the visible files — deleted files often remain until overwritten, and file-system metadata records timestamps — so forensics recovers and interprets all of it. When: analyze the image with a forensic suite that parses the file system and carves deleted content. Where: "deleted" usually means "unlinked," so recovery is frequently possible and is a core forensic technique.
# The Sleuth Kit on a disk image (read-only analysis of the COPY):
mmls disk.img # partition layout
fls -r -o 2048 disk.img # list files INCLUDING deleted (* = deleted)
icat -o 2048 disk.img 12345 > recovered.bin # recover a file by inode
# Autopsy provides a GUI over these, plus keyword search and timelining.Why: operating systems keep their own records of activity — recently run programs, opened files, mounted devices, browser and shell history — and these artifacts reconstruct user and attacker behavior. When: pull the artifacts relevant to your hypothesis (what ran, when, by whom). Where: Windows (registry, prefetch, event logs, $MFT) and Linux (bash history, auth logs, cron, systemd) each have well-known artifact locations.
High-value artifacts (what ran / what was accessed / persistence):
WINDOWS registry (Run keys), Prefetch, Amcache, $MFT, event logs,
browser history, LNK/JumpLists, Scheduled Tasks
LINUX ~/.bash_history, /var/log/auth.log, cron, systemd units,
/etc/passwd changes, SUID files, ~/.ssh/authorized_keys
Attackers leave traces in PERSISTENCE mechanisms — check them first.Why: individual artifacts are fragments; a super-timeline that merges all timestamped events into one chronological view reconstructs the incident from first access to final action. When: generate a timeline early to anchor the investigation and spot the initial compromise. Where: timeline analysis is the backbone of forensics — it turns scattered artifacts into a narrative you can defend.
# Build a super-timeline from a disk image (Plaso / log2timeline):
log2timeline.py timeline.plaso disk.img
psort.py -o l2tcsv timeline.plaso > timeline.csv
# Then filter to the incident window and read the story in order:
# first suspicious login -> file dropped -> program executed ->
# persistence created -> data accessed. The timeline anchors everything.