RSS Feed


⬛️ Console Activity Analysis

Remote vs local commands? Windows macOS Linux

Data Carving

Below are the techniques, tools and instructions regarding data recovery from various file systems and devices. Most of the below techniques apply to HDDs only. Those that are for SDDs or other flash memory devices will be specified in the last section.

💿 Imaging

There are two types of acquisitions: live 🍀 and dead ☠️. Choosing based on the system’s initial state in question is usually preferable. So, for example, if the system is turned on, perform live acquisition first, capturing all volatile data that will be deleted after reboot. Otherwise, jump right to the dead acquisition (if the system is shut down).