# Digital Forensics

* Usually the organizer will give us a digital image: a memory dump such as a `.raw` file, a disk image such as an `.e01` file, or one of a few other formats.

* Always run `file <filename>` on whatever file you get first! If `file` reports only "`data`", you must try harder to find the right tool to carve the information contained in the file.

* Check out the EXIF data of the file with `exiftool <filename>`.

* Run `strings` for clues.

* Try file carving with `foremost <filename>`. Foremost supports many file types, but extracting everything takes time when you face a large file.

* Common locations for various artifacts :-

  * **Web**: browsing history, cookies, cache files and others.
  * **Windows OS**: registry table, event logs and others.
  * **Linux**: configuration files, log files and others.
  * **Mobile phones**: app data and others.
  * Many more!

* Tools :-
  * **Volatility**. It is a memory extraction utility framework for memory forensics. Use this Volatility [command reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference).
  * **Redline**. Another alternative to Volatility, but Volatility is the best for me.
  * **Bulk-extractor**. It extracts features such as email addresses, credit card numbers, URLs and other types of information from digital evidence files.
  * **FTK Imager**. FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives and CDs/DVDs, and to review the content of forensic images or memory dumps.
  * **Autopsy**, **ProDiscover** or **EnCase** serve the same function as FTK Imager.
  * Use `e2fsck <image>` to fix a corrupt ext3 or ext4 filesystem (run it against the unmounted image file, never a mounted filesystem).
  * Recover files using **Recuva**. They may give you an image that you can mount on your machine using FTK Imager; then go to the drive and try to recover the files you want.
  * **RegRipper** for registry analysis.
  * Mastering the **Windows Event Viewer** will give you a plus.
  * And many more!
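
When `file` says only `data` and you want to understand what `foremost` is doing before reaching for it, a signature-based carver is a few lines of Python. The following is an added example, not code from the original page or from foremost: it scans a blob for PNG and JPEG magic bytes and cuts each file out between header and footer. The sample image is constructed inline and the embedded PNG/JPEG bodies are stubs, not real pictures.

```python
"""Minimal header/footer file carver (added example, not part of the page)."""
from __future__ import annotations

# Magic bytes that open and close each format; extend this table as needed.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # IEND chunk + its CRC
    "jpeg": (b"\xff\xd8\xff",       b"\xff\xd9"),        # SOI ... EOI markers
}
MAX_CARVE = 10 * 1024 * 1024  # give up on a candidate with no footer within 10 MiB


def carve(blob: bytes, max_size: int = MAX_CARVE) -> list[tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header whose footer is found."""
    found = []
    for name, (head, tail) in SIGNATURES.items():
        pos = blob.find(head)
        while pos != -1:
            end = blob.find(tail, pos + len(head), pos + max_size)
            if end == -1:
                # truncated or fragmented candidate: skip only this header
                pos = blob.find(head, pos + 1)
                continue
            end += len(tail)
            found.append((name, pos, blob[pos:end]))
            pos = blob.find(head, end)  # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])


# Constructed sample "image": filler bytes around stubbed PNG and JPEG bodies,
# plus a dangling JPEG header at the end to show how a truncated file is skipped.
FILLER = b"\x00\xff\x13\x37" * 8
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x01" * 17 + b"IEND\xaeB`\x82"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x42" * 12 + b"\xff\xd9"
SAMPLE_IMAGE = FILLER + SAMPLE_PNG + FILLER + SAMPLE_JPEG + FILLER + b"\xff\xd8\xff" + b"cut"


def carve_sample() -> list[tuple[str, int, int]]:
    """Carve the constructed image and report (type, offset, size) per hit."""
    return [(kind, off, len(data)) for kind, off, data in carve(SAMPLE_IMAGE)]


if __name__ == "__main__":
    for kind, off, data in carve(SAMPLE_IMAGE):
        path = f"carved_{off:08x}.{kind}"
        with open(path, "wb") as fh:  # write each hit out, as foremost does
            fh.write(data)
        print(f"{kind:5} @ {off:#010x}  {len(data)} bytes -> {path}")
```

Real carvers also validate the carved bytes (parse the PNG chunk table, check the JPEG segment structure), because a footer found by plain search can belong to a different, overlapping file.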

