---
name: pentest-forensics
description: Digital forensics — evidence acquisition, memory/disk imaging and analysis, timeline reconstruction, IOC extraction advisory. Triggers on forensics, DFIR, Volatility, memory analysis, disk image, Autopsy, FTK, timeline, IOC extraction, evidence chain, log analysis.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents forensics-analyst
---

# pentest-forensics

Digital forensics + incident response advisory. Post-exploitation analysis for engagements, breach investigation, IR support.

## Triggers

- "memory dump analysis"
- "examine disk image"
- "extract timeline"
- "extract IOCs"
- "with Volatility"
- "Autopsy / FTK report"
- "log correlation"
- "evidence chain"

## Evidence Acquisition (Order Matters)

```
1. Volatile memory (RAM)        -> lost fastest
2. Network state                 -> active connections, route table
3. Running processes             -> ps, lsof
4. Disk image                    -> bit-for-bit copy
5. Log/audit files               -> /var/log, Event Viewer
6. Backup + cold storage         -> not volatile
```

Document the **chain of custody** for every acquisition: who, when, which tool, SHA256 hash.
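The custody record described above as an added example (not part of this skill): each entry carries who/when/tool/action plus the evidence file's SHA256, and commits to the previous entry's hash, so a modified image or an edited or removed entry fails verification. The image content, analyst names and tool strings are constructed.

```python
import hashlib, json, os, tempfile, time

def sha256_file(path, chunk=4 * 1024 * 1024):
    """Stream-hash an evidence file; disk images are far too large to read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def custody_entry(chain, evidence_path, who, tool, action, when=None):
    """Append one record that also commits to the previous record's hash."""
    rec = {
        "who": who,
        "when": when or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "tool": tool, "action": action, "evidence": evidence_path,
        "sha256": sha256_file(evidence_path),
        "prev": chain[-1]["entry_hash"] if chain else "0" * 64,  # genesis marker
    }
    rec["entry_hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    chain.append(rec)
    return rec

def verify_chain(chain):
    """Recompute every link and re-hash the evidence; return index of first bad record, or -1."""
    prev = "0" * 64
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != rec["entry_hash"]:
            return i  # entry edited, removed or reordered
        if sha256_file(rec["evidence"]) != rec["sha256"]:
            return i  # evidence no longer matches what was acquired
        prev = rec["entry_hash"]
    return -1

def demo(workdir=None):
    """Constructed walk-through: acquire, hand over, then modify the image."""
    img = os.path.join(workdir or tempfile.mkdtemp(), "disk.dd")
    with open(img, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed disk image")
    chain = []
    custody_entry(chain, img, "analyst-1", "dd 8.32", "acquired")
    custody_entry(chain, img, "analyst-2", "manual", "placed in case locker")
    intact = verify_chain(chain)
    with open(img, "ab") as f:
        f.write(b"x")  # evidence touched after acquisition
    return intact, verify_chain(chain)
```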

## Memory Acquisition

| OS | Tool | Command |
|----|------|-------|
| Linux | AVML (Microsoft) | `avml memory.lime` |
| Linux | LiME (LKM) | `insmod lime.ko "path=/mnt/dump.lime format=lime"` |
| Windows | DumpIt / WinPmem | `DumpIt.exe /OUTPUT memory.raw` |
| Windows | Magnet RAM Capture | GUI |
| macOS | osxpmem | `osxpmem -o memory.aff4 /dev/pmem` |

## Volatility 3 (Memory Forensics)

```bash
# Process list
vol -f memory.raw windows.pslist

# Network connections
vol -f memory.raw windows.netscan

# Malware detection: hidden processes (pool scan, then cross-view)
vol -f memory.raw windows.psscan
vol -f memory.raw windows.psxview         # cross-view

# Injected code
vol -f memory.raw windows.malfind

# Registry keys (from memory)
vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Mimikatz-style credential extraction (sensitive output, handle with care!)
vol -f memory.raw windows.hashdump
vol -f memory.raw windows.lsadump

# Linux
vol -f linux.lime linux.bash              # bash history from memory
vol -f linux.lime linux.pslist
vol -f linux.lime linux.malfind
```

## Disk Image

```bash
# Acquisition (bit-for-bit with dd)
dd if=/dev/sda of=/mnt/external/disk.dd bs=4M conv=noerror,sync status=progress

# Hash verification: compare the digests only (sha256sum output also contains
# the file name, so a plain diff of the two files would always differ)
sha256sum /dev/sda | awk '{print $1}' > pre.hash
sha256sum /mnt/external/disk.dd | awk '{print $1}' > post.hash
diff pre.hash post.hash      # must be identical; a read error padded by conv=sync shows up here

# E01 format (compressed + metadata)
ewfacquire /dev/sda
```

## Timeline Reconstruction

```bash
# Plaso / log2timeline (super timeline)
log2timeline.py --storage-file timeline.plaso /mnt/disk/
psort.py -o l2tcsv -w timeline.csv timeline.plaso

# Mactime (Sleuth Kit)
fls -r -m / disk.dd > body.txt
mactime -b body.txt -d > timeline.csv

# Filter: a specific time window
mactime -b body.txt -d 2026-05-14..2026-05-15
```

## IOC Extraction

```bash
# Network IOC from packet capture
tshark -r capture.pcap -T fields -e ip.dst -e dns.qry.name | sort -u

# File IOC from disk image
fls -r -m / disk.dd | grep -E '\.(exe|dll|ps1|sh|bash)' | head

# Hash all files
find /mnt/disk -type f -exec sha256sum {} \; > hashes.txt

# Compare against threat intel
while read hash file; do
  curl -s "https://www.virustotal.com/api/v3/files/$hash" -H "x-apikey: $VT_KEY" \
    | jq '.data.attributes.last_analysis_stats'
done < hashes.txt
```

## Log Analysis

```bash
# Auth log (Linux)
grep -E "Failed password|Accepted publickey" /var/log/auth.log | head

# Web log (Apache/Nginx combined format: $1 client, $7 request path, $9 status)
awk '$9 >= 400 && $9 < 500 {print $1, $7, $9}' access.log | sort | uniq -c | sort -rn | head

# Windows Event Log (exported EVTX)
EvtxECmd.exe -f Security.evtx --csv ./out

# SIEM-friendly format: feed the CSV to a log aggregator with Sigma rules -> alerts
```
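The grep above pulls the raw lines; this added example (not part of the skill) reads a constructed auth.log excerpt and flags sources that accumulated failed logins and then got an Accepted, which is the pattern worth escalating rather than the failures alone. Hostnames, IPs and users are made up.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (syslog format, sshd messages)
SAMPLE_AUTH_LOG = """\
May 14 14:20:01 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
May 14 14:20:03 web01 sshd[4102]: Failed password for root from 203.0.113.5 port 51001 ssh2
May 14 14:20:05 web01 sshd[4103]: Failed password for root from 203.0.113.5 port 51002 ssh2
May 14 14:20:07 web01 sshd[4104]: Failed password for root from 203.0.113.5 port 51003 ssh2
May 14 14:20:09 web01 sshd[4105]: Failed password for root from 203.0.113.5 port 51004 ssh2
May 14 14:20:12 web01 sshd[4106]: Accepted password for root from 203.0.113.5 port 51005 ssh2
May 14 14:31:40 web01 sshd[4210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
May 14 14:40:00 web01 sshd[4300]: Failed password for invalid user test from 192.0.2.9 port 6000 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def find_bruteforce_success(log_text, threshold=3):
    """Return {ip: (failures_before_success, user, timestamp)} for every source
    that logged at least `threshold` failed logins and then an accepted one."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth result line
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold and ip not in hits:
            hits[ip] = (failures[ip], m["user"], m["ts"])  # first success after the failures
    return hits
```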

## Anti-Forensics Detection

| Technique | Detection |
|--------|--------|
| Timestomp | $STANDARD_INFO vs $FILE_NAME timestamp diff |
| Secure delete | journal entry but no file |
| Encrypted volume | VeraCrypt header signature |
| Memory wipe | physical RAM = zero blocks |
| Log clearing | gap in journalctl, Event Viewer event 1102 |
| Live response only | no persistent artifact (fileless) |
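The $STANDARD_INFO vs $FILE_NAME check from the table, as an added example that is not part of the skill, run over constructed body-file lines in the format `fls -r -m` emits; file names and timestamps are made up.

```python
from collections import defaultdict

# Constructed Sleuth Kit body-file lines in the format `fls -r -m / disk.dd` emits:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (epoch seconds)
# On NTFS every file appears twice: $STANDARD_INFORMATION, then "($FILE_NAME)".
SAMPLE_BODY = """\
0|/Windows/System32/notepad.exe|1234-128-1|r/rrwxrwxrwx|0|0|200000|1700000000|1700000000|1700000000|1700000000
0|/Windows/System32/notepad.exe ($FILE_NAME)|1234-48-2|r/rrwxrwxrwx|0|0|200000|1700000000|1700000000|1700000000|1700000000
0|/Windows/Temp/svchost_2.exe|5678-128-1|r/rrwxrwxrwx|0|0|51200|1500000000|1500000000|1778799000|1500000000
0|/Windows/Temp/svchost_2.exe ($FILE_NAME)|5678-48-2|r/rrwxrwxrwx|0|0|51200|1778798000|1778798000|1778798000|1778798000
0|/Users/alice/notes.txt (deleted)|9999-128-1|r/rrwxrwxrwx|0|0|10|1778790000|1778790000|1778790000|1778790000
"""

def parse_body(body_text):
    """Group records by path: {path: {"SI": (mtime, ctime, crtime), "FN": (...)}}."""
    records = defaultdict(dict)
    for line in body_text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # malformed line
        name = fields[1]
        attr = "FN" if "($FILE_NAME)" in name else "SI"
        path = name.replace(" ($FILE_NAME)", "").replace(" (deleted)", "")
        records[path][attr] = tuple(int(x) for x in fields[8:11])
    return records

def find_timestomped(body_text):
    """Flag paths whose $SI creation time is earlier than the $FN creation time.

    $SI timestamps are writable from user mode (SetFileTime); $FN ones are only
    set by the kernel on create/rename. Being "born" before the name existed
    means the $SI clock was rolled back.
    """
    suspects = []
    for path, attrs in parse_body(body_text).items():
        if "SI" in attrs and "FN" in attrs:
            si_born, fn_born = attrs["SI"][2], attrs["FN"][2]
            if si_born < fn_born:
                suspects.append((path, si_born, fn_born))
    return suspects
```

A rename or move within the same volume produces the same pattern, so treat hits as leads to confirm against the $MFT and USN journal rather than as proof.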

## Output Template

```markdown
## Forensics Report — Incident #2026-05-14

### Acquisition
- Memory: WinPmem v3.3, SHA256 abc123..., 2026-05-14 18:30 UTC
- Disk: dd v8.32, SHA256 def456..., 2026-05-14 19:15 UTC
- Chain of custody: <analyst> -> <case-locker>

### Timeline (Critical Events)
| Time (UTC) | Event | Source |
|------------|-------|--------|
| 14:23:01 | Phishing email delivered | Email log |
| 14:23:45 | User clicked link | Web proxy |
| 14:24:12 | Implant downloaded | EDR |
| 14:25:03 | Implant executed (powershell.exe) | Sysmon EID 1 |
| 14:25:30 | C2 connection | Suricata alert |
| 16:42:11 | Lateral SMB to FILESERVER | Event 4624 (Type 3) |
| 17:15:00 | Data archive created | File system MFT |
| 17:30:00 | Exfil detected (Suricata) | Network IDS |

### IOC
- Hashes: 5 (in report appendix)
- IPs: 3 C2 IPs (in report appendix)
- Domains: 2 attacker domains
- Implant filename: svchost_2.exe (TIE score 95)
```

## Out-of-Scope

- Restoring production systems (customer IR team)
- Legal witness testimony (formal forensics firm)
- Real-time intrusion response
