In this chapter we're going CSI. Well, not the CSI you see on CSI—Cyber. This is the real deal. There may come a time in your sysadmin career when you have to deliver data that must maintain a Chain of Evidence. The Chain of Evidence is a documented and auditable record of how, why, and by whom evidence was handled, stored, and examined. Kali is your friend when it comes to this duty. You'll also find that some of the techniques we use here are handy in day-to-day work: retrieving data, copying disk images, and scanning your own systems for data that should not be where it is – or maybe isn't where you expected it to be. In our pen testing work, we have seen a lot of companies fail their compliance assessments because credit card and personal data are found in the wrong place. It's amazing where employees will rat-hole files on the network. We will explore Guymager first, and then dive into Autopsy:
Getting into Digital Forensics
Exploring Guymager
Diving into Autopsy