Digital Forensics Cheat Sheet

DFIR and CTF forensics workflow — file/disk triage, memory analysis with Volatility3, network artifacts, and Windows evidence. (20 payloads)

Try it interactively with the What Is This?

File & Disk Triage

(5)

file suspicious.bin

Identify a file's true type by magic bytes regardless of extension — always step one.type confusion

binwalk -e firmware.bin

Detect and extract embedded files/filesystems (firmware, polyglots, appended archives).embedded data

foremost -i image.dd -o carved/

Carve files from a raw disk/image by header/footer signatures.deleted-file recovery

photorec image.dd

Recover files from corrupted/formatted media when the filesystem is gone.deep recovery

strings -e l -n 8 file.bin

Extract little-endian UTF-16 strings (common in Windows artifacts) plus the default ASCII pass.hidden text

Memory Analysis (Volatility 3)

(6)

vol -f mem.raw windows.info

Identify the OS/build of a memory image before deeper analysis.Volatility 3 auto-detects profiles

vol -f mem.raw windows.pslist

List running processes; pair with windows.pstree and psscan (for hidden/terminated procs).process triage

vol -f mem.raw windows.netscan

Recover network connections/sockets — find C2 or exfil channels.network IOCs

vol -f mem.raw windows.cmdline

Show command-line arguments per process — reveals attacker commands/paths.execution evidence

vol -f mem.raw windows.dumpfiles --pid 1337

Carve files cached in memory for a given process.artifact extraction

vol -f mem.raw linux.bash.Bash

Recover bash command history from a Linux memory image.Linux DFIR

Network & PCAP Artifacts

(3)

tshark -r capture.pcap -q -z conv,tcp

Rank TCP conversations by volume to find the noteworthy flows fast.see the Wireshark cheat sheet for more

tshark -r capture.pcap --export-objects http,out/

Extract files transferred over HTTP for analysis.payload recovery

zeek -r capture.pcap

Generate rich protocol logs (conn.log, dns.log, http.log, files.log) for timeline + IOC work.large captures

Windows Artifacts

(4)

rip.pl -r NTUSER.DAT -f ntuser

RegRipper: pull user activity, run keys, and persistence from registry hives.registry forensics

PECmd.exe -d C:\\Windows\\Prefetch

Parse Prefetch to prove program execution and timestamps.execution evidence

MFTECmd.exe -f $MFT --csv out

Parse the NTFS $MFT for file creation/modification timeline.file-system timeline

EvtxECmd.exe -d C:\\Windows\\System32\\winevt\\Logs --csv out

Convert Windows event logs to CSV for logon/privilege/process auditing.event-log analysis

Timeline & Integrity

(2)

log2timeline.py timeline.plaso image.dd && psort.py -o l2tcsv timeline.plaso

Build a super-timeline across all artifacts with Plaso.full timeline

sha256sum evidence.dd

Hash evidence before and after handling to prove integrity / chain of custody.forensic soundness

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Tools

What Is This?Cipher Decoder

Related Cheat Sheets

Cryptography Attacks Cheat Sheet Steganography Cheat Sheet

Frequently asked questions

What is the Digital Forensics Cheat Sheet?+

It's a quick-reference collection of 20 Forensics payloads for testing Digital Forensics vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Forensics payloads?+

Copy any payload straight into your authorized test, or use the What Is This? to apply them interactively. Only test systems you have explicit permission to assess.

Are these Forensics payloads free to use?+

Yes — this cheat sheet and all Forensics payloads are completely free, with no account required. Everything runs in your browser.

$loading...