Disk Forensics: SOC Analyst Playbook

Disk Forensics for SOC Analysts: How It Informs Detection and Threat Hunting

Disk forensics is no longer the exclusive domain of incident responders or law enforcement investigators. Modern SOC workflows, particularly in Tier 2 and Tier 3 roles, demand that analysts understand how to triage disk artifacts, extract forensic evidence, and convert findings into actionable detection content. Whether you're investigating a suspected ransomware precursor, validating an EDR alert, or threat hunting for a stealthy implant, disk forensics gives you ground truth.

➤ Check out our complete guide: Endpoint Detection and Response (EDR) Explained.

This guide is built for working SOC analysts. It covers the artifact landscape, practical triage workflows, the tools you need, and critically, how disk forensic findings feed directly back into detection engineering and proactive hunting.

What Is Disk Forensics in the SOC Context?

Disk forensics is the process of identifying, preserving, extracting, and analyzing data stored on physical or virtual storage media to reconstruct attacker activity and system state.

In the SOC context, this doesn't always mean full forensic imaging of a hard drive. More often, it means:

Targeted artifact collection from a live or triaged endpoint.
Timeline reconstruction to establish attacker dwell time and lateral movement.
Deleted file recovery to surface evidence of staging, exfiltration, or anti-forensics.
Metadata analysis to validate or refute alert context.
IOC extraction to push indicators back into detection platforms.

Disk forensics informs detection and hunting in a feedback loop: alerts drive investigations, investigations surface artifacts, artifacts produce indicators, and indicators sharpen future detection.

The Windows Artifact Landscape: What SOC Analysts Must Know

Windows systems are the primary target in most enterprise environments. Knowing where artifacts live and what they reveal is foundational.

1. Prefetch Files (C:\Windows\Prefetch\)

Prefetch files (.pf) track the execution of applications to speed up subsequent launches. For a SOC analyst, they are gold.

What they reveal:

Whether a binary was executed, even if it has since been deleted.
The timestamp of first and last execution (up to 8 run timestamps in Win8+)
Files and directories accessed during execution (useful for spotting staging directories like C:\Users\Public\ or %TEMP%)

Tool: PECmd.exe by Eric Zimmermann

PECmd.exe -d C:\Windows\Prefetch --csv output_dir

Detection use case: If an EDR alert fires on cmd.exe spawning powershell.exe, cross-reference Prefetch to confirm execution and identify what files were touched. This can reveal a dropper or a second-stage payload path that the initial alert missed.

2. Windows Event Logs (C:\Windows\System32\winevt\Logs\)

Event logs are the most structured forensic source on Windows. Key channels every SOC analyst must triage:

Log Channel	Key Event IDs	Forensic Significance
Security	4624, 4625, 4648, 4768, 4769	Authentication events, pass-the-hash, Kerberoasting.
System	7045, 7034	Malicious service installation.
PowerShell/Operational	4103, 4104	Script block logging full command execution.
Sysmon	1, 3, 7, 8, 10, 11, 13	Process creation, network, image load, registry.
Microsoft-Windows-TaskScheduler/Operational	106, 200, 201	Scheduled task creation and execution.

Hunting tip: Event ID 4104 (PowerShell Script Block Logging) captures deobfuscated PowerShell even when attackers use base64 encoding or IEX (New-Object Net.WebClient).DownloadString(...). If this logging isn't enabled in your environment, push for it immediately.

➤ Learn the full attacker playbook in our guide on Credential Theft Detection and Hunting Strategies.

3. The Registry as a Forensic Database

The Windows Registry is a persistent, structured store that attackers abuse for persistence, lateral movement, and defense evasion. Critical forensic keys:

Persistence mechanisms:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\System\CurrentControlSet\Services\

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Last write timestamps on registry keys provide timeline anchors. If a Run key was written at 02:14 AM on a Saturday, that's a strong behavioral indicator even without the actual binary being present.

Tool: RegRipper or Registry Explorer (Zimmermann) for offline hive parsing.

Shimcache / AppCompatCache (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache): Records execution metadata for binaries encountered by the system. Unlike Prefetch, Shimcache does not confirm execution but it does confirm that a binary was present on disk and known to the system, which matters when tracing attacker tooling.

Amcache.hve (C:\Windows\AppCompat\Programs\Amcache.hve): Complements Shimcache with SHA1 hashes of executed binaries a critical pivot point for IOC matching and VirusTotal lookups.

4. Shell Items: LNK Files, Jump Lists, and ShellBags

These artifacts record user interactions with the filesystem and attackers leave traces here whether they intend to or not.

LNK files (C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\): Created automatically when a file is opened. Contain the full path, MAC timestamps, and volume serial number of the target file, even if the target was on a network share or removable media.
Jump Lists (AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\): Record recently and frequently accessed files per application. Useful for identifying staged files opened in Notepad, Excel, or a browser.
ShellBags: Store folder view preferences and persist even after folders are deleted. They prove that a user (or attacker) navigated to a directory critical for proving access without file access logs.

Tool: ShellBagsExplorer and LECmd.exe (Zimmermann suite)

5. Browser Artifacts

Attackers use browsers for C2 communication, malware download, and credential theft. Even if the cache is cleared, residual artifacts often remain:

SQLite databases for history, downloads, and cookies: Chrome stores these in AppData\Local\Google\Chrome\User Data\Default\
WebCacheV01.dat (IE/Edge Legacy): Often recoverable even after clearing.
Download history reveals: filename, source URL, download time, and target path.

Hunting use: A download of update.exe from a suspicious domain hours before a Cobalt Strike beacon fires is a strong kill-chain link.

➤ Walk through a full case study in our SOC Simulator: Malware Download Alert Investigation.

Linux Disk Forensics: Key Artifacts for SOC Analysts

Linux endpoints and servers are increasingly targeted, particularly in cloud and container environments.

Critical Linux Artifact Locations

Artifact	Path	Significance
Bash history	~/.bash_history	Attacker commands (often cleared, but timing gaps are suspicious)
Auth logs	/var/log/auth.log or /var/log/secure	SSH logins, sudo usage, PAM events.
Cron jobs	/etc/cron*, /var/spool/cron/	Persistence mechanism.
Systemd units	/etc/systemd/system/, /lib/systemd/system/	Malicious service persistence.
/tmp and /dev/shm	Various	Common staging areas for malware.
/proc/ (live only)	Various	Process memory maps, open file descriptors, and network connections.
Syslog	/var/log/syslog	General system events.
Wtmp/utmp/lastlog	/var/log/	Login records even for deleted accounts.

Pro tip: On Linux, attackers frequently write payloads to /dev/shm (shared memory filesystem) because it's RAM-backed, leaves minimal disk artifacts, and is often excluded from endpoint monitoring. Always check it during triage.

Disk Forensics Triage Workflow for SOC Analysts

A repeatable triage process is essential under the time pressure of active incidents.

Phase 1: Scope and Preserve

Before touching anything, define the scope:

Is this a live system or an offline image?
Is legal hold required?
Is memory acquisition needed first?

For live triage, use a forensic collection tool that minimizes footprint:

KAPE (Kroll Artifact Parser and Extractor): Collects targeted artifact sets (MFT, event logs, registry hives, Prefetch, browser data) in minutes without a full disk image.
Velociraptor: Agentless or agent-based remote artifact collection at scale, ideal for SOC triage across multiple endpoints simultaneously.

bash

# KAPE example: collect common triage targets

kape.exe --tsource C: --tdest D:\Triage --tflush --target !SANS_Triage

Phase 2: Timeline Construction

A super-timeline merges all timestamp data from multiple artifact sources into a single chronological view. This is where disk forensics becomes most powerful for the SOC.

Tool: log2timeline/Plaso → psort.py → visualize in Timesketch

bash

# Create timeline from disk image or mounted volume

log2timeline.py output.plaso /mnt/suspect_disk/

# Filter and export

psort.py -z UTC -o l2tcsv output.plaso "date > '2025-01-01 00:00:00' AND date < '2025-01-02 00:00:00'" > timeline.csv

Timeline analysis immediately answers: What happened in the 30 minutes before the alert? What persisted afterward?

Phase 3: MFT Analysis

The Master File Table (MFT) is the heart of the NTFS filesystem. Every file has an MFT entry containing:

File name and path.
Standard Information timestamps ($SI): Created, Modified, Accessed, Entry Modified.
Filename timestamps ($FN): Harder to manipulate, used to detect timestomping.
File size, flags, and data runs.

Timestomping detection: Attackers manipulate $SI timestamps to blend malicious files into the filesystem timeline. But $FN timestamps are updated by the kernel and cannot be changed by userspace tools. Compare $SI vs $FN creation times; a mismatch is a strong indicator of anti-forensics.

bash

# Parse MFT with MFTECmd

MFTECmd.exe -f C:\$MFT --csv output_dir

Hunting use case: Filter the MFT for files created in %TEMP%, C:\Users\Public\, or C:\ProgramData\ during the attacker's suspected dwell window. Correlate with Prefetch and event logs to build execution chains.

Converting Disk Forensic Findings Into Detection Content

This is where disk forensics delivers its highest SOC value, feeding the detection and hunting pipeline.

IOC Extraction and Enrichment

From a single disk triage, you can extract:

File hashes (MD5, SHA1, SHA256) from Amcache → submit to VirusTotal, push to EDR blocklist.
Mutex names, registry keys, file paths from malware analysis → write YARA rules.
C2 domains/IPs from browser artifacts, DNS cache, or network connection artifacts → push to SIEM watchlist.
Execution paths and arguments from Prefetch and Event ID 4688 → tune process creation detection rules.

Writing Sigma Rules from Disk Evidence

When disk forensics reveals a novel persistence mechanism or execution chain, translate it into a Sigma rule immediately:

yaml

title: Suspicious Binary Executed from ProgramData

status: experimental

logsource:

category: process_creation

product: windows

detection:

selection:

Image|startswith: 'C:\ProgramData\'

Image|endswith: '.exe'

filter_known_legit:

Image|contains:

- '\Microsoft\'

- '\Adobe\'

condition: selection and not filter_known_legit

falsepositives:

- Legitimate software installers

level: medium

Building Threat Hunt Hypotheses

Every disk forensic investigation should generate at least one hunt hypothesis:

Finding	Hunt Hypothesis
Cobalt Strike beacon found in %TEMP%	Hunt for named pipe patterns (\\.\pipe\MSSE-*) across all endpoints.
Malicious scheduled task found	Hunt for tasks with Base64-encoded commands in arguments.
ShellBag evidence of USB navigation	Hunt for removable media access events across high-value workstations.
Timestomped file in System32	Hunt for $SI/$FN timestamp mismatches across crown-jewel servers.

Toolchain Summary for SOC Disk Forensics

Tool	Purpose	Platform
KAPE	Rapid artifact collection	Windows
Velociraptor	Remote triage at scale	Cross-platform
Autopsy / Sleuth Kit	Full disk image analysis	Cross-platform
Eric Zimmermann Tools (PECmd, MFTECmd, RECmd, etc.)	Artifact parsing	Windows
Plaso / log2timeline	Super-timeline creation	Cross-platform
Timesketch	Timeline visualization	Web-based
Volatility	Memory forensics (complements disk)	Cross-platform
YARA	Pattern matching on disk artifacts	Cross-platform
RegRipper	Registry hive analysis	Windows/Linux

Common SOC Mistakes in Disk Forensics

Modifying the source: Running tools directly on a suspect disk changes access timestamps. Always work from a forensic copy or use read-only mounts.
Ignoring VSS (Volume Shadow Copies): Attackers delete VSS to prevent recovery, but if VSS exists, it may contain earlier versions of malicious files or registry hives from before an attack.
Treating timestamps as the absolute truth: Timestamps are easily manipulated. Always corroborate with at least two independent artifact sources.
Skipping the MFT: Most triage workflows focus on logs. The MFT reveals file system activity that logs miss entirely.
Not closing the loop: Disk forensics findings that don't result in new detection rules or hunt queries waste their full potential.

➤ Learn how to operationalize it in our dedicated guide: Why Memory Forensics Matters for SOC Teams.

Conclusion: Disk Forensics as a Force Multiplier for the SOC

For the modern SOC analyst, disk forensics isn't a niche skill; it's a force multiplier. It transforms alert-driven reactive work into evidence-based investigation and grounds threat hunting in forensic reality rather than hypothesis alone.

The workflow is clear: collect artifacts → build timelines → extract IOCs → validate attacker activity → feed detection and hunting pipelines. Every disk investigation that closes without producing a Sigma rule, a YARA signature, or a hunt hypothesis is a missed opportunity.

Invest time in the toolchain, build your triage playbooks, and make disk forensics a routine part of how your SOC understands the endpoints it protects. The ground truth is on the disk, and it's yours to read.
Start Your Training in Disk Forensics: Explore CyberDefenders Cyber Range.