Basic Digital Forensics

Purpose and Scope

Digital forensics provides the ability to collect, preserve, and analyze evidence from security incidents. Even if you do not perform deep forensic analysis, understanding the basics helps you preserve critical evidence and support investigation efforts.

Prerequisites

• Authorization: Written approval to collect and analyze evidence
• Collection tools: Forensic imaging software, memory acquisition tools
• Secure storage: Evidence repository with integrity verification
• Documentation system: Chain of custody tracking
• Legal awareness: Understanding of evidence handling requirements in your jurisdiction

When Forensics Matters

Consider forensic evidence collection when:

• Legal action or law enforcement involvement is possible
• Regulatory reporting requires detailed evidence
• You need to understand the full scope of a compromise
• Insurance claims require documented evidence
• The incident may result in employee termination or discipline
• Attribution of the attacker is important

Fundamental Principles

Order of Volatility

Collect evidence in order of how quickly it disappears:

1. Memory (RAM): Lost on power off or reboot
2. Running processes: Change constantly
3. Network connections: Transient by nature
4. Temporary files: May be overwritten
5. Disk contents: More persistent but can be modified
6. Log files: May rotate or be deleted
7. Physical media: Most persistent

Evidence Integrity

Maintain the integrity of evidence:

• Work on copies, never original evidence
• Use write blockers when imaging disks
• Hash everything before and after acquisition
• Document every action taken on evidence
• Store evidence securely with access controls

Chain of Custody

Document the complete history of evidence:

• Who collected it and when
• Where it was stored
• Who had access at each stage
• What actions were performed on it
• How it was transferred between parties

Evidence Collection Procedures

Memory Acquisition

Capture RAM before shutting down a system:

• Use tools like FTK Imager, WinPmem, or Velociraptor
• Memory contains running processes, network connections, encryption keys
• Must be collected while the system is running
• Document the time and method of acquisition
• Hash the memory image immediately after capture

Disk Imaging

Create a bit for bit copy of storage media:

• Use write blockers to prevent modification of original
• Create forensic images using dd, FTK Imager, or similar tools
• Calculate and record hash values (MD5, SHA-256)
• Verify the image matches the original by comparing hashes
• Store original media securely

Log Collection

Preserve log data before it rotates or is deleted:

• Export logs from SIEM for the relevant time period
• Collect raw logs from affected systems
• Preserve authentication logs, web server logs, application logs
• Include cloud service logs (CloudTrail, Azure Activity, etc.)
• Document the time range and sources collected

Network Capture

Collect network evidence when relevant:

• PCAP files from network monitoring tools
• Zeek or Suricata logs
• NetFlow or IPFIX data
• Firewall and proxy logs

Triage Artifacts

When full forensics is not possible, collect key artifacts:

Windows

• Windows Event Logs (Security, System, Application)
• Registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT)
• Prefetch files
• Browser history and cache
• Scheduled tasks and startup items
• Recent files and jump lists

Linux and macOS

• System logs (/var/log/)
• Authentication logs (auth.log, secure)
• Shell history files
• Cron jobs and systemd services
• User home directories
• Running processes and network connections

Documentation Requirements

Document everything during evidence collection:

• Date, time, and timezone of all actions
• Name of person performing collection
• System identifiers (hostname, serial number, MAC address)
• Tools and versions used
• Hash values of all collected evidence
• Any anomalies or issues encountered
• Photos of physical evidence if applicable

Evidence Storage

• Store evidence on encrypted, access-controlled storage
• Maintain multiple copies in different locations
• Use checksums to verify integrity over time
• Restrict access to authorized personnel only
• Document all access to evidence storage
• Define retention periods based on legal requirements

Common Mistakes to Avoid

• Analyzing live systems: Run analysis on forensic copies, not originals
• Rebooting compromised systems: May destroy volatile evidence
• Missing documentation: Undocumented evidence may be inadmissible
• Improper tool use: Using tools that modify timestamps or file content
• Breaking chain of custody: Gaps in custody documentation
• Over-retention: Keeping evidence longer than necessary creates liability

Working with Law Enforcement

If you may involve law enforcement:

• Contact legal counsel before engaging law enforcement
• Preserve evidence to their standards
• Document your collection methods thoroughly
• Be prepared to provide original media if requested
• Coordinate evidence handoff formally

Tools for SOC Analysts

• FTK Imager: Free disk imaging and memory acquisition
• Velociraptor: Endpoint collection and triage
• KAPE: Automated artifact collection
• Arsenal Image Mounter: Mount forensic images
• Autopsy: Open source disk forensics platform
• Volatility: Memory forensics framework

References

• NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
• SANS Digital Forensics and Incident Response: sans.org/dfir
• CISA Forensics: cisa.gov
• SWGDE Best Practices for Computer Forensics