DFIR Fundamentals
Foundation
Digital forensics is the application of scientific methodology to identify, preserve, analyze, and present digital evidence in a manner that is legally admissible. Proper handling of evidence is paramount—mistakes can render critical artifacts inadmissible in court.
Chain of Custody
Chain of custody documents who handled evidence, when, where, and why. Every transfer must be logged, and the evidence hashes should be re-verified whenever it changes hands so that any alteration can be tied to a specific custodian:
```markdown
# Chain of Custody Template
## Evidence Details
- Case Number: 2026-001-RANSOMWARE
- Evidence ID: EVD-2026-001-HDD01
- Description: 1TB Western Digital hard drive from CFO laptop
- Serial Number: WD-WCAV12345678
- Collection Date/Time: 2026-01-15 09:45 UTC
- Collector: Jane Smith, DFIR Analyst
## Hash Values (Verification; placeholder digests, computed over the source device and matched against the forensic image)
- MD5: 5d41402abc4b2a76b9719d911017c592
- SHA256: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
## Chain of Custody Log
| Date/Time | Transferred From | Transferred To | Reason | Signature |
|-----------|------------------|----------------|--------|-----------|
| 2026-01-15 09:45 | On-site (CFO office) | J. Smith | Collection | JS |
| 2026-01-15 11:30 | J. Smith | Evidence locker | Storage | JS |
| 2026-01-15 14:00 | Evidence locker | M. Johnson | Analysis | MJ |
| 2026-01-16 17:00 | M. Johnson | Evidence locker | Analysis complete | MJ |
## Storage Location
Building A, Room 120, Evidence Locker #3 (locked, access log maintained)
```
Never Work on Original Evidence
Always create a forensic image (a bit-for-bit copy of the whole device, including unallocated space) and verify it by hashing both the source device and the image; the two digests must match before analysis starts. Work only on the copy (ideally on a second working copy of the verified image) and keep the original sealed in the evidence locker. Record SHA-256 at minimum; MD5 is no longer collision-resistant and is kept only for compatibility with older tools and report formats.
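As an added example (not code from the original page), a small bash helper that images a device with dd, hashes the source and the image independently, records both in a log and a `.sha256` sidecar, and only reports success when they match. A second function demonstrates a trap that is easy to fall into with dd: pairing a large block size with `conv=noerror,sync` pads the final short read to a whole block, so the image grows and its hash no longer matches the source. Device and case paths are assumptions; the test input is a constructed 1536-byte file standing in for a three-sector device.

```bash
#!/usr/bin/env bash
# Added example: dd acquisition with independent source/image hash verification.
# Assumed usage:  image_and_verify /dev/sdb /cases/2026-001/evidence.dd
# (source attached through a hardware write-blocker; paths are placeholders)
set -u

sha256_of() {                       # portable SHA-256 -> hex digest
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# image_and_verify SRC IMG
# bs=512 so that conv=noerror,sync can only zero-fill a single unreadable sector
# and never pads the end of the image (a device's size is a multiple of 512 bytes).
# Returns 0 when the source and image hashes match, 1 when they differ, 2 if dd failed.
image_and_verify() {
  local src="$1" img="$2" log="${2}.log"
  local start; start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 2
  local src_hash img_hash
  src_hash=$(sha256_of "$src")      # second pass over the source, still behind the write-blocker
  img_hash=$(sha256_of "$img")
  {
    echo "start=$start end=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "source=$src sha256=$src_hash"
    echo "image=$img sha256=$img_hash"
  } >>"$log"
  # sidecar in `sha256sum -c` format so later custodians can re-verify the image
  echo "$img_hash  $(basename "$img")" >"${img}.sha256"
  if [ "$src_hash" = "$img_hash" ]; then
    echo "verified=OK" >>"$log"; return 0
  fi
  echo "verified=FAIL (source and image hashes differ)" >>"$log"; return 1
}

# image_size_with_bs SRC IMG BS: image with an arbitrary block size and print the
# resulting size in bytes. With conv=sync and a block size larger than the
# remaining data, dd pads the last read with NULs, so the image is bigger than
# the source and its hash can never match.
image_size_with_bs() {
  dd if="$1" of="$2" bs="$3" conv=noerror,sync 2>/dev/null
  wc -c <"$2" | tr -d ' '
}
```

The function reads the source twice (once to image it, once to hash it), which is the cost of a check that does not trust the imaging tool; dc3dd avoids the second pass by hashing the stream as it reads, but either way the digest of the source device, not just of the file you wrote, belongs in the custody record.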
Forensic Imaging
```bash
# Use a hardware write-blocker so the source cannot be modified during acquisition:
# source drive -> write-blocker -> workstation; the destination is a separate, sanitized disk.
# FTK Imager (Windows GUI) is a common choice and verifies hashes automatically.

# Command-line imaging with dd. Keep bs at the sector size (512) when using
# conv=noerror,sync: on a read error dd zero-fills one block, and conv=sync also
# pads the final short read to a full block, so bs=4M would zero 4 MiB per bad
# sector AND append padding that makes the image hash differ from the source.
# bs=512 is slow on large drives; prefer dc3dd or GNU ddrescue there.
sudo dd if=/dev/sdb of=/cases/2026-001/evidence.dd bs=512 conv=noerror,sync status=progress

# Hash the SOURCE device (through the write-blocker) as well as the image;
# the two values must match and both go in the chain-of-custody record.
sudo sha256sum /dev/sdb
sha256sum /cases/2026-001/evidence.dd | tee evidence.dd.sha256
md5sum /cases/2026-001/evidence.dd | tee evidence.dd.md5   # legacy-tool compatibility only

# Better: dc3dd hashes the input as it reads it and records read errors in its log
sudo dc3dd if=/dev/sdb of=/cases/2026-001/evidence.dd hash=md5 hash=sha256 log=/cases/2026-001/imaging.log

# Or use Guymager (Linux GUI, parallelised):
# - Select source drive
# - Choose destination (raw dd or E01)
# - Enable MD5/SHA256 verification
# - Start acquisition

# Mount the forensic image read-only. For a single-partition image:
sudo mkdir -p /mnt/evidence
sudo mount -o ro,loop,noload evidence.dd /mnt/evidence   # noload (ext3/ext4): do not replay the journal
# For a whole-disk image, expose its partitions on a read-only loop device first:
LOOPDEV=$(sudo losetup -rfP --show evidence.dd)          # e.g. /dev/loop0 -> /dev/loop0p1, /dev/loop0p2 ...
sudo mount -o ro,noload "${LOOPDEV}p1" /mnt/evidence
```
Order of Volatility
Collect evidence from most volatile (lost first) to least volatile, the order RFC 3227 recommends, because each step down the list survives the actions needed to capture the step above it:
1. CPU Registers, Cache — Lost immediately when system powers off
2. RAM (Memory) — Lost when powered off or rebooted
3. Network State, Running Processes — Changes constantly, collect before shutdown
4. Disk (Non-volatile storage) — Persists, but can be overwritten
5. Backups, Logs — Most persistent, but may be incomplete
Live Response First
If the system is running, collect memory, network connections, logged-in users and running processes BEFORE pulling the plug; once the machine is powered off that data is gone. Pull power rather than shutting down cleanly: a graceful shutdown runs scripts, flushes caches and gives malware a chance to clean up, while cutting power preserves the disk as it was at that instant. Two caveats apply. Live response itself changes the system (every tool you run creates a process, touches memory and may write to disk), so run a known-good toolkit from read-only media, write output to external storage, and log each command with a timestamp and a hash of its output so the analyst's own footprint is documented. And capture memory before anything else: if the disk uses full-disk encryption the volume key exists only in RAM, and powering off without a memory image may mean the disk can never be read.
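As an added example serving both the order-of-volatility list and the live-response guidance above (not a script from the original page), a minimal Linux collector that runs its steps most-volatile-first, writes each result to external media, and appends a timestamped line with the command, its exit status and the SHA-256 of its output to a collection log, so the analyst's own actions are part of the record. The output directory and the trusted-toolkit path are assumptions; memory capture is left to a tool matched to the running kernel and is only described in a comment.

```bash
#!/usr/bin/env bash
# Added example: live-response collection in order of volatility.
# Assumptions: OUT_DIR is external media (never the evidence disk) and
# TRUSTED_BIN holds your own read-only toolkit, so a trojaned /bin/ps on the
# suspect host is not what runs. Both paths are placeholders.
set -u
OUT_DIR="${OUT_DIR:-/media/ir-usb/case-2026-001/live}"
TRUSTED_BIN="${TRUSTED_BIN:-/media/ir-usb/bin}"
PATH="$TRUSTED_BIN:$PATH"

# run_step NAME CMD [ARGS...]
# Run one collector, save stdout+stderr to OUT_DIR/NAME.txt, hash that file and
# append "timestamp name cmd rc sha256" to collection.log.
# Returns 0 if the command ran (whatever its exit code), 1 if the tool is missing
# (logged as SKIPPED so the gap is documented rather than silent).
run_step() {
  local name="$1"; shift
  mkdir -p "$OUT_DIR"
  local ts; ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s %-14s SKIPPED tool-not-found: %s\n' "$ts" "$name" "$1" >>"$OUT_DIR/collection.log"
    return 1
  fi
  local file="$OUT_DIR/$name.txt" rc=0
  "$@" >"$file" 2>&1 || rc=$?
  printf '%s %-14s cmd="%s" rc=%d sha256=%s\n' "$ts" "$name" "$*" "$rc" \
    "$(sha256sum "$file" | cut -d' ' -f1)" >>"$OUT_DIR/collection.log"
  return 0
}

# Most volatile first. A memory image is not taken here because the capture tool
# must match the running kernel (a LiME module or an AVML binary built for it);
# when you have one, run it before the network steps and hash the dump the same way.
collect_volatile() {
  run_step 00_clock     date -u                       # host clock vs. your own, for timeline skew
  run_step 01_uptime    uptime
  run_step 02_sockets   ss -tanup                     # TCP/UDP sockets with owning PIDs
  run_step 03_arp       ip neigh
  run_step 04_routes    ip route
  run_step 05_procs     ps -eo pid,ppid,user,lstart,cmd
  run_step 06_openfiles lsof -nP
  run_step 07_users     w
  run_step 08_modules   lsmod
  run_step 09_mounts    mount
  return 0
}

# Invoke with --run; sourcing the file without arguments only defines the functions.
if [ "${1:-}" = "--run" ]; then collect_volatile; fi
```

Every step writes only to `OUT_DIR`, and the log line for a step is produced after its output file is closed, so the hash covers exactly what was saved; a step whose tool is absent still leaves a SKIPPED line, which matters when you later have to explain why a given artefact is missing from the case.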