Evidence Acquisition
Collection
Evidence acquisition turns incident response activity into defensible facts. Collect the minimum data needed to answer the investigation question, preserve integrity with hashes and custody records, and avoid changing original evidence whenever possible.
Preserve Before You Poke
Capture volatile data (memory, network state, logged-in sessions, running processes) and document system state before containment actions such as isolation, reboot or reimage that would destroy it. Use write blockers for physical media, and record who approved any live-response collection, since running tools on the suspect host necessarily changes it.
Collection Decision Tree
Live Host
- Time, hostname, user sessions, network connections.
- Process list, services, scheduled tasks, persistence clues.
- Memory image when malware, credential theft, or fileless activity is suspected.
Disk or Cloud Volume
- Snapshot or forensic image before rebuild.
- Hash image and exported logs.
- Preserve metadata, labels, and source identifiers.
SaaS / Identity
- Export audit logs with UTC timestamps.
- Record query filters and retention windows.
- Store raw exports before enrichment.
Forensic Imaging and Verification
```bash
# Image from a trusted forensic environment (boot media or a hardware write
# blocker), never from the running suspect OS. dc3dd hashes the input as it
# reads and writes a log to attach to the manifest.
dc3dd if=/dev/sda of=/evidence/host01-disk.dd hash=sha256 log=/evidence/host01-dc3dd.log

# Plain dd fallback: noerror continues past unreadable sectors, sync pads them
# with zeros so offsets stay aligned. dd does not hash, so hash afterwards.
dd if=/dev/sda of=/evidence/host01-disk.raw bs=64K conv=noerror,sync status=progress
sha256sum /evidence/host01-disk.raw > /evidence/host01-disk.raw.sha256

# E01 acquisition with libewf; -d sha256 stores a SHA-256 alongside the default MD5
ewfacquire /dev/sda -t /evidence/host01-disk -f encase6 -c best -d sha256

# A whole-disk image is not directly mountable: attach it read-only via a loop
# device with partition scanning, then mount the partition you need. noload
# (ext3/ext4) skips journal replay so the mount writes nothing; XFS uses norecovery.
LOOP=$(losetup --find --show --read-only --partscan /evidence/host01-disk.raw)
mkdir -p /mnt/evidence
mount -o ro,noexec,noload "${LOOP}p1" /mnt/evidence

# Hash and inventory collected artifacts (excluding the manifest itself),
# then re-verify before analysis and again before delivery
find /evidence -type f ! -name SHA256SUMS.txt -print0 | sort -z | xargs -0 sha256sum > /evidence/SHA256SUMS.txt
sha256sum -c /evidence/SHA256SUMS.txt
```
Evidence Manifest Fields
```yaml
evidence_id: EV-2026-0001
case_id: IR-2026-042
source_system: host01.example.local
source_owner: endpoint-team
collection_type: disk_image
collector: analyst.name
approval: incident-commander.name
start_time_utc: 2026-05-26T18:05:00Z
end_time_utc: 2026-05-26T19:10:00Z
hash_sha256: <SHA256>
storage_location: encrypted-evidence-vault/path
handling_notes:
  - acquired using write blocker
  - original media returned to custodian
  - analysis performed on verified copy
```
Chain of Custody
- Unique evidence ID: Label physical media, images, exported logs, screenshots, and notes.
- Collector and custodian: Record names, roles, contact details, and transfer times.
- Integrity: Use SHA-256 for every file and re-verify before analysis and before delivery.
- Storage: Encrypt evidence at rest with access limited to the case team.
- Retention: Define deletion or legal hold requirements before closing the incident.
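The manifest fields and custody rules above can be enforced rather than just recorded. The following added example (not tooling from the original page) implements a custody transfer that refuses to proceed unless the evidence still matches its `SHA256SUMS.txt` manifest, then appends a tamper-evident entry to a custody log: each entry carries the SHA-256 of the previous line, so a deleted or edited entry breaks the chain, which `custody_verify` detects. The tab-separated log format, field order, genesis value and function names are this example's assumptions.

```sh
#!/bin/sh
# Added example: hash-verified custody transfers with a hash-chained log.
# Assumptions: manifest is in sha256sum format with paths relative to its own
# directory (as produced by the inventory step); log fields are tab-separated.
GENESIS="0000000000000000000000000000000000000000000000000000000000000000"

# custody_transfer MANIFEST LOG FROM TO ACTION
# Re-verifies every file in MANIFEST first; on mismatch logs nothing, returns 1.
custody_transfer() {
    manifest="$1"; log="$2"; from="$3"; to="$4"; action="$5"
    dir="$(dirname "$manifest")"
    if ! (cd "$dir" && sha256sum -c --quiet "$(basename "$manifest")") >/dev/null 2>&1; then
        echo "integrity check FAILED for $manifest; transfer refused" >&2
        return 1
    fi
    manifest_hash="$(sha256sum "$manifest" | cut -d' ' -f1)"
    # Chain link: SHA-256 of the previous log line (newline included), or GENESIS.
    if [ -s "$log" ]; then
        prev="$(tail -n 1 "$log" | sha256sum | cut -d' ' -f1)"
    else
        prev="$GENESIS"
    fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$action" "$from" "$to" \
        "$manifest_hash" "$prev" >> "$log"
}

# custody_verify LOG: walk the log and confirm each entry's last field equals
# the SHA-256 of the line before it. Returns 1 at the first broken link.
custody_verify() {
    log="$1"
    expected="$GENESIS"
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        prev="$(printf '%s\n' "$line" | awk -F'\t' '{print $NF}')"
        if [ "$prev" != "$expected" ]; then
            echo "custody chain broken at entry $n" >&2
            return 1
        fi
        expected="$(printf '%s\n' "$line" | sha256sum | cut -d' ' -f1)"
    done < "$log"
    return 0
}

# Usage:
#   custody_transfer /evidence/SHA256SUMS.txt /evidence/custody.log \
#       analyst.name evidence-vault acquired
#   custody_verify /evidence/custody.log
```

The chain only proves the log was not altered after the fact relative to its own earlier entries; store the log (or at least the hash of its last line) somewhere the case team cannot silently rewrite, such as a ticket comment or a write-once bucket, at each transfer.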