Quick Reference
Chain of custody = documented record of who handled evidence, when, and what was done with it.
Order of volatility = collect evidence in order from most volatile (RAM) to least (paper).
Write blocker = hardware/software that prevents modification of evidence during imaging.
Forensic image = bit-for-bit copy of storage media verified by hash.
Legal hold = suspension of normal data deletion in response to anticipated litigation.
e-Discovery = electronic discovery of data for legal proceedings.

What Is Digital Forensics?

Digital forensics is the process of identifying, preserving, collecting, analyzing, and presenting digital evidence in a manner that is legally admissible and scientifically sound. It's used in criminal investigations, civil litigation, insider threat investigations, and post-incident analysis after cyberattacks.

The Security+ exam tests digital forensics primarily in Domain 4 (Security Operations). The key principle that underlies all forensic work is: preserve the integrity of evidence. Forensic investigators must be able to prove that evidence was not altered after collection — otherwise it becomes inadmissible in court and unreliable for analysis.

The Forensic Process

🔍 Identification
Identify potential sources of evidence — which devices, logs, accounts, and data stores are relevant to the investigation. Scope the collection before touching anything.

🔒 Preservation
Secure and protect evidence from alteration. Establish chain of custody. Use write blockers. Take hashes to verify integrity. Isolate live systems if volatile evidence is present.

📥 Collection / Acquisition
Create forensic images of storage media. Capture volatile data (RAM, network state). Collect logs. All acquisition must follow the order of volatility to avoid losing transient data.

🔎 Analysis
Examine collected evidence to reconstruct events — file system analysis, memory analysis, log correlation, timeline reconstruction, malware identification.

📄 Reporting
Document findings in a clear, factual report that can withstand legal scrutiny. Include methodology, tools used, findings, and conclusions. Written for both technical and non-technical audiences.

⚖️ Presentation
Present findings in legal proceedings, management briefings, or incident reports. Expert witness testimony may be required in criminal or civil cases.

Chain of Custody

Chain of custody is the documented record that tracks who collected, handled, transferred, and analyzed a piece of evidence — from the moment it was identified through its final disposition. It's a legal requirement: without an unbroken, well-documented chain of custody, evidence can be challenged and excluded in court.

📝 Chain of Custody Documentation Must Include

Who collected the evidence and when.
What was collected (description, serial numbers, hash values).
Where it was collected from (physical location, device identifier).
How it was collected (tools and procedures used).
Who had access to it at each step.
Any transfers of custody (handoffs between analysts, transport to lab).
Storage conditions and location of the evidence.

A chain of custody form (also called an evidence log) accompanies every piece of evidence through the entire investigation. Every person who handles the evidence signs it. If there's a gap — an undocumented period where it's unclear who had the evidence — the chain is broken, and the evidence's integrity can be questioned. This is why evidence is typically stored in sealed, tamper-evident bags or containers.
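The gap rule above can be checked mechanically. The following is an added example, not part of the original article or any vendor tool: it models an evidence log as a list of entries and flags an undocumented handoff (a handler who was not the last recorded holder), a hash that drifts from the acquisition hash, and timestamps that run backwards. The names, locations, timestamps and image hash are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CustodyEntry:
    timestamp: datetime
    action: str          # "collected", "transferred", "analyzed", "stored"
    handler: str         # person who has the evidence when this entry is written
    recipient: str       # person who has it afterwards (differs from handler only on a transfer)
    location: str
    evidence_hash: str   # hash of the image as recorded at this step
    notes: str = ""


def verify_chain(entries, acquisition_hash):
    """Return a list of problems with the log; an empty list means the chain is unbroken."""
    problems = []
    if not entries:
        return ["log is empty"]
    if entries[0].action != "collected":
        problems.append("entry 0: log must begin with the collection event")
    holder = None
    previous = None
    for i, e in enumerate(entries):
        if previous is not None and e.timestamp < previous.timestamp:
            problems.append(f"entry {i}: timestamp earlier than entry {i - 1}")
        if e.evidence_hash != acquisition_hash:
            problems.append(f"entry {i}: recorded hash differs from the acquisition hash")
        # The person writing this entry must be the one the previous entry left holding the evidence
        if holder is not None and e.handler != holder:
            problems.append(f"entry {i}: gap, {e.handler} handled evidence last held by {holder}")
        holder = e.recipient
        previous = e
    return problems


# Constructed sample data: a hash of made-up image contents and timestamps on one day in UTC
IMAGE_HASH = hashlib.sha256(b"constructed forensic image contents").hexdigest()


def _t(hour, minute):
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


def good_chain():
    return [
        CustodyEntry(_t(9, 0), "collected", "Alice", "Alice", "Office 3B, workstation WS-042",
                     IMAGE_HASH, "imaged through a hardware write blocker, sealed in bag E-17"),
        CustodyEntry(_t(9, 30), "transferred", "Alice", "Bob", "Evidence locker", IMAGE_HASH),
        CustodyEntry(_t(13, 0), "analyzed", "Bob", "Bob", "Forensic lab", IMAGE_HASH, "worked from a verified copy"),
        CustodyEntry(_t(17, 0), "stored", "Bob", "Bob", "Evidence locker", IMAGE_HASH),
    ]


def broken_chain():
    """Carol analyzes the evidence although the log last shows Bob holding it: an undocumented handoff."""
    entries = good_chain()
    entries[2] = CustodyEntry(_t(13, 0), "analyzed", "Carol", "Carol", "Forensic lab", IMAGE_HASH)
    return entries


def tampered_chain():
    """The hash recorded at storage time no longer matches the acquisition hash."""
    entries = good_chain()
    other = hashlib.sha256(b"something else").hexdigest()
    entries[3] = CustodyEntry(_t(17, 0), "stored", "Bob", "Bob", "Evidence locker", other)
    return entries


if __name__ == "__main__":
    for name, chain in (("good", good_chain()), ("broken", broken_chain()), ("tampered", tampered_chain())):
        print(name, verify_chain(chain, IMAGE_HASH) or ["chain intact"])
```

The broken log produces two findings, not one: once Carol appears without a recorded transfer, Bob's later entry is also unexplained, which is exactly why a single undocumented period taints everything that follows it.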

Order of Volatility

Evidence must be collected in order from most volatile (lost soonest) to least volatile (persists longest). This is called the order of volatility and is a foundational forensic principle — RFC 3227 defines it. If you collect the hard drive image first while ignoring RAM, you've already lost all the volatile in-memory evidence.

Order | Evidence Source | Why It Is Volatile
1st | CPU registers and cache | Lost immediately if power is cut (nanoseconds)
2nd | RAM (system memory) | Lost when the system powers off; contains running processes, encryption keys, network connections
3rd | Network state / ARP cache | Active connections, routing tables, open sockets; changes constantly
4th | Running processes | Process list, handles, environment variables; lost on reboot
5th | Disk / storage | Files, registry, logs; persists but can be overwritten
6th | Remote / external logs | SIEM, syslog server; retained per log retention policy
7th | Physical media / paper | Backups, printed documents; most persistent

⚠️ Live vs Dead Acquisition

Live acquisition: System is still running — necessary to capture volatile data (RAM, network connections, running processes). Risk: normal system activity may slightly alter disk data during collection. Required when volatile evidence matters.

Dead (post-mortem) acquisition: System is powered off before imaging. Volatile data is lost, but disk contents are static and easier to image without alteration. Traditional forensic approach.

The trade-off: live acquisition gives more data but slightly less disk integrity. Modern forensics often favors live acquisition for its richer evidence, especially in malware investigations.

Forensic Acquisition and Write Blockers

When imaging storage media, forensic investigators must prevent any writes to the source device — even the act of connecting a drive to a computer can cause the OS to modify it (updating last-accessed timestamps, writing swap data). This is why write blockers are essential.

Concept | Description
Write blocker | Hardware or software device that allows reading from storage media while preventing any writes. Ensures the original evidence is not modified during imaging. Hardware write blockers are preferred for legal proceedings.
Forensic image | A bit-for-bit, sector-by-sector copy of an entire storage device, including deleted files, slack space, and unallocated space. More complete than a file-level backup. Common formats: DD (raw image), E01 (EnCase), AFF.
Hash verification | MD5 or SHA-256 hash computed on the source drive and the forensic image; if the hashes match, the image is a perfect, unmodified copy. This cryptographic proof of integrity is essential for evidence admissibility.
Memory acquisition | Capture of RAM contents to a file for analysis. Tools: FTK Imager (live capture), Volatility (analysis). Reveals running processes, encryption keys, network connections, and fileless malware that never touches disk.
Steganography | Hiding data within other files (images, audio). Forensic investigators look for steganography as a method adversaries use to exfiltrate data or hide evidence. Detection tools analyze file structure for anomalies.
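Hash verification in practice means hashing the source and the image independently, in a streaming fashion so a multi-gigabyte drive never has to fit in memory, and recording both values on the chain-of-custody form. The script below is an added example, not from the article or from FTK or any other tool named on the page: it builds a constructed "source drive", a faithful image and an image with a single flipped bit, then shows that SHA-256 accepts the first and rejects the second. The `hash_media` and `verify_image` functions are this example's own; the path arguments would be a block device such as `/dev/sdb` or a `.dd` file in real use.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB per read, so a multi-gigabyte image never has to fit in RAM
SHA256_OF_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # published test vector


def hash_media(path, algorithm="sha256"):
    """Stream a block device or image file through a hash; works on /dev/sdX or a .dd file alike."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(source_path, image_path, algorithm="sha256"):
    """Hash source and image independently and report whether they agree.

    Both values are returned so they can be copied onto the chain-of-custody form;
    a hash read from a cached file is never trusted in place of recomputing it.
    """
    source_hash = hash_media(source_path, algorithm)
    image_hash = hash_media(image_path, algorithm)
    return {"match": source_hash == image_hash,
            "source_hash": source_hash,
            "image_hash": image_hash}


def build_constructed_media(directory):
    """Create a constructed 'source drive', a faithful image, and an image with one flipped bit."""
    data = bytes(range(256)) * 4097          # just over 1 MiB, so the read loop crosses a chunk boundary
    tampered = bytearray(data)
    tampered[777] ^= 0x01                    # the kind of change an unblocked OS write could cause
    paths = {}
    for name, content in (("source.bin", data), ("image_good.dd", data), ("image_bad.dd", bytes(tampered))):
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as f:
            f.write(content)
    paths["abc.bin"] = os.path.join(directory, "abc.bin")   # known-answer input for a self-check
    with open(paths["abc.bin"], "wb") as f:
        f.write(b"abc")
    return paths


def demo():
    """Run the verification against the constructed media and return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        p = build_constructed_media(d)
        good = verify_image(p["source.bin"], p["image_good.dd"])
        bad = verify_image(p["source.bin"], p["image_bad.dd"])
        return {"good_image_matches": good["match"],
                "tampered_image_matches": bad["match"],
                "hash_self_check": hash_media(p["abc.bin"]) == SHA256_OF_ABC,
                "hashes_differ": good["source_hash"] != bad["image_hash"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A one-bit difference in a megabyte of data changes the whole digest, which is what makes the matching-hash claim meaningful. The page lists MD5 alongside SHA-256; MD5 collisions are practical today, so when only one digest is recorded it should be SHA-256, and many examiners record both so that older tooling can still cross-check.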

Common Forensic Tools

🖼️ FTK (Forensic Toolkit)
Commercial forensic suite by AccessData. Disk imaging, file carving, email analysis, password cracking, registry analysis. FTK Imager (free version) widely used for acquisitions.

🔮 Autopsy / Sleuth Kit
Open-source forensic platform. GUI (Autopsy) and command-line tools (Sleuth Kit). File system analysis, keyword search, timeline analysis, hash filtering. Industry standard for cost-effective forensics.

💾 Volatility
Open-source memory forensics framework. Analyzes RAM dumps to extract running processes, network connections, loaded drivers, injected code, and encryption keys. Essential for malware analysis.

🌐 Wireshark
Network packet capture and analysis. Used in forensics to analyze network traffic captures (PCAP files) and reconstruct communications, identify C2 channels, extract transferred files.

Legal Hold and e-Discovery

Digital forensics doesn't only happen after an attack — it's also triggered by legal proceedings. Two closely related concepts appear on Security+:

Concept | What It Means | Who Initiates
Legal hold | A directive to suspend all normal data deletion or modification for data that may be relevant to anticipated or active litigation. Overrides standard data retention/deletion policies. Also called a "litigation hold" or "preservation order." | Legal counsel, compliance team, HR; anyone who anticipates litigation
e-Discovery | The process of identifying, collecting, and producing electronically stored information (ESI) in response to a legal request (subpoena, court order). Emails, documents, databases, logs: all can be subject to e-discovery. | Courts, opposing counsel, regulatory agencies
Chain of custody | Required during e-discovery to demonstrate evidence hasn't been tampered with between collection and production to opposing counsel or court. | IT / legal team handling the collection
💡 Spoliation

Spoliation is the intentional or negligent destruction, alteration, or failure to preserve evidence that may be relevant to litigation. If an organization destroys data after receiving notice of a lawsuit (or when litigation was reasonably foreseeable), courts can impose sanctions — including adverse inference (telling the jury to assume the destroyed evidence was unfavorable) or default judgment. A legal hold is the primary mechanism to prevent spoliation.

Exam Scenarios

A forensic analyst responds to a compromised workstation that is still powered on. What data should they collect FIRST, and why?
RAM (system memory) — first per the order of volatility. RAM contains the most volatile evidence: running processes, active network connections, encryption keys in use, and potentially malicious code that never touched disk. If the analyst images the hard drive first or powers off the machine, this data is permanently lost. The analyst should use a tool like FTK Imager to capture a memory dump before proceeding to disk imaging.
After imaging a suspect hard drive, a forensic analyst must demonstrate to the court that the forensic image is a perfect copy and was not modified. What technique proves this?
Hash verification — computing and comparing hash values (MD5 or SHA-256). The analyst computes a cryptographic hash of the original drive and the forensic image immediately after imaging. If both hashes are identical, the image is mathematically proven to be an exact, unaltered copy. This hash value is documented in the chain of custody and is the accepted legal standard for proving forensic image integrity.
A company receives notice that it is the subject of a lawsuit. The legal team tells IT to ensure that no relevant emails or documents are deleted. What is this directive called?
Legal hold (also called litigation hold or preservation order). A legal hold suspends normal data deletion policies for data that may be relevant to the anticipated litigation. IT must configure email systems, file servers, and any other relevant data stores to preserve the data in question. Failure to comply — whether intentional or accidental — can constitute spoliation, which carries serious legal consequences.
A forensic investigator needs to image a hard drive without risk of accidentally writing to the original evidence. What device should they use?
A write blocker (hardware write blocker preferred). A write blocker sits between the evidence drive and the forensic workstation, physically preventing any write commands from reaching the source device while allowing reads. Hardware write blockers are preferred over software write blockers for legal proceedings because they provide a physical guarantee that no writes occurred. The analyst then uses a forensic imaging tool (FTK Imager, dd) to create a bit-for-bit image.