Digital Forensics Basics
Forensics answers what actually happened: how the attacker got in, what they touched, what they took, and whether they are truly gone — reconstructed from the evidence they left. It has hard rules, because evidence is fragile and may end up in court: preserve it before you analyze it, work on copies, keep a chain of custody, and collect in order of volatility.
This topic teaches the defender-level forensics needed to investigate Meridian's incident without destroying the very evidence that explains it — the discipline that separates a real reconstruction from a well-intentioned guess.
Preserve Before You Analyze
The first responder's job is to preserve, not investigate. Touching a live system changes it, so you capture evidence before poking around, and you always analyze copies verified against a hash, never the original. The instinct to "just look" on the live box is exactly what contaminates the data you will later need, which is why preservation comes first, always.
Order of Volatility
Collect the most ephemeral evidence first: memory and running state (gone at power-off) before disk, before logs, before backups. Pulling the plug to "preserve" a machine destroys the volatile evidence that often matters most — the fileless malware, the encryption keys, the live network connections that only exist in RAM. Order of volatility is the rule that keeps you from throwing away the best evidence by reflex.
Building the Timeline
Correlate filesystem timestamps, logs (Chapter 10), memory artifacts, and network data into one chronology of the attack. The timeline is the deliverable that answers "how did this unfold," and synchronized clocks (Chapter 10) are what make it possible — which is why the logging discipline of the previous chapter pays off precisely here, when you are reconstructing events across many systems.
Chain of Custody and Integrity
Document who handled what evidence when, and hash everything so its integrity is provable. If the incident becomes legal, sloppy custody makes the evidence worthless — so the discipline matters even when court seems unlikely, because you rarely know at the start which incidents will end there. Treat every investigation as potentially legal until proven otherwise, and combine memory and disk forensics, memory first.
Live / memory forensics — capture volatile state from a running system: running processes, injected or fileless malware (Chapter 8), network connections, keys in RAM. Essential, but changes the system slightly.
Dead / disk forensics — analyze a powered-off copy: thorough, repeatable, court-friendly, but loses everything that lived only in memory. Modern incidents need both, memory first (order of volatility).
- Investigating on the live original system, altering the evidence and contaminating the very data you need.
- Powering off a machine to "preserve" it, destroying the volatile memory evidence — fileless malware, keys, connections — that is often decisive.
- No chain of custody or integrity hashing, so the evidence cannot be trusted or used if the incident goes legal.
- Skipping the timeline and jumping to conclusions, missing the actual entry point and scope.
- Relying on disk forensics alone and losing everything that existed only in memory.
- Preserve first: capture in order of volatility (memory before disk), work on hash-verified copies, never the original.
- Maintain chain of custody and hash all evidence, treating every incident as potentially legal until proven otherwise.
- Build a synchronized-clock timeline correlating host, log, and network evidence to reconstruct the attack end to end.
- Combine memory and disk forensics, and let the forensic scope — not a guess — drive eradication (next topic).
- Capture volatile state before any action that would destroy it, including power-off.
Knowledge Check
Why must a first responder preserve evidence before investigating a compromised system?
- Touching it changes it, so you analyze hash-verified copies
- Investigating the live system first makes the analysis faster
- The original evidence cannot be read without preserving it
- Preservation encrypts the seized evidence for safe transport
Why does "order of volatility" mean capturing memory before pulling the plug?
- Fileless malware, keys, and live connections exist only in RAM
- Disk evidence disappears the moment power is cut
- Memory is easier to hash than disk
- Pulling the plug permanently corrupts the whole disk filesystem
Why maintain chain of custody even when a court case seems unlikely?
- You rarely know at the start which incidents become legal, and sloppy custody makes the evidence worthless if one does
- Chain of custody speeds up the forensic analysis
- It is only required for ransomware incidents
- It encrypts the evidence automatically
You got correct