Digital Forensics Guide


Introduction

Digital forensics is the practice of identifying, preserving, analyzing, and presenting digital evidence in a legally admissible manner. It bridges the gap between technical investigation and legal proceedings, making proper methodology — and meticulous documentation — every bit as important as the technical tools used.

Evidence Acquisition

Acquisition is the most critical phase. Improper handling can render evidence inadmissible or destroy it entirely.

Order of Volatility

Digital evidence must be collected from the most volatile to the least volatile:


1. **CPU registers, cache** — lost at power-off
2. **RAM contents** — lost within seconds of power loss
3. **Network connections and process tables** — transient state
4. **System processes** — disappear with shutdown
5. **Disk storage** — persistent
6. **Remote logs and archival media** — off-device persistent




```bash
# Memory acquisition with LiME on Linux (module must be built for the running kernel)
insmod lime.ko "path=/evidence/memory.dump format=lime"

# Memory acquisition with WinPmem on Windows (the output file is a positional argument)
winpmem_mini_x64_rc2.exe memory.raw

# Capture process, network and open-file state from the live system, in that order
ps aux > /evidence/processes.txt
netstat -anp > /evidence/network_connections.txt
lsof > /evidence/open_files.txt
```





Disk Acquisition

```bash
# Create a forensic image with dd (source attached through a write-blocker).
# conv=noerror,sync zero-fills unreadable blocks, so on a failing disk the image
# hash will legitimately differ from the device hash; record every read error.
sudo dd if=/dev/sda of=/evidence/sda.dd bs=4M conv=noerror,sync status=progress

# Verify image integrity: hash the source device and the image, then compare
sudo sha256sum /dev/sda > /evidence/sda.hash
sha256sum /evidence/sda.dd >> /evidence/sda.hash

# Physical acquisition into a forensic container (EWF). Guymager does this from
# its GUI; ewfacquire from libewf is the command-line equivalent, with the case
# metadata embedded in the container and a SHA-256 digest stored alongside.
ewfacquire -u -t /evidence/sda -f encase6 -d sha256 \
  -C "Case-2026-001" -E "Evidence Item 1" /dev/sda
```





Chain of Custody

Chain of custody documents every interaction with evidence from collection to courtroom presentation. Every transfer must be logged with date, time, handler identity, purpose, and hash verification.




```yaml
chain_of_custody:
  item_id: "EVID-2026-001"
  description: "Seized laptop, Dell Latitude 5540, S/N ABC123"

  custody_events:
    - date: "2026-05-10T09:15:00Z"
      handler: "Officer Jane Smith, Badge 4512"
      action: "Seized and logged at scene"
      hash: "sha256: a1b2c3d4e5..."
      notes: "Device was powered on. Immediately performed memory capture."

    - date: "2026-05-10T11:30:00Z"
      handler: "Officer Jane Smith -> Analyst John Doe"
      action: "Transferred to forensics lab"
      hash_verified: true
      notes: "Transport in locked evidence bag, property receipt #8823"

    - date: "2026-05-11T08:00:00Z"
      handler: "Analyst John Doe"
      action: "Forensic imaging commenced"
      hash_verified: true
      notes: "Write-blocker engaged. Imaging to EWF container."
```
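The "hash verification" column in that record is only meaningful if somebody re-hashes the image at each hand-off and writes the outcome down, mismatch included. The following is an added example, not part of the guide: it streams a SHA-256 over an image, compares it with the hash recorded at acquisition, and appends the result as a custody event in the layout above. The handler names, the `EVID-2026-001` item id and the sample image bytes in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=4 * 1024 * 1024):
    # Stream the image in 4 MiB chunks: evidence files are far larger than RAM.
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_verification(ledger, handler, image_path, acquisition_hash, action):
    # Re-hash the image, compare it with the hash taken at acquisition and append
    # the result as a custody event. A mismatch is recorded too (hash_verified: false)
    # rather than aborting silently, so the break in custody is itself evidence.
    actual = sha256_file(image_path)
    event = {
        "date": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "handler": handler,
        "action": action,
        "hash": "sha256: " + actual,
        "hash_verified": actual == acquisition_hash.lower(),
    }
    if not event["hash_verified"]:
        event["notes"] = "MISMATCH: acquisition hash was sha256: " + acquisition_hash
    ledger["custody_events"].append(event)
    return event


def demo():
    # Constructed walk-through: write a fake image, verify it, corrupt it, re-verify.
    data = b"\x00" * 4096 + b"constructed sample evidence" + b"\xff" * 4096
    image = os.path.join(tempfile.mkdtemp(), "sda.dd")
    with open(image, "wb") as fh:
        fh.write(data)
    acquisition_hash = hashlib.sha256(data).hexdigest()  # what sha256sum /dev/sda logged
    ledger = {"item_id": "EVID-2026-001", "custody_events": []}
    first = record_verification(ledger, "Analyst John Doe", image, acquisition_hash,
                                "Image received at lab, hash re-verified")
    with open(image, "ab") as fh:
        fh.write(b"\x00")  # one appended byte: the image no longer matches
    second = record_verification(ledger, "Analyst John Doe", image, acquisition_hash,
                                 "Re-verified before analysis")
    return ledger, first, second
```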





Forensic Analysis with Autopsy and FTK

Autopsy (Sleuth Kit GUI)

Autopsy is the most widely used open-source forensic platform. It provides timeline analysis, file system parsing, keyword search, and module extensibility.




```python
# Autopsy Python (Jython 2.7) file ingest module; Autopsy loads it through the factory class
from org.sleuthkit.datamodel import BlackboardArtifact, BlackboardAttribute
from org.sleuthkit.autopsy.ingest import IngestModule, FileIngestModule, IngestModuleFactoryAdapter

THREAT_INTEL_HASHES = set()  # placeholder: lower-case MD5 hashes from your threat-intel feed


class CustomAnalysisModule(FileIngestModule):
    MODULE_NAME = "Custom Analysis"

    def process(self, f):  # called once per file; return OK so ingest continues
        if f.getName().lower().endswith('.encrypted'):
            self.flag_file(f, "Suspicious encrypted file")
        # Check for known malware hashes (MD5 is filled in by the Hash Lookup module, else None)
        file_hash = f.getMd5Hash()
        if file_hash and file_hash.lower() in THREAT_INTEL_HASHES:
            self.flag_file(f, "Known malware: " + file_hash)
        return IngestModule.ProcessResult.OK

    def flag_file(self, f, set_name):  # post an Interesting File Hit under the given set name
        art = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
        art.addAttribute(BlackboardAttribute(
            BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, self.MODULE_NAME, set_name))


class CustomAnalysisModuleFactory(IngestModuleFactoryAdapter):
    def getModuleDisplayName(self): return CustomAnalysisModule.MODULE_NAME
    def getModuleDescription(self): return "Flags .encrypted files and known-bad hashes"
    def getModuleVersionNumber(self): return "1.0"
    def isFileIngestModuleFactory(self): return True
    def createFileIngestModule(self, settings): return CustomAnalysisModule()
```





FTK (Forensic Toolkit)

FTK provides enterprise-grade forensic analysis with robust indexing, carving, and reporting.




```bash
# FTK Imager command-line edition: image a partition to an E01 container and verify it
ftkimager /dev/sda1 /evidence/sda1_image --e01 --verify \
  --case-number "Case-2026" --evidence-number "Item 1"

# FTK Loader for processing
ftkloader --case="Case-2026" --evidence="/evidence/sda1_image.E01" \
  --index --carve
```





File Carving and Recovery

File carving recovers data from unallocated space without filesystem metadata.




```bash
# Foremost: carve files by header/footer signatures (the output directory must be empty)
foremost -i /evidence/disk.dd -o /evidence/carved/foremost/

# Scalpel: configuration-based carving. Uncomment the wanted file types in
# scalpel.conf first; the image is a positional argument (-i expects a list of images)
scalpel -c /etc/scalpel/scalpel.conf -o /evidence/carved/scalpel/ /evidence/disk.dd

# Bulk Extractor: parallelized extraction of e-mail addresses, URLs, card numbers, etc.
bulk_extractor -o /evidence/bulk/ /evidence/disk.dd
```
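What foremost and scalpel do under the hood is a header/footer scan over raw bytes. The carver below is an added example, not code from the guide or from either tool: it uses the real JPEG and PNG magic bytes, walks a buffer for each header, cuts the file out at the next matching footer, and skips headers whose footer was overwritten. The "disk" in `demo()` is constructed.

```python
# name -> (header magic, footer magic); real JPEG and PNG signatures
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_FILE_SIZE = 20 * 1024 * 1024  # stop looking for a footer 20 MiB past the header


def carve(buf, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    # Scan raw bytes (a dd image or its unallocated space) for every known header and
    # cut each file out at the first matching footer; no filesystem metadata is used.
    # Returns (type, offset, data) tuples ordered by offset.
    found = []
    for kind, (header, footer) in signatures.items():
        pos = buf.find(header)
        while pos != -1:
            end = buf.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = buf.find(header, pos + 1)  # header with no footer: overwritten or truncated
                continue
            end += len(footer)
            found.append((kind, pos, buf[pos:end]))
            pos = buf.find(header, end)  # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])


def demo():
    # Constructed "unallocated space": a PNG-shaped blob, a JPEG-shaped blob and a
    # JPEG header whose footer was overwritten, separated by zeroed sectors.
    png_hdr, png_ftr = SIGNATURES["png"]
    jpg_hdr, jpg_ftr = SIGNATURES["jpg"]
    png = png_hdr + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 17 + png_ftr
    jpg = jpg_hdr + b"\xe0" + b"\x22" * 40 + jpg_ftr
    orphan = jpg_hdr + b"\xe1" + b"\x33" * 16
    disk = b"\x00" * 512 + png + b"\x00" * 100 + jpg + b"\x00" * 64 + orphan + b"\x00" * 256
    return carve(disk), png, jpg
```

The first `FF D9` after a JPEG header may belong to an embedded EXIF thumbnail, which is why signature carvers sometimes return truncated images; fragmented files need smarter (file-structure aware) carving.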





Timeline Analysis

Timeline construction correlates file system events, logs, and artifacts to reconstruct incident sequences.




```bash
# Create a body file with fls; -m sets the mount-point prefix recorded in the paths
fls -r -m / /evidence/disk.dd > /evidence/body.txt

# Generate a CSV timeline from the body file with Sleuth Kit's mactime
mactime -b /evidence/body.txt -d > /evidence/timeline.csv

# Plaso (log2timeline) also parses logs, registry hives, browser history and more;
# write its output to a separate file so the mactime timeline is not overwritten
log2timeline.py --storage-file /evidence/timeline.plaso /evidence/disk.dd
psort.py -o dynamic -w /evidence/timeline_plaso.csv /evidence/timeline.plaso
```
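To see what mactime does with the body file, here is an added example (not part of the guide or of The Sleuth Kit) that parses the pipe-separated body format `fls -m` produces, turns each non-zero timestamp into an event, and collapses events of one file at one instant into a single row with MACB flags, the way mactime presents them. The three body lines in `SAMPLE_BODY` are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed body lines in the format `fls -m /` emits (TSK 3.x body file):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/home/user/.bash_history|1234|r/rrw-------|1000|1000|512|1715330000|1715330000|1715330000|1715000000
0|/tmp/.x (deleted)|5678|r/rrwxr-xr-x|0|0|204800|1715329900|1715329800|1715329800|1715329800
0|/etc/shadow|99|r/rrw-r-----|0|0|1400|1715329950|1715329850|1715329850|1700000000
"""


def parse_body(text):
    # One event per non-zero timestamp, tagged with its MACB letter
    # (m=modified, a=accessed, c=metadata changed, b=born/created).
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = line.split("|")
        rec = {"name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid, "size": size}
        for letter, ts in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if int(ts) > 0:  # zero means the filesystem has no such timestamp
                events.append((int(ts), letter, rec))
    return events


def build_timeline(events):
    # Sort chronologically and collapse events of one file at one instant into a
    # single row with a MACB flag string; columns match `mactime -d` output.
    letters = defaultdict(set)
    recs = {}
    for ts, letter, rec in events:
        letters[(ts, rec["inode"])].add(letter)
        recs[(ts, rec["inode"])] = rec
    rows = []
    for key in sorted(letters):
        ts, inode = key
        rec = recs[key]
        macb = "".join(flag if flag in letters[key] else "." for flag in "macb")
        date = datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append([date, rec["size"], macb, rec["mode"], rec["uid"], rec["gid"], inode, rec["name"]])
    return rows
```

Rows where only the "b" flag is set long before the first "m" or "a" (as for /etc/shadow here) are the kind of gap a timeline makes visible: the file was created well before any recorded activity, so the later events stand out as the incident window.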





Conclusion

Digital forensics demands rigorous methodology above all else. Preserve evidence according to the order of volatility, maintain an unbroken chain of custody, use write-blockers during acquisition, verify hashes at every stage, and document everything. The technical skills to use Autopsy, FTK, and command-line tools are essential — but they are useless without proper forensic process.