What You'll Learn
- Apply the Order of Volatility to prioritize evidence collection during a live incident
- Document a proper chain of custody for digital evidence
- Use Velociraptor to collect volatile data from a live Windows endpoint
- Capture memory, network connections, running processes, and logged-on users
- Produce a timestamped evidence collection log suitable for legal proceedings
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-velociraptor |
| Containers | Velociraptor Server, Velociraptor Client (Windows endpoint) |
| Estimated Time | 45–55 minutes |
| Difficulty | Intermediate |
| Browser Access | Velociraptor Web UI |
| Pre-Loaded Data | Simulated compromise artifacts on Windows endpoint |
| Deliverable | Evidence collection log with timestamps and chain of custody documentation |
Why Evidence Collection Matters. In digital forensics, how you collect evidence is just as important as what you find. Improper collection can destroy volatile data, break chain of custody, and render evidence inadmissible. This lab teaches the disciplined, methodical approach that separates forensic investigators from casual responders.
The Scenario
Your organization's IDS triggered an alert on a Windows workstation (WIN-ENDPOINT-01). The SOC has confirmed suspicious outbound connections and elevated process activity. You've been assigned as the forensic investigator. Your job is to collect volatile evidence in the correct order before the endpoint is isolated — every second counts, because volatile data disappears when the system powers off or reboots.
You must document everything: what you collected, when, how, and maintain an unbroken chain of custody.
Part 1: Understanding Order of Volatility
The Volatility Hierarchy
Digital evidence has a "shelf life." Some data persists for years on disk; other data vanishes in milliseconds. The Order of Volatility (RFC 3227) dictates collection priority:
| Priority | Evidence Type | Volatility | Example |
|---|---|---|---|
| 1 | CPU registers & cache | Nanoseconds | Register contents, L1/L2 cache |
| 2 | Memory (RAM) | Seconds–minutes | Running processes, encryption keys, malware in memory |
| 3 | Network state | Seconds–minutes | Active connections, routing tables, ARP cache |
| 4 | Running processes | Minutes | Process list, open handles, loaded DLLs |
| 5 | Disk (temporary) | Hours–days | Temp files, swap/pagefile, prefetch |
| 6 | Disk (persistent) | Months–years | File system, registry hives, event logs |
| 7 | Backups & archives | Years | Tape backups, cloud snapshots |
Collect Most Volatile First. Always start at the top. If you image the disk first (Priority 6) while ignoring network connections (Priority 3), those connections will be gone by the time you look for them. Memory-resident malware will never touch disk — if you don't capture RAM, you'll never find it.
Exercise: Rank the Evidence
Before touching the endpoint, rank these items by collection priority:
- Browser download history
- Active TCP connections
- Contents of RAM
- Windows Event Logs
- Running processes with command-line arguments
Write your ranking in your evidence log. (Correct order: 3 → 2 → 5 → 1 → 4)
Part 2: Setting Up Your Evidence Log
Create Your Collection Template
Before collecting anything, prepare your documentation. Open a text editor and create this template:
DIGITAL EVIDENCE COLLECTION LOG
════════════════════════════════
Case ID: IR-2026-[today's date]
Examiner: [your name]
Date/Time Start: [UTC timestamp]
Endpoint: WIN-ENDPOINT-01
Reason: IDS alert — suspicious outbound connections
CHAIN OF CUSTODY
────────────────
Date/Time | Action | Examiner | Description
----------|--------|----------|------------
[UTC] | BEGIN | [name] | Evidence collection initiated
Chain of Custody Principles
Every piece of evidence must have an unbroken record of:
- Who collected it
- When it was collected (UTC timestamps)
- How it was collected (tool, method, command)
- Where it was stored
- Integrity verification (hash values)
Always Use UTC. Forensic timestamps must be in UTC to avoid timezone confusion. If the attacker is in a different timezone from the examiner, local times create ambiguity. UTC is the universal standard for forensic evidence.
Part 3: Collecting Volatile Data with Velociraptor
Step 1: Connect to Velociraptor
- Open the Velociraptor Web UI from your lab environment
- Navigate to the client list — you should see WIN-ENDPOINT-01 connected
- Click on the client to open its details
Step 2: Collect Network State (Priority 3)
Network connections are highly volatile — they disappear when a process closes or the attacker disconnects.
- Navigate to the Collected Artifacts tab
- Click New Collection
- Search for and select: Windows.Network.Netstat
- Launch the collection
Document in your log:
[UTC] | COLLECT | [name] | Network connections via Windows.Network.Netstat
Hash: [note the flow ID]
Results: [number of active connections]
Notable: [any suspicious external IPs or unusual ports]
Review the results. Look for:
- Connections to unusual external IP addresses
- Processes with connections on non-standard ports
- Any connections to known-bad IP ranges
Step 3: Collect Running Processes (Priority 4)
- Create a new collection
- Select: Windows.System.Pslist
- Launch the collection
Document in your log and look for:
- Processes running from unusual paths (e.g., C:\Users\Public\, C:\Temp\)
- Processes with suspicious parent-child relationships
- Processes with encoded or obfuscated command-line arguments
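As an added example (not part of the lab materials or Velociraptor's own code), a Python triage pass over constructed Windows.System.Pslist rows that applies the three checks above. The row field names (Pid, Ppid, Name, Exe, CommandLine) and the baseline rule that svchost.exe is normally started by services.exe are assumptions.

```python
import json
import re

# Constructed sample rows shaped like Windows.System.Pslist output
# (field names assumed: Pid, Ppid, Name, Exe, CommandLine). Not real lab data.
SAMPLE_PSLIST = json.dumps([
    {"Pid": 4, "Ppid": 0, "Name": "System", "Exe": "", "CommandLine": ""},
    {"Pid": 700, "Ppid": 600, "Name": "services.exe",
     "Exe": r"C:\Windows\System32\services.exe", "CommandLine": "services.exe"},
    {"Pid": 900, "Ppid": 700, "Name": "svchost.exe",
     "Exe": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Pid": 3120, "Ppid": 2800, "Name": "svchost.exe",
     "Exe": r"C:\Users\Public\svchost.exe", "CommandLine": "svchost.exe"},
    {"Pid": 3300, "Ppid": 2800, "Name": "powershell.exe",
     "Exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
])

# Paths from the lab text that legitimate system binaries should not run from.
UNUSUAL_PATH_PREFIXES = ("c:\\users\\public\\", "c:\\temp\\")
# Assumed baseline rule: svchost.exe is normally spawned by services.exe.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}
# PowerShell's encoded-command switch and its common abbreviations.
ENCODED_ARG = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)

def triage_pslist(pslist_json):
    """Return (Pid, reason) findings worth noting in the evidence log."""
    rows = json.loads(pslist_json)
    by_pid = {r["Pid"]: r for r in rows}
    findings = []
    for r in rows:
        if r["Exe"].lower().startswith(UNUSUAL_PATH_PREFIXES):
            findings.append((r["Pid"], "unusual path: " + r["Exe"]))
        expected = EXPECTED_PARENT.get(r["Name"].lower())
        parent = by_pid.get(r["Ppid"])
        if expected and (parent is None or parent["Name"].lower() != expected):
            actual = parent["Name"] if parent else "<missing>"
            findings.append((r["Pid"], f"unexpected parent: {actual} (expected {expected})"))
        if ENCODED_ARG.search(r["CommandLine"]):
            findings.append((r["Pid"], "encoded command line"))
    return findings
```

The missing parent for Pid 3120 is itself a finding: a process whose parent has already exited is common for tools that spawn a payload and quit.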
Step 4: Collect Logged-On Users
- Create a new collection
- Select: Windows.Sys.Users
- Launch the collection
Document in your log and identify:
- Which accounts are currently logged on
- Any unexpected service accounts or admin sessions
- Remote logon sessions (RDP, network logons)
Step 5: Collect Process Memory (Targeted)
For any suspicious processes identified in Step 3:
- Create a new collection
- Select: Windows.Memory.Acquisition, or target specific process memory
- Launch the collection
Full Memory Dumps Are Large. A full RAM dump can be 4-16 GB. In a lab environment, target specific suspicious processes rather than dumping all memory. In production, you'd use dedicated memory acquisition tools (WinPmem, FTK Imager) for full dumps.
Part 4: Collecting Persistent Evidence
Step 6: Collect System Information
- Select: Windows.Sys.Info
- Launch the collection
This gives you the baseline: OS version, hostname, timezone, last boot time. Critical for your report.
Step 7: Collect Prefetch Files
- Select: Windows.Forensics.Prefetch
- Launch the collection
Prefetch files prove program execution. Document:
- Any suspicious executables in the Prefetch results
- Execution counts and timestamps
- Executables that match your process findings from Step 3
Step 8: Collect Recent File Activity
- Select: Windows.Forensics.RecentApps
- Launch the collection
This reveals recently accessed files and applications.
Part 5: Evidence Integrity and Finalization
Hash Everything
For each collection you've completed:
- Note the Velociraptor Flow ID (this uniquely identifies each collection)
- Record the collection start and completion timestamps
- Document the result count for each artifact
Complete Your Chain of Custody
Add a final entry:
[UTC] | END | [name] | Evidence collection completed. 7 artifacts collected.
Total Collections: 7
Flow IDs: [list all]
Endpoint Status: [still running / isolated]
Next Steps: [analysis phase / handoff to senior examiner]
Evidence Storage
In a real investigation, you would:
- Export all collections from Velociraptor
- Store in a write-protected evidence container
- Generate SHA-256 hashes of all exported files
- Store hashes separately from evidence
- Restrict access to authorized examiners only
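As an added example, not part of the lab materials, a Python chain-of-custody helper that ties the log template from Part 2 to the integrity steps above: UTC timestamps on every entry, a SHA-256 hash of each exported collection, a hash manifest kept apart from the log, and a re-verification that reports any file changed after export. The case ID, flow ID and export file it uses are constructed values.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def utc_now():
    # Forensic timestamps are always UTC, written as ISO 8601 with a Z suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def sha256_file(path):
    # Stream the file so a multi-GB memory dump never has to fit in RAM.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class CustodyLog:
    """Append-only chain of custody: who, when, how, where, integrity hash."""
    def __init__(self, case_id, examiner):
        self.case_id, self.examiner, self.entries = case_id, examiner, []
        self.add("BEGIN", "Evidence collection initiated")

    def add(self, action, description, **fields):
        self.entries.append({"time": utc_now(), "action": action, "examiner": self.examiner,
                             "description": description, **fields})

    def record_export(self, flow_id, artifact, exported_path):
        # Hash the exported collection at export time and record where it is stored.
        digest = sha256_file(exported_path)
        self.add("EXPORT", f"{artifact} exported from flow {flow_id}",
                 flow_id=flow_id, path=str(exported_path), sha256=digest)
        return digest

    def verify(self):
        # Re-hash every exported file; any path returned was modified after export.
        return [e["path"] for e in self.entries
                if e["action"] == "EXPORT" and sha256_file(e["path"]) != e["sha256"]]

    def hash_manifest(self):
        # The manifest is written to a separate location from the evidence and log.
        return {e["path"]: e["sha256"] for e in self.entries if e["action"] == "EXPORT"}

def demo():
    # Self-check on a constructed export file (not real lab data): record, tamper, re-verify.
    path = str(Path(tempfile.mkdtemp()) / "Windows.Network.Netstat.json")
    Path(path).write_text('{"constructed": "sample export"}')
    log = CustodyLog("IR-2026-CONSTRUCTED", "examiner")
    log.record_export("F.CONSTRUCTED", "Windows.Network.Netstat", path)
    clean = log.verify()
    Path(path).write_text("modified after export")
    return clean, log.verify(), path
```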
Deliverable Checklist
Before completing the lab, ensure you have:
- Evidence Collection Log — complete with UTC timestamps for every action
- Chain of Custody Record — unbroken chain from start to finish
- 7 Artifact Collections — network, processes, users, memory, sysinfo, prefetch, recent files
- Suspicious Findings — at least 3 notable items identified across your collections
- Order of Volatility Ranking — correctly prioritized collection order documented
- Flow IDs — all Velociraptor collection IDs recorded for evidence integrity
Key Takeaways
- The Order of Volatility (RFC 3227) dictates collection priority — most volatile first
- Chain of custody must be unbroken: who, when, how, where, and integrity verification for every piece of evidence
- Velociraptor enables remote volatile data collection without physically touching the endpoint
- Always use UTC timestamps in forensic documentation
- Hash values prove evidence integrity — if the hash changes, the evidence was modified
- Documentation is evidence itself — a poorly documented collection can invalidate findings in court
What's Next
In Lab 9.2 — Disk Artifact Analysis, you'll analyze the persistent artifacts on disk: Prefetch files, Amcache entries, and ShimCache. These artifacts tell the story of what programs were executed, when, and how many times — even after the attacker tries to delete their tools.
Lab Challenge: Evidence Collection
10 questions · 70% to pass
According to RFC 3227's Order of Volatility, which evidence type should be collected FIRST during a live incident?
Why must all forensic timestamps be recorded in UTC rather than local time?
You're collecting evidence from a compromised Windows endpoint. Which Velociraptor artifact captures active network connections?
What are the five elements that must be documented in a chain of custody record?
Why is network state (active connections) collected before disk artifacts during incident response?
You collected Windows.System.Pslist and found a process running from C:\Users\Public\svchost.exe. Why is this suspicious?
What is the purpose of recording Velociraptor Flow IDs in your evidence collection log?
Why should you avoid performing a full memory dump in a lab environment and instead target specific processes?
After collecting all evidence, what is the final step to ensure evidence integrity?
An examiner collected disk artifacts first, then tried to collect network connections 30 minutes later. Most connections were gone. What forensic principle did they violate?