What You'll Learn
- Explain the order of volatility and why it dictates the sequence of evidence collection during an incident
- Describe the chain of custody process and identify the critical metadata that must be documented at every transfer
- Differentiate between triage imaging and full forensic imaging and articulate when each is appropriate
- Identify common evidence handling mistakes that render evidence inadmissible or forensically unsound
- Explain the role of write blockers and cryptographic hashing in maintaining evidence integrity
- Connect evidence handling principles to the hands-on collection workflow you will perform in Lab 9.1
Why Evidence Handling Is the Foundation of Everything
Digital forensics is not about running tools. Tools are the easy part. The hard part — the part that separates a forensic investigation from casual poking around — is evidence handling. Every action you take from the moment you touch a suspect system either preserves or destroys evidence. There is no neutral action.
Consider this scenario: a SOC analyst suspects a compromised web server. They SSH into the box, run ps aux to check running processes, open /var/log/auth.log in less, and copy a suspicious binary to their workstation using scp. In five minutes, they have:
- Modified the system's RAM (their SSH session, shell process, and every command they ran)
- Changed file access timestamps on every file they opened (atime updates)
- Created network connections that overwrote volatile network state
- Potentially triggered anti-forensic mechanisms planted by the attacker
They found useful information. But they also contaminated the evidence. If this case ever goes to court — or even to an internal disciplinary hearing — a competent opposing counsel will argue that the evidence cannot be trusted because it was modified before proper preservation.
The first responder's paradox: you need to collect evidence quickly before it disappears, but every collection action modifies the system. The order of volatility and proper handling procedures exist to minimize this contamination while maximizing what you preserve.
The Order of Volatility
Not all evidence has the same lifespan. RAM contents change every millisecond. A hard drive can retain data for years. The order of volatility (defined in RFC 3227) ranks evidence sources from most volatile to least volatile, and it dictates the order in which you collect.
| Priority | Evidence Source | Volatility | Typical Lifespan | Collection Method |
|---|---|---|---|---|
| 1 | CPU registers & cache | Extreme | Nanoseconds | Rarely collected outside specialized cases |
| 2 | RAM (physical memory) | Very high | Lost on power-off | Memory dump tools (WinPMem, LiME, DumpIt) |
| 3 | Running processes | Very high | Lost on power-off | Process listing + memory dump captures these |
| 4 | Network connections | High | Seconds to minutes | netstat, ss, packet capture |
| 5 | Network traffic | High | Seconds | Packet capture (must already be running) |
| 6 | Temporary file systems | Moderate | Lost on reboot | Image /tmp, pagefile, swap |
| 7 | Disk (file system) | Low | Years | Full disk image (dd, FTK Imager) |
| 8 | Remote logs & backups | Very low | Years | SIEM exports, backup retrieval |
| 9 | Archival media | Minimal | Decades | Physical retrieval |
The rule is simple: collect the most volatile evidence first. If you start with a disk image (which takes hours), you will lose RAM contents, active network connections, and running process state. If you start with a RAM dump (which takes minutes), you preserve the volatile data and can image the disk afterward at your leisure.
In your lab environment, Velociraptor handles the first five priority levels for you. Its endpoint agent can dump memory, list processes, capture network state, and collect specific artifacts — all remotely, without logging into the target system. This is why endpoint visibility (Module 6) matters so much for forensics. In Lab 9.1, you will use Velociraptor to perform volatile data collection before touching the disk.
Evidence Preservation Principles
Three principles govern every forensic evidence handling decision:
Principle 1: Do Not Modify the Original
The original evidence must remain unchanged. Every analysis should be performed on a forensic copy (image), never on the source media. If you must interact with a live system (to capture RAM, for example), document every command you run and the expected impact on system state.
Principle 2: Document Everything
If it is not documented, it did not happen. Forensic documentation must answer:
- Who collected the evidence (name, role, organization)
- What was collected (device, serial number, model, capacity)
- When it was collected (date, time, timezone — be precise)
- Where it was collected from (physical location, rack position, network segment)
- How it was collected (tool name, version, command used, write blocker model)
- Hash values at collection time (MD5 + SHA256 minimum)
Principle 3: Maintain the Chain of Custody
From the moment evidence is collected to the moment it is presented in court or a review board, every transfer must be documented. The chain of custody is a log that proves the evidence was not tampered with, lost, or mishandled at any point.
The Chain of Custody in Practice
A chain of custody form (physical or digital) records every person who handles the evidence and every location it passes through.
| Field | Example Entry |
|---|---|
| Case ID | INC-2026-0142 |
| Evidence ID | EVD-001 |
| Description | Western Digital 1TB HDD, S/N: WX51A90H7234 |
| Collected by | Analyst Sarah Chen, SOC Team |
| Collection date/time | 2026-01-15 14:32 UTC |
| Collection location | Server Room B, Rack 7, Slot 3 |
| Collection method | FTK Imager v4.7.1, Tableau T35689iu write blocker |
| MD5 at collection | a3f2b8c1d4e5f67890abcdef12345678 |
| SHA256 at collection | e3b0c44298fc1c149afbf4c8996fb924...b855 |
| Transferred to | Forensic Lab, Building C, Evidence Locker 12 |
| Transfer date/time | 2026-01-15 15:10 UTC |
| Received by | Forensic Analyst James Park |
| Hash verified on receipt | Yes — MD5 and SHA256 match |
Every subsequent transfer gets a new row. If the hashes do not match at any transfer point, the chain is broken and the evidence may be considered compromised.
Hash verification is non-negotiable. You must hash the evidence at collection time and re-verify the hash at every subsequent access. If you image a drive and get an MD5 of a3f2b8c1..., the person who receives that image must independently compute the MD5 and confirm it matches. Any discrepancy — even a single bit — means the evidence was modified in transit.
Write Blockers and Why They Exist
When you connect a hard drive to a computer, the operating system immediately begins modifying it — updating last-access timestamps, writing journal entries, mounting file systems. These modifications destroy evidence.
A write blocker is a hardware or software device that allows read access to a storage device while physically preventing any write operations. It sits between the evidence drive and your forensic workstation.
| Type | Examples | Pros | Cons |
|---|---|---|---|
| Hardware write blocker | Tableau T356789iu, CRU WiebeTech | Tamper-proof, court-accepted, no software dependencies | Expensive ($200–$500), physical device required |
| Software write blocker | EnCase PDE, SAFE Block | Free/cheap, no hardware needed | OS bugs can bypass, less court-accepted |
For forensic examinations that may result in legal proceedings, hardware write blockers are the standard. Software write blockers are acceptable for internal investigations where legal admissibility is not a primary concern.
Triage vs. Full Imaging: The Decision
Not every incident requires a full forensic image of every drive. The decision depends on the situation:
| Factor | Triage Collection | Full Forensic Image |
|---|---|---|
| Time pressure | High — active incident, need answers fast | Low — investigation can take days |
| Legal requirement | Internal investigation only | Potential litigation or law enforcement |
| Scope | Specific artifacts (event logs, prefetch, registry) | Complete bit-for-bit copy of all sectors |
| Data volume | GBs (minutes to collect) | TBs (hours to collect) |
| Tool | KAPE, Velociraptor artifact collection | FTK Imager, dd/dcfldd |
| Preserves deleted data | No — only collects existing files | Yes — images slack space, unallocated clusters |
| Court admissibility | Limited | Full |
Triage first, image later is a common workflow. During an active incident, use KAPE or Velociraptor to grab critical artifacts (event logs, MFT, registry hives, prefetch files, browser history) in minutes. Simultaneously, begin a full disk image in the background. You get actionable intelligence fast while still preserving the complete evidence for later analysis.
Evidence Handling Procedures: Step by Step
A disciplined evidence handling workflow follows this sequence:
Step 1: Isolate the system. Disconnect from the network (pull the cable, disable Wi-Fi) to prevent remote wiping or continued attacker access. Do not power off — you will lose volatile data.
Step 2: Document the scene. Photograph the screen, note any running applications visible, record the system time (compare to a reference clock for skew), document all connected peripherals and cables.
Step 3: Capture volatile data. Memory dump first (WinPMem on Windows, LiME on Linux). Then capture running processes, network connections, logged-in users, open files, and clipboard contents.
Step 4: Triage collection (if time-critical). Run KAPE or Velociraptor collection to grab critical artifacts while you set up for full imaging.
Step 5: Full disk image. Connect write blocker, attach evidence drive, create a bit-for-bit image using FTK Imager or dd/dcfldd. Hash the image immediately.
Step 6: Verify hashes. Compute MD5 and SHA256 of the image and compare to the source. They must match.
Step 7: Secure original evidence. Place the original drive in an anti-static bag, seal it, label it with the case ID and evidence ID, and store it in a locked evidence locker.
Step 8: Work on the copy. All analysis happens on the forensic image, never the original.
Legal Considerations
Evidence handling is ultimately about admissibility. If your investigation results in a termination, a lawsuit, or a criminal referral, the evidence must meet legal standards.
| Standard | Requirement |
|---|---|
| Authenticity | Prove the evidence is what you claim it is (chain of custody + hashing) |
| Integrity | Prove the evidence has not been altered since collection (hash verification) |
| Reliability | Prove the collection method is scientifically sound and repeatable |
| Relevance | Prove the evidence is connected to the case |
| Proportionality | Prove you did not collect more than necessary (privacy considerations) |
Even for internal investigations, follow forensic standards. An internal HR investigation can escalate to a lawsuit. An internal security incident can escalate to a criminal referral. If you handled the evidence casually during the "internal" phase, it may be inadmissible when the stakes increase. Treat every investigation as if it might go to court — because it might.
Common Mistakes That Destroy Evidence
| Mistake | What Happens | Prevention |
|---|---|---|
| Powering off a running system | All RAM, process, and network state lost | Capture volatile data before shutdown |
| Logging into the suspect system | SSH/RDP modifies RAM, creates logs, changes timestamps | Use remote collection tools (Velociraptor) |
| Running antivirus on evidence drive | AV quarantines/deletes malware samples — your evidence | Use write blocker, analyze on forensic copy |
| Forgetting to hash at collection | No baseline to prove integrity later | Hash immediately, record in chain of custody |
| Using original for analysis | Any tool modifies file access times, journal entries | Always work on a forensic copy |
| Not documenting your commands | Cannot prove what you did or did not do | Script your session, log every command |
| Storing evidence on shared drive | Multiple people access = broken chain of custody | Locked evidence locker, single custodian |
| Imaging without write blocker | OS may write to evidence drive during imaging | Always use hardware write blocker |
Key Takeaways
- The order of volatility (RFC 3227) dictates collection order: RAM and processes first, disk last — because volatile evidence disappears fastest
- Chain of custody documents every person, every transfer, and every hash verification from collection to courtroom — if a link is missing, the chain is broken
- Write blockers prevent the operating system from modifying evidence media during imaging — hardware blockers are the forensic standard
- Triage collection (KAPE, Velociraptor) grabs critical artifacts in minutes; full imaging (FTK, dd) preserves everything including deleted data but takes hours
- Hash verification (MD5 + SHA256) at collection and every transfer proves evidence integrity — a single-bit discrepancy means contamination
- The first responder's paradox means every action modifies the system — minimize your footprint by using remote tools and documenting every command
- Treat every investigation as potentially going to court: follow forensic standards even for internal incidents
What's Next
Now that you understand how to handle and preserve evidence, Lesson 9.2 covers Disk Imaging & Acquisition — the tools and techniques for creating forensically sound copies. You will learn FTK Imager, dd/dcfldd, KAPE triage imaging, and remote acquisition via Velociraptor, along with when to use each method and how to verify your images.
Knowledge Check: Evidence Handling & Chain of Custody
10 questions · 70% to pass
According to the order of volatility (RFC 3227), which evidence source should be collected FIRST during an incident?
What is the primary purpose of maintaining a chain of custody?
Why is powering off a compromised system considered a critical evidence handling mistake?
A forensic analyst images a drive and records an MD5 hash. When the image arrives at the forensic lab, the computed MD5 does not match. What does this indicate?
What is the role of a hardware write blocker in forensic imaging?
In Lab 9.1, you will use Velociraptor for volatile data collection. Why is remote collection preferred over logging into the suspect system directly?
When is triage imaging (KAPE/Velociraptor) preferred over a full forensic disk image?
Which of the following is NOT one of the five legal standards for evidence admissibility discussed in this lesson?
An analyst runs antivirus on an evidence drive before imaging it. What is the forensic consequence?
In the evidence handling workflow, what should happen IMMEDIATELY after creating a forensic disk image?
0/10 answered