Forensic Fundamentals and Chain of Custody
Handling evidence correctly.
What Digital Forensics Is
Digital forensics is the disciplined recovery, preservation, and analysis of digital evidence so that findings hold up under scrutiny, including in court.
It is not just data recovery. The defining requirement is defensibility: every action must be documented, repeatable, and unbiased.
- Identification of relevant evidence sources
- Preservation without alteration
- Analysis using validated methods
- Presentation in clear, reproducible reports
Order of Volatility
When responding to a live incident, collect evidence from the most volatile to least volatile source. Data that disappears fastest must be captured first.
- CPU registers and cache
- Routing table, ARP cache, process list, network connections
- RAM (memory)
- Temporary file systems
- Disk
- Remote logging and archival media
RFC 3227 codifies this principle. Pull the disk image too early and you lose live RAM artifacts forever.
All lessons in this course
- Forensic Fundamentals and Chain of Custody
- Disk Imaging and File System Analysis
- Network Forensics with PCAP
- Timeline Analysis and Reporting