Types of Evidence

Digital Evidence Collection for Host-Based Analysis


Digital Evidence Categories

SOC analysts and forensic investigators work with different types of digital evidence when investigating host-based incidents.

System Memory (RAM) - VOLATILE
Running processes, network connections, encryption keys, malware in memory. Lost when power is removed.

Disk Storage - NON-VOLATILE
File systems, deleted files, slack space, registry hives, logs. Persists without power.

Log Files - NON-VOLATILE
Windows Event Logs, application logs, security logs, web server logs.

Network Captures - VOLATILE
Packet captures (PCAP), NetFlow data, DNS queries, connection logs.

Registry - NON-VOLATILE
Windows configuration, user activity, installed software, persistence mechanisms.

Timestamps - NON-VOLATILE
File MACB times (Modified, Accessed, Changed, Born), event timestamps.


Order of Volatility (RFC 3227)

When collecting evidence, always collect the most volatile data first. Once volatile data is lost, it cannot be recovered.

1. CPU Registers/Cache - nanoseconds; gone instantly when power is lost
2. System Memory (RAM) - running processes, network state, encryption keys
3. Swap/Virtual Memory - pagefile contents, hibernation files
4. Disk Storage - file systems, deleted files, slack space
5. Remote Logs - SIEM data, centralized logging, NetFlow
6. Archival Media - backups, tapes; least volatile

Why Order Matters

  • Memory contains live malware: Fileless malware only exists in RAM
  • Encryption keys in memory: May be the only way to decrypt data
  • Network connections: Show active C2 communication
  • Running processes: Reveal injected code, hidden services
  • User credentials: May be cached in memory (Mimikatz target)

Evidence Collection Tools

Evidence Type    | Tool                  | Command/Notes
Memory Dump      | WinPmem / DumpIt      | winpmem_mini.exe memdump.raw
Memory Analysis  | Volatility            | vol.py -f memdump.raw --profile=Win10 pslist (Volatility 2 syntax; the profile must match the exact Windows build. Volatility 3 needs no profile: vol.py -f memdump.raw windows.pslist)
Disk Image       | FTK Imager / dd       | dcfldd if=/dev/sda of=disk.dd hash=sha256
Network Capture  | Wireshark / tcpdump   | tcpdump -i eth0 -w capture.pcap
Registry         | RegRipper             | rip.pl -r NTUSER.DAT -a (-a runs every plugin that applies to the detected hive type; -p takes a single plugin name)
Event Logs       | wevtutil / Log Parser | wevtutil epl Security security.evtx

Chain of Custody Requirements

1. Document Collection - record who, what, when, where for every piece of evidence
2. Hash Everything - generate MD5/SHA256 hashes immediately after acquisition
3. Secure Storage - store evidence in a locked, access-controlled location
4. Track Transfers - log every handoff with signatures and timestamps
5. Work on Copies - never analyze original evidence; use forensic copies
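The chain-of-custody steps above as a small Python routine, added here as an example and not part of the original lesson: hash immediately after acquisition, record who/what/when/where, log every handoff, and verify a working copy against the acquisition hashes before analysing it. The evidence file contents, the analyst names and the host name WS01 are constructed for the demo.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def hash_file(path, algorithms=("md5", "sha256")):
    """Hash in 1 MiB chunks so a multi-GB image is never loaded into RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

class CustodyRecord:
    def __init__(self, path, collector, location, description):
        self.path = Path(path)
        self.hashes = hash_file(self.path)  # hashed immediately after acquisition
        self.events = [self._event("ACQUIRED", collector, location, description)]
    @staticmethod
    def _event(action, who, where, note):
        return {"time": datetime.now(timezone.utc).isoformat(), "action": action,
                "who": who, "where": where, "note": note}

    def verify(self, copy_path):
        """True if a working copy (or the original) still matches the acquisition hashes."""
        return hash_file(copy_path) == self.hashes

    def transfer(self, from_person, to_person, where, reason):
        """Log the handoff; the original is re-hashed so the receiver knows it is intact."""
        ok = self.verify(self.path)
        self.events.append(self._event("TRANSFER", f"{from_person} -> {to_person}", where,
                                       f"{reason}; hash verified={ok}"))
        return ok

def run_demo():
    """Constructed scenario: acquire, copy, verify the copy, then catch a modified copy."""
    work = Path(tempfile.mkdtemp())
    original = work / "memdump.raw"
    original.write_bytes(b"abc")  # constructed stand-in for a real memory image
    record = CustodyRecord(original, "analyst1", "SOC evidence locker", "RAM capture, host WS01")
    copy = work / "memdump_copy.raw"
    copy.write_bytes(original.read_bytes())  # analysis runs on the copy, never the original
    copy_ok = record.verify(copy)
    copy.write_bytes(b"abd")  # simulate an accidental modification of the working copy
    tampered_ok = record.verify(copy)
    handoff_ok = record.transfer("analyst1", "analyst2", "forensics lab", "deep-dive analysis")
    return {"hashes": record.hashes, "copy_ok": copy_ok, "tampered_ok": tampered_ok,
            "handoff_ok": handoff_ok, "events": len(record.events)}
```

A tampered copy fails verification while the untouched original still passes, which is exactly the check a receiving analyst performs at each handoff.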

Legal Considerations

  • Authorization: Ensure proper legal authority before collection
  • Scope: Only collect what's relevant to the investigation
  • Privacy: Be aware of PII and data protection requirements
  • Documentation: Maintain detailed notes for court admissibility
  • Integrity: Use write blockers to prevent evidence modification

Evidence Types Quiz

Test your understanding. You need 80% (4/5) to pass.

Q1. According to RFC 3227, which evidence should be collected FIRST?
Disk image
System memory (RAM)
Backup tapes
Remote logs
Q2. Which tool is used specifically for memory forensics analysis?
Volatility
Wireshark
FTK Imager
RegRipper
Q3. Why is collecting memory evidence critical for fileless malware?
It's faster to collect than disk
Memory is more reliable
Fileless malware only exists in RAM
Disk imaging requires special hardware
Q4. What is the PRIMARY purpose of chain of custody documentation?
Speed up the investigation
Reduce storage costs
Encrypt sensitive data
Ensure evidence integrity and legal admissibility
Q5. When should hash values be generated for collected evidence?
Immediately after acquisition
After analysis is complete
Only if going to court
When transferring to another analyst
