Types of digital evidence and their forensic significance
Digital forensic evidence encompasses all electronic data that can be used to investigate and prosecute cybercrimes or policy violations. Understanding the types and characteristics of digital evidence is essential for SOC analysts who must preserve and document findings during incident response.
- Volatile data (lost when power is removed): RAM contents, network connections, running processes, cached data.
- Non-volatile (persistent) data: hard drive contents, SSD data, removable media, cloud storage.
- Network evidence: traffic captures, flow data, DNS logs, proxy logs, firewall logs.
- Log evidence: system logs, application logs, security logs, authentication records.
Different attacks leave traces in different places. A SOC analyst must know where to look based on the type of incident:
| Incident Type | Primary Evidence Sources | Key Artifacts |
|---|---|---|
| Malware Infection | Memory dump, disk image, EDR telemetry | Suspicious processes, injected DLLs, registry run keys, scheduled tasks, dropped files in /tmp or AppData |
| Data Exfiltration | NetFlow, proxy logs, DLP alerts, DNS logs | Large outbound transfers, connections to cloud storage, DNS tunneling patterns, encrypted traffic to unusual destinations |
| Account Compromise | Auth logs, AD event logs, SIEM alerts | Failed logon attempts (4625), successful logon from an unusual IP (4624), special privileges assigned to a new logon, i.e. an admin-equivalent session (4672), password changes and resets |
| Web Application Attack | WAF logs, web server access logs, application logs | SQL injection patterns in URLs, XSS payloads, directory traversal attempts, unusual HTTP methods |
| Lateral Movement | Windows Event Logs, SMB logs, RDP logs | Service installation by PsExec-style tools (System Event ID 7045, e.g. the PSEXESVC service), WMI activity, RDP connections between workstations (4624 logon type 10), pass-the-hash artifacts (NTLM network logons where Kerberos is expected) |
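The account-compromise and lateral-movement rows above describe patterns, not detections. The following Python is an added example (not from the original page or the Shield House lab) that runs those checks over constructed Windows event records: a 4624 preceded by repeated 4625s for the same account and source address, a 4672 whose logon session came from an address outside an assumed baseline (correlated on the logon ID, not just the user name), and a System 7045 naming PsExec's default PSEXESVC service. The events, the baseline address set and the thresholds are all assumptions for the demo.

```python
"""Triage of Windows event records for account-compromise and lateral-movement
patterns. Added example; the events below are CONSTRUCTED sample records,
not real telemetry. Field names follow the Security/System log attributes
(EventID, TimeCreated, TargetUserName, IpAddress, LogonType, TargetLogonId /
SubjectLogonId, ServiceName, ImagePath). Thresholds are illustrative."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Five failed network logons for jdoe from one external address ...
    *[{"EventID": 4625, "TimeCreated": f"2024-03-01T08:00:{i:02d}Z",
       "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "LogonType": 3}
      for i in range(5)],
    # ... then a successful logon from the same address ...
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:00:09Z",
     "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "LogonType": 3,
     "TargetLogonId": "0x3E7A1"},
    # ... immediately followed by admin-equivalent privileges for that session.
    {"EventID": 4672, "TimeCreated": "2024-03-01T08:00:09Z",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x3E7A1"},
    # A PsExec-style service install recorded in the System log.
    {"EventID": 7045, "TimeCreated": "2024-03-01T08:02:30Z",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign: an RDP logon (type 10) from an internal address on the baseline.
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:05:00Z",
     "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 10,
     "TargetLogonId": "0x4B1C2"},
    {"EventID": 4672, "TimeCreated": "2024-03-01T08:05:00Z",
     "SubjectUserName": "alice", "SubjectLogonId": "0x4B1C2"},
]

BASELINE_IPS = {"10.0.0.5", "10.0.0.6"}  # assumed known-good source addresses


def _ts(ev):
    return datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """A 4624 preceded by >= threshold 4625s for the same account and source IP
    inside the look-back window."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 4624:
            continue
        t = _ts(ev)
        failures = [e for e in events[:i]
                    if e["EventID"] == 4625
                    and e.get("TargetUserName") == ev.get("TargetUserName")
                    and e.get("IpAddress") == ev.get("IpAddress")
                    and t - window <= _ts(e) <= t]
        if len(failures) >= threshold:
            findings.append({"rule": "bruteforce_then_success",
                             "user": ev["TargetUserName"], "ip": ev["IpAddress"],
                             "failures": len(failures), "time": ev["TimeCreated"]})
    return findings


def detect_admin_logon_unusual_ip(events, baseline_ips):
    """A 4672 whose session (SubjectLogonId) was created by a 4624 (TargetLogonId)
    from a source IP outside the baseline. Joining on the logon ID ties the
    privilege grant to the exact session rather than to any logon by that user."""
    sessions = {e["TargetLogonId"]: e for e in events
                if e["EventID"] == 4624 and "TargetLogonId" in e}
    findings = []
    for ev in events:
        if ev["EventID"] != 4672:
            continue
        logon = sessions.get(ev.get("SubjectLogonId"))
        if logon and logon.get("IpAddress") not in baseline_ips:
            findings.append({"rule": "admin_logon_unusual_ip",
                             "user": ev["SubjectUserName"], "ip": logon["IpAddress"],
                             "logon_type": logon["LogonType"], "time": ev["TimeCreated"]})
    return findings


def detect_psexec_service(events):
    """System 7045 (new service installed) naming PsExec's default service."""
    return [{"rule": "psexec_service_install", "service": e["ServiceName"],
             "image": e["ImagePath"], "time": e["TimeCreated"]}
            for e in events if e["EventID"] == 7045
            and "PSEXESVC" in (e.get("ServiceName", "") + e.get("ImagePath", "")).upper()]


def triage(events, baseline_ips=BASELINE_IPS):
    """Run all three checks and return the combined findings."""
    return (detect_bruteforce_success(events)
            + detect_admin_logon_unusual_ip(events, baseline_ips)
            + detect_psexec_service(events))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On real data the records would come from `wevtutil`/`Get-WinEvent` exports or a SIEM query; the only field the page's table does not mention that the join needs is the logon ID, which is why it is worth including in exports.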
Always work from forensic copies (bit-for-bit images). Analysing the original risks altering it, which undermines its integrity and can make it inadmissible. Use a hardware write-blocker when imaging physical media. Volatile memory cannot be write-blocked: acquire it once, and record the tool, version and time, because the acquisition itself changes the running system.
Compute MD5 and SHA-256 of the image immediately after acquisition (and of the source media when it can be read without modification), record the values on the chain-of-custody form, and re-hash the copy before each analysis session. A mismatch means the copy is no longer a faithful image and cannot be relied on until it is re-acquired and re-verified.
Follow the RFC 3227 order of volatility: CPU registers and cache, then RAM, network state (routing and ARP tables, connections) and the process table, then temporary file systems, then disk, then remotely held logs and archival media. Volatile evidence does not survive a power cycle, so collect it first.
Photograph the physical setup. Record screen contents. Note running applications. Document network cables and connections. Your notes are evidence too.
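To make the hashing step concrete, here is an added Python example (not part of the original page): it hashes an image in fixed-size chunks with both MD5 and SHA-256, writes the digests to a sidecar manifest, re-verifies the image against that manifest, and shows the verification failing after a single byte of the copy is changed. The image contents, the manifest format and the `demo()` walk-through are constructed for the example.

```python
"""Chunked MD5 + SHA-256 of an evidence image with manifest verification.
Added example; the "disk image" is a CONSTRUCTED byte string written to a
temporary file so the block runs offline. The manifest layout is illustrative."""
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads: hash multi-GB images without loading them into RAM


def _hash_stream(fp):
    """Single pass over the stream, feeding both digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: fp.read(CHUNK), b""):
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_file(path):
    with open(path, "rb") as fp:
        return _hash_stream(fp)


def hash_bytes(data):
    return _hash_stream(io.BytesIO(data))


def write_manifest(path, hashes):
    """Record the acquisition hashes beside the image (the same values go on the
    chain-of-custody form). Returns the manifest path."""
    manifest = path + ".hashes"
    with open(manifest, "w") as fp:
        for algo, digest in hashes.items():
            fp.write(f"{algo} {digest}\n")
    return manifest


def read_manifest(manifest_path):
    with open(manifest_path) as fp:
        return dict(line.split() for line in fp if line.strip())


def verify_image(path, expected):
    """Re-hash the image and compare every recorded digest; any mismatch fails."""
    actual = hash_file(path)
    mismatches = {a: (expected[a], actual[a]) for a in expected if expected[a] != actual[a]}
    return len(mismatches) == 0, mismatches


def demo():
    """Acquire -> record -> verify, then flip one byte and verify again."""
    image = bytes(range(256)) * 4096  # constructed 1 MiB "image"
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as fp:
            fp.write(image)
        manifest = write_manifest(img, hash_file(img))
        clean_ok, _ = verify_image(img, read_manifest(manifest))
        # Simulate someone touching the copy: change a single byte.
        with open(img, "r+b") as fp:
            fp.seek(4242)
            fp.write(b"\x00")
        tampered_ok, diffs = verify_image(img, read_manifest(manifest))
    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok,
            "algorithms_mismatched": sorted(diffs)}


if __name__ == "__main__":
    print(demo())
```

Recording two algorithms costs one extra pass through the same buffer and means a collision in one does not let a modified image pass as authentic.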
This topic extends the IR Forensics Lab from Shield House, focusing on evidence identification and handling for SOC operations.
| Evidence Type | Location | Forensic Value |
|---|---|---|
| Master File Table ($MFT) | Root of each NTFS volume | File metadata, timestamps (MACB), records of deleted files (small resident data may survive in the record) |
| Registry Hives | C:\Windows\System32\config (SYSTEM, SOFTWARE, SAM, SECURITY) and NTUSER.DAT / UsrClass.dat in each user profile | User activity, installed software, USB device history, autostart (Run) keys |
| Prefetch Files | C:\Windows\Prefetch | Evidence of program execution: run count, last-run timestamps, files and directories the program touched |
| Browser Artifacts | User profile folders | Browsing history, downloads, saved credentials and session cookies |
| Slack and unallocated space | Unused tail of a file's last cluster (slack); clusters not assigned to any file (unallocated) | Fragments of deleted or overwritten files, recoverable by carving |
- Running processes: active programs, including hidden or injected code that may never exist on disk.
- Network connections: active TCP/UDP connections, listening ports, recently closed connections.
- Encryption keys: keys for mounted encrypted volumes are held in RAM and may be the only way to access the encrypted data.
- Credentials: passwords, hashes and tokens cached in LSASS memory (what mimikatz targets).
Different systems use different timestamp formats and timezones. NTFS and ext4 store timestamps in UTC and the OS converts them for display; FAT stores local wall-clock time with no timezone information; many application logs write local time. Always record the timezone (and DST rules) of the source system and normalize every timestamp to UTC before correlating events.
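As an added example (not part of the original page) of the normalization step, the Python below converts the timestamp formats an analyst meets most often to UTC: NTFS FILETIME, Unix epoch seconds, FAT's packed DOS date/time and local-time log strings. The sample values, the record format and the fixed-offset zone are assumptions for the demo; on a real case the source system's IANA zone (via `zoneinfo.ZoneInfo`) should be used so DST transitions are handled.

```python
"""Normalizing timestamps from different sources to UTC. Added example.
NTFS FILETIME = 100 ns ticks since 1601-01-01 UTC; Unix = seconds since
1970-01-01 UTC; FAT = packed local date/time with no zone, so the analyst
must supply the source system's zone. Sample values are CONSTRUCTED."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """NTFS / registry FILETIME -> aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def unix_to_utc(seconds):
    """ext4 / syslog-style epoch seconds -> aware UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def dos_datetime_to_naive(date16, time16):
    """FAT directory-entry fields -> naive local datetime.
    date: bits 15-9 = year-1980, 8-5 = month, 4-0 = day
    time: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds/2 (2 s resolution)"""
    year = 1980 + (date16 >> 9)
    month = (date16 >> 5) & 0x0F
    day = date16 & 0x1F
    hour = time16 >> 11
    minute = (time16 >> 5) & 0x3F
    second = (time16 & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def local_to_utc(naive_dt, tz):
    """Attach the source system's zone to a naive local time, then convert to UTC."""
    return naive_dt.replace(tzinfo=tz).astimezone(timezone.utc)


def normalize(record, source_tz):
    """ISO-8601 UTC string for one record shaped like
    {"source": "ntfs" | "unix" | "fat" | "log_local", "value": ...} (assumed format)."""
    kind, value = record["source"], record["value"]
    if kind == "ntfs":
        dt = filetime_to_utc(value)
    elif kind == "unix":
        dt = unix_to_utc(value)
    elif kind == "fat":
        dt = local_to_utc(dos_datetime_to_naive(*value), source_tz)
    elif kind == "log_local":
        dt = local_to_utc(datetime.strptime(value, "%Y-%m-%d %H:%M:%S"), source_tz)
    else:
        raise ValueError(f"unknown source {kind}")
    return dt.isoformat()


def normalize_all(records, source_tz):
    return [normalize(r, source_tz) for r in records]


# Constructed records: one event at 2024-03-01 14:30 local (UTC-5) as recorded
# by four different sources. A fixed offset stands in for the real zone here;
# use zoneinfo.ZoneInfo("America/New_York") or similar on a real host so DST applies.
HOST_TZ = timezone(timedelta(hours=-5), "EST")
SAMPLE_RECORDS = [
    {"source": "ntfs", "value": 133537950000000000},        # $MFT / registry FILETIME
    {"source": "unix", "value": 1709321400},                 # ext4 inode / syslog epoch
    {"source": "fat", "value": (0x5861, 0x73C0)},            # USB stick FAT entry
    {"source": "log_local", "value": "2024-03-01 14:30:00"}, # application log line
]

if __name__ == "__main__":
    for rec, utc in zip(SAMPLE_RECORDS, normalize_all(SAMPLE_RECORDS, HOST_TZ)):
        print(f"{rec['source']:>9}: {rec['value']!s:>30} -> {utc}")
```

Once every source is in UTC ISO-8601 the records can be sorted and merged into a single timeline; FAT's 2-second resolution and the absence of a zone are the reasons removable-media timestamps need the widest tolerance when correlating.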
| Priority | Evidence Type | Volatility | Collection Method |
|---|---|---|---|
| 1 | Memory dump | Highest | Memory imaging tools (FTK Imager, WinPMEM) |
| 2 | Network state | High | netstat, Get-NetTCPConnection, tcpdump |
| 3 | Process list | High | tasklist, Get-Process, ps aux |
| 4 | Disk image | Low | dd, FTK Imager, EnCase |
| 5 | Log exports | Low | SIEM queries, wevtutil, log aggregation |
Do: document observations, screenshot alerts, export SIEM queries, preserve log extracts, note timestamps.
Don't: run commands on affected systems, reboot systems, clear logs, or delete suspicious files.
Screenshot Everything: Before escalating to Tier 2/forensics, take screenshots of all relevant SIEM alerts, dashboard views, and findings. Include timestamps in every screenshot. Evidence you don't capture now may not be available later.
Test your understanding of forensic evidence. Score 80% or higher to pass.
1. Which type of evidence is lost when a system is powered off?
2. What Windows artifact records evidence of program execution?
3. Why is memory forensics valuable for malware investigations?
4. What should a Tier 1 SOC analyst do when suspecting a compromised system?
5. Why should hash values be calculated for collected evidence?