Investigating and Proving Digital Crime
Digital Forensics, Chain of Custody and Analysis of Evidence
🎯 Concept Focus – What You Actually Need to Master
Today we cover the essential steps to take when a real breach or incident happens. The key concepts we will focus on are:
Incident scene handling.
Volatile vs non-volatile data and the order of volatility.
General forensic guidelines and evidence handling.
EDRM (Electronic Discovery Reference Model).
Chain of custody: how you prove you didn’t mess with the artefacts.
The forensic process: collection → examination → analysis → reporting.
Types of forensic analysis (network, media, software, hardware/embedded).
Types of investigations (operational, criminal, civil, eDiscovery) and jurisdiction.
Incident Scene Handling
Identify the Scene
Pinpoint which systems, networks, or devices are affected.
Scope: is it one payments node, the whole Kubernetes cluster, the VPN, or more?
Protect the Environment
Restrict physical access (server room, laptops).
Restrict digital access (privileges, remote logins, SSH, RDP).
Ensure attackers can’t wipe logs or data.
Identify Evidence and Potential Sources
Log files, SIEM events, network captures, system snapshots, cloud audit logs, emails, scripts, malware binaries.
Compromised accounts, API keys, service accounts.
Collect Evidence
Follow forensic best practices.
Use write blockers for disks; take forensic images (bit-by-bit).
Capture timestamps, system states, and access records.
Minimize Contamination
Don’t reboot unless absolutely necessary.
Don’t run random tools that rewrite temp files and logs.
Log every action taken and why.
Digital Evidence, Volatility & Locard’s Principle
Volatile vs Non-Volatile Evidence
Volatile evidence: Exists only while the system is running.
RAM contents, running processes, login sessions, network connections, caches.
Lost on reboot/power-off.
Non-volatile evidence: Survives reboots.
Disk contents, logs on storage, backups, snapshots.
Locard’s Exchange Principle
“Every contact leaves a trace.”
Volatile Data Collection
Collect evidence in most-to-least volatile order:
Network connections
Active connections, remote sessions, suspicious outbound IPs.
Why first? They can vanish in seconds when attackers disconnect or routes change.
Login sessions
Who is logged in locally, via SSH, RDP, VPN, etc.
Why early? Attacker sessions disappear on logout.
Contents of memory (RAM dump)
Keys, decrypted data, malware in memory, secrets, in-memory-only tooling.
Why early? RAM is wiped on reboot or power-off.
Running processes
Suspicious binaries, injected processes, abnormal services.
Why now? Processes can terminate, restart, or morph.
Open files
Files currently in use: exfil scripts, temp archives, open DB dumps.
They may be flushed, closed, or deleted quickly.
Network configuration
IPs, routes, firewall rules, DNS settings.
These change less frequently but can be manipulated by attackers to keep footholds.
Operating system time
System clock and timezone used for correlating logs and events.
Changes rarely; collected last.
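To make the ordering concrete, here is an added example (not code from the original post) of a small collector that captures each artefact in the order above, hashes it the moment it is taken, and logs tool, timestamp and hash so the capture itself is documented. The command list is an assumption for a Linux host (and the "memory" step only records /proc/meminfo as a stand-in, since a real RAM dump needs a dedicated acquisition tool); the executor is injectable so the logic can be exercised offline.

```python
# Added example: collect volatile artefacts in order of volatility, hashing and
# logging each capture as it is taken. Commands assume a Linux host and are an
# assumption of this example, not a tool list from the original post.
import hashlib
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Most-to-least volatile. A real memory capture needs a dedicated acquisition
# tool; the "memory" entry here only records /proc/meminfo as a placeholder.
VOLATILITY_ORDER = [
    ("network_connections", ["ss", "-tunap"]),
    ("login_sessions",      ["who", "-a"]),
    ("memory",              ["cat", "/proc/meminfo"]),
    ("running_processes",   ["ps", "auxww"]),
    ("open_files",          ["lsof", "-n"]),
    ("network_config",      ["ip", "addr"]),
    ("os_time",             ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
]

def run_command(argv):
    """Default executor: run the tool and return stdout+stderr as text.
    A missing tool is recorded rather than aborting the whole collection."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return f"[collector] tool not found: {argv[0]}\n"
    return proc.stdout + proc.stderr

def collect_volatile(outdir=None, run=run_command, order=VOLATILITY_ORDER):
    """Capture each artefact in order; write it, hash it, log what/when/how.

    Returns {"outdir": path, "entries": [...]}; the entries are also written to
    outdir/collection_log.json so the record travels with the evidence."""
    outdir = Path(outdir or tempfile.mkdtemp(prefix="volatile_"))
    outdir.mkdir(parents=True, exist_ok=True)
    entries = []
    for name, argv in order:
        started = datetime.now(timezone.utc).isoformat()
        output = run(argv).encode()
        path = outdir / f"{name}.txt"
        path.write_bytes(output)
        entries.append({
            "artefact": name,
            "tool": " ".join(argv),
            "started_utc": started,
            "path": str(path),
            "sha256": hashlib.sha256(output).hexdigest(),  # taken at capture time
        })
    (outdir / "collection_log.json").write_text(json.dumps(entries, indent=2))
    return {"outdir": str(outdir), "entries": entries}

def verify_collection(outdir):
    """Re-hash every captured file against the log; return artefacts that changed."""
    log = json.loads((Path(outdir) / "collection_log.json").read_text())
    return [e["artefact"] for e in log
            if hashlib.sha256(Path(e["path"]).read_bytes()).hexdigest() != e["sha256"]]

if __name__ == "__main__":
    result = collect_volatile()
    for e in result["entries"]:
        print(e["started_utc"], e["artefact"], e["sha256"][:16])
    print("changed since capture:", verify_collection(result["outdir"]))
```

The point of hashing at capture time rather than later is that the hash in the log is the reference every later custody check compares against; `verify_collection` is the check an evidence custodian would re-run before handing the set over.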
Mobile Evidence Twist
Legal authority to search is still mandatory.
Shutting down a smartphone can lock you out or trigger secure wipe.
Use a Faraday bag to isolate the device (no signals in/out), then perform collection under controlled conditions.
General Guidelines for Handling Digital Evidence
Follow formal forensic procedures
Structured, documented, repeatable. No ad-hoc heroics.
Preserve original evidence
Always work on forensic images, not the original disk/log dataset.
Use write blockers; use bit-stream copies (sector-by-sector), not “copy-paste.”
Only trained personnel handle evidence
Anas can help acquire system images under supervision, but he isn’t doing solo forensics.
Document everything
Who accessed what, when, how, using which tools.
Individuals are accountable
If you touch evidence, your name is in the log. No hiding behind “the team.”
The company must enforce compliance
Policies that define access controls, retention, encryption, and handling of evidence.
EDRM – Electronic Discovery Reference Model
EDRM is the “process map” for electronic evidence, from pre-incident data governance to courtroom presentation.
Information Governance
How Neuromesh manages data lifecycle, retention, storage, privacy.
Identification
Decide which emails, logs, systems, and datasets are relevant.
Preservation
Legal hold; freeze changes to specific storage and logs.
Collection
Forensic extraction from servers, cloud buckets, laptops, phones.
Processing
Filter, de-duplicate, index; reduce noise.
Review
Legal/security review: relevance, privilege, confidentiality.
Analysis
Find patterns, timelines, root cause, responsible actors.
Production
Package evidence in required legal/regulatory formats.
Presentation
Use evidence in court, to regulators, or in internal reports.
Evidence Collection & Handling
Compromised data
Stolen or modified customer records, payment files.
Compromised systems
Servers, laptops, cloud VMs, containers, USB sticks.
Incident-related data
Firewall logs, IDS/IPS logs, WAF logs, OS logs, IAM logs, SIEM events.
Witness information
Statements from staff—“I saw a login at 02:00 from an unusual IP,” etc.
Incident scene information
Open server room doors, missing devices, tampered CCTV, physical access anomalies.
Best-Practice Checklist
Maintain chain of custody (CoC).
Always create copies/forensic images before analysis.
Only analyze the copies, never originals.
Appoint an evidence custodian.
Document every single action.
Avoid any unrecorded modifications (write blockers, read-only mounts).
Treat collection as high-risk: one mistake can kill admissibility.
No amateurs: IT ops ≠ forensic specialists.
Chain of Custody
Chain of Custody (CoC) is the formal ledger of who touched what, when, why, and how.
Seize / identify the item:
“Image of payments-node-03 disk”, “Memory dump of VM”, “S3 access logs”, etc.
Label:
Unique ID, date/time, handler, description, location.
Record every transfer:
From analyst A to analyst B, from war room to locked storage, etc.
Store properly:
Tamper-evident bags, sealed containers, locked evidence room, restricted access.
Support with visuals:
Photos or video of the system setup and each evidence interaction.
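As an added illustration (not code from the original post), the ledger below models the steps above for a single item: seizure with a unique ID, handler, time, location and hash, then one record per transfer in which the receiver re-hashes what they were given. The audit walks the chain and reports exactly the two failure modes the section warns about: a hand-off that was never written down, and bytes that changed along the way. Names, item IDs, timestamps and the image bytes are constructed.

```python
# Added example: a minimal chain-of-custody ledger for one evidence item.
# Every hand-off records the receiver's own hash, so an unrecorded transfer or
# a silent modification shows up in audit. All names and values are constructed.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat()

@dataclass
class Transfer:
    when: str          # ISO-8601 UTC timestamp
    from_holder: str
    to_holder: str
    purpose: str
    sha256: str        # hash computed by the receiver at hand-off

@dataclass
class EvidenceItem:
    item_id: str
    description: str
    seized_by: str
    seized_at: str
    location: str
    sha256: str        # hash at seizure: the reference value
    transfers: list = field(default_factory=list)

def seize(item_id, description, handler, location, data: bytes, when=None):
    """Open the ledger for an item: unique ID, handler, time, place and hash."""
    return EvidenceItem(item_id, description, handler, when or now_utc(),
                        location, sha256_hex(data))

def record_transfer(item, from_holder, to_holder, purpose, data: bytes, when=None):
    """Append a hand-off. The receiver re-hashes what they were given."""
    item.transfers.append(Transfer(when or now_utc(), from_holder, to_holder,
                                   purpose, sha256_hex(data)))

def current_holder(item):
    return item.transfers[-1].to_holder if item.transfers else item.seized_by

def audit(item):
    """Return a list of problems; empty means the chain is continuous from
    seizure to the current holder and every hand-off saw identical bytes."""
    problems = []
    holder = item.seized_by
    for i, t in enumerate(item.transfers, start=1):
        if t.from_holder != holder:
            problems.append(f"transfer {i}: gap, ledger shows {holder} holding the "
                            f"item but {t.from_holder} handed it to {t.to_holder}")
        if t.sha256 != item.sha256:
            problems.append(f"transfer {i}: hash mismatch when {t.to_holder} received it")
        holder = t.to_holder
    return problems

IMAGE = b"constructed stand-in for the disk image of payments-node-03"

def clean_chain():
    item = seize("EV-2024-0001", "Image of payments-node-03 disk", "Anya",
                 "war room", IMAGE, when="2024-03-02T02:30:00+00:00")
    record_transfer(item, "Anya", "Bob", "examination", IMAGE, "2024-03-02T09:00:00+00:00")
    record_transfer(item, "Bob", "evidence-locker", "storage", IMAGE, "2024-03-02T18:00:00+00:00")
    return item

def broken_chain():
    """Same item, but Bob's hand-off to Carol was never written down and the
    bytes Carol passed on differ from what was seized."""
    item = seize("EV-2024-0001", "Image of payments-node-03 disk", "Anya",
                 "war room", IMAGE, when="2024-03-02T02:30:00+00:00")
    record_transfer(item, "Anya", "Bob", "examination", IMAGE, "2024-03-02T09:00:00+00:00")
    record_transfer(item, "Carol", "evidence-locker", "storage", IMAGE + b"?",
                    "2024-03-03T08:00:00+00:00")
    return item

if __name__ == "__main__":
    print("clean:", audit(clean_chain()) or "no problems")
    for p in audit(broken_chain()):
        print("broken:", p)
```

A real ledger would also carry the photos or video references and the storage location per transfer; the continuity check (each "from" must equal the previous "to") is the part that is easy to skip on paper and is exactly what an opposing expert will look for.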
Digital Forensics – The Core Principles
Digital forensics is not just “looking at logs.” It’s a disciplined process built on five principles:
Authentic
Evidence must be provably genuine.
Use hashes (e.g., SHA-256) to show the image hasn’t changed.
Accurate
Findings must be correct and reproducible by another expert.
Complete
Don’t cherry-pick. Capture all relevant evidence and context.
Convincing
The data and the story it tells must make sense to non-technical stakeholders.
Admissible
Collected legally, with proper CoC, respecting privacy and regulation (GDPR, sectoral laws).
Forensic Process
Collection
Identify, label, log, and acquire relevant data.
Decide upfront if the case may require legal-grade preservation.
Keep detailed logs of tools, versions, parameters, timestamps.
Take photos/screenshots of system states before touching anything.
Plus: Digital-forensic imaging
Use write blockers when removing drives.
Do bit-stream/sector-by-sector images, not logical file copies.
Hash originals and images, store hashes in CoC.
Keep an untouched master image and a separate working copy.
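The following added example (not code from the original post) shows why a sector-by-sector image is required rather than a file copy, and how hashes tie original media, master image and working copy together. The "disk" is a constructed in-memory toy (512-byte sectors, a first-fit allocator whose delete only drops the directory entry); it is not a real filesystem, but it reproduces the behaviour the guideline is about: a deleted file's bytes survive in unallocated space and slack, and only the bit-stream copy carries them.

```python
# Added example: bit-stream image versus logical copy, plus hash verification of
# original, master and working copy. The disk model is a constructed toy.
import hashlib

SECTOR = 512

def sectors_for(length):
    return max(1, -(-length // SECTOR))   # ceiling division

class ToyDisk:
    def __init__(self, sectors):
        self.sectors = sectors
        self.raw = bytearray(SECTOR * sectors)
        self.files = {}                   # name -> (first_sector, length)

    def _free(self):
        used = set()
        for start, length in self.files.values():
            used.update(range(start, start + sectors_for(length)))
        return [s for s in range(self.sectors) if s not in used]

    def write_file(self, name, data):
        needed = sectors_for(len(data))
        free = self._free()
        for i in range(len(free) - needed + 1):
            run = free[i:i + needed]
            if run[-1] - run[0] == needed - 1:        # contiguous run found
                off = run[0] * SECTOR
                # Only len(data) bytes change; the rest of the last sector
                # keeps whatever was there before (slack space).
                self.raw[off:off + len(data)] = data
                self.files[name] = (run[0], len(data))
                return run[0]
        raise OSError("disk full")

    def delete_file(self, name):
        del self.files[name]   # directory entry gone, sectors untouched

def bit_stream_image(disk):
    """Sector-by-sector copy: allocated, slack and unallocated space alike."""
    return bytes(disk.raw)

def logical_copy(disk):
    """What 'copy-paste' gives you: live file contents only."""
    return {name: bytes(disk.raw[s * SECTOR:s * SECTOR + n])
            for name, (s, n) in disk.files.items()}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_image(disk, image):
    """The image hash must equal the hash of the original media."""
    return sha256_hex(bytes(disk.raw)) == sha256_hex(image)

PAYLOAD = b"CUSTOMER-RECORD;" * 40   # 640 bytes -> 2 sectors (constructed data)

def demo():
    disk = ToyDisk(8)
    disk.write_file("customers.csv", PAYLOAD)
    disk.delete_file("customers.csv")               # "deleted" by the user
    disk.write_file("notes.txt", b"meeting notes")  # reuses sector 0, overwrites 13 bytes
    master = bit_stream_image(disk)
    working = bytes(master)                         # analysts work on this copy
    logical = logical_copy(disk)
    return {
        "image_matches_media": verify_image(disk, master),
        "working_matches_master": sha256_hex(working) == sha256_hex(master),
        "remnant_offset_in_image": master.find(b"CUSTOMER-RECORD;"),
        "remnant_in_logical_copy": any(b"CUSTOMER-RECORD;" in d for d in logical.values()),
        "logical_files": sorted(logical),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the demo the deleted customer data is still readable in the image (from byte 16 onward, past the 13 bytes the new file overwrote) while the logical copy contains only notes.txt; that is the evidence a media analyst recovers from slack and unallocated space, and it is simply absent if the collection was a file copy.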
Examination
Use appropriate forensic tools (Autopsy, FTK, EnCase, etc.).
Extract relevant data while preserving integrity.
Recover deleted files, inspect registry/system artefacts, reconstruct sessions.
Analysis
Translate raw artefacts into answers: who, what, when, where, how.
Common analysis lanes:
Network Traffic Analysis
Tools: Wireshark, tcpdump, Zeek.
Reconstruct sessions, detect exfil paths, identify C2 endpoints.
Log Aggregation & Analysis
SIEM/ELK: Splunk, QRadar, Elastic stack.
Correlate events from DCs, firewalls, critical servers, IAM, endpoints.
Isolated Analysis Environments
Sandboxes (VMware VMs, Cuckoo sandbox).
Detonate malware safely, observe behavior.
Manager lens: ensure you have SPAN/mirror ports, packet capture, log retention, and an air-gapped lab.
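As an added example of the log-correlation lane (not code from the original post or from any of the tools named), the script below normalises constructed log lines from three sources with three different timestamp conventions into one UTC timeline, applies a clock-skew correction for a host whose OS time was found to be off (the reason OS time is collected during triage), and flags the pattern of an external login followed within minutes by a large outbound transfer. The formats, IPs, hostnames and the assumption that 10.0.0.0/8 is the corporate range are all constructed for the example; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for external addresses.

```python
# Added example: build one UTC timeline from mixed-format log lines and flag an
# external login followed by a large outbound transfer. All sample data and the
# "10.0.0.0/8 is corporate" boundary are assumptions of this example.
import ipaddress
from datetime import datetime, timedelta, timezone

CORPORATE = ipaddress.ip_network("10.0.0.0/8")   # assumption: internal range

# Constructed sample: firewall (UTC ISO), IAM (local time + offset), endpoint (epoch)
SAMPLE_LOGS = [
    "2024-03-02T02:07:41Z FW allow src=10.0.5.12 dst=203.0.113.77 dport=443 bytes=52428800",
    "2024-03-02 03:58:10 +0200 IAM login user=svc-payments src=198.51.100.23 result=success",
    "1709344980 EP host=payments-node-03 cmd=tar czf /tmp/db.tgz /var/lib/payments",
    "2024-03-02T01:15:02Z FW allow src=10.0.5.12 dst=10.0.9.4 dport=5432 bytes=2048",
    "2024-03-02 03:40:00 +0200 IAM login user=anya src=10.0.2.15 result=success",
]

def _kv(tokens):
    return dict(t.split("=", 1) for t in tokens if "=" in t)

def parse_line(line, clock_skew=None):
    """Normalise one line to {"time": aware UTC datetime, "source", "kind", "fields"}.
    clock_skew maps source -> seconds to add, for a host whose clock is known
    to be off (compare its OS time against a trusted reference at collection)."""
    tokens = line.split()
    if tokens[1] == "FW":
        time = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        source, kind, fields = "FW", tokens[2], _kv(tokens[3:])
    elif tokens[1] == "EP":
        time = datetime.fromtimestamp(int(tokens[0]), tz=timezone.utc)
        head, _, cmd = line.partition(" cmd=")   # command line may contain spaces
        source, kind, fields = "EP", "exec", {**_kv(head.split()[2:]), "cmd": cmd}
    elif len(tokens) > 3 and tokens[3] == "IAM":
        local = datetime.strptime(" ".join(tokens[:3]), "%Y-%m-%d %H:%M:%S %z")
        time = local.astimezone(timezone.utc)
        source, kind, fields = "IAM", tokens[4], _kv(tokens[5:])
    else:
        raise ValueError(f"unknown log format: {line!r}")
    if clock_skew and source in clock_skew:
        time += timedelta(seconds=clock_skew[source])
    return {"time": time, "source": source, "kind": kind, "fields": fields, "raw": line}

def build_timeline(lines, clock_skew=None):
    return sorted((parse_line(l, clock_skew) for l in lines), key=lambda e: e["time"])

def flag_login_then_exfil(events, window=timedelta(minutes=15), min_bytes=10 * 2**20):
    """Successful login from outside the corporate range, followed within the
    window by a transfer of at least min_bytes to an address outside it."""
    alerts = []
    logins = [e for e in events if e["source"] == "IAM" and e["kind"] == "login"
              and e["fields"].get("result") == "success"
              and ipaddress.ip_address(e["fields"]["src"]) not in CORPORATE]
    for login in logins:
        for fw in events:
            if fw["source"] != "FW":
                continue
            gap = fw["time"] - login["time"]
            if (timedelta(0) <= gap <= window
                    and int(fw["fields"]["bytes"]) >= min_bytes
                    and ipaddress.ip_address(fw["fields"]["dst"]) not in CORPORATE):
                alerts.append({"user": login["fields"]["user"],
                               "login_src": login["fields"]["src"],
                               "dst": fw["fields"]["dst"],
                               "bytes": int(fw["fields"]["bytes"]),
                               "seconds_after_login": int(gap.total_seconds())})
    return alerts

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for e in timeline:
        print(e["time"].isoformat(), e["source"], e["kind"], e["fields"])
    print(flag_login_then_exfil(timeline))
```

Run as-is, the timeline puts the 03:58 local IAM login at 01:58 UTC, the endpoint archive command at 02:03 UTC and the 50 MiB outbound connection at 02:07 UTC, which is the sequence the detection rule flags; passing clock_skew={"EP": -120} shows how a known two-minute clock drift on the endpoint is corrected before events are compared.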
Reporting
Explain what was done, what was found, how confident you are, and what to do next.
Feed back into:
Policy & process improvements.
Hardening and detection tuning.
Legal and regulatory responses.
Deep-Dive Analysis Types
Network Analysis
Traffic analysis, log review, path tracing.
Goal: understand attacker entry point, lateral movement, exfil route.
Media Analysis
Hard drives, SSDs, USBs, cloud volumes.
Techniques: slack space analysis, shadow copy analysis, disk imaging, timeline analysis (MAC times).
Software Analysis
Malware analysis, IP theft investigations, copyright disputes.
Methods: reverse engineering, malicious code review, exploit analysis.
Goals: author identification, payload understanding, impact analysis.
Hardware / Embedded Device Analysis
IoT, OT, industrial systems, embedded appliances.
Challenges:
Custom OSes and hardware interfaces.
Devices that can’t be imaged without altering state.
Hardware vulnerabilities that are hard to detect and reproduce.
Types of Investigations & Jurisdiction
Laws differ across countries (GDPR vs US sectoral laws).
Attack origin, victim, infrastructure and data may all sit in different jurisdictions.
Cross-border cooperation (Europol/INTERPOL etc.) is complex and slow.
Investigation Types
Treat every investigation as if it will end up in court.
🧠 Brain Ticklers
1. The “Helpful” Reboot
Neuromesh detects suspicious outbound traffic from a payments node. Anas wants to reboot the VM to “stabilize it.” Anya intervenes and decides to start volatile data collection instead.
What is the most appropriate first artefact for her to capture?
A. Full disk image of the VM
B. Network connections and active sessions
C. OS time and timezone configuration
D. Archived application logs from last month
2. Chain of Custody Gap
During a ransomware investigation, a hard drive image changes hands three times. The final report mentions the image, but one transfer between two analysts was never recorded in the CoC log. What is the primary risk?
A. Some evidence will become non-volatile.
B. The image will no longer be hashable.
C. The evidence may be considered inadmissible or unreliable.
D. The investigation automatically becomes a civil case.
3. EDRM Stage Confusion
Neuromesh Legal issues a legal hold: all emails and logs related to the incident are frozen and cannot be deleted or altered, but not yet collected. Which EDRM stage is this?
A. Identification
B. Preservation
C. Processing
D. Production
4. Wrong Person on the Keyboard
A serious breach occurs on Neuromesh’s admin portal. The CIO asks a generalist sysadmin, with no forensic training, to “have a look, grab what you can, and tell us what happened.” Which principle is being violated?
A. Only trained personnel should access digital evidence.
B. Preserve original evidence using write blockers.
C. Capture volatile data before non-volatile data.
D. Always process data before preservation.
5. Type of Investigation
A former Neuromesh developer is accused of stealing proprietary code before joining a competitor. Neuromesh sues the developer and the new employer for damages. What type of investigation is this primarily?
A. Criminal investigation
B. Operational/administrative investigation
C. Civil investigation
D. eDiscovery investigation
Executive Takeaways for Busy Readers
Never reboot first. Volatile data is often the only window into what attackers actually did.
Chain of custody makes or breaks your case. One undocumented hand-off can destroy months of work.
Always work from images, not originals. Hash, log, and lock the originals away.
EDRM is your operating model. Everything you do in IR and forensics sits somewhere on that lifecycle.
Treat every incident as courtroom-grade. That mindset aligns perfectly with CISSP Domain 7 and real-world liability.
