Digital Forensics & Investigation

Evidence Collection & Chain of Custody

55 min

Chain of Custody

Chain of custody is the chronological documentation showing the seizure, custody, control, transfer, analysis, and disposition of evidence. Any gap in the chain can cause evidence to be inadmissible in court.

CHAIN OF CUSTODY DOCUMENTATION
──────────────────────────────────────────────────────
Required Information for Each Evidence Item:
─ Unique evidence ID/tag number
─ Description (device type, make, model, serial #)
─ Date, time, and location of collection
─ Condition of the item when collected
─ Name and signature of person collecting
─ All subsequent transfers (who, when, why)
─ Storage conditions and location
─ Hash values (MD5 + SHA-256) for verification
──────────────────────────────────────────────────────

Write Blockers

Write blockers are hardware or software tools that allow reading from a storage device while preventing any writes to it. They are MANDATORY when imaging suspect media to ensure the original evidence is not altered.

  • Hardware Write Blockers: Tableau, WiebeTech, Logicube — most trusted
  • Software Write Blockers: USB write protection (Windows registry), Linux read-only mounts

Forensic Imaging

Forensic imaging creates a bit-for-bit (sector-level) copy of storage media, including deleted files and unallocated space.

FORENSIC IMAGING TOOLS & COMMANDS
──────────────────────────────────────────────────────
# dd (Linux) - Basic but powerful
# conv=sync,noerror: continue past unreadable blocks and zero-fill them instead of aborting
dd if=/dev/sdb of=evidence.img bs=4M conv=sync,noerror
md5sum evidence.img > evidence.md5   # Hash verification

# FTK Imager (Windows GUI) - Industry standard
# Supports E01, AFF, RAW formats
# Creates verification hash automatically

# dcfldd - Enhanced dd with hashing (writes a raw image; E01 output needs FTK Imager or ewfacquire)
dcfldd if=/dev/sdb of=evidence.dd hash=sha256 hashlog=hash.txt

# Formats:
# RAW (.img/.dd) - Simple bit-for-bit copy
# E01 (EnCase) - Compressed with metadata, industry standard
# AFF - Advanced Forensic Format, open standard
──────────────────────────────────────────────────────
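The following POSIX shell script is an added example, not part of the course material: it ties the dd-style imaging above to the chain-of-custody record described earlier by imaging a source, hashing both source and image with MD5 and SHA-256, and appending one record per evidence item. It goes a step beyond the commands on the page by showing why the hash comparison can fail: with `conv=sync`, dd pads a short final read up to the block size, so an image taken with a large `bs` may not hash like its source. The source path, evidence ID, operator name and log location are assumptions; for testing, a regular file stands in for a block device.

```shell
#!/bin/sh
# Added example: image a source (block device, or a regular file when testing),
# verify MD5 + SHA-256 against the source, and append a chain-of-custody record.
# Paths, evidence IDs and operator names are assumed values.

hash_file() {   # $1 = path; prints "<md5> <sha256>"
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# forensic_image SRC IMAGE EVIDENCE_ID OPERATOR LOG
# Returns 0 when the image hashes match the source, 1 otherwise.
forensic_image() {
    src=$1; img=$2; eid=$3; op=$4; log=$5
    # bs=512 keeps sector alignment; conv=noerror,sync zero-fills only an
    # unreadable sector. A large bs (e.g. 4M) pads a short final read up to bs,
    # so the image would no longer hash like the source.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    set -- $(hash_file "$src")
    src_md5=$1; src_sha=$2
    set -- $(hash_file "$img")
    img_md5=$1; img_sha=$2
    if [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]; then
        result=VERIFIED
    else
        result=MISMATCH
    fi
    # One record per evidence item: ID, UTC time, collector, source, image, hashes, outcome
    printf '%s\t%s\t%s\t%s\t%s\tMD5=%s\tSHA256=%s\t%s\n' \
        "$eid" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$op" "$src" "$img" \
        "$img_md5" "$img_sha" "$result" >> "$log"
    [ "$result" = VERIFIED ]
}

# verify_image IMAGE EXPECTED_SHA256: re-hash on every transfer or analysis step
# so each custody entry can be checked against the original acquisition hash.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Usage (assumed paths):
#   forensic_image /dev/sdb /evidence/case42.dd EV-001 "J. Doe" /evidence/coc.log
#   verify_image /evidence/case42.dd <sha256 from coc.log>
```

Every later hand-off (to storage, to another examiner, to analysis) should call `verify_image` and add its own record, so the log documents both who held the evidence and that its hash was unchanged at each step.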

Order of Volatility

Collect evidence from most volatile (disappears fastest) to least volatile:

  1. CPU registers and cache
  2. RAM / System Memory
  3. Network connections & routing tables
  4. Running processes
  5. Hard disk / Storage
  6. Remote logs
  7. Archived/backed-up data
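As an added example that is not part of the course material, the script below applies the order above to a Linux live-response collection: each artifact is written to its own file, hashed with SHA-256 the moment it is captured, and logged in a manifest with its step number and UTC timestamp. CPU registers, cache and a full RAM image cannot be captured from userland, so the memory step only records what the kernel exposes and is marked as needing a dedicated memory acquisition tool. The output directory, step labels and the choice of commands are assumptions.

```shell
#!/bin/sh
# Added example: live-response collection in order of volatility.
# Output directory and step labels are assumed values.

# run_step OUTDIR STEP LABEL CMD...
# Runs CMD if present, saves its output to OUTDIR/STEP-LABEL.txt, and appends
# "step<TAB>utc time<TAB>label<TAB>sha256" to OUTDIR/manifest.txt.
run_step() {
    out=$1; step=$2; label=$3; shift 3
    file="$out/$step-$label.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$file" 2>&1 || true     # a failing command still leaves a record
    else
        printf 'UNAVAILABLE: %s\n' "$1" > "$file"
    fi
    printf '%s\t%s\t%s\t%s\n' "$step" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" \
        "$(sha256sum "$file" | cut -d' ' -f1)" >> "$out/manifest.txt"
}

# collect_volatile OUTDIR: most volatile first; prints the number of manifest entries
collect_volatile() {
    out=$1; mkdir -p "$out"; : > "$out/manifest.txt"
    run_step "$out" 1 clock     date -u            # time reference for every later record
    run_step "$out" 2 memory    cat /proc/meminfo  # placeholder: a RAM image needs a memory tool
    run_step "$out" 3 sockets   ss -tan            # network connections
    run_step "$out" 4 routes    ip route           # routing table
    run_step "$out" 5 processes ps -ef             # running processes
    run_step "$out" 6 mounts    cat /proc/mounts   # disk layout, captured before any disk imaging
    wc -l < "$out/manifest.txt" | tr -d ' '
}

# Usage (assumed path): collect_volatile /mnt/evidence/host01-live
```

Hashing each file as it is written lets the manifest serve as the first chain-of-custody entry for the live data; disk imaging and log retrieval follow afterwards, as the order above dictates.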