8.1.2. Order of Volatility and Forensic Tools
💡 First Principle: Digital forensics is the process of collecting, preserving, analyzing, and presenting digital evidence in a manner that maintains its integrity and admissibility. The forensic process must be reproducible — another expert following the same process on the same evidence must reach the same conclusion. Any alteration of evidence, even unintentional, can make it inadmissible and compromises the entire investigation.
The fundamental tension in forensic investigations: the actions required to investigate a system (accessing files, running tools, examining memory) can alter the evidence. Forensic methodology resolves this tension by working on copies — imaging the original evidence and conducting analysis on the copy — and by documenting every action taken.
Order of volatility — collect most volatile first:
| Evidence Type | Volatility | Collection Priority |
|---|---|---|
| CPU registers and cache | Highest — lost on reboot | 1st |
| RAM / running processes | High — lost on shutdown | 2nd |
| Network connections (netstat, ARP) | High — changes constantly | 3rd |
| Running processes (ps, tasklist) | High | 4th |
| Disk / file system | Medium — persists but can be overwritten | 5th |
| Remote logging / SIEM | Low | 6th |
| Physical media (backup tapes) | Very low | 7th |
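A small live-response collector that walks the table above from most to least volatile, as an added example (not code from the page or any tool it names). It assumes a POSIX shell on a Linux host with `ss`, `ip`, `ps`, `who` and `mount` available; anything missing is skipped rather than aborting the capture. Each artifact is written to its own numbered file, and a manifest records the UTC timestamp, the command and the SHA-256 of the output, so the capture itself is documented and can be re-verified later.

```shell
#!/bin/sh
# Added example (not from the page): minimal order-of-volatility collector.
# Assumes ss/ip/ps/who/mount exist; missing commands are skipped, not fatal.
set -e

# digest FILE -> hex SHA-256 (sha256sum on Linux, shasum on BSD/macOS)
digest() { (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1; }

# collect_volatile OUTDIR -> captures artifacts in volatility order and
# prints how many were taken; details go to OUTDIR/manifest.txt
collect_volatile() {
  out=$1; mkdir -p "$out"; n=0
  manifest=$out/manifest.txt; : > "$manifest"
  # One "name|command" per line, most volatile first. CPU registers cannot be
  # read from userspace and a full RAM image needs a dedicated acquisition
  # tool, so this list starts at network state, then processes, then the
  # slower-changing session and mount information.
  while IFS='|' read -r name cmd; do
    bin=${cmd%% *}
    command -v "$bin" >/dev/null 2>&1 || { echo "skip: $name ($bin not present)" >&2; continue; }
    n=$((n + 1))
    f=$(printf '%s/%02d_%s.txt' "$out" "$n" "$name")
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # when this artifact was taken
    $cmd > "$f" 2>&1 || true            # keep partial output rather than abort
    printf '%s|%02d|%s|%s|%s\n' "$ts" "$n" "$name" "$cmd" "$(digest "$f")" >> "$manifest"
  done <<'EOF'
time|date -u
network_sockets|ss -tunap
arp_cache|ip neigh
routes|ip route
processes|ps -eo pid,ppid,user,lstart,cmd
logged_in_users|who
mounts|mount
EOF
  echo "$n"
}

# Stand-alone run: collect into a fresh temp directory and show the manifest.
dir=$(mktemp -d)
echo "captured $(collect_volatile "$dir") artifacts in $dir" >&2
cat "$dir/manifest.txt" >&2
```

The list is deliberately ordered rather than alphabetical: socket and ARP state change with every connection, while the mount table is nearly static, so anything that can go stale while the script runs is captured first.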
Chain of custody — the documented record of who handled evidence, when, and what actions were taken:
- Every piece of evidence must be logged upon collection: description, location found, collector, date/time, hash value
- Evidence must be stored securely to prevent tampering (evidence bags, locked storage, access log)
- Any transfer of custody must be documented
- Without an intact chain of custody, evidence may be inadmissible in legal proceedings
Forensic imaging:
- Create a bit-for-bit copy (forensic image) of storage media using write-blockers (hardware or software that prevents any writes to the source)
- Hash the original media (SHA-256) before and after imaging — hash must match to prove no alteration occurred
- Conduct all analysis on the copy, never on the original
- Tools: FTK Imager, dd (Unix), Autopsy
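The imaging steps above and the chain-of-custody record, carried out end to end on a constructed test file, as an added example that is not from the page or from any of the tools it names. It assumes a POSIX shell with `dd` and `sha256sum` (or `shasum`); the evidence ID and collector name are placeholders. On real media the source is a device node read through a write-blocker, and the same three-way comparison (source before, image, source after) applies.

```shell
#!/bin/sh
# Added example (not from the page): dd imaging with SHA-256 verification
# and a chain-of-custody entry, run against a constructed 64 KiB "drive".
set -e

# sha256 FILE -> hex digest (sha256sum on Linux, shasum on BSD/macOS)
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# acquire_image SOURCE IMAGE
# Hashes the source before imaging, makes a bit-for-bit copy with dd, then
# hashes the source again and the image. Prints the digest and succeeds only
# if all three agree; any difference means the evidence or the copy changed.
acquire_image() {
  src=$1; img=$2
  pre=$(sha256 "$src")
  # conv=noerror keeps reading past bad sectors; conv=sync zero-pads a short
  # read so image offsets stay aligned with the source. sync also pads a
  # trailing partial block, so the source must be a whole number of blocks
  # (always true for real media; the test file below is sized accordingly).
  dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
  post=$(sha256 "$src")
  copy=$(sha256 "$img")
  if [ "$pre" = "$post" ] && [ "$pre" = "$copy" ]; then
    printf '%s\n' "$pre"
  else
    echo "hash mismatch: before=$pre after=$post image=$copy" >&2
    return 1
  fi
}

# verify_image IMAGE EXPECTED_DIGEST -> 0 if the working copy is still intact
verify_image() {
  [ "$(sha256 "$1")" = "$2" ]
}

# log_custody LOGFILE EVIDENCE_ID DESCRIPTION LOCATION COLLECTOR DIGEST
# Appends one record: when, what, action, description, where found, who, hash.
log_custody() {
  printf '%s|%s|%s|%s|%s|%s|%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "collected" "$3" "$4" "$5" "$6" >> "$1"
}

# Stand-alone demo: 16 blocks of 4096 random bytes stand in for a drive.
demo() {
  work=$(mktemp -d)
  head -c 65536 /dev/urandom > "$work/evidence.bin"
  digest=$(acquire_image "$work/evidence.bin" "$work/evidence.raw")
  log_custody "$work/custody.log" "EV-001" "constructed test drive" \
    "$work/evidence.bin" "analyst (placeholder)" "$digest"
  verify_image "$work/evidence.raw" "$digest" && echo "image verified: $digest"
  cat "$work/custody.log"
}
demo
```

Keep the digest printed by `acquire_image` with the custody record: every later verification of the working copy compares against that value, and a mismatch between the before and after source hashes is the signal that the write-blocker did not do its job.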
Memory forensics: Live memory contains artifacts not found on disk: encryption keys, process injection artifacts, malware that runs only in memory ("fileless malware"), network connection state, user activity. Tools: Volatility, Rekall. Memory must be captured before the system is powered off.
Types of forensic investigations:
| Type | Focus | Example |
|---|---|---|
| Network forensics | Traffic captures, NetFlow, log analysis | Reconstructing attack timeline from pcap files |
| Endpoint forensics | Disk images, memory dumps, registry analysis | Finding malware persistence mechanisms |
| Mobile forensics | Device extraction, app data, location history | Insider threat investigation |
| Cloud forensics | Log exports, API audit trails, snapshot analysis | SaaS account compromise |
Legal holds and eDiscovery: When litigation is "reasonably anticipated" (not just filed), organizations must preserve all potentially relevant electronically stored information (ESI). Legal holds must be issued to custodians (employees who have relevant data), backup deletion schedules must be suspended for covered data, and IT systems must be configured to retain data that would otherwise be auto-deleted. Failure to preserve evidence after a duty to preserve arises constitutes spoliation, which can result in court sanctions including adverse inference instructions (the jury is told to assume the destroyed evidence was unfavorable).
⚠️ Exam Trap: "Turning off the system preserves evidence." Powering off a system destroys all volatile evidence: RAM contents, running process list, network connections, encryption keys in memory. For live forensics, memory must be captured while the system is running. For disk-only investigations, a controlled shutdown (not hard power-off) is preferred when RAM capture is not needed — but this decision depends on the investigation type.
Reflection Question: During a ransomware incident investigation, a system administrator — wanting to be helpful — immediately rebooted the encrypted servers to "clear the malware," overwrote the affected drives with backups, and discarded the drives. Identify each forensic error committed, what specific evidence was lost by each action, and what procedure should be in the IR plan to prevent this scenario.