Key Takeaways: Digital Forensics for Defenders

A scannable, reference-grade card for the chapter. Reread this before a cert exam or before your first real investigation. The golden rules, the artifact tables, the order of volatility, and the cert crosswalk are all here.


The five rules that decide every case

  1. Preserve before you remediate. Image and hash before you rebuild. Recover from a copy; the original stays sealed.
  2. Collect most-volatile first. Memory before disk. Never pull power on a live, un-captured system.
  3. Don't change the original; prove you didn't. Write blocker + SHA-256 hash of source and image (match = sound).
  4. Account for the evidence continuously. Chain of custody: who, when, from where, why — unbroken.
  5. Corroborate across independent sources. Especially off-host, append-only ones — they defeat anti-forensics.

Core definitions (one line each)

| Term | Definition |
| --- | --- |
| Digital forensics (DFIR) | Methodical, repeatable, defensible preservation, acquisition, analysis, and reporting of digital evidence. |
| Order of volatility | The rule to collect evidence from most-fragile (RAM) to least-fragile (backups) so durable collection doesn't destroy fragile evidence. |
| Chain of custody | The documented, unbroken record of everyone who handled evidence, when, and why — proving it is unaltered. |
| Disk imaging | Making a bit-for-bit, sector-by-sector copy of a device (incl. deleted files, slack/unallocated space). |
| Memory imaging | Capturing RAM contents (processes, connections, injected code, in-memory secrets) — lost on power-off. |
| Write blocker | Hardware/strict-software device that allows reads of an evidence drive but blocks all writes. |
| Forensic artifact | Data left by normal activity that reveals what happened (registry, $MFT, logs, Prefetch). |
| Timeline analysis | Merging timestamped events from many sources into one chronological narrative. |
| Indicator scoping | Pivoting confirmed indicators (hash, account, IP) across the environment to find full extent. |
| Root-cause analysis | Finding the underlying failure whose fix prevents recurrence (not the proximate symptom). |
| Anti-forensics | Attacker techniques to hinder investigation: log clearing, timestomping, secure deletion, LOLBins. |

Order of volatility (collect TOP → BOTTOM)

| # | Source | Lost when… |
| --- | --- | --- |
| 1 | CPU registers, cache | power loss (instant) |
| 2 | RAM — processes, connections, injected code, in-memory keys | power loss / reboot |
| 3 | Network state — ARP cache, routing, live connections, sockets | continuously |
| 4 | Running system / kernel state, temp files | reboot |
| 5 | Disk — filesystem, $MFT, registry, logs, slack/unallocated | survives reboot; can be wiped |
| 6 | Off-host logs / SIEM (forwarded copies) | survives the host |
| 7 | Physical config, topology | stable |
| 8 | Backups, archival / write-once | most durable |

The mistake it prevents: pulling power / rebooting before memory capture (destroys 1–4). (RFC 3227; NIST SP 800-86.)


Sound acquisition checklist

  • [ ] Decide live-capture vs. power-off (favor live memory capture unless active destruction forces a power-off trade).
  • [ ] Memory capture first (trusted tool → external drive) on a live system.
  • [ ] Write blocker between analysis system and evidence drive (read-only).
  • [ ] Bit-for-bit image (not a file copy) — captures deleted files + slack space.
  • [ ] Hash source AND image (SHA-256); confirm MATCH = sound copy.
  • [ ] Analyze the image, never the original; original sealed, re-hashable.
  • [ ] Contemporaneous notes of every command (repeatability).
  • [ ] Chain-of-custody record started at collection; every handoff logged.

Hashing nuance: MD5/SHA-1 broken for collision resistance (adversarial); an MD5 match still detects accidental change. Record SHA-256 where integrity may be contested.
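The hash-and-match step of the checklist, as an added example (this is not code from the page and not the chapter's bluekit helper): stream a source device and its image through SHA-256 in chunks, treat an equal digest as the "sound copy" criterion, and write an append-only chain-of-custody record. All file paths, item IDs and handler names are constructed placeholders; the demo builds a fake source, one faithful image and one damaged image in a temp directory.

```python
"""Added example: SHA-256 verification of a forensic image plus a chain-of-custody
record. All paths, item IDs and handler names below are constructed placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-TB image never has to fit in RAM


def sha256_file(path, chunk_size=CHUNK):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(source_path, image_path):
    """Hash source and image; an equal digest is the checklist's 'sound copy' test."""
    src, img = sha256_file(source_path), sha256_file(image_path)
    return {"source_sha256": src, "image_sha256": img, "match": src == img}


def custody_record(item_id, action, handler, location, reason, sha256):
    """One chain-of-custody line: who, when (UTC), from where, why, and the digest."""
    return {
        "item": item_id, "action": action, "handler": handler, "location": location,
        "reason": reason, "sha256": sha256,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def append_custody(log_path, record):
    """Append-only JSON-lines custody log; earlier entries are never rewritten."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")


def demo():
    """Constructed demo: a fake 'source' device, a faithful image, and a damaged one."""
    d = tempfile.mkdtemp()
    source = os.path.join(d, "source.raw")
    good = os.path.join(d, "image_good.dd")
    bad = os.path.join(d, "image_bad.dd")
    payload = b"\x00" * 4096 + b"CONSTRUCTED SECTOR DATA" + os.urandom(4096)
    for p in (source, good):
        with open(p, "wb") as f:
            f.write(payload)
    with open(bad, "wb") as f:
        f.write(payload[:-1] + bytes([payload[-1] ^ 0x01]))  # one flipped bit: not sound
    results = {"good": verify_image(source, good), "bad": verify_image(source, bad)}
    append_custody(os.path.join(d, "custody.jsonl"),
                   custody_record("EVID-001", "imaged", "examiner-A", "lab bench 2",
                                  "ransomware case", results["good"]["image_sha256"]))
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "MATCH" if r["match"] else "MISMATCH", r["image_sha256"][:16])
```

A single flipped bit in the damaged image changes the whole digest, which is why the match is a pass/fail test rather than a similarity score; the custody line is written with append mode only, so the record of the imaging step is never edited after the fact.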


| Principle | What it requires |
| --- | --- |
| Authorization | Right to collect (own systems / IR mandate); know privacy law; watch for legal hold. |
| Integrity | Write blocker + hashing + custody record prove evidence unaltered. |
| Repeatability | Another examiner reproduces findings from your notes + image. |
| Documentation | Who/when/where/why for every item and handoff; analysis on the image. |
| Competence/tooling | Validated tools; qualified interpretation; know when to involve counsel. |

Legal hold: directive to preserve all potentially relevant data once litigation is anticipated; deleting it (even routine log rotation) can be spoliation. Authorization limit: reaching onto systems you don't control can be a crime and can taint evidence — gather only from systems you're entitled to.


Key artifacts — what each one proves

Windows

| Artifact | Answers… | Notes |
| --- | --- | --- |
| Registry USBSTOR | Which USB devices connected, when | Attached-device history |
| Registry Run/RunOnce | How the attacker persisted | Auto-start entries |
| Registry UserAssist / ShimCache | Program execution / presence | Execution evidence |
| $MFT (NTFS) | When files were created/modified; deleted files | MACB times; dual timestamps expose timestomping |
| Event ID 4624 / 4625 | Successful / failed logon (+ logon type) | type 3 = network, 10 = RDP |
| Event ID 4688 | Process creation (what ran) | |
| Event ID 7045 | New service installed | Common persistence/lateral move |
| Event ID 1102 | Security log cleared | Anti-forensic signal |
| Prefetch (.pf) | A program actually ran (count, last run) | Existence ≠ execution |
| Amcache / ShimCache | Execution + presence history | |

Linux

| Artifact | Answers… |
| --- | --- |
| /var/log/auth.log or /var/log/secure | Logins, sudo, SSH sessions |
| /var/log/syslog, systemd journal (journalctl) | General system events |
| ~/.bash_history | Commands typed (absence/truncation = suspicious) |
| stat timestamps (atime/mtime/ctime) | When files were touched |
| crontab, systemd units, startup scripts | Persistence mechanisms |

Timeline method (5 steps)

  1. Gather all timestamped sources (logs, $MFT, registry write times, network records).
  2. Normalize to UTC — convert every source's time zone.
  3. Account for clock skew — note any machine with a wrong clock.
  4. Tag each event's source, then merge and sort chronologically.
  5. Read it both ways — forward for the story; backward from impact to find initial access (patient zero).

Two timeline-killers: time-zone confusion and clock skew. Weighting: trust off-host, append-only sources most (hardest to tamper).
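The five steps carried through on constructed data, as an added example (not code from the page, and not the chapter's bluekit `merge_timeline`): three sources that each log in their own zone, one host whose clock has been measured three minutes fast, a merge that tags every event with its source, and a backward read from the impact event. Host names, offsets, skew and messages are all made up.

```python
"""Added example: the five-step timeline method over constructed events from three
sources. Host names, zones, clock skew and messages are all constructed."""
from datetime import datetime, timedelta, timezone

# Step 1: gathered sources. Each keeps its own zone. ws07's clock was measured 3 minutes
# fast against the SIEM (step 3), so its timestamps must be pulled back by that amount.
SAMPLE_SOURCES = {
    "vpn-gw": {"tz": timezone(timedelta(hours=1)), "skew": timedelta(0), "events": [
        ("2024-03-04 15:02:11", "VPN logon user=svc_backup src=198.51.100.23 mfa=none"),
    ]},
    "ws07:Security.evtx": {"tz": timezone(timedelta(hours=-5)), "skew": timedelta(minutes=3),
                           "events": [
        ("2024-03-04 09:17:40", "4624 type 10 user=svc_backup src=10.0.5.4"),
    ]},
    "siem": {"tz": timezone.utc, "skew": timedelta(0), "events": [
        ("2024-03-04 14:14:45", "4688 host=ws07 new process svchost-updater.exe"),
        ("2024-03-04 14:20:00", "1102 host=ws07 security log cleared"),
    ]},
}


def to_utc(local_ts, tz, skew=timedelta(0), fmt="%Y-%m-%d %H:%M:%S"):
    """Steps 2 and 3: attach the source's zone, subtract the measured skew
    (positive = clock runs fast), and return an aware UTC datetime."""
    aware = datetime.strptime(local_ts, fmt).replace(tzinfo=tz)
    return (aware - skew).astimezone(timezone.utc)


def build_timeline(sources):
    """Step 4: tag every event with its source, merge, and sort chronologically."""
    merged = []
    for name, src in sources.items():
        for ts, text in src["events"]:
            merged.append({"utc": to_utc(ts, src["tz"], src.get("skew", timedelta(0))),
                           "source": name, "event": text})
    merged.sort(key=lambda e: e["utc"])  # stable sort keeps ties in insertion order
    return merged


def events_before_impact(timeline, impact_marker):
    """Step 5 (backward read): everything that precedes the first impact event. Its
    first entry is the candidate initial access, to be corroborated off-host."""
    for i, e in enumerate(timeline):
        if impact_marker in e["event"]:
            return timeline[:i]
    return list(timeline)


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_SOURCES):
        print(e["utc"].strftime("%Y-%m-%d %H:%M:%SZ"), f"[{e['source']}]", e["event"])
```

Without the skew correction the ws07 logon would land at 14:17:40 UTC, after the process creation it actually preceded, and the story would read backwards; with it, the VPN logon without MFA is the earliest event and becomes the initial-access candidate to corroborate against the gateway's own off-host records.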


Scoping & root cause (the pivot)

file hash → which hosts? → which account placed it? → where did that account log on? → what credential/entry point? → ROOT CAUSE
  • Scoping finds the full footprint (every host/account/data store) so eradication is complete.
  • Root cause is the underlying gap (e.g., VPN without MFA), not the symptom (ransomware ran). Its fix prevents recurrence and feeds the risk register and lessons learned (Ch. 24).
  • The reach to a sensitive data store determines breach-notification obligations — a bounded finding ("reached but not accessed/exfiltrated," corroborated by file-access times + off-host NetFlow) is the goal.
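The pivot chain run mechanically, as an added example (not the page's own code): starting from a confirmed hash, find every host it sits on, the account that placed it, every host that account logged onto, and the sources those logons came from, repeating until nothing new appears. Fleet hash-search results, logon records, host list and the entry-point mapping are all constructed; the function returns the footprint and the entry point to investigate, while root cause remains the analyst's conclusion.

```python
"""Added example: the scoping pivot (hash -> hosts -> account -> logon sources ->
entry point) as a fixed-point search over constructed fleet telemetry. Every record
below is made up."""

FILE_OBSERVATIONS = [  # fleet-wide hash search: host, hash, account that wrote the file
    {"host": "ws07", "sha256": "HASH_A", "placed_by": "svc_backup"},
    {"host": "fs01", "sha256": "HASH_A", "placed_by": "svc_backup"},
    {"host": "ws12", "sha256": "HASH_B", "placed_by": "jdoe"},  # unrelated file and user
]
LOGONS = [  # centralized 4624 records: account, target host, where the logon came from
    {"account": "svc_backup", "host": "ws07", "src": "10.0.5.4"},
    {"account": "svc_backup", "host": "fs01", "src": "ws07"},
    {"account": "svc_backup", "host": "db02", "src": "ws07"},
    {"account": "jdoe", "host": "ws12", "src": "10.0.7.9"},
]
KNOWN_HOSTS = {"ws07", "fs01", "db02", "ws12"}
ENTRY_POINTS = {"10.0.5.4": "VPN address pool (no MFA enforced)"}  # constructed mapping


def scope_indicator(indicator, file_obs, logons, known_hosts, entry_points):
    """Expand hosts and accounts until a pass adds nothing; collect external sources."""
    hosts = {o["host"] for o in file_obs if o["sha256"] == indicator}
    accounts, sources = set(), set()
    while True:
        before = (len(hosts), len(accounts))
        # Which account placed the indicator on an in-scope host?
        accounts |= {o["placed_by"] for o in file_obs
                     if o["sha256"] == indicator and o["host"] in hosts}
        # Where did that account log on, and from where?
        for logon in logons:
            if logon["account"] in accounts:
                hosts.add(logon["host"])  # reached, even if no file was dropped there
                if logon["src"] in known_hosts:
                    hosts.add(logon["src"])  # origin of a lateral move is in scope too
                else:
                    sources.add(logon["src"])  # external source: candidate entry point
        if (len(hosts), len(accounts)) == before:
            break
    return {"hosts": hosts, "accounts": accounts,
            "entry_points": {s: entry_points.get(s, "unmapped source") for s in sources}}


if __name__ == "__main__":
    result = scope_indicator("HASH_A", FILE_OBSERVATIONS, LOGONS, KNOWN_HOSTS, ENTRY_POINTS)
    for key, value in result.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Note that db02 enters the scope from the logon records alone: the hash was never found there, but the compromised account reached it, and eradication that stops at the hosts where the file was found would miss it.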

Anti-forensics — and the counter

| Technique | Detect it by | Deny it by |
| --- | --- | --- |
| Log clearing | Event 1102; gaps in continuous logs | Off-host, append-only forwarding |
| Timestomping | $MFT dual timestamps disagree | (detection-only; corroborate other sources) |
| Secure deletion of tools | Prefetch shows it ran, but file gone | Off-host telemetry of the execution |
| Empty/truncated history | Absence on an active account | auth.log / journal / NetFlow corroboration |
| Living-off-the-land (LOLBins) | Anomalous use of built-in tools | Behavioral detection (Ch. 22), command logging |

Core stance: absence of evidence is evidence. You can't prevent every anti-forensic act — detect its traces and put evidence beyond the attacker's reach.
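Three of the "detect it by" cells above as code, an added example rather than anything from the page: Event 1102 and silence gaps found in an off-host forwarded copy of a host's log, and $MFT rows where the $STANDARD_INFORMATION creation time disagrees with the $FILE_NAME creation time. The forwarded log lines and the parsed $MFT rows are constructed; the zero-sub-second check is a commonly used heuristic added alongside the page's dual-timestamp test.

```python
"""Added example: three anti-forensics detections over constructed data. Event 1102 in a
forwarded log, silence gaps in a host's continuous log, and $MFT timestamp disagreement.
Every log line and $MFT row below is constructed."""
from datetime import datetime, timedelta

# Off-host (forwarded) copy of ws07's security log, one "utc|host|event_id|message" per line
FORWARDED_LOG = """\
2024-03-04T14:00:00|ws07|4624|logon type 10 user=svc_backup
2024-03-04T14:05:00|ws07|4688|new process svchost-updater.exe
2024-03-04T14:20:00|ws07|1102|The audit log was cleared
2024-03-04T16:30:00|ws07|4624|logon type 2 user=jdoe
2024-03-04T16:31:00|ws07|4688|new process notepad.exe
"""

# Parsed $MFT rows: $STANDARD_INFORMATION ($SI) vs $FILE_NAME ($FN) creation times
MFT_ROWS = [
    {"path": r"C:\Windows\Temp\upd.exe",
     "si_created": "2019-01-01T00:00:00.000000", "fn_created": "2024-03-04T14:05:00.123456"},
    {"path": r"C:\Windows\System32\notepad.exe",
     "si_created": "2023-06-10T08:00:00.437210", "fn_created": "2023-06-10T08:00:00.437210"},
]


def parse_forwarded(text):
    """Split the forwarded lines into dicts with an aware-free UTC datetime."""
    events = []
    for line in text.splitlines():
        ts, host, eid, msg = line.split("|", 3)
        events.append({"utc": datetime.fromisoformat(ts), "host": host,
                       "id": int(eid), "msg": msg})
    return events


def find_log_clearing(events):
    """Event 1102 survives in the off-host copy even when the on-host log is gone."""
    return [e for e in events if e["id"] == 1102]


def find_gaps(events, host, max_silence):
    """Silences longer than max_silence between consecutive events from one host;
    each gap is returned as (last event before, first event after)."""
    times = sorted(e["utc"] for e in events if e["host"] == host)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]


def find_timestomping(rows):
    """$SI times can be set through the ordinary file-time API; $FN times cannot, so a
    $SI creation earlier than the $FN creation is inconsistent. A $SI value with a zero
    sub-second part is a second, weaker heuristic (tools that write whole seconds)."""
    flagged = []
    for r in rows:
        si = datetime.fromisoformat(r["si_created"])
        fn = datetime.fromisoformat(r["fn_created"])
        reasons = []
        if si < fn:
            reasons.append("$SI created before $FN created")
        if si.microsecond == 0:
            reasons.append("$SI sub-second part is zero")
        if reasons:
            flagged.append({"path": r["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    ev = parse_forwarded(FORWARDED_LOG)
    print("1102 events:", [e["utc"].isoformat() for e in find_log_clearing(ev)])
    print("gaps > 1h:", find_gaps(ev, "ws07", timedelta(hours=1)))
    print("timestomp candidates:", find_timestomping(MFT_ROWS))
```

The gap detector needs a baseline for what "continuous" means on that host (here one hour, an assumption); the timestomping check is detection-only, exactly as the table says, so a flagged row is a lead to corroborate with Prefetch, off-host 4688 records or NetFlow rather than a finding on its own.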


Common pitfalls

  • Pulling power on a live, un-captured system → volatile evidence gone (irreversible).
  • Copying files instead of imaging → misses deleted files, slack space; alters timestamps.
  • Analyzing the original drive → contaminates the authoritative evidence.
  • Trusting a single (attacker-reachable) source for the timeline → under-scopes the intrusion.
  • Neglecting chain of custody → perfect image, inadmissible evidence.
  • Overreaching onto systems you don't control → criminal exposure + tainted evidence.
  • Stopping at proximate cause → guaranteed recurrence.
  • Stating "stole/exfiltrated" instead of a bounded claim → indefensible in front of a regulator/court.

Framework & standard crosswalk

| Framework | Where this chapter maps |
| --- | --- |
| NIST SP 800-86 | Guide to Integrating Forensic Techniques into Incident Response — the chapter's primary standard. |
| NIST SP 800-61 | IR lifecycle (Ch. 24); forensics supports detect/analyze, eradicate (scope), recover, lessons. |
| RFC 3227 | Guidelines for Evidence Collection and Archiving — order of volatility. |
| NIST CSF 2.0 | RESPOND (analysis), RECOVER; forensic readiness supports DETECT/PROTECT (logging). |
| MITRE ATT&CK | Indicator Removal (T1070: log clearing, timestomping), Defense Evasion tactic. |
| CIS Controls v8 | Control 8 (Audit Log Management) = forensic readiness; Control 17 (Incident Response). |

Certification crosswalk

| Concept | CompTIA Security+ | (ISC)² CISSP |
| --- | --- | --- |
| Order of volatility | Investigation/data sources | Security Operations (investigations) |
| Chain of custody | Forensics / incident response | Security Operations; Legal/regulatory |
| Write blocker, imaging, hashing | Forensic acquisition | Digital forensics; evidence integrity |
| Legal hold, e-discovery, admissibility | Forensics concepts | Legal, Regulations, Investigations |
| Artifacts (logs, registry, $MFT) | Data sources for investigation | Conduct logging/monitoring; investigations |
| Anti-forensics | Indicators / attack techniques | Security Operations; ATT&CK evasion |
| Root-cause analysis | Incident response process | Security Operations; lessons learned |

Project additions (this chapter)

  • Meridian program — forensic readiness standard: (1) evidence-handling procedure (order of volatility, write-blocker + hashing, chain-of-custody form); (2) forensic logging & retention (centralize 4624/4625/4688/7045/1102 + Linux auth/journal, append-only, months of retention); (3) host visibility (memory capture + fleet-wide indicator search); (4) legal-hold & escalation (when counsel/HR are engaged).
  • bluekit/forensics.py: evidence_hash(data, expected) → integrity verification (SHA-256 match); merge_timeline(sources) → normalize + sort multi-source events into one chronological timeline.
  • Anchors advanced: the Meridian ransomware case (Ch. 24) carried into forensics — root cause (VPN without MFA), eleven-day dwell, four-host scope, bounded "PII reached but not exfiltrated" finding.