Part III — Digital Forensics

"In recovery, the data is the prize. In forensics, the data is testimony — and you will defend every byte of it from the witness stand."

Part II asked a single, urgent question: can you get it back? The drive was failing, the partition was gone, the files were deleted or encrypted, and success was measured in bytes restored to a grateful client. Part III asks a harder question, and asks it of the same hardware with the same skills: can you prove what happened? Not "I think the engineer copied the files," but "I can demonstrate, to a standard that survives a hostile cross-examination years from now, the exact sequence of events — and prove that I never altered the evidence while I established it." That shift, from restoration to proof, is the whole subject of this part. The book's subtitle names both halves: Part II was finding what's lost; Part III is proving what happened.

The difference is not the tools — you will reach for many of the same ones — but the bar. A data-recovery job ends when the file opens. A forensic examination ends when a finding can withstand opposing counsel, a Daubert challenge, and the simple, devastating question, "How do you know you didn't change it?" Everything in this part is built to answer that question before it is asked: image first and work only on the copy, hash everything, document every minute, and treat every action you take as something you may one day explain under oath.

This is the longest part of the book, and deliberately so — it is the heart of the discipline. It moves outward in a widening spiral, from the most controlled evidence to the most fragile. You start at the bench with a still disk and learn to capture it perfectly, then face a running machine you dare not power off. You open the image and read what each operating system recorded about itself, then move from the machine's logbook to the user's diary — the browser, their communications, the files themselves. You rise above the individual artifacts to fuse them into a single timeline, the moment scattered facts become an argument. And the part closes on three frontiers where evidence is most volatile and most personal: memory that vanishes when the power dies, packets that live on the wire for microseconds, and the device that goes everywhere its owner does.

What you will learn

  • Chapter 14 — Forensic Acquisition. Producing a bit-for-bit image, enforcing read-only with a write-blocker, verifying with cryptographic hashes, and maintaining the chain of custody that makes a copy defensible — the one step you cannot redo.
  • Chapter 15 — Live Response and Triage Forensics. Capturing volatile evidence from a running system you dare not power off; the order of volatility, the cost of every keystroke you knowingly make, and triage at scale with KAPE, CyLR, and Velociraptor.
  • Chapter 16 — Windows Forensics. Reading the receipts Windows cannot help keeping — registry hives, event logs, Prefetch, LNK and Jump Lists, USB device history, and the $Recycle.Bin — and watching a departing engineer's cover-up make the truth easier to prove.
  • Chapter 17 — macOS and Linux Forensics. APFS snapshots that quietly preserve deleted files, the unified log, ext4 journals, and the plain-text and binary artifacts of Unix — because half of modern evidence is not on Windows.
  • Chapter 18 — Browser and Internet Forensics. Mining the richest record of the human on the machine — history, cache, cookies, downloads, and typed search terms — where cache becomes possession and a search term becomes intent.
  • Chapter 19 — Email, Chat, and Social Media Forensics. Recovering what people said and to whom, from PST/OST stores and webmail headers to deleted records carved out of SQLite — and which legal instrument compels which class of records.
  • Chapter 20 — Photo, Video, and Document Forensics. Reading the file you cannot see — EXIF, document metadata, embedded thumbnails, incremental-update history, and manipulation detection — handled clinically where the court case demands it.
  • Chapter 21 — Timeline Analysis. Fusing every dated artifact into one normalized super-timeline, reading the sequence that turns facts into an argument, and detecting timestomping where someone lied to the clock.
  • Chapter 22 — Memory Forensics. Analyzing RAM for evidence that never touched the disk — encryption keys, fileless malware, injected code, and live command-and-control — captured now or lost forever.
  • Chapter 23 — Network Forensics. Reconstructing an ephemeral event from packet captures, flow records, and sensor logs, where the wire forgets and only what something wrote down as it passed survives.
  • Chapter 24 — Mobile Device Forensics. Extracting evidence from the most personal endpoint there is — the acquisition pyramid, hardware encryption and compelled access, and authenticating the messages that win and lose cases.

Why this part matters

This is where the book's principles stop being advice and become courtroom obligations. The original is sacred opens the part literally: Chapter 14 exists because a single careless write breaks your ability to say the evidence is unaltered. Every action leaves a trace — and the absence of a trace is itself a trace is the engine of the seven chapters that follow; Windows, macOS, browsers, and apps record activity their users never imagine, and the anti-forensic tools that try to erase those records leave fresh traces of their own. Deleted ≠ destroyed carries forward from Part II — deleted chat records, snapshotted files, carved thumbnails — and then meets its sharp inversion in Chapter 23, where the network's default state is destroyed and you keep only what you captured in flight. Running underneath is technology changes, principles don't: Windows hives, APFS snapshots, packet captures, and locked phones look nothing alike, but the method never varies — understand the technology, image the evidence, analyze systematically, document everything, report accurately. And the part never lets you forget the last two themes. Know your limitations recurs at the close of nearly every chapter, because encryption, TRIM, and ephemeral packets can defeat you, and "the evidence is insufficient to reach a conclusion" is a professional finding, not a failure. The human cost is real sits behind the two anchor cases that thread this part — the engineer whose career turns on a timeline (Chapters 16, 21, 23) and the court case handled clinically throughout (Chapters 20, 24) — because every image you open belonged to a person.

For each learning path

🔍 Forensic Examiners, this part is your home and the center of gravity of the entire book — linger everywhere, because these eleven chapters are the substance of the job. 🛡️ Incident Response practitioners should slow down hard on live response (15), memory (22), and network (23), the spine of intrusion work, and read the artifact chapters for persistence and lateral movement. 📜 Legal/eDiscovery readers can move briskly through the deep hex, but must stop and study the chain of custody in Chapter 14 and the compulsion-and-admissibility sections of Chapters 19, 22, 23, and 24 — they decide what you may lawfully collect and what survives a suppression motion. 💾 Data Recovery technicians get the leanest tour here, yet should not skip it: "image first, work on the copy" protects an irreplaceable original even with no courtroom in sight, and real recovery prizes are scattered throughout — SQLite record recovery, APFS snapshots, ext4 journals, embedded thumbnails, and corrupt-PST repair.

Every chapter that follows assumes one thing: a perfect, verified copy you can defend. So we begin where every investigation begins — at the bench, with a sealed evidence bag, a write-blocker, and a hash you will stake your testimony on. Turn to Chapter 14.

Chapters in This Part