Evidence that isn’t preserved soundly is worthless — in court and in analysis. Capture volatile data in the right order, image without altering, and prove integrity with hashes.
Why: some evidence disappears faster than others — memory and network connections vanish on reboot, disk persists — so you collect in order of volatility, most-fleeting first, or you lose it. When: capture RAM and live state before powering off or imaging disk. Where: pulling the plug to "preserve" a machine actually destroys the most valuable evidence (memory), so live capture usually comes first.
Collect MOST volatile first (it's gone on reboot):
1. CPU registers / cache (essentially instant)
2. RAM (memory) <- malware, keys, connections live here
3. network state, running procs
4. disk (persists)
5. logs on remote systems
6. archival / backups (least volatile)
Reboot/shutdown destroys 1-3. Capture memory + live state BEFORE imaging.Why: forensic analysis must never change the evidence, so you work on a bit-for-bit copy (an image) made with a write blocker, keeping the original untouched. When: image disks and capture memory to separate media, then analyze the copy. Where: any analysis on the original risks altering timestamps and metadata, which can invalidate findings and legal standing.
# Bit-for-bit disk image to a SEPARATE drive (use a hardware write blocker):
dd if=/dev/sdb of=/evidence/disk.img bs=4M conv=noerror,sync
# ...or dcfldd / ewfacquire (E01 format) for hashing + metadata built in.
# Capture RAM (before shutdown) on a live host:
# Linux: avml /evidence/memory.raw Windows: WinPMEM / DumpIt
# Analyze the COPY. Never touch the original.Why: to trust (and legally rely on) evidence, you must prove it has not changed since collection — a cryptographic hash taken at acquisition and re-checked later does this, and a chain-of-custody log records everyone who handled it. When: hash immediately on acquisition and document every transfer. Where: a broken chain of custody or a mismatched hash can render evidence inadmissible and conclusions doubtful.
# Hash the image at acquisition; re-verify before/after any analysis:
sha256sum /evidence/disk.img > /evidence/disk.img.sha256
sha256sum -c /evidence/disk.img.sha256 # must match, always
# Chain of custody log — for EVERY piece of evidence:
# what it is · when + how collected · by whom · every transfer (who/when/why)
# stored where, and its hash. An unbroken chain is what makes it trustworthy.