Evidence Preservation

Proper evidence preservation is crucial for understanding what happened, supporting insurance claims, enabling legal action, and meeting regulatory requirements. Poor evidence handling can make forensic analysis impossible.

Fundamental Principles

1. Never modify original evidence - Always work with copies
2. Document everything - Who, what, when, where, how
3. Maintain chain of custody - Track all access to evidence
4. Hash everything - Verify integrity with MD5/SHA256
5. Photograph before touching - Document the original state

Order of Volatility

Collect evidence in this order (most volatile first):

1. Memory (RAM) - Lost when powered off
2. Network connections - Current state, routing tables
3. Running processes - What's executing now
4. Temporary files - May be overwritten
5. Disk storage - Relatively stable
6. Logs - May rotate or be deleted
7. Physical evidence - Hardware, notes, etc.

Evidence Collection Tools

Memory Capture (Windows)

WinPmem (Free, Open Source) - Download: github.com/Velocidex/WinPmem - Run from USB drive as administrator - Output: Raw memory dump file

FTK Imager (Free) - Download: exterro.com/ftk-imager - GUI-based, easier for non-experts - Can capture memory and disk

Memory Capture (Linux/Mac)

LiME (Linux Memory Extractor) - GitHub: github.com/504ensicsLabs/LiME - Kernel module for Linux memory acquisition

OSXPmem (macOS) - Part of the Pmem suite - Requires kernel extension

Triage Collection

KAPE (Kroll Artifact Parser and Extractor) - Download: kroll.com/kape - Fast collection of key forensic artifacts - Windows-focused - Free for internal use

Velociraptor - GitHub: github.com/Velocidex/velociraptor - Remote forensic collection - Scales to enterprise - Free and open source

Disk Imaging

FTK Imager (Free) - Create forensic images (E01, raw) - Verify with hash values - Mount images for analysis

dd (Linux, Free)

# Create forensic image
dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M status=progress

# Calculate hash
sha256sum /mnt/evidence/disk.img > /mnt/evidence/disk.img.sha256

Guymager (Linux, Free) - GUI for forensic imaging - Supports E01 format - Built-in hashing

What to Collect

System Artifacts (Windows)

• Event logs (C:\Windows\System32\winevt\Logs\)
• Registry hives (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT)
• Prefetch files (C:\Windows\Prefetch\)
• Recent files, jump lists, shellbags
• Browser history and cache
• Scheduled tasks
• Startup items

System Artifacts (Linux)

• System logs (/var/log/)
• Authentication logs (/var/log/auth.log, /var/log/secure)
• Command history (.bash_history, .zsh_history)
• Cron jobs
• SSH authorized keys
• Running services

Network Evidence

• Firewall logs
• Proxy logs
• DNS query logs
• NetFlow/traffic data
• Active connections (netstat -an)

Application Evidence

• Application logs
• Database logs
• Web server logs
• Email logs
• Cloud service audit logs

Chain of Custody

Document every time evidence is accessed:

Field	Description
Evidence ID	Unique identifier
Description	What is it?
Source	Where was it collected from?
Date/Time Collected	When was it acquired?
Collected By	Who collected it?
Hash Values	MD5, SHA256 at collection
Storage Location	Where is it stored?
Access Log	Who accessed it and when?

Chain of Custody Template

EVIDENCE CHAIN OF CUSTODY

Case ID: ________________
Evidence ID: ________________
Description: ________________

Collection:
  Date/Time: ________________
  Collected by: ________________
  Location: ________________
  Method: ________________

Hashes at Collection:
  MD5: ________________
  SHA256: ________________

Transfer Log:
| Date/Time | From | To | Purpose | Signature |
|-----------|------|-----|---------|-----------|
|           |      |     |         |           |

Hashing Evidence

Always calculate and record hash values:

Windows (PowerShell)

Get-FileHash -Path C:\evidence\file.img -Algorithm SHA256
Get-FileHash -Path C:\evidence\file.img -Algorithm MD5

Linux/Mac

sha256sum /path/to/evidence/file.img
md5sum /path/to/evidence/file.img

Verify Integrity

Compare hashes before and after any operation to verify evidence hasn't been modified.

Storage Best Practices

• Store on write-protected media when possible
• Use encrypted storage
• Multiple copies in different locations
• Restrict access to authorized personnel
• Document storage conditions
• Consider legal hold requirements

Official Guidelines

NIST SP 800-86: Guide to Integrating Forensic Techniques

• PDF: nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
• Comprehensive forensic guidance

SWGDE Best Practices for Digital Evidence

• Website: swgde.org/documents
• Scientific working group standards

NIJ Electronic Crime Scene Investigation

• PDF: ojp.gov/pdffiles1/nij/219941.pdf
• First responder guide

ENISA Electronic Evidence Guide

• Website: enisa.europa.eu
• European guidance for first responders

Common Mistakes to Avoid

• ❌ Running antivirus scans (modifies files)
• ❌ Turning off systems (loses memory)
• ❌ Browsing files on the original system
• ❌ Not documenting actions taken
• ❌ Using the affected system to collect evidence
• ❌ Forgetting to hash evidence immediately
• ❌ Single copy of evidence
• ❌ Unclear chain of custody

When You Need Professional Help

Consider engaging forensic professionals when: - Legal proceedings are likely - Insurance claim requires expert documentation - Attack is sophisticated/ongoing - Critical/sensitive data is involved - Internal expertise is insufficient

HackAid Volunteers

For Swedish organizations, our BTH-trained volunteers can assist with evidence collection and analysis.

Apply for assistance

---

Last updated: 2026-01