Evidence Collection: Disk & Memory Forensics

Digital evidence collection is a critical aspect of cybersecurity, digital forensics, and incident
response. The two primary types of evidence collection are disk forensics and memory
forensics, each with its own methods, tools, and best practices.

1. Disk Forensics (Disk Acquisition)

Disk forensics involves capturing and analyzing data stored on a hard drive, SSD, or other
persistent storage media.
Methods of Disk Acquisition
1.​ Physical Imaging
○​ Creating a bit-by-bit copy of the entire disk, including deleted files and
unallocated space.
○​ Example tools:
■​ dd (Linux)
■​ FTK Imager
■​ EnCase Forensic Imager
■​ Guymager
2.​ Logical Imaging
○​ Captures only allocated files and folders without deleted or unallocated space.
○​ Used when time or storage constraints prevent full disk imaging.
3.​ Live Imaging
○​ Acquiring data from an actively running system without shutting it down.
○​ Example tools:
■​ FTK Imager Live
■​ Live RAM capture tools (e.g., Belkasoft RAM Capture)
Key Considerations for Disk Collection
●​ Use write blockers to prevent modifying original evidence.
●​ Hashing (MD5, SHA-1, SHA-256) ensures integrity.
●​ Chain of custody documentation for legal admissibility.
●​ Capture unallocated space, deleted files, and file slack space.

2. Memory Forensics (RAM Acquisition)

Memory forensics involves extracting and analyzing volatile data stored in RAM. This is crucial
for identifying active processes, network connections, encryption keys, and malware artifacts.
Methods of RAM Collection
1.​ Full Memory Dump
○​ Capturing the entire contents of RAM for later analysis.
○​ Tools:
■​ DumpIt
■​ Belkasoft RAM Capture
 ■​ WinPmem
■​ AVML (Linux)
2.​ Selective Memory Extraction
○​ Extracting specific processes, network connections, or registry values.
Key Considerations for Memory Collection
●​ Perform RAM capture before shutting down (volatile data is lost on reboot).
●​ Use trusted tools to avoid contamination.
●​ Analyze memory dumps using forensic tools:
○​ Volatility (command-line forensic framework)
○​ Rekall (memory analysis tool)
○​ Redline (FireEye’s forensic tool)

Best Practices for Evidence Collection

●​ Follow forensic procedures (ACPO guidelines, NIST 800-86)
●​ Document every step to maintain chain of custody.
●​ Use trusted forensic tools to prevent evidence tampering.
●​ Ensure evidence integrity by hashing before and after imaging.

Evidence Collection: Registry & Logs Forensics

When investigating cybersecurity incidents or digital crimes, registry and log forensics play a
crucial role in uncovering user activity, system changes, and potential malware footprints.

1. Windows Registry Forensics

The Windows Registry is a hierarchical database that stores configuration settings, user

✅
activities, and software/hardware details. It can provide evidence of:​

✅
User activity (recently accessed files, mounted devices, executed programs)​

✅
Malware persistence mechanisms​
System and application settings
Key Registry Hives for Forensics
Hive Location Forensic Importance

SAM (Security C:\Windows\System32\Config\SAM Stores user account info,

Account Manager) password hashes.

SYSTEM C:\Windows\System32\Config\SYSTE Stores system startup

M configs, connected devices.

SOFTWARE C:\Windows\System32\Config\SOFT Contains installed

WARE programs and settings.
 SECURITY C:\Windows\System32\Config\SECU Stores security policies,
RITY authentication settings.

NTUSER.DAT C:\Users\<Username>\NTUSER.DAT Tracks user-specific

settings and activity.
Important Registry Keys for Investigation
●​ Last Executed Programs:​
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
○​ Shows programs configured to start at login (possible malware persistence).
●​ Recently Opened Files:​
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Rece
ntDocs
●​ USB Devices History:​
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
●​ Network Connections:​
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\NetworkList\Profiles
Registry Collection & Analysis Tools
●​ RegRipper – Extracts and analyzes key registry artifacts.
●​ FTK Imager – Can acquire registry hives from a live system or disk image.
●​ Volatility – Extracts registry information from memory dumps.

2. Log Forensics
System logs provide a timeline of events, including user activity, security alerts, and application

✅
behaviors. These logs help investigators detect:​

✅
Unauthorized access attempts​

✅
Malware execution​
System crashes or suspicious process activity
Common Windows Logs (Stored in EVT/EVTX Format)
Log Type Location Forensic Use

Security C:\Windows\System32\winevt\Logs\Security.evtx Tracks login

Logs attempts, failed
authentications.

System C:\Windows\System32\winevt\Logs\System.evtx Records driver

Logs issues, shutdowns,
errors.
 Application C:\Windows\System32\winevt\Logs\Application.evtx Tracks application
Logs crashes, software
installations.

PowerShell C:\Windows\System32\winevt\Logs\Windows Shows executed

Logs PowerShell.evtx PowerShell
commands
(potential malware
use).

Firewall C:\Windows\System32\LogFiles\Firewall\pfirewall.log Records

Logs blocked/allowed
network traffic.
Log Collection & Analysis Tools
●​ Event Viewer (eventvwr.msc) – Native Windows tool to view event logs.
●​ LogParser – Extracts and analyzes log data via SQL queries.
●​ SIEM Solutions (Splunk, ELK, Graylog) – Aggregates and correlates log data for
deeper analysis.

✅
Best Practices for Registry & Log Evidence Collection
Collect evidence before shutting down – Some logs and registry data may be lost upon

✅
restart.​

✅
Use trusted forensic tools – Ensure integrity and avoid contamination.​

✅
Maintain chain of custody – Document all steps for legal admissibility.​
Hash collected files – Use MD5, SHA-256 to verify data integrity.

Evidence Acquisition in Digital Forensics

Evidence acquisition is the process of collecting and preserving digital evidence from various
sources, ensuring its integrity for forensic analysis and legal proceedings. The process must
follow strict forensic guidelines to prevent data alteration or corruption.

1. Types of Digital Evidence Sources

A. Volatile Data (Live System Data)
●​ RAM (Memory Dump)
●​ Running Processes
●​ Open Network Connections
●​ Logged-in Users
●​ Clipboard Contents
●​ Encryption Keys
Tools for Acquisition:
●​ Volatility, Rekall (Memory analysis)
●​ FTK Imager, DumpIt, WinPmem (RAM capture)
●​ netstat, tasklist, pslist (Command-line tools for active processes)

B. Non-Volatile Data (Disk & Storage)

●​ Hard Drives (HDD, SSD)
●​ External Storage (USB, SD Cards)
●​ Cloud Storage (Google Drive, OneDrive, AWS)
●​ Mobile Devices (iOS, Android)
Methods of Acquisition:
1.​ Bit-by-Bit Imaging (Best for forensic accuracy)
○​ Captures entire disk, including deleted files and unallocated space.
○​ Example tools: dd, Guymager, FTK Imager, EnCase
2.​ Logical Imaging
○​ Captures only allocated files and folders.
○​ Example tools: X-Ways Forensics, FTK Imager
3.​ Live Disk Acquisition
○​ Used when the system cannot be powered down.
○​ Example tools: FTK Imager Live, Autopsy

C. System Artifacts & Logs

●​ Windows Registry: Stores user activity and system changes.
●​ Event Logs: Contains login attempts, system errors, security events.
●​ Browser History & Cookies: Tracks web activity and credentials.
●​ Email & Chat Logs: For tracking communication.
Tools for Acquisition:
●​ RegRipper (Registry extraction)
●​ Event Viewer, LogParser (Windows logs)
●​ Browser History Capturer, NirSoft tools (Web activity)

D. Network Evidence
●​ Firewall Logs
●​ Packet Captures (PCAP)
●​ Intrusion Detection System (IDS) Logs
●​ VPN Logs
Tools for Acquisition:
●​ Wireshark (Packet capture)
●​ Tcpdump (Command-line packet capture)
●​ Snort, Suricata (IDS/IPS logs)
2. Steps for Evidence Acquisition
Step 1: Identify & Secure Evidence
●​ Locate relevant digital assets (disks, USBs, servers, memory, logs).
●​ Isolate compromised systems (disconnect from the network if necessary).
Step 2: Use Forensic Imaging
●​ Create a forensic image instead of working on the original media.
●​ Use write blockers to prevent altering disk data.
●​ Calculate hash values (MD5, SHA-256) before and after imaging for integrity
verification.
Step 3: Document Everything
●​ Maintain a chain of custody (who handled the evidence and when).
●​ Use timestamps, location details, and investigator credentials.
Step 4: Store & Secure Evidence
●​ Store forensic copies on encrypted storage.
●​ Keep backups in multiple secure locations.
●​ Use tamper-proof seals if storing physical devices.

✅
3. Best Practices for Evidence Acquisition

✅
Minimize system interaction to avoid modifying evidence.​

✅
Always use trusted forensic tools for imaging and data extraction.​

✅
Maintain integrity with hashing (MD5, SHA-1, SHA-256).​

✅
Follow legal guidelines (NIST 800-86, ACPO principles).​
Document every action to ensure chain of custody.