Domain 7 · Lesson 2 of 6

Digital Forensics & Investigations


Order of Volatility: Collect the Most Volatile Evidence FIRST

Critical rule: RAM is lost when the system powers off

Never collect disk first. Start with what disappears (CPU registers, RAM, network and process state) and only then move to persistent storage. The sequence below follows RFC 3227. Two details that are often listed out of order: swap lives on disk and is only overwritten gradually, so it comes after the in-memory state, and archival media changes least of all, so it comes last.

1. CPU registers & cache: lost immediately on power off, the most volatile of all

2. RAM / main memory: running processes, open network connections, decryption keys (full-disk-encryption keys, TLS session keys), user sessions

3. Network state: ARP cache, routing table, open connections, active sessions

4. Running processes & kernel state: process list, open file handles, loaded kernel modules

5. Virtual memory / swap and temporary file systems: RAM paged to disk; may hold fragments of secrets long after the owning process exited

6. Disk / SSD storage: survives power off; file system, logs, application data, artifacts

7. Remote logs & monitoring data: Datadog, GCP Audit Logs, CloudTrail; stored outside the compromised host, so an attacker on the host cannot rewrite them

8. Physical configuration & network topology: static documentation, architecture diagrams, hardware inventory

9. Removable / archival media: USB drives, backup tapes, offline backups; least volatile

Forensic Principles & Process

Never Touch the Original

Always create a forensic copy (image) first and analyze the copy. Any modification to original evidence, even opening a file, can update metadata timestamps or file-system journals and gives opposing counsel grounds to challenge it. The one unavoidable exception is live acquisition of memory and other volatile state, which has to run on the original system: use a small, known tool, run it from your own media, and document exactly what was executed.

Write Blockers

Hardware device placed between the storage media and the examiner's workstation. Reads pass through; every write is refused, so the OS cannot alter the original while it is being imaged (mounting a disk normally updates access timestamps, replays the file-system journal and creates index files). Hardware write blockers are the expectation for court-admissible evidence; software write blockers exist but their behaviour is harder to prove. A write blocker only applies to offline (dead) acquisition of storage media; it cannot protect a running system.

Forensic Imaging

Bit-for-bit copy of every sector, including deleted files, slack space and unallocated space, not just the files visible in the file system. Tools: dd (or its forensic variants dc3dd and dcfldd, which hash while they copy), FTK Imager, EnCase. Write the image to separate evidence media, never back onto the original.

Hash Verification

Compute a hash of the original BEFORE imaging, then hash the copy. Both values must match exactly; this proves the copy is bit-identical to the original at the moment of imaging, and re-hashing the image later shows whether it was altered in storage or transit. Use SHA-256; MD5 collisions are practical, so record MD5 only alongside SHA-256 for compatibility with older tools. Record both hashes in the chain-of-custody log.

Chain of Custody

Document every person who handled the evidence: who, when, why, and what they did. A complete, unbroken chain of custody is required for evidence to be admissible in court.

Broken chain = evidence potentially inadmissible. The case may fail because of this single failure, regardless of technical findings.
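The collection sequence and the hash-verified imaging step above, put together as one runnable shell script. This is an added example, not a tool from the course page or from any vendor. It assumes Linux with GNU coreutils (dd, sha256sum, date); the function names (collect_volatile, image_and_verify, verify_image, custody), the evidence directory, the examiner name "examiner-A" and the 32 KiB sample file used by the demo are all made up for illustration. The volatile-collection loop runs the usual live commands in volatility order and hashes each output the moment it lands; the imaging function hashes the source before copying and the image after, and appends every step to a tab-separated chain-of-custody log.

```shell
#!/bin/sh
# Added example, not code from the course page. Assumes Linux with GNU coreutils
# (dd, sha256sum, date). The evidence directory, the examiner name and the sample
# "device" file in the demo are constructed inputs, not real case data.
set -u

hash256() { sha256sum "$1" | cut -d' ' -f1; }

# Append one chain-of-custody record: when, who, what action, which artifact, its hash.
custody() {  # custody <evidence_dir> <examiner> <action> <artifact> <sha256>
  printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$5" \
    >> "$1/chain_of_custody.tsv"
}

# Step 1: volatile state first, in volatility order (clock, sockets, ARP, routes,
# processes, kernel modules, mounts). Each output is hashed as soon as it is
# written; tools that are not installed are skipped rather than aborting the run.
collect_volatile() {  # collect_volatile <evidence_dir> <examiner>
  local dir="$1" who="$2" name cmd
  mkdir -p "$dir/volatile"
  while IFS='|' read -r name cmd; do
    [ -n "$name" ] || continue
    command -v "${cmd%% *}" >/dev/null 2>&1 || { echo "skip (not installed): $cmd" >&2; continue; }
    $cmd > "$dir/volatile/$name.txt" 2>&1 </dev/null || true   # word-split on purpose
    custody "$dir" "$who" "collected" "volatile/$name.txt" "$(hash256 "$dir/volatile/$name.txt")"
  done <<'EOF'
00_clock|date -u
01_uptime|uptime
02_sockets|ss -tunap
03_arp|ip neigh show
04_routes|ip route show
05_processes|ps -eo pid,ppid,user,lstart,etime,cmd
06_modules|lsmod
07_mounts|mount
EOF
}

# Hash comparison used right after imaging and again later (e.g. after transport).
verify_image() {  # verify_image <source> <image>  -> exit 0 when bit-identical
  [ "$(hash256 "$1")" = "$(hash256 "$2")" ]
}

# Step 2: hash the original BEFORE copying, image it bit-for-bit, hash the copy
# AFTER, compare, and log every step. Returns 0 only when the two hashes match.
image_and_verify() {  # image_and_verify <source_device_or_file> <evidence_dir> <examiner>
  local src="$1" dir="$2" who="$3" img="$2/disk.img" before after
  mkdir -p "$dir"
  before=$(hash256 "$src")
  custody "$dir" "$who" "hashed-source" "$src" "$before"
  # bs=512 (one sector) so conv=sync only pads unreadable sectors, never the tail;
  # conv=noerror keeps reading past bad sectors instead of truncating the image.
  dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
  after=$(hash256 "$img")
  custody "$dir" "$who" "imaged" "disk.img" "$after"
  if [ "$before" = "$after" ]; then
    custody "$dir" "$who" "verified-match" "disk.img" "$after"
    return 0
  fi
  custody "$dir" "$who" "VERIFY-FAILED" "disk.img" "$after"
  return 1
}

# Stand-alone demo against a constructed 32 KiB file standing in for a block device.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  dd if=/dev/urandom of="$work/dev.bin" bs=512 count=64 status=none
  collect_volatile "$work/evidence" "examiner-A"
  image_and_verify "$work/dev.bin" "$work/evidence" "examiner-A" && echo "image verified"
  cat "$work/evidence/chain_of_custody.tsv"
fi
```

Run it with --demo to watch it image the constructed file. On a real case, point image_and_verify at the block device presented through the write blocker (a path such as /dev/sdb is an assumption about your setup) and keep the evidence directory on separate media; the custody log then records the source hash, the image hash and the verdict with timestamps and the examiner's name, which is exactly the hand-off record the next section asks for.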

Investigation Types & Standards of Proof

Type           | Standard of proof                                        | Who investigates                  | Outcome
Administrative | Preponderance of evidence (more likely than not, >50%)   | HR / security team                | Discipline, termination
Criminal       | Beyond a reasonable doubt (the highest standard)         | Law enforcement (police, FBI)     | Prosecution, imprisonment
Civil          | Preponderance of evidence (more likely than not, >50%)   | Attorneys / court                 | Lawsuit, monetary damages
Regulatory     | Varies by regulator                                      | Government agency (BSP, SBV, NPC) | Fines, licence sanctions

E-discovery & Legal Hold

E-discovery: the legal process of identifying, preserving, collecting and producing electronic evidence for litigation. Legal hold: a directive to preserve all potentially relevant data; it must be issued as soon as litigation or a regulatory inquiry is reasonably anticipated, BEFORE e-discovery begins, and it suspends normal retention and rotation schedules for the data it covers. Destroying or altering data after a legal hold is issued is spoliation, which courts can punish with sanctions, adverse-inference rulings or dismissal.

Anti-Forensics & Cloud Forensics Challenges

Anti-Forensics Techniques

  • Log deletion: removing evidence of activity from system logs. Countermeasure: ship logs off-host in near real time to a store the host's credentials can only append to, so the local copy is never the only copy.
  • Timestomping: modifying file timestamps to confuse timeline analysis. On NTFS most tools rewrite only the $STANDARD_INFORMATION timestamps and leave $FILE_NAME untouched, so a mismatch between the two is the classic tell.
  • Steganography: hiding data inside innocent-looking files (images, audio).
  • Encryption: making data unreadable without the key. The key is often still in RAM while the system runs, one more reason memory is captured before power-off.
  • Secure deletion: overwriting data so recovery tools cannot recover it. On SSDs wear-levelling means an overwrite may never touch the original cells, so remnants can survive in remapped blocks.
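Two of the tells an examiner looks for when timestomping is suspected, as an added shell example that is not from the course page. It assumes Linux with GNU coreutils (stat, touch, find) on a file system with nanosecond timestamps (ext4, xfs, tmpfs); the sample files, their directory and the function names (find_timestomped, make_samples) are constructed for the demonstration. It goes a little beyond the bullet above, which only names the technique: these checks are the generic Unix counterparts of the NTFS $STANDARD_INFORMATION vs $FILE_NAME comparison.

```shell
#!/bin/sh
# Added example, not code from the course page. Two cheap timestomping tells on a
# Linux file system, read with GNU stat. Assumes nanosecond-resolution timestamps
# (ext4, xfs, tmpfs). The files produced by make_samples are constructed test data.
set -u

# Print "<tell> <path>" for each suspicious regular file under a directory.
#  zero-ns-mtime:     mtime has exactly .000000000 fractional seconds. touch -d,
#                     utimes() callers and most timestomping tools write whole
#                     seconds; timestamps left by real writes almost never are.
#  mtime-after-ctime: userland may set mtime to anything, but only the kernel sets
#                     ctime (to "now") on each inode change, so an mtime later than
#                     ctime cannot come from a normal write.
find_timestomped() {  # find_timestomped <dir>
  find "$1" -type f | while IFS= read -r path; do
    m_sec=$(stat -c %Y "$path")       # mtime, epoch seconds
    c_sec=$(stat -c %Z "$path")       # ctime, epoch seconds
    m_full=$(stat -c %y "$path")      # e.g. 2020-01-01 00:00:00.000000000 +0000
    m_frac=${m_full#*.}; m_frac=${m_frac%% *}
    if [ "$m_frac" = "000000000" ]; then echo "zero-ns-mtime $path"; fi
    if [ "$m_sec" -gt "$c_sec" ]; then echo "mtime-after-ctime $path"; fi
  done
  return 0
}

# Constructed scenario: one file written normally, one backdated with touch -d
# (what a timestomping tool does from userland), one pushed into the future.
make_samples() {  # make_samples <dir>
  mkdir -p "$1"
  printf 'config=1\n' > "$1/normal.txt"
  printf 'MZ...\n' > "$1/backdated.bin"
  touch -d '2020-01-01 00:00:00' "$1/backdated.bin"   # mtime/atime set; ctime stays "now"
  printf 'MZ...\n' > "$1/future.bin"
  touch -d 'tomorrow' "$1/future.bin"                 # mtime now ahead of ctime
}

# Stand-alone demo: build the samples in a scratch directory and report the tells.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_samples "$d"; find_timestomped "$d"
fi
```

Both tells are heuristics, not proof: a build system that normalises timestamps to whole seconds for reproducibility trips the first, and a clock that was stepped backwards trips the second. Treat hits as leads to corroborate against the sources the attacker could not reach (shipped logs, the NTFS $FILE_NAME attribute, the USN journal), and note that ctime itself is the reason backdating is detectable at all: a file "from 2020" whose inode changed five minutes ago has a story to tell.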

Cloud Forensics Challenges

  • Shared infrastructure: you do not own the hardware
  • Multi-tenancy: physical media is shared with other customers, so the provider will not hand over a disk
  • Data spread across multiple geographic regions (and legal jurisdictions)
  • Limited physical access: you cannot attach a write blocker to a cloud server
  • Mitigations: enable and export GCP Audit Logs / AWS CloudTrail to storage you control; use the provider's snapshot API on boot and data volumes as the equivalent of imaging, and hash the snapshot copy the same way; negotiate forensic access rights and log-retention commitments in the contract or SLA

Key Terms

Order of Volatility, Write Blocker, Forensic Image, Hash Verification, Chain of Custody, E-discovery, Legal Hold, Spoliation, Anti-Forensics, Timestomping

Exam Tips

  1. Collect evidence in ORDER OF VOLATILITY: RAM before disk. RAM is lost when the system powers off.
  2. Chain of custody broken = evidence potentially inadmissible in court. Document every hand-off.
  3. NEVER analyze the original evidence; always create a forensic copy and work from that.
  4. Hash before AND after imaging; both hashes must match. This proves no tampering during the copy process.
  5. Legal hold must be in place BEFORE any deletion or modification of potentially relevant data. Violating a legal hold = spoliation.
  6. Timestomping = modifying file timestamps to hide when files were created/modified, a key anti-forensics technique.
Work Application β€” Platform C Forensics for PII Incident

If law enforcement involved: Follow chain of custody for all logs, Datadog exports, and ArgoCD deployment records. Every piece of evidence needs documentation of who handled it, when, and what they did.

Evidence to preserve (in order of volatility):

  • Kubernetes pod logs from the incident window (container stdout/stderr: the kubelet keeps them as files on the node, they disappear when the pod is deleted or the node is replaced, and kubectl logs --previous only reaches the last restarted container)
  • PostgreSQL WAL segments (the WAL is cluster-wide, not per table, and segments are recycled after checkpoints, so copy or archive the incident window's segments promptly) plus the server log; together they show every data change
  • Vault audit logs: who accessed which secrets, when, from where
  • ArgoCD deployment history: what was deployed and when (backed by immutable Git history)
  • GCP Audit Logs: Admin Activity logs are kept 400 days in the _Required bucket, but Data Access logs land in the _Default bucket with 30-day retention unless raised, so configure a log sink to BigQuery or Cloud Storage for long-term retention

Cloud forensics note: container stdout logs are not in RAM, but they exist only on the node until an agent ships them to Datadog or Cloud Logging, and they are deleted with the pod. If pods are deleted or nodes replaced during containment, the unshipped tail is gone. Runbooks should therefore specify: export logs BEFORE deleting pods (kubectl logs --all-containers --timestamps, written to evidence storage and hashed), and prefer isolating a pod with a NetworkPolicy over deleting it.

Legal hold trigger: If regulators (NPC Philippines, SBV Vietnam) request records, issue an immediate legal hold on all Platform C data from the incident window. Do NOT rotate logs or archive according to normal retention policy until the hold is lifted.

Practice Quiz

Q1. You arrive at a running server involved in a potential breach. Why should you collect RAM before disk?

Answer
RAM is volatile: its contents are completely lost when the system powers off or restarts, while disk storage persists. By collecting RAM first you capture running processes, active network connections, decryption keys in memory and user session data that would otherwise be permanently destroyed.
Order of volatility is about collecting what you will lose first. RAM may hold the malware process, a decryption key that unlocks evidence, or an attacker's active session. If you power the machine down to image the disk "safely", you permanently lose all of it, and if the disk is encrypted (BitLocker, LUKS) you may lose access to the disk itself. The correct approach: image RAM first (live acquisition with a documented, minimal-footprint tool), then power off and image the disk through a write blocker, or image the decrypted volume live if full-disk encryption leaves no other way to read it.

Q2. During a forensic investigation, the chain of custody is broken. What is the consequence?

Answer
The evidence may be ruled inadmissible in court. A broken chain of custody means there is no documented proof that the evidence wasn't tampered with between collection and courtroom presentation. Defense attorneys will argue the evidence could have been modified.
Chain of custody is a legal requirement for evidence admissibility. Every person who touches the evidence must be documented: who, when, why, and what they did. Even one undocumented transfer breaks the chain. This is why forensic investigators use evidence bags, tamper-evident seals, and detailed logs. For FinTech Company X, any evidence intended for regulatory proceedings (BSP, NPC) must follow chain of custody from the moment of collection.

Q3. What is a write blocker and why is it required during evidence collection?

Answer
A write blocker is a hardware device placed between the storage media and the investigation system that allows reading but prevents any writes. It ensures the original evidence is not modified during imaging, even by the operating system writing timestamps or metadata.
When you connect a storage device to a computer, the OS may write to it automatically (updating last-access timestamps, replaying the file-system journal, creating index or thumbnail files). Without a write blocker you inadvertently modify the evidence you are trying to preserve. Even a minor modification changes the original's hash and gives opposing counsel grounds to question the integrity of the image. Hardware write blockers are preferred over software write blockers for court-admissible evidence because their behaviour does not depend on how the examiner's operating system was configured.

Q4. After imaging a disk, the hash of the original is SHA-256: abc123. The hash of the forensic copy is SHA-256: abc123. What does matching hashes prove?

Answer
Matching hashes prove that the forensic copy is a bit-for-bit identical replica of the original: not a single bit has changed. This demonstrates the integrity of the copy and confirms the imaging process introduced no modifications.
SHA-256 is collision-resistant: it is computationally infeasible to find two different inputs that produce the same hash. If both hashes match, the copy is provably identical to the original. The hash is calculated BEFORE imaging (on the original) and AFTER imaging (on the copy), and any single-bit difference would produce a completely different digest, so tampering during the copy is immediately detectable. This is what allows forensic copies, rather than originals, to be used for analysis and in court. A matching hash says nothing about what happened to the original before it was hashed; that is what the chain of custody covers.

Q5. An attacker modifies the created/modified timestamps on malware files to match innocent system files. What is this technique called?

Answer
Timestomping. It is an anti-forensics technique used to confuse timeline analysis by making malicious files appear to have been created or modified at an innocent time (e.g., months before the attack began).
Forensic timeline analysis relies on file-system timestamps (MACE: Modified, Accessed, Created, Entry modified) to reconstruct attacker activity. Timestomping corrupts this analysis: a malware file dropped during the attack can appear to have been created years earlier. Examiners counter it with timestamp sources the attacker did not touch. In NTFS the $MFT record holds two sets of timestamps, $STANDARD_INFORMATION (which timestomping tools rewrite) and $FILE_NAME (which is kernel-maintained and usually left alone), so a mismatch between them is a strong indicator; Windows event logs, prefetch files and the USN change journal give independent times for the same activity; and external sources such as Datadog or GCP Audit Logs hold records a host-level attacker cannot rewrite.