Digital Forensics Fundamentals
Digital forensics (DFIR) is the practice of acquiring, preserving, and analysing digital evidence in a way that is accurate and defensible. Whether you are responding to an incident or supporting an investigation, the same core principles apply.
Core principles
- Preserve first, analyse later. Work on copies, never the original evidence.
- Maintain integrity. Hash evidence (e.g. SHA-256) at acquisition and verify it has not changed before and after analysis.
- Document everything. Who did what, when, and with which tool, the chain of custody is as important as the findings.
Order of volatility
When collecting evidence, capture the most volatile data first, because it disappears soonest:
- CPU registers and cache
- RAM (running processes, network connections, encryption keys)
- Network state (active connections, ARP cache, routing tables)
- Running system / temporary files
- Disk
- Logs and archival media
The DFIR workflow
| Phase | Goal |
|---|---|
| Identification | Determine what happened and what may hold evidence |
| Acquisition | Create verified forensic images (disk, memory) |
| Preservation | Protect integrity; record hashes and custody |
| Analysis | Examine timelines, artefacts, and indicators of compromise |
| Reporting | Present findings clearly, with evidence and methodology |
Common artefacts by platform
- Windows: Event logs, registry hives,
$MFT, prefetch, shimcache, amcache. - Linux:
/var/log, bash history, cron, systemd journals,/etcconfigs. - Mobile: App databases (SQLite), keychains, backups, location history.
- Memory: Process lists, injected code, network sockets, credentials.
Starter tooling
- Imaging:
dd, FTK Imager, Guymager - Memory: Volatility, MemProcFS
- Disk/triage: Autopsy / The Sleuth Kit, plaso/log2timeline
- Hashing:
sha256sum,md5sum
See the platform-specific guides (Windows, Mobile) in this section for deeper walkthroughs.