A rigorous, repeatable methodology is the backbone of any digital forensic investigation. Without a structured process, evidence may be missed, contaminated, or rendered inadmissible in court. This lesson covers the standard forensic frameworks, the phases of an investigation, and best practices for documentation.
Several organisations have published forensic process models:
| Framework | Publisher | Key Contribution |
|---|---|---|
| NIST SP 800-86 | National Institute of Standards and Technology | Four-phase model: Collection, Examination, Analysis, Reporting |
| DFRWS Investigative Model | Digital Forensic Research Workshop | Seven-phase model including Identification and Presentation |
| ISO/IEC 27037 | International Organization for Standardization / International Electrotechnical Commission | Guidelines for identification, collection, acquisition, and preservation of digital evidence |
| ACPO Good Practice Guide | Association of Chief Police Officers (UK) | Four principles for computer-based electronic evidence |
| RFC 3227 | IETF | Guidelines for evidence collection and archiving, emphasising volatility order |
The most widely referenced model is from NIST SP 800-86:
Collection ──▶ Examination ──▶ Analysis ──▶ Reporting
| Phase | Description |
|---|---|
| Collection | Identify and acquire data from relevant sources while preserving integrity |
| Examination | Process the collected data to extract relevant information (e.g. carving files, parsing logs) |
| Analysis | Interpret the extracted data to answer investigative questions (who, what, when, how) |
| Reporting | Document findings, methodology, and conclusions in a clear and reproducible format |
When collecting evidence, examiners should acquire the most volatile data first, because it is the first to be lost and is changed by the act of investigation itself. RFC 3227 recommends the following order of volatility (the RFC lists main memory together with routing tables, ARP cache, process table, and kernel statistics; the table below gives it its own row):
| Priority | Data Source | Volatility |
|---|---|---|
| 1 | CPU registers and cache | Extremely volatile — lost in nanoseconds |
| 2 | Routing tables, ARP cache, process table, kernel statistics | Lost on reboot; changes continuously while the system runs |
| 3 | Main memory (RAM) | Lost on power-off |
| 4 | Temporary file systems (e.g. /tmp) | Lost on reboot |
| 5 | Disk storage | Persistent but can be overwritten |
| 6 | Remote logging and monitoring data | Persistent; may be overwritten by rotation |
| 7 | Physical configuration and network topology | Generally static |
| 8 | Archival media (tapes, backups) | Persistent |
Tip: Capture RAM before powering off a system. Volatile data such as encryption keys, running processes, and network connections are lost once the machine is shut down. Live acquisition itself alters memory (the imaging tool occupies pages and may spawn processes), so record the tool, its version, and the time of capture so that the change can be accounted for in the report.
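The following is an added example, not code from the lesson or from any of the frameworks above. It ties the NIST Collection phase to the RFC 3227 ordering: planned sources are sorted most-volatile-first, each acquired artifact gets a chain-of-custody entry (SHA-256 digest, size, UTC timestamp, examiner, tool), and the digest is re-checked later so that any alteration is detected. The category names, the sample artifacts, and the examiner and tool strings are all constructed for illustration; the actual capture (disk imaging, memory dumping) is left to the acquisition tools and is represented here by in-memory byte strings.

```python
import hashlib
from datetime import datetime, timezone

# RFC 3227 order of volatility, most volatile first (rank 1). Main memory gets
# its own rank to match the lesson's table; RFC 3227 itself groups it with the
# routing table, ARP cache, process table and kernel statistics.
VOLATILITY_RANK = {
    "registers_cache": 1,
    "kernel_state": 2,   # routing tables, ARP cache, process table, kernel stats
    "memory": 3,
    "tmpfs": 4,
    "disk": 5,
    "remote_logs": 6,
    "physical_config": 7,
    "archival_media": 8,
}


def plan_collection(sources):
    """Sort planned (name, category) pairs most-volatile-first.

    Unknown categories raise instead of being silently placed last, so a typo
    in the plan cannot push a volatile source to the end of the queue.
    """
    for name, category in sources:
        if category not in VOLATILITY_RANK:
            raise ValueError(f"{name}: unknown volatility category {category!r}")
    return sorted(sources, key=lambda s: VOLATILITY_RANK[s[1]])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_acquisition(manifest, name, category, data, examiner, tool):
    """Append a chain-of-custody entry for one acquired artifact.

    The digest is computed once, at acquisition time, and is never updated;
    every later phase re-hashes the artifact and compares against this value.
    """
    entry = {
        "name": name,
        "category": category,
        "volatility_rank": VOLATILITY_RANK[category],
        "sha256": sha256_hex(data),
        "size": len(data),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "tool": tool,
    }
    manifest.append(entry)
    return entry


def verify_artifact(entry, data: bytes) -> bool:
    """Re-hash the artifact; any change, even one bit, must fail the check."""
    return len(data) == entry["size"] and sha256_hex(data) == entry["sha256"]


def demo():
    """Run the collection plan over constructed sample artifacts."""
    planned = [
        ("sda.dd", "disk"),
        ("syslog-remote.log", "remote_logs"),
        ("mem.raw", "memory"),
        ("arp.txt", "kernel_state"),
    ]
    # Constructed stand-ins for real acquisitions (dd image, memory dump, ...).
    artifacts = {
        "arp.txt": b"192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE\n",
        "mem.raw": b"\x00" * 4096,
        "sda.dd": b"\xeb\x63\x90" + b"\x00" * 507 + b"\x55\xaa",
        "syslog-remote.log": b"<34>Oct 11 22:14:15 host su: 'su root' failed\n",
    }
    order = plan_collection(planned)
    manifest = []
    for name, category in order:
        record_acquisition(manifest, name, category, artifacts[name],
                           examiner="J. Doe", tool="example-collector 0.1")
    by_name = {e["name"]: e for e in manifest}

    # Integrity check during Examination: untouched artifacts verify ...
    results = {n: verify_artifact(by_name[n], artifacts[n]) for n in artifacts}
    # ... while a single flipped bit in the disk image does not.
    tampered = bytearray(artifacts["sda.dd"])
    tampered[0] ^= 0x01
    results["sda.dd (tampered)"] = verify_artifact(by_name["sda.dd"], bytes(tampered))
    return order, manifest, results


if __name__ == "__main__":
    order, manifest, results = demo()
    for name, category in order:
        print(f"{VOLATILITY_RANK[category]}  {category:<15} {name}")
    for name, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Two design points carry over to real casework: the digest is taken at the moment of acquisition and the artifact is treated as read-only from then on (write-blockers for disks, working copies for analysis), and an unrecognised source category is an error rather than a default, because a silently misordered plan can cost you the very data the order of volatility exists to protect.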
The ACPO Good Practice Guide (now adopted by the UK College of Policing) defines four principles for handling digital evidence: