1

The Digital Forensic Analyst — Role & Responsibilities

Digital forensics is the process of gathering and submitting computer evidence to trial and interpreting that evidence by providing expert analysis. A forensic analyst (also called: forensic computer examiner, digital forensic examiner, computer forensic detective) uses specialized tools and skills to recover information from computer systems, memory, and storage.

Expert witness
Testifying in civil or criminal court about the methods used and findings produced. The analysis must be repeatable, unbiased, and properly documented to survive cross-examination.
Incident reconstruction
Piecing together what happened on a network or system — timeline of access, tools installed, data retrieved, and whether exfiltration occurred.
Data exposure determination
Determining whether a data breach actually occurred — were the database files accessed? Were they extracted? Answering these questions definitively for legal and compliance purposes.
Evidence collection & protection
Collecting digital evidence in a forensically sound manner, validating integrity using hashing, and protecting the evidence against modification throughout the process.
Audit support
Helping with compliance audits (Sarbanes-Oxley, HIPAA) by verifying that records have maintained integrity and have not been tampered with.
Tool development
Creating and maintaining the tools and processes used by the forensic community — ensuring they meet industry standards for admissibility.
2

Forensic Procedures — Four Steps & Ethics

All forensic work must follow written procedures. Deviating from written procedures gives defense attorneys grounds to challenge and exclude evidence. Every step must be documented, repeatable, and performed without bias.

The four-step forensic process

1
Identification
Ensure scene safety. Prevent evidence contamination. Document the scene (video + photography before touching anything). Define the scope of collection based on the warrant or authorization.
2
Collection
Verify authorization (warrant). Create bit-by-bit copies of evidence. Document and prove integrity of evidence as it is collected (hashing). Collect in order of volatility. Never analyze the original.
3
Analysis
Make a working copy of the forensic image and analyze that — never the source image. Use repeatable, documented methods and tools. Follow a written checklist: Step 1, Step 2, Step 3…
4
Reporting
Document all methods and tools used. Present detailed findings and conclusions. Include screenshots and file paths. Prepare for expert testimony — everything will be challenged in court.

Three ethics requirements

1 — No bias
Conclusions must be based exclusively on direct evidence observed. No opinions influenced by the analyst's personal feelings about the suspect, their background, or anything outside the data.
2 — Repeatable methods
Any third party using the same evidence and the same methods must reach the same results. Document every action, timestamp, command, and result. If your methods can't be replicated, your evidence can be challenged.
3 — Evidence unchanged
Never analyse on the original device. Always work on copies. Use write blockers to prevent any writes to the source media. Hash before and after acquisition to prove nothing was modified.
Defence attorney warning: Defence attorneys are paid to get their clients off. They will challenge your credentials, your methods, every step of your process, every tool you used. Any single deviation from written procedures can cause your evidence to be thrown out — regardless of what it proves. Follow written procedures exactly, every time.

Legal hold

A legal hold is a process designed to preserve all relevant information when litigation is reasonably anticipated. The moment a legal hold is issued, no evidence may be destroyed or modified — even if routine data deletion policies would normally apply. Violations of a legal hold can result in sanctions, adverse judgements, or criminal contempt. A legal hold can also result in physical servers being seized as evidence for the entire duration of a trial — potentially months or years. Business continuity plans must account for this possibility.

3

Work Product Retention & Legal Hold

Work product retention is a contractual mechanism for hiring a forensic investigator such that their analysis is protected from disclosure by the work product doctrine. This protects the analytical findings from being handed over to the opposing party during discovery.

What IS discoverable
The forensic image itself — both the prosecution and defence receive a copy of the disk image. Each side performs their own independent analysis on their own copy of the evidence.
What is PROTECTED
The analyst's conclusions, analysis, report, and findings. This is work product — it belongs to the attorney who contracted the analyst. The opposing side does not get your analysis, only the raw evidence.
Critical procedure: Work product protection only applies when the attorney hires the analyst — not when the company hires the analyst directly. If the victim company contracts the analyst without attorney involvement, the analysis becomes discoverable. Use a three-way contract: investigator + attorney + company, with wording "at the direction of outside counsel in anticipation of litigation." The company can be on the contract if it is properly structured.
4

Order of Volatility & Data Acquisition

Evidence must be collected in order of volatility — most volatile first. The moment power is removed, everything in memory is gone forever. A forensic analyst arriving at a live scene must make rapid decisions about collection order based on this hierarchy.

↑ collect first (most volatile)
1
CPU registers & cache
The smallest and fastest memory — processor registers and cache. Changes with every CPU cycle. Must be captured immediately if live acquisition is possible.
2
System memory (RAM)
Running processes, routing tables, ARP cache, process tables, temp swap files, cryptographic keys, open file contents. Gone when power is cut.
3
Persistent mass storage
Hard drives, SSDs, flash drives. Retains data without power, but changes continuously while the system is running. ⚠ Windows registry HKLM\Hardware hive is memory-only — capture via memory dump first.
4
Remotely logged data
SIEM data, remote syslog, monitoring systems. Not on the target device, but continuously being written to by other systems — may be modified before you can collect it.
5
Physical configuration
Network topology, cable connections, device physical layout. Documents the infrastructure as it existed at time of collection.
6
Remotely logged data
External logging, cloud logs, SIEM historical data. Still changing remotely, but more slowly than RAM or local disk.
7
Archival media
Backup tapes, CD-R, DVD-R, offsite storage. Written once and not touched again. Lowest priority but still must be collected and preserved.
↓ collect last (least volatile)
HKLM\Hardware hive — junior analyst trap: Most of the Windows registry lives on disk, but the HKLM\Hardware hive exists only in memory — it records every device ever connected to the computer (including USB drives). Always capture this via memory dump first. Shutting down the machine first means losing this evidence permanently.

Authorization before collection

Company-owned device
The company has the right to collect evidence from its own assets without a warrant. Acceptable use policies signed by employees reinforce this right.
BYOD device
The employee owns the device — the company may not have the legal right to search or seize it. A warrant or explicit consent is required. Any evidence collected without authorization may be inadmissible.
5

Forensic Tools — EnCase, FTK & The Sleuth Kit

Forensic evidence cannot be collected with a simple file copy — specialized tools are required to ensure the acquisition is forensically sound (bit-by-bit, with integrity verification). Three tools are specifically covered in the CySA+ curriculum.

EnCase
Commercial · Windows · GUI
Guidance Software's digital forensic case management platform. Built-in pathways (workflow templates) guide analysts through investigation types step-by-step. Handles acquisition, analysis, timeline generation, file carving, and reporting. Widely used in law enforcement. File format: .e01.
paid
FTK (Forensic Toolkit)
Commercial · Windows server · GUI
AccessData's digital forensic suite. Runs on Windows servers or server clusters for speed through data indexing on import. Feature-equivalent to EnCase. Both are market leaders — which one you use depends on your employer. File format: .aff.
paid
The Sleuth Kit + Autopsy
Open-source · cross-platform
Collection of open-source command-line tools for disk imaging and file analysis. Autopsy is the graphical front-end (Windows, Linux, macOS). Includes Scalpel for file carving. Free — the recommended starting point for students. Feature parity approaching commercial tools.
free / open-source

Forensic workstation requirements

Hardware
Multiple processors and cores, 32–128 GB RAM, fast SSDs. Wide variety of host bus adapters: EIDE, SATA, SCSI, USB, FireWire, Thunderbolt. Optical drives: CD, DVD, Blu-ray. Memory card readers. High-capacity RAID or SAN for evidence storage.
⚠ No internet access
A forensic workstation must never connect to the internet. An internet connection means remote attackers could potentially access and manipulate evidence. Air-gap the forensic workstation — permanently.
Working copies only
Analysis is always performed on a copy of the forensic image — never on the source image and never on the original evidence. Source → forensic image → working copy → analysis. This hierarchy is inviolable.
Exam tip: Know the three tool names and that they are digital forensic tools. Know their differentiators: EnCase = .e01, FTK = .aff, both commercial. The Sleuth Kit = free, open-source, uses dd format. dd is the universal format all tools can read. You do not need to know how to operate these tools on the exam.
6

Memory Acquisition — Four Methods

System memory must be collected early — it contains running processes, cryptographic keys, registry data, open file contents, network connections, and password hashes. All of this is lost the moment power is removed.

Live acquisition
Captures memory while the computer is running using specialist software tools (Memoryze by FireEye, F-Response TACTICAL). Requires kernel-mode drivers — these must be pre-installed as part of the enterprise build. Captures a snapshot of memory at that instant — memory is constantly changing.
Crash dump
Contents written to a dump file when Windows encounters an unrecoverable kernel error (BSOD). Usually only a mini dump — not the full memory contents, because there isn't time to write all of RAM to disk before the crash. Contains partial but potentially valuable evidence.
Hibernation file
Written to disk when the computer enters sleep/hibernate mode. Contains a snapshot of memory at that point. Readable by forensic tools. Limitation: some malware detects hibernate events and performs anti-forensic cleanup before the file is written.
Page / swap file
Pages of memory that exceeded physical RAM capacity written to disk as a swap file. Persists after shutdown — readable from the disk. Fragmented and random — can't reconstruct whole files, but string searches can find valuable fragments like URLs, commands, or partial file contents.

What memory analysis can reveal

Running processes
The complete process list at the moment of capture — including malware running in memory that may have since been deleted from disk.
Cryptographic keys
Encryption keys for full-disk encryption (BitLocker, VeraCrypt) that are held in memory while the system is running — unavailable after shutdown.
Password hashes
Cached credentials and NTLM hashes from the Windows authentication subsystem — useful for credential analysis.
Network connections
Active and recently closed network connections — including connections to C2 servers that may not appear in persistent logs.
7

Disk Image Acquisition — Methods, Write Blockers & dd

Three acquisition methods

Live acquisition
✅ Captures encrypted disk while it's unlocked
✅ Gets currently open files and recent activity
⚠️ Data may change during acquisition
⚠️ Remote user could delete files while you copy
Static — orderly shutdown
✅ Stable state — nothing changes during imaging
✅ Normal OS shutdown completes cleanly
⚠️ Malware can detect shutdown and delete/encrypt evidence
⚠️ Volatile memory (RAM) is lost
Static — pull the plug
✅ No chance for malware to react and hide evidence
✅ Captures the exact state at that instant
⚠️ Risk of filesystem corruption (unsaved data)
⚠️ Volatile memory (RAM) still lost

Physical vs. logical acquisition

Physical (bit-by-bit)
Copies every bit on the entire disk — every sector including unallocated space, deleted files, and slack space. Slower (a 1 TB drive takes hours) but captures everything. Required for forensic soundness when hidden or deleted data is in scope.
Logical (file system)
Copies only the files and folders visible to the operating system via the file allocation table. Faster, but misses deleted files, slack space, and hidden data. Only appropriate when speed matters and deleted data is not in scope.

Write blockers

A write blocker prevents the forensic workstation from writing anything to the evidence drive during acquisition. Without one, simply connecting the drive to a PC can modify metadata, timestamps, and access records. Hardware write blockers (e.g. Tableau forensic USB bridge) are strongly preferred over software — hardware solutions are foolproof; software can be circumvented.

The dd command — disk duplication

dd — disk image acquisition on Linux/macOS
# Create a disk image of the entire physical drive (including unpartitioned space)
$ dd bs=64k if=/dev/sdb of=/evidence/usb2gb.dd
# bs = block size (64k for efficiency) if = input file (source device)
# of = output file (destination image) /dev/sdb = entire disk, not just partition

# Restore image back to a physical drive (same syntax, swap if/of)
$ dd if=/evidence/usb2gb.dd of=/dev/sdc

# Create MD5 hash of the image for chain of custody
$ md5sum /evidence/usb2gb.dd
a1b2c3d4e5f6... /evidence/usb2gb.dd ← record this in evidence log

# Also run SHA-256 (MD5 is weak — use SHA as primary)
$ sha256sum /evidence/usb2gb.dd

Image file formats

.dd (raw)
Industry-standard open format. No metadata stored in the file. Works with every forensic tool. The universal interchange format — always a safe choice.
.e01 (EnCase)
EnCase proprietary format. Stores metadata (case info, hash values, examiner notes) inside the file. Requires EnCase or EnCase-compatible tool to read.
.aff (AFF)
Advanced Forensic Format. FTK-associated format. Stores metadata like .e01. Supported by FTK and some other tools. Not as universally readable as .dd.
8

Hashing — Integrity Verification

A hash is a digital fingerprint — a fixed-length output produced by running data of any size through a cryptographic function. The same input always produces the same hash. Even a single changed bit produces a completely different hash. This makes hashing the foundation of digital forensic integrity verification.

Hash algorithm comparison

MD5
128-bit — legacy only
Created in 1990. 128-bit digest. Susceptible to collisions (two different inputs can produce the same hash). Use only as a secondary check — never as the sole integrity proof. Windows: CertUtil -hashfile file MD5. Linux: md5sum.
SHA-1
160-bit — weakening
Created in 1995. 160-bit digest. Stronger than MD5 but no longer considered sufficient for new work. Legacy use in older forensic toolchains.
SHA-256 / SHA-512
256/512-bit — current standard
SHA-2 family. The current standard for all modern forensics. 256-bit or 512-bit digest. No known practical collision attacks. Windows: CertUtil -hashfile file SHA256. Linux: sha256sum.

Hash verification — what it looks like

Source drive hash (before imaging)
SHA-256:
3a7f9b2c1d4e6f8a0b2c4d6e8f0a1b3c
d5e7f9b1c3d5e7f9a1b3c5d7e9f1a3b5
=
MATCH
integrity
preserved
Forensic image hash (after imaging)
SHA-256:
3a7f9b2c1d4e6f8a0b2c4d6e8f0a1b3c
d5e7f9b1c3d5e7f9a1b3c5d7e9f1a3b5
If the hashes match, the forensic image is an exact, unmodified copy of the source drive. Record both hashes in your evidence log — this is part of the chain of custody. If they don't match, something changed during acquisition and the image cannot be used as forensic evidence without explaining the discrepancy.

File Integrity Monitoring (FIM)

Hashing is also used proactively on live systems through File Integrity Monitoring software. FIM maintains a database of approved hash values for operating system and application files (published by vendors like Microsoft). When a file's hash no longer matches the approved value, an alert fires — indicating tampering, rootkit installation, or malware modification of system files.

Windows utilities: CertUtil (built-in) and FCIV (File Checksum Integrity Verifier, downloadable). Linux: md5sum, sha1sum, sha256sum, sha512sum.

9

Timeline Generation

A forensic timeline shows the sequence of file system events within a source image in a graphical format — who touched which files, when, and in what order. It is one of the most powerful ways to present digital evidence in a report or in court.

Without a timeline, file access events are isolated data points. With a timeline, you can demonstrate that the suspect was active on the system at a specific time, that specific files were accessed in a specific sequence, and that this sequence matches a known attack pattern.

What a timeline helps answer

Access method
Was access remote or local? Was a password guessed, stolen, or was an exploit used? When did access begin?
Tools installed
Which malware or remote access tools were installed? When? This correlates with C2 connections visible in network logs.
File changes
Which files were created, modified, or accessed? In what order? Can we attribute them to a specific user session?
Data exfiltration
Were files read and then transmitted over the network? Just because data was accessed doesn't prove exfiltration — you need the network transmission evidence too.

Timeline tools

EnCase
Built-in graphical timeline showing file events per minute. Colour-coded event types. Can correlate with SIEM log timestamps for cross-source analysis.
Autopsy (Sleuth Kit)
Open-source timeline editor with zoom (years/days/minutes), event type filtering, thumbnail view for images, and table/list views. Free and feature-rich.
Spreadsheet (manual)
If your tool lacks timeline features, manually enter events into a spreadsheet. Time-intensive but sufficient — the important thing is having the timeline in the report, whatever format it takes.
10

File Carving & Deleted File Recovery

When a file is "deleted," its data is not actually erased from the disk. Only the reference entry in the file system table (the Master File Table in NTFS, or the File Allocation Table in FAT) is removed. The actual data blocks remain on disk — marked as "free space" available for future writes. Until those blocks are overwritten, the data can be recovered.

How disk storage works (why deletion doesn't erase)

Sector
Smallest addressable unit on a disk. Standard: 512 bytes. Advanced: 4,096 bytes. Files are broken into fragments that span multiple sectors across the disk.
Block / cluster
The smallest unit the file system addresses. By default: 4,096 bytes. One block = one advanced sector, or 8 standard sectors. The file system table maps file fragments to their block locations.
MFT / FAT entry
The Master File Table (NTFS) or File Allocation Table (FAT) maps every file to the locations of its data blocks. Deletion removes this mapping — not the data. The space is marked "free" but not zeroed.
Slack space
The formerly-allocated space that is now marked free after deletion. This is where deleted file fragments live — until they are overwritten by new files. File carving searches here.
Critical advice for victims: If you accidentally delete important files — or if a criminal has deleted evidence from their machine — immediately stop using the computer. Every write operation potentially overwrites slack space and destroys recoverable data. Bring the machine to a forensic analyst as quickly as possible with minimal additional use.

File carving

File carving is the process of extracting data from a disk when the file system metadata no longer points to it. The carving engine scans the raw disk for file signatures (magic bytes) — the known header bytes that identify file types (e.g. PDF files start with %PDF, JPEG with FF D8 FF, ZIP with PK). It then extracts all data from that header through to the likely end of the file.

EnCase / FTK
Both commercial tools include built-in file carving. FTK and EnCase can identify and preview carved files in their graphical interfaces, including deleted files in unallocated/slack space.
Autopsy (Scalpel)
Autopsy uses Scalpel internally for file carving. Scalpel is also available as a standalone command-line tool for Linux and Windows. Files marked with an X icon in Autopsy are deleted/carved.
Exam concept: Know that deleting a file only removes the MFT/FAT reference — not the actual data. File carving searches unallocated and slack space using file signatures (magic bytes) to recover deleted files. Tools: EnCase, FTK, Autopsy/Scalpel.
11

Chain of Custody

The chain of custody is the complete record of evidence history from the moment of collection through presentation in court to final disposal. Every person who touches the evidence, every location it moves to, and every action performed on it must be recorded. Any gap in the chain of custody can result in evidence being declared inadmissible.

Evidence handling procedures

Identify
Identify each piece of evidence. Label it with a unique identifier, description, date/time of collection, and collector's name.
Bag & seal
Place in an appropriate evidence bag. For electronic media: anti-static bags to prevent electrostatic discharge. Seal the bag — any tampering becomes visible.
Log every transfer
Every time evidence moves from one location or person to another, record: who transferred it, to whom, when, why, and under what authority.
Secure storage
Store in a locked, access-controlled location. Consider temperature, humidity, and electromagnetic interference for long-term storage of magnetic and electronic media.

Specialized evidence bags

Anti-static bag
For circuit boards, HDDs, SSDs, RAM modules. Prevents electrostatic discharge (ESD) from destroying the evidence.
Faraday bag
Blocks all radio signals. Required for mobile phones, tablets, and any device with wireless capability. Prevents remote wipe commands, new data from being written, and location tracking from corrupting the evidence state.

Evidence metadata — what to record

Every piece of evidence must be self-describing. Record: unique identifier, description of contents, why it is relevant, and a precise date/time stamp. Recommended format: YYYY-MM-DD HH:MM — unambiguous, sortable, and internationally readable. This metadata is how you find a specific piece of evidence in a room full of boxes months or years later when the court date finally arrives.

Long-term storage risk: Criminal cases can run for months or years. Magnetic media (tapes, hard drives) degrades with time and improper storage. If evidence stored on magnetic media is unreadable when the court date arrives, the case can be dismissed. Maintain proper temperature, humidity, and access controls throughout the entire lifecycle of the evidence.

Exam

Quick Reference Cheat Sheet

Four forensic steps
1 Identification (scene safety, scope). 2 Collection (authorization, bit-by-bit copy, hash). 3 Analysis (work on a copy, repeatable methods). 4 Reporting (methods + tools + findings + expert testimony prep).
Three ethics rules
No bias (evidence only). Repeatable by third parties (document everything). Evidence unchanged (never modify original; hash before and after).
Work product retention
Attorney hires analyst → analysis is protected. Company hires analyst directly → analysis is discoverable. Use three-way contract "at direction of outside counsel in anticipation of litigation."
Order of volatility
1 CPU registers/cache. 2 RAM (processes, ARP, crypto keys). 3 Disk (⚠ HKLM\Hardware = memory-only). 4 Remote logs. 5 Physical config. 6 External logs. 7 Archival media. Collect most volatile first.
Forensic tools
EnCase (.e01, commercial, Windows). FTK (.aff, commercial, Windows server). Sleuth Kit + Autopsy (free, open-source, all platforms). dd = universal raw format, works with all tools.
Memory acquisition
Live = specialist tool pre-installed (Memoryze, F-Response). Crash dump = mini-dump only. Hibernation file = sleep state snapshot (malware may hide). Page file = overflow fragments, persists on disk.
Disk acquisition
Live = disk unlocked, risk of change. Orderly shutdown = malware can hide. Pull plug = frozen state, risk of corruption. Physical = bit-by-bit (gets deleted/slack). Logical = files only (faster, misses deleted). Write blocker = hardware preferred.
Hashing
MD5 = 128-bit, weak (collisions), legacy only. SHA-1 = 160-bit, weakening. SHA-256/512 = current standard. Match = integrity preserved. No match = data changed. Windows: CertUtil / FCIV. Linux: sha256sum.
File carving
Delete = removes MFT/FAT reference, not data. Slack space = formerly used blocks marked free. Carving uses file signatures (magic bytes) to find file fragments in unallocated space. Tools: EnCase, FTK, Autopsy (Scalpel). Stop using the computer immediately after accidental deletion.
Chain of custody
Every touch, every move, every action recorded from collection to disposal. Anti-static bags for electronics. Faraday bags for wireless devices (prevents remote wipe). Date stamps: YYYY-MM-DD HH:MM. Long-term: temperature + humidity + access control.