Forensic evidence preservation during a live incident

Indicators

• Active incident requiring rebuild — but root cause not yet known
• Insurer / legal / regulator likely to require evidence
• Possibility of prosecution (insider, external) being pursued
• Notifiable breach under UK GDPR — accuracy of report depends on evidence

Likely causes

• Not applicable — this is a methodology entry, not a fault entry.

Diagnostic steps

1. Order of volatility — capture in this order: CPU registers/cache (rarely useful), running memory, network state, disk, archived/backup data
2. Memory image with FTK Imager / Magnet RAM Capture / DumpIt before any reboot
3. Running process list, network connections, logged-on sessions — automated by KAPE / Velociraptor with documented modules
4. Event logs — copy via wevtutil epl, not via GUI
5. Disk image — physical level if feasible; otherwise targeted KAPE collection of high-value artefacts (MFT, Prefetch, AmCache, ShimCache, SRUM, browser, logs)
6. Hash everything (SHA-256), document chain of custody — date/time, who collected, where stored

Resolution path

• Stand up clean evidence-collection station before touching incident
• Capture in volatility order, hash on collection
• Preserve in tamper-evident storage with chain of custody
• Hand over to specialists / legal / insurer as required

Prevention

• Pre-incident IR plan with evidence-handling steps
• KAPE / Velociraptor server pre-deployed for ready use
• Log retention policy meeting regulatory and forensic needs
• Insurance / legal contacts maintained current

Tools

• KAPE (Kroll Artifact Parser & Extractor)
• Velociraptor
• FTK Imager (free)
• Magnet RAM Capture
• wevtutil for event log export
• PowerShell scripts for documented evidence collection

References

• NIST SP 800-86 — Guide to integrating forensic techniques
• SANS Forensics — Order of volatility
• ACPO Good Practice Guide for Digital Evidence (UK)