The server’s been compromised. Everyone knows it. The C-suite wants answers: who did it, what did they take, how long were they inside. The IT manager’s instinct is to wipe the machine, rebuild from backup, and get back to business. That instinct will destroy every piece of evidence you need to answer those questions — and if this goes to court, you’ll have nothing. Forensics is the discipline of extracting truth from digital systems without destroying it in the process. It’s equal parts computer science, investigative methodology, and legal procedure, and cutting corners on any of them makes the evidence worthless.

The TLDR

Digital forensics is the systematic process of identifying, preserving, collecting, analyzing, and presenting digital evidence. The evidence comes from disk images, memory captures, network traffic, and log files. The methodology is defined by strict procedures designed to ensure evidence integrity — because digital evidence is trivially easy to alter, and if you can’t prove it hasn’t been tampered with, it’s inadmissible. Chain of custody documentation tracks every person who handles the evidence. Cryptographic hashing verifies it hasn’t changed. And the whole process follows standards like NIST SP 800-86 because “we looked at the server and it seemed bad” doesn’t hold up in court or in front of regulators.

The Reality

Most organizations don’t do forensics. They do cleanup. They discover a breach, panic, wipe the affected systems, restore from backup, change some passwords, and call it handled. That approach answers zero questions: Was data exfiltrated? How did the attacker get in? Are they still inside through a different persistence mechanism? Are other systems compromised? How long were they in the environment? Without forensic analysis, you’re guessing at all of these — and guessing wrong means you’re disclosing inaccurately to regulators, insurance carriers, and affected individuals.

The legal dimension is non-negotiable. Under regulations like GDPR, HIPAA, and state breach notification laws, organizations must determine what data was accessed and notify affected parties within specific timeframes. You can’t determine what was accessed if you destroyed the evidence. The SEC’s cybersecurity disclosure rules (effective December 2023 for public companies) require material incident disclosure within four business days. That timeline demands rapid, rigorous forensic analysis — not guesswork.

The Verizon DBIR consistently shows that forensic analysis reveals compromise scope far beyond what the initial alert suggested. The alert says one server. The forensics say twelve servers, three domain accounts, and six months of access. If you only cleaned the one server, you’re still compromised.

How It Works

The Forensic Process

NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response defines the standard methodology (its phases: collection, examination, analysis, reporting). The investigative workflow below folds examination into analysis and adds identification up front. Four phases, each critical.

Identification. Determine what evidence exists, where it resides, and what’s relevant to the investigation. A compromised web server has disk-based evidence (logs, files, malware) and volatile evidence (running processes, network connections, memory contents). A phishing attack involves email headers, attachment metadata, and endpoint telemetry. Know what you’re looking for and where to find it before you start collecting.

Collection. Acquire the evidence without altering it. This is where methodology matters most. For disk evidence, you create a forensic image — a bit-for-bit copy of the storage media, not a file copy. For volatile evidence (RAM), you capture a memory dump before powering off the system, because everything in memory disappears when the power goes out. For network evidence, you pull packet captures and log files. Every collection action is documented: who collected what, when, how, using what tools.

Analysis. Examine the collected evidence to reconstruct what happened. Timeline analysis correlates events across sources — file system timestamps, log entries, network connections — to build a chronological narrative. Malware analysis identifies what the attacker deployed and what it did. Data access analysis determines what information was viewed, copied, or exfiltrated.

Reporting. Document findings in a format suitable for the audience — technical details for the security team, executive summary for leadership, evidence documentation for legal counsel, and potentially expert testimony for court proceedings.

Evidence Acquisition

The golden rule of forensic acquisition: never work on the original evidence. Always create a forensic copy and work on that. The original is preserved as evidence. If you make a mistake during analysis, you can create another copy from the original. If you contaminate the original, it’s gone forever.

Disk Imaging. Tools like FTK Imager and dd (with write-blocking hardware) create bit-for-bit copies of storage media. Not a file copy — a sector-by-sector duplicate that captures everything, including deleted files, slack space, and unallocated areas. A file copy misses the data that matters most in an investigation.
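A minimal Python sketch of the imaging idea: read the source sector by sector, hash while reading, then re-hash the finished image to confirm the copy is identical. This is illustrative only — real acquisitions use a hardware write blocker and validated tools like dd or FTK Imager, and the paths here are hypothetical.

```python
import hashlib

def acquire_image(source_path, image_path, chunk_size=4096):
    """Bit-for-bit copy of source media, hashing as we read.

    Sketch only: a real acquisition goes through a write blocker
    and a validated imaging tool; paths here are hypothetical.
    """
    source_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        while True:
            chunk = src.read(chunk_size)  # sector-sized reads
            if not chunk:
                break
            source_hash.update(chunk)
            img.write(chunk)

    # Re-hash the finished image; it must match the source hash,
    # proving the copy is identical to the original.
    image_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(chunk_size), b""):
            image_hash.update(chunk)

    assert source_hash.hexdigest() == image_hash.hexdigest()
    return source_hash.hexdigest()
```

The returned digest is what gets recorded in the chain of custody documentation and re-verified at every subsequent hand-off.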

Write blockers — hardware or software devices that prevent any write operations to the source media — are mandatory during acquisition. Without a write blocker, the simple act of connecting a drive to a computer can alter metadata (last accessed timestamps, for example), contaminating the evidence. Hardware write blockers are preferred because they operate at the physical layer and can’t be bypassed by software.

Memory Forensics. RAM contains evidence that exists nowhere else: running processes, network connections, encryption keys, command histories, injected code. Tools like Volatility analyze memory dumps to extract this information. Memory forensics can reveal malware that never touched disk — fileless malware running entirely in memory is invisible to disk-based analysis.

The catch: memory is volatile. It disappears when power is lost. The order of evidence collection matters — capture memory first, then image the disk. RFC 3227 — Guidelines for Evidence Collection and Archiving defines the order of volatility, from most volatile (processor cache, RAM) to least volatile (archival media). Collect in that order.

Network Evidence. Packet captures (PCAPs), netflow data, DNS query logs, firewall logs, and proxy logs. Network evidence shows communication patterns — where data went, how much was transferred, what protocols were used. If you’re trying to determine whether data was exfiltrated, network evidence is where the answer lives.
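As a sketch of how flow data answers the exfiltration question: aggregate outbound bytes per internal-host/external-destination pair and flag pairs above a volume threshold. The flow records, IP addresses, and the 10 MB threshold below are all hypothetical; real input would come from netflow exports or firewall logs, and the threshold needs tuning per environment.

```python
from collections import defaultdict

# Hypothetical flow records: (src_ip, dst_ip, bytes_out).
flows = [
    ("10.0.0.5", "203.0.113.9", 48_000_000),
    ("10.0.0.5", "203.0.113.9", 52_000_000),
    ("10.0.0.7", "198.51.100.2", 12_000),
    ("10.0.0.8", "198.51.100.4", 9_500),
]

def outbound_totals(records):
    """Sum bytes sent per (internal host, external destination) pair."""
    totals = defaultdict(int)
    for src, dst, nbytes in records:
        totals[(src, dst)] += nbytes
    return dict(totals)

def flag_exfil(totals, threshold=10_000_000):
    """Flag pairs whose outbound volume exceeds a tuned threshold."""
    return [pair for pair, nbytes in totals.items() if nbytes >= threshold]

suspects = flag_exfil(outbound_totals(flows))
# 10.0.0.5 -> 203.0.113.9 moved ~100 MB outbound: worth a closer look.
```

Volume alone isn't proof of exfiltration — legitimate backups look the same — but it tells you where to point the packet captures next.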

Chain of Custody

Chain of custody is the documented trail showing who had possession of evidence, when, and what they did with it. It’s the mechanism that proves the evidence presented in court (or to regulators) is the same evidence collected from the compromised system, unaltered.

Every transfer of evidence — from the forensic analyst to the evidence locker, from the evidence locker to the lab, from the lab to legal counsel — is documented: the date and time of the hand-off, who released the evidence and who received it, the purpose of the transfer, and the evidence item's identifier and current hash.

Cryptographic hashing provides the technical verification. Before acquisition, you hash the source media (SHA-256 or stronger). After creating the forensic image, you hash the image. The hashes must match — proving the copy is identical to the original. Every time the evidence is accessed or transferred, the hash is verified again. If the hash ever changes, the evidence has been altered and its integrity is compromised.
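The hand-off procedure above can be sketched as a small routine: verify the evidence hash against the recorded baseline before accepting the transfer, and refuse the hand-off on any mismatch. The field names and roles are illustrative; real custody records are formal documents, often paper, with signatures.

```python
import hashlib
from datetime import datetime, timezone

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large images don't fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_transfer(log, evidence_path, released_by, received_by, baseline_hash):
    """Verify integrity at hand-off, then append a custody entry."""
    current = sha256_of(evidence_path)
    if current != baseline_hash:
        # Any change to the evidence shows up here: the hand-off fails.
        raise ValueError("hash mismatch: evidence integrity compromised")
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "item": evidence_path,
        "released_by": released_by,
        "received_by": received_by,
        "sha256": current,
    })
    return log
```

The point of the structure: the baseline hash is recorded once, at acquisition, and every later entry in the log re-proves the evidence still matches it.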

A broken chain of custody doesn’t necessarily mean the evidence was tampered with. But it means you can’t prove it wasn’t, and in legal proceedings, that’s enough to get it excluded. NIST SP 800-86 and the Scientific Working Group on Digital Evidence (SWGDE) both emphasize that chain of custody documentation is non-negotiable.

Timeline Analysis

Reconstructing the sequence of events is where forensic analysis transforms raw data into a narrative. Timeline analysis correlates timestamps across multiple evidence sources: file system metadata, operating system event logs, application and web server logs, firewall and proxy logs, and network captures.

Tools like log2timeline/Plaso aggregate timestamps from all these sources into a unified, chronological super-timeline. When you’re looking at a timeline with millions of events, the patterns emerge: the attacker’s initial access at 2:47 AM, privilege escalation at 2:53 AM, lateral movement starting at 3:15 AM, data staging at 4:30 AM, exfiltration starting at 5:00 AM. That narrative is what tells the full story.

Time zone normalization is critical. A system logging in UTC, an application logging in local time, and a firewall logging in the data center’s time zone will produce a confused timeline if you don’t normalize everything to a single reference.
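A minimal sketch of that normalization step, with hypothetical events from three sources logging in three different zones. Convert everything to timezone-aware UTC first, then sort — otherwise the firewall's "6:00 AM" entry would wrongly appear after events it actually preceded.

```python
from datetime import datetime, timezone, timedelta

# Hypothetical events; each source logs in a different zone.
raw_events = [
    ("syslog (UTC)",     "2024-03-01 02:53:00", timezone.utc,                  "privilege escalation"),
    ("app (UTC-5)",      "2024-02-29 21:47:00", timezone(timedelta(hours=-5)), "initial access"),
    ("firewall (UTC+1)", "2024-03-01 06:00:00", timezone(timedelta(hours=1)),  "exfiltration begins"),
]

def build_timeline(events):
    """Normalize every timestamp to UTC, then sort chronologically."""
    normalized = []
    for source, stamp, tz, what in events:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        normalized.append((local.astimezone(timezone.utc), source, what))
    return sorted(normalized)

for when, source, what in build_timeline(raw_events):
    print(when.isoformat(), source, what)
```

Once normalized, the app server's 9:47 PM local entry correctly sorts before the syslog entry at 2:53 AM UTC — the kind of ordering mistake that, uncorrected, would invert the attack narrative.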

Legal Admissibility

For evidence to be admissible in legal proceedings, it must meet standards established by rules like the Federal Rules of Evidence (FRE) in the United States, or equivalent standards in other jurisdictions.

Authenticity — Can you prove the evidence is what you claim it is? Chain of custody and hash verification provide this.

Reliability — Were the tools and methods used to collect and analyze the evidence reliable and generally accepted? Using established tools (EnCase, FTK, Volatility) with documented procedures helps establish reliability.

Relevance — Does the evidence actually pertain to the matter at hand?

Completeness — Have you presented all relevant evidence, including evidence that might be unfavorable to your position?

Expert testimony may be required to explain forensic methods and findings to judges and juries who aren’t technical. The forensic examiner’s notes, methodology documentation, and tool validation records become part of the evidentiary record.

How It Gets Exploited

Anti-forensics is a well-documented category of adversary techniques. Attackers know you’ll investigate, and they plan accordingly.

Log destruction. MITRE ATT&CK T1070 — Indicator Removal. Clearing event logs, deleting command history, truncating application logs. If the evidence doesn’t exist, the investigator can’t find it. Centralized, immutable log storage is the countermeasure.

Timestomping. T1070.006 — modifying file timestamps to disguise when files were created or modified. That malicious DLL looks like it was installed with the operating system three years ago. Timeline analysis catches this when file system metadata (MFT entries on NTFS) tells a different story than the file timestamps.
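One detection heuristic, sketched in Python under POSIX assumptions: `utime()` can rewrite a file's modification time, but the inode change time (`st_ctime`) updates on any metadata change and can't be set the same way, so a file whose mtime has been pushed far into the past shows mtime much older than ctime. On NTFS the analogous check compares `$STANDARD_INFORMATION` against `$FILE_NAME` timestamps in the MFT. The 5-second slack value is an arbitrary illustration.

```python
import os

def timestomp_suspects(paths, slack_seconds=5):
    """Flag files whose mtime is far older than their inode change time.

    Heuristic sketch (POSIX semantics assumed): mtime << ctime suggests
    the content timestamp was rewritten after the fact. Legitimate
    metadata changes (chmod, rename) also move ctime, so treat hits
    as leads, not proof.
    """
    suspects = []
    for path in paths:
        st = os.stat(path)
        if st.st_ctime - st.st_mtime > slack_seconds:
            suspects.append(path)
    return suspects
```

A freshly written file has mtime and ctime within moments of each other; a file "aged" three years with `os.utime()` (or an attacker's timestomping tool) immediately trips the check.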

Secure deletion and disk wiping. Overwriting data to make recovery impossible. Standard deletion just removes the file system pointer — the data remains on disk and is recoverable. Secure deletion overwrites the actual sectors. Tools like DBAN and secure-erase commands make forensic recovery of overwritten data effectively impossible with modern storage technologies.

Encryption. Encrypted volumes that the investigator can’t access without the key. Full-disk encryption, encrypted containers, and encrypted communications all create evidence black boxes. Court orders can compel key disclosure in some jurisdictions, but the legal landscape varies significantly.

Steganography. Hiding data inside innocent-looking files — images, audio, video. Exfiltrated data embedded in a JPEG that was uploaded to a social media platform looks like someone sharing a photo, not data theft. Detection requires specialized analysis tools and a reason to look.

Living off the land. Attacks that use only legitimate system tools leave fewer forensic artifacts than attacks using custom malware. There’s no malware binary to analyze, no dropped files to examine. The evidence lives entirely in process execution logs, command-line arguments, and ephemeral system state that may not be captured if logging isn’t configured correctly.

What You Can Do

Sources & Further Reading