Digital forensics is the set of scientific and technical procedures used to identify, collect, preserve, analyze and present digital evidence in a way that keeps its integrity and authenticity defensible in court. This page covers the collection and preservation stages — the foundation of any successful investigation.
Core principles of digital forensics
Three principles, set out both by NIST SP 800-86 and by ISO/IEC 27037:2012, govern all responsible forensic work.
Do not alter the evidence. Any interaction with a system can modify data. Mounting a file system updates timestamps; running an antivirus scan can delete malware artifacts; rebooting a machine destroys RAM. The examiner must act with the least possible interference and record every action taken, even the unavoidable ones.
Follow the order of volatility. RFC 3227 (Guidelines for Evidence Collection and Archiving) states that the most volatile data must be collected first: (1) CPU registers and cache, (2) RAM, (3) network connection state and ARP table, (4) running processes, (5) temporary file systems and swap, (6) permanent disk, (7) removable media and remote logs. Ignoring this hierarchy is the equivalent of leaving the crime scene unprotected.
Document everything. Every action — who, when, with which tool, on which device — makes up the record that sustains the chain of custody. Without continuous documentation, evidence can be challenged even when it is technically intact.
Types of digital evidence
Digital evidence falls into categories with distinct characteristics and collection challenges:
Disk and persistent storage. Hard drives, SSDs, USB sticks and memory cards store files, file-system metadata, deleted records and unallocated space. Bit-by-bit imaging captures everything — including sectors marked as free — and is the standard technique for this category.
RAM. Contains active processes, open network connections, loaded encryption keys, cleartext passwords and malware artifacts that never touch the disk (fileless malware). Memory is lost entirely when the equipment is powered off, which is why it sits at the top of the order of volatility.
Network traffic. Packet captures (PCAP) make it possible to reconstruct sessions, identify data exfiltration, map communications with command-and-control (C2) servers and correlate event timestamps. Tools such as Wireshark, tcpdump and Zeek are the references in this category.
Mobile devices. Smartphones and tablets require specific tools (Cellebrite UFED, Oxygen Forensic Detective) that perform logical, physical or chip-off extraction depending on the level of access. Airplane mode must be enabled immediately to prevent a remote wipe and to preserve the state of communications.
Cloud evidence. Provider logs (AWS CloudTrail, Azure Monitor, GCP Audit Logs), volume snapshots, object metadata in S3 buckets and identity records (IAM) make up the native evidence of cloud environments. Collection depends on APIs and on the provider's retention policies, which requires fast action before the logs expire.
Collection with bit-by-bit imaging and a write-blocker
A bit-by-bit image (forensic image) replicates every sector of the source device, including unallocated space, deleted files and hidden metadata. This level of fidelity is required by ISO/IEC 27037 for evidence that may be submitted in court.
The write-blocker — a hardware device such as the Tableau T8-R2 or an equivalent software solution — acts as a one-way barrier: data flows from the original device to the acquisition tool, but no byte is written back. Without this control, imaging tools and even the operating system itself can update file-system metadata during the read, invalidating timestamps and compromising the evidence.
Established tools for disk acquisition:
- FTK Imager (AccessData/Exterro): graphical interface, support for E01, AFF and RAW images, built-in hash verification.
- dd and dcfldd: Unix command-line utilities; dcfldd adds hash computation and real-time verification.
- Guymager: high-performance Linux GUI with support for parallel acquisition.
- EnCase: commercial platform widely accepted in international legal proceedings.
RAM capture
Volatile memory analysis (memory forensics) is one of the most important frontiers of modern investigation, because fileless attacks, running ransomware and credentials in use exist exclusively in RAM.
On Windows, WinPmem is the reference open-source utility; Magnet RAM Capture offers a simplified interface for less experienced operators. On Linux, the kernel module LiME (Linux Memory Extractor) dumps RAM directly to a .lime file over the network or to local disk with minimal system disturbance. On macOS, AVML (developed by Microsoft's security team) supports recent kernels.
The memory image file should be analyzed with the Volatility Framework (versions 2 and 3), which makes it possible to list processes, identify code injection, extract network artifacts, recover passwords from registry hives and detect rootkits by comparing kernel structures.
Hashing and integrity verification
A cryptographic hash is the mathematical signature that proves a piece of evidence was not altered between the moment of collection and its presentation. The process is simple but critical: compute the hash of the original device before imaging, compute the hash of the generated image, and confirm the values are identical. Any difference — even a single bit — produces a completely different hash.
NIST SP 800-86 recommends using two algorithms simultaneously. In Brazilian forensic practice, the pair MD5 + SHA-256 is the standard: MD5 for compatibility with legacy tools and SHA-256 for cryptographic robustness. SHA-3 (Keccak) is starting to appear in more recent specifications, but it is not yet required by current standards.
The hash values, along with the tool used, its version, the date, the time and the examiner's name, must be recorded on the chain-of-custody form and repeated every time the image is accessed or copied.
Remote and cloud forensics
In incidents involving distributed systems, remote servers or public cloud infrastructure, physical collection is impossible. Remote forensics operates on copies and logs generated by the environment itself:
In AWS, the examiner exports CloudTrail (API calls), VPC Flow Logs (network traffic), CloudWatch Logs (applications) and creates EBS snapshots of the compromised volumes. The snapshots are copied to an isolated investigation account and mounted with write-blocking via an IAM policy.
In Microsoft Azure, the equivalents are Azure Monitor, Log Analytics, Activity Log and managed-disk snapshots. The Microsoft 365 Compliance Center offers email and Teams chat preservation tools integrated directly into the legal workflow.
A challenge specific to the cloud is shared custody: the provider controls the hardware and part of the infrastructure logs. ISO/IEC 27050 (Cloud Forensics) provides guidance on how to formalize preservation requests to the provider and on which artifacts are accessible without a court order and which require a legal warrant.
Forensic analysis tools
Collection produces raw images; analysis turns bytes into investigative facts. The following tools are widely accepted in legal proceedings and technical audits:
- Autopsy: open-source platform with modules for timeline analysis, recovery of deleted files, browser analysis and email extraction.
- The Sleuth Kit (TSK): the command-line library that underpins Autopsy; enables granular file-system analysis.
- Volatility Framework: the standard for RAM analysis, with profiles for Windows, Linux and macOS.
- FTK (Forensic Toolkit): Exterro's commercial platform with full-text indexing, email analysis and legal report generation.
- EnCase: a reference in large corporate investigations and criminal cases; its proprietary E01 format is widely accepted in international courts.
- Magnet AXIOM: specialized in artifacts from mobile, cloud and collaboration apps (Slack, Teams, WhatsApp).
Preservation and chain of custody
Collecting the evidence correctly is necessary but not sufficient. Preservation ensures the evidence remains intact from collection to eventual presentation in court — an interval that can last years.
Essential preservation practices include: storage on dedicated forensic media (a sealed hard drive or an immutable repository), physical and logical access control over the storage location, logging of every entry and exit of the evidence, duplication in at least two distinct locations and periodic re-verification of the hashes to detect media degradation.
The chain of custody is the document that records this history without interruption. Any gap — a period with no record of who held the evidence — can be used to challenge its authenticity in court. Law 13.964/2019 (the Anti-Crime Package) explicitly codified this requirement in the Brazilian Code of Criminal Procedure. For an in-depth study of the concept and the forms, see the page on chain of custody for digital evidence.
Legal admissibility in Brazil
Brazil recognizes digital evidence in the Code of Civil Procedure (art. 369, which admits all lawful means of proof) and in the Code of Criminal Procedure, which received articles 158-A through 158-F via Law 13.964/2019 — the first criminal procedural provisions to deal specifically with the digital chain of custody.
For digital evidence to be admitted, the examiner must demonstrate: (1) that the collection process did not alter the original data, shown by the hashes; (2) that the chain of custody is uninterrupted and documented; (3) that the tools used are recognized and their versions recorded; and (4) that the expert report describes the methodology in reproducible technical language.
Reports prepared in conformity with ISO/IEC 27037 and NIST SP 800-86 have been consistently accepted by the Superior Court of Justice (STJ) and by state courts. Challenging the evidence requires technical counter-proof — it is not enough to allege manipulation without presenting evidence of a discrepancy in the hash or in the chain of custody.
Standards and technical references
- NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response: a comprehensive guide to forensic methodology in incident response.
- ISO/IEC 27037:2012 — Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence: the international standard for forensic procedures.
- RFC 3227 — Guidelines for Evidence Collection and Archiving: the technical reference for order of volatility and collection procedures.
- ISO/IEC 27050 — Electronic Discovery: covers evidence in cloud environments and electronic discovery.
- Law 13.964/2019 — the Anti-Crime Package: articles 158-A through 158-F of the Code of Criminal Procedure, which establish the chain of custody in Brazilian criminal procedural law.
Frequently asked questions
What is the order of volatility in digital forensics?
The order of volatility defines the sequence for collecting evidence, from the most ephemeral data to the most persistent. RFC 3227 sets the hierarchy: CPU registers and cache, RAM, network connection state, running processes, temporary file systems, permanent disk and, last, removable media and backups. Respecting this order prevents the irreversible loss of artifacts that exist only while the system is powered on.
Why use a write-blocker during forensic collection?
A write-blocker intercepts any attempt to write to the source device, ensuring the imaging tool does not alter timestamps, metadata or disk content during acquisition. Without this control, any access to the file system can modify access dates and compromise the integrity of the evidence. Using a write-blocker is a requirement of ISO/IEC 27037 and a fundamental practice accepted by the STJ for the purposes of legal admissibility.
What is the difference between MD5 and SHA-256 for verifying integrity?
MD5 produces a 128-bit hash and is still widely used in legacy tools, but it has vulnerabilities to intentional collisions. SHA-256 produces 256 bits and is considered cryptographically secure for current forensic purposes. NIST SP 800-86 recommends using at least two algorithms in parallel — in practice, MD5 and SHA-256 — so that any future discrepancy can be detected. The hash must be computed immediately after acquisition and documented in the chain of custody.
How is RAM captured without shutting down the system?
Live capture uses tools such as WinPmem, AVML or LiME to dump the contents of RAM to an image file without restarting the system. The process runs in userspace or via a kernel module and produces a .raw or .lime file that can be analyzed with the Volatility Framework. It is essential to document the time, operating-system version and tool used, because RAM changes every millisecond and the time record is part of the evidence.
Does cloud forensics follow the same principles as traditional forensics?
The principles are the same — do not alter the evidence, document everything, compute hashes — but the execution is different. In the cloud, the examiner collects via provider APIs (AWS CloudTrail, Azure Monitor, GCP Audit Logs), volume snapshots and traffic captures via VPC Flow Logs. NIST SP 800-86 addresses the specific challenges of evidence in virtualized environments, including questions of jurisdiction and shared custody with the provider.
Is digital evidence admitted in legal proceedings in Brazil?
Yes. The Code of Civil Procedure (art. 369) and the Code of Criminal Procedure (arts. 158-A to 158-F, Law 13.964/2019) expressly recognize digital evidence. Admissibility depends on authenticity via hash, integrity of the chain of custody and conformity with ISO/IEC 27037. Reports signed by a qualified examiner carry legal standing and can be challenged only through technical counter-proof.
Digital forensics with Decripte
Decripte performs digital forensics and incident response for organizations of all sizes — from sole proprietors and startups to companies with more than 100,000 employees. Our team conducts collection in conformity with ISO/IEC 27037 and NIST SP 800-86, produces court-admissible reports and delivers reports that are understandable to both managers and technical teams.
For organizations that have not yet suffered an incident, the free Threat Plan establishes a security baseline and prepares response processes before forensic collection becomes urgent. For companies that need immediate forensic capability, the paid plans include an activation SLA and a dedicated team.
