IT International Academy - Digital Forensics
IT International Academy
๐Ÿ” Empowering Future Tech Professionals

Digital Forensics Fundamentals

Reading the Evidence Machines Leave Behind

๐Ÿ” MODULE 1.0

Welcome to Digital Forensics Fundamentals

Digital Forensics Investigation Overview

Sit down for a moment before we touch a single tool. I want you to picture something first.

Somewhere, right now, a company just discovered its network was breached three weeks ago. A phone sits in an evidence bag, its owner accused of something they say they didn't do. A hard drive was "wiped clean" by someone who was certain that meant the data was gone forever. In every one of these situations, there is one kind of professional the room is waiting for: someone who can read what the machine actually remembers, and prove it.

That is what this module begins to teach you. Not theory for its own sake โ€” a working skill you will use the very first week you start practicing it, on your own phone, for free.

Why This Field Exists

Every action taken on a computer, a phone, or a network leaves a mark somewhere โ€” a timestamp, a log entry, a fragment of deleted data sitting quietly in a corner of the disk nobody thought to check. Most people never think about this. Digital forensics is the discipline built entirely around noticing it, preserving it correctly, and turning it into proof a court, an employer, or an investigator can trust.

It sits at a rare intersection of three worlds: the technical precision of computer science, the procedural discipline of law, and the pattern-reading instinct of a detective. You don't need to be an expert in all three coming in. You need curiosity, patience, and a willingness to document everything you do โ€” the rest is what this module is here to build.

Who This Course Is For

This module assumes no prior background in digital forensics, law, or investigative work. If you're a first-year cybersecurity student who has never opened a terminal for anything more serious than a school assignment, you are exactly who this was written for.

What you do need is a smartphone with Chrome, a willingness to type real commands rather than just read about them, and enough discipline to actually complete each practical exercise instead of skimming past it. Everything else โ€” the vocabulary, the tools, the mindset โ€” is built from zero, one unit at a time.

How This Course Is Built

Every unit in this module follows the exact same rhythm, deliberately, so you always know what to expect:

  1. Objectives โ€” a short, honest list of what you should be able to do by the end.
  2. Core Terms โ€” the vocabulary defined first, before any explanation, so nothing is assumed.
  3. Context โ€” why the concept matters, explained with reasoning and real-world framing, not just facts.
  4. A Video Lecture โ€” a carefully chosen video that reinforces the same material from a different voice and angle.
  5. A Practical Exercise โ€” something you actually do, on your own phone, using free tools.

This structure is intentional: 80% of your time in this module should be spent doing, not reading. Reading builds vocabulary. Doing builds skill. Only one of those gets you hired.

Your Complete Roadmap Through Module 1

Here is everything ahead of you in this module, in order:

The Tools You'll Use โ€” and Why You Don't Need a Laptop

Real digital forensics investigators use tools like FTK Imager, Autopsy, Volatility, and Wireshark. All four are free. All four are industry-standard โ€” the same software used by law enforcement, corporate security teams, and independent examiners around the world.

Where this module differs from a traditional classroom is simple: you are going to practice the underlying logic of every one of these tools using nothing but your phone's browser and Google Cloud Shell โ€” a full, free Linux terminal that runs entirely online. Every hashing command, every imaging command, every network command you'll run in this module works exactly the same way it would on a $2,000 forensic workstation. The tool is free. The terminal is free. The only thing this course asks you to invest is your attention.

How To Actually Study This Module

Three habits will decide whether this module actually sticks with you, or fades in a week:

A Note on Ethics and Responsibility

Everything in this module is taught for one purpose: to prepare you to investigate honestly, lawfully, and defensibly. The same skills that recover a deleted file or capture a memory dump can be misused if applied without authorization. Every exercise in this module works only on data you created yourself, on systems you have every right to access. As you move further into this field โ€” and especially in Module 2 and beyond โ€” that boundary of lawful authorization is not a technicality. It is the single thing that separates an investigator from an intruder.

What You'll Walk Away With

By the time you close Unit 1.7, you will have personally hashed evidence, built a chain of custody log, imaged and verified a file, recovered a deleted file conceptually through Autopsy, reasoned through a live-memory incident, read a real network exchange, and written a short forensic report โ€” all from a smartphone, all using free tools, all without ever setting foot in a physical lab.

That is not a theoretical understanding of digital forensics. That is the actual starting toolkit of a working investigator. Let's begin.

๐Ÿ” UNIT 1.1

What Is Digital Forensics?

Digital Evidence Investigation

By The End Of This Unit, You Will Be Able To:

Let me start the way I start every first lecture of this course: with a question. If I handed you a laptop that belonged to someone accused of fraud, and told you to "find the proof," what would you actually do?

Most people's instinct is to open the laptop, click around, look at recent files, maybe check the browser history. That instinct, understandable as it is, would destroy your case before it even started. Why? Because the moment you touch a live system carelessly, you change timestamps, overwrite memory, and give a defense lawyer every reason to say "how do we know you didn't plant that evidence?"

This is the gap that digital forensics exists to close. It is not simply "IT skills applied to crime." It is a discipline built entirely around one demand: prove that what you found is real, and prove it in a way a court will accept.

Let's define our vocabulary before we go further โ€” precision of language matters here the way it matters in a courtroom.

Digital Forensics is the scientific process of identifying, preserving, analyzing, and presenting digital evidence in a way that is legally admissible. Notice the word scientific. In science, a result only counts if someone else can repeat your method and get the same answer. That is exactly the standard digital forensics holds itself to โ€” every action must be documented well enough that another examiner, using your notes alone, could redo your work and reach the same conclusion.

Evidence is any piece of data โ€” a file, a deleted email, a log entry, a snapshot of memory โ€” that can prove or disprove a fact in an investigation.

Chain of Custody is the unbroken, documented record of everyone who touched a piece of evidence, when, and what they did with it. We will spend an entire unit on this next, because breaking it is the single most common reason strong evidence gets thrown out of court.

A Hash Value is a unique digital fingerprint generated from a file's exact contents, typically using an algorithm called SHA-256. Change even a single character inside that file, and the entire hash changes, unrecognizably. This is how an investigator proves, mathematically, that a file was never altered.

A Forensic Image is an exact, bit-for-bit copy of a storage device โ€” not just the visible files, but every sector, including ones marked "empty." Investigators never work on the original device; they always work on a verified image of it.

A Write Blocker is hardware or software that lets you read a device with zero possibility of accidentally writing to it, guaranteeing the original stays untouched.

Now that you have the vocabulary, here is the bigger picture. Every crime, every breach, every workplace dispute today leaves a digital trace somewhere โ€” a browser history, a router log, a phone's location cache, a deleted photo that isn't actually gone. Digital forensics is the discipline that turns that trace into proof.

It sits at the intersection of computer science, criminal law, and detective work โ€” you need all three instincts at once. The field breaks into four main branches, and this module gives you one unit on each:

As a cybersecurity student, this is the skill that turns "we got hacked" into "here is exactly how, when, and by whom, and here is proof strong enough to hold up in court."

A Real-World Case, Told Simply

Picture a mid-size company that notices money missing from an account only it and one employee could access. The employee denies everything. Investigators image the employee's work laptop, and inside a folder that had been emptied weeks earlier, they recover spreadsheets showing the exact transfers, along with browser history showing searches for "how to permanently delete files." The employee's own attempt to hide the evidence is what makes the case airtight โ€” because the recovered files were hashed, logged, and imaged following the exact process you are about to learn in this module.

Notice what actually won the case: not a clever hack, not guesswork โ€” a disciplined, repeatable process that any other examiner could have followed and reached the same conclusion. That is the entire game in this field.

Common Misconceptions โ€” Let's Clear These Up Now

"Digital forensics is basically hacking." Not quite. Hacking is about finding a way in. Forensics is about proving, after the fact, exactly what happened โ€” often the opposite skill set, focused on documentation and restraint rather than exploitation.

"If I can't see the file anymore, it's gone." You already know from this unit that this is usually false. Visibility and existence are two different things on a disk.

"You need expensive lab equipment to start." You need a write blocker and specialized hardware for real casework eventually โ€” but the reasoning, the commands, and the mindset can all be practiced today, on a phone, for free.

"Formatting a drive destroys everything." A quick format mostly clears the file system's index, very similar to deletion. A full, multi-pass wipe is a different story โ€” but most people never actually do that.

Watch This Before Your First Practical

This short lecture introduces the field from the ground up and pairs well with everything above. Watch it fully before attempting the exercise below.

DFS101: Introduction to Digital Forensics

Practical Exercise 1 โ€” Hash Your First Piece of "Evidence"

You don't need a laptop or any special hardware for this. Open Google Cloud Shell in Chrome on your phone (console.cloud.google.com โ†’ tap the Cloud Shell icon at the top right), and follow along step by step:

echo "Case File 001 - Original Statement" > evidence.txt sha256sum evidence.txt

Write down that hash value somewhere โ€” it is your file's unique fingerprint. Now make a tiny, almost invisible change to the file:

echo " " >> evidence.txt sha256sum evidence.txt

Compare the two hash values carefully. They will look completely different, even though your change was one invisible space character. In your own words, write 2โ€“3 sentences explaining what just happened, and why this matters in a real investigation where evidence must never be altered after it is collected.

Practical Exercise 2 โ€” Two Files, Same Content, Different Names

Now let's test whether a hash cares about a file's name, or only its contents:

echo "Identical content" > file_a.txt echo "Identical content" > file_b.txt sha256sum file_a.txt file_b.txt

Look closely at the two hash values. Are they the same or different? Write one sentence explaining what this tells you about what a hash actually measures โ€” and why an investigator can use hashing to prove two files found in different locations are, in fact, the exact same piece of evidence.

Self-Check โ€” Can You Answer These?

  1. In your own words, what makes digital forensics "scientific"?
  2. Name the four branches of digital forensics and give one example of evidence each branch would recover.
  3. What is the difference between a file being "deleted" and a file being permanently destroyed?
  4. Why does a forensic investigator always work from an image rather than the original device?
  5. If two files produce the same SHA-256 hash, what does that prove about their contents?

๐Ÿ’ก Remember: You don't need expensive forensic hardware to start learning this field. A phone, a browser, and Google Cloud Shell give you a real Linux terminal to practice on โ€” the exact same command family professionals use every day. Your device is not your limitation โ€” your discipline is.

๐Ÿ” UNIT 1.2

The Forensic Process & Chain of Custody

Evidence Documentation and Chain of Custody

By The End Of This Unit, You Will Be Able To:

Before we walk through the process, let's define the terms that make it up.

Chain of Custody Document โ€” a physical or digital form that logs every person who has handled a piece of evidence, the exact time they handled it, and what action they took.

Preservation โ€” the act of protecting evidence from being altered, damaged, or destroyed, starting the moment it is discovered.

Acquisition โ€” the step where an investigator makes a verified forensic copy of the original evidence, so the original itself is never touched again.

Analysis โ€” examining the acquired copy carefully to extract meaningful, factual findings.

Presentation โ€” reporting those findings clearly enough that a judge, jury, or a manager with zero technical background can understand and trust them.

Evidence Tag / Evidence ID โ€” a unique label attached to every item the moment it is seized, so it can never be confused with another item in the same case, or another case entirely.

Custodian โ€” whoever currently holds legal and physical responsibility for a piece of evidence at any given moment. There is always exactly one custodian, never zero, never two.

Here is something I want you to remember for the rest of your career: the technical finding is rarely what gets a case thrown out โ€” sloppy documentation is. A defense lawyer's very first move, almost every single time, is to ask: "can you prove nobody tampered with this evidence between the moment it was seized and the moment it was presented here today?" If your paper trail has even one gap, the honest answer becomes no โ€” and the evidence can be dismissed, no matter how strong or damning it is.

Every real investigation โ€” whether it's a stolen company laptop or a nation-state breach โ€” follows the same five-stage process:

  1. Identification โ€” recognizing that a device or data source might contain evidence, and formally deciding what will be seized.
  2. Preservation โ€” isolating the device (for example, pulling it off the network) and attaching write blockers so nothing on it can change.
  3. Acquisition โ€” creating a bit-for-bit forensic image of the device and hashing it immediately, before anything else happens.
  4. Analysis โ€” working only on the verified image, never the original, to recover files, build timelines, and surface artifacts.
  5. Reporting โ€” writing up findings in plain, defensible language, every claim backed by hashes and logged actions.

Miss a step anywhere in that sequence, or fail to log it properly, and the chain breaks โ€” permanently. There is no "fixing it later." Once a gap exists in the documentation, it exists forever.

What Belongs In A Chain of Custody Log

A proper log is more detailed than most beginners expect. At minimum, every entry needs:

Notice the pattern: every single field exists to answer one question in advance โ€” "who could have tampered with this, and when?" A complete log makes the answer, provably, "no one."

Three Ways a Chain of Custody Actually Breaks

1. The gap in time. Evidence sits somewhere for two hours with no logged custodian. Even if nothing happened, you cannot prove that โ€” and "we're pretty sure" is not admissible.

2. The missing signature. A transfer happens, but the receiving examiner forgets to sign and date the log. On paper, the evidence appears to have vanished and reappeared.

3. The mismatched hash. A verification hash doesn't match the previous one on record. This doesn't always mean tampering โ€” sometimes it's a labeling error โ€” but it must be investigated and documented immediately, never quietly ignored.

Watch: Understanding Chain of Custody

This short video walks through exactly why chain of custody is treated as a legal requirement, not a formality, using real examples of cases that fell apart because of documentation gaps.

Understanding Chain of Custody in Digital Forensics

Practical Exercise 1 โ€” Build a Chain of Custody Log

Using Google Docs or Sheets on your phone, create a simple chain of custody log with these columns:

Now repeat the hashing exercise from Unit 1.1 on a brand-new file, and log it in your custody form exactly as if it were real case evidence you had just seized. Fill in every column โ€” this discipline is the entire point of the exercise.

Practical Exercise 2 โ€” Simulate a Multi-Party Transfer

Real evidence rarely stays with one person. Simulate a three-step transfer of your evidence file from Exercise 1:

  1. Log yourself as the original collector, with today's date and time.
  2. Log a fictional "Examiner B" receiving the evidence one hour later, for the purpose of "initial imaging."
  3. Log a fictional "Evidence Custodian C" receiving it two hours after that, for the purpose of "secure storage."

Re-hash the file at each stage and confirm the value hasn't changed. Then write 2โ€“3 sentences: if "Examiner B" had failed to log the handoff, what specific argument could a defense lawyer make in court?

Self-Check โ€” Can You Answer These?

  1. List the five stages of the forensic process in the correct order.
  2. What is the difference between "preservation" and "acquisition"?
  3. Name three fields that must appear in every chain of custody log entry.
  4. Why is a two-hour unlogged gap in custody a serious problem, even if nothing happened during that time?
  5. What should an examiner do if a verification hash doesn't match the previous record?

๐Ÿ’ก Remember: In real investigations, technical brilliance rarely saves a case with broken paperwork. Discipline in documentation is a forensic skill in its own right, not a side task.

๐Ÿ” UNIT 1.3

Evidence Acquisition & Disk Imaging

Disk Imaging and Forensic Acquisition

By The End Of This Unit, You Will Be Able To:

New unit, new vocabulary โ€” let's lock these in first.

Disk Imaging is the process of creating an exact, bit-for-bit copy of a storage device โ€” every sector, including deleted and "empty" space, not just the files a user can see.

Write Blocker is hardware or software that guarantees you can read a device without any possibility of writing to it, so the original stays completely untouched during examination.

FTK Imager is a free forensic tool used to create disk images and generate their hash values, with a simple graphical interface.

dd is a Linux command-line tool that can also create raw disk images, byte for byte โ€” the terminal-based cousin of FTK Imager.

Physical Acquisition โ€” imaging an entire physical device, sector by sector, capturing everything: visible files, deleted files, unallocated space, and hidden partitions.

Logical Acquisition โ€” copying only the files and folders visible under the active file system. Faster, but leaves deleted data and hidden artifacts behind.

Here is the single rule that governs this entire unit, and honestly, most of your career if you go into this field: you never analyze the original evidence directly. You image it first, verify the image matches the original using hash values, and only then do you work โ€” on the image, never the source.

Think about why this matters. If your analysis software crashes, or you make a mistake halfway through, or a file gets accidentally modified โ€” none of that matters, because you can simply re-image from the untouched original. But if you had worked directly on the original device, one mistake could destroy the only copy of the evidence that will ever exist.

The standard acquisition workflow looks like this, every single time, without exception:

  1. Attach a write blocker to the original device before connecting it to anything.
  2. Hash the original device before imaging begins.
  3. Create the forensic image using a tool like FTK Imager or dd.
  4. Hash the resulting image file once imaging is complete.
  5. Compare both hashes side by side โ€” they must match exactly, character for character.
  6. Store the original securely in an evidence locker, and work only from the verified image from this point forward.

Physical vs. Logical โ€” Choosing the Right Acquisition

A physical acquisition captures the entire drive โ€” every sector, whether it contains a visible file, a deleted file, or nothing the operating system currently recognizes. This is the gold standard for serious investigations, because it captures everything a later analysis might need, including data the suspect believed was gone.

A logical acquisition only grabs what the active file system shows โ€” the files and folders a normal user would see. It's much faster and sometimes appropriate for quick triage, but it will completely miss deleted files, slack space, and hidden partitions. As a rule for this course: when in doubt, go physical. You can always extract a logical view from a physical image later, but you can never go the other way around.

Common Image Formats

Raw / DD โ€” an exact byte-for-byte copy with no extra structure. Universally compatible with almost every forensic tool, but offers no built-in compression or metadata.

E01 (EnCase Evidence Format) โ€” the most widely used professional format. Supports compression and stores case metadata (examiner name, case number, hash values) directly inside the image file.

AFF (Advanced Forensic Format) โ€” an open-source alternative to E01, less common today but still seen in some toolchains.

For this course, we'll work primarily with raw/dd images, since they're the simplest to create and verify from a command line โ€” but you should recognize all three names when you see them in the field.

Watch: Creating a Drive Image with FTK Imager

This demonstrates the graphical workflow professionals use day to day. Pay close attention to the hash verification step at the end โ€” that's the part students most often forget.

How to Create a Drive Image Using FTK Imager

Practical Exercise 1 โ€” Image and Verify a File

We'll simulate the imaging workflow using Cloud Shell, since true disk imaging requires physical hardware you don't have yet โ€” but the logic is identical.

dd if=evidence.txt of=evidence.img bs=1M

This creates a raw copy, exactly like imaging a full disk would โ€” just at a much smaller scale. Now hash both files to compare them:

sha256sum evidence.txt evidence.img

If the two hashes match exactly, you've just proven your "image" is a perfect, unaltered copy โ€” this is precisely what a real investigator does with FTK Imager on a 500GB hard drive, just scaled up enormously.

Practical Exercise 2 โ€” Double-Verify with Two Hash Algorithms

Professional reports often include more than one hash algorithm, since it makes a coincidental collision astronomically less likely. Run both against your image file:

md5sum evidence.img sha256sum evidence.img

Record both values as if writing them into a real acquisition report. Then explain in one or two sentences: why would an investigator bother recording two different hash values for the same file instead of just one?

Self-Check โ€” Can You Answer These?

  1. Why do investigators always image a device rather than analyze it directly?
  2. What is the difference between a physical and a logical acquisition?
  3. Name two forensic image formats besides raw/dd, and one advantage each offers.
  4. At what two points in the imaging workflow should you generate a hash value?
  5. If a re-verification hash doesn't match the original, what should an investigator conclude, and what should they do next?

๐Ÿ’ก Remember: The moment you skip verifying a hash after imaging, everything you find afterward becomes questionable in court. Verify first, analyze second โ€” always, no exceptions.

๐Ÿ” UNIT 1.4

File Systems & Data Recovery

File Recovery and Forensic Analysis

By The End Of This Unit, You Will Be Able To:

New unit โ€” new vocabulary, as always.

File System is the structure an operating system uses to organize and keep track of files on a storage device โ€” examples include NTFS on Windows, ext4 on Linux, and APFS on iPhone.

Deleted File โ€” when you "delete" a file, the operating system usually only removes the pointer to it from its index. The actual data itself stays sitting on the disk, untouched, until something else happens to overwrite that exact spot.

Unallocated Space is disk space the file system marks as free and reusable โ€” even though old data may still physically be sitting there, fully recoverable.

Slack Space is the small leftover gap at the end of a file's last storage block. Files rarely fill a block exactly, and whatever data used to occupy that leftover space before can sometimes still be recovered.

MAC Times โ€” Modified, Accessed, and Created timestamps attached to every file. Comparing these three times often reveals exactly what a user did, and when.

Autopsy is free, open-source forensic software used to browse disk images, recover deleted files, and build timelines of user activity.

This is the single most important idea in this entire unit, so read it twice: deleting a file almost never destroys it.

Picture a disk like a library's card catalogue. Every book has a card telling you exactly where on the shelf to find it. When you "delete" a book, the librarian doesn't burn it โ€” they just pull its card out of the catalogue and mark that shelf spot as "available." The book itself stays exactly where it was, until someone else requests a book and happens to get assigned that same spot. A forensic investigator's job, in this analogy, is to walk the shelves directly and ignore the missing cards entirely.

Autopsy does exactly this through a process called file carving โ€” it scans unallocated space for recognizable file signatures (the unique byte patterns that mark the start of a JPEG, a Word document, a PDF, and so on) and rebuilds files the file system itself has already forgotten about.

This is precisely why criminals who think hitting "delete" protects them are, more often than not, dead wrong โ€” and why understanding this gap is genuinely one of the most valuable skills you can bring into a security role.

A Quick Tour of File Systems

NTFS (Windows) โ€” keeps a master index called the Master File Table (MFT), which records the location, size, and timestamps of every file. When a file is deleted, its MFT entry is usually just marked as free โ€” the data itself often survives untouched.

ext4 (Linux) โ€” uses a similar concept called inodes to track file metadata separately from the actual file content, and behaves similarly around deletion.

APFS (iPhone / macOS) โ€” a newer file system that uses "snapshots," which can sometimes preserve earlier states of the file system even after changes, making certain recoveries easier than on older systems.

You don't need to memorize the internal structure of each โ€” what matters is the shared pattern: every file system separates "where the data physically lives" from "whether anything currently points to it." That gap is where recovery lives.

Reading MAC Times Like a Detective

Every file carries three timestamps that, read together, tell a story: when it was Modified (content last changed), Accessed (last opened or read), and Created (first written to this location).

A file created and modified at the same second, but accessed hours later, suggests it sat untouched until someone opened it. A file modified moments before a device was wiped often points directly at intent. Reading MAC times is rarely about any single timestamp โ€” it's about the relationship between all three, compared across multiple files, that builds a timeline of what a user actually did.

Watch: Recovering Deleted Files with Autopsy

Watch how a real deleted file is located and restored inside Autopsy's interface โ€” notice how the "Deleted Files" category in the sidebar makes this almost effortless once you know where to look.

How to Find and Recover Deleted Files using Autopsy

Practical Exercise 1 โ€” Recover a "Deleted" File

Using Cloud Shell, create and then delete a file:

echo "Confidential note" > secret.txt rm secret.txt

As far as the file system is concerned, that file is now gone. In a full lab session, you would load a disk image containing a deletion exactly like this into Autopsy, and use its file recovery module to bring the file back โ€” proving to yourself, hands-on, that "delete" rarely means gone.

Practical Exercise 2 โ€” Read a File's Timestamps

Create a file, wait a moment, then modify it, and inspect its metadata:

echo "Draft version" > report.txt sleep 5 echo "Final version" >> report.txt stat report.txt

Look at the Modify, Access, and Change fields in the output. Write 2โ€“3 sentences explaining what story these timestamps would tell an investigator who found only this file, with no other context.

Self-Check โ€” Can You Answer These?

  1. Why does a "permanently deleted" file often remain recoverable months later?
  2. What is file carving, and what does it rely on to rebuild a file?
  3. Name one file system and explain how it tracks file locations.
  4. What do MAC times stand for, and why are all three read together rather than individually?
  5. What is the difference between unallocated space and slack space?

๐Ÿ’ก Remember: Criminals who think deleting evidence protects them are almost always wrong. Understanding this gap is exactly what makes you valuable as an investigator.

๐Ÿ” UNIT 1.5

Memory Forensics

RAM and Memory Forensics

By The End Of This Unit, You Will Be Able To:

Let's define this unit's vocabulary before anything else.

RAM (Random Access Memory) is the computer's short-term, working memory. It holds everything the system is actively doing right now โ€” and it empties completely the instant power is cut.

Memory Dump is a saved snapshot of everything that was sitting in RAM at one specific moment in time.

Volatility is the leading free, open-source framework for analyzing memory dumps โ€” used to extract running processes, active network connections, and even encryption keys.

Volatile Evidence is any evidence that disappears once a device loses power. RAM is, by far, the most important example of this.

Order of Volatility โ€” a ranked list, from most fragile to least fragile, of what evidence to capture first during a live investigation: CPU registers and cache, then RAM, then network state, then running processes, and only afterward disk data, which is comparatively stable.

Live Forensics โ€” examining a system while it is still running, as opposed to "dead" forensics performed on a powered-off image.

Here's why this unit matters more than most students expect walking in: some of the most damaging evidence in modern cases never touches the hard drive at all. Malware that runs entirely inside memory, a password typed into a login form seconds before capture, a chat message before it was encrypted โ€” all of it can live only in RAM and nowhere else. If an investigator pulls the plug before capturing memory, that evidence is gone permanently. There is no second chance.

This is exactly why the very first instinct you learned in disk forensics โ€” "preserve, don't touch anything" โ€” actually reverses here. With a live, running system suspected of compromise, the correct order of operations is: capture memory first, power down second. Get that order backwards, and you lose evidence that can never be recovered by any other means.

From a single memory dump, Volatility can extract:

The Order of Volatility, Explained

Not all evidence disappears at the same speed. Forensic responders follow a ranked order, from most fragile to least, so nothing irreplaceable is lost while collecting something that would have survived anyway:

  1. CPU registers and cache โ€” gone within nanoseconds of any change, almost never captured in practice.
  2. RAM (main memory) โ€” gone the instant power is lost. Capture this before anything else touches the system.
  3. Network state โ€” active connections that could close or change at any moment.
  4. Running processes โ€” reflected in RAM, but worth confirming through live tools too.
  5. Disk data โ€” comparatively stable; this is what Units 1.3 and 1.4 focused on.

This ordering is why memory forensics gets its own unit, separate from disk forensics โ€” the two operate on completely different clocks.

Live vs. Dead Forensics

Dead forensics โ€” the approach from Units 1.3 and 1.4 โ€” examines a powered-off, imaged system. Nothing changes while you work, which is exactly why it's the safer default whenever it's an option.

Live forensics examines a system while it's still running, which is riskier โ€” every command you type on a live system potentially changes something โ€” but it's the only way to capture volatile evidence at all. This is why live forensics demands extreme discipline: use trusted, verified tools, document every single command you run, and capture memory before doing anything else.

Watch: Introduction to the Volatility Framework

This walks through installing Volatility and running your first commands against a memory dump โ€” pslist, netscan, and a few others you'll recognize from the notes above.

Introduction to Volatility Framework: Memory Forensics Made Easy

Practical Exercise 1 โ€” Think Like a First Responder

No memory dump needed for this one โ€” this is a decision-making drill, and it's one of the most important habits you'll build in this unit.

Scenario: you arrive at a workstation that's still logged in and appears to be running unfamiliar software quietly in the background. Your manager tells you to "shut it down immediately to stop the damage." What do you do, and why? Write your answer referencing what you now know about volatile evidence and the order of volatility.

Practical Exercise 2 โ€” List Live Processes Yourself

You can practice the underlying logic of Volatility's process listing right now, on a live system, using Cloud Shell:

ps aux

This lists every process currently running on that machine, similar in spirit to Volatility's pslist command against a memory dump. Pick two unfamiliar-looking processes from the output and write one sentence each guessing what they might do, based on their name โ€” this is exactly the instinct an investigator uses when scanning a real process list for something suspicious.

Self-Check โ€” Can You Answer These?

  1. Why does memory forensics reverse the "don't touch anything" instinct from disk forensics?
  2. Put these in correct order of volatility: disk data, RAM, network state, running processes.
  3. Name two things Volatility can extract from a memory dump.
  4. What is the key risk of performing live forensics compared to dead forensics?
  5. Why is capturing memory before powering down considered irreversible if done in the wrong order?

๐Ÿ’ก Remember: The instinct to "turn it off and unplug it" is usually wrong in an active incident. Capture memory before you kill power โ€” you only get one shot at volatile evidence.

๐Ÿ” UNIT 1.6

Network Forensics Basics

Network Traffic Analysis

By The End Of This Unit, You Will Be Able To:

Vocabulary first, as always.

Packet is the basic unit of data sent across a network. Every email, web page, and file transfer gets broken into many small packets before it ever leaves your device.

Packet Capture (PCAP) is a saved file containing raw network traffic, captured exactly as it crossed a specific point on a network.

Wireshark is the industry-standard free tool for capturing and analyzing network traffic, packet by packet, in enormous detail.

IP Address is the numeric address that identifies a device on a network โ€” similar, conceptually, to a postal address for data.

Port is a numbered "door" on a device that specific types of traffic use โ€” for example, web traffic typically uses port 443, and email uses others entirely. An IP address gets data to the right building; a port gets it to the right room.

Command-and-Control (C2) Traffic is network communication between a compromised device and an attacker's remote server, used to send stolen data out or receive new instructions.

Disk and memory forensics tell you what happened on a machine. Network forensics tells you what happened between machines โ€” which is very often exactly how an attacker got in, or exactly where stolen data ended up afterward.

When you open a PCAP file in Wireshark, you can see, packet by packet:

A single suspicious connection to an unfamiliar IP address, repeating at the exact same interval every few minutes, is very often the first fingerprint of a compromised machine quietly "phoning home" to an attacker. Learning to spot that pattern is one of the most practically useful skills in this entire module.

IP Addresses and Ports, Working Together

Every network connection is really described by four pieces of information at once: the sending IP and port, and the receiving IP and port. Investigators call this a socket pair. Knowing just an IP address tells you which machine was involved; knowing the port as well tells you what kind of conversation it was likely having โ€” a web request, an email transfer, a remote login attempt, and so on.

Some ports show up constantly in investigations, and it's worth recognizing them on sight:

Patterns That Should Raise an Eyebrow

Beaconing โ€” a device contacting the same external address at suspiciously regular intervals, often a sign of malware checking in with its controller.

Unusual data volume โ€” a workstation suddenly sending far more data out than it normally receives, which can indicate information being stolen.

Traffic to unfamiliar countries or providers โ€” not proof of anything on its own, but a reasonable trigger for closer inspection when combined with other signals.

None of these signs prove compromise by themselves โ€” context and corroboration always matter โ€” but recognizing the shape of suspicious traffic is exactly the instinct this unit is building.

Watch: Learn Wireshark in 10 Minutes

A fast, beginner-friendly walkthrough of the Wireshark interface โ€” filters, packet lists, and how to read a basic conversation between two devices.

Learn Wireshark in 10 Minutes - Wireshark Tutorial for Beginners

Practical Exercise 1 โ€” Read a Network Conversation

Since Wireshark itself needs a graphical desktop, we'll start with the underlying logic using Cloud Shell's built-in network tool:

curl -v https://example.com

Read through the verbose output carefully. Identify: which IP address your request connected to, what port was used, and what response came back. This is exactly the same question-and-answer structure Wireshark shows visually for every packet on a network โ€” here, you're just reading it in text form first, before you ever open the graphical tool.

Practical Exercise 2 โ€” Resolve a Domain to an IP Address

Every connection to a website actually starts with a DNS lookup, converting a name into an address. Try it yourself:

nslookup example.com

Note the IP address returned. Then imagine a scenario where a compromised device performs this exact same lookup, but for a domain nobody in the company recognizes, every five minutes, all day long. Write 2โ€“3 sentences explaining why this pattern alone would justify a closer investigation.

Self-Check โ€” Can You Answer These?

  1. What is the difference between what disk forensics reveals and what network forensics reveals?
  2. What is a socket pair, and what four pieces of information make it up?
  3. Name one port number and the type of traffic commonly associated with it.
  4. What is "beaconing," and why is it a common red flag in network forensics?
  5. Why is unencrypted traffic in a PCAP file particularly valuable โ€” and risky โ€” for investigators?

๐Ÿ’ก Remember: Attackers can hide files and even wipe logs, but the network conversation itself is much harder to erase after the fact. Traffic doesn't lie about where it went.

๐Ÿ” UNIT 1.7

Case Report Writing & Capstone Mini-Investigation

Case Report Writing

By The End Of This Unit, You Will Be Able To:

Final set of vocabulary for this module.

Forensic Report is the final written document presenting an investigator's findings clearly enough for a non-technical reader โ€” a judge, a manager, a jury โ€” to understand and trust without needing any background in technology.

Finding is a specific, evidence-backed fact discovered during analysis โ€” for example, "the file was created at 14:02 and its hash matches the original image exactly."

Methodology Section is the part of a report explaining precisely which tools and steps were used, in enough detail that another investigator could repeat the work and land on the same result.

Expert Witness โ€” a qualified investigator called to testify in court, explaining findings to a judge or jury and defending the methodology under cross-examination.

Chain of Reasoning โ€” the logical path from raw evidence to a stated conclusion, with no unstated assumptions or leaps a skeptical reader couldn't follow.

Here is a truth every experienced investigator learns eventually: all the technical skill in the world means nothing if you can't explain what you found. A brilliant discovery, written in jargon a judge cannot follow, is functionally useless in court โ€” it might as well not exist. Every professional forensic report follows roughly the same five-part structure:

  1. Case Summary โ€” what was requested, and why, in plain language.
  2. Evidence Log โ€” every item examined, with its hash values and full chain of custody attached.
  3. Methodology โ€” the tools and steps used, described in enough detail to be repeated by someone else.
  4. Findings โ€” what was actually discovered, stated as plain facts, never as opinions.
  5. Conclusion โ€” a clear, honest answer to the original question, including how confident that answer is.

Notice what's deliberately missing from that list: guesswork. A good forensic report never says "the suspect probably did X." Instead, it says "the evidence shows X occurred at this time, on this device, verified by this hash." That distinction โ€” fact versus opinion โ€” is exactly what makes a report defensible under cross-examination.

Writing Mistakes That Weaken a Strong Report

Overreaching language. "This proves the suspect is guilty" claims more than the evidence supports. "This is consistent with X, and inconsistent with Y" is more defensible and, honestly, more accurate.

Unexplained jargon. Terms like "MFT," "slack space," or "pslist" mean nothing to a judge unless you define them the first time you use them, in plain language.

Passive, vague phrasing. "It was found that..." hides who found it and how. "I examined the image using Autopsy version X and found..." is specific, attributable, and repeatable.

Missing timestamps. Every finding needs an exact date and time attached โ€” "recently" or "shortly after" invites doubt that a specific timestamp closes off entirely.

A Word on Testifying as an Expert Witness

If a case goes to trial, the investigator who wrote the report is often the one who has to defend it out loud, under cross-examination, in front of a judge or jury. This is where sloppy shortcuts from earlier in the process resurface publicly โ€” a skipped hash check, an undocumented gap in custody, a guess dressed up as a finding. Everything you documented carefully in Units 1.1 through 1.6 exists precisely to make this moment survivable. An investigator who can calmly say "here is my log, here is my hash, here is exactly what I did and why" rarely loses credibility on the stand โ€” not because they're clever in the moment, but because they did the work correctly, months earlier, without cutting corners.

Watch: Report Writing and Presentation

This closing lecture ties together everything from the module โ€” how a formal digital forensics report should actually be structured and worded before it ever reaches a courtroom or a client.

Digital Forensics: Report Writing and Presentation

Capstone Mini-Investigation

Using everything from Units 1.1โ€“1.6, complete this end-to-end mini-case on your phone:

Capstone Self-Assessment Checklist

Before considering your capstone complete, confirm each of these honestly:

Self-Check โ€” Can You Answer These?

  1. List the five parts of a professional forensic report in order.
  2. Give an example of an overreaching claim, and rewrite it as a defensible finding.
  3. Why does an expert witness's credibility depend on work done long before the courtroom?
  4. What is the difference between a "finding" and an "opinion" in a forensic report?
  5. Why should every timestamp in a report be exact, rather than approximate?

๐Ÿ’ก Remember: A forensic investigator's real product is never the discovery itself โ€” it's the report someone else can trust and act on. Write for the reader who knows nothing, not the expert who already knows everything.