UNIT 4

Evidence Management
Evidence
Evidence refers to any digital data that can be used to support or refute an
investigation, particularly in legal contexts. The goal is to identify, preserve, analyze,
and present digital evidence in a manner that is admissible in a court of law.
Characteristics of Good Digital Evidence
For evidence to be useful in an investigation or court, it must meet the ACPO
(Association of Chief Police Officers) or Daubert standards depending on the
jurisdiction:
1. Admissible – Must be legally obtained and relevant
2. Authentic – Must be provably what it claims to be
3. Complete – Should present the whole story
4. Reliable – Should be collected and analyzed using tested methods
5. Believable – Should be clearly explained and defensible in court
Sources of Digital Evidence
1. File systems: Deleted files, file timestamps (MAC times)
2. Registry entries: User preferences, installed software
3. Event logs: Login attempts, software crashes, security incidents
4. Browser history & cookies: User activity
5. RAM dumps: Volatile data like passwords, open connections
6. Metadata: Hidden details in documents and media
Legal Considerations
• Chain of Custody: A documented history of who handled the evidence, when,
and how.
 • Search Warrants: Required for legal access to systems in most cases.
• Privacy Laws: Handling of personal or sensitive data must comply with laws
like GDPR, HIPAA.
Types of Digital Evidence
a. Computer-Based Evidence
• Stored on hard drives, SSDs, USB drives
• Includes emails, documents, internet history, logs, application data
b. Network-Based Evidence
• Packet captures (PCAP files)
• Firewall, router, or switch logs
• IDS/IPS alerts
• VPN and proxy logs
c. Mobile Device Evidence
• Call logs, SMS, GPS data
• App data (e.g., WhatsApp, Telegram)
• Photos, browsing history, etc.
d. Cloud-Based Evidence
• Stored on services like Google Drive, Dropbox, AWS
• Includes shared documents, activity logs, access records
e. IoT and Embedded Systems
• Smart cameras, sensors, vehicles
• Log files, firmware data, usage patterns
Physical evidence

Physical evidence includes any hardware devices, printed materials, or physical

artifacts that may help prove the involvement of a suspect in a cyber incident or
support digital evidence in a forensic investigation.
Importance of Physical Evidence
• Corroborates Digital Evidence: Helps link a device or suspect to specific
actions
• Establishes Possession/Intent: Proves access to tools, plans, or devices
• Supports Timeline Reconstruction: Logs and timestamps from physical
systems (e.g., printers, CCTV)

Type of Evidence Examples Purpose

Hardware PC, router, phone Source of digital data

Storage Media USB, SD card Hidden/stolen data

Printed Notes Passwords, plans Show intent or access

Peripherals Printer, keyboard Cache/logs, keyloggers

Cameras, smart
IoT Devices Behavioral logs
locks

Malware-injected Evidence of physical access or

Tampered Hardware
USB sabotage

Collection and Preservation of Physical Evidence

• Secure the Scene: Isolate the area to avoid tampering
• Document Everything: Photograph devices and their connections before
disconnection
• Use Anti-Static Bags: Prevent damage to components
 • Label and Log: Assign identifiers to maintain chain of custody
• Avoid Powering On: If the device is off, do not turn it on without forensic
precautions
Tools for Physical Evidence Handling
• Forensic Toolkits: Contain gloves, evidence bags, tags, tamper-proof seals
• Write Blockers: Prevent modification of storage devices during acquisition

Real evidence

Real evidence, also called physical or tangible evidence, refers to objects or

materials that are directly involved in a cybercrime or security incident and can be
physically presented in court. In cybersecurity, real evidence bridges the gap
between digital activity and physical proof of involvement, tools used, or outcomes
of cybercrime.

Circumstantial evidence

Circumstantial evidence refers to indirect evidence that suggests a fact or a

conclusion but does not directly prove it. In cybersecurity, this type of evidence is
used to infer involvement or intent based on digital traces or patterns of behavior.
It requires reasoning or inference to connect the dots, unlike direct or real evidence
which is self-explanatory.
Characteristics of Circumstantial Evidence:
• Indirect – It does not directly prove the crime but supports a conclusion.
• Logical Inference – Requires reasoning to link the suspect to the incident.
• Supports the Case – Often used alongside direct or real evidence.
• Legal Value – Acceptable in court if the inference is strong and logical.

Examples in Cybersecurity:
 Type Example
Suspect’s account accessed a compromised system at the time
Login Records
of attack.
Browsing
Suspect visited hacking forums or tutorials before the incident.
History
Email Traces Sent phishing emails from an account linked to the suspect.
System Time
System activity aligns with the timing of a known attack.
Logs
Location Data Device was near the targeted system during the breach.
Stolen documents have fingerprints of the suspect's software or
File Metadata
username.

Network Evidence
Network evidence refers to digital traces collected from the communication between
computers, servers, and devices over a network. In cybersecurity investigations,
analyzing this evidence helps track suspicious activities like unauthorized access,
data exfiltration, malware communication, and denial-of-service attacks. Unlike
static data from a hard drive, network evidence is often volatile—meaning it can
disappear quickly unless captured in real-time.
Network evidence comes from various components of an IT infrastructure. Some
common sources include:

Source Description Importance

Packet Captures Raw data packets captured Provides low-level details like
(PCAP) on the network IPs, ports, protocols

Records of allowed and Shows incoming/outgoing

Firewall Logs
blocked traffic traffic patterns

Router/Switch Track routing and device

Helps in tracing traffic flow
Logs communication

Intrusion Detects known attack

IDS/IPS Alerts
detection/prevention systems signatures
 Source Description Importance

Summarized network traffic Useful for identifying

NetFlow Data
info anomalies in large networks

Tracks web requests via Reveals website access and

Proxy Server Logs
proxy potential tunneling

Key Elements in Network Evidence

When analyzing network traffic, investigators look for key attributes:
• IP addresses – Who is talking to whom
• Ports and protocols – What services were used (e.g., HTTP, FTP, SSH)
• Time stamps – When the communication occurred
• Payloads – What data was transmitted (sometimes encrypted)
• Connection attempts – Unsuccessful logins or scans indicate probing behavior
Importance of Network Evidence
• Incident Detection – Suspicious behavior (e.g., beaconing to C2 servers) can
signal malware.
• Timeline Creation – Time-stamped logs help build a clear sequence of events.
• Attribution – Identifying internal or external IPs can point to potential
attackers.
• Legal Proof – Logs and captures can be presented in court as circumstantial
or direct evidence.
Network evidence is a critical part of cyber forensic investigations, especially when
attackers leave minimal traces on host machines. By capturing and analyzing traffic
data, cybersecurity professionals can detect intrusions, prevent future attacks, and
build strong cases for legal action.
Evidence Collection
Evidence collection is a fundamental step in cybersecurity and digital forensics. It
involves identifying, preserving, acquiring, and documenting digital evidence from
systems, networks, and devices that may be involved in a cybercrime or security
incident.
The goal is to collect legally admissible, reliable, and authentic evidence without
altering or damaging the original data. Proper evidence collection ensures that
security incidents can be investigated, mitigated, and prosecuted if necessary.
Principles of Evidence Collection
1. Integrity – Ensure that the evidence is not modified during collection.
2. Preservation – Secure the scene and devices to prevent loss or contamination.
3. Authentication – Verify that the evidence is what it claims to be.
4. Documentation – Maintain a clear record of every action taken.
5. Chain of Custody – Track who handled the evidence, when, where, and why.

Types of Evidence to Collect

Type of Evidence Examples

Digital Evidence Hard drives, SSDs, USBs, cloud storage

Network Evidence Firewall logs, packet captures, NetFlow data

Volatile Data RAM contents, running processes, open ports

System Logs Event logs, application logs, authentication attempts

Physical Evidence Devices, handwritten notes, removable media

Steps in Evidence Collection

1. Identification
• Determine which systems, accounts, or devices are involved.
 • Identify potential sources of digital evidence (files, logs, network traffic).
2. Preservation
• Isolate the system to prevent remote access.
• Take photographs or videos of the setup.
• Avoid powering off systems unless necessary (especially for volatile data).
3. Acquisition
• Use forensic tools (e.g., FTK Imager, EnCase, dd) to make bit-by-bit copies
of drives.
• Capture RAM dumps using tools like DumpIt or Volatility.
• Log and export data from firewalls, routers, and IDS/IPS systems.
4. Documentation
• Record all actions: who performed them, when, and how.
• Include device serial numbers, timestamps, and location of collection.
• Create a chain of custody form to prove the evidence has not been tampered
with.
5. Analysis (Post-Collection)
• Conduct forensic analysis on cloned copies, never the original.
• Use tools like Autopsy, Sleuth Kit, Wireshark, and forensic suites to analyze
the data.

Tools Used in Evidence Collection

Tool Purpose
FTK Imager Create forensic images of drives
Wireshark Capture and analyze network traffic
Volatility Analyze memory dumps (RAM)
EnCase Full forensic investigation suite
Write Blockers Prevent modification of original data
Evidence Analysis
Evidence analysis is a critical stage in the cyber forensic process, where the digital
evidence collected from various sources is examined to reconstruct events, identify
culprits, and understand the scope of an incident. Once evidence is properly acquired
and preserved, it must be analyzed using specialized tools and techniques to extract
meaningful insights. The primary goal of evidence analysis is to answer key
questions such as what happened, how it happened, when it occurred, who was
involved, and whether data was altered, stolen, or deleted. This process requires not
only technical knowledge but also a logical and methodical approach, as the results
may be used in legal or disciplinary proceedings.
The analysis process begins by working on copies or forensic images of the original
evidence to ensure that the integrity of the original data is maintained. Investigators
use a range of tools, such as Autopsy, The Sleuth Kit, EnCase, and Volatility, to
analyze files, system logs, memory dumps, and network captures. One of the first
steps often includes verifying the file system for hidden or deleted files, checking
timestamps, analyzing registry entries (in Windows systems), and looking into
browser histories or application logs. This helps in building a timeline of user or
attacker activity.
Another vital aspect of evidence analysis is correlation of data from multiple
sources. For example, matching firewall logs with system access logs can reveal a
pattern of unauthorized access attempts. Network evidence such as packet captures
(PCAP files) can show data exfiltration attempts or communication with known
malicious IP addresses. If malware is suspected, the forensic team may reverse-
engineer executable files to understand their behavior, including persistence
mechanisms or payloads. Similarly, analysis of memory dumps can reveal currently
running processes, open connections, encryption keys, or traces of volatile data that
would otherwise be lost after a system reboot.
During the analysis, investigators also look for indicators of compromise (IOCs),
such as unusual login times, suspicious IP addresses, altered system files, and
anomalies in log files. These indicators help determine whether a system has been
compromised and how deeply. All findings must be meticulously documented, with
clear references to the original evidence, timestamps, and analytical steps taken. This
ensures that the analysis is reproducible and defensible in court if needed.
Finally, the analysis results are compiled into a forensic report, which includes a
summary of findings, evidence mapping, timeline reconstruction, and conclusions
or recommendations for remediation. This report may be presented to stakeholders,
management, or legal authorities, depending on the case. Overall, evidence analysis
is where technical skill meets investigative intuition, and it plays a pivotal role in
uncovering the truth behind digital incidents.

Contextual Information
In cybersecurity and digital forensics, contextual information refers to the
background data that surrounds and gives meaning to digital evidence. While raw
evidence (like log files or a packet capture) provides technical details, it is often not
meaningful without context. Understanding when, where, how, and under what
circumstances the data was generated is essential for drawing accurate conclusions.
For example, a login from a foreign IP address may appear suspicious on its own.
However, if an employee was traveling or using a corporate VPN, that activity might
be completely legitimate. Without proper context, investigators risk making
incorrect assumptions or missing key connections.
Importance of Contextual Information
Contextual information enhances evidence by providing:
• Relevance: Helps decide whether a piece of evidence is important.
• Interpretation: Aids in understanding behavior and intent.
• Correlation: Supports linking different pieces of evidence across sources.
• Credibility: Improves the reliability of the investigative conclusions.

Types of Contextual Information

Type Description Example

Info about user roles, habits, Was the user authorized? Is this
User context
location typical activity?
System settings, configurations, Was the system properly updated or
System context
time zones misconfigured?
What was happening before/after a
Temporal context Time and sequence of events
security alert?
 Type Description Example
Environmental Network layout, business Was the company under a known
context operations, holidays threat?
Has this IP or user done something
Historical context Past incidents or behavior
similar before?

Role in Investigation and Analysis

Contextual information is gathered during the evidence collection and analysis
phases. Investigators use it to:
• Validate or refute a hypothesis.
• Link suspicious behavior to legitimate or rogue users.
• Identify insider threats by comparing actions to user access levels.
• Clarify anomalies, such as scheduled tasks running after hours.
For example, an unusual file download at midnight could look suspicious. However,
if contextual data shows it was a backup script run by an automated process, the
incident may be benign.
How to Collect Contextual Information
• Interview users and system administrators.
• Review system documentation, policies, and procedures.
• Examine configuration files, time settings, and access controls.
• Correlate with logs from multiple systems (e.g., firewalls, authentication
servers).
• Use threat intelligence to provide broader environmental context (e.g., known
attack campaigns).

Evidence Management
Evidence management in cybersecurity and digital forensics refers to the systematic
handling of digital evidence from the moment it is identified until it is presented in
court or archived. It ensures that the integrity, authenticity, confidentiality, and
admissibility of the evidence are maintained throughout the investigation process.
Proper evidence management is critical because mishandling or failing to document
the evidence properly can result in the evidence being ruled inadmissible or
unreliable.
Key Components of Evidence Management
1. Identification
o The first step is to recognize potential sources of evidence such as hard
drives, log files, memory dumps, or mobile devices.
o Analysts must carefully determine what data is relevant to the case.
2. Preservation
o The evidence must be preserved in its original state.
o Devices may be powered down carefully or isolated from the network
to prevent tampering.
o Use of write blockers ensures that storage devices are not modified
during access.
3. Collection
o Data is collected using forensic tools that create bit-by-bit images of
storage media.
o Volatile data (RAM, open connections) must be captured before
shutdown.
o Collection must be carried out in a forensically sound manner using
tools like FTK Imager, EnCase, or dd.
4. Documentation
o Every action taken with the evidence must be recorded.
o Information includes timestamps, methods used, individuals involved,
and equipment used.
o This documentation helps maintain transparency and
reproducibility.
 5. Chain of Custody
o A chain of custody log is maintained to track the evidence.
o It records who had access to the evidence, when, and for what purpose.
o Ensures accountability and defends against tampering claims in legal
contexts.
6. Storage
o Evidence should be stored securely, both physically and digitally.
o Access must be restricted to authorized personnel only.
o Digital evidence may be encrypted or stored in tamper-proof systems.
7. Analysis and Reporting
o Analysis is done on duplicate copies, never on the original data.
o Results are recorded and included in the final forensic report.
8. Presentation or Archiving
o If the case goes to court, evidence may be presented with supporting
documentation and expert testimony.
o After the case, evidence may be archived securely or returned to the
owner based on legal requirements.
Effective evidence management is vital for successful cybersecurity investigations.
From collection to courtroom, the evidence must be handled with care, transparency,
and professionalism. Well-managed evidence not only strengthens legal cases but
also improves organizational security response and resilience.

Pre-Search Activities
In digital forensics, pre-search activities are preparatory steps taken before the actual
search and seizure of digital evidence begins. These activities are crucial to ensure
that the investigation is conducted legally, ethically, and efficiently. They help
forensic investigators define the scope of the operation, minimize errors, and
preserve the integrity of the evidence. A well-structured pre-search plan not only
increases the chances of successful evidence recovery but also ensures that the
results are admissible in court.
Key Pre-Search Activities
1. Legal Authorization
• Investigators must secure search warrants, consent forms, or other legal
documents before searching devices.
• Ensures that the search complies with privacy laws and regulations.
• Helps protect investigators from legal consequences and ensures evidence is
admissible in court.
2. Case Briefing
• Review all available case information and understand the context.
• Identify the nature of the suspected activity (e.g., fraud, malware, insider
threat).
• Define what types of digital evidence are expected (emails, logs, documents,
etc.).
3. Reconnaissance and Site Assessment
• Gather information about the target environment (number and type of devices,
operating systems, network setup).
• Check for potential issues like hidden devices, cloud storage, or remote access
risks.
• Consider physical security, personnel on-site, and whether the suspect is
aware of the investigation.
4. Planning the Search Strategy
• Decide whether the search will be overt (with knowledge) or covert (without
suspect awareness).
• Determine the order of seizure: prioritize volatile evidence (RAM, running
processes).
 • Prepare for possible resistance, data encryption, or sabotage.
5. Team Formation and Role Assignment
• Assemble a team with the right expertise: forensic analysts, legal advisors, IT
specialists, and law enforcement.
• Assign specific roles such as device seizer, evidence logger, photographer, or
interviewer.
6. Tool Preparation
• Ensure that all forensic tools (write blockers, imaging tools, cameras, laptops)
are functional and validated.
• Carry extra storage devices, evidence bags, and documentation forms.
Pre-search activities lay the foundation for a legally sound and technically effective
digital forensic investigation. By planning thoroughly and addressing all legal,
technical, and operational considerations, investigators increase the chances of
collecting strong and admissible evidence without compromising the investigation
or individual rights.

On-Scene Activities
On-scene activities are among the most critical phases in any cybersecurity or digital
forensic investigation. These are the tasks carried out at the location where the
suspected digital crime or incident has occurred, such as a home, office, data center,
or even a cloud-connected endpoint. The primary objective during this stage is to
identify, preserve, collect, and document digital evidence in a way that maintains its
integrity and ensures it will be admissible in a court of law.
The process typically begins with securing the scene. Investigators must ensure that
unauthorized individuals do not have access to the affected systems or devices to
prevent any alteration, deletion, or destruction of evidence. If the suspect is present,
care must be taken to isolate their access to any connected networks or systems to
avoid remote tampering. Once the scene is secure, a systematic assessment is
performed to identify all digital devices and potential evidence sources. These could
include desktop computers, laptops, mobile phones, tablets, USB drives, external
hard disks, networking equipment, or surveillance systems.
A crucial step during on-scene activities is the collection of volatile data. Volatile
data refers to information stored in temporary memory locations, such as RAM,
active network connections, open ports, running processes, and currently logged-in
users. This data can be lost if the system is powered down or restarted. Therefore,
investigators must use live forensic tools to extract this information before shutting
down the device. Tools like FTK Imager, Volatility, or Belkasoft Live RAM Capturer
are often employed for this purpose.
After volatile data is secured, the focus shifts to non-volatile evidence collection.
Investigators create bit-by-bit forensic images of storage media like hard drives,
USB sticks, and SD cards using write blockers to prevent any modification. Every
item collected is carefully labeled, placed in evidence bags, and tagged with unique
identifiers, time stamps, and descriptive details. Equally important is the
documentation process, which includes taking photographs of the devices and their
locations, sketching layouts, and recording detailed notes of actions taken.
Maintaining a chain of custody log is essential to track who has handled the evidence
at each stage, ensuring transparency and accountability.
In some cases, investigators may also conduct preliminary interviews with
individuals present at the scene. These conversations can offer valuable context
regarding user activity, access rights, and system configurations. All interviews and
observations should be documented thoroughly, as they may provide leads for deeper
analysis later.

Report Preparation
Report preparation is one of the most essential phases in any digital forensic
investigation. It is the final step where all findings, observations, analyses, and
conclusions are formally documented in a structured and professional manner. A
well-prepared report not only serves as a record of the investigation but also plays a
vital role in legal proceedings, as it may be presented in court as evidence or used to
support expert testimony. The quality and clarity of the forensic report directly
impact how effectively the case can be communicated to stakeholders such as legal
teams, law enforcement officers, or organizational decision-makers.
The forensic report begins with a clear introduction and case overview, where the
purpose of the investigation is stated along with details about the incident, date,
location, and the entities involved. This section should set the context for the reader
and explain the scope of the investigation. Following the overview, the report
typically includes a methodology section, which outlines the procedures, tools, and
techniques used during the investigation. This part is crucial as it assures readers that
the investigation was conducted using accepted forensic standards and best
practices, maintaining objectivity and reproducibility.
Next comes the evidence documentation section, where every item examined is
described in detail. This includes information about the device type, serial number,
condition, and the exact location from which it was collected. Each piece of evidence
should be linked to its respective acquisition and analysis steps. Screenshots, logs,
timestamps, and cryptographic hash values are often included to validate the
authenticity and integrity of the data. The analysis section follows, where
investigators present their findings based on the evidence examined. This could
include user activity, deleted files, log entries, malware artifacts, network traces, or
timeline reconstruction. Any patterns or indicators of compromise must be clearly
explained with supporting evidence.
Importantly, the report should present findings in a logical, unbiased, and jargon-
free manner, especially when the audience includes non-technical readers such as
legal personnel or executives. Visual aids like charts, timelines, and tables can be
added to improve comprehension. The conclusion section summarizes the key
findings, answers specific investigation questions, and provides interpretations or
implications. If applicable, recommendations for remediation, further investigation,
or system hardening may also be included.
Finally, the report should contain appendices with additional details such as full logs,
tool configurations, and chain of custody forms. It must be reviewed for accuracy,
grammatical clarity, and compliance with legal and organizational standards before
submission. Confidentiality and privacy of the parties involved should be maintained
throughout.