Evidence acquisition
Snapshots, memory, integrity, chain of custody.
Evidence acquisition is the technical heart of DFIR — getting a complete, trustworthy copy of what happened without altering it. In the cloud, the primitives are snapshots, memory capture, and the log trail, each with its own handling.
Disk, memory, and logs
Disk evidence in the cloud is acquired by snapshotting the volume — a point-in-time copy you can attach to an isolated analysis instance and examine without touching the original. Memory is more volatile and more valuable for active intrusions (it holds injected code, decrypted secrets, and network state), but must be captured from the running instance before termination, using an agent or the platform’s capabilities. Logs — the audit trail, flow logs, application logs — are the most durable evidence if you shipped them to immutable central storage beforehand, and they often tell the clearest story of what an identity did. Acquire in order of volatility, and never analyze the only copy.
# Snapshot the disk (immutable point-in-time copy), then analyze a COPY:aws ec2 create-snapshot --volume-id vol-0abc --description "IR-8891 evidence"# → create a volume from the snapshot, attach to an ISOLATED analysis instance.# Never mount/modify the original volume; work on the copy.# Memory (if an agent/capability exists): dump BEFORE terminating.# Logs: pull from the central immutable store (already tamper-evident).# Hash each artifact on acquisition to prove it was not altered afterward.
Integrity and timeline
Two disciplines make evidence trustworthy. Integrity: hash each artifact at acquisition and preserve the original untouched, working only on copies, so you can prove nothing was altered — this is what chain of custody documents. Timeline: correlate events from disk, memory, and logs into a single chronological narrative (a "super timeline") that reconstructs the intrusion end to end — initial access, escalation, persistence, lateral movement, impact. The timeline is what turns scattered artifacts into understanding, and it directly feeds detection engineering: each step in the reconstructed attack is a technique you should now be able to detect automatically. Forensics and detection close the loop.