CoursesDetection engineeringCloud DFIR & forensics

Evidence acquisition

Snapshots, memory, integrity, chain of custody.

Expert35 min · lesson 11 of 15

Evidence acquisition is the technical heart of DFIR — getting a complete, trustworthy copy of what happened without altering it. In the cloud, the primitives are snapshots, memory capture, and the log trail, each with its own handling.

Disk, memory, and logs

Disk evidence in the cloud is acquired by snapshotting the volume — a point-in-time copy you can attach to an isolated analysis instance and examine without touching the original. Memory is more volatile and more valuable for active intrusions (it holds injected code, decrypted secrets, and network state), but must be captured from the running instance before termination, using an agent or the platform’s capabilities. Logs — the audit trail, flow logs, application logs — are the most durable evidence if you shipped them to immutable central storage beforehand, and they often tell the clearest story of what an identity did. Acquire in order of volatility, and never analyze the only copy.

acquire without altering the original
# Snapshot the disk (immutable point-in-time copy), then analyze a COPY:
aws ec2 create-snapshot --volume-id vol-0abc --description "IR-8891 evidence"
# → create a volume from the snapshot, attach to an ISOLATED analysis instance.
# Never mount/modify the original volume; work on the copy.
# Memory (if an agent/capability exists): dump BEFORE terminating.
# Logs: pull from the central immutable store (already tamper-evident).
# Hash each artifact on acquisition to prove it was not altered afterward.

Integrity and timeline

Two disciplines make evidence trustworthy. Integrity: hash each artifact at acquisition and preserve the original untouched, working only on copies, so you can prove nothing was altered — this is what chain of custody documents. Timeline: correlate events from disk, memory, and logs into a single chronological narrative (a "super timeline") that reconstructs the intrusion end to end — initial access, escalation, persistence, lateral movement, impact. The timeline is what turns scattered artifacts into understanding, and it directly feeds detection engineering: each step in the reconstructed attack is a technique you should now be able to detect automatically. Forensics and detection close the loop.

Evidence acquisition and analysis
1snapshot disk / dump memory
order of volatility
2hash + preserve original
work only on copies
3analyze on isolated instance
do not touch production
4build timeline
reconstruct the intrusion
Capture the volatile first, prove integrity by hashing, analyze copies, and reconstruct a timeline — which becomes new detections.
Analyzing the original destroys the evidence
Mounting, modifying, or rebooting the original disk or instance alters the very evidence you are trying to preserve and can invalidate the investigation. Always snapshot and hash first, keep the original untouched, and perform analysis on an isolated copy — the first rule of forensic acquisition is do no harm to the original.