Intake, Scoping and Evidence Preservation

Every cybercrime investigation begins with a complaint or a referral. The complaint may come from an individual victim, a corporate security team, an automated alerting system, or another law-enforcement agency. Before any technical collection begins, the investigator must assess the complaint against a triage framework to determine two things: how urgent is the response, and what immediate evidence-preservation steps are required right now, before the investigation is formally scoped.

A practical triage framework scores four factors. First, is the attack ongoing? An active intrusion or live ransomware encryption requires an immediate response because evidence is being generated and possibly destroyed in real time. Second, what is the harm category? Financial fraud with active transactions, child exploitation material, attacks on critical infrastructure, and attacks on emergency services all receive elevated priority. Third, which evidence types are at risk? If the complaint involves a cloud account or an ISP log with a short retention window, the clock for a preservation order started the moment the incident occurred. Fourth, what is the scale of affected systems? A single-user compromise can usually wait for proper planning; a compromise spanning hundreds of machines in an organisation cannot.

Triage also defines the initial scope: which systems, accounts, and network segments are believed to be involved. Scope is never final at the intake stage, and the investigation will expand or contract as evidence is gathered, but a documented initial scope prevents both over-reach, collecting material with no connection to the offence, and under-reach, missing compromised systems that are still live.

A large proportion of cybercrime evidence sits with third parties: ISPs hold connection logs; cloud providers hold account activity, email, and file storage; social media platforms hold messages and metadata; financial institutions hold transaction records. Third parties delete this data routinely. An investigator who waits until a full warrant is ready before contacting a provider may find that the critical log file was overwritten 48 hours ago.

The preservation request tells the provider to freeze a specific account or dataset; it does not give the investigator access to the content. That access requires a separate warrant, court order, or mutual legal assistance treaty (MLAT) request when the provider is in a different jurisdiction. This two-step process, preserve first, then obtain access, is standard practice. It means the data still exists by the time the warrant arrives, even if the warrant takes weeks to obtain.

When a victim system is still running, the investigator faces a structured choice: capture volatile data first, or image the disk first. The answer is always volatile data first, because disk content can be recovered from a powered-off machine but RAM content cannot. The sequence below is the standard order, based on the principle that the most perishable evidence must be collected earliest. Deviating from this order without a documented reason is a procedural error that may be challenged in court.

• System time and date: Record the system clock and compare it to a known accurate time source. Clock skew affects the interpretation of every other timestamp in the investigation.
• Logged-in users: Who is currently authenticated on the system. This may reveal an active attacker session or an account used by the attacker.
• Running processes: A process list (with PIDs, parent PIDs, and command-line arguments) documents what is executing at the moment of collection. Malware often runs as a process that disappears after reboot.
• Open network connections: Active TCP/UDP connections and listening ports. An established connection to an unfamiliar external IP is a high-value finding that disappears when the session closes.
• RAM dump: A full physical memory image. Contains running process memory, decryption keys for encrypted volumes, cached credentials, and network packet fragments. Requires forensic memory acquisition tools and takes several minutes on a large machine.
• Disk image: Acquired last, after all volatile data is captured. Use a write blocker on removable media; for on-site live imaging, use a forensic imaging tool that opens the disk in read-only mode.

Each step must be documented as it is performed: the tool used, the command run, the time, and the outcome. If a step fails, for example the RAM dump tool crashes, that failure is recorded too. Silences in the documentation are interpreted as gaps in custody.

The choice between live and dead-box acquisition is not merely a preference; it is often dictated by the evidence situation. The critical factor is full-disk encryption. If the victim system uses full-disk encryption such as BitLocker on Windows, FileVault on macOS, or LUKS on Linux, and the decryption key is held in memory, then powering off the machine before imaging means the disk is unreadable. In that case, live acquisition of the decrypted disk while the system is running is the only viable path to content. Shutting down first means the encrypted disk is acquired but cannot be read.

Live acquisition tools write a small footprint to the target system's RAM and page file because the tool itself must execute. This is unavoidable and is documented in the acquisition notes. Modern forensic practice accepts this as necessary and requires only that it is recorded. The alternative, doing nothing to preserve volatile data, is always worse than the small contamination introduced by a legitimate forensic tool.

Chain of custody is not a form filled in after the investigation; it is a continuous log that begins with the first contact. The moment a complaint is received, the investigator records the date and time, the identity of the complainant, the method of contact, and the substance of what was reported. From that point forward, every action taken in relation to the evidence must be logged: who did it, when, using what tools, and with what outcome.

For each piece of acquired data, a cryptographic hash is generated immediately after acquisition. SHA-256 is the current standard; MD5 was widely used but is now considered insufficient for new acquisitions because of known collision vulnerabilities. The hash is recorded alongside the acquisition entry in the custody log. At every subsequent handling event, including transfer to another investigator, submission to a lab, or production for court, the hash is recomputed and compared. A hash mismatch after transfer is proof that the data changed in transit. A hash that matches through every step is proof that the data has not been altered.

The Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872) governs the admissibility of electronic records in Indian courts, requiring that electronic evidence be accompanied by a certificate under Section 63 specifying the device, the manner of production, and the person responsible. The US Federal Rules of Evidence Rule 901(b)(9) requires authentication by evidence that a process was applied correctly. The UK's Police and Criminal Evidence Act 1984 Codes of Practice set documentation requirements for seized material. All of these frameworks converge on the same practical requirement: a contemporaneous, complete written record.

Scope defines what the investigator is authorised to examine and what the investigation is trying to establish. Scope is set at intake and updated as evidence is gathered. An overly narrow scope misses related compromised systems; an overly broad scope raises legal and privacy concerns and wastes resources. The initial scope is derived from the triage assessment and the legal authorisation in hand: a search warrant for one device does not authorise examination of a second device found at the same location unless the warrant is extended.

In a corporate cybercrime case, scope is often negotiated between the investigator and the organisation's legal counsel. The organisation may be concerned about examining employee devices for privacy reasons, or about the investigation uncovering unrelated matters. These tensions are managed by defining the scope in the letter of engagement or the search authority and updating it formally when the investigation expands. Informal scope expansion, looking at additional systems or accounts without updating the legal basis, creates admissibility risks for any evidence found.

The attack lifecycle concept is directly relevant to scoping. An attacker who entered through a phishing email, moved laterally across several machines, and exfiltrated data through a cloud storage account has touched at least three distinct evidence locations. An investigation scoped only to the initial point of entry will not recover the exfiltration evidence. Investigators should review the known attack lifecycle phases when setting scope, because attackers rarely confine themselves to one system.