Evidence Preservation During Containment

RFC 3227, published by the IETF in 2002, formalised the concept of an order of volatility for digital evidence. The principle is simple: collect the most transient data first, because it will be lost before more stable data is processed. What matters in practice is applying this sequence in a containment scenario where there is time pressure and where some collection steps must happen before any containment action alters the system state.

The practical decision point is when to cut network access. Isolating a host from the network is usually the first containment action, but it terminates active connections and may end attacker activity that was still producing observable evidence. A brief capture window, typically using a packet capture tool already running or one deployed rapidly from a forensic toolkit, can record the last minutes of network activity before isolation. The decision to delay isolation by even a few minutes must be made by the incident commander, documented with a timestamp and the reason, and coordinated with the legal team if exfiltration is ongoing.

A write-blocker sits between the source storage device and the forensic workstation. When the operating system or imaging tool sends a read command, the write-blocker passes it through. When a write command is issued, whether intentionally or as a side effect of the operating system mounting the volume, the write-blocker intercepts and discards it. The source medium is never modified.

Hardware write-blockers are physical devices that connect between the drive and the workstation, typically via a bridge interface such as USB, SATA, or SAS. Common examples include the Tableau series (now part of Opentext Forensics) and the WiebeTech UltraDock. Hardware write-blockers are preferred in legal proceedings because their operation is independent of the host operating system: a software misconfiguration or driver issue on the forensic workstation cannot bypass them. Their use is well-established in US federal courts, UK Crown Court proceedings, and comparable judicial systems in EU member states.

Software write-blockers implement the same protection through kernel-level drivers or registry settings. On Windows, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect registry value can be set to 1 to block writes to removable storage. On Linux, the 'blockdev --setro' command marks a device read-only. Software write-blockers are faster to deploy and cheaper, but they depend on the operating system layer and can be bypassed by a privilege escalation or a kernel vulnerability. They are acceptable for internal investigations but scrutinised more closely in adversarial legal proceedings.

A forensic image is a bit-for-bit copy of an entire storage medium, not just the files visible to the operating system. It includes allocated space, unallocated space, slack space, and any sectors the file system considers deleted. This completeness is essential because deleted files, partial file fragments, and artefacts written to slack space are frequently relevant evidence that a file-level copy would miss.

The standard imaging tools in professional practice are dcfldd and dc3dd on Linux (command-line, suitable for scripted pipelines), FTK Imager (Windows GUI, widely used in law enforcement), and EnCase Forensic. Each tool produces a forensic image in one of the common container formats: raw (dd), EnCase Evidence File (E01), or Advanced Forensic Format (AFF4). E01 is most widely accepted in legal proceedings across the US, UK, Australia, and much of Europe because its internal segment headers include checksums and the format is well-documented. AFF4 is the modern open-standard alternative and is increasingly accepted.

The acquisition process follows a fixed sequence. First, document the physical state of the device: serial number, model, visible damage, and the interfaces present. Second, connect the device through the write-blocker. Third, compute a hash of the source before imaging begins. Fourth, run the imaging tool and record its command or settings. Fifth, compute a hash of the resulting image. The source hash and image hash must match; if they do not, the imaging process introduced an error or the tool is unreliable. Both hashes are recorded in the case notes and signed by the investigator. This is the baseline verification that the image is forensically sound.

Chain of custody is the paper trail that answers one question: at every point between initial collection and presentation in court, who had this evidence, and what did they do with it? The chain must be unbroken. Every transfer of physical or logical custody requires a dated entry recording the transferring party, the receiving party, the reason for transfer, and the condition of the evidence at transfer. Where a physical item is involved, a tamper-evident seal is applied after acquisition and its serial number is recorded; any subsequent opening of the seal is documented.

A chain-of-custody form typically records: unique evidence identifier (case number plus item number), description of the item, date and time of collection, location of collection, name and role of the collecting officer, hash values at acquisition, storage location, and the complete transfer log. In high-stakes proceedings the form is signed in ink; in many organisations a digital evidence management system such as Cellebrite Commander, UFED, or a custom case management platform maintains the log electronically with audit trails.

Legal requirements vary by jurisdiction. In the US, Federal Rule of Evidence 901 requires authentication, which for digital evidence means demonstrating the item is what it is claimed to be through testimony, hash comparison, or system logs. In the UK, the Forensic Science Regulator's Codes of Practice and Conduct require compliance with ISO/IEC 17025 accreditation standards for forensic laboratories. In India, the Bharatiya Sakshya Adhiniyam 2023 requires a certificate from a responsible official when electronic records are produced as evidence, specifying the device, the method of production, and the person who produced it. The EU's Directive 2014/41/EU on the European Investigation Order requires that evidence gathered under the directive follows the procedural law of the executing state, which means chain-of-custody requirements differ across member states.

Every containment action has an evidence consequence. Isolating a host from the network terminates active connections and may stop attacker activity that was being observed. Killing a malicious process removes it from the process list and may overwrite memory pages that contained its code. Changing a compromised account's password invalidates active sessions and destroys session tokens that might have identified the attacker's toolchain. These trade-offs cannot be avoided, but they must be recorded.

The practical approach is to define containment tiers in the incident response plan before an incident occurs. A low-severity tier might allow network isolation without mandatory volatile capture; a high-severity tier involving suspected ransomware or a nation-state actor requires volatile data capture as a precondition to any containment action except in defined emergency circumstances. The NIST SP 800-61 revision 2 framework and the SANS PICERL model both anticipate that containment decisions will be made with evidence considerations in mind, but neither mandates a specific sequence because that must be adapted to the organisation's risk tolerance and legal obligations.

Documentation during containment must be contemporaneous. Contemporaneous means recorded at the time of the action, not reconstructed from memory afterwards. Tools such as Notepad with timestamps, a running terminal session logged to a file, or a dictated voice memo with timestamp are all acceptable. The investigator records: the action taken, the exact time, the person who authorised it, the reason it was taken at that point rather than earlier or later, and what was observed before and after. This record is what allows a court or regulator to reconstruct the decision-making process weeks or months later.

Digital evidence is subject to the same admissibility tests as physical evidence, with additional requirements specific to electronic records. The common requirements across jurisdictions are: authenticity (this is the item that was collected), reliability (the collection method was sound and documented), integrity (the item has not been altered since collection, demonstrated by hash comparison), and proportionality (the collection was lawful and did not exceed what was authorised). Investigators who cannot demonstrate all four will face admissibility challenges.

Regulatory proceedings impose additional requirements beyond criminal admissibility. Under the EU General Data Protection Regulation and the UK GDPR, an organisation reporting a personal data breach to a supervisory authority must be able to demonstrate what data was affected, how it was protected, and what investigation steps were taken. That demonstration depends on the same chain-of-custody and forensic image records that a criminal prosecution would require. The intersection of incident response obligations and data protection law means that evidence preservation standards designed for criminal courts also serve regulatory disclosure requirements. Organisations that treat evidence preservation as a prosecution-only concern miss this second obligation.