Evidence Handling & Chain of Custody · Rolling Thunder Security

The single thing that separates forensic evidence from information you happened to collect is whether you can prove it hasn't changed since you got it. Courts and auditors don't accept "we got these logs off the box, we promise." They accept evidence that has a documented origin, an integrity hash recorded at collection time, and a chain of custody showing every person who touched it.

This page covers the four foundational practices: order of volatility (collect ephemeral data first), cryptographic hashing (prove the bytes are the same), write blockers (read from disks without modifying them), and chain of custody (the paperwork that ties it together).

Order of volatility

RFC 3227 introduced the rule that has shaped forensic acquisition for two decades: collect evidence in order of how quickly it disappears. CPU registers vanish in microseconds; archive disks survive years. If you start with the slow stuff, the fast stuff is gone before you reach it.

1
CPU registers & cache — ephemeral by definition. Practically uncollectable in most incidents.
~microseconds
2
RAM — volatile memory contains running processes, encryption keys, network connections, decrypted documents. Acquire before powering off.
lost at power-off
3
Network state — ARP cache, routing tables, active connections, listening ports, kernel statistics. Useful for current-attacker-presence questions.
seconds to minutes
4
Process state & system info — running processes, open file handles, loaded kernel modules, current user sessions.
until reboot
5
Temporary files & swap — /tmp, Windows pagefile, hibernation file, browser caches. Lost on reboot or cleanup jobs.
hours to days
6
Persistent storage — hard disks, SSDs, USB drives, backups. Survives reboots; preserved by disk imaging.
months to years

The operational implication: the first decision in any host-side forensic acquisition is do not pull the power cord. The instinct is to "freeze" the machine; the effect is to destroy levels 1–5. Acquire RAM and network state first — with a known-good toolkit on bootable media — then power down for disk imaging.

Hash for integrity

Every piece of evidence gets a cryptographic hash recorded at the moment of collection. Anyone who later wants to verify "is this the same file we acquired?" runs the hash again and compares. If the hashes match, the evidence is unchanged.

$ sha256sum disk-image-2026-06-05.dd e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 disk-image-2026-06-05.dd $ sha256sum memory-dump-2026-06-05.lime 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 memory-dump-2026-06-05.lime # Record both hashes in the chain-of-custody form. Anyone can re-verify later: $ sha256sum disk-image-2026-06-05.dd | diff - known-good.txt # Empty output = bytes are unchanged. Any difference = evidence has been altered.

SHA-256 is the modern standard. MD5 still appears in legacy tooling and is acceptable for integrity (not for security), but pair it with SHA-256 for new work.
Record both hashes in your documentation. Defense lawyers occasionally challenge MD5 alone in court because of known collisions; SHA-256 closes that door.
Hash at acquisition. The hash on the original media should be recorded before the disk is moved or imaged again. The hash on the working copy proves the copy is faithful to the original.

Write blockers

Connecting a suspect's hard drive to your forensic workstation is risky: most operating systems will write to the drive automatically — mounting it, updating last-access timestamps, writing system metadata. Any write to the original evidence invalidates its integrity.

A write blocker sits between your workstation and the suspect drive. It allows reads to pass through; it intercepts and blocks writes. The drive appears to your forensic tools normally; the OS just can't modify it. Hardware write blockers (Tableau, WiebeTech, CRU) are the field standard because they don't depend on getting the OS configuration right.

# Linux: forensic boot with everything read-only $ blockdev --setro /dev/sdb # mark suspect drive read-only at the block layer # Take a forensically-sound image with dd or dcfldd $ dcfldd if=/dev/sdb of=suspect-disk.dd hash=sha256 hashlog=acquisition.log # Modern alternative: EWF format with built-in metadata + integrity $ ewfacquire /dev/sdb # Prompts for case number, examiner, evidence label, hash type, etc.

Software write blockers vs hardware. Software is fine for triage and lab work but error-prone in the field — a misconfigured kernel module or auto-mount daemon can write to the disk before your block kicks in. Hardware write blockers are a discrete device you physically wire in — the disk is physically incapable of receiving writes. Court testimony goes more smoothly with hardware.

Chain of custody

A chain of custody is the paper trail proving the evidence has been continuously accounted for from the moment of seizure to the moment of presentation. Every transfer between people, every storage location, every analysis activity is logged.

Chain of Custody Form · Case 2026-0605-01

Evidence ID

HDS-2026-0605-001

Description

Seagate Barracuda ST2000DM008, 2 TB SATA, serial WCC8K1234567

Source

Workstation alice-laptop.heliotrope.com, removed 2026-06-05 09:42 EDT

Acquired by

Pat Lin, IR Analyst, badge 4471

Acquisition method

Tableau T35u write blocker + ewfacquire to forensic workstation FW-03

Original SHA-256

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Image SHA-256

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (matches)

Storage location

Evidence locker E-1, slot 47, sealed bag CB-228841

Transfer log

2026-06-05 10:14 · Lin → Evidence locker E-1
2026-06-05 14:30 · Reyes (lab examiner) signs out for analysis
2026-06-05 18:45 · Reyes returns to E-1; SHA-256 re-verified

The form looks bureaucratic and is. Its purpose is defensive: if a defense attorney later argues "the evidence was tampered with between seizure and presentation," the chain of custody is what proves it wasn't — or, if there is a gap, what surfaces the gap honestly. The discipline matters for compliance audits and internal investigations even when no court is involved.

The forensic triad

Together, the practices above give you three properties that make evidence usable:

Authenticity — we can prove the evidence is what we say it is (chain of custody + acquisition records).
Integrity — we can prove the bytes haven't changed since acquisition (hashes + write blockers).
Completeness — we acquired everything relevant, in the right order, without modification (order of volatility + thorough acquisition).

A piece of evidence that lacks any of these is a piece of information, not forensic evidence. It might still be useful for internal investigation; it will not survive scrutiny in a courtroom, by a regulator, or in a tabletop replay of how the response went.

The point

Forensic evidence handling is not about being thorough for its own sake. It is about producing artifacts that survive challenge — from opposing counsel, from auditors, from the senior leader asking "are we sure?" The four practices on this page are the floor; mature programs add tooling and procedure on top of them.

You will be tempted, in the moment, to skip steps because they slow you down. The discipline is to never skip them. The work you do now decides whether the evidence is admissible six months from now.

References

Formatted in APA 7.

Brezinski, D., & Killalea, T. (2002). Guidelines for evidence collection and archiving (Request for Comments No. 3227). Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/rfc3227
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to integrating forensic techniques into incident response (NIST Special Publication No. 800-86). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-86
Scientific Working Group on Digital Evidence. (n.d.). SWGDE best practices for computer forensic acquisitions. https://www.swgde.org/