Digital Forensic Evidence Collection Report

The document details the digital forensic investigation of unauthorized access to computer material at CyberTech Ltd. on April 9, 2025, led by Temporary Detective Sergeant Mark Collins, who served as the Volatile Evidence Examiner. Key activities included the acquisition of volatile data from Workstation A, preservation of live artifacts, and adherence to forensic standards and protocols. The successful capture of RAM and session data was crucial for maintaining evidence integrity and supporting the investigation's objectives.

Digital Forensic Framework Documentation

Team:
Crime Ref: CYB-0925-2025
Date: 07 April 2025
Offence: Unauthorized Access to Computer Material

Examination Details: Location/Premise/Property ☒   Vehicle Exam ☐
Address:
Exam Start: 11:30 AM, 09 April 2025
Exam End: 04:30 PM, 09 April 2025
Property Ref: CT-0459/25
Examined At: On-site at CyberTech Ltd., IT Department
Vehicle details (not applicable): Original Index N/A; False Index N/A; Make N/A; Model N/A; Colour N/A; VIN N/A

Scene Examination Report

Background Information / Briefing/Debriefing: Advice provided.

Full Name: Temporary Detective Sergeant Mark Collins


Role in Scene Investigation: Volatile Evidence Examiner
Date of Scene Attendance: 09 April 2025
Assigned Responsibilities
Throughout the digital forensic investigation, I (Mark Collins) was given the crucial responsibility
of Volatile Evidence Examiner. My main duty was finding and capturing live (volatile) data from
operational systems before they were shut down or changed. Among other things, this involved handling:
• Acquisition of RAM
• Contents of the clipboard
• Active network sessions
• Command history and user sessions
• Collection of artefacts and volatile logs


Because Workstation A was in a live state, my work was crucial in protecting sensitive data that
would have been lost forever if the system had been shut down too soon.
Key Activities Performed
Under the supervision of the Officer in Charge, I carried out the following tasks:
1. RAM Acquisition
• Used FTK Imager Live to take a complete image of Workstation A's volatile memory.
• Made sure the system state didn't change until the acquisition was finished.
• Data integrity was confirmed by post-capture verification of hash values (SHA256 and MD5).
• Recorded operator logs, tool versions, and imaging timestamps.
2. Session and Network Data Preservation
Commands were run in order to extract:
• netstat -ano: to list all open ports and connections
• query user: to determine which sessions are logged in
• clip: clipboard data
• Preserved on-screen evidence by taking screenshots of the live CMD/PowerShell output.
• Recorded every command and tool used.
3. Coordination and Communication
• Kept DI Alan Morris updated on all tasks involving volatile evidence.
• Prevented Workstation A from shutting down until all volatile evidence had been collected.
• Worked together with the disk imaging expert to prevent data loss and avoid overlapping access.

Evidence Managed by Me

Exhibit Ref | Description
EX001 | RAM Image – Workstation A (captured live)
EX003 | Clipboard content, network session data, and screenshots

Under the OIC's supervision, I obtained and secured these, hashed them for integrity, and sealed
them in tamper-evident evidence bags. Both exhibits were noted in the chain-of-custody log and
subsequently brought up in the debriefing with the OIC.
Contribution to Team Outcome
Since volatile memory and live artefacts could not be recovered after the systems were shut
down, my contribution was crucial to their successful acquisition. My precise and timely work guaranteed:
• No loss of user activity logs or session memory
• Preservation of the real-time forensic artefacts that timeline reconstruction requires
• Good teamwork to prevent duplication or cross-contamination
My forensic handling demonstrated adherence to best practices as defined by ISO/IEC 27037
and the ACPO Guidelines, and it closely followed the team's Digital Forensic Framework
(Appendix 2).

Scene observation

I was given the crucial position of Volatile Evidence Examiner and was tasked with
locating, obtaining, and preserving live data that would be lost after system failure.
My contribution was essential to the investigation's success because volatile memory holds
important artefacts like command-line history, network connections, clipboard content, and user
session data.

I worked directly under the OIC's supervision and adhered strictly to both national and
international standards while using the team's Digital Forensic Framework (Appendix 2).
Volatile Artefacts Captured by Me
We were able to successfully obtain and preserve the following volatile artefacts:

Exhibit Ref | Artefact Captured | Tool Used | Justification
EX001 | RAM image from Workstation A | FTK Imager Live | Contained memory-resident activity, login sessions, encryption keys, running apps
EX003 | Netstat log, clipboard, session data, CLI screenshots | Windows CLI & Snipping Tool | Captured current connections and in-use session details

Methodology and Forensic Procedure


I employed the following forensic procedure:
• Before the system was shut down, the entire RAM contents were captured using FTK Imager Live.
• Used secure, non-intrusive Windows commands (netstat, query user, clip) to capture volatile logs.
• Immediately following acquisition, the volatile data was hashed (MD5/SHA256) and the values recorded.
• Data was stored in tamper-evident packaging and on encrypted media.
• Recorded acquisition time, hash values, tool versions, and operator logs.
• Workstation A was kept undisturbed until all live data had been gathered, through efficient coordination.
Contribution Analysis

My role was both forensically crucial and time-sensitive because volatile memory and live
artefacts cannot be recovered after the system has been shut down.
My efforts directly guaranteed:
• User activity logs and live session memory were preserved, protecting evidence for laboratory analysis.
• The preservation of real-time artefacts that are necessary for event correlation and timeline reconstruction.
• Seamless coordination within the forensic team, which prevented:
  • Duplication of tasks
  • Conflict over the device
  • Interruptions in the chain of custody

Standards and Frameworks Followed

Standard / Framework | Description
ACPO Guidelines (UK) | Ensured that no data was changed without accountability
ISO/IEC 27037 | International standard for evidence identification and preservation
Digital Forensic Framework (App. 2) | Provided team-wide structure for prioritizing and handling digital evidence

The investigation benefited greatly from my prompt and technically accurate acquisition of volatile
evidence. My work:
• Preserved in-memory information that is essential for detecting administrative access abuse
• Upheld communication and procedural integrity to support the larger team

• Supplied two crucial exhibits (EX001 and EX003) that were properly hashed and logged.
• Strengthened best practices for real-time forensic response and the acquisition of volatile evidence.
Evidence Preservation Declaration

This declaration describes the digital evidence, in particular volatile memory and live system
artefacts, that I preserved and removed from the scene. Following forensic guidelines
ensured the data's integrity and legal admissibility, and the time-sensitive actions were completed
before the system was shut down.
Volatile Evidence Preserved and Seized
Exhibit Ref | Description | Type | Justification for Seizure
EX001 | Full RAM Image – Workstation A | Volatile | Captured live using FTK Imager Live to preserve session memory, active processes, and keys.
EX003 | Clipboard Contents, Netstat Logs, User Sessions, Screenshots | Volatile | Preserved live system state and on-screen activity prior to power-down.

These artefacts included tangible proof of:
• User activity while logged in
• Open TCP/IP connections
• Scripts stored in memory
• Data on the clipboard
• Potential misuse of the PowerShell command line
Tools Used and Testing Methodology

Tool | Purpose | Validation
FTK Imager Live | Live RAM capture (Workstation A) | Pre-tested on known-good test system; output hashes verified
Windows CLI Tools | Session, clipboard, and netstat capture | Commands documented and screenshots timestamped
Snipping Tool (Win) | Capturing visual artefacts (PowerShell) | Screenshots saved to encrypted evidence folder; no editing performed
USB Storage (Encrypted) | Temporary evidence transfer | Storage media hashed before and after use to confirm no data alteration

Potential Changes to Evidence (Fully Documented)

Exhibit Ref | Potential Change | Justification and Mitigation
EX001 | FTK Imager Live introduces a minimal memory footprint (~2–5MB) | Expected impact. Fully documented. RAM image hashed and tool logs saved.
EX003 | CLI commands may write to memory logs (e.g., clipboard, console history) | Screenshots captured prior to system shutdown. Commands used are standard and low impact.

Chain of Custody and Evidence Integrity


The two volatile exhibits I obtained were:
• Captured on location (before shutdown)
• Pre/post hash values saved to an encrypted USB
• Sealed and labelled in tamper-evident packaging
• Signed by the OIC and recorded in the official seizure log

Every chain-of-custody record includes precise timestamps and attests to the evidence's continuity from
acquisition to transfer.
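A post-transfer integrity check for this chain-of-custody step, as an added PowerShell example that is not part of the report and not the team's own tooling. It assumes a manifest.csv recorded at acquisition with the columns File, SHA256 and MD5 (that layout and the Test-EvidenceIntegrity function name are assumptions); it re-hashes every listed file at its new location with Get-FileHash, reports any file that is missing or whose digest differs, and appends one line to a custody log saying who checked which folder, when (UTC), and with what result.

```powershell
# Added example, not the report's own tooling: re-hash transferred evidence,
# compare with the digests recorded at acquisition, and log the outcome.
# Assumption: manifest.csv has columns File, SHA256, MD5 (Get-FileHash values).
param(
    [Parameter(Mandatory)][string]$Destination,
    [string]$Manifest   = (Join-Path $Destination 'manifest.csv'),
    [string]$CustodyLog = (Join-Path $Destination 'chain-of-custody.log'),
    [string]$Operator   = 'Volatile Evidence Examiner'
)

function Test-EvidenceIntegrity {
    param([string]$Folder, [string]$ManifestPath)
    foreach ($row in (Import-Csv -LiteralPath $ManifestPath)) {
        $path = Join-Path $Folder $row.File
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing file is a custody break, not just a hash mismatch.
            [pscustomobject]@{ File = $row.File; Status = 'MISSING'; SHA256Match = $false; MD5Match = $false }
            continue
        }
        # PowerShell string comparison is case-insensitive, so hex case does not matter.
        $shaOk = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -eq $row.SHA256
        $md5Ok = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash    -eq $row.MD5
        $status = if ($shaOk -and $md5Ok) { 'VERIFIED' } else { 'MISMATCH' }
        [pscustomobject]@{ File = $row.File; Status = $status; SHA256Match = $shaOk; MD5Match = $md5Ok }
    }
}

$results = @(Test-EvidenceIntegrity -Folder $Destination -ManifestPath $Manifest)
$results | Format-Table -AutoSize

# One custody entry per check: when (UTC), who, which machine, which folder, outcome.
$failed = @($results | Where-Object { $_.Status -ne 'VERIFIED' })
$fields = @(
    (Get-Date).ToUniversalTime().ToString('o'),
    $Operator, $env:COMPUTERNAME, $Destination,
    ($results.Count - $failed.Count), $results.Count
)
$entry = '{0} | {1} | {2} | {3} | {4}/{5} files verified' -f $fields
Add-Content -LiteralPath $CustodyLog -Value $entry

if ($failed.Count -gt 0) {
    Write-Warning ('Integrity check failed for: ' + ($failed.File -join ', '))
    exit 1
}
```

Run it once on the USB immediately after acquisition and again on the laboratory copy; the two custody-log lines then document the before and after verification the report refers to, and the non-zero exit stops any scripted copy from treating a mismatched exhibit as verified.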
Standards and Protocols Followed
My preservation measures followed:
• ACPO Digital Evidence Guidelines (UK)
• ISO/IEC 27037: Digital Evidence Handling Guidelines
• The team's previously developed Digital Forensic Framework (Appendix 2)
By following these protocols, evidence was preserved in its original condition and remains
dependable for use in forensic investigations and court cases in the future. The volatile evidence
I preserved is one of the main elements of the digital artefact trail. I made sure that all
volatile memory was recorded using forensic methods that could be defended and verified,
prevented data loss, and allowed for the reconstruction of activities in real time. These artefacts
were obtained in a controlled, timely, and lawful manner.

Forensic Strategy

Purpose of This Strategy


This forensic strategy describes the steps I intended to take during the digital crime scene
investigation at CyberTech Ltd. In line with our team's Digital Forensic Framework (Appendix 2), I
concentrated on locating and preserving volatile digital evidence.
The plan was created to reduce data loss, preserve the integrity of the evidence, and adhere to the
guidelines provided by:
• ACPO Digital Evidence Principles
• ISO/IEC 27037
• NCSC Incident Response Guidelines
Objectives
• Prior to system shutdown or power changes, record all volatile data.
• Find and protect any active network connections, memory artefacts, or live sessions.
• Keep track of all actions, timestamps, hash values, and tool usage.
• Coordinate effectively with teammates to avoid cross-contamination or duplication.


Forensic Tasks Assigned to Me
Task | Planned Tools | Purpose
RAM Imaging | FTK Imager Live (USB) | Capture volatile memory from live systems (e.g., Workstation A)
Network Session Logging | netstat -ano / arp -a | Identify active TCP/UDP sessions and IP routing information
Clipboard & Session Capture | clip / query user | Extract contents in memory and logged-in user data
Screenshot of Terminal Activity | Windows Snipping Tool | Preserve visual evidence of active PowerShell or CMD interfaces
Hashing Captured Data | HashCalc / FTK Imager | Validate evidence integrity with MD5 and SHA256 hashes
Documentation and Evidence Log | Notepad / Pre-filled Forms | Record actions, timestamps, tool versions, hash values, and observations

Sequence of Execution (On Scene)


• Verify with the OIC that Workstation A is operational and unaltered.
• Take photographs of the system environment, peripherals, and screen.
• Use FTK Imager Live to start the RAM capture (check tool success and hash result).
• Follow immediately with CLI captures:
  • netstat -ano (save output)
  • ipconfig /all, tasklist, and query user
  • clip to record any copied data or stored text
• Capture screenshots of the open terminals (PowerShell, CMD).
• Move all volatile data to an encrypted evidence drive.
• Compute and record MD5/SHA256 hashes.
• Place the data in a tamper-evident container.
• Fill out seizure logs and send them to the OIC for validation.
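The on-scene sequence above, from the CLI captures through hashing, as an added PowerShell example that is not part of the report and not the team's own tooling. It assumes an elevated PowerShell 5.1 or later console on the live host, an evidence folder on the examiner's encrypted USB (E:\Evidence is a placeholder path), and the case and exhibit references quoted in this report; the RAM image itself is still taken with FTK Imager Live beforehand. Each command's output is written to its own file with UTC start and end times, hashed with MD5 and SHA256 via Get-FileHash, and summarised in a manifest that serves as the pre-transfer hash record. One caveat: clip.exe copies its standard input to the clipboard, so the clipboard contents are read with Get-Clipboard.

```powershell
# Added example, not the report's own tooling: ordered capture of the volatile
# CLI artefacts listed in the strategy, each saved with UTC timestamps and hashes.
# Assumptions: elevated PowerShell 5.1+ on the live host; $EvidenceRoot is the
# examiner's encrypted USB (placeholder path); RAM was already imaged separately.
param(
    [string]$EvidenceRoot = 'E:\Evidence',
    [string]$CaseRef      = 'CYB-0925-2025',
    [string]$ExhibitRef   = 'EX003',
    [string]$Operator     = 'Volatile Evidence Examiner'
)

$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$outDir = Join-Path $EvidenceRoot "$CaseRef-$ExhibitRef-$stamp"
New-Item -ItemType Directory -Path $outDir | Out-Null

# Output file name -> command. Order follows the report's sequence: network
# state first (most short-lived), then process and session data, then clipboard.
$captures = [ordered]@{
    'netstat-ano.txt'  = { netstat -ano }
    'arp-a.txt'        = { arp -a }
    'ipconfig-all.txt' = { ipconfig /all }
    'tasklist-v.txt'   = { tasklist /v }
    'query-user.txt'   = { query user }
    # clip.exe only WRITES stdin to the clipboard; reading it is Get-Clipboard.
    'clipboard.txt'    = { Get-Clipboard -Raw }
}

$manifest = foreach ($name in $captures.Keys) {
    $path  = Join-Path $outDir $name
    $start = (Get-Date).ToUniversalTime()
    try {
        # Merge stderr into the file so a failed command is recorded, not lost.
        & $captures[$name] 2>&1 | Out-File -FilePath $path -Encoding utf8
    } catch {
        "CAPTURE FAILED: $($_.Exception.Message)" | Out-File -FilePath $path -Encoding utf8
    }
    $end = (Get-Date).ToUniversalTime()
    [pscustomobject]@{
        File     = $name
        StartUTC = $start.ToString('o')
        EndUTC   = $end.ToString('o')
        SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        MD5      = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        Operator = $Operator
        Host     = $env:COMPUTERNAME
        RunAs    = "$env:USERDOMAIN\$env:USERNAME"
    }
}

# The manifest is the pre-transfer hash record for the chain-of-custody form;
# the same values are re-checked after the copy to the laboratory.
$manifest | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table File, StartUTC, EndUTC, SHA256 -AutoSize
```

Running the script from the USB rather than from the host keeps its footprint off the evidence disk, and the manifest's start and end timestamps are what the potential-changes table needs when explaining why console history or clipboard state in the RAM image differs from the screenshots.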
Pre-Scene Risk Mitigation

• Tool functionality was confirmed through pre-testing on a pristine test system.
• Prepared chain-of-custody forms, hashing templates and evidence bags with labels already applied.
• Arranged pre-scene tool responsibilities with imaging and documentation staff.
• Verified that every device was time-synchronized for precise reconstruction of the timeline.
Digital Forensic Process Map (Applied Strategy)

Digital Forensic Process Map (figure): Pre-Planning & Toolkit Prep → Scene Briefing & Team Role Confirmation → Identification of Volatile Devices → RAM / Session / Log Acquisition → Hashing & Sealing of Evidence → Documentation & Chain-of-Custody

Compliance and Best Practice


Every action was prearranged to adhere to the following guidelines:
• ACPO Principle 1: Data should never be altered without first being accounted for.
• ISO/IEC 27037: Specified protocols for preservation and identification
• GDPR: No user data, whether personal or unrelated, may be accessed without authorization
• Team Forensic Framework, Appendix 2: This strategy is based on our shared DFF.
This forensic approach made sure that I was ready to gather and store sensitive digital evidence
in a timely, forensically sound, and legally acceptable way. The organized strategy reduced the
possibility of data loss or contamination and contributed to the investigation's overall success.

Scene Notes/Further documentation

Scene Arrival and Initial Briefing


• Reached CyberTech Ltd. at around 11:25 AM.
• Admitted by internal security to the protected IT department.
• At 11:35 AM, I attended the team briefing led by the OIC.
• Main goal: secure live volatile data from Workstation A.
• Advised to avoid system interaction prior to documentation.
• Tasks for capturing volatile evidence were assigned.
Initial Observations (Workstation A)
• Workstation A was powered on, its screen was active, and a PowerShell window was visible.
• No external media or USB devices were attached to the front ports.
• Recent command-line activity involving network commands was shown on the screen.
• The user session was "Admin-Cyber1", as verified by the command prompt and visual
• No other workstations were in use at the time.
Actions Taken on Scene
Time | Action
11:50 AM | Verified system state of Workstation A, took pre-capture photos
11:55 AM | Executed FTK Imager Live to perform RAM acquisition
12:10 PM | Verified RAM image creation, recorded MD5/SHA256 hashes, saved logs to encrypted media
12:15 PM | Captured netstat, arp, query user, and clipboard data via Windows CLI tools
12:25 PM | Took screenshots of open PowerShell/CMD interfaces using Snipping Tool
12:35 PM | Transferred all captured data to secure external USB (pre-hashed)
12:45 PM | Sealed USB device in tamper-evident evidence bag, assigned label EX001 / EX003
01:00 PM | Completed exhibit log, chain-of-custody form, and updated team documentation

Notes on Evidence Handling


• Used a write-protected USB to store logs and RAM.
• Screenshots were saved as [Link]-labeled PNG files.
• Verified hashes both prior to and following transfer to guarantee file integrity.
• The chain-of-custody form included examiner information, timestamps, and a handover record.
Equipment utilized:
• FTK Imager Live 4.2
• Windows CLI (inbuilt commands)
• Snipping Tool (for taking screenshots)
• HashCalc (for secondary integrity verification)
Final Advice to OIC
I gave OIC DI Alan Morris the following at 4:30 PM:
• A written and spoken account of every volatile artefact that was recorded

• Advice to keep the remaining systems disconnected and powered down
• Verification that every action and exhibit was meticulously recorded and safely sealed

Exhibits

Date of Seizure: 09 April 2025


Location: CyberTech Ltd., 3rd Floor IT Department

Exhibit Ref | Exhibit Description | Time / Unique Location
EX001 | RAM Image of Workstation A (captured live using FTK Imager Live) | 11:55 AM / Desk 1 (Live System)
EX003 | Clipboard content, netstat logs, open sessions, and CMD screenshots | 12:15–12:30 PM / Workstation A (Live)

• Both exhibits were placed in tamper-evident packaging as soon as they were acquired.
• MD5 and SHA256 hashes were computed and recorded for every evidence file.
• The OIC and I both signed off on the exhibits after they were added to the chain-of-custody form.
• These artefacts, which represent fragile digital evidence, were given top priority before any loss of power.
Evidence Preservation Declaration
Prepared by: Mark Collins
Role: Volatile Evidence Examiner
Date of Attendance: 09 April 2025
Location: CyberTech Ltd., IT Department
The volatile digital evidence that I collected and stored during the crime scene investigation at
CyberTech Ltd. on April 9, 2025, is documented in this declaration. Every action was carried out
in accordance with ISO/IEC 27037, the ACPO Guidelines, and the team's Digital Forensic
Framework (Appendix 2).
Preserving non-recoverable volatile data from operational systems before any shutdown or state
change was the main goal.
Volatile Evidence Seized

Exhibit Ref | Description | Type | Time / Location | Justification
EX001 | RAM Image of Workstation A (Captured using FTK Imager Live) | Volatile | 11:55 AM / Desk 1 | Preserved in-memory data including running processes, login sessions, and scripts
EX003 | Netstat logs, clipboard contents, user sessions, and terminal screenshots | Volatile | 12:15–12:30 PM / Workstation A | Captured live artefacts relevant to network activity and user interactions

Tools and Methods Used

Tool | Purpose | Validation & Integrity
FTK Imager Live | RAM capture from live system | Tool tested pre-scene, hashes generated (MD5 & SHA256) post-acquisition
Windows CLI Commands | Netstat, clipboard, session data | Logged and documented with screenshots, timestamps captured
Snipping Tool | Captured CMD/PowerShell terminal windows | Saved as PNG images, copied to encrypted USB, no alterations
Encrypted USB Storage | Temporary holding of captured artefacts | Device hashed before and after use, verified for data integrity

Every artefact was properly labelled and sealed in tamper-evident packaging. Forms pertaining
to chain of custody were filled out, signed, and confirmed with OIC.
Potential Changes to Evidence (Documented)

Exhibit Ref | Potential Change | Mitigation and Justification
EX001 | Minor memory impact from FTK Imager Live tool | Documented in seizure log, minimal footprint, integrity validated by hashing
EX003 | Use of command-line may alter memory state | Actions were limited, low-risk, and screenshots taken immediately for validation

No evidence was altered without permission. Under the direction of the OIC, every action was
authorized, time-stamped, and forensically sound.

Compliance with Standards


My evidence preservation efforts followed these guidelines:
• ACPO Principle 1: Data should never be altered without a good reason.
• ACPO Principle 2: Documentation and reproducibility are essential
• ISO/IEC 27037: Legal and defendable acquisition and preservation of digital evidence
• Digital Forensic Framework: Coordinated evidence handling and sequencing protocol for teams
Handover and Final Record
I formally gave OIC DI Alan Morris the following at 4:30 PM:
• A verbal and written synopsis of all volatile evidence gathered
• Suggestions to maintain all remaining systems disconnected and powered down
• Confirmation that every exhibit was properly sealed, hashed, and logged
Digital Forensic Framework
Purpose of the Framework
The purpose of this framework was to guarantee that the digital crime scene investigation was
conducted in a methodical, legally compliant, and forensically sound manner. It describes the
precise procedures I devised and carried out in order to record session-level data and volatile
memory, which are crucial and irretrievably lost after a system is shut down.
The team's agreed-upon framework and globally accepted standards serve as the strategy's
compass:
• ISO/IEC 27037 provides guidelines for identifying, gathering, acquiring, and preserving digital evidence.
• The ACPO Guidelines (UK) outline principles of best practice for handling digital evidence.
• NCSC Incident Response Guidance: best practices for live system analysis
Individual Responsibilities
As the Volatile Evidence Examiner, I was tasked with the following duties:
• Finding any active systems that hold live memory or session data
• Capturing ephemeral artefacts such as:
  • RAM
  • Open sessions
  • Data on the clipboard
  • Network connections
  • Outputs from the terminal window
• Logging, storing, and hashing all of the information gathered
• Minimizing contact with live systems to lower the possibility of evidence manipulation
Pre-Scene Planning & Toolkit Validation

Prepared Item | Purpose | Validation
FTK Imager Live | Memory capture from Workstation A | Tested on sandbox PC, confirmed hash accuracy
Windows CLI (netstat, query) | Collect volatile session/network data | Commands logged, screenshots planned
Snipping Tool / Screenshot | Capture live CMD/PowerShell interfaces | Saved as .png, time-stamped, no alterations made
Encrypted USB (pre-hashed) | Store volatile evidence securely | Hash verified before/after transfer
Evidence bags, tags, labels | For packaging and cataloging seized artefacts | Prepared with EX identifiers and timestamps

Volatile Evidence Acquisition Flow

Volatile Evidence Acquisition Flow (figure): Confirm Scene Status with OIC → Photograph Workstation A → Perform RAM Capture (FTK Imager Live) → Collect Netstat / Session / Clipboard Data → Screenshot CLI & Save Live Evidence → Transfer to Encrypted USB → Calculate Hashes (MD5/SHA256) → Seal, Label, Log & Handover to OIC

Forensic Steps Followed On-Scene

Step | Action | Tool/Command | Logged?
1 | Capture RAM from Workstation A | FTK Imager Live | ✅
2 | Capture netstat, user sessions, clipboard data | netstat -ano, query user, clip | ✅
3 | Screenshot terminal activity (CMD/PowerShell) | Windows Snipping Tool | ✅
4 | Save all data to encrypted USB, hash before/after transfer | HashCalc / FTK Imager | ✅
5 | Tag and seal exhibits, enter into seizure record and CoC log | Tamper-evident bags | ✅

Legal & Ethical Compliance


I made certain that every action adhered to:
ACPO Principles
• Principle 1: Only justified and documented data was altered.
• Principle 2: Every action was transparent and repeatable.
ISO/IEC 27037
• Centred on chain-of-custody dependability and minimal evidence disturbance
GDPR/DPA 2018
• Prevented needless access to irrelevant personal information or systems
