Digital Forensics Collection Checklist
Incident ID: [IR-YYYY-###]
Examiner: [Name]
Date/Time Started: [YYYY-MM-DD HH:MM TZ]
System Being Examined: [Hostname/IP/Asset Tag]
Pre-Collection
- [ ] Verify authorization to collect evidence (written approval from IR Manager or Legal)
- [ ] Document your identity, role, and qualifications
- [ ] Prepare evidence collection tools (USB drive with forensic tools, write blockers, evidence bags)
- [ ] Start a contemporaneous evidence log (document every action with timestamps)
- [ ] Photograph the system as found (screen display, physical connections, indicator lights)
- [ ] Note the system's current state (powered on/off, logged in user, running applications)
Volatile Evidence Collection (Collect First -- Order of Volatility)
Important: Do NOT power off the system until volatile evidence is collected; powering off destroys memory contents, network state and running-process information. Capture memory first, because every tool started afterwards overwrites memory pages. Use scripts/incident-triage.sh to automate this collection, and record the script's version and hash in the evidence log so the tooling itself is accountable.
Memory
- [ ] Capture full memory dump
- Tool used: [FTK Imager / WinPMEM / LiME / AVML]
- Output file: ___
- File size: ___
- MD5 hash: ___ (recorded for legacy tool compatibility only)
- SHA-256 hash: ___ (authoritative value; MD5 is no longer collision-resistant)
- Time completed: ___
Network State
- [ ] Capture active network connections (`netstat -anob` on Windows / `ss -tuanp` on Linux)
- [ ] Capture ARP cache (`arp -a` / `ip neigh show`)
- [ ] Capture DNS cache (`ipconfig /displaydns` on Windows; on Linux dump the local resolver cache if a caching resolver such as systemd-resolved or nscd is running)
- [ ] Capture routing table (`route print` / `ip route show`)
- [ ] Capture listening ports and associated processes (`netstat -anob`, which needs an elevated prompt / `ss -tulpn`)
- [ ] Start network packet capture if ongoing activity is suspected, preferably from a SPAN/TAP port rather than on the compromised host itself
Running Processes
- [ ] Capture process list with full command lines and parent PIDs
- [ ] Capture loaded DLLs/shared libraries for suspicious processes
- [ ] Capture open file handles for suspicious processes
- [ ] Capture scheduled tasks / cron jobs
- [ ] Capture startup items (registry Run keys, systemd services, launchd)
System Information
- [ ] Capture system time and timezone (compare to authoritative time source)
- [ ] Capture system information (hostname, OS version, installed patches)
- [ ] Capture logged-in users and recent logon sessions
- [ ] Capture environment variables
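The Linux side of the Network State, Running Processes and System Information items above, as a small collector added to this page as an example. It is not the page's scripts/incident-triage.sh and makes no claim about what that script does. It assumes GNU coreutils (sha256sum, date -u), iproute2 (ss, ip) and procps (ps); it writes each artefact to its own file, appends a timestamped manifest line with the exit code and SHA-256 of every artefact so the contemporaneous log is produced as a side effect of collection, and records tools that are absent instead of silently skipping them. `verify_manifest` re-hashes everything, which is the check to run before the directory goes to evidence storage.

```shell
#!/bin/sh
# Added example: Linux volatile-state collector. Not the checklist's own
# scripts/incident-triage.sh. Assumes GNU coreutils (sha256sum, date -u),
# iproute2 (ss, ip) and procps (ps); a missing tool is logged, not skipped silently.
set -u

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }   # UTC so entries compare across hosts

# run OUTDIR NAME CMD [ARGS...]: run CMD, keep stdout+stderr in OUTDIR/NAME.txt and
# append "<ts> <name> rc=<N> sha256=<hash> cmd=<cmd>" to the manifest. A non-zero
# exit (e.g. crontab -l when no crontab exists) is itself a finding, so it is
# recorded rather than hidden.
run() {
  local out=$1 name=$2 file rc sha
  shift 2
  file="$out/$name.txt"
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s MISSING %s (%s not installed)\n' "$(now)" "$name" "$1" >>"$out/manifest.txt"
    return 0
  fi
  if "$@" >"$file" 2>&1; then rc=0; else rc=$?; fi
  sha=$(sha256sum "$file" | cut -d' ' -f1)
  printf '%s %s rc=%d sha256=%s cmd=%s\n' "$(now)" "$name" "$rc" "$sha" "$*" >>"$out/manifest.txt"
}

# collect_volatile OUTDIR: most volatile first (RFC 3227 order of volatility).
# OUTDIR should be on the examiner's evidence drive, never on the examined disk.
collect_volatile() {
  local out=$1
  mkdir -p "$out"
  printf '%s collection started on %s by %s\n' "$(now)" "$(uname -n)" "$(id -un)" >"$out/manifest.txt"
  run "$out" system_time    date -u                          # compare with an authoritative clock
  run "$out" network_conns  ss -tuanp                        # all TCP/UDP sockets with owning PIDs
  run "$out" arp_cache      ip neigh show
  run "$out" routing_table  ip route show
  run "$out" processes      ps -eo pid,ppid,user,lstart,cmd  # parent PIDs + full command lines
  run "$out" logged_in      who -a
  run "$out" kernel_modules lsmod
  run "$out" cron_root      crontab -l
  run "$out" environment    env
  run "$out" system_info    uname -a
  printf '%s collection finished\n' "$(now)" >>"$out/manifest.txt"
}

# verify_manifest OUTDIR: re-hash every artefact listed in the manifest and return 1
# on the first mismatch, so a tampered or truncated file is caught before analysis.
verify_manifest() {
  local dir=$1 line actual
  while IFS= read -r line; do
    case "$line" in *" sha256="*) ;; *) continue ;; esac
    set -- $line                   # fields: ts name rc=N sha256=HASH cmd=...
    actual=$(sha256sum "$dir/$2.txt" | cut -d' ' -f1)
    [ "sha256=$actual" = "$4" ] || return 1
  done <"$dir/manifest.txt"
  return 0
}

# Usage: ./collect-volatile.sh /mnt/evidence/IR-2024-001/volatile
if [ -n "${1:-}" ]; then
  collect_volatile "$1" && verify_manifest "$1" && echo "collected and verified: $1"
fi
```

Run it from an evidence drive mounted read-write, with the examined disk left untouched; the manifest's MISSING lines tell the reviewer which checklist items could not be satisfied on this host and why, and the rc values preserve negative results (no crontab, no kernel modules listed) that are as relevant as positive ones.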
Non-Volatile Evidence Collection
Disk Imaging
- [ ] Check for full-disk encryption (BitLocker, FileVault, LUKS) before the system is powered down; capture recovery keys or a logical image while the volume is unlocked, since a dead image of an encrypted volume cannot be analyzed without them
- [ ] Connect write blocker to evidence drive and confirm the drive enumerates read-only before imaging
- [ ] Create forensic image (bit-for-bit)
- Tool used: [FTK Imager / dd / dc3dd / Guymager]
- Source drive: ___
- Image file: ___
- Image format: [E01 / dd / AFF4]
- Source hash (MD5): ___
- Source hash (SHA-256): ___
- Image hash (MD5): ___
- Image hash (SHA-256): ___
- Hashes match: [ ] Yes [ ] No (SHA-256 is the authoritative comparison; if they differ, record the read errors the imaging tool reported and re-acquire rather than proceeding)
- Time started: ___
- Time completed: ___
- [ ] Verify image integrity (hash comparison)
- [ ] Create working copy for analysis (never analyze the original image)
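The Disk Imaging steps above carried through in one routine, added here as an example; it is not the checklist's own tooling, and in practice dc3dd, Guymager or FTK Imager hash in the same pass and are preferred. It assumes GNU coreutils and that SOURCE is a block device behind a write blocker (e.g. /dev/sdb, an assumed path); any readable path works, so the routine can be exercised on a constructed sample file. It images with dd, hashes source and image, logs both with timestamps, locks the master image read-only and derives a verified working copy, and it shows the one dd detail that routinely produces a false mismatch: `conv=sync` pads short reads to the block size.

```shell
#!/bin/sh
# Added example: acquire a bit-for-bit image with dd, hash source and image,
# log both, lock the master image and derive a verified working copy. Not the
# checklist's own tooling; dc3dd/Guymager/FTK Imager hash in the same pass and are
# preferred in practice. Assumes GNU coreutils. SOURCE is normally a block device
# behind a write blocker (e.g. /dev/sdb, an assumed path); any readable path works.
set -u

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# image_and_verify SOURCE IMAGE LOGFILE: returns 0 only if source and image hashes match.
image_and_verify() {
  local src=$1 img=$2 log=$3 src_sha img_sha
  printf '%s imaging %s -> %s\n' "$(now)" "$src" "$img" >>"$log"
  # conv=noerror,sync keeps going past unreadable sectors and zero-pads them so
  # later offsets stay aligned. sync pads every short read to bs, so bs must equal
  # the device sector size (512 here): a larger bs would pad the tail of the image
  # and the hashes would never match. dd's own error messages go into the log.
  if ! dd if="$src" of="$img" bs=512 conv=noerror,sync status=none 2>>"$log"; then
    printf '%s dd failed\n' "$(now)" >>"$log"; return 1
  fi
  chmod 0444 "$img"                      # master image is never written again
  src_sha=$(sha256_of "$src"); img_sha=$(sha256_of "$img")
  printf '%s source sha256=%s\n' "$(now)" "$src_sha" >>"$log"
  printf '%s image  sha256=%s size=%s\n' "$(now)" "$img_sha" "$(wc -c <"$img" | tr -d ' ')" >>"$log"
  if [ "$src_sha" = "$img_sha" ]; then
    printf '%s VERIFIED hashes match\n' "$(now)" >>"$log"; return 0
  fi
  printf '%s MISMATCH: record read errors above and re-acquire before any analysis\n' "$(now)" >>"$log"
  return 1
}

# verify_copy MASTER COPY: 0 if the two files hash identically
verify_copy() { [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; }

# working_copy MASTER COPY LOGFILE: analysis happens on COPY, never on MASTER
working_copy() {
  local img=$1 copy=$2 log=$3
  cp "$img" "$copy" && chmod 0644 "$copy" || return 1
  verify_copy "$img" "$copy" || return 1
  printf '%s working copy %s matches %s\n' "$(now)" "$copy" "$img" >>"$log"
}

# Usage: ./image-disk.sh /dev/sdb /mnt/evidence/IR-2024-001/disk0.dd /mnt/evidence/IR-2024-001/evidence.log
if [ -n "${1:-}" ]; then
  image_and_verify "$1" "${2:?image path}" "${3:?log path}" && working_copy "$2" "${2%.dd}-work.dd" "$3"
fi
```

A source whose size is not a multiple of the block size (a file, or a device with a non-512-byte sector size) is padded by `conv=sync` and the routine reports MISMATCH; on a real drive the same symptom usually means unreadable sectors, which is why the log, not just the Yes/No box, has to carry dd's error output.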
Log Collection
- [ ] Windows Event Logs (Security, System, Application, PowerShell Operational, Sysmon if deployed)
- [ ] Linux logs (/var/log/auth.log and /var/log/syslog on Debian-family systems, /var/log/secure and /var/log/messages on RHEL-family systems, the systemd journal via `journalctl`, and the binary login records wtmp, btmp and lastlog)
- [ ] Application-specific logs (web server, database, email)
- [ ] Antivirus/EDR logs and quarantine items
- [ ] Firewall logs
- [ ] Proxy/web filter logs
- [ ] SIEM data for the relevant time period
- [ ] Cloud service logs (Azure AD / Entra ID sign-in and audit logs, AWS CloudTrail, GCP Cloud Audit Logs)
- [ ] VPN/remote access logs
- [ ] Email gateway logs
Evidence Handling
Chain of Custody
| Date/Time | Action | From | To | Reason |
|---|---|---|---|---|
| [Timestamp] | Collected | [System] | [Examiner] | Initial collection |
| [Timestamp] | Transferred | [Examiner] | [Evidence Storage] | Secure storage |
Evidence Storage
- [ ] All evidence files stored in access-controlled location
- [ ] Evidence encrypted at rest
- [ ] Access log maintained for evidence storage location
- [ ] Physical evidence in tamper-evident bags (if applicable)
- [ ] Evidence inventory updated
Post-Collection
- [ ] Verify all hash values are recorded
- [ ] Evidence log is complete with all actions documented
- [ ] Chain of custody forms are signed
- [ ] Evidence inventory is updated in incident tracking system
- [ ] Notify IR Manager that evidence collection is complete
- [ ] Secure all collection tools (wipe and verify)
Examiner Certification
I certify that the evidence described in this checklist was collected by me in accordance with forensic best practices, and the information recorded herein is accurate to the best of my knowledge.
Examiner Name: __ Examiner Signature: __ Date: ___
Witness Name: __ Witness Signature: __ Date: ___
Template provided by Petronella Technology Group. For digital forensics services, contact 919-348-4912.