06
18 min read · 6 briefings

Digital Forensics & Threat Intelligence

Reconstruct exactly what happened, then turn that knowledge into a weapon against the next attacker.

01 The forensic process

Digital forensics is the disciplined recovery, preservation, and analysis of digital evidence such that findings are accurate and — when needed — legally defensible. It answers the investigator's questions: what happened, when, how, and what was affected. The practice follows a rigorous process, articulated in frameworks like NIST SP 800-86, that generally runs: Identification → Preservation → Collection → Examination → Analysis → Reporting.

Two principles govern everything. First, preserve integrity: work from verified forensic copies, never the original, and prove nothing changed by hashing (e.g. SHA-256) the evidence before and after. Second, maintain an unbroken chain of custody so the evidence stands up to scrutiny.

Pro tip Use a write blocker — hardware or software — whenever imaging a disk. It permits reads but physically prevents any write to the source, so the mere act of examining the drive cannot alter it. Then hash the image and work only on copies.

A related concept is forensic soundness: the collection method itself must not materially alter the evidence, and any unavoidable change (common in live acquisition) must be documented and justified. Forensics is as much about process discipline and documentation as it is about technical tooling.

02 Volatile vs non-volatile data

Not all evidence is equally durable, and this drives the order in which you collect it. Volatile data exists only while the system is powered and vanishes on shutdown: the contents of RAM, running processes, active network connections, logged-in users, and cached credentials. Non-volatile data persists across reboots: files on disk, logs, registry hives, and firmware.

RFC 3227 codifies the order of volatility — collect the most ephemeral evidence first, before it evaporates:

  1. CPU registers and cache
  2. RAM and running process/network state
  3. Temporary file systems and swap/paging space
  4. Disk (files, logs)
  5. Remote logging and monitoring data
  6. Physical configuration and archival media
Watch out This is exactly why "just reboot it" or "power it off to be safe" can be a catastrophic first move. Memory-resident (fileless) malware, decryption keys, and the attacker's live session can exist only in RAM — pulling the plug destroys them forever. Capture volatile memory before you touch the power.

The tradeoff is real: acquiring live memory changes some system state, which is a small forensic compromise made deliberately to preserve evidence that would otherwise be lost entirely.

03 Disk, memory, and network forensics

Forensics specializes by evidence source. Disk forensics examines storage media: recovering deleted files, parsing file-system metadata, and reconstructing user activity. Because deleting a file typically only removes its directory entry, file carving can rebuild data from the raw bytes still on disk. Classic tooling includes Autopsy/The Sleuth Kit and commercial suites like EnCase and FTK.

Memory forensics analyzes a RAM capture to reveal what disk cannot: injected code, hidden or terminated processes, in-memory-only malware, unpacked payloads, network connections, and cached credentials or encryption keys. The open-source Volatility framework is the field standard here.

Network forensics examines traffic captures (PCAP) and flow records to reconstruct communications — identifying command-and-control channels, data exfiltration, and lateral movement. Tools like Wireshark and Zeek (formerly Bro) do the heavy lifting.

The connective tissue across all three is timeline analysis: correlating timestamps from disk, memory, and network into a single, ordered narrative of the intrusion — the super timeline. It answers the crucial questions of sequence and dwell time: when did the attacker get in, what did they touch, in what order, and when were they evicted? Tools like Plaso/log2timeline automate building these unified timelines from disparate artifacts.

04 The intelligence lifecycle

Cyber Threat Intelligence (CTI) is evidence-based knowledge about threats — actors, their motives, capabilities, and methods — that is processed to inform decisions. The keyword is processed: raw data (a list of IPs) is not intelligence. Intelligence is analyzed, contextualized, and actionable. CTI is produced through a repeatable intelligence lifecycle inherited from traditional intelligence tradecraft:

  1. Direction/Planning — define the requirements: what questions must we answer, for whom?
  2. Collection — gather raw data from sources (feeds, OSINT, telemetry, dark web, sharing partners).
  3. Processing — normalize, decode, translate, and structure the raw data.
  4. Analysis — turn processed data into assessed, contextual intelligence with judgments.
  5. Dissemination — deliver it to the right consumers in a usable form.
  6. Feedback — consumers respond, refining the requirements and starting the loop again.
Insight Intelligence exists to drive action. If a report does not change a decision — a detection written, a control funded, a risk accepted — it was interesting, not intelligent. Requirements defined up front in the Direction phase are what keep intel from becoming a firehose of trivia.

05 Strategic, operational, and tactical intel

Threat intelligence serves different audiences at different altitudes, and matching the type to the consumer is what makes it useful.

LevelAudienceContentShelf life
StrategicExecutives, boardBig-picture trends, geopolitics, risk to the businessLong
OperationalIR, hunt, SOC leadsAdversary campaigns, TTPs, who is targeting whom and howMedium
TacticalSOC analysts, toolsIOCs and specific technical indicators to detect and blockShort

Tactical intel (feed an IOC to the SIEM) is immediate but perishable — recall from the Pyramid of Pain that indicators change fast. Operational intel about an adversary's TTPs and campaigns is more durable and drives detection engineering and hunting. Strategic intel informs long-horizon investment and risk decisions at the top of the house.

Frameworks connect them: MITRE ATT&CK gives a shared language for operational TTPs, while models like the Diamond Model and the Cyber Kill Chain structure how analysts reason about intrusions. The F3EAD cycle (Find, Fix, Finish, Exploit, Analyze, Disseminate) is a popular way to fuse operations and intelligence so a finding from an incident feeds straight back into detection.

06 Sharing intelligence: STIX, TAXII, and ISACs

Defenders have one structural advantage attackers lack: they can cooperate at scale. When one organization's incident becomes another's early warning, the whole community's cost of defense drops. That is the premise of threat intelligence sharing.

To share machine-to-machine, the community standardized two OASIS specifications:

  • STIX (Structured Threat Information eXpression) — a standardized language and data format for describing threat intelligence: indicators, threat actors, campaigns, TTPs, and their relationships. It is the common grammar.
  • TAXII (Trusted Automated eXchange of Intelligence Information) — the transport protocol for exchanging STIX data between systems. Loosely: STIX is what you say; TAXII is how it travels.

Human and organizational sharing happens through ISACs (Information Sharing and Analysis Centers) — sector-specific trust communities such as FS-ISAC (financial services), H-ISAC (health), and MS-ISAC (state and local government) — as well as national bodies like CISA in the US. Open platforms like MISP are widely used to store, correlate, and exchange indicators.

Watch out Sharing runs on trust and careful handling. The Traffic Light Protocol (TLP) — TLP:RED, AMBER, GREEN, CLEAR — governs how far a given piece of intel may be redistributed. Mishandle a TLP:RED report and you break the trust the entire sharing model depends on.

Field Glossary

Digital forensics
The disciplined recovery, preservation, and analysis of digital evidence to produce accurate, legally defensible findings about an incident.
Order of volatility
The RFC 3227 principle of collecting the most ephemeral evidence (RAM, running state) first, before it is lost, then progressing to durable storage.
Memory forensics
Analysis of a RAM capture to reveal injected code, fileless malware, hidden processes, and cached credentials or keys; Volatility is the standard tool.
Timeline analysis
Correlating timestamps from disk, memory, and network into a single ordered narrative (a super timeline) of an intrusion.
Intelligence lifecycle
The repeatable cycle producing intelligence: Direction, Collection, Processing, Analysis, Dissemination, and Feedback.
STIX / TAXII
OASIS standards for threat intel sharing: STIX is the structured language for describing threats; TAXII is the transport protocol for exchanging it.
ISAC
Information Sharing and Analysis Center; a sector-specific trust community (e.g. FS-ISAC, H-ISAC) for exchanging threat intelligence among members.

Knowledge Check

Field Assessment

0 / 3

01 Following the order of volatility, which evidence should generally be collected FIRST?

02 What is the relationship between STIX and TAXII?

03 Which type of threat intelligence is aimed at executives and has the longest shelf life?

ESC
↑↓ navigate jack in