Digital Forensics & Threat Intelligence
Reconstruct exactly what happened, then turn that knowledge into a weapon against the next attacker.
01 The forensic process
Digital forensics is the disciplined recovery, preservation, and analysis of digital evidence such that findings are accurate and — when needed — legally defensible. It answers the investigator's questions: what happened, when, how, and what was affected. The practice follows a rigorous process, articulated in frameworks like NIST SP 800-86, that generally runs: Identification → Preservation → Collection → Examination → Analysis → Reporting.
Two principles govern everything. First, preserve integrity: work from verified forensic copies, never the original, and prove nothing changed by hashing (e.g. SHA-256) the evidence before and after. Second, maintain an unbroken chain of custody so the evidence stands up to scrutiny.
A related concept is forensic soundness: the collection method itself must not materially alter the evidence, and any unavoidable change (common in live acquisition) must be documented and justified. Forensics is as much about process discipline and documentation as it is about technical tooling.
02 Volatile vs non-volatile data
Not all evidence is equally durable, and this drives the order in which you collect it. Volatile data exists only while the system is powered and vanishes on shutdown: the contents of RAM, running processes, active network connections, logged-in users, and cached credentials. Non-volatile data persists across reboots: files on disk, logs, registry hives, and firmware.
RFC 3227 codifies the order of volatility — collect the most ephemeral evidence first, before it evaporates:
- CPU registers and cache
- RAM and running process/network state
- Temporary file systems and swap/paging space
- Disk (files, logs)
- Remote logging and monitoring data
- Physical configuration and archival media
The tradeoff is real: acquiring live memory changes some system state, which is a small forensic compromise made deliberately to preserve evidence that would otherwise be lost entirely.
03 Disk, memory, and network forensics
Forensics specializes by evidence source. Disk forensics examines storage media: recovering deleted files, parsing file-system metadata, and reconstructing user activity. Because deleting a file typically only removes its directory entry, file carving can rebuild data from the raw bytes still on disk. Classic tooling includes Autopsy/The Sleuth Kit and commercial suites like EnCase and FTK.
Memory forensics analyzes a RAM capture to reveal what disk cannot: injected code, hidden or terminated processes, in-memory-only malware, unpacked payloads, network connections, and cached credentials or encryption keys. The open-source Volatility framework is the field standard here.
Network forensics examines traffic captures (PCAP) and flow records to reconstruct communications — identifying command-and-control channels, data exfiltration, and lateral movement. Tools like Wireshark and Zeek (formerly Bro) do the heavy lifting.
The connective tissue across all three is timeline analysis: correlating timestamps from disk, memory, and network into a single, ordered narrative of the intrusion — the super timeline. It answers the crucial questions of sequence and dwell time: when did the attacker get in, what did they touch, in what order, and when were they evicted? Tools like Plaso/log2timeline automate building these unified timelines from disparate artifacts.
04 The intelligence lifecycle
Cyber Threat Intelligence (CTI) is evidence-based knowledge about threats — actors, their motives, capabilities, and methods — that is processed to inform decisions. The keyword is processed: raw data (a list of IPs) is not intelligence. Intelligence is analyzed, contextualized, and actionable. CTI is produced through a repeatable intelligence lifecycle inherited from traditional intelligence tradecraft:
- Direction/Planning — define the requirements: what questions must we answer, for whom?
- Collection — gather raw data from sources (feeds, OSINT, telemetry, dark web, sharing partners).
- Processing — normalize, decode, translate, and structure the raw data.
- Analysis — turn processed data into assessed, contextual intelligence with judgments.
- Dissemination — deliver it to the right consumers in a usable form.
- Feedback — consumers respond, refining the requirements and starting the loop again.
05 Strategic, operational, and tactical intel
Threat intelligence serves different audiences at different altitudes, and matching the type to the consumer is what makes it useful.
| Level | Audience | Content | Shelf life |
|---|---|---|---|
| Strategic | Executives, board | Big-picture trends, geopolitics, risk to the business | Long |
| Operational | IR, hunt, SOC leads | Adversary campaigns, TTPs, who is targeting whom and how | Medium |
| Tactical | SOC analysts, tools | IOCs and specific technical indicators to detect and block | Short |
Tactical intel (feed an IOC to the SIEM) is immediate but perishable — recall from the Pyramid of Pain that indicators change fast. Operational intel about an adversary's TTPs and campaigns is more durable and drives detection engineering and hunting. Strategic intel informs long-horizon investment and risk decisions at the top of the house.
Frameworks connect them: MITRE ATT&CK gives a shared language for operational TTPs, while models like the Diamond Model and the Cyber Kill Chain structure how analysts reason about intrusions. The F3EAD cycle (Find, Fix, Finish, Exploit, Analyze, Disseminate) is a popular way to fuse operations and intelligence so a finding from an incident feeds straight back into detection.
06 Sharing intelligence: STIX, TAXII, and ISACs
Defenders have one structural advantage attackers lack: they can cooperate at scale. When one organization's incident becomes another's early warning, the whole community's cost of defense drops. That is the premise of threat intelligence sharing.
To share machine-to-machine, the community standardized two OASIS specifications:
- STIX (Structured Threat Information eXpression) — a standardized language and data format for describing threat intelligence: indicators, threat actors, campaigns, TTPs, and their relationships. It is the common grammar.
- TAXII (Trusted Automated eXchange of Intelligence Information) — the transport protocol for exchanging STIX data between systems. Loosely: STIX is what you say; TAXII is how it travels.
Human and organizational sharing happens through ISACs (Information Sharing and Analysis Centers) — sector-specific trust communities such as FS-ISAC (financial services), H-ISAC (health), and MS-ISAC (state and local government) — as well as national bodies like CISA in the US. Open platforms like MISP are widely used to store, correlate, and exchange indicators.
⌘ Field Glossary
- Digital forensics
- The disciplined recovery, preservation, and analysis of digital evidence to produce accurate, legally defensible findings about an incident.
- Order of volatility
- The RFC 3227 principle of collecting the most ephemeral evidence (RAM, running state) first, before it is lost, then progressing to durable storage.
- Memory forensics
- Analysis of a RAM capture to reveal injected code, fileless malware, hidden processes, and cached credentials or keys; Volatility is the standard tool.
- Timeline analysis
- Correlating timestamps from disk, memory, and network into a single ordered narrative (a super timeline) of an intrusion.
- Intelligence lifecycle
- The repeatable cycle producing intelligence: Direction, Collection, Processing, Analysis, Dissemination, and Feedback.
- STIX / TAXII
- OASIS standards for threat intel sharing: STIX is the structured language for describing threats; TAXII is the transport protocol for exchanging it.
- ISAC
- Information Sharing and Analysis Center; a sector-specific trust community (e.g. FS-ISAC, H-ISAC) for exchanging threat intelligence among members.
Knowledge Check
Field Assessment
01 Following the order of volatility, which evidence should generally be collected FIRST?
02 What is the relationship between STIX and TAXII?
03 Which type of threat intelligence is aimed at executives and has the longest shelf life?