Forensics Lifecycle, Investigation Phases & OSI Model in Forensics
This final lesson covers the systematic process of conducting a digital forensics investigation — from the moment an incident is detected through to the presentation of findings in court or to management. It also explores how the OSI 7-layer model provides a framework for network forensics.
---
The Digital Forensics Lifecycle — Six Phases
The lifecycle is the structured methodology that ensures forensic investigations are thorough, repeatable, legally defensible, and scientifically rigorous.
| Phase | Name | Objectives | Key Activities | Tools Used |
|---|---|---|---|---|
| 1 | Identification | Identify what devices and data are relevant to the investigation | Interview witnesses, review logs, identify crime scene scope | Case management software |
| 2 | Preservation | Prevent alteration or destruction of evidence | Write-block devices, create forensic images, Faraday bags for mobile | Hardware write blockers, Faraday bags |
| 3 | Collection | Systematically acquire evidence following legal procedures | Bit-for-bit imaging, hash verification, document chain of custody | FTK Imager, dd, dcfldd, Guymager |
| 4 | Examination | Filter and process large data volumes to find relevant content | File system analysis, deleted file recovery, keyword search, timeline | Autopsy, EnCase, X-Ways Forensics |
| 5 | Analysis | Interpret and correlate findings to reconstruct events | Timeline reconstruction, malware analysis, attribution | Volatility, Log2Timeline, Maltego |
| 6 | Presentation | Communicate findings to stakeholders and courts | Write expert report, prepare exhibits, testify as expert witness | Report templates, courtroom presentations |
---
Phase 1: Identification — Detailed
Proper identification sets the scope and direction of the entire investigation:
- Triage assessment: Which systems, accounts, or devices are likely to contain evidence?
- Legal authority: Is there a search warrant, court order, or employee consent? What is the scope?
- Evidence potential: Is the device still powered on (volatile data available)? When was the incident?
- Documentation: Photograph the scene before touching anything — screen state, physical setup
---
Phase 2 & 3: Preservation and Collection — Detailed
Preservation protects evidence from inadvertent modification:
- Powered-on systems: Capture RAM BEFORE powering off (RAM is volatile and is lost at shutdown)
- Powered-off systems: Do NOT power on — connect write blocker, then image
- Mobile devices: Faraday bag immediately (prevents remote wipe)
- Cloud evidence: Issue legal hold or preservation request to provider
Collection — Forensic Imaging:
- Connect evidence drive to forensic workstation through hardware write blocker
- Create a bit-for-bit forensic image using FTK Imager or the dd command
- Calculate MD5 + SHA-256 hashes of the original evidence drive
- Calculate hash of forensic image
- Verify hashes match (proves exact copy)
- Work exclusively on the forensic image — never on the original
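The imaging and verification steps above, as an added example that is not part of the lesson. It copies a source in fixed-size chunks, hashes the bytes as they are read (the way dcfldd does), independently re-hashes the finished image, writes a chain-of-custody record, and shows re-verification catching a single flipped byte. The hardware write blocker is assumed to sit in front of the source; on a real case `source` would be a raw device such as `/dev/sdb` (root required), and the examiner name, evidence ID and sample "drive" here are constructed.

```python
"""Forensic acquisition with in-line hashing and custody record (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-TB sources stream without buffering


def hash_file(path: str) -> dict:
    """MD5 + SHA-256 of a file in a single pass (the 'calculate hash' steps)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(source: str, image: str, examiner: str, evidence_id: str) -> dict:
    """Bit-for-bit copy of `source` to `image`; hashes the source bytes as they are
    read, then re-hashes the written image and records whether the two agree."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it
    source_hashes = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    image_hashes = hash_file(image)
    record = {
        "evidence_id": evidence_id,          # assumed case/evidence labelling scheme
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source, "image": image, "bytes": size,
        "source_hashes": source_hashes, "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }
    with open(image + ".custody.json", "w") as f:   # chain-of-custody entry
        json.dump(record, f, indent=2)
    return record


def verify_image(image: str, record: dict) -> bool:
    """Re-verification before every examination session: the working copy must
    still match the hashes recorded at acquisition."""
    return hash_file(image) == record["source_hashes"]


def demo() -> dict:
    """Constructed run: a 3 MiB 'drive' of random bytes, acquired, then tampered with."""
    work = tempfile.mkdtemp()
    drive = os.path.join(work, "suspect_drive.bin")
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))        # odd size: exercises the last partial chunk
    record = acquire(drive, os.path.join(work, "suspect.dd"), "J. Doe", "EV-2024-001")
    clean = verify_image(record["image"], record)
    with open(record["image"], "r+b") as f:         # flip one bit inside the second chunk
        f.seek(CHUNK + 5)
        b = f.read(1)
        f.seek(CHUNK + 5)
        f.write(bytes([b[0] ^ 0x01]))
    tampered = verify_image(record["image"], record)
    return {"verified_at_acquisition": record["verified"], "verify_before_exam": clean,
            "verify_after_tamper": tampered, "bytes": record["bytes"],
            "md5_len": len(record["image_hashes"]["md5"]),
            "sha256_len": len(record["image_hashes"]["sha256"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing while copying is what dcfldd and FTK Imager do; a stricter protocol hashes the original in a separate read so that a read error during copying cannot go unnoticed. Either way, any later mismatch means the image (or the record) can no longer be relied on, which is why the custody record is written next to the image and checked before each session.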
Hash Comparison Table:
| Hash Algorithm | Hash Length | Current Status | Speed | Use in Forensics |
|---|---|---|---|---|
| MD5 | 128-bit (32 hex chars) | Cryptographically broken (collisions) | Very Fast | Still widely used for file integrity (not security) |
| SHA-1 | 160-bit (40 hex chars) | Broken (SHAttered, 2017) | Fast | Legacy forensics tools |
| SHA-256 | 256-bit (64 hex chars) | Secure | Medium | Recommended standard |
| SHA-512 | 512-bit (128 hex chars) | Very Secure | Slower | High-value evidence |
---
Phase 4 & 5: Examination and Analysis — Detailed
Examination transforms the raw forensic image into useful data:
- File system analysis: Recover deleted files (unallocated clusters), parse file system metadata (MFT entries, inodes)
- Registry analysis: Extract user activity, installed programs, USB history, last run programs (Windows Registry)
- Browser forensics: History, downloads, bookmarks, cache, saved passwords
- Email forensics: PST/OST files, webmail cache, sent/received email
- Log analysis: Windows Event Logs (Security, System, Application), /var/log/* (Linux)
Analysis draws conclusions:
- Timeline reconstruction: Using all timestamp sources to build a chronological activity timeline
- Malware analysis: Static (strings, PE headers, hashes) and dynamic (sandbox execution) analysis
- Network forensics: Reviewing PCAP captures, firewall logs, DNS logs
- Attribution: Attempting to identify who is responsible
---
Computer Forensics Investigation Process
The investigation process (distinct from the lifecycle) focuses on the specific investigation workflow:
| Step | Activity | Decision Point | Output |
|---|---|---|---|
| Case Intake | Receive assignment, understand legal context | Civil vs criminal? Internal vs external? | Case file opened |
| Scene Documentation | Photograph and note all devices, connections, states | Devices on/off? Encryption visible? | Scene photos + notes |
| Evidence Seizure | Bag and tag all relevant devices | Follow search warrant scope exactly | Tagged evidence bags |
| Lab Intake | Log into evidence management system | Condition check, tampering signs? | Evidence log entry |
| Forensic Imaging | Create verified forensic copies | Hash verification passed? | Forensic image + hash log |
| Initial Triage | Quick scan for obvious relevant artifacts | Anything immediately visible? | Triage report |
| Deep Examination | Thorough forensic analysis | Follow the evidence | Analysis notes |
| Timeline Construction | Correlate all timestamps | Consistent with alleged events? | Activity timeline |
| Report Writing | Document findings in legally defensible report | Findings support allegation? | Expert forensics report |
| Testimony | Present findings to court or management | Findings withstand cross-examination? | Court decision |
---
OSI 7-Layer Model Applied to Computer Forensics
The OSI (Open Systems Interconnection) model provides a framework for understanding where evidence exists in network communications:
| OSI Layer | Layer Name | Protocol Examples | Forensic Artifacts | Forensic Tools |
|---|---|---|---|---|
| Layer 1 | Physical | Ethernet, Wi-Fi (physical signals) | Cable taps, hardware keystroke loggers, network tap evidence | Physical inspection, spectrum analyzer |
| Layer 2 | Data Link | Ethernet frames, ARP, MAC addresses | MAC address logs, ARP cache (attacker's MAC in victim's ARP table), Wi-Fi probe requests | Wireshark (Layer 2 frames), ARP logs |
| Layer 3 | Network | IP, ICMP, routing protocols | Source/destination IPs, IP packet headers, traceroute results | Wireshark, tcpdump, firewall logs |
| Layer 4 | Transport | TCP, UDP, port numbers | TCP connection logs (source port, destination port, timestamps), session reconstruction | Zeek (Bro), NetFlow, firewall logs |
| Layer 5 | Session | NetBIOS, RPC, SMB session setup | Session establishment logs, authentication attempts, SMB shares accessed | Windows Event Logs, Wireshark SMB dissector |
| Layer 6 | Presentation | SSL/TLS, encoding, encryption | TLS certificate logs, encrypted traffic metadata, protocol fingerprinting | JA3 fingerprinting, TLS inspection logs |
| Layer 7 | Application | HTTP, SMTP, DNS, FTP, SSH | Web access logs, email headers, DNS queries, file transfer logs, command history | Web server logs, Splunk, Elastic |
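The layer-by-layer artifact mapping in the table above, as an added example that is not part of the lesson: a hand-built Ethernet/IPv4/TCP/HTTP frame is decoded and the evidence each layer yields (MACs, IPs and TTL, ports and flags, the HTTP request) is collected per layer. The frame, its addresses and the request are constructed for illustration, not a real capture; because the sample is cleartext HTTP there are no Layer 5/6 artifacts (no TLS handshake or certificate) to recover, and the decoder says so.

```python
"""Decode one frame into per-OSI-layer forensic artifacts (added example)."""
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\0"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed frame: GET /admin from 10.0.0.5:51234 to 203.0.113.10:80."""
    payload = (b"GET /admin HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: curl/8.0\r\n\r\n")
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 0x1000, 0x2000, 5 << 4, 0x18, 64240, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip_wo = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                        bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    ip = ip_wo[:10] + struct.pack("!H", ip_checksum(ip_wo)) + ip_wo[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_http_request(payload: bytes) -> dict:
    """Request line + headers: the Layer 7 artifacts a web access log would also carry."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body_bytes": len(body)}


def decode(frame: bytes) -> dict:
    """Peel the frame layer by layer, recording what each layer gives the investigator."""
    layers = {}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers["L2_data_link"] = {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": f"0x{etype:04x}"}
    if etype != 0x0800:
        return layers                                   # not IPv4: nothing more to decode here
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    _, _, total_len, ident, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    layers["L3_network"] = {"src_ip": ipv4(s), "dst_ip": ipv4(d), "ttl": ttl, "protocol": proto,
                            "ip_id": ident, "checksum_ok": ip_checksum(ip_hdr) == 0}
    if proto != 6:
        return layers
    tcp_start = 14 + ihl
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    doff = (off >> 4) * 4
    layers["L4_transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                              "window": win, "flags": [n for bit, n in TCP_FLAGS if flags & bit]}
    payload = frame[tcp_start + doff:14 + total_len]
    if payload.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"}:
        layers["L5_L6"] = "none: cleartext HTTP, no TLS handshake or certificate artifacts"
        layers["L7_application"] = parse_http_request(payload)
    return layers


if __name__ == "__main__":
    for layer, artifacts in decode(build_sample_frame()).items():
        print(layer, artifacts)
```

A failing IP header checksum on a captured frame is itself worth noting in the examination notes: it usually means capture corruption or checksum offloading on the capturing NIC rather than an attack, but it must be explained before the Layer 3 fields are relied upon.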
---
Key Forensic Tools Reference
| Tool | Category | Primary Use | OS | License |
|---|---|---|---|---|
| Autopsy | Disk Forensics | Complete disk forensics, file system analysis, deleted file recovery | Windows, Linux | Free, Open Source |
| FTK Imager | Acquisition | Forensic imaging, hash verification, preview | Windows | Free (Imager), Paid (FTK full) |
| Volatility | Memory Forensics | RAM analysis — processes, network connections, malware detection | Windows, Linux, macOS | Free, Open Source |
| Wireshark | Network Forensics | Packet capture and analysis | All platforms | Free, Open Source |
| EnCase | Enterprise Forensics | Complete investigation platform, e-discovery | Windows | Commercial |
| Cellebrite UFED | Mobile Forensics | iOS and Android data extraction | Windows (hardware) | Commercial |
| Log2Timeline / Plaso | Timeline Analysis | Super-timeline creation from multiple evidence sources | Linux, Windows, macOS | Free, Open Source |
| Maltego | Link Analysis | Visualize relationships between entities | All platforms | Free (limited), Commercial |
Exam Tip: The six phases of digital forensics lifecycle are: Identification → Preservation → Collection → Examination → Analysis → Presentation. Remember them in order — they are a very common exam question. Also know that the OSI model's Layer 7 (Application) provides the most forensically rich evidence (email, HTTP, DNS logs), while Layer 1 (Physical) evidence includes hardware keystroke loggers and network taps.
---
Steganography in Forensics
Steganography poses unique forensic challenges:
- Detection: Analysts use steganalysis tools to detect statistically anomalous images (unusual LSB patterns, unexpected file entropy)
- Extraction: Tools like Steghide and SilentEye can extract hidden data from known carrier formats; StegSolve helps inspect individual bit planes and colour channels to locate it
- Legal context: In the 2010 Anna Chapman spy ring case (USA), Russian spies used steganography in public website images to transmit instructions — demonstrating that steganography is a genuine operational tradecraft tool, not just academic curiosity
---
Study Deep: Investigation Process and OSI Forensics
- Timeline analysis is the gold standard: Super-timelines — created by tools like log2timeline/Plaso — aggregate timestamps from dozens of evidence sources (filesystem metadata, registry, event logs, browser history, email headers) into a unified chronological view, after normalising each source's own epoch and format (FILETIME, Unix, WebKit) to UTC. This lets investigators reconstruct the sequence of events, usually to the second (NTFS and EVTX timestamps carry sub-second resolution). Timeline gaps (missing logs) are themselves forensically significant.
- The OSI model guides network forensic strategy: When investigating a network intrusion, Layer 7 logs (web server, email) tell you WHAT was requested. Layer 4 logs (NetFlow, firewall) tell you HOW MUCH data moved and WHEN. Layer 3 logs (router syslog) tell you WHERE the traffic came from. Correlating all layers gives a complete picture. Attackers aware of forensics try to delete Layer 7 logs but often forget Layer 3–4 logs.
- Malware reverse engineering is a specialized forensic discipline: Analyzing malware found on a forensic image requires both static analysis (IDA Pro, Ghidra disassembly, PE header analysis) and dynamic analysis (running in a sandboxed VM, monitoring system calls with Process Monitor, network activity with Wireshark). CAPA (by Mandiant) automatically identifies malware capabilities from binary code.
- Living off the Land evidence is subtle: When attackers use native OS tools (PowerShell, WMI, PsExec), they don't leave malware artifacts. Forensic evidence is in: Windows Event Log ID 4688 (process creation; only recorded if process-creation auditing is enabled, and the command line appears only if command-line logging is also turned on), PowerShell Operational logs, WMI subscription entries, Scheduled Task XML files, Prefetch files (which executables ran and when). These are easy to overlook without systematic examination.
- Report writing is as important as analysis: A forensic report that is technically brilliant but incomprehensible to a judge or jury fails its purpose. Forensic reports must: (1) explain complex technical concepts in plain language, (2) distinguish findings (facts) from opinions (interpretations), (3) use exhibits and diagrams, (4) state methodology clearly so it can be independently reproduced, (5) comply with jurisdiction-specific expert witness report requirements.
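The timeline reconstruction step from the Analysis phase, the super-timeline and gap points in the Study Deep notes, and the living-off-the-land evidence sources listed above, as one added example that is not part of the lesson. Artifacts from five sources with four different timestamp formats (NTFS $MFT FILETIME, Chrome WebKit microseconds, NetFlow Unix seconds, EVTX ISO-8601) are normalised to UTC and merged into a single timeline; suspicious 4688 command lines and a log-clearing event are flagged; and silences longer than a threshold are reported as candidate missing logs. All artifacts, paths, user names and addresses are constructed for illustration.

```python
"""Super-timeline with living-off-the-land triage and gap detection (added example)."""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)
Event = namedtuple("Event", "ts source detail")


# --- timestamp normalisation: every source becomes a tz-aware UTC datetime ---------
def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC ($MFT, Prefetch, registry)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def webkit_to_utc(us: int) -> datetime:
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC (History, Downloads)."""
    return EPOCH_1601 + timedelta(microseconds=us)


def unix_to_utc(secs: int) -> datetime:
    """Unix epoch seconds (NetFlow exports, Linux logs, most SQLite artifacts)."""
    return datetime.fromtimestamp(secs, tz=UTC)


def iso_to_utc(s: str) -> datetime:
    """EVTX exports usually carry ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# --- constructed sample artifacts (illustrative, not real evidence) ------------------
MFT_CREATED = [  # (path, $STANDARD_INFORMATION created time as FILETIME)
    (r"C:\Users\bob\Downloads\invoice.pdf.lnk", 132985476000000000),   # 09:00:00
    (r"C:\Windows\System32\Tasks\Updater", 132985476300000000),        # 09:00:30
]
CHROME_DOWNLOADS = [("https://files.example/invoice.pdf.lnk", 13298547595000000)]  # 08:59:55
PREFETCH = [("POWERSHELL.EXE-59FC8F3D.pf", 132985476120000000)]                      # 09:00:12
NETFLOW = [(1654074020, "10.0.0.5:51234 -> 203.0.113.10:443, 48 KiB out")]          # 09:00:20
EVTX = [  # (timestamp, event id, detail)
    ("2022-06-01T09:00:07Z", 4688, r"Parent: explorer.exe  New: cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"),
    ("2022-06-01T09:00:09Z", 4688, r"Parent: explorer.exe  New: C:\Windows\System32\notepad.exe"),
    ("2022-06-01T11:30:00Z", 1102, "The audit log was cleared by bob"),
]


def build_timeline() -> list:
    """Merge every source into one chronologically sorted list: the super-timeline."""
    events = []
    events += [Event(filetime_to_utc(ft), "$MFT created", p) for p, ft in MFT_CREATED]
    events += [Event(webkit_to_utc(us), "Chrome Downloads", u) for u, us in CHROME_DOWNLOADS]
    events += [Event(filetime_to_utc(ft), "Prefetch last run", n) for n, ft in PREFETCH]
    events += [Event(unix_to_utc(t), "NetFlow", d) for t, d in NETFLOW]
    events += [Event(iso_to_utc(t), f"Security EID {eid}", d) for t, eid, d in EVTX]
    return sorted(events, key=lambda e: e.ts)


# Command-line patterns typical of native-tool abuse (illustrative subset, not exhaustive)
LOLBIN = re.compile(r"(?i)powershell[^\n]*?(-enc|-e\s|-nop|-w\s+hidden|iex|downloadstring)"
                    r"|\bwmic\b|psexec|mshta|regsvr32[^\n]*?/i\b|certutil[^\n]*?-urlcache")


def flag_suspicious(timeline: list) -> list:
    """LotL command lines in 4688 events, plus audit-log clearing (EID 1102) as anti-forensics."""
    hits = []
    for e in timeline:
        if e.source == "Security EID 4688" and LOLBIN.search(e.detail):
            hits.append(("living-off-the-land", e))
        elif e.source == "Security EID 1102":
            hits.append(("log cleared", e))
    return hits


def find_gaps(timeline: list, threshold: timedelta = timedelta(hours=1)) -> list:
    """Silences longer than `threshold` between consecutive events: candidate missing logs."""
    return [(a, b, b.ts - a.ts) for a, b in zip(timeline, timeline[1:]) if b.ts - a.ts > threshold]


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.ts.strftime("%Y-%m-%d %H:%M:%S"), f"{e.source:18}", e.detail)
    for kind, e in flag_suspicious(tl):
        print("FLAG", kind, e.ts, e.detail)
    for a, b, delta in find_gaps(tl):
        print("GAP", a.ts, "->", b.ts, delta)
```

Read in order, the merged view tells the story no single source does: a download, the .lnk it created, the encoded PowerShell it launched (confirmed by Prefetch), an outbound connection seconds later, a persistence task, then a two-and-a-half-hour silence ending in a cleared audit log. The gap plus the 1102 event is the cue to go looking for the missing records in other sources (Sysmon, EDR telemetry, the forwarding collector).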