A practical, field-tested structure for digital evidence handling.
This article summarizes a complete set of tools and methods used during forensic examinations and OSINT-assisted investigations. The goal is simple: collect, preserve, analyze, correlate, and report digital evidence without contaminating it.
The workflow is divided into six phases:
1. Identification
2. Acquisition
3. Validation
4. Analysis
5. Correlation
6. Reporting
1. Identification Phase
Before touching any device, you determine:
- What device type you are dealing with
- What potential evidence might exist
- Whether volatile data may be at risk
- What legal authority applies
- Whether the device is network-connected or running any remote-access tools
Common indicators to check:
- Running processes (possible RAT/VNC/remote-desktop apps)
- Logged-in user sessions
- Open ports
- Known communication software
- Browser sessions
- Recently installed applications
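A small live-triage check for the first two indicators above, written as an added example (it is not part of the original article or of any tool it names): it parses constructed `ps -eo pid,user,args` and `ss -lntp` style listings and flags process names and listening ports commonly associated with remote-access software. The watch-lists are illustrative assumptions, not a complete IOC set; a hit is a prompt to preserve volatile state before acquisition, not a verdict.

```python
"""Live-triage helper: flag remote-access indicators in process and socket
listings before acquisition. Added example, not from the original article."""
import re

# Process names commonly associated with remote-desktop / VNC / remote-shell
# tooling. Constructed watch-list for illustration; extend it from your own IOC set.
REMOTE_ACCESS_PROCESSES = {
    "teamviewer", "anydesk", "vncserver", "x11vnc", "winvnc", "rustdesk",
    "remoting_host", "sshd", "xrdp", "ngrok",
}

# Ports conventionally used by remote-access services (constructed mapping).
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 5938: "teamviewer", 7070: "anydesk"}


def parse_ps(lines):
    """Parse 'ps -eo pid,user,args' output into (pid, user, args) tuples.

    The header row and malformed lines are skipped."""
    rows = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], parts[2].strip()))
    return rows


def parse_listening(lines):
    """Parse 'ss -lntp' output; return the set of listening TCP ports."""
    ports = set()
    for line in lines:
        # Local address may be 0.0.0.0:22, [::]:22 or *:22; capture the port.
        m = re.search(r"LISTEN\s+\S+\s+\S+\s+\S*:(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def flag_remote_access(ps_lines, ss_lines):
    """Return a list of findings; each is a dict describing a process or port hit."""
    findings = []
    for pid, user, args in parse_ps(ps_lines):
        # Executable name = first token, without its directory.
        name = args.split()[0].lower().rsplit("/", 1)[-1]
        if name in REMOTE_ACCESS_PROCESSES:
            findings.append({"type": "process", "pid": pid, "user": user, "name": name})
    for port in sorted(parse_listening(ss_lines)):
        if port in REMOTE_ACCESS_PORTS:
            findings.append({"type": "port", "port": port, "service": REMOTE_ACCESS_PORTS[port]})
    return findings


# Constructed sample listings standing in for captured command output.
SAMPLE_PS = [
    "  PID USER     COMMAND",
    "    1 root     /sbin/init",
    "  812 root     sshd: /usr/sbin/sshd -D",
    " 2231 alice    /opt/anydesk/anydesk --tray",
    " 2310 alice    /usr/lib/firefox/firefox",
]
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    "LISTEN 0      128          0.0.0.0:22        0.0.0.0:*",
    "LISTEN 0      5            0.0.0.0:5900      0.0.0.0:*",
    "LISTEN 0      511        127.0.0.1:631       0.0.0.0:*",
]

if __name__ == "__main__":
    for finding in flag_remote_access(SAMPLE_PS, SAMPLE_SS):
        print(finding)
```

On the sample data this reports `sshd` (pid 812), `anydesk` (pid 2231) and listening ports 22 and 5900; the CUPS port 631 is parsed but not flagged. Note that `sshd:` with the trailing colon is how OpenSSH titles its listener process, so the executable-name normalisation strips it before the lookup.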
2. Acquisition Phase
The goal here is bit-by-bit preservation of the device, so that the completeness and integrity of the image cannot be challenged later.
Recommended tools:
- FTK Imager – full disk imaging
- Magnet Acquire – mobile & disk acquisition
- dd / dc3dd / Guymager – Linux disk imaging
- USB Write Blocker – hardware-level evidence protection
- Velociraptor (Live Triage) – safe live data extraction
- KAPE – targeted collection of key forensic artefacts
- Autopsy – file system extraction and timelines
Typical outputs:
- Full disk image (.dd, .E01)
- Hashes (SHA256) for verification
- Triage bundle (browser history, logs, registry hives)
- Export of volatile data if applicable (RAM, network connections)
3. Validation Phase
Every collected image or file must be verified.
Tools:
- sha256sum / md5deep
- HashCalc
- Autopsy verification
Purpose:
- Demonstrate integrity
- Demonstrate no tampering
- Ensure chain of custody
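The validation step in code, as an added example rather than anything from the article or the tools it lists: the script streams each acquired image through SHA-256 and MD5 (the way `sha256sum` and `md5deep` do), records the digests, file size and name in a manifest that goes into the chain-of-custody record, and later re-hashes the files against that manifest. The same manifest rows are what the report's hash verification table is built from. The `demo()` run uses a constructed three-byte stand-in for a disk image and simulates a post-acquisition modification to show a mismatch being caught.

```python
"""Evidence hash manifest: compute, record and re-verify SHA-256 and MD5 of
acquired images. Added example, not from the article or any tool it names."""
import hashlib
import io
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # read images in 4 MiB pieces; never load a full image into memory


def _hash_stream(fh, algorithms):
    """Feed one pass over a binary stream into several hashers at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("sha256", "md5")):
    """Digests of an in-memory buffer (handy for tests and small exports)."""
    return _hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("sha256", "md5")):
    """Digests of a file on disk, read exactly once."""
    with open(path, "rb") as fh:
        return _hash_stream(fh, algorithms)


def write_manifest(paths, manifest_path):
    """Write tab-separated 'sha256 md5 size name' rows for the chain-of-custody record."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for p in paths:
            d = hash_file(p)
            out.write(f"{d['sha256']}\t{d['md5']}\t{os.path.getsize(p)}\t{os.path.basename(p)}\n")


def verify_manifest(manifest_path, directory):
    """Re-hash every listed file; return {name: 'OK' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            sha, md5, size, name = line.rstrip("\n").split("\t", 3)
            p = os.path.join(directory, name)
            if not os.path.exists(p):
                results[name] = "MISSING"
                continue
            d = hash_file(p)
            ok = d["sha256"] == sha and d["md5"] == md5 and os.path.getsize(p) == int(size)
            results[name] = "OK" if ok else "MISMATCH"
    return results


def demo():
    """Constructed run: record an image, verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.dd")
        with open(img, "wb") as f:
            f.write(b"abc")  # stands in for an acquired image (constructed)
        manifest = os.path.join(d, "manifest.tsv")
        write_manifest([img], manifest)
        before = verify_manifest(manifest, d)
        with open(img, "ab") as f:
            f.write(b"!")  # simulate a post-acquisition modification
        after = verify_manifest(manifest, d)
        return before, after


if __name__ == "__main__":
    print(demo())  # ({'disk.dd': 'OK'}, {'disk.dd': 'MISMATCH'})
```

Checking size alongside the digests costs nothing and catches the common case of a truncated copy before the hashing even finishes. Keep the manifest itself under the same custody as the images: a digest nobody recorded at acquisition time proves nothing later.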
4. Analysis Phase
This is the heart of the forensic/OSINT workflow — extracting meaning from the collected data.
Core analysis tools:
- Autopsy / Sleuth Kit – file system, timeline, deleted files
- KAPE – browser data, registry, logs
- Velociraptor – live investigations, IOC detection
- Bulk Extractor – emails, URLs, credit cards
- ExifTool – metadata inspection
- RegRipper – registry forensics
- Strings, xxd – low-level binary inspection
- PEStudio – malware triage
- CyberChef – decoding, deobfuscation
- Hash databases – NSRL, VirusTotal (cleaned, anonymized queries)
OSINT-specific tools:
- Shodan / Censys – infrastructure fingerprinting (use anonymized IPs)
- Wayback Machine – historical content
- Whois / RDAP – domain attribution
- DNS trails – DNS history
- Blockchain explorers – crypto tracing
- Metadata extraction suites
5. Correlation Phase
Here you assemble the big picture.
Examples of correlation tasks:
- Matching browser sessions with transaction timestamps
- Linking communication apps with external infrastructure
- Aligning clipboard history with crypto transactions
- Pairing remote access tool activity with log-in events
- Cross-checking timeline evidence with OSINT sources
- Mapping IP activity to anonymized external infrastructure
This phase often decides the success of the entire investigation.
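The first and third correlation tasks above (browser sessions against transaction timestamps) in code, as an added example that is not from the article: every source is normalised to UTC first, because browser exports, explorer APIs and system logs rarely agree on a zone, and then each transaction is paired with the nearest browser event inside a tolerance window. The browser history and transactions are constructed, and the window of 120 seconds is an assumption to tune per case.

```python
"""Timeline correlation: pair browser-session events with transaction
timestamps inside a tolerance window after normalising to UTC.
Added example; the events are constructed, not from a real case."""
from datetime import datetime, timedelta, timezone


def parse_ts(value, assumed_tz=timezone.utc):
    """Parse ISO-8601; a naive timestamp (no offset) gets the zone the source is documented to use."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=assumed_tz)
    return ts.astimezone(timezone.utc)


def correlate(left, right, window_seconds=120):
    """Return (left_event, right_event, delta_seconds) triples.

    Each right-hand event is paired with at most one left-hand event: the
    nearest one whose timestamp lies within the window. Inputs are lists of
    dicts carrying a UTC-aware datetime under 'ts'."""
    window = timedelta(seconds=window_seconds)
    left_sorted = sorted(left, key=lambda e: e["ts"])
    matches = []
    for r in sorted(right, key=lambda e: e["ts"]):
        best = None
        for l in left_sorted:
            delta = abs(l["ts"] - r["ts"])
            if delta <= window and (best is None or delta.total_seconds() < best[2]):
                best = (l, r, delta.total_seconds())
        if best is not None:
            matches.append(best)
    return matches


def unmatched(right, matches):
    """Right-hand events that found no partner; these need another evidence source."""
    paired = {id(m[1]) for m in matches}
    return [r for r in right if id(r) not in paired]


# Constructed browser history, exported with a local UTC+02:00 offset.
BROWSER_HISTORY = [
    {"url": "https://exchange.example/withdraw", "ts": parse_ts("2024-03-04T14:02:10+02:00")},
    {"url": "https://news.example/", "ts": parse_ts("2024-03-04T15:30:00+02:00")},
]
# Constructed transaction list; the explorer emits naive UTC strings.
TRANSACTIONS = [
    {"txid": "tx-0001", "ts": parse_ts("2024-03-04T12:03:05")},  # 55 s after the withdraw page
    {"txid": "tx-0002", "ts": parse_ts("2024-03-04T18:00:00")},  # nothing in the browser nearby
]

if __name__ == "__main__":
    hits = correlate(BROWSER_HISTORY, TRANSACTIONS)
    for page, tx, delta in hits:
        print(f"{tx['txid']} ~ {page['url']} ({delta:.0f} s)")
    for tx in unmatched(TRANSACTIONS, hits):
        print(f"{tx['txid']} unexplained by browser history")
```

Without the UTC normalisation, `tx-0001` would appear two hours away from the withdrawal page and the link would be missed; with it, the pair lands 55 seconds apart. Events that stay unmatched are as important as the hits, since they point to activity that happened through another channel (a second device, an app, a remote session).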
6. Reporting Phase
Your output must be:
- Clear
- Reproducible
- Legally defensible
- Structured chronologically
Typical structure:
- Executive summary
- Timeline of events
- Evidence overview
- Screenshots of artefacts
- Hash verification table
- Analysis conclusions
- Recommendations / mitigation
Summary
This workflow is a distilled version of real-world digital forensics and OSINT practices. It ensures evidence is collected, validated, analyzed, correlated, and documented in a way that withstands scrutiny — whether for internal investigations or legal proceedings.
Future articles in the Forensics section will go deeper into every phase, including:
- Full remote-access forensic triage scripts
- Detecting screen-sharing malware
- Behavioral analysis of compromised systems
- Crypto tracing and identity correlation
- Building automated OSINT pipelines with n8n and a local LLM