Digital Forensics and Incident Response (DFIR) combines investigative techniques with real-time threat response to uncover, preserve, and analyze digital evidence from compromised systems. Operating at the intersection of law enforcement methodologies and cybersecurity operations, DFIR practitioners must balance forensic soundness with operational urgency—ensuring evidence integrity while containing active threats. The field demands mastery of both volatile memory analysis (what's running right now) and non-volatile artifact examination (what happened in the past), where a single timestamp discrepancy or overlooked registry key can make the difference between attribution and dead ends.
What This Cheat Sheet Covers
This cheat sheet is organized into 20 focused tables covering 149 indexed concepts. Below is a complete table-by-table outline, from foundational concepts through advanced details.
Table 1: Evidence Acquisition Methods
Everything in an investigation rests on how the evidence was collected—do it wrong and nothing downstream is admissible. The methods here trade speed against completeness and span the full landscape: live captures that grab volatile RAM before it vanishes, full dead-disk images that preserve every deleted byte, and the cloud, mobile, and network variants that modern cases increasingly demand. The cardinal rule running through all of them is order of volatility—capture the fragile, disappearing data first.
| Method | Example | Description |
|---|---|---|
| Live acquisition | `winpmem_3.3.exe -o memory.raw`<br>`lime-forensics.ko -f RAM.lime` | • Captures volatile data from a running system • prioritizes RAM, active processes, and network connections before shutdown to preserve evidence that disappears when powered off |
| Dead (physical) imaging | `dd if=/dev/sda of=evidence.dd bs=512`<br>FTK Imager → Physical Drive → Create Image | • Creates a bit-for-bit copy of a powered-off storage device • ensures write protection via a hardware write blocker • preserves slack space, unallocated clusters, and deleted file remnants |
| Logical acquisition | Autopsy → Logical Files<br>`adb pull /data/data/com.app` | • Extracts only accessible files from a mounted filesystem • faster than physical imaging but misses deleted data and unallocated space • common for live triage and mobile devices |
| Sparse acquisition | `dcfldd if=/dev/sdb conv=sparse`<br>`ewfacquire -t sparse` | • Skips empty sectors to reduce image size • ideal for large drives with minimal data • maintains forensic integrity while saving storage space and transfer time |
| Remote acquisition | F-Response Enterprise → Remote Agent<br>`Velociraptor collect Windows.KapeFiles` | • Collects evidence over the network from geographically distant systems • enables rapid incident response without physical access • requires a secure, authenticated channel to prevent tampering |
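Whatever the acquisition method, the image is only useful downstream if its integrity can be demonstrated: hash the source and the copy at acquisition time, record both with the examiner and timestamp, and re-hash the image before every later analysis step. The script below is an added example written for this cheat sheet, not a tool the page references; it stands in for the verification step that wraps a `dd`-style copy. The 3 MiB "drive" it images is constructed in a temporary directory, and the examiner name is a placeholder. On a real case the source would be a block device read through a write blocker, but the hashing and record-keeping are identical.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images never load fully into RAM


def hash_image(path, algorithms=("md5", "sha256")):
    """Stream a file through the requested hash algorithms; return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_with_verification(source, destination, examiner="EXAMINER-PLACEHOLDER"):
    """Copy `source` to `destination` bit-for-bit, fsync it, hash both sides and
    return an acquisition record for the chain-of-custody log."""
    started = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(destination, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it
    source_hashes = hash_image(source)
    image_hashes = hash_image(destination)
    return {
        "source": source,
        "image": destination,
        "size_bytes": os.path.getsize(destination),
        "acquired_utc": started,
        "examiner": examiner,  # placeholder, not a real examiner id
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify_image(path, record):
    """Re-hash an image (e.g. before analysis) and check it still matches the record."""
    return hash_image(path, tuple(record["image_hashes"])) == record["image_hashes"]


def demo():
    """Constructed scenario: image a fake 3 MiB drive, verify it, then show that a
    single flipped byte after acquisition is caught by re-verification."""
    workdir = tempfile.mkdtemp()
    fake_drive = os.path.join(workdir, "sdb")  # constructed, not a real device
    with open(fake_drive, "wb") as fh:
        fh.write(b"\x00" * CHUNK + b"deleted-invoice.pdf remnant" + b"\x00" * (2 * CHUNK))
    image = os.path.join(workdir, "evidence.dd")
    record = acquire_with_verification(fake_drive, image)
    ok_before = verify_image(image, record)
    with open(image, "r+b") as fh:  # simulate tampering or bit rot in the image copy
        fh.seek(CHUNK)
        fh.write(b"X")
    ok_after = verify_image(image, record)
    shutil.rmtree(workdir)
    return {"record": record, "ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo()["record"], indent=2))
```

The record is what goes into the custody log; `verified` should be true at acquisition and `verify_image` should return true every time the image is touched afterwards. Two algorithms are kept because many existing case files and tools still report MD5 alongside SHA-256; the SHA-256 value is the one to rely on.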