MF0.8 Legal Context for Memory Evidence

Module 0 · Free
What you already know

From MF0.1-0.7 you know when to acquire, how to analyse, and how to tier findings with defensible confidence language. What you don't yet know is the legal frame those findings sit inside. Memory evidence is, by design, volatile, derived, and non-replicable — three properties that challenge traditional evidence admissibility standards. MF0.8 establishes the jurisdiction-specific rules (UK CPR 35 and ACPO, US Daubert, EU eIDAS/CoE) plus the cross-jurisdiction principles that make memory evidence survive in adversarial proceedings.

Operational Objective

A memory forensics investigation can be technically excellent and still fail when the findings reach legal review. The failure mode is almost never the analysis — it's the acquisition record, the chain of custody, the methodology description, or the reporting language that doesn't match the evidence. Opposing counsel doesn't need to prove your conclusions are wrong; they only need to demonstrate that the process that produced the findings isn't reliable enough to trust.

Every memory forensics practitioner whose work may end up in an employment tribunal, a cyber-insurance claim, a regulatory investigation, or a criminal proceeding needs to understand the evidentiary standards memory evidence faces, the procedural steps that preserve admissibility, the best-evidence considerations specific to memory images, and the expert-witness reporting conventions that survive cross-examination.

This subsection establishes those standards. It is not a substitute for legal counsel — any specific matter will need a lawyer — but it is the working knowledge every practitioner needs so that an investigation stays defensible from the moment acquisition begins.

Deliverable: Working knowledge of the evidentiary standards memory evidence faces in UK civil and criminal proceedings (with reference to the parallel US Daubert standard and the EU electronic-evidence conventions), the chain-of-custody discipline that preserves admissibility, the best-evidence considerations specific to memory images, the expert-witness reporting conventions that match the confidence tiers from MF0.7, and the specific procedural steps you apply during and after acquisition to keep findings defensible.
Estimated completion: 35 minutes
THE EVIDENCE LIFECYCLE — FROM ACQUISITION TO TESTIMONY

ACQUISITION
What is recorded:
• Authorisation
• Trigger condition
• Tool + version
• Operator identity
• Start/end timestamp
• SHA-256 of image
• Target identification
Standard invoked: UK: ACPO Principles; US: FRE 901 (authenticity); EU: eIDAS trust services
Failure mode: Undocumented authorisation or unknown operator = evidence excluded

CUSTODY
What is recorded:
• Every handler
• Every transfer
• Storage location
• Hash re-verification
• Access log entries
• Environmental control
• Disposal or retention
Standard invoked: UK: CPR Part 31 / CrimPR; US: FRE 901(a) authenticity; EU: GDPR Art 5(2)
Failure mode: Any gap in transfer log = tampering defence opens regardless of actual state

ANALYSIS
What is recorded:
• Tool + version used
• Commands executed
• Output files produced
• Verification performed
• Alternatives ruled out
• Confidence tier
• Peer / self review
Standard invoked: UK: CPR 35 / CrimPR 19; US: FRE 702 (Daubert); EU: eIDAS evidence rules
Failure mode: Unreproducible method or unstated limitations = methodology challenged

TESTIMONY
What is required:
• Expert's CV
• Scope declaration
• Duty to court statement
• Methodology audit
• Findings with tiers
• Limitations stated
• Exhibits attached
Standard invoked: UK: CPR 35 duties; US: Daubert factors; EU: member-state rules
Failure mode: Overclaiming a finding beyond its tier = credibility damage

Figure 0.8.1 — The four phases of the evidence lifecycle. Each has its own documentation requirements and its own failure modes. A defect in any earlier phase cascades forward; testimony cannot rescue an investigation that failed at custody.

Why memory evidence faces distinct legal challenges

Memory evidence is different from filesystem evidence in ways that courts have been slower to accommodate than the technical community has been to produce it. The differences matter for admissibility.

Memory is volatile by definition. The image captured at acquisition cannot be reproduced; a second acquisition fifteen minutes later would capture a different memory state. Filesystem evidence, by contrast, is persistent — a disk image captured today can be reproduced tomorrow with byte-for-byte identical content (assuming the disk hasn't been written to). The uniqueness of a memory image means there is no independent reference to validate against; if opposing counsel argues the image was corrupted or tampered with, the investigator cannot produce a "known-good" copy for comparison. The hash recorded at acquisition is the only anchor.

Memory is interpreted by software. Raw bytes on disk (a PDF, a DOCX, an event log entry) can be inspected with tools most judges understand — the document opens, the log line is readable. A memory image is 16 GB of binary data whose meaning depends on which operating system version, build number, and page-table structure was active when it was captured. Extracting anything useful requires running a tool (Volatility 3, MemProcFS, WinDbg) that itself interprets the bytes according to symbol tables, kernel structure definitions, and plugin logic. The evidentiary chain therefore includes not just the image but the tool, the tool's version, and the tool's symbol sources. Every one of those is an opening for challenge.

Memory contains data the law treats as privileged. Cached email content, Teams and Slack messages, document drafts in Office application memory, decrypted database buffers, clipboard contents, and browser form data all live in memory while applications are running. An investigation that routinely analyses these without scope discipline can capture communications between the target and their solicitor, personal correspondence unrelated to the incident, or information covered by legal privilege. The analysis scope and the data-minimisation discipline are not administrative overhead — they are the difference between lawful and unlawful processing of personal data under UK GDPR Article 5(1), and between admissible and inadmissible evidence under CPR 32.

These three properties — uniqueness, tool-dependent interpretation, and privilege exposure — mean memory forensics has to do more procedural work than disk forensics to meet the same evidentiary bar. The practitioner who treats memory acquisition as an extension of disk acquisition, without these specific disciplines, produces evidence that a careful opposing counsel can contest in ways that are harder to rebut than equivalent challenges to disk evidence.

Extended context — ACPO principles and the memory-acquisition exception

The UK legal context for digital evidence is anchored in the ACPO Good Practice Guide for Digital Evidence (now maintained by the National Police Chiefs' Council). The guide's four principles — that no action should change data held on a computer or storage media relied on in court, that where a person must access original data they must be competent to do so, that an audit trail of actions taken must be created and preserved, and that the person in charge of the investigation has overall responsibility for ensuring adherence to these principles — date from 1998 and were written with disk forensics in mind. Memory acquisition inherently changes the system being investigated (the acquisition tool loads into memory and alters the very data being captured), which creates friction with Principle 1. The resolution is that memory acquisition is treated as a carefully-documented, minimised intervention — the acquisition tool is chosen to minimise its footprint, the timing and method are documented, and the rationale for altering the system (rather than preserving it unchanged) is recorded. The ACPO framework doesn't reject memory forensics; it requires that memory forensics be performed with explicit acknowledgement of the principle it bends, documented at the time.

UK admissibility: civil and criminal

In UK civil proceedings (Civil Procedure Rules), memory forensics evidence is admitted primarily as expert evidence under CPR Part 35. The expert must be identified, must provide a statement of truth and a declaration of their duty to the court, and must produce a written report that conforms to the requirements of CPR 35 and Practice Direction 35. The expert's duty is to the court, not to the party instructing them — a requirement that places the forensic practitioner in an unusual position compared to routine consulting work. The report must disclose material that could undermine the expert's opinion, must state the expert's qualifications and the scope of the instructions, and must address the methodology in enough detail that the court can assess reliability.

For memory forensics specifically, the CPR 35 report treats the memory image, the acquisition record, the tool inventory, and the analysis logs as exhibits — they are cited in the report rather than reproduced wholesale, and they must be available for disclosure to opposing parties. A report that references "Volatility 3 analysis" without specifying the tool version, plugin versions, and command sequences used produces immediate questions under CPR 35. A report that properly cites these produces a reproducible analysis that opposing experts can audit.

In UK criminal proceedings (Criminal Procedure Rules), the standard is higher because criminal liberty is at stake. CrimPR Part 19 governs expert evidence and requires earlier disclosure, formal notice of intended expert testimony, and compliance with the same duty-to-the-court standard as CPR 35. The Police and Criminal Evidence Act 1984 (PACE) governs evidence collection by police; for privately-commissioned forensic work that ends up in criminal proceedings (a company's internal investigation that is later referred to police), the PACE standards are not directly applicable but the defence can still challenge admissibility on grounds the evidence was obtained or handled in ways that would not meet PACE.

Consider a worked example. A memory image from NE-FIN-014 was captured at 09:42 UTC on 2026-03-15 by a named SOC analyst using WinPmem version 4.0.RC2. The acquisition record shows the trigger (a Defender for Endpoint alert at 09:38 UTC), the authorisation (the SOC shift lead's sign-off, logged in the ticketing system), the handler (the analyst's initials), the tool (with version), the hash (SHA-256, recorded immediately after capture), and the initial storage location (encrypted evidence locker on the analyst workstation, transferred within two hours to the central IR evidence store). If the credential harvest from this incident reaches an employment tribunal over the affected employee's dismissal, or a cyber-insurance claim for the exfiltrated data, the acquisition record is the first thing scrutinised. Every field needs to be there, and every field needs to match the reality of what happened.

Extended context — CPR 35 duty-to-court as genuine constraint

The CPR 35 duty to the court is genuinely constraining. Practitioners who have only done internal IR reports sometimes misunderstand it as a formality. It isn't. The duty means the expert must disclose findings that are unhelpful to the instructing party's case if those findings are material. In the worked example above, if the memory analysis surfaced evidence of an unrelated issue — say, the user had been storing personal files on the work machine in violation of policy — and the question in the tribunal concerned only the credential theft, the expert would still be required to disclose the personal files if they bore on the tribunal's determination (they probably don't, but the judgment has to be made). The duty cannot be contracted away by the instructing solicitor. An expert who allows an instructing solicitor to remove material adverse findings from a report has failed in their duty and exposed themselves professionally.

The US and EU parallels

US federal civil and criminal proceedings apply Federal Rule of Evidence 702 governing expert testimony, interpreted through the 1993 Daubert v. Merrell Dow Pharmaceuticals decision and subsequent cases. The Daubert factors — whether the technique has been tested, whether it has been subjected to peer review and publication, its known or potential error rate, the existence and maintenance of standards controlling operation, and general acceptance in the relevant scientific community — map onto memory forensics imperfectly. Volatility 3 is tested (extensive public test suite), is peer-reviewed (active open-source community, published research using it), has known limitations (documented by the Volatility Foundation), is maintained with versioned releases under formal governance, and has general acceptance (used across commercial DFIR and law-enforcement forensics worldwide). A memory forensics expert testifying under FRE 702 addresses each factor explicitly — the expert's report and testimony should demonstrate that the methodology meets Daubert, not assume it.

Some US state courts still apply the older Frye standard (general acceptance in the relevant scientific community), which is a lower bar than Daubert in some ways and stricter in others. For memory forensics, general acceptance is not controversial; the risk in Frye jurisdictions is the opposite, where opposing counsel argues a specific plugin or technique is not generally accepted even if the broader methodology is. An expert addresses this by citing the published literature for the specific plugin or technique in use.

EU electronic evidence is governed at the union level by the eIDAS Regulation (EU 910/2014) for trust services and by GDPR for personal data processing, with substantive evidence rules set at member-state level. The cross-border investigation complication — that memory evidence acquired in one jurisdiction may be presented in proceedings in another — means practitioners working multinational incidents need to track which jurisdiction's rules govern each piece of evidence. For most UK-primary practitioners, this becomes relevant when NE-style environments span UK, EU, and occasionally US operations, and the incident touches multiple jurisdictions; the pragmatic rule is to acquire and document to the highest applicable standard (typically UK CPR 35 or US Daubert), which will meet most lower-bar jurisdictions automatically.

Best evidence and memory images

The best-evidence rule (English common law, parallel concepts in US and EU law) holds that where an original document or recording exists, the original should be produced in evidence, not a copy. For memory forensics, this creates an interesting problem: the memory image is itself a copy of the volatile state of the system, and there is no "original" to produce — the memory that existed at acquisition time no longer exists. The image is the evidence; there is nothing older it is a copy of.

In practice, courts treat the acquisition-time memory image as the primary evidence, provided the acquisition record supports that claim. The hash recorded at acquisition is the anchor. Any subsequent working copy of the image must be verifiable against that hash — if the working copy hashes differently, it has been altered (or the hash was miscalculated initially) and the evidence chain is broken. The practical protocol is: capture the image, hash it immediately, store the original-capture copy in write-protected storage, and perform all analysis against copies verified to match the hash. The original is preserved. The working copies are demonstrably identical. The best-evidence rule is met.

Where this discipline fails in practice is small: the investigator who captures the image, hashes it correctly, but then performs analysis directly against the original file (which most modern tools do read-only, but some edge cases do not). Opposing counsel will ask "was the evidence altered during analysis?" and the defensible answer is "the original was preserved unmodified in write-protected storage; analysis was performed against a verified copy." An investigator who has to answer "analysis was performed directly against the acquired image" has an opening to defend that isn't necessary.

In the worked example, the protocol was followed: NE-FIN-014-mem.raw was captured and hashed, the original was moved immediately to the evidence locker, a working copy was created with a second hash calculation confirming match, and all Volatility 3 and WinDbg analysis was performed against the working copy. The acquisition record, the evidence-store log, and the analyst's working notes all cite the same SHA-256. That traceability is what best-evidence compliance looks like operationally.
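The hash-anchored protocol from the two paragraphs above (hash at capture, preserve the original, verify every working copy, re-verify on every handover), as an added Python example that is not part of the course materials and follows no tool's record format. The record field names mirror the lifecycle figure; the sample image bytes, handler names and timestamps are constructed, and the audit goes one step further than the text by checking the custody log for handler gaps as well as hash mismatches.

```python
"""Hash-anchored custody protocol for a memory image (added example, not
course material or any tool's record format): hash at capture, keep the
original read-only, accept a working copy only if it matches the acquisition
SHA-256, re-hash on every handover, and audit the log for custody gaps.
Field names and the sample image bytes are constructed for this example."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field

def sha256_file(path: str) -> str:
    """Stream the file so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

@dataclass
class CustodyEvent:
    """One handover: who, to whom, where, and the hash re-verified on receipt."""
    timestamp: str
    from_handler: str
    to_handler: str
    location: str
    sha256_verified: str

@dataclass
class Evidence:
    """Acquisition-phase fields from the lifecycle figure (names assumed)."""
    path: str            # the preserved original image
    target: str
    tool: str            # tool name + version
    operator: str
    authorisation: str
    trigger: str
    started: str
    finished: str
    sha256: str          # the anchor, computed immediately after capture
    custody: list[CustodyEvent] = field(default_factory=list)

def acquire(path, target, tool, operator, authorisation, trigger, start, end):
    """Hash immediately after capture, then make the original read-only."""
    digest = sha256_file(path)
    os.chmod(path, 0o400)  # preserved; never analysed directly
    return Evidence(path, target, tool, operator, authorisation, trigger,
                    start, end, digest)

def transfer(ev, timestamp, from_handler, to_handler, location):
    """Log a handover; the receiving handler re-hashes the original."""
    ev.custody.append(CustodyEvent(timestamp, from_handler, to_handler,
                                   location, sha256_file(ev.path)))

def make_working_copy(ev, dest):
    """Copy for analysis; keep it only if it matches the anchor hash."""
    shutil.copyfile(ev.path, dest)
    if not verify_copy(ev, dest):
        os.remove(dest)
        raise ValueError("working copy does not match acquisition hash")
    return dest

def verify_copy(ev, path):
    """True only while a copy still hashes to the acquisition-time SHA-256."""
    return sha256_file(path) == ev.sha256

def audit_chain(ev):
    """List defects that would open a custody-gap or tampering argument."""
    defects = []
    expected = ev.operator  # first handover must come from the acquirer
    for n, e in enumerate(ev.custody, 1):
        if e.from_handler != expected:
            defects.append(f"event {n}: gap, {expected} -> {e.from_handler}")
        if e.sha256_verified != ev.sha256:
            defects.append(f"event {n}: hash mismatch at {e.location}")
        expected = e.to_handler
    return defects

def demo():
    """Run the protocol on a constructed image, a tampered copy and a gap."""
    work = tempfile.mkdtemp()
    img = os.path.join(work, "NE-FIN-014-mem.raw")
    with open(img, "wb") as f:  # constructed stand-in for a real capture
        f.write(b"MEMORYIMAGE" * 4096)
    ev = acquire(img, "NE-FIN-014", "WinPmem 4.0.RC2", "jd", "shift-lead ticket",
                 "Defender alert", "2026-03-15T09:42Z", "2026-03-15T09:47Z")
    transfer(ev, "2026-03-15T11:30Z", "jd", "ir-store", "central IR evidence store")
    copy = make_working_copy(ev, os.path.join(work, "NE-FIN-014-mem.work.raw"))
    clean = verify_copy(ev, copy)
    with open(copy, "r+b") as f:  # simulate an altered working copy
        f.write(b"X")
    tampered = verify_copy(ev, copy)
    # a handover logged from an unexpected handler is a gap in the chain
    transfer(ev, "2026-03-16T08:00Z", "unknown", "analyst2", "analyst workstation")
    defects = audit_chain(ev)
    os.chmod(img, 0o600)
    shutil.rmtree(work)
    return {"copy_ok": clean, "tampered_ok": tampered, "defects": defects}
```

Every log that cites the image (acquisition record, evidence-store entries, working notes) should carry the same `sha256` value; `audit_chain` is the check that nothing in the custody log disagrees with it.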

Extended context — best-evidence framing for snapshots and hibernation files

The "best copy" framing is also useful when considering partial acquisitions, hypervisor memory snapshots, and hibernation files. A hypervisor-provided snapshot of a VM's memory is a complete capture from the hypervisor's perspective; it is the best available evidence of that VM's state at snapshot time. A hibernation file (hiberfil.sys) is a compressed snapshot written by the OS at hibernation time; it is the best available evidence of the system's state immediately before hibernation, albeit not the state at the time of investigation. When analysing a hibernation file, the report must make clear what the evidence represents: the memory state at hibernation, not at acquisition. Misstating this is an overclaim that opposing counsel will exploit — "the analyst's report says the process was running at 14:22 on the date of the investigation, but the hibernation file shows the state at the time of hibernation, which was twelve hours earlier; the analyst has no evidence about 14:22." The scope of the claim must match the scope of the evidence.

MF0.7 established the three-tier confidence framework and the reporting language that corresponds to each tier. For legal reporting, that same mapping carries one additional load: each tier's language has to satisfy the specific evidentiary standard that will review the report. The mechanics are unchanged — high-confidence findings are direct assertions, medium-confidence findings are hedged, low-confidence findings are qualified — but the legal context sharpens what the hedges must accomplish.

Under CPR 35, the expert's statement of truth extends to every tier-matched claim. A hedged medium-confidence sentence ("the evidence is consistent with a reflective DLL injection having occurred") is a sworn statement that the hedge is accurate — the expert cannot later argue in court that the finding was actually high-confidence and the hedge was excessive caution. The tier is a claim, and the claim is sworn. Under Daubert, each tier's language must survive the reliability factors (tested methodology, peer review, error rate, standards, general acceptance) at the strength the tier asserts. High-confidence claims carry the highest Daubert burden; low-confidence claims carry the least.

Low-confidence findings deserve particular attention in legal reporting. In an internal report, a low-confidence finding labelled as such is acceptable context. In an external-facing CPR 35 or FRE 702 report, a low-confidence finding is often better removed from the findings section entirely and moved to an "evidence of interest" appendix. Cross-examination of low-confidence findings is disproportionately damaging — opposing counsel will use the weakest finding to question the methodology producing the strongest. When in doubt, consult with the instructing solicitor about whether a low-confidence finding should appear at all.

Guided Procedure — Draft a CPR 35-compliant expert report skeleton

A CPR 35 expert report has six mandatory sections. This procedure walks through each in the order they appear in the final document. The end state: a skeleton that any memory-forensics finding from a real investigation can drop into, with the legal wrapper satisfying Part 35 and the Practice Direction 35 requirements.

Step 1 — Expert's statement of duty (CPR 35.3). The opening section is a statement of the expert's duty to the court. Paragraph 1: "I understand that my duty is to help the court on matters within my expertise, and that this duty overrides any obligation to the parties who instructed me. I have complied with this duty and will continue to comply with it." Paragraph 2: a brief statement of the expert's qualifications, experience, and basis for expertise (years in DFIR, relevant certifications, prior expert-witness experience).
Expected output: Two opening paragraphs under heading "Expert's Duty." Roughly 150 words. The duty statement is boilerplate but cannot be omitted; the qualifications statement is the only place the expert's credentials appear.
If it fails: The duty statement must be verbatim or near-verbatim — judges test this by comparing against the Practice Direction wording. If you reword it loosely, you risk a procedural challenge before the substance is heard.

Step 2 — Instructions received (CPR 35 PD 3.2(3)). Record what you were asked to do. "I was instructed by [instructing party] on [date] to examine the memory image acquired from [host] on [date] and to determine whether evidence of [specific allegation, e.g., unauthorised credential access] is present in the image." Include the written instructions verbatim if they were short, or reference them as an appendix if long.
Expected output: Single paragraph (or short multi-paragraph if instructions were complex). The instructions establish the scope — anything outside this scope should not appear in the findings; anything inside this scope must be addressed, even if the answer is "no evidence found."
If it fails: Vague or post-hoc instructions ("the client wanted a forensic analysis") are a common defect. If instructions weren't recorded at engagement, reconstruct them from emails or ticketing entries; if no record exists at all, note that the instructions are reconstructed from practitioner recollection — this is weaker than contemporaneous written instructions but is not automatically fatal.

Step 3 — Material examined (CPR 35 PD 3.2(4)). List every piece of evidence you examined. "The memory image `[filename].raw` was received on [date] with SHA-256 hash `[hash]`. The acquisition record `[filename]` was received alongside and reviewed. No other material was examined in support of this report." List any material you reviewed but chose not to rely on, with a brief note on why.
Expected output: Enumerated list of materials with hashes, sources, and dates. Typically 3-10 items for a memory-forensics report. Each item has provenance (who provided it, when, in what form).
If it fails: Undeclared material — reviewing something informally and not listing it — is a disclosure failure that opposing counsel will exploit if it emerges during cross-examination. If in doubt about whether to list something, list it; the cost of over-disclosure is cosmetic, the cost of under-disclosure can be the expert being stood down.

Step 4 — Methodology and tests performed (CPR 35 PD 3.2(5)). Describe what you did with the material. "The memory image was parsed with Volatility 3 version 2.7.0 and MemProcFS version 5.x. The following plugins were run against the image: [list]. Output files from each plugin run are provided at [appendix reference]. Specific findings were validated in WinDbg version [X] via the commands listed at [appendix reference]." Include version numbers; they matter for reproducibility.
Expected output: Methodology section of 300-600 words plus one or more appendices with raw tool output. Every claim in the findings section should be traceable to a specific command in the methodology.
If it fails: Methodology that's too generic ("I analysed the memory image using standard forensic tools") won't survive cross-examination. Be specific: tool, version, command, result. If a tool or technique you used isn't standard, cite the published literature establishing it.

Step 5 — Findings with confidence tiers (drawing from MF0.7). The substantive section. Each finding gets a statement at the tier-matched language level, followed by the evidence and the tier's modifier reasoning. "Finding 1: PID 4872 (powershell.exe) was running at the time of acquisition (high confidence). The evidence is: three-method discovery agreement (`pslist`, `psscan`, `pstree`), cross-source corroboration from Windows Security event 4688, no plausible alternative explanation. Raw-memory verification was performed via WinDbg [details at appendix]."
Expected output: One labelled "Finding N:" paragraph per finding, typically 5-15 findings for a memory-forensics report. Each with a tier-matched claim sentence, followed by the supporting evidence and reasoning. Appendix references for the raw tool output.
If it fails: The most common failure is tier-language drift — findings written at a stronger level than the tier justifies. Protection: lift the tier and reasoning verbatim from the case file (the output of MF0.7's tier-assignment procedure). Don't let the report's prose upgrade or soften what the analysis recorded.

Step 6 — Statement of truth and signature (CPR 35 PD 3.3). The closing section. "I confirm that I have made clear which facts and matters referred to in this report are within my own knowledge and which are not. Those that are within my own knowledge I confirm to be true. The opinions I have expressed represent my true and complete professional opinion on the matters to which they refer." Signed, dated, expert's name, qualifications.
Expected output: The closing paragraph and signature block. The statement of truth is, like the duty statement, near-verbatim — the courts have specific wording that must be present.
If it fails: Missing statement of truth renders the report inadmissible as expert evidence — not "weakened," actually inadmissible. The procedural failure is fatal. Double-check the statement is present and correctly worded before signing.

Six sections, in order. The skeleton produces a report that satisfies CPR 35 procedurally; the quality of the analysis itself (built from the findings in Step 5) determines the report's substantive weight. Both matter — procedural defects lose the case on a technicality; weak analysis loses it on the merits.

Decision Point

The situation. A month after the investigation concludes, the legal team asks you a question. The affected employee is considering legal action for dismissal, and their solicitor has requested disclosure of the memory forensics evidence that supported the decision. Your incident report has been written, the executive summary is defensible, but the memory image sits in the IR evidence store along with the Volatility 3 output files, the analyst's investigation notes, and the draft report versions that preceded the final. The solicitor is asking for "all memory forensics evidence relating to the incident."

The choice. Produce everything (full disclosure as safest posture), produce only the final report (report is the evidence), or consult with legal and the instructed expert before producing anything (disclosure scope is a legal question, not a technical one).

The correct call. The third, every time. The scope of disclosure under CPR 31 is determined by what's relevant to the proceedings, and "relevant" is a legal judgment. Producing everything exposes internal working material that may contain speculation, blind alleys, or incorrect early hypotheses that were corrected later — all of which can be mined by opposing counsel to create reasonable doubt about the final findings. Producing only the report may be too narrow and trigger adverse inferences for withholding material. The right answer comes from the lawyer; the investigator's job at this point is to preserve everything untouched while the legal scope is determined.

The operational lesson. Never make disclosure decisions unilaterally once legal process is foreseeable. Preserve, consult, then disclose under guidance. The preservation obligation starts the moment proceedings are reasonably anticipated, which is often earlier than the formal disclosure request arrives — a "we're considering legal action" email is typically enough to trigger the duty to preserve.

Compliance Myth: "If I follow ACPO principles, the evidence is admissible"

The myth. The ACPO Good Practice Guide for Digital Evidence sets out the standards for digital forensic work in the UK. If the practitioner follows its four principles, the evidence meets the required standard for use in UK proceedings.

The reality. ACPO principles are necessary but not sufficient. Admissibility depends additionally on CPR 35 compliance (for civil) or CrimPR 19 compliance (for criminal), proper expert instructions, and a report that discharges the expert's duty to the court.

An investigator who follows ACPO principles meticulously but delivers a report that fails CPR 35 (omits the statement of truth, doesn't specify instructions, doesn't disclose material adverse findings) produces evidence that may still be excluded or discounted — not because the technical work was wrong, but because the report that presented it didn't meet the procedural standard. Conversely, a report that meets CPR 35 perfectly but describes evidence collected in violation of ACPO principles (no audit trail, unqualified operator, contaminated source system) produces evidence that is admissible on its face but weak on scrutiny.

The two standards are complementary, and both must be met. ACPO covers collection and handling; CPR 35 covers reporting and expert conduct. A practitioner who thinks either one alone is the bar will be surprised when opposing counsel identifies the gap.

Next

MF0.9 — Lab Environment Setup. MF0 closes with the practical infrastructure. You've covered why memory forensics matters, what lives in memory, the workflow, the tools, the evidence framework, and the legal context. MF0.9 gives you the three-VM lab (Target-Win, Target-Linux, Kali) plus the analysis workstation that every subsequent module runs against. With the lab built, you're ready for MF1's memory acquisition in depth.

Try it — Draft a CPR 35-compliant expert report skeleton

Setup. Open a blank document. You'll draft the structural skeleton of a CPR 35 expert report for a memory-forensics investigation, using the worked example in this sub as the imagined case. You don't need to write the content — just the section headings and one-sentence descriptions of what each section contains.

Task. Include: (1) front matter — expert's name, qualifications summary, instructing party, scope of instructions, date of report; (2) statement of truth and declaration of duty to the court (the CPR 35 standard wording is specific, not freestyle — look up the Practice Direction text); (3) executive summary with tier-matched language for the worked findings; (4) methodology section referencing the six-phase workflow from MF0.3 and the confidence tier framework from MF0.7; (5) detailed findings, each with evidence cited and tier stated; (6) limitations — what was not investigated, why, and what that absence means for the claims made; (7) list of exhibits (memory image, acquisition record, Volatility 3 output files, WinDbg validation log).

Expected result. A seven-section skeleton with each section labelled and briefly described. The statement of truth should match the wording in CPR 35 Practice Direction 3.3. The limitations and exhibits sections should be present.

If your result doesn't match. If you omitted the limitations section, you've hit the most common gap — practitioners used to internal IR reports routinely skip it. The limitations section is mandatory under CPR 35 because the expert's duty to the court includes disclosing what the investigation couldn't determine, not just what it did determine. If your exhibits list has fewer than four items, you've understated — every piece of evidence relied on in the report must appear as an exhibit, including tool output files, not just the memory image.

Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. State the six mandatory sections of a CPR 35-compliant expert report, in the order they appear. (§ UK admissibility + Guided Procedure)
2. Explain in one or two sentences why memory evidence is non-replicable, and what practical documentation step mitigates the evidentiary risk that creates. (§ Why memory evidence faces distinct legal challenges + Best evidence)
3. A solicitor asks you to disclose "all memory forensics evidence" from a closed investigation. Name the operational rule MF0.8 establishes for responding, and state why unilateral production (of either "everything" or "only the report") is wrong. (§ Decision Point)

Decision Point — a disclosure request six months on

Six months after a memory-forensics investigation is closed, the employee whose credentials were compromised brings an employment tribunal claim against NE. Their solicitor requests disclosure of "all memory forensics evidence." The IR team's working materials include: the original acquisition image (preserved in write-protected evidence storage), the three versions of the draft report (each significantly revised before the final version shipped), the analyst's working notes with several early hypotheses that turned out to be wrong, the Volatility 3 output files from the analysis, and the final report that was released internally. The SOC lead wants to know what to produce to the solicitor. What is the correct response?

Option A. Produce everything to the employee's solicitor, on the basis that full disclosure is the safest legal posture. Incomplete disclosure risks adverse inferences for withholding material, so erring on the side of more is prudent. Redact nothing; let the solicitor see everything the IR team produced.

Option B. Produce only the final report, on the basis that the report is the evidence and everything else is working material that was never intended for external use. Draft versions and working notes are pre-decisional and should not be disclosed.

Option C. Consult NE's legal team and any instructed expert before producing anything. The scope of disclosure under CPR 31 is a legal judgment, not a technical one, and the expert's duty of preservation applies from the moment legal process is foreseeable. Preserve everything untouched while the disclosure scope is determined under legal guidance, then produce per the scope agreed. Producing everything unilaterally exposes internal working material that could be exploited by opposing counsel; producing only the report unilaterally risks an incomplete-disclosure challenge. Neither is the technical practitioner's call to make.

Option D. Produce the final report and the Volatility 3 output files, but withhold the draft reports and working notes. The finished work products are evidence; the working materials are pre-decisional and carry privilege.
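The "preserve everything untouched" step that the scenario turns on, as an added example that is not part of this course's lab pack: a legal-hold manifest that fingerprints every working material (image, drafts, notes, tool output) at the moment legal process becomes foreseeable, and later shows whether anything was altered, removed or added before the disclosure scope was agreed. The directory layout, file contents, custodian and reason are constructed placeholders.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # chunked: memory images are large
            h.update(block)
    return h.hexdigest()

def build_hold_manifest(root, custodian, reason):
    """Fingerprint every working-material file under root at the moment the hold is placed."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "bytes": p.stat().st_size}
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"hold_placed_utc": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian, "reason": reason, "files": files}

def verify_hold(root, manifest):
    """Return (ok, issues): files altered, deleted or added since the hold was placed."""
    root, held, issues = Path(root), manifest["files"], []
    for rel, entry in held.items():
        p = root / rel
        if not p.is_file():
            issues.append("missing: " + rel)
        elif sha256_file(p) != entry["sha256"]:
            issues.append("altered: " + rel)
    issues += ["added: " + p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file() and p.relative_to(root).as_posix() not in held]
    return not issues, sorted(issues)

def demo():
    """Constructed working-material set with placeholder content, not real evidence."""
    root = Path(tempfile.mkdtemp(prefix="ne_hold_"))
    sample = {"acquisition/target-win.raw": b"PLACEHOLDER-IMAGE-BYTES",
              "reports/draft-v1.md": b"# Draft 1\n", "reports/final.md": b"# Final\n",
              "notes/hypotheses.txt": b"H1: rejected\n", "volatility3/pslist.txt": b"PID PPID\n"}
    for rel, data in sample.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest = build_hold_manifest(root, "SOC lead", "tribunal claim foreseeable")
    ok_before, _ = verify_hold(root, manifest)
    draft = root / "reports/draft-v1.md"                      # a well-meant "tidy-up" after the hold
    draft.write_bytes(draft.read_bytes() + b"(cleaned)\n")
    ok_after, issues = verify_hold(root, manifest)
    return ok_before, ok_after, issues
```

The manifest belongs in the acquisition record alongside the image hash; a clean re-verification at production time is what lets you state that the working materials disclosed are the ones that existed when the hold was placed.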

You've set up the lab and captured your first clean baselines.

MF0 built the three-VM lab and established the memory forensics landscape. MF1 taught acquisition with WinPmem and LiME, integrity verification, and chain of custody. From here, you execute attacks and investigate what they leave behind.

  • 8 attack modules (MF2–MF9) — process injection, credential theft, fileless malware, persistence, kernel drivers, Linux rootkits, timeline construction, and a multi-stage capstone
  • You run every attack yourself — from Kali against your target VMs, then capture memory and investigate your own attack's artifacts with Volatility 3
  • MF9 Capstone — multi-stage chain (initial access → privilege escalation → credential theft → persistence → data staging), three checkpoint captures, complete investigation report
  • The lab pack — PoC kernel driver and LKM rootkit source code, setup scripts, 21 exercises, 7 verification scripts, investigation report templates
  • Cross-platform coverage — Windows and Linux memory analysis in one course, with the timeline module integrating evidence from both