In this module

MF1.6 Acquisition Verification and Integrity

6 hours · Module 1 · Free

What you already know

From MF1.2-1.5 you know how to capture memory from Windows, Linux, and the hypervisor, and how to collect the pagefile and swap alongside the RAM image. Each sub included a hash step. This sub explains why that hash step matters, what it actually proves, how it differs from disk-image hashing, and how to build the chain-of-custody documentation that makes every subsequent analysis finding defensible.

Operational Objective

Hashing a memory image is not the same thing as hashing a disk image, and the chain-of-custody documentation for memory evidence serves a different function than the chain-of-custody for a hard drive in an evidence bag. Practitioners who treat the two as interchangeable produce acquisition records that don't answer the questions opposing counsel actually asks — and they discover this gap during cross-examination, not during the investigation.

The fundamental difference: a disk image hash proves that the copy is bit-identical to the source at the time of imaging. A memory image hash proves that the copy is bit-identical to the file WinPmem (or LiME, or the hypervisor) produced — but it does not prove that the file is a bit-identical copy of RAM at any single moment, because smear means it never was. The hash proves file integrity, not source fidelity. Both matter, but they prove different things, and the acquisition record must describe what each proof covers.

This sub builds the acquisition record — the document that ties together the who, what, when, where, how, and hash chain for every memory image you capture. MF0.8 established the legal standards (ACPO, CPR 35, Daubert) that the record must satisfy. This sub makes those standards operational: a concrete template you fill in for every acquisition, with the specific fields that make each standard's requirements traceable.

Deliverable: A completed acquisition record template that you can reuse for every capture in this course and in production, understanding of what the SHA-256 hash actually proves for memory images versus disk images, the four structural checks that confirm an image is structurally sound (not just hash-matching), and the documentation discipline that makes the entire chain from capture to analysis to reporting defensible.

Estimated completion: 35 minutes

Figure 1.6.1 — The chain of custody is a hash chain with documentation at each transfer point. Every break in the chain — a transfer without re-hash, an undocumented handler — is an opening for opposing counsel.

What the hash actually proves for memory images

This section corrects a misconception that causes practitioners to overclaim in reports. The hash proves file integrity, not source fidelity — and the distinction matters under cross-examination.

When you run the hash command immediately after WinPmem finishes:

certutil -hashfile image.raw SHA256

The hash proves one thing: the file on disk at that moment has this specific byte sequence. When you copy the file to the analysis workstation and re-hash, a matching hash proves the copy is byte-identical to the original file.

The chain of hashes proves that the file you're analysing is the same file the tool produced.

What the hash does not prove is that the file is a faithful representation of RAM at any specific moment. MF1.1 established why: smear means the image describes a range of moments, not one moment.

Two consecutive captures of the same system produce different .raw files with different hashes — not because either capture failed, but because memory changed between them. The hash of a memory image is not the equivalent of the hash of a disk image, where two images of the same unchanged disk produce the same hash.

This distinction matters in reports. "The SHA-256 hash confirms the integrity of the memory image" is correct. "The SHA-256 hash confirms the image is a faithful copy of the target's RAM" is an overclaim — it's a faithful copy of what the tool captured, which is a smear-affected read of RAM. The acquisition record should state: "SHA-256 hash calculated at source confirms file integrity of the acquisition output. The image represents the state of physical memory during the acquisition window [start time] to [end time], subject to acquisition smear inherent in live-system capture." That phrasing is defensible. The shorter version is not.

The four structural checks

This section goes beyond hashing. A structurally sound image is one that both hashes correctly and parses correctly — the two checks are independent.

A hash match tells you the file wasn't modified during transfer. It doesn't tell you the capture completed correctly. A partial capture (WinPmem killed mid-write, disk ran out of space, LiME module crashed during acquisition) produces a valid file with a valid hash — it's just shorter than it should be and truncated at a random physical offset. The hash of a truncated image is perfectly correct for what the file contains; it just doesn't contain all of RAM.

Four structural checks confirm acquisition quality. Size check — the image file size must equal the target's physical RAM. For a 4 GB VM, the file is 4,294,967,296 bytes. For a 128 GB server, the file is 137,438,953,472 bytes. A smaller file is a partial capture. A larger file is unusual but possible with some acquisition formats that include metadata headers (LiME format includes segment headers; raw format does not).

Profile identification — Volatility 3 must identify the operating system. windows.info for Windows images, linux.banner for Linux. If Volatility 3 can't identify the OS, either the image is corrupt, the format is wrong, or the symbol pack is missing for the target's OS build. Profile identification failure on a correctly-sized image usually means a symbol-pack issue, not an acquisition issue.

Kernel address validation — the Kernel Base reported by windows.info should start with 0xfffff8 on 64-bit Windows. A value of 0x00000000 means the kernel wasn't located. An implausible value (e.g., a user-space address) means the image is structurally damaged at the kernel offset.

Process list sanity — windows.pslist (or linux.pslist) should return a reasonable number of processes. A clean Windows 11 boot produces 80-150 processes. Zero processes means the kernel structures weren't resolved. An unusually small number (under 20) on a system that should have more may indicate structural damage or a partial capture that truncated the active process list.

All four checks are quick — under two minutes for a 4 GB image. Run them on every capture before proceeding to analysis. A capture that fails any check should be re-acquired if the source system is still available.

Extended context — hash algorithm selection and the MD5/SHA-1 retirement

The course uses SHA-256 exclusively. MD5 and SHA-1 are deprecated for forensic integrity verification because both have known collision attacks — it's computationally feasible to produce two different files with the same MD5 or SHA-1 hash. This matters forensically because opposing counsel can argue (correctly) that an MD5 hash doesn't uniquely identify the file. SHA-256 has no known practical collision attacks and is the current standard for forensic hashing.

Some organisations still use MD5 for backward compatibility with older tools and evidence management systems. If your organisation requires MD5 for legacy reasons, compute both — MD5 for the legacy system and SHA-256 for the forensic record. The acquisition record should always include the SHA-256 hash. Including MD5 additionally is fine; using MD5 alone is not defensible in 2026.

The acquisition record — a concrete template

This section provides the template you'll use for every capture. It's not a theoretical framework — it's a form with specific fields that satisfy ACPO, CPR 35, and Daubert requirements simultaneously.

The acquisition record is a single document per captured image. Every field is completed at the time of acquisition, not reconstructed later. The record lives alongside the image in the evidence store and is referenced in any report that cites findings from the image.

Header fields. Case reference (if assigned). Date and time of acquisition start (UTC). Date and time of acquisition end (UTC). Operator name and role. Authorisation reference (who authorised the capture — ticket number, verbal authorisation from the SOC lead with their name, written request from legal). Trigger condition (which of MF0.1's four categories applies: active attack, post-incident review, proactive hunting, or baseline capture).

Target fields. Hostname. IP address at time of acquisition. Asset tag or serial number (if physical). Operating system and version (as reported by the system, not as assumed). RAM size (configured, not used). Hypervisor (if virtualised — product, version, host). Environmental notes (was the system under active attack during capture? Were alerts firing? Was the user logged in? Any concurrent activity that may affect the image?).

Method fields. Acquisition tool and version (e.g., "WinPmem mini x64 RC2, build date 2024-01-12"). Acquisition method rationale (why this tool and not an alternative — reference the fidelity/footprint/feasibility analysis from MF1.1). Output format (raw, LiME, ELF, crashdump). Output file path and filename. Additional files collected (pagefile, hibernation file, swap — each with its own hash).

Integrity fields. SHA-256 hash calculated at source immediately after capture. SHA-256 hash calculated at destination after transfer. Hash match confirmed (yes/no — if no, note the discrepancy and resolution). Evidence store location (where the original is stored). Working copy location (where the analysis copy is stored). Write-protection method (how the original is protected from modification — read-only permissions, write-blocked storage, sealed evidence bag for physical media).

Post-capture fields. Structural verification results (size check, profile identification, kernel address, process list count). Anomalies noted (anything unusual about the capture — partial completion, error messages, interrupted transfer, environmental interference). Signature of operator.

Guided Procedure — Complete an acquisition record for your Target-Win baseline

This procedure uses the capture you performed in MF1.2. You'll fill in the acquisition record template for that image. By the end, you have a completed record that you can reuse as a template for every subsequent capture.

Step 1 — Fill in the header and target fields. Open a new document (Markdown, Word, or plain text — the format doesn't matter for the lab; the fields do). Fill in: date/time from your MF1.2 capture, your name as operator, "baseline capture" as the trigger condition, Target-Win's hostname, IP, OS version, and RAM size.

Expected output: A document with all header and target fields populated. The date/time should match the timestamp you recorded during MF1.2's hash step. The OS version should match what `windows.info` reported.

If it fails: If you didn't record the timestamp during MF1.2, check the file's creation timestamp on the evidence directory — it's a reasonable approximation but not as precise as a recorded timestamp. This is why the acquisition record says "record at the time of capture, not later."

Step 2 — Fill in the method and integrity fields. Tool: WinPmem mini x64 RC2. Method rationale: "In-guest capture selected for lab baseline; hypervisor suspension also available but WinPmem used to validate the in-guest pipeline." Output format: raw. SHA-256 from MF1.2's hash step. Destination hash from the analysis workstation re-hash. Hash match: yes.

Expected output: All method and integrity fields populated. Both hashes present and matching. The rationale field explains why WinPmem was chosen even though hypervisor acquisition was available — this is the kind of documentation that makes the decision traceable later.

If it fails: If you don't have the destination hash from MF1.2, re-hash the image on the analysis workstation now. If the hashes don't match, you have a corrupted transfer from MF1.2 — re-transfer and re-hash before filling in the integrity fields.

Step 3 — Fill in the structural verification results. Run the four structural checks from this sub against your baseline image: size check (4,294,967,296 bytes for a 4 GB VM), `windows.info` profile identification, Kernel Base address, `windows.pslist` process count. Record all four results in the post-capture fields.

Expected output: Size matches. Profile identified as Windows 11. Kernel Base starts with `0xfffff8`. Process count is 80-150 (clean Windows 11). All four checks pass. Record "all structural checks passed" in the post-capture fields.

If it fails: Any structural check failure on a clean baseline indicates an acquisition or transfer problem. Re-acquire from Target-Win before proceeding — the baseline image needs to be structurally sound because MF2 onward compares attack-modified captures against it.

Decision Point

The situation. You captured memory from a Northgate Engineering server at 03:15 during an active incident. In the urgency, you forgot to hash the image on the source system before transferring it to the analysis workstation. You have the image on the analysis workstation and you can hash it there. The source server has since been reimaged by the business. You cannot re-acquire.

The choice. Hash the image on the analysis workstation and use that hash as the chain-of-custody anchor. Or note the missing source-side hash in the acquisition record and proceed with the analysis, flagging the gap.

The correct call. Both — and the documentation matters more than the hash. Hash the image on the analysis workstation now (it's still useful for proving the file hasn't changed since it arrived at the workstation). But document in the acquisition record that the source-side hash was not calculated, that the image was transferred to the analysis workstation without hash verification at the source, and that the single hash covers workstation-to-report integrity only, not source-to-workstation integrity. This honest documentation is defensible: "the operator acknowledges a procedural gap and has documented what the available hash does and doesn't prove." The alternative — pretending the workstation hash is a source hash — is not defensible if the gap is discovered during review.

The operational lesson. Missing a procedural step is recoverable through documentation. Hiding a procedural gap is not. Opposing counsel's strongest attack isn't "you missed the hash" — it's "you missed the hash and didn't tell us." The acquisition record is where you tell them.

Compliance Myth: "If the hash matches, the evidence is forensically sound"

The myth. The SHA-256 hash is the ultimate proof of evidence integrity. If the hash at source matches the hash at destination, the evidence is forensically sound and the chain of custody is intact. No further verification is needed.

The reality. The hash proves file integrity — the bytes didn't change during transfer. It does not prove acquisition quality. A partial capture (half the RAM, truncated mid-write) has a perfectly valid hash that matches at both ends. A capture from the wrong system (you accidentally captured a staging server instead of the target) has a perfectly valid hash chain. A capture where the pagefile was needed but not collected has a perfectly valid RAM-image hash — it's just missing evidence.

File integrity is one of four verification requirements. The other three — size validation (does the file size match the target's RAM?), profile identification (can Volatility 3 identify the OS?), and structural sanity (does the process list look reasonable?) — catch the failure modes that hashing misses. An acquisition record that says "hash verified" but omits the structural checks leaves three classes of acquisition failure undetected. All four checks together take under two minutes. There's no reason to skip any of them.

MF1.7 — Smear Detection and Acquisition Quality. You know smear exists (MF1.1) and you know how to verify basic acquisition integrity (this sub). MF1.7 goes deeper: how to detect smear in an image you've already captured, how to assess whether the smear is bad enough to affect your analysis, and what to do when it is.

Try it — Complete an acquisition record for your Target-Win baseline and verify all four structural checks

Setup. Your Target-Win baseline image from MF1.2 on the analysis workstation. The hashes you recorded during MF1.2. A blank document for the acquisition record.

Task. Fill in every field of the acquisition record template from this sub's "concrete template" section for your MF1.2 baseline capture. Then run the four structural checks and record the results in the post-capture fields.

Expected result. A completed acquisition record with all fields populated. All four structural checks pass: size = 4,294,967,296 bytes, profile = Windows 11, Kernel Base starts with 0xfffff8, process count 80-150. Both hashes present and matching. The document is a reusable template — save it and copy it for every subsequent capture in the course.

If your result doesn't match. If you can't fill in the authorisation field, use "self-authorised baseline capture for course lab" — this is legitimate for lab work. If any structural check fails, re-acquire before proceeding; the baseline must be structurally sound. If you don't have the source-side hash from MF1.2, document the gap honestly per this sub's Decision Point — then make a habit of hashing at source for every future capture.

Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. State in one sentence what a SHA-256 hash proves for a memory image and what it does not prove, and explain why the distinction matters for reporting. (§ What the hash actually proves)

2. Name the four structural checks and state what each one detects that hashing alone would miss. (§ The four structural checks)

3. Given a scenario where you forgot to hash at the source and the source system is gone, state what you document in the acquisition record and why honest documentation of the gap is more defensible than pretending it doesn't exist. (§ Decision Point)

Operational Artifact — Acquisition Record Template

Header. Case reference. Date/time start (UTC). Date/time end (UTC). Operator. Authorisation reference. Trigger condition (active attack / post-incident / proactive / baseline).

Target. Hostname. IP. Asset tag/serial. OS and version. RAM size. Hypervisor (if applicable). Environmental notes.

Method. Tool and version. Method rationale (fidelity/footprint/feasibility analysis). Output format. Output file path. Additional files collected (pagefile, hiberfil, swap) with individual hashes.

Integrity. SHA-256 at source. SHA-256 at destination. Hash match (yes/no). Evidence store location. Working copy location. Write-protection method.

Post-capture. Size check result. Profile identification result. Kernel address validation result. Process list count. Anomalies. Operator signature.

Extended reference — hash algorithm selection, multi-image cases, and evidence-store discipline

Hash algorithm. SHA-256 exclusively for the forensic record. MD5 and SHA-1 are deprecated due to known collision attacks. If legacy systems require MD5, compute both and record SHA-256 as the primary. Never use MD5 alone as the integrity proof — it's not defensible under current forensic standards.

Multi-image cases. Some investigations produce multiple images from the same system (RAM + pagefile + hiberfil, or multiple captures over time as the attack progresses). Each image gets its own acquisition record. Cross-reference the records with a case-level index that lists all images, their timestamps, and which system each came from. The case index is the document a reviewer reads first to understand the evidence landscape.

Evidence-store discipline. The original image goes to write-protected storage immediately after hash verification. "Write-protected" means read-only filesystem permissions (chmod 444 on Linux, read-only attribute on Windows), not just "I won't modify it." Create a working copy for analysis; never analyse the original directly. Hash the working copy before each analysis session — if it doesn't match the original's hash, the working copy was modified (possibly by a tool that writes to the image, which some older tools do) and should be recreated from the original.

Retention policy. Determine retention before the investigation ends. HR cases: retain per the organisation's HR evidence policy (often 6 years). Legal proceedings: retain until the matter concludes and the retention period expires. Regulatory: per the regulator's guidance. Baseline captures from this course: retain for the duration of the course, then delete at your discretion. The retention decision is recorded in the acquisition record.

You've set up the lab and captured your first clean baselines.

MF0 built the three-VM lab and established the memory forensics landscape. MF1 taught acquisition with WinPmem and LiME, integrity verification, and chain of custody. From here, you execute attacks and investigate what they leave behind.

8 attack modules (MF2–MF9) — process injection, credential theft, fileless malware, persistence, kernel drivers, Linux rootkits, timeline construction, and a multi-stage capstone
You run every attack yourself — from Kali against your target VMs, then capture memory and investigate your own attack's artifacts with Volatility 3
MF9 Capstone — multi-stage chain (initial access → privilege escalation → credential theft → persistence → data staging), three checkpoint captures, complete investigation report
The lab pack — PoC kernel driver and LKM rootkit source code, setup scripts, 21 exercises, 7 verification scripts, investigation report templates
Cross-platform coverage — Windows and Linux memory analysis in one course, with the timeline module integrating evidence from both

Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →