Sign In

TR1.6 Disk and Log Evidence: Collection Without Contamination

· Module 1 · Free
Operational Objective
The Contamination Risk: Every action on a running system modifies it. Logging in creates session entries. Running commands creates process entries. Copying files updates access timestamps. The triage responder cannot avoid ALL modification — but they can MINIMISE modification and DOCUMENT every action. The distinction between "forensically sound" and "forensically contaminated" is not whether modification occurred (it always does on a live system) but whether the modification was minimised, documented, and distinguishable from the attacker's activity. This subsection teaches disk and log evidence collection techniques that minimise contamination while capturing the artifacts the investigation team needs.
Deliverable: KAPE triage procedure for Windows, Cat-Scale procedure for Linux, UAL export procedure for M365, the contamination minimisation checklist, and the write-blocker decision tree.
Estimated completion: 30 minutes
DISK + LOG EVIDENCE — PER ENVIRONMENTWINDOWS: KAPE$MFT, Event Logs, Registry, PrefetchTargeted collection: 2-10 min, 500MB-5GBLINUX: CAT-SCALEauth.log, journal, cron, configs, historyComprehensive script: 5-15 min, 50-200MBM365: UAL + GRAPHUnified Audit Log, Sign-in logs, Mailbox auditAPI/PowerShell export: 5-30 min (retention-dependent)

Figure TR1.6 — Disk and log evidence collection tools per environment. KAPE for Windows (targeted artifact collection), Cat-Scale for Linux (comprehensive bash-based collection), and UAL/Graph API export for M365 (cloud log preservation).

Windows: KAPE triage collection

KAPE (Kroll Artifact Parser and Extractor) collects specific forensic artifacts from a Windows system using pre-defined “targets” (what to collect) and “modules” (how to parse). For triage, KAPE runs in TARGET mode only — collecting raw artifacts without parsing. The investigation team runs the modules later.

Six-step method — KAPE triage collection:

What to look for: The high-value Windows forensic artifacts: $MFT (filesystem metadata), Event Logs (Security, System, PowerShell, Sysmon), Registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT), Prefetch files (execution history), AmCache (application execution), USN Journal (filesystem changes), SRUM (System Resource Usage Monitor), and browser history.

How to extract:

1
2
3

# KAPE — pre-staged on triage USB at E:\tools\KAPE\
# Triage target: collect key artifacts without full disk imaging
E:\tools\KAPE\kape.exe --tsource C: --tdest E:\IR\%COMPUTERNAME%\KAPE --target KapeTriage --vhdx %COMPUTERNAME% --zv false

Key KAPE targets for triage:

KapeTriage — the recommended compound target that collects: $MFT, $LogFile, $UsnJrnl, Event Logs (all .evtx), Registry hives, Prefetch, AmCache, Shimcache, SRUM, PowerShell console history, browser history, and Windows.old. This target captures the complete artifact set needed for DFIR analysis in 2-10 minutes depending on disk speed and artifact volume.

Output verification:

1
2
3
4
5

# Verify KAPE collection completed
Get-ChildItem E:\IR\$env:COMPUTERNAME\KAPE -Recurse | Measure-Object -Property Length -Sum
# Expected: 500 MB - 5 GB depending on system activity level
# Hash the collection
Get-FileHash "E:\IR\$env:COMPUTERNAME\KAPE.vhdx" -Algorithm SHA256 | Out-File "E:\IR\$env:COMPUTERNAME\kape_hash.txt"

What KAPE does NOT collect (by design): Full disk contents, user documents, application data, database files. KAPE’s triage targets are specifically forensic ARTIFACTS — the metadata and logs that tell the investigation story. Collecting the full disk is a forensic imaging task (TR0.7), not a triage task.

Linux: Cat-Scale and the custom triage script

Cat-Scale (WithSecure) is the Linux equivalent of KAPE — a bash script that collects the high-value artifacts from a Linux system into a compressed tarball.

1
2
3
4

# Cat-Scale — pre-staged on triage USB
/mnt/usb/tools/Cat-Scale/Cat-Scale.sh --output /mnt/usb/IR/$(hostname)_catscale/
# Or the production triage script from TR4.10 (which includes Cat-Scale's artifact coverage)
/mnt/usb/tools/triage.sh /mnt/usb/IR/$(hostname)/

What Cat-Scale collects: /var/log/ (auth, syslog, kern, daemon, audit), systemd journal, crontab (system + user), systemd service and timer files, /etc/passwd + /etc/shadow + /etc/group + /etc/sudoers, SSH configuration and authorized_keys, bash history for all users, network configuration, running process list, active connections, loaded kernel modules, Docker/K8s state, and package verification output.

M365: Unified Audit Log preservation

The Unified Audit Log (UAL) in M365 has rolling retention: E5 licences retain 1 year, E3 retains 180 days, E1 retains 90 days. But the UAL is the PRIMARY cloud evidence source — if the organisation’s licence changes or the retention window expires, the evidence is permanently lost. Preservation during triage ensures the investigation team has access to the full log history.

1
2
3
4
5
6
7

# Connect to Exchange Online PowerShell
Connect-ExchangeOnline
# Export UAL for the incident window + 30 days prior (for baseline comparison)
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -ResultSize 5000 | Export-Csv "E:\IR\UAL_export.csv" -NoTypeInformation
# For large tenants: paginate with SessionCommand ReturnLargeSet

Alternative: Sentinel already ingests UAL data. If the organisation forwards UAL to Sentinel via the Office 365 connector: the data is preserved in Sentinel’s retention (30-90 days depending on workspace configuration, extendable to 2 years with archival tier). Verify: OfficeActivity | summarize min(TimeGenerated), max(TimeGenerated) — if the earliest event is older than 90 days, Sentinel retention is working and UAL export may be unnecessary.

Forensic soundness principles for triage

The triage responder operates on a LIVE system — zero contamination is impossible. The standard is MINIMAL, DOCUMENTED contamination:

Principle 1: Write to external media, never the target disk. The memory dump, the KAPE collection, the Cat-Scale archive, and the triage script output all go to the USB drive or network share — not to C:\ or /tmp on the target. Writing to the target disk overwrites unallocated space where deleted files might be recoverable.

Principle 2: Use pre-staged tools from external media. Installing a tool during triage (apt install, pip install) modifies the system: new files created, package database updated, disk space consumed. Pre-staging tools on the triage USB eliminates installation contamination.

Principle 3: Document every command executed on the target. The investigation team needs to distinguish the responder’s actions from the attacker’s actions. If the responder ran cat /etc/shadow during triage (to check for modifications), this creates an access timestamp that could be confused with the attacker reading /etc/shadow. Documenting the exact time of the responder’s access prevents this confusion.

Principle 4: Hash everything at collection time. SHA256 hashes prove the evidence has not been modified since collection. Any analysis that produces results inconsistent with the original hash indicates either corruption or tampering — both of which must be investigated.

Write-blockers in triage context. Hardware write-blockers prevent write operations to a disk — ensuring read-only access for forensic imaging. For LIVE SYSTEM triage, write-blockers are NOT used on the running system’s disk (the system needs write access to function). Write-blockers are used when: mounting a removed disk on the forensic workstation for imaging, mounting an external disk that may contain evidence, or mounting a backup disk for comparison. During triage, the equivalent of write-blocking is the “write to external media” principle — the target’s disk is read but not written to (beyond the unavoidable modifications from running commands).

Try it: run KAPE or Cat-Scale on a test system and verify the output
  1. Windows: Download KAPE. Run the KapeTriage target against a test workstation. Check: how many files were collected? What is the total size? How long did the collection take?
  2. Linux: Download Cat-Scale. Run on a test server. Check: what artifacts are in the output tarball? Is auth.log included? Are SSH keys included?
  3. Both: hash the output and record the hash. This is the baseline — if you later verify the hash still matches, the evidence has not been modified.
Compliance Myth: "Triage on a live system contaminates the evidence — it is better to image the disk first"

The myth: Running commands on a live system modifies it, contaminating the evidence. The forensically correct approach is to power off the system, remove the disk, and create a forensic image before any analysis.

The reality: Powering off the system DESTROYS all volatile evidence: memory contents (including the attacker’s running processes, encryption keys, and C2 configuration), active network connections (the C2 channel disappears), logged-in sessions, and running containers. The disk image preserves non-volatile evidence but loses everything in RAM. For incidents where volatile evidence is critical (active C2 beacons, running cryptominers, live SSH sessions, encryption keys in memory), live triage and memory acquisition BEFORE power-off preserves evidence that disk imaging alone would permanently lose. The forensic standard (NIST SP 800-86, RFC 3227) recommends live acquisition of volatile data FIRST, followed by disk imaging — not disk imaging alone.

Troubleshooting

“KAPE is blocked by endpoint protection.” Some EDR solutions flag KAPE as a potential attack tool (it accesses sensitive system files). Whitelist KAPE’s hash in your EDR policy BEFORE an incident. If KAPE is blocked during triage: use PowerShell to collect the critical artifacts manually: Copy-Item "$env:SystemRoot\System32\winevt\Logs\Security.evtx" E:\IR\ for event logs, reg save HKLM\SYSTEM E:\IR\SYSTEM for registry hives.

“Cat-Scale fails with permission errors.” Cat-Scale requires root access. If running as a non-root user: some artifacts (auth.log, shadow, sudoers) will not be collected. Document the limitation and escalate for root access.

Beyond this investigation: Disk and log collection connects to Practical Incident Response IR3-IR4 (where KAPE's collected artifacts are parsed with MFTECmd, PECmd, AmcacheParser, EvtxECmd, and RECmd — the tools that transform raw artifacts into investigation evidence), Practical Linux IR LX1-LX2 (where Cat-Scale output is analysed for timeline construction and artifact correlation), and Practical Threat Hunting in M365 (where the preserved UAL data enables historical hunting queries that span the full retention window).
Operational Artifact — Evidence Collection Quick Reference

Windows (KAPE): kape.exe --tsource C: --tdest E:\IR\%COMPUTERNAME%\KAPE --target KapeTriage Output: 500MB-5GB. Time: 2-10 min. Hash the output.

Linux (Cat-Scale): Cat-Scale.sh --output /mnt/usb/IR/$(hostname)_catscale/ Output: 50-200MB. Time: 5-15 min. Hash the archive.

M365 (UAL): Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 | Export-Csv Or verify Sentinel ingestion: OfficeActivity | summarize min(TimeGenerated)

Contamination minimisation: External media only. Pre-staged tools. Document every command. Hash at collection.

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← TR1.5 Memory Acquisition: Tools, Techniques, and Verification TR1.7 The Preservation Decision Tree →