Module Summary
What you built in this module
Module 1 established the evidence volatility framework that governs every preservation decision in this course. Here's what each section delivered.
Section 1.1 — The Order of Volatility. RFC 3227's volatility hierarchy updated for hybrid environments: network connections and process state vanish in seconds, memory survives until reboot, logs persist for days to months depending on retention configuration. The five-tier model maps every evidence type to its volatility category. The /proc capture script and the Windows volatile evidence commands gave you the Tier 1 collection tools that execute in under 60 seconds.
Section 1.2 — Cloud Evidence Volatility. The cloud volatility paradox: logs persist longer than endpoint evidence, but authentication tokens and session state are ephemeral. Entra sign-in log retention boundaries (7 days free, 30 days P1/P2), UAL retention (180 days Standard, 1 year E5 Audit Premium with per-user licensing), and the MailItemsAccessed gap for non-E5 tenants. The NE scenario showed how OAuth persistence through a malicious "Azure Backup Utility" application survives password resets — revoking the OAuth consent is the only effective containment for application-based attacks.
Section 1.3 — Windows Evidence Volatility. The 5-minute capture sequence: processes and connections first (30 seconds), WinPMem memory acquisition second (3–5 minutes), KAPE triage collection third (5–10 minutes). DNS client cache as an overlooked evidence source that reveals C2 domains resolved before the investigation began. The DLL sideloading scenario on WS-FIN-042 showed how rundll32 loads a malicious DLL from a user-writable path — evidence that exists only in the running process and its loaded modules until the next reboot.
Section 1.4 — Linux Evidence Volatility. The /proc virtual filesystem as the single most valuable Linux triage source: process state, command lines, environment variables, executable recovery via /proc/PID/exe, and LD_PRELOAD rootkit detection via /proc/PID/maps. Container evidence as a volatility tier between network state and memory — a Docker container restart destroys the entire writable layer. The auth.log entries that traced the attacker's SSH pivot and container modification on web-prod-01.
Section 1.5 — Memory Acquisition Across Platforms. What exists only in physical memory: decrypted payloads, credential material, beacon configurations, injected code, network buffers, active session tokens. WinPMem and Magnet RAM Capture on Windows. AVML (userland, no kernel module) vs LiME (kernel module, requires exact version match) on Linux. The kernel_lockdown constraint that blocks AVML on Secure Boot systems. Tom's acquisition failure on web-prod-01 — wrong LiME kernel version, AVML blocked — and the readiness checklist that prevents it.
Section 1.6 — The Preservation Decision Tree. One question determines the sequence: is the attacker actively causing damage right now? Active damage demands contain-first with evidence-preserving containment actions (network isolation, firewall block). Dormant threats permit preserve-first for complete evidence capture. The Analyst Decision block documented the NE team's reasoning at the moment of decision. The 2–3 minute assessment window for uncertain attacker states. Containment blast radius: the escalation path from network isolation through process termination to hard shutdown, ranked by evidence destruction.
Section 1.7 — Chain of Custody and Evidence Integrity. SHA256 hashing at collection, verification at every transition, documented handoff with hash confirmation. Why SHA256 specifically — MD5 and SHA-1 deprecated due to practical collision attacks. The six-field chain-of-custody log. Evidence storage on controlled media: write-protected USB, restricted-access network shares, immutable cloud storage (Azure Blob WORM, S3 Object Lock). Evidence transfer procedures — hash manifests sent over a separate channel from the evidence. The three most common CoC failures: forgetting to document, forgetting to hash, and storing evidence where the attacker can reach it.
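As an added illustration of the hash-at-collection, verify-at-every-transition discipline summarised above (example code, not the course's own scripts): the custody entry's six field names, the evidence ID and the evidence bytes are this example's assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone


class CustodyError(Exception):
    """Raised when the hash at a transition does not match the last logged hash."""


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte memory image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_matches_log(log: list, sha256: str) -> bool:
    """True when there is no prior entry (collection) or the hash equals the last logged one."""
    return not log or log[-1]["sha256"] == sha256


def record_transition(log: list, evidence_id: str, sha256: str, action: str, handler: str) -> dict:
    """Append one custody entry. Every transition after collection re-verifies the
    freshly computed hash against the previous entry; a mismatch stops the handoff."""
    if not hash_matches_log(log, sha256):
        raise CustodyError(f"{evidence_id}: hash mismatch at '{action}' by {handler}: "
                           f"expected {log[-1]['sha256']}, got {sha256}")
    entry = {  # six fields; the names are this example's choice, not the course's template
        "evidence_id": evidence_id,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "handler": handler,
        "sha256": sha256,
        "verified_against_previous": bool(log),
    }
    log.append(entry)
    return entry


def hash_manifest(log: list) -> str:
    """Manifest to send over a channel separate from the evidence itself."""
    return json.dumps({e["evidence_id"]: e["sha256"] for e in log}, sort_keys=True)


if __name__ == "__main__":
    log = []
    image = b"constructed stand-in for a memory image"  # sample bytes, not real evidence
    record_transition(log, "EV-001", sha256_bytes(image), "collected", "triage analyst")
    record_transition(log, "EV-001", sha256_bytes(image), "handoff", "investigation team")
    print(hash_manifest(log))
```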
Section 1.8 — Cross-Environment Evidence Correlation. Three correlation methods: timestamps (normalised to UTC with clock drift documented), IP addresses (same external IP across environments, internal IP for lateral movement, VPN/proxy blind spots), and entity mapping (same person under different names — UPN, SAM, Linux username). The KQL union query that merges cloud and endpoint events into a single chronological timeline. Correlation confidence levels: moderate (one shared indicator), high (two), definitive (three or more). The Incident Comment block that documents the attack chain notation for the investigation team.
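An added example, not part of the course material, that runs the three correlation methods above over constructed events and maps the shared-indicator count to the moderate/high/definitive levels: the identity map, the 5-minute timestamp window, the documented clock drift and the sample events (TEST-NET and private addresses) are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed identity map (assumed values): one person as seen by Entra (UPN),
# Windows (SAM account name) and Linux (local username).
IDENTITY_MAP = {"jdoe@example.com": {"sam": "CORP\\jdoe", "linux": "jdoe"}}
_ALIAS_TO_UPN = {}
for _upn, _names in IDENTITY_MAP.items():
    _ALIAS_TO_UPN[_upn.lower()] = _upn
    for _alias in _names.values():
        _ALIAS_TO_UPN[_alias.lower()] = _upn

CONFIDENCE = {0: "none", 1: "moderate", 2: "high"}  # three or more -> definitive

def to_utc(ts: str, clock_drift_s: int = 0) -> datetime:
    """Normalise an ISO 8601 timestamp to UTC and subtract the documented drift of
    the source clock (positive drift means the source clock runs ahead)."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: unlabelled timestamps are UTC
    return dt.astimezone(timezone.utc) - timedelta(seconds=clock_drift_s)

def canonical_entity(event: dict):
    """Map UPN, SAM name or Linux username back to one identity."""
    for key in ("upn", "sam", "user"):
        if key in event:
            return _ALIAS_TO_UPN.get(event[key].lower())
    return None

def correlate(a: dict, b: dict, window: timedelta = timedelta(minutes=5)):
    """Count shared indicators (timestamp, IP, entity) and return the confidence level."""
    shared = []
    if abs(to_utc(a["ts"], a.get("drift_s", 0)) - to_utc(b["ts"], b.get("drift_s", 0))) <= window:
        shared.append("timestamp")
    if a.get("ip") and a.get("ip") == b.get("ip"):
        shared.append("ip")
    if canonical_entity(a) and canonical_entity(a) == canonical_entity(b):
        shared.append("entity")
    return CONFIDENCE.get(len(shared), "definitive"), shared

def timeline(events):
    """One chronological view across environments, the job the KQL union does in Sentinel."""
    return sorted(events, key=lambda e: to_utc(e["ts"], e.get("drift_s", 0)))

# Constructed sample events; the endpoint clock is documented as 90 s ahead.
CLOUD_SIGNIN = {"src": "entra", "ts": "2025-03-04T09:02:10+00:00", "ip": "203.0.113.45", "upn": "jdoe@example.com"}
WIN_PROCESS = {"src": "defender", "ts": "2025-03-04T10:03:40+01:00", "drift_s": 90, "ip": "203.0.113.45", "sam": "CORP\\jdoe"}
LINUX_SSH = {"src": "auth.log", "ts": "2025-03-04T09:40:00+00:00", "ip": "10.20.0.15", "user": "jdoe"}
```

Running `correlate(CLOUD_SIGNIN, WIN_PROCESS)` yields definitive confidence (all three indicators shared once drift is removed), while the Linux SSH event correlates with either only through the entity, so moderate.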
Section 1.9 — Live Response Scripting and Automation. The consistency problem with manual triage — different analysts, different artifacts, different completeness. PowerShell and Bash triage scripts that produce identical evidence packages regardless of who runs them. Defender Live Response for remote single-endpoint collection through the Defender management channel. Velociraptor for fleet-wide evidence collection — scoping hunts to identify compromised endpoints, full triage hunts to collect evidence from confirmed targets. Script version control as a post-incident discipline.
Section 1.10 — Interactive Lab. Three scenarios testing the preservation decision against different attacker states: active exfiltration (contain-first with firewall block), dormant Cobalt Strike beacon (preserve-first with memory capture priority), and historical OAuth compromise (preserve-first with UAL export as first action). The scoring framework across three skills: attacker state assessment, evidence selection, and containment action selection.
The framework you now own
Two operational capabilities came out of this module. The volatility map tells you which evidence disappears first in each environment — so you never waste the first 5 minutes of a triage capturing logs that persist for months while memory evidence evaporates. The preservation decision tree tells you whether to capture evidence before or after containment — so you never destroy evidence by containing too early or allow damage by preserving too long.
The cross-environment correlation skill from Section 1.8 is what separates a single-environment triage analyst from someone who can handle the attacks that actually happen in production. Modern attackers cross environment boundaries — cloud to endpoint, endpoint to Linux, identity to infrastructure. The analyst who checks only the environment that generated the alert misses the full scope. The bidirectional correlation check takes 2 minutes and prevents the investigation team from discovering uncontained systems days later.
The chain-of-custody discipline from Section 1.7 and the scripted collection from Section 1.9 ensure that the evidence you capture is both complete and defensible. SHA256 hashing at every transition, documented handoffs, and version-controlled triage scripts mean the investigation team receives standardised evidence packages they can trust — regardless of which analyst responded, at what hour, under what pressure.
What comes next
TR2 — Cloud Identity Triage. With the evidence volatility framework established, the next module applies it to the environment where most modern attacks begin: cloud identity. You'll triage Entra ID alerts using the methodology from TR0 and the evidence preservation sequences from TR1. The focus shifts from "what evidence exists and when does it disappear" to "how do I assess this specific cloud identity alert within 15 minutes."