Contract Clause-First Reporting vs. Rapid Operational Disclosure: Which Approach Keeps Your Federal Contract Secured — and Out of Trouble?

By Jonathan D. Steele | November 14, 2025

Digital Survival Field Guide: Turn Your Devices from Liability into Intel

They call it a device. You call it reconnaissance. Your smartphone can betray you; your laptop can be the smoking gun. This field guide trains you to think like a digital survivalist — legally, methodically, and with military precision. Follow the links, follow the law, and secure the facts so they stand up in court.

Recognizing the Enemy

Know the artifact targets — these are the enemy positions you must map before you move.

  1. Windows

    Targets: Master File Table (MFT), Prefetch, NTFS timestamps, Event Logs, Registry hives, user profiles.

    Artifact locations: C:\$MFT (via raw image), C:\Windows\System32\winevt\Logs\*.evtx, C:\Windows\System32\config\SYSTEM, %USERPROFILE%\NTUSER.DAT, %LOCALAPPDATA%\Google\Chrome\User Data\Default\History.

  2. macOS

    Targets: /var/log, ~/Library/Preferences, Unified Logging, Spotlight DB, browser databases, system and user plists.

    Artifact locations: /var/db/diagnostics/, /Users/<user>/Library/Preferences/*.plist, /Users/<user>/Library/Safari/History.db.

  3. Linux

    Targets: /var/log, /etc, ~/.bash_history, systemd-journal, crontabs, package manager logs.

  4. Mobile

    Targets: call/SMS databases, app data, system logs, artifacts in backups.


    Artifact locations: Android app data /data/data/<package>/databases/; iOS backups and Manifest.db within encrypted backups.

  5. Network & Memory

    Targets: PCAP files, DNS cache, ARP tables, RAM images for credentials, in-memory malware.

    Tools: memory capture + analysis (Volatility), packet capture analysis (Wireshark/pcap).

Your Counter-Attack Strategy

This is your incident playbook. Follow orders exactly — preserve evidence, document everything, notify stakeholders per contract and law.

  1. Secure the scene

    Isolate affected hosts from the network. Do not destroy volatile evidence by powering off devices unless instructed. Photograph and log device state, connections, and peripheral devices.

  2. Preserve the evidence

    Create forensic images using hardware write-blockers for storage media. Capture volatile data (memory, running processes, network connections) before reboot if live response is authorized.

    Tools & references: Autopsy (desktop triage & timeline): https://www.sleuthkit.org/autopsy/; Volatility (memory analysis): https://www.volatilityfoundation.org/; timeline tooling: Plaso/Log2Timeline: https://plaso.readthedocs.io/.

  3. Hash and document

    Compute SHA-256 (and MD5/SHA-1 only for comparison with legacy records) hashes of original media and images. Record examiner, date/time (UTC), hash values, tool used, and personnel signatures in a chain-of-custody log.

  4. Collect logs & network captures

    Pull Windows Event Logs, syslogs, firewall/IDS logs, and PCAPs. Time-sync logs to a single timeline baseline (UTC) and note any time-zone offsets or clock skew.

  5. Analyze memory and disk

    Use Volatility for RAM (processes, sockets, DLLs), Autopsy/SleuthKit for disk artifacts and timelines, and Plaso for global timeline aggregation. Correlate to reconstruct the kill-chain.

  6. Contain, eradicate, recover

  7. Notify per contract & law

    For federal contracts, follow DFARS reporting requirements: DFARS 252.204-7012 (DoD contractors) — https://www.acquisition.gov/dfars/252.204-7012. Follow NIST SP 800-171 controls: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final.

Timeline Assembly — The Tactical Map

Build a single timeline to see the battle unfold. Timestamp normalization is your reconnaissance photo.

  1. Collect timestamp sources: MFT, $LogFile, Prefetch, EVTX, browser SQLite files, syslogs, DHCP leases, PCAP times, mobile app DBs.
  2. Normalize to UTC: document time zone sources and convert; note system clock changes and NTP adjustments.
  3. Use automated tools then validate: run Plaso to create a supertimeline, feed parsed events into Autopsy timeline viewers; corroborate with Volatility findings from RAM.
  4. Correlate network & host events: map network sessions (PCAP) to process-level sockets in memory; link authentication events to user activity.
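The normalization step above, as an added example (not tooling from the original guide): three constructed records in the formats EVTX, syslog and PCAP typically use are converted to UTC, corrected for a documented clock skew, and merged into one ordered timeline. The host names, zone, year and skew value are assumptions an examiner would record before converting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Event:
    ts_utc: datetime
    source: str
    host: str
    message: str

# Constructed sample records (not real case data). Each source keeps time differently:
# EVTX-style ISO 8601 with an explicit offset, syslog with no year and no zone,
# and PCAP frame times as epoch seconds (already UTC).
SAMPLE_RECORDS = [
    {"source": "evtx", "host": "ws01", "time": "2025-11-14T09:02:11-06:00",
     "message": "4624 logon for jdoe"},
    {"source": "syslog", "host": "srv01", "time": "Nov 14 15:03:40",
     "message": "sshd accepted password for jdoe"},
    {"source": "pcap", "host": "sensor", "time": 1763132620.5,
     "message": "TCP 10.0.0.5:51022 -> 203.0.113.9:443"},
]

# Per-host facts the examiner documents before converting (assumed values here):
# the zone a syslog host wrote in, the year for year-less syslog lines, and the
# clock skew measured against the NTP reference (host_clock - true_time, seconds).
SYSLOG_ZONE = {"srv01": timezone(timedelta(hours=1))}
SYSLOG_YEAR = 2025
CLOCK_SKEW = {"srv01": -25.0}   # srv01's clock ran 25 s behind true time

def normalize(rec: dict) -> Event:
    """Convert one raw record to a UTC-anchored Event, correcting measured skew."""
    src = rec["source"]
    if src == "evtx":
        ts = datetime.fromisoformat(rec["time"])
    elif src == "syslog":
        naive = datetime.strptime(f"{SYSLOG_YEAR} {rec['time']}", "%Y %b %d %H:%M:%S")
        ts = naive.replace(tzinfo=SYSLOG_ZONE[rec["host"]])
    elif src == "pcap":
        ts = datetime.fromtimestamp(rec["time"], tz=timezone.utc)
    else:
        raise ValueError(f"unknown source: {src}")
    ts -= timedelta(seconds=CLOCK_SKEW.get(rec["host"], 0.0))  # remove recorded skew
    return Event(ts.astimezone(timezone.utc), src, rec["host"], rec["message"])

def build_timeline(records) -> list:
    """Supertimeline: every source normalized to UTC and merged in true time order."""
    return sorted((normalize(r) for r in records), key=lambda e: e.ts_utc)

def timeline_sources(records) -> list:
    return [e.source for e in build_timeline(records)]
```

Note that the syslog line, which looks latest in wall-clock terms, lands first once its zone and skew are applied; that is exactly the kind of inversion an un-normalized timeline hides.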

Chain of Custody — Your Evidence Manifesto

Chain of custody isn’t bureaucratic — it’s armor. Every transfer is logged. Every handler signs.

  1. Identify and tag: assign exhibit IDs, label with case number, date/time, item description.
  2. Hash-original & image: compute hashes pre- and post-transfer; store hashes in log.
  3. Bag & secure: use evidence bags, tamper-evident seals, and locked storage with restricted access.
  4. Document transfers: for every handoff, record personnel, date/time, reason, and condition. Maintain continuous custody chain until final disposition.
  5. Legal readiness: preserve chain-of-custody documentation so the evidence can be authenticated under Federal Rule of Evidence 901 (FRE 901).
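The "Hash and document" step of the playbook and steps 2 and 4 of the chain-of-custody list, as one added example (not a tool from the original guide): a single read of the evidence feeds SHA-256 plus the legacy digests, each handoff becomes a timestamped (UTC) log record, and a verification pass flags any exhibit whose SHA-256 differs between two entries. Exhibit IDs, examiner names and the JSON-lines log format are assumptions.

```python
import hashlib
import io
import json
from datetime import datetime, timezone
from pathlib import Path

# SHA-256 is the digest of record; SHA-1 and MD5 are kept only to compare with legacy logs.
ALGOS = ("sha256", "sha1", "md5")

def hash_stream(stream, chunk_size: int = 1 << 20) -> dict:
    """Hash a binary stream once, feeding every algorithm from the same read."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))

def hash_file(path) -> dict:
    with Path(path).open("rb") as f:
        return hash_stream(f)

def custody_entry(exhibit_id: str, examiner: str, action: str, hashes: dict,
                  tool: str = "hash_stream (this script)") -> dict:
    """One chain-of-custody record: who, when (UTC), what was done, and the hashes observed."""
    return {
        "exhibit_id": exhibit_id,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,        # e.g. "imaged", "transferred", "received"
        "tool": tool,
        "hashes": hashes,
        "signature": None,       # completed by the handler's signature on the log
    }

def verify_custody(log: list) -> list:
    """Return exhibit IDs whose SHA-256 changed between any two entries in the log."""
    first_seen, broken = {}, []
    for entry in log:
        ref = first_seen.setdefault(entry["exhibit_id"], entry["hashes"]["sha256"])
        if entry["hashes"]["sha256"] != ref and entry["exhibit_id"] not in broken:
            broken.append(entry["exhibit_id"])
    return broken

def export_log(log: list, path) -> None:
    """Append-friendly JSON-lines export of the custody log (assumed format)."""
    Path(path).write_text("\n".join(json.dumps(e, sort_keys=True) for e in log) + "\n")
```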

Legal Precedents You Must Know

Legal terrain shapes tactical choices. Know which moves require warrants and which evidence courts trust.

Incident Response Playbook — Mission Template

  1. Identification: triage alerts, confirm compromise, gather initial indicators.
  2. Containment: isolate systems, block C2, preserve volatile data (memory), take images.
  3. Eradication: remove malware artifacts from images (not originals), coordinate with legal for remediation steps.
  4. Recovery: validate restorations, harden controls, rotate credentials, monitor for recurrence.
  5. Lessons Learned: produce incident report with timeline, artifacts, hashes, chain-of-custody log, and legal notifications made.

Final orders: document everything, maintain legal counsel along the way, and use court-tested tools and procedures. Your survival depends on evidence that is defensible — accurate timestamps, unbroken chain of custody, and transparent methodology. Train like a guerrilla, operate like a prosecutor.

Resources: Autopsy; Volatility; SANS Incident Handler’s Handbook; NIST guides.
