Digital Forensics Acquisition Documentation
A practical guide to recording forensic sources, destinations, methods, tools, versions, write protection, timestamps, hashes, errors, and outputs.
ByteCase Guide Hub
Original ByteCase explanations, checklists, and practical references for digital forensic examiners, technical reviewers, and people learning core technical concepts.
Browse by category
Hashes, manifests, re-verification, comparison results, and integrity records.
Open category → 1 guideSource, destination, method, tooling, integrity, errors, and acquisition documentation.
Open category → 1 guideRequest scope, authority references, devices, accounts, urgency, and examiner handoff.
Open category → 1 guideKnown-value testing, expected results, limitations, environments, and revalidation.
Open category → 1 guideCase folders, repeatable processes, workflow states, handoff, and closeout.
Open category → 1 guideExaminer actions, observations, interpretations, sources, and report preparation.
Open category → 2 guidesSQLite, relational data, SQL, NoSQL models, and database artifacts.
Open category →All guides
A practical guide to recording forensic sources, destinations, methods, tools, versions, write protection, timestamps, hashes, errors, and outputs.
A practical local folder model for keeping intake, acquisition, verification, examiner notes, timelines, exhibits, reports, and supporting records predictable.
The information a forensic examiner should receive about the case, requestor, authority, scope, devices, accounts, urgency, credentials, and delivery needs.
A practical approach to recording examiner actions, observations, interpretations, questions, timestamps, tools, sources, screenshots, and report-ready facts.
A practical explanation of file hashes, saved manifests, later re-verification, comparison results, and the limits of what a matching hash establishes.
A plain-language guide to validation, verification, known-value testing, expected and observed results, versions, environments, limitations, and revalidation triggers.
A straightforward guide to forensic hash manifests, the fields they should contain, how they differ from a single hash value, and why paths and metadata matter.
How to interpret matching, changed, missing, new, inaccessible, skipped, path-changed, and error results during hash re-verification.
A deeper guide to relational data models, normalization, joins, transactions, SQLite sidecar files, and document, key-value, wide-column, and graph databases.
A straightforward explanation of SQLite, tables, rows, columns, keys, relationships, SQL, and how relational databases differ from spreadsheets and NoSQL databases.
External references
Return to the broader Resources page for NIST, SWGDE, SANS, practitioner projects, validation data, and recommended books.