4.1 The digital forensic process
The digital forensic process has the following five basic stages:
- Identification – the first stage identifies potential sources of relevant evidence/information (devices) as well as key custodians and location of data.
- Preservation – the process of preserving relevant electronically stored information (ESI) by protecting the crime or incident scene, capturing visual images of the scene and documenting all relevant information about the evidence and how it was acquired.
- Collection – collecting digital information that may be relevant to the investigation. Collection may involve removing the electronic device(s) from the crime or incident scene and then imaging, copying or printing out its (their) content.
- Analysis – an in-depth systematic search of evidence relating to the incident being investigated. The outputs of examination are data objects found in the collected information; they may include system- and user-generated files. Analysis aims to draw conclusions based on the evidence found.
- Reporting – firstly, reports must be based on proven techniques and methodology and, secondly, other competent forensic examiners should be able to duplicate and reproduce the same results.
A crucial activity that accompanies the first four stages is contemporaneous note-taking. This is the documentation of what you have done, written immediately after you have done it, in sufficient detail for another person to reproduce what you have done from the notes alone.
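The collection stage and the note-taking that accompanies it can be sketched in code. The following is an added example, not part of the original course material: it copies a stand-in "device" file, hashes source and copy so another examiner can reproduce the check, and writes a timestamped note for each action. The function names, the `examiner-01` label, the file names and the hash-chaining of notes (so that later edits are detectable) are all assumptions made for illustration.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # hash in 1 MiB blocks so large images do not fill memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_note(log, examiner, action, detail):
    # Contemporaneous note: timestamped at the moment of the action and
    # chained to the previous note's hash (assumed scheme, not from the page).
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "detail": detail, "prev_hash": prev}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def verify_notes(log):
    # Recompute every note's hash; any edited or reordered note breaks the chain.
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev or e["entry_hash"] != _digest(body):
            return False
        prev = e["entry_hash"]
    return True

def collect(source, dest, log, examiner):
    # Hash the source, make the copy, hash the copy, and note each step.
    before = sha256_file(source)
    add_note(log, examiner, "hash-source", {"path": source, "sha256": before})
    shutil.copyfile(source, dest)
    after = sha256_file(dest)
    add_note(log, examiner, "image-created",
             {"path": dest, "sha256": after, "matches_source": before == after})
    return before == after

def demo():
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "device.bin")  # constructed stand-in for a device
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence\n" * 1000)
        return collect(src, os.path.join(tmp, "image.dd"), log, "examiner-01"), log
```

Calling `demo()` returns whether the copy matched the source and the list of notes; `verify_notes` returns `False` if any note is altered after it was written.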
This activity is only for the technically minded or curious who would like a preview of the digital forensics process: watch the YouTube video A Geek’s Guide to Digital Forensics (2011) (you may want to use the fast-forward feature to skip some sections).
Digital forensics is not solely about the processes of acquiring, preserving, analysing and reporting on data concerning a crime or incident. A digital forensic scientist must be a scientist first and foremost and therefore must keep up to date with the latest research on digital forensic techniques. They may also contribute to the discipline through their own research and publish it in peer-reviewed journals.