The forensic process

From Wikibooks, open books for an open world
Jump to navigation Jump to search

Helpful Hint!
Wikipedia has related information at Digital forensic process

A digital forensic investigation usually consists of three main stages, and one preliminary stage (which is beyond the scope of this book). As you will see these stages have different requirements and technical skills - from attention to detail, through to technical skills and a good writing ability.

Evidence seizure

[edit | edit source]

The seizure of evidence is considered largely outside the scope of this book; because it could be an entire book on its own. For the most part a forensic examiner will not be involved in seizures except in a technical capacity (i.e performing an on-site acquisition), however you do need to question where the evidence has come from.

Seizure of evidence can take many forms. From law enforcement using a court warrant through to a company "seizing" an employee's laptop. When conducting a forensic examination you are responsible for your actions, and if the material you are examining was illegally seized there could be serious consequences (even rising to the level of yourself being accused of computer crime!).

You must always be happy with the source of evidence, and that you are authorised to continue with an examination.

Criminal Cases

[edit | edit source]

Where evidence has been seized by law enforcement it almost certainly has been done within procedure. If so, there are unlikely to be any problems for the examiner, because it is reasonable to assume that the police have done their job correctly.

Civil/Private Cases

[edit | edit source]

For private work this consideration is much more important. If a company, for example, owns the digital device being examined then it is usually acceptable to examine. But if the device is the employees own this requires permission, or a court order. Whenever you are examining a piece of evidence question whether it belongs to the company, and if it does not ensure that the correct permission has been obtained.

The forensic process

[edit | edit source]
The process of collecting/documenting digital media exhibits, then the creation of a bit copy.
The actual (free form) process of investigation, which can take many forms
Production of an evidence package along with analysis/description in layman's terms
Introduction to Digital Forensics
The forensic process Terminology