Phases of Computer Forensics
- Collection / Preservation
- Filtering
- Presentation
Collection / Preservation
Digital evidence can be collected from many sources; computers, mobile phones, digital cameras, PDAs and USB storage devices are some examples. It is of great importance to take special care of the computer evidence collected, as digital information is easily changed and it is impossible to detect if a change has taken place. Originals have to be preserved to ensure that the digital evidence collected is reliable, complete, accurate and verifiable.
Outline of specific computer evidence handling practices:
- Handle the computer evidence in a way that avoids changes to the originals
- Establish and maintain chain of custody
- Document every step of the investigation
- Only use reliable and trusted tools and software that have been tested and evaluated beforehand.
Filtering
This is also referred to as the analysis phase, as the investigator filters out information that does not contain any potential evidence. A wide variety of forensic tools are used in this stage. See types of computer forensic tools.
Presentation
The final phase of computer forensics is to present the evidentiary data retrieved from the original media, organising it on CD-ROM or DVD-ROM. The presentation phase also includes the investigator’s reports, documentation, testimonials, declarations etc…
See types of evidence