Computer Forensics Phases and Common Tasks
1. First Response
2. Search and Seizure
3. Evidence Collection
4. Securing of the Evidence
5. Data Acquisition
6. Data Analysis
7. Evidence Assessment
8. Documentation and Reporting
9. Expert Witness Testimony
Identification
The first step is identifying evidence and potential containers of evidence.
Collection
In the collection phase, relevant data are collected according to approved methods, using various recovery techniques.
• Take detailed photos and notes of the computer / monitor
• If the computer is “on”, take photos of what is displayed on the monitor – Do Not Alter The Scene
• Make sure to take photos and notes of all connections to the computer/other devices
Collection: Imaging
• Rule of Thumb: make 2 copies and don’t work from the original (if possible)
Securing of the evidence: Preservation
Securing of the evidence: Imaging
• Forensic Copies (Bitstream)
➢ Bit for Bit copying captures all the data on the copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.)
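
Added example (not part of the original slides): one way to follow the "make 2 copies" rule with a bitstream copy, reading the original only once and checking both copies against a SHA-256 of that same stream. The hash check, the function and file names, and the 64 KiB sample "disk" with a marker in unused space are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: acquire two bitstream images while reading the original once.
# Function names, file names and the sample "disk" are assumptions.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_image EXPECTED_HASH FILE -> 0 if FILE still matches the acquisition hash
verify_image() { [ "$(sha256_of "$2")" = "$1" ]; }

# acquire SOURCE OUTDIR
# Streams SOURCE once into OUTDIR/working.dd and OUTDIR/archive.dd, hashing
# the same stream, then re-reads both copies to confirm they match it.
# Prints the SHA-256 on success; returns 1 on any mismatch.
acquire() {
    src=$1; out=$2
    mkdir -p "$out" || return 1
    digest=$(dd if="$src" bs=4096 2>/dev/null \
        | tee "$out/working.dd" "$out/archive.dd" \
        | sha256sum | cut -d' ' -f1)
    verify_image "$digest" "$out/working.dd" || return 1
    verify_image "$digest" "$out/archive.dd" || return 1
    chmod a-w "$out/working.dd" "$out/archive.dd"   # guard against accidental edits
    printf '%s  %s\n' "$digest" "$src" > "$out/acquisition.sha256"
    printf '%s\n' "$digest"
}

# make_sample_disk FILE: constructed 64 KiB stand-in for seized media, with a
# marker at byte 40960 in otherwise unused space (no file system refers to it).
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=4096 count=16 2>/dev/null
    printf 'RESIDUAL-DATA' | dd of="$1" bs=1 seek=40960 conv=notrunc 2>/dev/null
}

# read_at FILE OFFSET LENGTH: raw bytes at an offset in an image
read_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null; }

demo() {
    dir=$(mktemp -d)
    make_sample_disk "$dir/evidence.raw"
    acquire "$dir/evidence.raw" "$dir/images"          # prints the SHA-256
    read_at "$dir/images/working.dd" 40960 13; echo    # residual bytes survive
    rm -rf "$dir"
}
demo
```

On real media the source would be the device node behind a write blocker, and analysis would use working.dd while archive.dd stays untouched.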