Digital Forensics Process

The digital forensic process must adhere to four important principles (see Figure 1). They are acquisition, preservation, analysis, and presentation.

                                                     Figure 1. Digital forensics process

Acquisition: Data acquisition is the first stage of the evidence acquisition process. It is here that the data is copied from the hard drive of a computer, from mobile devices, databases, servers, and cloud computing. Getting in touch with the evidence ensuring its integrity.

Preservation: 

The collected evidence must remain as it was found. Therefore, it is necessary to isolate and protect the evidence to avoid modifications or losses by creating and maintaining the chain of custody (see Figure 2). The chain of custody must cover the entire digital forensic process and ensure that there are no breaks at any time.

 

                                                        Figure 2. The chain of custody 

Analysis: It is during the analysis that the forensic expert tests his experience and skills to obtain the probative elements of the evidence using the appropriate forensic techniques and methods.

Presentation: The presentation of the findings must be clear, concise, accurate and accurate. Explain what was tested, how it was tested, what tools were used, and the results obtained. Write forensic report, create affidavit, deposition of expert, and court testimony.