Steps to Take in a Computer Forensics Investigation
Part of the Computer Forensics For Dummies Cheat Sheet
Computer forensics is a meticulous practice. When a crime involving electronics is suspected, a computer forensics investigator takes each of the following steps to reach — hopefully — a successful conclusion:
Obtain authorization to search and seize.
Secure the area, which may be a crime scene.
Document the chain of custody of every item that was seized.
Bag, tag, and safely transport the equipment and e-evidence.
Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.
Keep the original material in a safe, secured location.
Design your strategy for reviewing the e-evidence, including lists of keywords and search terms.
Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy.
Interpret and draw inferences based on facts gathered from the e-evidence. Check your work.
Describe your analysis and findings in an easy-to-understand and clearly written report.
Give testimony under oath in a deposition or courtroom.
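
The acquisition, chain-of-custody, and "never the original" steps above depend on being able to show that a forensic image matches the source and has not changed since it was made. The Python below is an added example, not part of the original cheat sheet: it copies a source to an image, verifies the copy by hash, records a custody entry, and re-checks the image before examination. It assumes SHA-256 as the integrity hash and a small constructed file standing in for seized media (real acquisitions also use a write blocker); the function names and custody fields are hypothetical.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never sits in memory


def sha256_file(path):
    """Stream a file through SHA-256 (assumed integrity hash) and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # opened read-only: the file is never written to
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image, examiner):
    """Copy source to image, verify the copy, and return a custody log entry."""
    source_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": refuse to overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            source_hash.update(block)
            dst.write(block)
    image_hash = sha256_file(image)  # re-read what actually landed on disk
    if image_hash != source_hash.hexdigest():
        raise ValueError("image does not match source; acquisition is not sound")
    os.chmod(image, stat.S_IRUSR)  # mark the working copy read-only
    return {"item": os.path.basename(source), "image": image, "sha256": image_hash,
            "examiner": examiner, "acquired_utc": datetime.now(timezone.utc).isoformat()}


def verify_before_exam(entry):
    """Re-hash the image before analysis; True only if it is unchanged."""
    return sha256_file(entry["image"]) == entry["sha256"]


def demo():
    """Constructed sample: a small file stands in for the seized media."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "seized_media.bin")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample evidence\n" * 1000)
    entry = acquire_image(source, os.path.join(workdir, "seized_media.img"), "examiner-01")
    return entry, verify_before_exam(entry)


if __name__ == "__main__":
    print(demo())
```

Recording the hash in the custody entry at acquisition time is what lets a later examiner, or the opposing side, confirm that the image analyzed is the image that was taken.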