Articles

A Case for Forensics Tools in Cross-Domain Data Transfer
Dwane Knott, SANS InfoSec Reading Room, Jul 2003
Anti-Forensics: Trends and Emerging Technology – Critical Issues Special Track
Larry Leibrock, Nov 2003
ATA Security - Roadblock to Computer Forensics
Temitope Ogunfiditimi - Electronic Evidence Labs, Apr 2006
Computer Forensics – We’ve had an incident, who do we get to investigate?
Karen Ryder, SANS InfoSec Reading Room, Mar 2002
Recovering Electronic Evidence Essential For An Investigation or Case
Editor interviews Jeffery C. Fehrman, Metropolitan Corporate Counsel, Sept 2005
Ten Step Process for Computer Forensics
Robert Rowlingson, International Journal of Digital Evidence, Winter 2004
Voices From the Past
Joel Deitch, Law Solutions, Jan 2005

Case Studies

Coming Soon

Information

HOW IS DIGITAL EVIDENCE PROCESSED?

Assessment. Computer forensic examiners should assess digital evidence thoroughly with respect to the scope of the case to determine the course of action to take.
Acquisition. Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. Examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves the integrity of the evidence.
Examination. The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media. Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format.
Documenting and reporting. Actions and observations should be documented throughout the forensic processing of evidence. This will conclude with the preparation of a written report of the findings.
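The acquisition and documentation steps above come down to one habit: hash the original as it is read, hash the copy that was written, compare the two, and log every action with a timestamp so the image can be re-verified before examination and again before it is presented. The following is an added example of that routine (it is not Electronic Evidence Labs' own tooling or code from any cited article). The file names, the 64 KiB chunk size and the sample content standing in for a device are assumptions made for the demo; a real acquisition reads a write-blocked device node through the same loop.

```python
"""Acquisition with integrity verification and a contemporaneous log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 64 * 1024                 # assumed read size; any size works, larger is faster
ALGORITHMS = ("md5", "sha256")    # two algorithms so a single collision cannot go unnoticed


def hash_file(path):
    """Stream the file through every hash at once so large evidence never sits in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def log_action(log, **fields):
    """Append one timestamped JSON line; the log is never rewritten, only extended."""
    fields = {"time_utc": datetime.now(timezone.utc).isoformat(), **fields}
    with open(log, "a") as fh:
        fh.write(json.dumps(fields) + "\n")


def acquire(source, image, log):
    """Copy source to image byte for byte, hashing the source as it is read,
    then hash the finished image and compare. Returns (verified, hashes)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
    acquisition = {name: h.hexdigest() for name, h in hashers.items()}
    verification = hash_file(image)
    verified = acquisition == verification
    log_action(log, action="acquire", source=str(source), image=str(image),
               bytes=os.path.getsize(image), acquisition_hashes=acquisition,
               verification_hashes=verification, verified=verified)
    return verified, acquisition


def verify(image, expected, log):
    """Re-hash the image (before examination, before court) against the recorded values."""
    actual = hash_file(image)
    ok = actual == expected
    log_action(log, action="verify", image=str(image), hashes=actual, verified=ok)
    return ok


def run_demo():
    """Acquire a constructed 'device', verify the image, then show that a single
    changed byte is caught on re-verification."""
    workdir = Path(tempfile.mkdtemp())
    source = workdir / "suspect_drive.bin"      # stands in for /dev/sdX behind a write blocker
    image = workdir / "suspect_drive.dd"
    log = workdir / "custody.log"

    # Constructed sample content: 256 KiB of a repeating pattern plus a short marker.
    source.write_bytes(bytes(range(256)) * 1024 + b"CASE-DEMO")

    acquired, expected = acquire(source, image, log)
    verified_before = verify(image, expected, log)

    # Simulate an examiner touching the image without write protection: one byte flipped.
    with open(image, "r+b") as fh:
        fh.seek(4096)
        fh.write(b"\xff")
    verified_after = verify(image, expected, log)

    entries = [json.loads(line) for line in log.read_text().splitlines()]
    return {
        "acquired": acquired,
        "verified_before_tamper": verified_before,
        "verified_after_tamper": verified_after,
        "hashes": expected,
        "log_entries": len(entries),
        "size": entries[0]["bytes"],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hashes taken during the read are the acquisition hashes; the hashes of the finished image are the verification hashes. Only when both agree does the image count as a duplicate of the original, and the log line recording that agreement is what the later verifications are checked against.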

Terms frequently used within Computer Forensics

Acquisition: A process by which digital evidence is duplicated, copied, or imaged.
Analysis: To look at the results of an examination for its significance and probative value to the case.
Compressed file: A file that has been reduced in size through a compression algorithm to save disk space. Compressing a file makes it unreadable to most programs until it is uncompressed. The most common compressed format is ZIP, produced by PKZIP and similar utilities and carrying the extension .zip.
Copy: An accurate reproduction of information contained on an original physical item, independent of the electronic storage device (e.g., logical file copy). Maintains contents, but attributes may change during the reproduction.
Deleted files: If a subject knows there are incriminating files on the computer, he or she may delete them in an effort to eliminate the evidence. Many computer users think that this actually eliminates the information. However, depending on how the files are deleted, in many instances a forensic examiner is able to recover all or part of the original data.
Digital evidence: Information stored or transmitted in binary form that may be relied on in court.
Duplicate: An accurate digital reproduction of all data contained on a digital storage device (e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip, Jaz). Maintains contents and attributes (e.g., bit stream, bit copy, and sector dump).
Encryption: Any procedure used in cryptography to convert plain text into cipher text in order to prevent anyone but the intended recipient from reading that data.
Examination: Technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data.
File slack: Space between the logical end of the file and the end of the last allocation unit for that file.
File system: The way the operating system keeps track of the files on the drive.
Hashing: The process of running a mathematical algorithm over data to produce a fixed-length value that is representative of that data. Any change to the data produces a different value, so hashes are used to show that a copy or image matches the original and has not been altered since.
Image: An accurate digital representation of all data contained on a digital storage device (e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip, Jaz). Maintains contents and attributes, but may include metadata such as CRCs, hash value, and audit information.
Network: A group of computers connected to one another to share information and resources.
Password protected: Many software programs include the ability to protect a file using a password. One type of password protection is sometimes called "access denial." If this feature is used, the data will be present on the disk in the normal manner, but the software program will not open or display the file without the user entering the password. In many cases, forensic examiners are able to bypass this feature.
System administrator: The individual who has legitimate supervisory rights over a computer system. The administrator maintains the highest access to the system. Also can be known as sysop, sysadmin, and system operator.
Unallocated space: Allocation units not assigned to active files within a file system.
Write protection: Hardware or software methods of preventing data from being written to a disk or other medium.
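The deleted files, file slack and unallocated space entries above describe why deleted data survives: deletion removes the file system's record of a file, not its bytes, and a new file that reuses some of those allocation units only overwrites them up to its own logical end. The following is an added example (not code from the original page or from Electronic Evidence Labs) of a toy volume with 512-byte allocation units in which an old file is deleted, a smaller file is written over part of its units, and the examiner then reads the new file's slack and the unallocated units to recover the old content. The unit size, the file names and the contents are constructed for the demo; on a real volume the file system's own allocation tables take the place of the list kept here.

```python
"""Toy volume showing file slack and unallocated space (added example)."""
import re
from dataclasses import dataclass, field

UNIT = 512  # bytes per allocation unit; assumed value for the toy volume


@dataclass
class Entry:
    name: str
    size: int        # logical size in bytes
    units: list      # allocation units holding the file, in order


@dataclass
class Volume:
    n_units: int
    data: bytearray = field(init=False)
    table: list = field(default_factory=list)   # stands in for the file system's records

    def __post_init__(self):
        self.data = bytearray(UNIT * self.n_units)

    def write_file(self, name, content, units):
        """Store content across the given units. Bytes between the logical end
        of the file and the end of its last unit are left as they were: slack."""
        if len(content) > UNIT * len(units):
            raise ValueError("not enough units for the content")
        for i, unit in enumerate(units):
            piece = content[i * UNIT:(i + 1) * UNIT]
            self.data[unit * UNIT:unit * UNIT + len(piece)] = piece
        self.table.append(Entry(name, len(content), list(units)))

    def delete_file(self, name):
        """Deletion drops only the record; the units are not wiped."""
        self.table = [e for e in self.table if e.name != name]

    def file_slack(self, name):
        """Bytes from the logical end of the file to the end of its last unit."""
        e = next(x for x in self.table if x.name == name)
        used = e.size % UNIT
        if used == 0:
            return b""                       # file ends exactly on a unit boundary
        last = e.units[-1] * UNIT
        return bytes(self.data[last + used:last + UNIT])

    def unallocated_units(self):
        used = {u for e in self.table for u in e.units}
        return [u for u in range(self.n_units) if u not in used]

    def unallocated_data(self):
        return b"".join(bytes(self.data[u * UNIT:(u + 1) * UNIT])
                        for u in self.unallocated_units())


def carve_ascii(blob, minlen=8):
    """Simplest form of carving: printable-ASCII runs of at least minlen bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, blob)]


def run_demo():
    vol = Volume(n_units=8)
    # Constructed contents for the demo.
    old = b"ACCOUNT 12345 PASSWORD hunter2 " * 40      # 1240 bytes, needs 3 units
    new = b"Nothing to see here. " * 28               # 588 bytes, needs 2 units

    vol.write_file("secret.txt", old, units=[1, 2, 3])
    vol.delete_file("secret.txt")                      # the user believes it is gone
    vol.write_file("readme.txt", new, units=[1, 2])    # reuses two of the three units

    slack = vol.file_slack("readme.txt")               # tail of unit 2, still holds old data
    unalloc = vol.unallocated_data()                   # unit 3, among others, holds the rest
    return {
        "slack": slack,
        "slack_len": len(slack),
        "unallocated_units": vol.unallocated_units(),
        "unallocated": unalloc,
        "carved": carve_ascii(slack + unalloc),
    }


if __name__ == "__main__":
    r = run_demo()
    print("slack bytes:", r["slack_len"])
    print("unallocated units:", r["unallocated_units"])
    for s in r["carved"]:
        print("carved:", s[:60], "...")
```

The 588-byte readme occupies 76 bytes of its second unit, so the remaining 436 bytes of that unit are slack and still hold the middle of the deleted file; the third unit was never reused and sits in unallocated space with the file's tail. A logical file copy of readme.txt would carry none of this, which is why an examination works from a duplicate or image of the whole device.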


© 2005-2008 Electronic Evidence Labs.
All rights reserved.
USA toll free 877.4EE.LABS           Support 877.433.5227