Identifying evidence
Preserving evidence
Analyzing evidence
Presenting evidence
The goal of computer forensics is to get to the truth. You get to the truth by identifying and acquiring sufficient evidence to prove the identity or the activities of a computer user. Items of interest to investigators and examiners are either the result of prohibited activity or those that support other prohibited activity. The previous chapter discussed computer evidence and the process of collecting and handling it. This chapter looks at the entire forensic process as a common flow, from start to finish.
You will learn the basic tasks present in nearly all forensic investigations. When you first approach a crime scene, you must identify any and all pertinent evidence. After you have identified the evidence, you will collect it and handle it in a manner that preserves its state. Remember from the previous chapter that you always want to treat evidence, at least initially, as though it will be admitted into a court of law. After you have custody of the evidence, you can analyze it and present your findings.
This chapter addresses the tasks that are common to computer investigations.