GENERAL PROCEDURE




When collecting and analyzing evidence, there is a general four-step procedure you should follow. Note that this is a very general outline—you should customize the details to suit your situation.

Identification of Evidence

You must be able to distinguish between evidence and junk data. For this purpose, you should know what the data is, where it is located, and how it is stored. Once this is done, you will be able to work out the best way to retrieve and store any evidence you find.

Preservation of Evidence

The evidence you find must be preserved as close as possible to its original state. Any changes made during this phase must be documented and justified.
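As an added example (not from the book), the sketch below shows one way to make "documented and justified" checkable: each handling step is recorded with the evidence's SHA-256 hash in a hash-chained custody log. The use of SHA-256, the log layout, and all function, file, and actor names are assumptions made for illustration.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path
GENESIS = "0" * 64  # "prev" value of the first log entry (assumed convention)

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large disk images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, path, actor, action, justification):
    """Append who did what and why, plus the evidence hash at that moment."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "item": Path(path).name, "sha256": sha256_file(path),
             "actor": actor, "action": action, "justification": justification,
             "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)

def verify(log, path):
    """Return (log_chain_intact, evidence_matches_last_recorded_hash)."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["entry_hash"] != entry_hash(e):
            return False, False  # an edited log cannot vouch for the evidence
        prev = e["entry_hash"]
    return True, bool(log) and sha256_file(path) == log[-1]["sha256"]

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "disk.img"                 # constructed sample file
        img.write_bytes(b"constructed sample evidence bytes")
        log, results = [], []
        record(log, img, "examiner-a", "acquired", "initial collection")
        results.append(verify(log, img))           # untouched evidence
        img.write_bytes(img.read_bytes() + b"!")   # undocumented change
        results.append(verify(log, img))
        record(log, img, "examiner-a", "modified", "constructed documented change")
        results.append(verify(log, img))           # change is now on record
        log[0]["actor"] = "someone-else"           # edit to the log itself
        results.append(verify(log, img))
        return results
```

Calling `demo()` returns one `(log_intact, evidence_matches)` pair per stage: the undocumented change fails the evidence check, and the edited log entry fails the chain check.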

Analysis of Evidence

The stored evidence must then be analyzed to extract the relevant information and recreate the chain of events. Analysis requires in-depth knowledge of what you are looking for and how to get it. Always be sure that the person or people who are analyzing the evidence are fully qualified to do so.

Presentation of Evidence

Communicating the meaning of your evidence is vitally important—otherwise you can’t do anything with it. The manner of presentation is important, and it must be understandable by a layman to be effective. It should remain technically correct and credible. A good presenter can help in this respect.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca
