Forensic Process Guidelines
Digital forensics refers to any forensic scene activity or investigation involving computer-based or network-based digital data held in a system and/or network. This activity is usually a response to an incident, event or activity that triggered an incident response action. Digital forensics is the detailed process invoked during incident response when the event is found to have a legal, criminal or civil component, or a potential legal outcome, for the organization.
Any forensic activity is likely to have a legal association and therefore requires a very cautious and comprehensive approach. Even a small mistake can alter the digital evidence and make it inadmissible in a court of law. The following simple structured process is therefore recommended to ensure that best practices are adhered to throughout the activity.
Figure 1: Forensics and Evidence Handling Workflow
As a general rule, all evidence should be identified, recorded, seized, bagged, and tagged on-site with no attempt to determine its contents or status. Whenever there is a choice between collection and analysis, collection takes precedence. Exceptions to this rule may only be considered for devices such as tablets that need to remain charged, or for systems whose volatility raises the concern that evidence will be lost if the device is powered off for seizure.
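The "record, seize, tag" step above is where integrity is established: an acquisition hash taken on-site lets every later analysis step prove the evidence was not altered in the meantime. The following is an added example, not part of the original guideline; the record layout, field names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed sample standing in for a seized file or disk image.
SAMPLE_EVIDENCE = b"constructed sample evidence bytes\n"


def sha256_hex(data: bytes) -> str:
    """Hash the raw evidence bytes; this is the value written on the evidence tag."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    item_id: str            # assumed tag identifier, e.g. "E-001"
    description: str
    collected_by: str
    acquisition_sha256: str # hash taken at seizure, before any analysis
    custody_log: list = field(default_factory=list)

    def log(self, actor: str, action: str) -> None:
        """Append a timestamped chain-of-custody entry."""
        self.custody_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
        })


def seize(item_id: str, description: str, collected_by: str, data: bytes) -> EvidenceRecord:
    """Collection step: hash and record on-site, with no inspection of contents."""
    rec = EvidenceRecord(item_id, description, collected_by, sha256_hex(data))
    rec.log(collected_by, "seized, bagged and tagged on-site; acquisition hash recorded")
    return rec


def verify(rec: EvidenceRecord, data: bytes, examiner: str) -> bool:
    """Analysis step: re-hash before examination; any mismatch means the item was altered."""
    ok = sha256_hex(data) == rec.acquisition_sha256
    rec.log(examiner, "integrity check " + ("passed" if ok else "FAILED"))
    return ok


def export_record(rec: EvidenceRecord) -> dict:
    """Serializable form of the record for the case file."""
    return asdict(rec)
```

A failed `verify` should stop analysis and be documented in the custody log rather than silently continued past.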