Digital forensic process

[1][2] Forensics researcher Eoghan Casey defines the digital forensic process as a series of steps running from the original incident alert through to the reporting of findings.

Investigators employ the scientific method to recover digital evidence to support or disprove a hypothesis, either for a court of law or in civil proceedings.

In civil proceedings, the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are preserved.

Given the problems associated with imaging large drives, multiple networked computers, file servers that cannot be shut down, and cloud resources, new techniques have been developed that combine digital forensic acquisition and e-discovery processes.

After acquisition, the contents of the image files (for example, the image of a hard disk) are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering intended to hide data.

The type of data recovered varies depending on the investigation, but examples include email, chat logs, images, internet history or documents.
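Acquisition followed by an integrity check and a scan of the image for the kinds of artefact listed above (e-mail addresses, image file headers), as an added example that is not part of the original article. It builds a small in-memory "drive", hashes it at acquisition time with SHA-256, refuses to analyse an image whose hash no longer matches (the tampering check), and reports findings by byte offset so they can be tied back to a sector. The drive contents, the choice of SHA-256 and the artefact patterns are assumptions for illustration.

```python
"""Added example (not from the article): acquisition-time hashing, a
pre-analysis integrity check, and a simple artefact search over a
constructed disk image. The "drive", the hash algorithm and the
artefact patterns are assumptions for illustration only."""
import hashlib
import re

SECTOR = 512

# Constructed sample "drive": four sectors of mixed content, including an
# e-mail fragment and a JPEG header sitting in what would be unallocated space.
EVIDENCE_DRIVE = (
    b"boot sector placeholder".ljust(SECTOR, b"\x00")
    + b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: invoice\r\n".ljust(SECTOR, b"\x00")
    + (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 200).ljust(SECTOR, b"\x00")
    + b"unallocated".ljust(SECTOR, b"\x00")
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
JPEG_MAGIC = b"\xff\xd8\xff"  # start-of-image marker of a JPEG file


def acquire(source: bytes) -> tuple[bytes, str]:
    """Bit-for-bit copy of the source plus the hash recorded at acquisition.
    In practice a write blocker sits between examiner and source so the
    source itself cannot be altered while this copy is taken."""
    image = bytes(source)
    return image, hashlib.sha256(image).hexdigest()


def verify(image: bytes, acquisition_hash: str) -> bool:
    """Recompute the hash before analysis; any mismatch means the working
    copy no longer matches what was acquired."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def find_artifacts(image: bytes) -> dict:
    """Scan the whole image, allocated or not, for e-mail addresses and
    JPEG headers, reporting JPEG byte offsets for later carving."""
    emails = sorted({m.group().decode() for m in EMAIL_RE.finditer(image)})
    jpeg_offsets, pos = [], image.find(JPEG_MAGIC)
    while pos != -1:
        jpeg_offsets.append(pos)
        pos = image.find(JPEG_MAGIC, pos + 1)
    return {"emails": emails, "jpeg_offsets": jpeg_offsets}


def examine(source: bytes) -> dict:
    """Acquire, verify, then analyse; analysis never runs on an unverified image."""
    image, acquisition_hash = acquire(source)
    if not verify(image, acquisition_hash):
        raise RuntimeError("image failed integrity check; do not analyse")
    result = find_artifacts(image)
    result["sha256"] = acquisition_hash
    return result


if __name__ == "__main__":
    print(examine(EVIDENCE_DRIVE))
    # Tamper detection: flip one byte of a working copy and re-verify.
    image, h = acquire(EVIDENCE_DRIVE)
    tampered = bytearray(image)
    tampered[600] ^= 0x01
    print("tampered copy verifies:", verify(bytes(tampered), h))
```

The same pattern scales to a real image: compute the hash while the bits are being copied, write it into the case notes, and recompute it before every analysis session so that any later discrepancy is caught before findings are built on it.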

[9][10] Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialized staff.

[3] In the US, for example, Federal Rules of Evidence state that a qualified expert may testify "in the form of an opinion or otherwise" so long as: (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.

A Tableau forensic write blocker
Example of a portable disk imaging device