Forensic Activities


A forensic investigator must focus on fundamental areas such as standalone computers, workstations, servers, and online channels. Investigation of standalone computers, workstations, and other removable media can be simple. Examination of servers and online channels, however, can be complicated and tricky.

During investigations, logs are often not examined or audited. The investigator must realize that logs play a key role during investigations. They must be given due importance, as they could provide a lead in the case. Computer forensic methodologies consist of the following activities:

  • Preservation: The forensic investigator must preserve the integrity of the original evidence. The original evidence should not be modified or damaged. The forensic examiner must make an image or a copy of the original evidence and then perform the analysis on that image or copy. The examiner must also compare the copy with the original evidence to identify any modifications or damage.
  • Identification: Before starting the investigation, the forensic examiner must identify the evidence and its location. For example, evidence may be contained in hard disks, removable media, or log files. Every forensic examiner must understand the difference between actual evidence and evidence containers. Locating and identifying information and data is a challenge for the digital forensic investigator. Various examination processes such as keyword searches, log file analyses, and system checks help an investigation.
  • Extraction: After identifying the evidence, the examiner must extract data from it. Since volatile data can be lost at any point, the forensic investigator must extract this data from the copy made from the original evidence. This extracted data must be compared with the original evidence and analyzed.
  • Interpretation: The most important role a forensic examiner plays during investigations is to interpret what he or she has actually found. The analysis and inspection of the evidence must be interpreted in a lucid manner.
  • Documentation: From the beginning of the investigation until the end (when the evidence is presented before a court of law), forensic examiners must maintain documentation relating to the evidence. The documentation comprises the chain of custody form and documents relating to the evidence analysis.
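The preservation and documentation steps above rest on one concrete habit: hash the original, hash the working image, confirm the two match, and write every action down as it happens. The following Python script is an added example (not part of this tutorial) that walks through that habit on a constructed evidence file. SHA-256 is assumed as the hashing algorithm, the examiner name is a placeholder, and the JSON-lines chain-of-custody format is this example's own choice; a real case would use the forms your organization mandates.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1 << 20  # hash in 1 MiB chunks so large images never have to fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed block by block."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(original_path, image_path):
    """Copy the original evidence to an image file and hash both sides.

    All later analysis should be done on image_path, never on the original.
    """
    shutil.copyfile(original_path, image_path)
    os.chmod(image_path, 0o444)  # keep the working image read-only between sessions
    return {
        "original_sha256": sha256_file(original_path),
        "image_sha256": sha256_file(image_path),
    }


def verify_image(original_path, image_path):
    """Re-hash original and image; True only if both digests still match.

    Run this after acquisition and again before and after each analysis
    session: a mismatch means the image (or the original) has been altered.
    """
    return sha256_file(original_path) == sha256_file(image_path)


def record_custody(log_path, action, item, examiner, sha256):
    """Append one chain-of-custody entry (one JSON object per line) and return it."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "item": item,
        "examiner": examiner,
        "sha256": sha256,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed walk-through: fake evidence file, image, verify, alter, re-verify."""
    workdir = tempfile.mkdtemp(prefix="forensics_demo_")
    original = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.img")
    custody_log = os.path.join(workdir, "chain_of_custody.jsonl")

    # Constructed sample evidence; not real data.
    with open(original, "wb") as fh:
        fh.write(b"sample evidence contents\n" * 1000)

    hashes = acquire_image(original, image)
    record_custody(custody_log, "acquired image", "evidence.img",
                   "Examiner A (placeholder)", hashes["image_sha256"])
    intact_after_acquire = verify_image(original, image)

    # Simulate an accidental write to the working image during analysis.
    os.chmod(image, 0o644)
    with open(image, "ab") as fh:
        fh.write(b"x")
    intact_after_change = verify_image(original, image)
    record_custody(custody_log, "integrity check failed", "evidence.img",
                   "Examiner A (placeholder)", sha256_file(image))

    with open(custody_log, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log]

    return {
        "hashes_match_at_acquisition": hashes["original_sha256"] == hashes["image_sha256"],
        "intact_after_acquire": intact_after_acquire,
        "intact_after_change": intact_after_change,
        "custody_entries": len(entries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second `verify_image` call is the point of the exercise: a single appended byte is enough to flip the result to `False`, which is exactly what lets an examiner show a court that the analysed copy is (or is not) identical to what was seized. In practice the acquisition hash is also written on the physical evidence label so the log entry and the label can be cross-checked.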
