Page 297 - CISSO_Prep_ Guide
• A.k.a. Electronic data discovery.
• Digital forensic science (DFS):
  • Media analysis (computer forensics) – physical media.
  • Software analysis (software forensics) – review software for malicious signatures and the identity of the author.
  • Network analysis – network traffic & logs.
• Rules of Evidence: electronic evidence is fragile, and you must maintain the integrity of the scene to ensure it is admissible in court.
• Chain of Custody = maintains the integrity and reliability of evidence.
• Hearsay rule – An out-of-court statement offered as proof of an assertion.
• Business records exemption: a record used in the normal course of business can be admitted. Computer records may not be hearsay if 1) there was no human intervention; 2) the system was operating correctly; and 3) you can prove no one changed the data.
• Forensic copies:
  • Bit-for-bit – includes hidden & residual data.
  • Ensure integrity with the hash (e.g., MD5, SHA1). Should use duplicate hashes because there are weaknesses