Phases of the digital forensic process













                Assess                   Collect                  Examination               Analysis                 Reporting

                    •Seriousness             •Secure and              •Encrypted vs non-       •Booting a disk           • Factual summary
                    •Urgency                  document the site        encrypted devices        copy vs mounting          of activities and
                    •Sophistication          •Log evidence            •Looking for              a disk copy               steps taken
                    •Whether to power         (relevant serial         countermeasures         •Examine system           • Evidences
                    down the device           numbers)                •Securing a               log files                 maintenance of
                                             •Secure evidence          forensic image          •Using indexing to         chain-of-custody
                                              bags                     (bit-by-bit image)       locate keywords
                                             •Take photographs         - original copy         •Recover deleted
                                                                       - client copy            files
                                                                       - counsel copy
                                                                       - working copy












         5 5  © 2019 Association of International Certified Professional Accountants. All rights reserved.