Digital forensic analysis is
|“||the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.||”|
Digital forensic analysis can be conducted on different types of media, such as global positioning system devices, memory cards, or compact discs, and can be conducted by federal, state, and local law enforcement agencies in support of a variety of investigations, such as online child pornography crime and identity theft.
The process for performing digital forensics comprises the following basic phases:
- Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.
- Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.
- Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
- Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.
- DFARS Clause 252.204-7012(a).
- NIST Special Publication 800-86, at ES-1.