I. Background of Digital Forensics (cont'd)

  1. Acquisition and Forensic Imaging / Data Collection

    After seizure, the digital media is duplicated using a write-blocking device, which creates a forensic duplicate. The original digital media is then securely stored to prevent tampering.

    In some cases the original digital data is collected and examined directly on the digital media without duplication.


  2. Analysis of Digital Media

    The contents of the image files are analysed by forensic examiners with specialised tools, such as Guidance EnCase and Sleuth Kit ("TSK"), to identify evidence.


  3. Reporting

    This is the final stage after analysis of the digital media: the data is converted into a form that non-technical individuals can understand, so that it can be used as evidence in court. A "digital forensic report" should be compiled to include the following information:


    • Any relevant information regarding what led to your involvement as the forensic examiner and when you became involved with the digital evidence;
    • Detailed steps taken and people interviewed to preserve and forensically acquire the evidence, including any additional steps that you take (e.g. forensically wiping storage / examination media, etc.);
    • All facts that you find during your analysis relating to the case; and
    • Conclusions drawn from the forensic evidence.


International Standard for Digital Forensics

The International Organization on Computer Evidence ("IOCE") outlined principles for digital evidence collection, which include the following:

  • Upon seizing digital evidence, actions taken should not change that evidence;
  • When it is necessary for a person to access original digital evidence, that person should be trained for the purpose; and
  • All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
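
The acquisition step and the IOCE principles above can be shown together in a short sketch. This is an added example, not part of the original text: it duplicates a source opened read-only, checks that neither the source nor the copy changed, and appends a custody record. SHA-256 comparison is the verification method assumed here (the text does not name one), and the file names, examiner name and JSON-lines log format are hypothetical.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks so large media need not fit in memory

def sha256_file(path):
    """Hash a file opened read-only; the evidence is never opened for writing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, examiner, log_path):
    """Duplicate source to image, verify the copy, append a custody record."""
    before = sha256_file(source)
    stream = hashlib.sha256()
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            stream.update(block)
            dst.write(block)
    os.chmod(image, 0o444)  # the duplicate is read-only from here on
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "acquisition",
        "source": source, "image": image,
        "source_sha256_before": before,
        "source_sha256_after": sha256_file(source),  # proves the source was not altered
        "image_sha256": sha256_file(image),
    }
    hashes = {before, stream.hexdigest(), record["source_sha256_after"], record["image_sha256"]}
    record["verified"] = len(hashes) == 1
    with open(log_path, "a") as log:  # append-only use: one JSON record per action
        log.write(json.dumps(record) + "\n")
    return record

def verify(image, record):
    """Re-check an image against its acquisition record before each examination."""
    return sha256_file(image) == record["image_sha256"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "seized_media.bin")  # constructed stand-in for seized media
        with open(src, "wb") as f:
            f.write(b"constructed sample sector " * 4096)
        rec = acquire(src, os.path.join(d, "image.dd"), "Examiner A", os.path.join(d, "custody.jsonl"))
        print(rec["verified"], verify(rec["image"], rec))
```

Opening the source read-only in software does not replace the hardware write blocker; the sketch assumes the media is already attached behind one.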