
Phases of Computer Forensics (2)

Filtering

This can also be referred to as the analysis phase of computer forensics. In this phase, investigators attempt to filter out data determined not to contain any artifacts of evidentiary value and to filter in artifacts of potential evidentiary value.

A wide array of tools and techniques is used in the filtering phase, including comparing the cryptographic hash values of files against datasets of known good and known suspect files. Other operating system and application-specific tools used to locate and extract data are also essential to the filtering phase. One such class of tool is the Internet history tool, which locates and extracts the trail of data left behind by Web browser activity.
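The hash comparison described above can be sketched as follows. This is an added example, not part of the original article: it hashes every file in a working copy of the evidence and sorts it into filtered-out (known good), filtered-in (known suspect) or unknown. The file names, contents and hash sets are constructed for illustration; in a real case the known sets would come from a reference hash database.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large evidence files are never read fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def filter_by_hash(root, known_good, known_suspect):
    """Walk a working copy of the evidence and sort each file into one of three bins."""
    bins = {"filtered_out": [], "filtered_in": [], "unknown": []}
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip links and special files; only regular files are hashed
            value = sha256_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if value in known_suspect:   # suspect takes priority if a hash is in both sets
                bins["filtered_in"].append((rel, value))
            elif value in known_good:
                bins["filtered_out"].append((rel, value))
            else:
                bins["unknown"].append((rel, value))  # left for manual review
    return bins

def demo():
    """Build constructed sample files in a temp directory and filter them."""
    samples = {
        "os/notepad.bin": b"constructed stand-in for a stock OS binary",
        "docs/ledger.bin": b"constructed stand-in for a known suspect file",
        # Same bytes as ledger.bin under an innocent name: the hash still matches.
        "pictures/holiday.jpg": b"constructed stand-in for a known suspect file",
        "docs/notes.txt": b"constructed user document, in neither dataset",
    }
    known_good = {hashlib.sha256(samples["os/notepad.bin"]).hexdigest()}
    known_suspect = {hashlib.sha256(samples["docs/ledger.bin"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        return filter_by_hash(root, known_good, known_suspect)

if __name__ == "__main__":
    for bin_name, entries in demo().items():
        for rel, value in entries:
            print(f"{bin_name:12} {value[:16]}  {rel}")
```

Because the match is on content rather than name or extension, the renamed copy lands in the filtered-in bin alongside the original.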


The final phase of computer forensics is when the potential artifacts of evidentiary value are presented in a variety of forms. Presentation normally starts with the investigator extracting the artifacts from the original media, and then staging and organizing them on CD-ROM or DVD-ROM.

The investigator’s reports, supporting documentation, declarations, depositions, and testimony in court can all be considered part of the presentation phase of computer forensics. What may not be clear from the description of each phase is how time-consuming the computer forensics process can be and how much attention to detail the profession requires.

To perform a formalized computer forensics investigation on a single desktop computer takes an average of 25 to 35 hours to complete; it can take much more time, depending on the history of the case. It’s not uncommon for keyword searches of a suspect’s hard drive to take more than eight hours.
