The primary goals of computer forensics (collecting, preserving, filtering, and presenting digital artifacts) can also serve as guidelines for describing the computer forensics process. We will structure these guidelines as phases of the computer forensics process.
It’s no accident that these same phases also appear in the phased approach to the civil discovery process. Let’s discuss the four phases of computer forensics in greater detail.
The collection phase of computer forensics is when artifacts considered to be of evidentiary value are identified and collected. Normally these artifacts are digital data in the form of disk drives, flash memory drives, or other forms of digital media and data, but they can include supporting artifacts such as corporate security policies and backup procedures.
The preservation phase of computer forensics focuses on preserving original artifacts in a way that is reliable, complete, accurate, and verifiable. Cryptographic hashing, checksums, and documentation are all key components of the preservation phase. Although preservation of evidence is certainly an identifiable phase, it can also be considered iterative throughout the computer forensics process.
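The iterative nature of preservation can be shown in a short script. This is an added example, not part of the original text: it records a baseline SHA-256 hash at collection and re-verifies it before each later phase, logging every check. The file name, examiner label, and log field names are assumptions, and the "image" is a small constructed file.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash in chunks so a large disk image is never loaded into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def log_event(log, event, path, examiner, phase):
    """Append one documentation entry: who hashed what, when, in which phase."""
    entry = {"event": event, "phase": phase, "file": os.path.basename(path),
             "sha256": sha256_file(path), "examiner": examiner,
             "utc": datetime.now(timezone.utc).isoformat()}
    log.append(entry)
    return entry

def verify(log, path, examiner, phase):
    """Re-hash before a later phase; compare with the baseline taken at collection."""
    name = os.path.basename(path)
    baseline = next(e for e in log if e["event"] == "acquired" and e["file"] == name)
    entry = log_event(log, "verified", path, examiner, phase)
    if entry["sha256"] != baseline["sha256"]:
        entry["event"] = "MISMATCH"  # keep the entry: a failed check is documented too
    return entry["event"] == "verified"

def demo():
    """Constructed stand-in for an image file: verified, altered by one byte, re-verified."""
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence01.dd")  # constructed file name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample data")
        log_event(log, "acquired", image, "examiner-a", "collection")
        intact = verify(log, image, "examiner-a", "filtering")
        with open(image, "r+b") as fh:  # simulate an unintended write to the copy
            fh.seek(10)
            fh.write(b"\x01")
        altered_ok = verify(log, image, "examiner-a", "presentation")
    return intact, altered_ok, log

if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry["utc"], entry["phase"], entry["event"], entry["sha256"][:16])
```

A single changed byte produces a different digest, so the second verification is logged as a mismatch rather than silently passing.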