Earn A Forensics Degree

Forensic Examination of Digital Evidence: A Guide for Law Enforcement


National Institute of Justice

Introduction

This guide is intended for use by law enforcement officers and other members of the law enforcement community who are responsible for the examination of digital evidence.

This guide is not all-inclusive. Rather, it deals with common situations encountered during the examination of digital evidence. It is not a mandate for the law enforcement community; it is a guide agencies can use to help them develop their own policies and procedures. Technology is advancing at such a rapid rate that the suggestions in this guide are best examined in the context of current technology and practices. Each case is unique and the judgment of the examiner should be given deference in the implementation of the procedures suggested in this guide. Circumstances of individual cases and Federal, State, and local laws/rules may also require actions other than those described in this guide.

When dealing with digital evidence, the following general forensic and procedural principles should be applied:

  • Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
  • Persons conducting an examination of digital evidence should be trained for that purpose.
  • Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.

Through all of this, the examiner should be cognizant of the need to conduct an accurate and impartial examination of the digital evidence.

How is digital evidence processed?

Assessment. Computer forensic examiners should assess digital evidence thoroughly with respect to the scope of the case to determine the course of action to take.

Acquisition. Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. Examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves the integrity of the evidence.

Examination. The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media. Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format.

Documenting and reporting. Actions and observations should be documented throughout the forensic processing of evidence. This will conclude with the preparation of a written report of the findings.

 Earn a Degree in Crime Scene Investigation, Forensic Science, Computer Forensics or Forensic Psychology

Read the guide:




Receive our free monthly newsletter and/or job posting alerts Click to sign up