The phases of a forensic report - Forensics
Some or all of the following activities can be carried out to carry out a forensic report: identification, acquisition and preservation, analysis, reporting.
The identification activity consists in recognizing what could be the sources of origin of the data.
It is a less trivial phase than one might think, in fact the number of digital devices capable of containing information is increasing more and more, whether they are design backup systems or IOT devices, such as smartwatches, smart bracelets, etc.
The activity of forensic acquisition and preservation first of all presents two distinct scenarios:"live" acquisition of a system already turned on and the acquisition of a digital system turned off. If the system is switched on, technologies capable of collecting the so-called "volatile evidence" must be used, such as memories, active processes and connections, logged in users…, which are lost when the system is switched off. In this phase, the technician will also take care to use the functions of Hash calculation (MD5, SHA256 for example) to demonstrate that the finding of origin coincides with the digital copy used for the forensic report, also guaranteeing its repeatability.
Once all the preliminary operations have been carried out, you can then proceed with the pivotal activity of a forensic report: analysis. In this phase, the forensic expert uses his computer knowledge and various software to bring out deleted data, build timelines, search for keywords and identify digital traces.
