Computer forensics is a relatively new topic within the forensic sciences, and researchers are prone to confuse data extraction with data analysis. Nonetheless, computer forensics is a hot topic that is emerging in response to the increasing number of crimes committed by rogue users, criminals, hackers, and nation-state attackers. Perpetrators in this field can use a computer system as an instrument of crime or as an object of crime: a computer is either the instrument with which a crime is committed or a repository of evidence related to its commission. In response, computer forensics has expanded. It is needed to investigate cybercrimes and to support the mitigation of vulnerabilities in a computer or cyber system so as to improve the security of an organization’s data. The number of cybercrimes and other crimes committed using computer systems is growing in scope and now involves advanced persistent threats and hacking, and computer and digital tools are used in these cases. This paper looks into the fundamentals and methodologies of a computer forensic exercise.
Computer forensics is a relatively young field compared to other forensic sciences. Many researchers in this new field confuse the extraction of data with its analysis. There is no consensus on what computer forensics is, which techniques it involves, or how this confusion fits into the field. The process is conducted using scientifically developed and verified methods for preserving, collecting, validating, identifying, interpreting, documenting, and presenting digital evidence extracted from digital sources, in order to facilitate the reconstruction of events found to be criminal (Du and Scanlon, 2019). The extracted information can come from compromised hard drives, data sources, log files, and databases, among others. Many investigative organizations prefer to divide these functions between groups; they avoid misunderstanding and frustration by communicating clearly and keeping the entire investigative process in view so that every section is involved. Effective communication is vital in an investigative process, which can be iterative, to ensure that each stage is completed.
Preparation and Extraction
Investigators seek, at this stage, to establish whether there is sufficient information to start. They also ascertain that there is an explicit request to initiate the investigative process and adequate data to answer the right questions. Effective coordination between the investigators and the requester ensues if anything is missing. The setup of the process continues once these questions have been sufficiently answered.
The first step of an investigative process is to validate all the hardware and software to ascertain that they work properly. There is no agreed number of times in the field that software and equipment validation should be done. Still, many agree that an organization should validate every piece of software and hardware once it has been purchased and before it is put into use. Retesting should also be done after every reconfiguration, patch, or update. Once the forensic platform has been readied, investigators duplicate the forensic data given in the request and verify the data’s integrity. In law enforcement organizations, information is obtained through a lawful course for the creation of a forensic image. This is done by copying the data bit by bit from the original media, without any deletions or additions, after which the investigators have a working copy of the seized data. The working copy is used instead of the original to guard the original’s chain of custody while ensuring that the original has not been interfered with. To ensure that the copy is intact and has not been altered, forensic examiners verify a hash, the digital fingerprint of the evidence. If there is no problem, the investigators engage the petitioner on proceeding with the investigative process.
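The integrity check described above, written out as an added example (this is not code from the original paper or from any forensic tool it cites): digests are recorded over the seized media at acquisition time, and the working copy is re-hashed and compared against that record before any examination starts. The "seized media" bytes are constructed here purely for illustration; the chunked reader is what makes the same routine usable on an image too large to fit in memory.

```python
import hashlib
import io

# Added example: verifying a working copy of a forensic image against the
# digests recorded at acquisition. The sample media bytes are constructed
# here and do not come from any real case.

def hash_stream(stream, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file-like object in fixed-size chunks so that multi-gigabyte
    images never have to be loaded into memory at once."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def hash_bytes(data, algorithm="sha256"):
    return hash_stream(io.BytesIO(data), algorithm)

def hash_file(path, algorithm="sha256"):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithm)

def acquisition_record(data, algorithms=("md5", "sha256")):
    """Record more than one digest at acquisition: examiners commonly store
    two so that a weakness in one algorithm does not undermine the record."""
    return {alg: hash_bytes(data, alg) for alg in algorithms}

def verify_working_copy(record, copy_data):
    """Recompute every recorded digest over the working copy.
    Returns (all_match, {algorithm: matched})."""
    results = {alg: hash_bytes(copy_data, alg) == expected
               for alg, expected in record.items()}
    return all(results.values()), results

def demo():
    # Constructed "media": a few boot-sector-like bytes followed by filler.
    seized_media = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(range(256)) * 8 + b"\x55\xaa"
    record = acquisition_record(seized_media)

    intact_copy = bytes(seized_media)          # a faithful bit-for-bit copy
    altered_copy = bytearray(seized_media)     # the same copy with one bit flipped
    altered_copy[300] ^= 0x01

    ok_intact, _ = verify_working_copy(record, intact_copy)
    ok_altered, _ = verify_working_copy(record, bytes(altered_copy))
    return ok_intact, ok_altered

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A single flipped bit in the working copy fails both digests, which is the property the examiner relies on; the record of digests, together with who computed them and when, belongs in the chain-of-custody documentation rather than only in the examiner's notes.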
A data extraction plan is developed after the integrity of the data has been verified. Extraction begins by organizing and refining the forensic request into questions that are understood and those that are not. The examiners then select the forensic tools that will help them find answers to those questions (Du and Scanlon, 2019). Based on the investigation request, the examiners have initial ideas of what to look for and add them to the search lead list. The search lead list is a list of the matters requested. As new leads develop, the new items are also added to the list, and the processed ones are labelled as ‘done’ or ‘proceed.’ The forensic investigators then dig out the relevant data and mark each search lead as processed. Every item pulled is added to another list, referred to as the ‘Extracted Data List.’ The investigators follow each search lead and add the results to this second list, after which they proceed to the identification segment.
In this segment, forensic investigators go through the classification process for each of the items on the Extracted Data List. The first move is to determine what type each item is. Items that are not considered relevant to the forensic request are marked as processed. Items that are outside the scope of the original search warrant but are incriminating are set aside while the right persons, including the petitioner, are notified and further directions are awaited; this is done so that the authority of the search warrant can be expanded by obtaining a second one. If an item is found to be applicable to the search request, it is noted on a third list, referred to as the Relevant Data List. This list collects all facts pertinent to answering the original forensic request. An item can also produce another search lead or point to an entirely new potential data source, such as an email with further information or a reference to the existence of a USB drive. Many new evidence types can be identified in this way, including firewall logs, building access logs, and building security video footage. After processing the extracted data, the forensic examiners go back to the newly developed leads and process each of them. In the same way, for each case, examiners follow tips about new data sources and obtain and image the new forensic data (Amato, Cozzolino, Moscato and Moscato, 2019).
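The search lead list, Extracted Data List and Relevant Data List described in the two paragraphs above form a worklist loop: leads are processed, extracted items are classified, relevant items can spawn further leads, and the loop ends when no unprocessed leads remain. The following is an added example that implements that loop; it is not code from the paper or from any cited tool, and the "evidence" it runs over is a constructed stand-in for what a forensic tool would return for each lead (every file name, mail number and serial in it is made up).

```python
from collections import deque

# Added example: the three-list workflow as a worklist loop. The evidence
# table is constructed for illustration; each lead maps to the items a tool
# would pull, the examiner's classification, and any new leads the item points to.
CONSTRUCTED_EVIDENCE = {
    "keyword: invoice": [
        ("invoice_final.xlsx", "relevant", ["mail from: accounts@example.invalid"]),
        ("invoice_template.xlsx", "irrelevant", []),
    ],
    "mail from: accounts@example.invalid": [
        ("mail 2231", "relevant", ["usb serial 1A2B"]),
        # incriminating but outside the warrant: held for the requester, not worked
        ("mail 2240", "out_of_scope", ["keyword: invoice"]),
    ],
    "usb serial 1A2B": [
        ("USBSTOR registry entry 1A2B", "relevant", []),
    ],
}

def constructed_extractor(lead):
    """Stand-in for running a forensic tool against one search lead."""
    return CONSTRUCTED_EVIDENCE.get(lead, [])

def run_examination(initial_leads, extractor):
    search_leads = deque(initial_leads)
    seen_leads = set(initial_leads)          # each lead is worked once, even if found again
    extracted, relevant, out_of_scope, processed = [], [], [], []
    while search_leads:
        lead = search_leads.popleft()
        for item, classification, new_leads in extractor(lead):
            extracted.append((item, lead))    # Extracted Data List, with the lead it came from
            if classification == "relevant":
                relevant.append(item)         # Relevant Data List
                for new_lead in new_leads:    # relevant items can point to new sources
                    if new_lead not in seen_leads:
                        seen_leads.add(new_lead)
                        search_leads.append(new_lead)
            elif classification == "out_of_scope":
                out_of_scope.append(item)     # leads from these wait for a second warrant
        processed.append(lead)                # the lead is now marked 'done'
    return {
        "processed_leads": processed,
        "extracted": extracted,
        "relevant": relevant,
        "out_of_scope": out_of_scope,
    }

if __name__ == "__main__":
    result = run_examination(["keyword: invoice"], constructed_extractor)
    for name, entries in result.items():
        print(f"{name}: {entries}")
```

Two details carry the procedural point: leads found through out-of-scope items are deliberately not queued, since following them needs the expanded warrant, and the `seen_leads` set is what stops the loop when items point back at leads already worked.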
The requester is informed of the initial findings, and the examiner and requester discuss the return on investment (ROI) of pursuing new leads. The case may move forward to the next stage, depending on whether the information extracted is enough. If the evidence is overwhelming, a guilty plea may be secured without further forensic investigation, and there is no need for additional work. If the extracted evidence is sparse and not sufficient, the analysis phase is initiated.
At this stage of a forensic investigation, the dots are connected to paint a complete picture for the requester. The investigators answer the items on the Relevant Data List in terms of the what, how, where, who, and why of the case. They try to establish which application or user received, created, edited, or sent each item, what its origin was, and where it was recovered. The significance of all the information and its relevance to the case is also explained. Coherence is established from the analysis of what happened and of the timelines. For each relevant item, investigators pursue answers on when it was modified, created, deleted, received, sent, viewed, accessed, and launched, taking note of the sequence of events and of which events were simultaneous.
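The timeline reconstruction the analysis stage calls for, as an added example that is not part of the original paper: the entries of a (constructed) Relevant Data List, each with the timestamps the examiner established and the source it was recovered from, are flattened into one chronologically ordered list, and events that fall within a short window of each other are grouped so that near-simultaneous actions stand out. The item names, sources and timestamps are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Added example: building and reading a timeline from a Relevant Data List.
# All entries below are constructed for illustration.

@dataclass(order=True)
class Event:
    when: datetime      # first field, so sorting orders events chronologically
    item: str
    action: str
    source: str

CONSTRUCTED_RELEVANT_DATA = [
    {"item": "report.docx", "source": "laptop disk image",
     "events": {"created": "2021-03-01T09:15:00",
                "modified": "2021-03-01T11:40:00",
                "accessed": "2021-03-02T08:02:00"}},
    {"item": "USB volume E:", "source": "SYSTEM registry hive",
     "events": {"first connected": "2021-03-01T11:41:00"}},
    {"item": "mail 4521 (attachment report.docx)", "source": "mail server export",
     "events": {"sent": "2021-03-01T11:42:00"}},
]

def build_timeline(relevant_data):
    """Flatten every (item, action, timestamp) into one sorted list of events."""
    events = [
        Event(datetime.fromisoformat(ts), entry["item"], action, entry["source"])
        for entry in relevant_data
        for action, ts in entry["events"].items()
    ]
    return sorted(events)

def cluster_events(timeline, window_seconds):
    """Group consecutive events separated by no more than window_seconds.
    A tight cluster (edit, USB insert, send) is what the examiner reads as
    one sequence of activity rather than unrelated events."""
    clusters = []
    for event in timeline:
        if clusters and (event.when - clusters[-1][-1].when).total_seconds() <= window_seconds:
            clusters[-1].append(event)
        else:
            clusters.append([event])
    return clusters

def describe(timeline):
    """Render the timeline as one line per event for the report."""
    return [f"{e.when.isoformat()}  {e.action:<16} {e.item}  [{e.source}]" for e in timeline]

if __name__ == "__main__":
    timeline = build_timeline(CONSTRUCTED_RELEVANT_DATA)
    print("\n".join(describe(timeline)))
    for group in cluster_events(timeline, window_seconds=300):
        print(f"{len(group)} event(s) starting {group[0].when.isoformat()}")
```

Every event keeps its source, so each line of the rendered timeline can be traced back to the image or export it came from; that traceability is what lets the report answer "where was it recovered" alongside "when".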
All analyses done by the examiners are documented, and all information relevant to the request is added to the final list, known as the Analysis Result List. This list contains meaningful data that answers the what, who, where, why, when, and how questions. A new search lead or data source can also be developed at this point; such items are added to the appropriate lists, and the examiners go back to examine them thoroughly.
The examiners can respond to the forensic request once they have exhaustively cycled through these steps. The response step is also known as the Forensic Reporting phase, in which the investigators document the results of the investigation in a way that the requester will find easy to understand and to use in the case (Amato, Castiglione, Cozzolino, and Narducci, 2020). The final report is the last and most significant communication between the examiners and the requester. After the requester receives it, the case moves to case-level scrutiny, in which the report’s findings are interpreted in the context of the case at hand.
Computer forensics involves the proper, thorough, and procedural acquisition of data involved in a computer crime. It uses a set of prescribed procedures to examine a computer system and its associated devices with software and tools in order to obtain and maintain digital evidence (Amato, Cozzolino, Moscato and Moscato, 2019). Several structured approaches are used in the field, such as the Abstract Digital Forensic Model and the Systematic Digital Forensic Investigation Model, and other related models can be used to gather and group digital proof in a lawfully acceptable way.
Return on investment is carefully considered and reconsidered throughout the whole process. The steps of each stage, especially the examination step, can be redone a number of times, with each party concerned in the case determining the investigation boundaries so as to keep to the scope and timelines of the investigation. Prosecution is pursued once it is established that the information and evidence gathered are sufficient. Once the trial begins, the value of any additional discovery and scrutiny diminishes.
Amato, F., Castiglione, A., Cozzolino, G., & Narducci, F. (2020). A semantic-based methodology for digital forensics analysis. Journal of Parallel and Distributed Computing, 138, 172–177.
Amato, F., Cozzolino, G., Moscato, V., & Moscato, F. (2019). Analyze digital forensic evidence through a semantic-based methodology and NLP techniques. Future Generation Computer Systems, 98, 297–307.
Du, X., & Scanlon, M. (2019, August). Methodology for the automated metadata-based classification of incriminating digital forensic artifacts. In Proceedings of the 14th International Conference on Availability, Reliability, and Security (pp. 1–8).