Digital Forensics’ Principles

There are some principles that will lead you to achieve your investigation’s goals. The investigator should be aware of the following Four principles.

  1. Record everything.
  2. Minimise data loss.
  3. Analyse all data collected.
  4. Report your findings.


Now the question is “Where is the data that needs to be analysed?”.

Basically, everything should be analysed and investigated when approaching a crime scene; plus, no one is allowed to access the crime scene area. The following figure shows some of the digital hardware that can analysed with the potential of finding information inside it.Picture1


Everything in the crime scene is valuable and should be subjected to an investigation and analysis carefully; along with the computer itself. Remember: do not despise anything, even the small things. The table below shows two different scenarios when investigating a digital crime scene (Live system and Dead system):


Live System   Dead System
acquisition copies the data using the suspect’s (operating) system. Usually, people try to avoid this acquisition, because the attacker can modify data or software can produce tampered data. In the live system, the power is still on, processes are still running, disks being access, and removable media keeps changing.   acquisition copies the data without the assistance of the suspect’s (operating) system. In the dead system, the power is off, the power id unplugged, no changes in the removable media.



Remember: the evidence is volatile, where the most volatile evidence can be found in (Memory) and the least can be found in (Removable media). Below is the order for the most volatile to the least (from top to bottom):

  1. Memory.
  2. Network Status and Connections.
  3. Processes Running.
  4. Hard Drive Media.
  5. Removable Media such as, floppy drive, zip drive, USB sticks and more.

Note: the evidence in the Memory, Network Status and Connections and Processes Running will be destroyed if the power cut off.


Introduction to Digital Forensics – Part 1/2

There are Four main principles involved that you need to keep in mind:

  1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which subsequently might be relied on in court.
  2. Only in exceptional circumstances, a person finds it necessary to access original data held on a computer or storage media must be competent to do so; and be able to give evidence explaining the relevance and the implications of their actions.
  3. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. Note: an independent third party should be able to examine those processes and achieve the same result.
  4. The person in charge of the investigation is responsible for ensuring that the law and these principles are adhered to.


Below are some unique characteristics of the digital evidence:

  • The evidence is invisible to the untrained eye – Electronic evidence is often retrieved from places known or accessible only to experts.
  • Sometimes, it might need to be interpreted by a specialist – In many cases information gained requires thorough analysis to uncover properties assuring the information is valid from judicial point of view.
  • The evidence is highly volatile – A powered electronic device modifies its state every time a specific event Also, lack of power or a system overwriting old data with new data requires us to preserve electronic evidence as soon as possible.
  • The evidence might be altered or destroyed through normal use – Devices constantly change the state of memory – allocating it for programs automatically, swapping it to disk or writing chunks of it to a disk file on user request.
  • It can be copied without limits – This property allows many specialists work on the same evidence at the same time in different places. It also enables the possibility of presenting the evidence as-is in the court of law along with the specialist witness report.


In conclusion, computer forensic is a process of reveal the found evidence either by criminal and civil proceedings. Digital evidence can be used by different departments such as, Criminal justice agencies, Corporate Councils, Insurance Companies, Law Enforcement Officials, Company Legal resources, Human Resources department, Auditors, Individuals, Crackers or Hackers and many more.