Intro to Digital Forensics [Part 2 - Methodology and Process Models]


Today’s digital world is perpetually evolving, becoming an intrinsic part of our lives and reaching almost every aspect of our society. Criminal investigations are no exception. However, having technical knowledge and using tools alone is not enough to fully and properly investigate a digital crime. As such, digital forensic examiners must follow a well-defined process that goes beyond the technical aspect. Considering the legal aspect of a digital forensic operation, the analysis and investigation must be performed methodically and with expertise, resulting in a detailed technical report, where every aspect of the operation must be properly documented.

Any probative evidence, whether physical or digital, answers at least one of the typical questions regarding an investigation: who, what, when, where, how and why.

The most commonly followed process regarding a digital forensic op consists of four steps: seizure, acquisition, analysis and reporting.

> Seizure - prior to the actual process of investigation, the digital media must be confiscated. As I previously mentioned, when dealing with a criminal investigation, this step is usually carried out by trained law enforcement technicians. It’s in this step that we differentiate two types of personnel:

  • Digital Forensic Technician - these are the people that handle the seizure of evidence and are trained in good practices and correct handling of evidence and tech.

  • Digital Forensic Examiner - these are the people that handle the actual analysis of evidence. They have a broad knowledge of the subject or, as previously stated, they specialize in a sub-field of analysis (i.e. hardware).

Analysing this data is in most cases quite time-consuming, so it’s often recommended to produce a mirror of the systems and analyse the images in the lab instead of on site. There are a few questions first responders take into consideration:

  • Is the computer running?
  • Is the computer networked?
  • Do you want to preserve volatile data?
  • Is there full-disk encryption applied?
  • Is the console unlocked?

> Acquisition - consists of extracting the storage data from the system to be examined. This step handles the recording of the physical scene and the duplication of digital evidence using standardized, documented and accepted procedures, to guarantee evidence preservation and subsequent probative validation. As stated in the previous step, an expert should always mirror the data, not handle it directly.

> Analysis - involves determining the significance and relevance of the data, reconstructing it, and drawing conclusions based on the data recovered in the previous step.

> Presentation - refers to the production and presentation of the technical reports of the operation and their respective conclusion. The goal of this step is to demonstrate the probative value of the incidents under investigation.

The above is a generalised process model. There are many established models out there, some that build upon this and each other. We will not go through them, as there is no universally accepted model, and there are new models appearing every now and then.

Some commonly discussed models are the Abstract Digital Forensics Model (ADFM), DFRWS and the Integrated Digital Investigation Process (IDIP).


In this section, we cover the principles of handling digital evidence.

First and foremost, actions taken to secure and collect digital evidence should not affect the integrity of that evidence. Failing to do this could lead to the inadmissibility and invalidation of the evidence in court.

Second, accessing the data directly is allowed only on special and strictly necessary occasions.

Third, the examiner must create and routinely update the technical report, where he documents his actions, why he did them and what the outcomes were (how they influenced the system). They should be documented in chronological order, thus establishing a Chain of Custody for the digital evidence. This way, the document should also allow another expert to run a “counter-forensic op” by following the same actions reported, confirming their outcomes.

Fourth, while handling and interacting with the evidence, the examiner must respect the current legislation, especially regarding the personal and private data protection laws. Of course, this will vary from country to country.


[1] The Systematic Digital Forensic Investigation Model (SRDFIM) (Agarwal, et al., 2011)
[2] Antunes, Mário, and Baltazar Rodrigues. Introdução à Cibersegurança. FCA, 2018.
[4] Forensic Examination of Digital Evidence: A Guide for Law Enforcement (April 2004, NCJ 199408)
[5] Electronic evidence - a basic guide for First Responders (March 2015, ENISA)

This covers Part 2 - Methodology and Process Models. I vividly recommend you check the sources listed in the articles (if you’re interested, of course), as they offer much more detailed and developed information. With these topics I’m trying to condense it a bit and make it more accessible.

Part 3 will cover “The course of the evidence”. We’ll talk about the course of the evidence, from the practiced crime to the presentation.
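The acquisition step and the first and third handling principles above (preserve integrity, document every action in chronological order so another expert can confirm the outcomes) can be sketched as follows. This is an added example, not part of the original post; the file names, examiner label, timestamps and log layout are constructed assumptions, and a plain file write stands in for a real imaging tool.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a (possibly very large) image in chunks rather than loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Digest over every field of a log entry except its own digest."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, when, examiner, action, outcome):
    """Append one documented action; each entry commits to the one before it."""
    entry = {"seq": len(log), "when": when, "examiner": examiner,
             "action": action, "outcome": outcome,
             "prev": log[-1]["digest"] if log else "0" * 64}
    entry["digest"] = entry_digest(entry)
    log.append(entry)

def verify_log(log):
    """Return the index of the first altered or reordered entry, None if intact."""
    prev = "0" * 64
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["digest"] != entry_digest(e):
            return i
        prev = e["digest"]
    return None

def demo():
    """Constructed sample: a stand-in 'disk' file is mirrored, hashed and logged."""
    with tempfile.TemporaryDirectory() as d:
        src, img = Path(d) / "source.bin", Path(d) / "image.dd"
        data = b"constructed sample evidence" * 1000
        src.write_bytes(data)
        img.write_bytes(data)                      # stands in for the imaging tool
        log = []
        record(log, "2024-01-01T10:00:00Z", "examiner-a", "hash source", sha256_file(src))
        record(log, "2024-01-01T10:20:00Z", "examiner-a", "hash mirror", sha256_file(img))
        mirror_ok = log[0]["outcome"] == log[1]["outcome"]
        intact = verify_log(log)
        img.write_bytes(data + b"\x00")            # one stray byte in the working copy
        image_changed = sha256_file(img) != log[0]["outcome"]
        log[0]["outcome"] = "f" * 64               # a later edit to the report
        return mirror_ok, intact, image_changed, verify_log(log)
```

Calling `demo()` shows the mirror matching the source, the log verifying cleanly, and then both the modified image and the edited log entry being detected.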


It takes a professional software (Encase) 15 - 30 minutes to analyse a Windows XP system based on my experiences (with 20GB free in storage). It takes even longer for Win7+. When you look at criminals who have several TB of evidence, the time it will take to copy that data is enormous and even longer to thoroughly comb through it.

Toss in all the principles under evidence handling and you are putting forth so much time just to preserve integrity.


I appreciate this thread. I am currently reading this book, Digital Forensics and Incident Response:

I am curious what the methodology would be for SMBs or a low-staffed IT team. I am pretty sure these principles would apply regardless of the size of the team.
