Step 1: Preparation
The first phase of a forensic investigation involves setting up an investigative environment (crime lab). The investigation environment includes the infrastructure, hardware, software, the logbook, and protocols for action, such as determining who is ultimately responsible. In this phase, the preliminary investigation also takes place and the plan of approach is drawn up. The plan of approach determines what will be investigated, what the main and sub-questions are, and whether hypotheses can be drawn up. Naturally, this is always done in consultation with the client.
Step 2: Acquisition
In this phase of the forensic investigation, the research data is obtained or secured. This is usually done by "imaging". The acquisition of data carriers is described and consent will be recorded in a statement. All further investigative activities are conducted on forensic copies. The original data carriers will remain untouched.
Step 3: Processing
The process steps "Processing" and "Analysis" can take place simultaneously. In these phases, data is identified, file types are recognized, files are decrypted, and duplicate files are taken into account.
Step 4: Analysis
During a forensic investigation, it is customary to establish a timeline. A timeline is used to map potentially suspicious activity to performed actions within a specified timeframe. To this end, data is indexed in specialized software for faster analysis. From this, a timeline of events is created (e.g., who was logged into the system and when, which programs were started and when, which websites were visited and when, etc.).
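The timeline step described above, as an added example that is not part of the original page: it merges logon, program-start and web-visit records into one UTC-ordered timeline and filters it to a timeframe. All records, names and the UTC+1 workstation offset are constructed assumptions; each event keeps a source label so it can be traced back to where it came from.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not case data). Each source uses its own timestamp
# convention, as happens when artifacts are exported by different tools.
LOGONS = [  # ISO 8601 with explicit UTC offset
    ("2024-03-04T09:01:12+01:00", "alice", "interactive logon"),
    ("2024-03-04T18:40:00+01:00", "alice", "logoff"),
]
PROGRAM_STARTS = [  # Unix epoch seconds (UTC)
    (1709539500, "alice", "started 7z.exe"),
    (1709539275, "alice", "started cmd.exe"),
]
WEB_VISITS = [  # naive local time; workstation assumed to run at UTC+1
    ("2024-03-04 09:10:30", "alice", "visited files.example.test"),
    ("2024-03-05 08:00:00", "bob", "visited intranet.example.test"),
]

def normalize(source, raw_ts, user, action, local_offset_hours=1):
    """Convert one record to a UTC-stamped event that keeps its source label."""
    if isinstance(raw_ts, (int, float)):
        ts = datetime.fromtimestamp(raw_ts, tz=timezone.utc)
    else:
        ts = datetime.fromisoformat(raw_ts)
        if ts.tzinfo is None:  # naive value: apply the documented local offset
            ts = ts.replace(tzinfo=timezone(timedelta(hours=local_offset_hours)))
        ts = ts.astimezone(timezone.utc)
    return {"time": ts, "source": source, "user": user, "action": action}

def build_timeline(start, end):
    """Merge all sources, sort by UTC time, keep events with start <= t < end."""
    sources = (("logon", LOGONS), ("program", PROGRAM_STARTS), ("web", WEB_VISITS))
    events = [normalize(name, *row) for name, rows in sources for row in rows]
    events.sort(key=lambda e: e["time"])
    return [e for e in events if start <= e["time"] < end]

if __name__ == "__main__":
    window_start = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)
    window_end = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    for e in build_timeline(window_start, window_end):
        print(e["time"].isoformat(), e["source"], e["user"], e["action"], sep="  ")
```

Sorting the raw strings without normalizing first would misorder the events, because the three sources express the same moment in different zones and formats.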
Step 5: Verification
The verification phase establishes whether alleged evidence can actually be used as evidence. Data must relate back to an identifiable source and be linked to a suspected or suspicious activity. In this step, the conclusions from the analysis are validated.
Step 6: Presentation
At this stage, the report will be shared and findings may be presented. Any statements from witnesses will be discussed during this phase. If there is indeed a possible crime, findings will be prepared that can be used in a criminal investigation.
Step 7: Archiving
The final phase of the forensic process involves archiving. Any data related to the investigation, evidence, software, and hardware can be archived. If a criminal investigation does take place, then the availability of this information must comply with legislation.