Media Examination

Examination of media should be conducted in a forensic environment.

one which is completely under the control of the examiner.
no actions are taken without the examiner permitting them to happen.
when the examiner permits or causes an action, he must be able to predict with reasonable certainty the outcome of the action.
use a forensically sound operating system.
physical write-blocking devices are mandatory in OS that are not forensically sound.
avoid examining the original evidence media, always use forensic copies.

Digital evidence is said to be forensically sound if it is collected, analyzed, handled, and stored in a manner that is acceptable by the law, and there is reasonable evidence to prove so.

PreviousExamining a computer NextExamples of things to write in the report

Last updated 10 months ago