Overview

The basic phases of the forensic process are: collection, examination, analysis, and reporting. During collection, data related to a specific event is identified, labeled, recorded, and collected, and its integrity is preserved. In the second phase, examination, forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and other processes. The next phase, analysis, involves analyzing the results of the examination to derive useful information that addresses the questions that were the impetus for performing the collection and examination. The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process.
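
As an added illustration (not part of the original text), the following Python example shows one way to meet the integrity requirement of the collection and examination phases: the item is labeled, recorded and hashed when collected, and the hash is re-checked during examination. The function names, record fields, the label `ITEM-001` and the collector name `examiner-a` are assumptions made for this example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect(path, label, collector):
    """Collection: label and record the item, and fix its hash at acquisition."""
    return {
        "label": label,            # hypothetical evidence label
        "path": path,
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_by": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify(record):
    """Examination: re-hash the item and compare with the recorded value.
    Call before and after running tools; False means the item has changed."""
    return sha256_file(record["path"]) == record["sha256"]


def demo():
    """Constructed sample: a small temp file stands in for acquired media."""
    with tempfile.TemporaryDirectory() as tmp:
        item = os.path.join(tmp, "auth.log")
        with open(item, "wb") as fh:
            fh.write(b"constructed sample log line\n")
        record = collect(item, "ITEM-001", "examiner-a")
        intact = verify(record)            # unchanged since collection
        with open(item, "ab") as fh:       # simulate an accidental write
            fh.write(b"x")
        altered_detected = not verify(record)
        return intact, altered_detected


if __name__ == "__main__":
    print(demo())
```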


The forensic process transforms media into evidence, whether evidence is needed for law enforcement or for an organization's internal usage.[1] Specifically, the first transformation occurs when collected data is examined, which extracts data from media and transforms it into a format that can be processed by forensic tools.[2] Second, data is transformed into information through analysis. Finally, the transformation of information into evidence is analogous to transferring knowledge into action: the information produced by the analysis is used in one or more ways during the reporting phase.

References

  1. From a legal perspective, the term evidence technically refers only to those items that are admitted into a court case by a judge. However, the term evidence is widely used in a less restrictive manner.
  2. In this context, the word media refers to both systems and networks.