DIGITAL FORENSIC INVESTIGATION BEST PRACTICES

Today, most cases involve digital evidence and at ADF, we recommend taking a forensic triage approach to prioritize your investigation.  Starting with smartphone triage or computer triage means you are not conducting a deep dive investigation -- you're hitting on all the data that will keep your investigation going and allow you to make informed decisions.

  1. The first thing to do in any case is to review your report, notes, interviews, cybertips, etc.

  2. Pick out keywords for your case that are on point and unique to avoid false positives. The first unique item that most likely will be relevant is the IP address, this is the item of evidence that led you to the location of the suspect or target computer. It is an indicator of the correct location and so unique that false positives will not be an issue. Case specific keywords such as child exploitation keywords and search terms, very unique names or words, or phrases in chat and email also help to seal the deal.

  3. Consider what else is unique about your case and choose the type of artifacts that are going to help you in your case, keep the investigation going, eliminate or solidify evidence, or give you enough information to report and give a general profile of the computer usage.

  4. Keep your hashes limited to items of value, especially if speed is an issue.

  5. Consider the amount of time you have based on the situation and perform an initial Quick, Intermediate or Comprehensive scan using an out-of-the-box Digital Forensic Search Profile or one of your custom Search Profiles.

  6. Analyze your results as the scan is in process. Using ADF software you'll have the ability to start reviewing scan results, such as pictures and videos, as the scan is happening.  

  7. Build your report and export it to PDF, CSV, HTML  or the ADF Standalone Report Viewer.

  8. Share your report.  With ADF software you can share a standalone portable digital forensic report with other investigators or with prosecutors. They don't need a license to view the report or perform further analysis and tagging.  Send them a copy of the Standalone Report Viewer User Guide so they have a reference guide for the software.

We invite you to attend one of our live and on-demand Digital Investigation Best Practices webinars.  These webinars are designed for investigators, forensic examiners, prosecutors, corporate security officers or anyone performing digital evidence investigations. 

Learn how easy it is to investigate using ADF digital forensic software.  

Talk to an ADF Expert

ADF Resources

  • White Papers

    • Dive deeper into our numerous verticals and technical abilities with our white papers.

  • Webinars

    • Join our Digital Forensic Specialists and Trainers for regular webinars designed to illustrate digital forensic best practices for starting and solving your investigations quickly on-scene or in the lab.

  • How To Videos
    • View our "how-to" videos which are designed to teach key concepts in short, easy-to-learn formats. These free videos are created and frequently updated by our digital forensic specialists and trainers that come to us with experience in investigations and law enforcement.