DIGITAL FORENSIC INVESTIGATION BEST PRACTICES

Today, most cases involve digital evidence, and at ADF we recommend taking a forensic triage approach to prioritize your investigation. Starting with smartphone triage or computer triage means you are not conducting a deep dive investigation -- you're hitting on all the data that will keep your investigation going and allow you to make informed decisions.

  1. The first thing to do in any case is to review your report, notes, interviews, cybertips, etc.

  2. Pick out keywords for your case that are on point and unique to avoid false positives. The first unique item that will most likely be relevant is the IP address: this is the item of evidence that led you to the location of the suspect or target computer. It is an indicator of the correct location and so unique that false positives will not be an issue. Case-specific keywords, such as child exploitation keywords and search terms, highly distinctive names or words, or phrases in chat and email, also help to seal the deal.

  3. Consider what else is unique about your case and choose the type of artifacts that are going to help you in your case, keep the investigation going, eliminate or solidify evidence, or give you enough information to report and give a general profile of the computer usage.

  4. Keep your hashes limited to items of value, especially if speed is an issue.

  5. Consider the amount of time you have based on the situation and perform an initial Quick, Intermediate or Comprehensive scan using an out-of-the-box Digital Forensic Search Profile or one of your custom Search Profiles.

  6. Analyze your results as the scan is in process. Using ADF software you'll have the ability to start reviewing scan results, such as pictures and videos, as the scan is happening.

  7. Build your report and export it to PDF, CSV, HTML or the ADF Standalone Report Viewer.

  8. Share your report. With ADF software you can share a standalone portable digital forensic report with other investigators or with prosecutors. They don't need a license to view the report or perform further analysis and tagging. Send them a copy of the Standalone Report Viewer User Guide so they have a reference guide for the software.
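The keyword and hash steps above can be sketched in a few lines of Python. This is an added example, not ADF software or code from this page: it matches the case IP address only as a whole address (so `203.0.113.7` does not hit inside `203.0.113.70`) and checks files against a deliberately short hash list. The names `triage` and `demo`, the file names, the keyword and the documentation-range IP addresses are all constructed assumptions.

```python
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Dotted quad that is not part of a longer number or dotted string.
IPV4 = re.compile(rb"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

def triage(root, case_ip, hash_set, keywords=()):
    """Return {relative path: sorted hit labels} for every file under root."""
    target = ipaddress.ip_address(case_ip)
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()  # fine for a sketch; stream large evidence in chunks
        found = set()
        if hashlib.sha256(data).hexdigest() in hash_set:
            found.add("hash")
        for match in IPV4.finditer(data):
            try:
                if ipaddress.ip_address(match.group().decode()) == target:
                    found.add("ip")
            except ValueError:
                pass  # looks like an address but is not one, e.g. 999.1.1.1
        lowered = data.lower()
        found.update("kw:" + k for k in keywords if k.lower().encode() in lowered)
        if found:
            hits[path.relative_to(root).as_posix()] = sorted(found)
    return hits

def demo():
    """Run the triage over constructed sample files (documentation-range IPs)."""
    known = b"constructed file standing in for an item of value"
    samples = {
        "chat.log": b"12:01 login from 203.0.113.7. user=bluefinch42\n",
        "router.txt": b"lease 203.0.113.70 and 1203.0.113.7 renewed\n",
        "cache/item.bin": known,
        "notes.txt": b"nothing relevant here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            dest = Path(root, name)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(body)
        hash_set = {hashlib.sha256(known).hexdigest()}  # short, high-value list
        return triage(root, "203.0.113.7", hash_set, keywords=("bluefinch42",))
```

Calling `demo()` flags `chat.log` and `cache/item.bin` only; `router.txt` contains look-alike addresses and is left out.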

We invite you to attend one of our live and on-demand Digital Investigation Best Practices webinars.  These webinars are designed for investigators, forensic examiners, prosecutors, corporate security officers or anyone performing digital evidence investigations. 

Learn how easy it is to investigate using ADF digital forensic software.  
