Make up the glossary of the text and learn these terms by heart.

Make up the glossary of the text and learn these terms by heart.







Assessment. Computer forensic examiners should assess digital evidence thoroughly with respect to the scope of the case to determine the course of action to take.

Acquisition. Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. Examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves the integrity of the evidence.

Examination. The purpose of the examination process is to extract and analyze digital evi­dence. Extraction refers to the recovery of data from its media. Analysis refers to the inter­pretation of the recovered data and putting it in a logical and useful format.

Documenting and reporting. Actions and observations should be documented through­out the forensic processing of evidence. This will conclude with the preparation of a written report of the findings.


1. Read the text and make up the list of verbs closely associated with each step of the process:

1. Assessment: to assess,……………………………………………………….

2. Acquisition: to handle, ……………………………………………………..

3. Examination: to extract, ……………………………………………………

4. Documenting and reporting: to document, ……………………………….


Make up your helpful tips for forensic examiner (Dos and Don’ts list) using as many verbs as possible.

Write down a memo for the staff how they should deal with evidence examined.


· The term "memorandum" can be used instead of "memo".

· A memo is generally not as formal as a written letter. However, it is certainly not as informal as a personal letter.

· The tone of a memo is generally friendly as it is a communication between colleagues.

· Keep the memo concise and to the point.

· If necessary, introduce the reason for the memo with a short paragraph.

· Use bullet points to explain the most important steps in a process.

· Use a short thank you to finish the memo. This need not be as formal as in a written letter.




Principle: The examiner is responsible for completely and accurately reporting his or her findings and the results of the analysis of the digital evidence examination. Documentation is an ongoing process throughout the examination. It is important to accurately record the steps taken during the digital evidence examination.

Procedure: All documentation should be complete, accurate, and comprehensive. The resulting report should be written for the intended audience.

Examiner's notes

Documentation should be contemporaneous with the examination, and retention of notes should be consistent with departmental policies. The following is a list of general considerations that may assist the examiner throughout the documentation process.

- Take notes when consulting with the case investigator and/or prosecutor.

- Maintain a copy of the search authority with the case notes.

- Maintain the initial request for assistance with the case file.

- Maintain a copy of chain of custody documentation.

- Make notes detailed enough to allow complete duplication of actions.

- Include in the notes dates, times, and descriptions and results of actions taken.

- Document irregularities encountered and any actions taken regarding the irregularities during the examination.

- Include additional information, such as network topology, list of authorized users, user agreements, and/or passwords.

- Document changes made to the system or network by or at the direction of law enforcement or the examiner.

- Document the operating system and relevant software version and current, installed patches.

- Document information obtained at the scene regarding remote storage, remote user access, and offsite backups.


During the course of an examination, information of evidentiary value may be found that is beyond the scope of the current legal authority. Document this information and bring it to the attention of the case agent because the information may be needed to obtain addi­tional search authorities.


1. Read the text and write out the words describing the principle and procedure ofDocumenting and Reporting (e.g. accurately, ongoing…)

