ABSTRACT

This chapter begins with a review of the case of Gates Rubber Company vs. Bando Chemical Industry, identifying the importance of data preservation. A small error, such as forgetting to use a write blocker or to create a duplicate image, could result in a loss of potential evidence. The chapter explores in detail the examination/analysis phase of the digital forensics process by describing how and where potential evidence may be uncovered from a digital device, including the ability to recover deleted files. It concludes with a discussion of report objectivity and forensic confirmation bias; after all, the integrity of the report is just as important as the integrity of the evidence itself. Data preservation is the first step toward uncovering digital evidence and occurs during the collection/acquisition phase of the digital forensic investigation. The examination phase of the digital forensic investigation is concerned with the recovery or extraction of digital data.