What are the Phases of Computer Forensics Investigation?


A computer forensics investigation involves several phases. The first, and the most critical, is securing the computer system so that the data and equipment remain safe for further investigation. This means the investigator must make sure that nobody accesses the computer except the investigator or someone the investigator has authorised. Securing the system also involves severing the computer from its internet connection so that no unauthorised access is possible. It is important to follow the appropriate phases of the investigation, particularly the first phase of securing the system, because evidence may be lost if the system is accessed by an unauthorised user. This is why most computer forensics investigations are entrusted to professional and experienced forensics firms such as Elijaht m&a due diligence, who can handle cases efficiently and confidently and strictly follow the phases of a computer forensics investigation.

After securing the computer system, the investigator should find and check all the files on the computer, including files that are encrypted, password-protected, deleted or hidden. The investigator then makes a copy of the files, including a copy of the hard drive, storage devices and other essential places. The investigator never opens a file in its original location, because opening it may automatically change the original information in the file. Therefore, the investigator only copies the files and later opens them for investigation from the copies.

The third important phase of the computer forensics investigation is the recovery of files. In this phase, the investigator recovers as many deleted files and as much deleted information as possible, using applications that can retrieve data from deleted files. Similarly, the investigator recovers data or files that are hidden, and decrypts and gains access to protected files. If the investigator believes there are other places where data may be stored, they may further analyse special areas of the computer that are normally inaccessible.

Whatever the investigator does, he or she must document everything that happens throughout the investigation. In fact, the investigator has to report that the investigation has not damaged any data or information stored on the computer. Once the investigation is over, the investigator compiles the final report and prepares the presentation for trial in court.
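
The copy-then-examine rule and the requirement to show that nothing was damaged can be backed by hashes, as in this added example (not part of the original article): it hashes the original, makes a working copy, confirms the copy matches, and logs each step. The file names, the JSON-lines log format and the sample "image" are assumptions; the example works at file level, not on a whole device.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1024 * 1024):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: the original is never written to
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def log_event(log_path, action, **details):
    """Append one timestamped entry to the investigation log (hypothetical format)."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action, **details}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")

def acquire_working_copy(original, workdir, log_path):
    """Hash the original, copy it, and refuse to continue if the copy differs."""
    digest = sha256_file(original)
    log_event(log_path, "hash_original", path=original, sha256=digest)
    copy_path = os.path.join(workdir, os.path.basename(original) + ".working")
    shutil.copyfile(original, copy_path)
    if sha256_file(copy_path) != digest:
        log_event(log_path, "copy_mismatch", path=copy_path)
        raise ValueError("working copy does not match the original")
    log_event(log_path, "working_copy_verified", path=copy_path, sha256=digest)
    return copy_path, digest

def verify_original_unchanged(original, expected, log_path):
    """Re-hash the original at the end; the result goes into the final report."""
    current = sha256_file(original)
    unchanged = current == expected
    log_event(log_path, "verify_original", sha256=current, unchanged=unchanged)
    return unchanged

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "evidence.img")  # constructed sample data
        with open(evidence, "wb") as f:
            f.write(b"constructed sample disk image bytes\n" * 64)
        log = os.path.join(tmp, "custody.jsonl")
        _, digest = acquire_working_copy(evidence, tmp, log)
        intact = verify_original_unchanged(evidence, digest, log)
        with open(evidence, "ab") as f:  # simulate someone touching the original
            f.write(b"x")
        after_change = verify_original_unchanged(evidence, digest, log)
        with open(log, encoding="utf-8") as f:
            return intact, after_change, sum(1 for _ in f)

if __name__ == "__main__":
    print(demo())
```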