
[FREE E-Book PDF] Digital Forensics With Open Source Tools (2011)

Digital Forensics With Open Source Tools (2011)

At the first Digital Forensics Research Workshop (DFRWS) in 2001, digital forensics was defined as:
The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

The process of digital forensics can be broken down into three categories of activity: acquisition, analysis, and presentation.

  1. Acquisition refers to the collection of digital media to be examined. Depending on the type of examination, these can be physical hard drives, optical media, storage cards from digital cameras, mobile phones, chips from embedded devices, or even single document files. In any case, media to be examined should be treated delicately. At a minimum the acquisition process should consist of creating a duplicate of the original media (the working copy) as well as maintaining good records of all actions taken with any original media.
  2. Analysis refers to the actual media examination—the “identification, analysis, and interpretation” items from the DFRWS 2001 definition. Identification consists of locating items or items present in the media in question and then further reducing this set to items or artifacts of interest. These items are then subjected to the appropriate analysis. This can be file system analysis, file content examination, log analysis, statistical analysis, or any number of other types of review. Finally, the examiner interprets results of this analysis based on the examiner’s training, expertise, experimentation, and experience.
  3. Presentation refers to the process by which the examiner shares results of the analysis phase with the interested party or parties. This consists of generating a report of actions taken by the examiner, artifacts uncovered, and the meaning of those artifacts. The presentation phase can also include the examiner defending these findings under challenge.
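The acquisition minimum described in step 1 (a working copy plus a record of every action) can be sketched as follows. This is an added example, not code from the book or the original post; the use of SHA-256 to validate the copy, the JSON-lines log format, and all file and function names are assumptions made for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read media in 1 MiB blocks

def sha256_file(path):
    """Hash a file in blocks so large images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def log_action(log_path, action, **details):
    """Append one timestamped JSON record per action taken (assumed log format)."""
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "action": action, **details}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def acquire(source, working_copy, log_path):
    """Copy source to working_copy, hashing the source as it is read, then verify."""
    log_action(log_path, "acquisition_started", source=source)
    source_digest = hashlib.sha256()
    # "rb" opens the original read-only; "xb" refuses to overwrite an existing copy.
    with open(source, "rb") as src, open(working_copy, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_digest.update(block)
            dst.write(block)
    copy_sha256 = sha256_file(working_copy)  # re-read what actually landed on disk
    verified = copy_sha256 == source_digest.hexdigest()
    log_action(log_path, "working_copy_created", working_copy=working_copy,
               source_sha256=source_digest.hexdigest(), copy_sha256=copy_sha256,
               size=os.path.getsize(working_copy), verified=verified)
    return verified, copy_sha256

def demo():
    """Run against constructed sample bytes standing in for a small media image."""
    sample = b"CONSTRUCTED-SAMPLE-MEDIA" * 4096
    workdir = tempfile.mkdtemp()
    source, copy, log_path = (os.path.join(workdir, n)
                              for n in ("original.img", "working.img", "actions.log"))
    with open(source, "wb") as f:
        f.write(sample)
    verified, digest = acquire(source, copy, log_path)
    with open(log_path) as log:
        records = [json.loads(line) for line in log]
    return verified, digest, records, copy

if __name__ == "__main__":
    print(demo()[:2])
```

Re-running `sha256_file` on the working copy at any later point and comparing it with the logged `source_sha256` shows whether the copy has changed since acquisition.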


This post first appeared on ENJERU, please read the original post: here
