Examination

The examination phase covers the specific tools and forensic techniques used to discover and extract data from the evidence seized as part of the incident. For example, in a case where malware is suspected of infecting a desktop system as part of a larger attack, the extraction of specific information from an acquired memory image would take place in this stage. In other cases, digital forensic examiners may need to extract Secure Shell (SSH) traffic from a network capture. The examination of digital evidence also continues the process of proper preservation, in that examiners must handle the evidence with the utmost care throughout the examination. If the digital forensic examiner does not take care to preserve the evidence in this stage, it may become contaminated, which would leave it unreliable or unusable.
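The following is an added example, not code from the book: it pulls SSH packets out of a network capture while checking the capture against its acquisition hash before and after the extraction. The function names (`build_sample_pcap`, `verify`, `extract_ssh`, `examine`) are hypothetical and the sample capture is constructed. It assumes a classic little-endian pcap with Ethernet/IPv4 framing, SSH on TCP port 22, and a byte string standing in for a working copy read with read-only access.

```python
import hashlib
import struct

def build_sample_pcap():
    """Constructed capture: one SSH banner packet and one HTTP packet."""
    def record(sport, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header + record(50000, 22, b"SSH-2.0-OpenSSH_8.9\r\n")
            + record(50001, 80, b"GET / HTTP/1.1\r\n\r\n"))

def verify(image, acquisition_sha256):
    """True if the working copy still matches the hash recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == acquisition_sha256

def extract_ssh(pcap, port=22):
    """Return (src_port, dst_port, payload) for each IPv4/TCP packet on `port`."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # truncated, not IPv4, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp + 20:
            continue  # TCP header cut off by the snap length
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        if port in (sport, dport):
            end = 14 + struct.unpack_from("!H", frame, 16)[0]  # IP total length
            data_off = (frame[tcp + 12] >> 4) * 4
            hits.append((sport, dport, frame[tcp + data_off:end]))
    return hits

def examine(image, acquisition_sha256):
    """Verify integrity, extract SSH packets, then verify again."""
    if not verify(image, acquisition_sha256):
        raise ValueError("working copy does not match the acquisition hash")
    findings = extract_ssh(image)
    if not verify(image, acquisition_sha256):
        raise ValueError("working copy changed during examination")
    return findings
```
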