Pre-investigation Phase

The pre-investigation phase is the planning phase of the computer forensics investigation process. During this phase, the investigator will gather information about the case, such as the type of crime, the potential suspects, and the evidence that needs to be collected. The investigator will also develop a plan for how the investigation will be conducted.

Steps involved in the pre-investigation phase:

  1. Identify the scope of the investigation. What is the purpose of the investigation? What evidence is needed to meet the purpose of the investigation?
  2. Identify the stakeholders. Who is involved in the investigation? Who will be affected by the results of the investigation?
  3. Assess the risks. What are the risks associated with the investigation? What steps can be taken to mitigate these risks?
  4. Develop a plan. The plan should outline the steps that will be taken during the investigation, including the evidence that will be collected, how it will be collected, and how it will be analyzed.

Investigation Phase

The investigation phase is the execution phase of the computer forensics investigation process. During this phase, the investigator will collect, preserve, and analyze the digital evidence.

Steps involved in the investigation phase:

  1. Secure the scene. The investigator should secure the scene to prevent any tampering with the evidence.
  2. Identify the evidence. The investigator should identify all of the digital evidence that is relevant to the investigation.
  3. Collect the evidence. The investigator should collect the evidence in a way that preserves its integrity.
  4. Preserve the evidence. The investigator should store the evidence in a secure location.
  5. Analyze the evidence. The investigator should analyze the evidence to identify any relevant information.

Post-investigation Phase

The post-investigation phase is the reporting phase of the computer forensics investigation process. During this phase, the investigator will generate a report that documents the findings of the investigation. The report will include the evidence that was collected, the analysis that was performed, and the conclusions that were reached.

Steps involved in the post-investigation phase:

  1. Generate a report. The report should be clear, concise, and well-organized. It should include the following information:
    • The purpose of the investigation
    • The scope of the investigation
    • The methodology used
    • The results of the investigation
    • The conclusions of the investigation
  2. Review the report. The report should be reviewed by other qualified individuals to ensure that it is accurate and complete.
  3. Present the report. The report may be presented to the stakeholders in the investigation, such as law enforcement, corporate executives, or attorneys.

Example of a computer forensics investigation

A company suspects that one of its employees is stealing trade secrets. The company hires a computer forensics investigator to investigate the matter.

The investigator begins by interviewing the company’s management and employees to learn more about the situation. The investigator then develops a plan for collecting and analyzing the employee’s computer.

The investigator secures the employee’s computer and creates an image of the hard drive. The investigator then analyzes the image to look for any evidence of trade secret theft.

The investigator finds evidence on the employee’s computer that shows that the employee has been stealing trade secrets. The investigator generates a report that documents the findings of the investigation. The company uses the report to fire the employee and to take legal action against them.

Challenges of computer forensics investigations

Computer forensics investigations can be challenging for a number of reasons. One challenge is that digital evidence can be easily destroyed or tampered with. It is important for investigators to take steps to preserve the integrity of the evidence during the collection and analysis process.
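One way to make the integrity requirement above (and the "collect" and "preserve" steps of the investigation phase) checkable, shown as an added example that is not part of the original page: hash the image at acquisition, record each hand-off in a hash-chained custody log, and re-verify both later. The function names, log fields, actor names and timestamps are assumptions constructed for illustration, and SHA-256 is this example's choice of hash.

```python
import hashlib, json, pathlib, tempfile

CHUNK = 1 << 20  # read in 1 MiB chunks so large images never sit fully in memory

def hash_image(path):
    """Return the SHA-256 hex digest of an evidence file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Hash every field of a custody record except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, action, actor, image_path, when):
    """Append a custody record chained to the previous record's hash."""
    entry = {"when": when, "action": action, "actor": actor,
             "image_sha256": hash_image(image_path),
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify(log, image_path):
    """Return a list of problems; an empty list means log and image agree."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != entry_digest(e):
            problems.append(f"log entry {i} altered or out of order")
        prev = e["entry_hash"]
    if log and hash_image(image_path) != log[0]["image_sha256"]:
        problems.append("image no longer matches acquisition hash")
    return problems

def demo():
    """Constructed sample: a tiny file stands in for a disk image."""
    with tempfile.TemporaryDirectory() as d:
        img = pathlib.Path(d, "evidence.img")
        img.write_bytes(b"\x00" * 4096 + b"constructed sample data")
        log = []
        append_entry(log, "acquired", "investigator A", img, "2024-01-01T10:00:00Z")
        append_entry(log, "moved to locker", "investigator A", img, "2024-01-01T11:00:00Z")
        clean = verify(log, img)
        log[0]["actor"] = "someone else"            # simulate an edited log record
        edited = verify(log, img)
        img.write_bytes(img.read_bytes() + b"x")    # simulate a modified image
        return clean, edited, verify(log, img)
```

The chain only exposes edits if the most recent `entry_hash` is also recorded somewhere the person editing the log cannot reach, such as a signed report or a witness copy.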

Another challenge is that the volume of digital evidence can be overwhelming. Investigators may need to analyze large amounts of data, such as hard drives, email servers, and network logs.

Finally, computer forensics investigations can be complex and time-consuming. Investigators may need to learn about new technologies and techniques in order to successfully investigate a crime.


Computer forensics investigations play a vital role in the criminal justice system and in the corporate world. By collecting, preserving, and analyzing digital evidence, computer forensics investigators can help to bring criminals to justice and protect organizations from harm.