The examination process is certainly the core of computer forensics.
The structure and methodology of this process must above all
provide a rigorous and detailed investigation. Moreover, it is
vital to ensure proper handling of evidence and thus reduce the
chance of omissions and mistakes. This process is common to
criminal investigations as well as military and corporate examinations
in cases where the safety of computer systems is endangered (hacker
intrusions, viruses, omissions, misuse…).

After the examination is completed, forensic technicians and
investigators deliver the obtained data to the prosecution office
and competent bodies, which decide on the meaning of such evidence.
When a case comes to trial, investigators present their findings
and give evidence on the authenticity of the disclosed data.

Each forensic investigation seeks to ensure:
1. acceptability – procedures and methods are accepted by professionals
2. reliability – findings can be proven through the methods applied
3. repeatability – the process may be repeated by anyone, regardless of the time and place
4. integrity – original evidence integrity is preserved
5. logical relation between the suspect, event and finding, cause and consequence
6. documentation – noting key points for expert/forensic investigator testimony.

These goals all have one thing in common – to ensure the most
convincing arguments, based on facts and within the legal criteria
for evidence admissibility.