Process of collecting, analyzing and preserving digital evidence.
DFIR is digital forensics and incident response.
Digital Forensic Process
Consists of three steps: acquisition, analysis and reporting.
Acquisition can be broken down into: identification, preservation and collection.
Identification - identify potential sources of evidence, key custodians and locations of data.
Preservation - the process of preserving relevant electronically stored information. Document all relevant information about evidence and how it was acquired.
Collection - collecting digital information that may be relevant to the investigation. Can include removing electronic devices from the scene, imaging, copying or printing out their content.
Analysis - in-depth systematic search of evidence relating to the incident. The outputs are data objects found in the collected information.
Reporting - reports are based on proven techniques and methodology, and other competent forensic examiners should be able to duplicate and reproduce the same results.