2 The Digital Forensics Process

Anders O. Flaglien

Security Architect at the Central Bank of Norway

Digital evidence may be found in computers, mobile devices, internet infrastructure, industrial systems, and other digital devices. The application of the forensic process and its underlying principles will ensure that an investigation is forensically sound. In this chapter, we present the five phases of the digital forensics investigation process, based on the principles of digital forensics and common law enforcement and industry practices. The process is considered in the context of digital investigations, and we will look into examples and scenarios that address how investigators work, or should work, and the tools they use.

Just as in our daily lives, from work to school to all kinds of social situations, crimes may involve one or more digital devices and services. Fortunately, many well-established principles of physical investigations and forensic science can also be applied to digital forensics. The motivations for crime do not change much simply because new technology is involved. The traditional robbery of a physical grocery store in pre-digital societies can easily parallel the hacking of web-shops to steal credit card information. Physical criminal activity (e.g., murder) cannot generally be committed with the use of digital services alone, but these services may facilitate the planning or communication for the execution of a crime.

2.1 Introduction

Over the last decade, ...
