IT Forensic

The responsibility of the IT or digital forensic is to identify and/or exclude criminal acts in connection with IT systems, but also to analyze or reconstruct, if necessary. Next to the common data carrier analysis of hard discs of PC and server systems, the evaluation of digital traces on mobile consumer equipment becomes more and more important.

The correct handling of evidence is the basic prerequisite for achieving comprehensible results. Normally, a forensic analysis of IT systems is carried out in four Steps:

• identification of data carriers, data, files, structures, surroundings
• securing of evidence
• analysis of relevant ascertained data of evidence
• preparation and documentation of data that can be used in court in report format

The basis for each report and each forensic examination are "reproducible" results .


The following needs to be observed to ensure reproducibility:

• The original evidence should be "moved" as little as possible, because each "movement" could result in a falsification of the evidence. Each "movement" should be documented.
• The evidence chain must be ensured. This means that a perfect and complete documentation is necessary.
• The integrity of the data must be secured at all times. There are numerous methods to guarantee this.

Personal knowledge must never be overestimated. The consultation of different specialists for special subjects should be considered.

Tools used for the evaluation are e.g. the newest versions of X-Ways Forensics, Encase, Forensik Toolkit, FASTBLOCKIDE, Tableau Write Blocker (hard disc writing protection), system analysis software, as well as PERKEO libraries.