Various digital forensic examination models are in use, each emphasizing slightly different stages in the investigation process, with no universally agreed-upon model used by practitioners. I have examined the structure of each model and propose that a typical digital forensic examination may be divided into the evidence-recovery and preservation stage and then locating, sorting, selecting, and analyzing the evidence recovered that may support (or refute) a legal argument. The next stage is validating the evidence, ensuring that it is what it purports to be. The final stage is presenting the selected evidence in a formal report. This may be to the legal team or the investigator or may be made by the practitioner testifying during a legal hearing.
The examination is often an iterative process, in that the various stages may be revisited before the examination is finally concluded. For example, another device that may be recovered later...