David Rismann Consultants
Forensic Examination Procedures

While every computer forensic examination is unique, certain procedures must be adhered to whenever possible. The following are some of our most important procedural guidelines:

  1. Subject computers should be documented and photographed prior to handling and especially before any invasive procedures are attempted. Computer make, model, serial number and inventory number should be noted and photographed. Any other identifying features should be documented. Condition and location of the computer should be noted as well.
  2. If computers are running and volatile data is important to the investigation, steps should be taken to capture this data before the machines are shut down. The state of the computers and the methods used for volatile data acquisition should be noted.
  3. Media should be documented and photographed. The condition and position of the media in the computer should be documented and photographed. Make, model, serial number, manufacturing date and condition should be noted and photographed.
  4. Some form of write-blocking must be in place before the subject media is imaged. Any attempt to acquire a forensic image of media without proper write blocking may result in spoiled evidence.
  5. Proper forensic imaging procedures utilize some method of validating the data after acquisition. It is essential to be able to prove that the data acquired and preserved is an exact copy of the computer media as presented to the examiner.
  6. Forensic images must be verified as exact duplicates before the acquisition is concluded. If there are problems with verification, another image should be obtained.
  7. Proper chain of custody procedures should be observed at all times. It should be noted what was taken away from the acquisition by the examiner and what happens to each piece of material as it is transferred to other individuals.
  8. The forensic images must be analyzed in such a fashion as to avoid contaminating the images during the process.
  9. Each examination has its own requirements but in general a thorough forensic examination includes analysis of the existing file system, the unallocated portion of the media, and slack space.
  10. The examiner should note the presence of any disk scrubbing or wiping applications installed on the machine.
  11. Relevant material should be documented and produced in a legible report, along with information identifying the data analyzed or produced and the procedures used to acquire and examine it.
  12. Everything produced from a computer forensic examination must be able to be traced back to the original forensic image. Results should be repeatable by other technicians.
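As an added example that is not part of DRC's own procedures, the following Python script carries items 4 through 6 and 12 through on constructed sample data: the source media is digested block by block while the image is written, the finished image is re-read and digested independently, and a single altered byte in the image is enough to fail verification. Write-blocking itself is a hardware or driver matter and is assumed to be in place; the sample media file, image path and helper names are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024        # 1 MiB blocks, so large media never has to fit in RAM
ALGORITHMS = ("md5", "sha256")  # two digests: one collision cannot hide a change


def _digest(src, dst=None):
    """Digest src block by block; if dst is given, also write each block to it."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: src.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
        if dst is not None:
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image):
    """Copy the (write-blocked) source media to an image file, hashing every
    block as it is read so the source digests are fixed at acquisition time."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        return _digest(src, dst)


def verify_image(image, acquisition_hashes):
    """Re-read the finished image independently; True only if every digest
    matches the one recorded at acquisition, otherwise the image is re-acquired."""
    with open(image, "rb") as fh:
        return _digest(fh) == acquisition_hashes


def demo():
    """Run the procedure on constructed sample media, then show that a single
    altered byte in the image is caught by verification."""
    with tempfile.TemporaryDirectory() as workdir:
        media = os.path.join(workdir, "media.bin")  # stand-in for the subject disk
        image = os.path.join(workdir, "media.dd")   # raw image written from it
        with open(media, "wb") as fh:               # 3 MiB of constructed content
            fh.write(bytes(range(256)) * (3 * 1024 * 4))
        recorded = acquire_image(media, image)
        verified = verify_image(image, recorded)
        with open(image, "r+b") as fh:              # simulate a corrupted image
            fh.seek(CHUNK + 7)
            fh.write(b"\xff")
        return {"sha256": recorded["sha256"], "verified": verified,
                "verified_after_corruption": verify_image(image, recorded)}
```

The digests returned by acquire_image are what a report cites so that every produced item can be traced back to the original image; an examiner would record them, with time and operator, in the chain-of-custody log.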

© Copyright 1998-2008 David Rismann Consultants, Inc. All Rights Reserved.