Magnet 8TipsforPresentingDigitalEvidence.pdf

Examination and Analysis
Tip 4: Validate your results
Before reporting on or presenting the results of your digital evidence analysis, you need to validate all results. Typically,
investigators won’t have full confidence in the digital evidence until they’ve double-checked the original data source,
because there is always a possibility that the data at that location is slightly corrupt or there’s been a software bug.
Although it’s best to verify the evidence for every case, this becomes especially crucial when one piece of evidence
carries significant weight for an investigation. For example, if an investigator found a confession in a message from a
mobile chat app that shed light on the perpetrator of a homicide, it would be important to double-check these results
since they may have a substantial impact on the verdict.
In case you are asked how the software gathers data, use the glossary from the software provider (when appropriate)
to prepare to describe what the artifacts present and where they are located. For reference, you should also record
the software version numbers used for searches.
Although some may claim that the tool they use is court-approved and doesn’t require validation, the reality is that
no such certification exists. The best way to verify your results is by either running a second tool, or by verifying the
data manually by checking the original location to confirm that it matches your original results. This ensures the
court-admissibility of your evidence, so you can stand behind your results with confidence.
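A manual check of the original location might look like the following. This is an added example, not code from the guide or from any forensic tool. The `messages` table, its columns, and the tool-reported hits are constructed for illustration.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_sample_db(path):
    # Constructed stand-in for a chat app's message store (hypothetical schema).
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (body TEXT, sent_utc INTEGER)")
    con.executemany("INSERT INTO messages VALUES (?, ?)",
                    [("see you at 9", 1700000000), ("running late", 1700000300)])
    con.commit()
    con.close()

def verify_hit(db_path, hit):
    """Re-read the row a tool reported from the original file and compare it."""
    before = sha256_file(db_path)
    # mode=ro and immutable=1 keep SQLite from writing, locking or journaling.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        row = con.execute("SELECT body, sent_utc FROM messages WHERE rowid = ?",
                          (hit["rowid"],)).fetchone()
    finally:
        con.close()
    return {
        "row_found": row is not None,
        "body_match": row is not None and row[0] == hit["body"],
        "time_match": row is not None and row[1] == hit["sent_utc"],
        "source_unchanged": sha256_file(db_path) == before,
        "sha256": before,
        "sqlite_version": sqlite3.sqlite_version,  # version used for this check
    }

def demo():
    with tempfile.TemporaryDirectory() as d:
        db = str(Path(d) / "chat.db")
        build_sample_db(db)
        # Constructed tool output: hit 1 is accurate, hit 2 has a wrong body,
        # hit 3 points at a row that does not exist in the source.
        hits = [{"rowid": 1, "body": "see you at 9", "sent_utc": 1700000000},
                {"rowid": 2, "body": "running 1ate", "sent_utc": 1700000300},
                {"rowid": 7, "body": "deleted?", "sent_utc": 0}]
        return [verify_hit(db, h) for h in hits]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Any hit where `body_match`, `time_match` or `row_found` is false is a result to resolve before it goes into a report, and the recorded hash and version belong in the examiner's notes.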
Magnet Forensics - 8 Tips for Presenting Digital Evidence in Court - 4
