A computer or smart phone under forensic examination is like a vast metropolis of neighborhoods, streets, buildings, furnishings and stuff–loads of stuff. It’s routine for a single machine to yield over a million discrete information items, some items holding thousands of data points. Searching so vast a virtual metropolis requires a clear description of what’s sought and a sound plan to find it.
In the context of electronic discovery and digital forensics, an examination protocol is an order of a court or an agreement between parties that governs the scope and procedures attendant to testing and inspection of a source of electronic evidence. Parties and courts use examination protocols to guard against compromise of sensitive or privileged data and insure that specified procedures are employed in the acquisition, analysis, and reporting of electronically-stored information (ESI).