What is digital forensics?

Four phases: Collection (with write blockers, hashing), Examination (extract relevant data), Analysis (draw conclusions), Reporting (document findings). ACPO principles: don't modify original, document all actions, follow lawful process. Evidence must be legally obtained and properly handled.