Which action is typically not performed during a digital forensic examination?

The action of modifying files for analysis is typically not performed during a digital forensic examination because preserving the integrity of the original evidence is paramount. Digital forensic investigators follow strict protocols to ensure that any data collected remains unchanged throughout the examination process. This is crucial for maintaining the evidentiary value and ensuring that the findings can withstand scrutiny in a legal context.

In contrast, identifying evidence is a fundamental step in the forensic process, where investigators determine where relevant data may be located. Collecting data from a live system is a practice that, while it presents challenges like the potential alteration of evidence, can be necessary in situations where volatile data must be captured quickly. Documenting the process is vital for transparency and reproducibility, forming a comprehensive record of how evidence was handled and analyzed. All of these actions support the integrity and validity of the forensic examination, while modifying files contradicts the foundational principles of preserving evidence.