
The examination phase details the specific tools and forensic techniques that are used to discover and extract data from the evidence seized as part of an incident. For example, in a case where malware is suspected of infecting a desktop system as part of a larger attack, the extraction of specific information from an acquired memory image would take place at this stage. In other cases, digital forensics examiners may need to extract Secure Shell (SSH) traffic from a network capture. The examination of digital evidence also continues the process of proper preservation, in that examiners maintain the utmost care with the evidence during the examination. If the digital forensics examiner does not take care to preserve the evidence at this stage, there is the possibility of contamination that would result in the evidence being unreliable or unusable.
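The SSH extraction mentioned above, as an added example that is not taken from the book: a read-only parser that pulls SSH-looking TCP packets out of a capture without modifying the evidence bytes. It assumes a classic pcap file (not pcapng) with Ethernet framing and IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct

def build_sample_pcap():
    """Constructed sample capture: SSH on 22, HTTP on 80, SSH banner on 2222."""
    def frame(sport, dport, payload):
        eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                         64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
        return eth + ip + tcp + payload
    frames = [frame(50000, 22, b"SSH-2.0-client\r\n"),
              frame(50001, 80, b"GET / HTTP/1.1\r\n"),
              frame(2222, 50002, b"SSH-2.0-server\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

def extract_ssh(pcap, port=22):
    """Return (packet_no, src_port, dst_port, payload) for packets that look like SSH."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if len(pcap) < 24 or struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    hits, off, packet_no = [], 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        pkt = pcap[off + 16:off + 16 + incl]
        off, packet_no = off + 16 + incl, packet_no + 1
        if len(pkt) < incl:
            break  # truncated final record: stop rather than guess
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = 14 + (pkt[14] & 0x0F) * 4
        if len(pkt) < tcp + 20:
            continue
        sport, dport = struct.unpack_from("!HH", pkt, tcp)
        end = 14 + struct.unpack_from("!H", pkt, 16)[0]  # drop Ethernet padding
        payload = pkt[tcp + (pkt[tcp + 12] >> 4) * 4:end]
        # Port match is a heuristic; the "SSH-" banner catches non-standard ports.
        if port in (sport, dport) or payload.startswith(b"SSH-"):
            hits.append((packet_no, sport, dport, payload))
    return hits
```

The packet numbers are 1-based so findings can be cross-referenced against the same capture opened in another tool.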
