Structured investigation of digital incidents in complex computing environments

Critics, unimpressed by the rigor of the forensic digital examination process, have taken the position that forensic digital analysis is, more rightly, simply little more than ad hoc data collection and analysis. The reality is that forensic digital analysis as a whole, in its relative infancy, is the unwilling victim of the rapid advancement of computer technology. Struggling to keep pace with the giant steps taken in recent years by the computing industry, forensic digital analysis is, as are many defensive computing technologies, at the mercy of ever more new and complex computing approaches. Chief among these new paradigms is the need to analyze forensic materials over complex chains of evidence that may range around the globe over a wide variety of heterogeneous computing platforms, environments and transports. This paper discusses a formalized approach to the forensic collection, management and analysis of digital evidence involved in complex cases occurring over complex networks. Its objective is to begin the processes of instilling the same rigor in the practice of forensic digital analysis that exists in many other branches of forensic science. 1.0 Background and Problem Statement In August of 2001 over 50 university researchers, computer forensic examiners and analysts attended the first Digital Forensic Research Workshop (DFRWS) in Utica, New York. Although the objective of the workshop was the forming of the beginnings of a community to engage in research involving digital forensics, much more actually came out of the effort. Perhaps the most important contribution to the near term goals of incorporating appropriate rigor into the science of forensic digital analysis was the definition of what the state of the practice must be to approach the status of an accepted science. [DFRWS01] The workshop defined a “generic investigative process that can be applied to all (or the majority of) investigations involving digital systems and networks.” The generic process, as defined at the time is: • Identification • Preservation • Collection • Examination • Analysis • Presentation • Decision For our purposes we will accept this top level process and develop our approach around it.