Formalisierung digitaler Spuren und ihre Einbettung in die Forensische Informatik

Today, digital forensics (also known as computer forensics) already is a common instrument in forensic investigations. It is due to its massive presence in the media that digital forensics more and more comes to the public mind, too. However, today’s practices and methods are of a more pragmatic kind and a comparison with other forensic sciences shows clear deficits. Those deficits can be divided into two areas: 1. A lack of orientation towards other forensic sciences. 2. A lack of fundamental theory. This thesis tries to address both domains and thus to contribute to the scientific foundation of the area of digital forensics. For that purpose, this work examines the origin and fundamentals of forensic science in general and identifies parallels in digital forensics. The relationship between the established practices in digital forensics and the theory of classical forensic sciences is determined. Especially, one of the most fundamental theories in forensics — the theory of the origin of evidence by Inman and Rudin (2000) — is transferred from the physical world to the digital world. Following this theory, the establishment of associations form the core of every forensic investigation. That is why this thesis introduces the notion of forensic computing (ger.: forensische Informatik) as exactly that core area of digital forensics that has a focus on the pure establishment of associations by applying scientific methods of computer science. To comply with the demand for a theoretic foundation, this work formalizes the term of evidence on the basis of an abstract model. For the first time, this formalisation puts us in a position to make exact (formal) statements about what digital evidence is and about its origin. Further, the types of reconstruction problems that are answered by forensic computing is examined formally, as well as factors that are relevant to the solvability of those problems. The results of this formal considerations are then demonstrated and explained as a proof of concept in practical case studies.