Digital forensic process: Difference between revisions

Chevy99 (talk | contribs)
mNo edit summary
OAbot (talk | contribs)
m Open access bot: url-access updated in citation with #oabot.
 
==Personnel==
 
The stages of the digital forensics process require different specialist training and knowledge. There are two basic levels of personnel:<ref name="casey" />
 
;Digital forensic technician
:Technicians gather or process evidence at crime scenes. These technicians are trained in the correct handling of technology (for example, how to preserve the evidence). Technicians may be required to carry out "live analysis" of evidence. Various tools to simplify this procedure have been produced, such as EnCase, Velociraptor and FTK.
 
;Digital Evidence Examiners
There have been many attempts to develop a process model, but so far none has been universally accepted. Part of the reason may be that many of the process models were designed for a specific environment, such as law enforcement, and therefore could not be readily applied in other environments such as incident response.<ref name="adams" /> This is a list of the main models since 2001 in chronological order:<ref name="adams" />
* The Abstract Digital Forensic Model (Reith, et al., 2002)
* The Integrated Digital Investigative Process (Carrier & Spafford, 2003) [https://web.archive.org/web/20181223073625/https://pdfs.semanticscholar.org/915b/524318e2f0689b586ba7ae89ea39e9b22ce3.pdf ]
* An Extended Model of Cybercrime Investigations (Ciardhuain, 2004)
* The Enhanced Digital Investigation Process Model (Baryamureeba & Tushabe, 2004)[https://www.dfrws.org/sites/default/files/session-files/pres-the_enhanced_digital_investigation_process_model.pdf ] {{Webarchive|url=https://web.archive.org/web/20180401144648/https://www.dfrws.org/sites/default/files/session-files/pres-the_enhanced_digital_investigation_process_model.pdf |date=2018-04-01 }}
* The Digital Crime Scene Analysis Model (Rogers, 2004)
* A Hierarchical, Objectives-Based Framework for the Digital Investigations Process (Beebe & Clark, 2004)
* Framework for a Digital Investigation (Kohn, et al., 2006)[http://mo.co.za/open/dfframe.pdf ]
* The Four Step Forensic Process (Kent, et al., 2006)
* FORZA - Digital forensics investigation framework (Ieong, 2006)[https://dfrws.org/sites/default/files/session-files/paper-forza_-_digital_forensics_investigation_framework_that_incorporate_legal_issues.pdf ] {{Webarchive|url=https://web.archive.org/web/20170808232356/https://www.dfrws.org/sites/default/files/session-files/paper-forza_-_digital_forensics_investigation_framework_that_incorporate_legal_issues.pdf |date=2017-08-08 }}
* Process Flows for Cyber Forensics Training and Operations (Venter, 2006)
* The Common Process Model (Freiling & Schwittay, 2007) [https://www.imf-conference.org/imf2007/2%20Freiling%20common_model.pdf ]
* The Two-Dimensional Evidence Reliability Amplification Process Model (Khatir, et al., 2008) [https://www.researchgate.net/publication/232619841_Two-Dimensional_Evidence_Reliability_Amplification_Process_Model_for_Digital_Forensics ]
* The Digital Forensic Investigations Framework (Selamat, et al., 2008)
* The Systematic Digital Forensic Investigation Model (SRDFIM) (Agarwal, et al., 2011) [https://www.researchgate.net/publication/228410430_Systematic_Digital_Forensic_Investigation_Model ]
* The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice (Adams, 2012) [http://researchrepository.murdoch.edu.au/id/eprint/14422/2/02Whole.pdf Research Portal]
 
==Seizure==
 
Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by [[Law enforcement agency|law enforcement]] personnel trained as technicians to ensure the preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the [http://www.duhaime.org/LegalDictionary/S/Seizure.aspx seizure] {{Webarchive|url=https://web.archive.org/web/20140821103731/http://www.duhaime.org/LegalDictionary/S/Seizure.aspx |date=2014-08-21 }} of material. In criminal matters, the law relating to [[search warrants]] is applicable. In civil proceedings, the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are preserved.
 
==Acquisition==
<ref name="first" >{{cite web|title=Electronic Crime Scene Investigation Guide: A Guide for First Responders|publisher=National Institute of Justice|year=2001|url=http://www.ncjrs.gov/pdffiles1/nij/187736.pdf}}</ref>
<ref name="casey">{{cite book|last=Casey|first=Eoghan|title=Digital Evidence and Computer Crime, Second Edition|year=2004|publisher=Elsevier|isbn=0-12-163104-4|url=https://books.google.com/books?id=Xo8GMt_AbQsC&q=Digital%20Evidence%20and%20Computer%20Crime,%20Second%20Edition}}</ref>
<ref name="carrier" >{{cite web|last=Carrier|first=B|title=Defining digital forensic examination and analysis tools|citeseerx = 10.1.1.14.8953|publisher=Digital Research Workshop II|year=2001 |url=https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.14.8953}}</ref>
<ref name="horenbeeck">{{cite web|title=Technology Crime Investigation|url=http://www.daemon.be/maarten/forensics.html|accessdate=17 August 2010|author=Maarten Van Horenbeeck|date=24 May 2006|url-status=dead|archiveurl=https://web.archive.org/web/20080517022757/http://www.daemon.be/maarten/forensics.html|archivedate=17 May 2008}}</ref>
<ref name="ijde-2002" >{{cite web|title=An examination of digital forensic models|citeseerx = 10.1.1.13.9683|publisher=International Journal of Digital Evidence|author1=M Reith |author2=C Carr |author3=G Gunsch |year=2002 |url=https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.13.9683}}</ref>
<ref name="rule702" >{{cite web|title=Federal Rules of Evidence #702|url=http://federalevidence.com/rules-of-evidence#Rule702|accessdate=23 August 2010|archive-url=https://web.archive.org/web/20100819114909/http://federalevidence.com/rules-of-evidence#Rule702|archive-date=19 August 2010|url-status=dead}}</ref>
<ref name="df-basics">{{cite web|last=Carrier|first=Brian D|title=Basic Digital Forensic Investigation Concepts|url=http://www.digital-evidence.org/di_basics.html|date=7 June 2006}}</ref>
 
==Further reading==
* {{cite journal|last=Carrier|first=Brian D.|title=Risks of live digital forensic analysis|journal=Communications of the ACM|date=February 2006|volume=49|issue=2|pages=56–61 |doi=10.1145/1113034.1113069|s2cid=16829457|url=http://portal.acm.org.libezproxy.open.ac.uk/citation.cfm?doid=1113034.1113069|accessdate=31 August 2010|issn=0001-0782|url-access=subscription}}
 
{{Digital forensics}}