m Reverted edits by 14.140.125.38 (talk) to last version by Tom.Reding
There have been many attempts to develop a process model, but so far none has been universally accepted. Part of the reason may be that many of the process models were designed for a specific environment, such as law enforcement, and therefore could not be readily applied in other environments such as incident response.<ref name="adams" /> The main models since 2001, in chronological order, are:<ref name="adams" />
* The Abstract Digital Forensic Model (Reith, et al., 2002)
* The Integrated Digital Investigative Process (Carrier & Spafford, 2003)
* An Extended Model of Cybercrime Investigations (Ciardhuain, 2004)
* The Enhanced Digital Investigation Process Model (Baryamureeba & Tushabe, 2004)
* The Digital Crime Scene Analysis Model (Rogers, 2004)
* A Hierarchical, Objectives-Based Framework for the Digital Investigations Process (Beebe & Clark, 2004)
* Framework for a Digital Investigation (Kohn, et al., 2006)
* The Four Step Forensic Process (Kent, et al., 2006)
* FORZA - Digital forensics investigation framework (Ieong, 2006)
* Process Flows for Cyber Forensics Training and Operations (Venter, 2006)
* The Common Process Model (Freiling & Schwittay, 2007)
* The Two-Dimensional Evidence Reliability Amplification Process Model (Khatir, et al., 2008)
* The Digital Forensic Investigations Framework (Selamat, et al., 2008)
* The Systematic Digital Forensic Investigation Model (SRDFIM) (Agarwal, et al., 2011)
==Seizure==
==Analysis==
After acquisition, the contents of the (HDD) image files are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering (to hide data).<ref name="carrier" /> In 2002 the ''International Journal of Digital Evidence'' referred to this stage as "an in-depth systematic search of evidence related to the suspected crime".<ref name="ijde-2002" /> By contrast, Brian Carrier in 2006 describes a more "intuitive procedure" in which obvious evidence is first identified, after which "exhaustive searches are conducted to start filling in the holes".<ref name="df-basics"/>
During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with recovery of deleted material. Examiners use specialist tools (EnCase, ILOOKIX, FTK, etc.) to aid with viewing and recovering data. The type of data recovered varies depending on the investigation, but examples include email, chat logs, images, internet history or documents. The data can be recovered from accessible disk space, deleted (unallocated) space or from within operating system cache files.<ref name="casey" />
Various types of techniques are used to recover evidence, usually involving some form of keyword searching within the acquired image file, either to identify matches to relevant phrases or to parse out known file types. Certain files (such as graphic images) have a specific set of bytes which identify the start and end of a file; if these are identified, a deleted file can be reconstructed.<ref name="casey" /> Many forensic tools use [[Cryptographic hash function|hash signatures]] to identify notable files or to exclude known (benign) ones; acquired data is hashed and compared to pre-compiled lists such as the ''Reference Data Set'' (RDS) from the [[National Software Reference Library]].<ref name="horenbeeck" />
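The signature-based carving and hash-comparison techniques described above, as an added example that is not from the article or any of the tools it names: a minimal Python carver that scans a raw image for the JPEG start (FF D8 FF) and end (FF D9) markers, reconstructs each file from unallocated space without filesystem metadata, then hashes it against a known-benign set standing in for an RDS-style list. The disk image and the known set are constructed here for the example.

```python
import hashlib

# Header/footer byte signatures of the kind the text describes.
# JPEG: SOI marker FF D8 FF at the start, EOI marker FF D9 at the end.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Scan a raw image for header/footer pairs; return (offset, ext, data).

    No filesystem structures are consulted, so files in deleted
    (unallocated) space are found purely by their byte signatures.
    """
    carved = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            # Look for the footer within a bounded window after the header.
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)   # no footer: skip this header
                continue
            end += len(footer)
            carved.append((pos, ext, image[pos:end]))
            pos = image.find(header, end)          # resume after this file
    return carved

def triage(carved, known_hashes: set) -> list:
    """Hash each carved file and flag whether it is in the known (benign) set."""
    out = []
    for offset, ext, data in carved:
        digest = hashlib.sha256(data).hexdigest()
        out.append({"offset": offset, "ext": ext, "sha256": digest,
                    "known": digest in known_hashes})
    return out

# Constructed sample image: two tiny "JPEGs" separated by zeroed space.
GOOD = b"\xff\xd8\xff\xe0" + b"benign-picture" + b"\xff\xd9"
SUSPECT = b"\xff\xd8\xff\xe1" + b"unknown-picture" + b"\xff\xd9"
IMAGE = b"\x00" * 64 + GOOD + b"\x00" * 128 + SUSPECT + b"\x00" * 32

# Constructed known-file set standing in for an RDS-style hash list.
KNOWN = {hashlib.sha256(GOOD).hexdigest()}

if __name__ == "__main__":
    for entry in triage(carve(IMAGE), KNOWN):
        print(entry)
```

Files whose hash is in the known set can be excluded from review; the remaining ones are the candidates an examiner would inspect.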
On most media types including standard magnetic hard disks, once data has been [[Secure file deletion|securely deleted]] it can never be recovered.<ref>{{cite web
|