The digital forensics process:
Today, we’ll go through the whole chain (really a spiral model). But first: “Why do we need one?”
Why do we need a process? To ensure we do the right things, and that we do them right, every time. Basically, for quality control purposes.
But for the process to be good we have to invest time and effort, which means we have to be able to reuse it, and it has to be applicable to many different scenarios (from fraud / espionage investigations to computer intrusion).
→ has to be general:
works for everything (means that it can’t be too specific, it’s an abstraction)
for particular cases you need more details than this process can provide.
a general process can’t work for all types of cases, obviously.
What requirements are there on the process itself?
It needs to be forensically sound: maximise the probability of finding the strongest evidence with the resources (time, tools, manpower) available.
Two main features:
The process must: