Computer forensics in forensis
ACM SIGOPS Operating Systems Review
Weaving ontologies to support digital forensic analysis
ISI'09 Proceedings of the 2009 IEEE international conference on Intelligence and security informatics
Making sense of unstructured flash-memory dumps
Proceedings of the 2010 ACM Symposium on Applied Computing
Extending digital repository architectures to support disk image preservation and access
Proceedings of the 11th annual international ACM/IEEE joint conference on Digital libraries
Categories of digital investigation analysis techniques based on the computer history model
Digital Investigation: The International Journal of Digital Forensics & Incident Response
This work formally defines a digital forensic investigation and categories of analysis techniques. The definitions are based on an extended finite state machine (FSM) model that was designed to include support for removable devices and complex states and events. The model is used to define the concept of a computer's history, which contains the primitive and complex states and events that existed and occurred. The goal of a digital investigation is to make valid inferences about a computer's history.

Unlike the physical world, where an investigator can directly observe objects, the digital world involves many indirect observations. The investigator cannot directly observe the state of a hard disk sector or bytes in memory; he can only directly observe the state of output devices. Therefore, all statements about digital states and events are hypotheses that must be tested to some degree.

Using the dynamic FSM model, seven categories and 31 unique classes of digital investigation analysis techniques are defined. The techniques in each category can be used to test and formulate different types of hypotheses, and completeness is shown. The classes are defined based on the model design and current practice.

Using the categories of analysis techniques and the history model, the process models that investigators use are formally compared. Until now, it was not clear how the phases in the models were different. The model is also used to identify where assumptions are made during an investigation and to show differences between the concepts of digital forensics and the more traditional forensic disciplines.