NCJ Number
207714
Journal
Journal of Forensic Sciences Volume: 49 Issue: 6 Dated: November 2004 Pages: 1291-1298
Date Published
November 2004
Length
8 pages
Annotation
This paper describes a procedure that can be used to reconstruct the events that produced a "digital crime scene" (a computer being investigated in association with a crime).
Abstract
The ultimate goal of most digital investigations is to identify the person or persons responsible for a crime, so the digital investigation must be linked to a physical investigation. When a computer is found at the crime scene, the digital investigation begins, using the same five major phases as physical crime scene investigation, i.e., the preservation phase, the survey phase, the documentation phase, the search phase, and the reconstruction phase. In digital crime scene investigation, the preservation phase reduces the amount of data that is overwritten on the system; a common procedure in this phase is to duplicate the data on the system and conduct the investigation in a special environment that does not modify the copy. The survey phase examines the obvious locations for evidence and develops a strategy for how to search the system for additional evidence. The system is then documented, and a full search is done. Most computer forensic tools help the investigator perform the survey, documentation, and search phases. The final phase, reconstruction, examines the evidence to identify what events may have occurred in the system. This is the phase in which the hypotheses about the incident will be formally developed and tested. The body of this paper focuses on the reconstruction process. The five event-reconstruction phases of the digital crime scene model are described. They involve evidence examination, role classification, event construction and testing, event sequencing, and hypothesis testing. The proposed model not only assists in performing the reconstruction task but also helps in developing tools to automate this process. 3 figures and 16 references.