Categories of Digital Investigation Analysis Techniques Based on the Computer History Model
Author
Brian D. Carrier, Eugene H. Spafford
Tech report number
CERIAS TR 2006-57
Entry type
article
Abstract
Several digital forensic frameworks have been proposed, yet no conclusions have been reached about which are more appropriate. This is partly because each framework may work well for different types of investigations, but it hasn’t been shown if any are sufficient for all types of investigations. To address this problem, this work uses a model based on the history of a computer to define categories and classes of analysis techniques. The model is lower-level than existing frameworks, and the categories and classes of analysis techniques that are defined support the existing higher-level frameworks. Therefore, they can be used to more clearly compare the frameworks. Proofs can be given to show the completeness of the analysis techniques, and therefore the completeness of the frameworks can also be addressed.
Date
2006-08
Journal
Digital Investigations
Key alpha
Carrier
Pages
121-130
Publisher
Elsevier
Volume
V.3(S)
Affiliation
CERIAS
Publication Date
2006-08-01
Contents
1. Introduction
2.1 Primitive computer history model
2.2 Complex computer history model
3.1 General investigation process
3.2 History Duration
3.3 Primitive storage system configuration
3.4 Primitive event system configuration
3.5 Primitive state and event definition
3.6 Complex storage system configuration
3.7 Complex event system configuration
3.8 Complex state and event definition
Keywords
Digital Investigation Analysis Techniques, Computer History Model
Language
English
Subject
Categories of Digital Investigation Analysis Techniques Based on the Computer History Model

