Categories of Digital Investigation Analysis Techniques Based on the Computer History Model
Author
Brian D. Carrier, Eugene H. Spafford
Tech report number
CERIAS TR 2006-57
Abstract
Several digital forensic frameworks have been proposed, yet no conclusions have been reached about which are more appropriate. This is partly because each framework may work well for different types of investigations, but it hasn’t been shown if any are sufficient for all types of investigations. To address this problem, this work uses a model based on the history of a computer to define categories and classes of analysis techniques. The model is lower-level than existing frameworks, and the categories and classes of analysis techniques that are defined support the existing higher-level frameworks. Therefore, they can be used to more clearly compare the frameworks. Proofs can be given to show the completeness of the analysis techniques, and therefore the completeness of the frameworks can also be addressed.
Journal
Digital Investigations
Publication Date
2006-08-01
Contents
1. Introduction
2.1 Primitive computer history model
2.2 Complex computer history model
3.1 General investigation process
3.2 History Duration
3.3 Primitive storage system configuration
3.4 Primitive event system configuration
3.5 Primitive state and event definition
3.6 Complex storage system configuration
3.7 Complex event system configuration
3.8 Complex state and event definition
Keywords
Digital Investigation Analysis Techniques, Computer History Model
Subject
Categories of Digital Investigation Analysis Techniques Based on the Computer History Model