An Event-Based Digital Forensic Investigation Framework∗
Brian D. Carrier (carrier@cerias.purdue.edu)
Eugene H. Spafford (spaf@cerias.purdue.edu)
Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, West Lafayette, IN 47907 USA
Abstract

In this paper, we present a framework for digital forensics that includes an investigation process model based on physical crime scene procedures. In this model, each digital device is considered a digital crime scene, which is included in the physical crime scene where it is located. The investigation includes the preservation of the system, the search for digital evidence, and the reconstruction of digital events. The focus of the investigation is on the reconstruction of events using evidence so that hypotheses can be developed and tested. This paper also includes definitions and descriptions of the basic and core concepts that the framework uses.
1 Introduction
Since the first Digital Forensic Research Workshop (DFRWS) in 2001 [Pal01], the need for a standard framework has been understood, yet there has been little progress on one that is generally accepted. A framework for digital forensics needs to be flexible enough so that it can support future technologies and different types of incidents. Therefore, it needs to be simple and abstract. On the other hand, if it is too simple and abstract then it is difficult to create tool requirements and test procedures for each phase. For this paper, we have examined the concept of an investigation to determine what is required. The result is an event-based framework that can be used to develop hypotheses and answer questions about an incident or crime. Hypotheses are developed by collecting objects that may have played a role in an event that was related to the incident. Once the objects are collected as evidence, the investigator can