Computer Forensics Field Triage Process Model
Marcus K. Rogers
Computer and Information Technology Department
Purdue University
rogersmk@purdue.edu
James Goldman
Computer and Information Technology Department
Purdue University
Rick Mislan
Computer and Information Technology Department
Purdue University
Timothy Wedge
National White Collar Crime Center
Steve Debrota
U.S. Attorney’s Office – Southern Indiana
ABSTRACT
With the proliferation of digital-based evidence, the need for the timely identification, analysis and interpretation of digital evidence is becoming more crucial. In many investigations critical information is required while at the scene or within a short period of time, measured in hours as opposed to days. The traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a forensic image(s), and then searching the entire system for potential evidence is no longer appropriate in some circumstances. In cases such as child abductions, child sexual exploitation, and missing or exploited persons, time is of the essence. In these types of cases, investigators dealing with the suspect or crime scene need investigative leads quickly; in some cases it is the difference between life and death for the victim(s). The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of taking the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s). The proposed model adheres to commonly held forensic principles, and does not preclude transporting the system(s)/storage media back to a lab environment for a more thorough examination and analysis once the initial field triage is concluded. The CFFTPM has been successfully used in various real-world cases, and its investigative importance and pragmatic approach have been amply demonstrated. Furthermore, the evidence derived from these cases has not been challenged in the court proceedings where it has been introduced. The current article describes the CFFTPM in detail, and discusses the model's forensic soundness, investigative support capabilities and practical considerations.
Keywords: Computer forensics, process model, triage, computer crime, cyber crime, digital evidence