Engineering Adaptive Digital Investigations using Forensics Requirements
The paper addresses the problem of time-consuming, manual, case-by-case work for digital forensic investigators; the contribution is incremental in that it builds on existing forensic tools and methods rather than replacing them.
It tackles this inefficiency by modelling forensic requirements so that software systems can be engineered to be forensic-ready, and reports a significant reduction in the evidence that must be collected and the hypotheses that must be analysed during an investigation.
A digital forensic investigation aims to collect and analyse the evidence necessary to demonstrate a potential hypothesis of a digital crime. Despite the availability of several digital forensics tools, investigators still approach each crime case from scratch, postulating potential hypotheses and analysing large volumes of data. This paper proposes to explicitly model forensic requirements in order to engineer software systems that are forensic-ready and to guide the activities of a digital investigation. Forensic requirements relate speculative hypotheses of a crime to the evidence that should be collected and analysed at the crime scene. In contrast to existing approaches, we propose to perform proactive activities that preserve important, potentially ephemeral, evidence, depending on the risk that a crime will take place. Once an investigation starts, the evidence collected proactively is analysed to assess whether some of the speculative hypotheses of a crime hold and what further evidence is necessary to support them. For each hypothesis that is satisfied, a structured argument is generated to demonstrate how the collected evidence supports that hypothesis. Our evaluation results suggest that the approach provides correct investigative findings and significantly reduces both the amount of evidence to be collected and the number of hypotheses to be analysed.
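The abstract describes three moving parts: forensic requirements that tie a hypothesis to the evidence supporting it, risk-driven proactive preservation of ephemeral evidence, and assessment of hypotheses (with a structured argument for each one that holds) once an investigation begins. The following toy model, added here as an illustration and not the paper's own implementation, shows how those parts fit together on constructed data. The evidence catalogue, the hypotheses H1 to H3, the risk thresholds and the risk estimates are all assumptions chosen for the example; the paper's actual requirement language, risk model and argument format are not reproduced here.

```python
"""Toy model of forensic requirements (added illustration, not the paper's code):
hypotheses linked to supporting evidence, risk-driven proactive preservation of
ephemeral evidence, and hypothesis assessment once an investigation starts.
All names, thresholds and risk values below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class EvidenceSource:
    name: str
    ephemeral: bool  # True if it expires or is overwritten unless preserved early


@dataclass(frozen=True)
class ForensicRequirement:
    hypothesis_id: str
    description: str
    required_evidence: frozenset  # evidence source names that must all be present
    risk_threshold: float         # preserve proactively at or above this crime risk


# Constructed catalogue of evidence sources (assumption, not from the paper).
CATALOGUE: Dict[str, EvidenceSource] = {
    s.name: s for s in [
        EvidenceSource("auth_log", ephemeral=False),
        EvidenceSource("netflow_records", ephemeral=True),   # short retention
        EvidenceSource("volatile_memory", ephemeral=True),   # lost on reboot
        EvidenceSource("disk_image", ephemeral=False),
        EvidenceSource("dns_cache", ephemeral=True),
    ]
}

# Constructed forensic requirements (hypothesis -> evidence), an assumption.
REQUIREMENTS: List[ForensicRequirement] = [
    ForensicRequirement("H1", "credential stuffing against the login service",
                        frozenset({"auth_log", "netflow_records"}), 0.5),
    ForensicRequirement("H2", "memory-resident malware on the host",
                        frozenset({"volatile_memory", "disk_image"}), 0.7),
    ForensicRequirement("H3", "DNS tunnelling used for exfiltration",
                        frozenset({"dns_cache", "netflow_records"}), 0.6),
]


def plan_proactive_preservation(reqs, catalogue, risk) -> Set[str]:
    """Ephemeral evidence to preserve now: only items supporting a hypothesis
    whose estimated crime risk meets its threshold. Durable evidence can wait."""
    keep: Set[str] = set()
    for r in reqs:
        if risk.get(r.hypothesis_id, 0.0) >= r.risk_threshold:
            keep |= {e for e in r.required_evidence if catalogue[e].ephemeral}
    return keep


def assess_hypotheses(reqs, catalogue, collected) -> Dict[str, dict]:
    """Once the investigation starts, classify each hypothesis:
    'satisfied'      - all required evidence is in hand
    'needs_evidence' - missing items are durable and can still be collected
    'unprovable'     - a missing item was ephemeral and was never preserved,
                       so the hypothesis can be dropped from further analysis"""
    out: Dict[str, dict] = {}
    for r in reqs:
        missing = set(r.required_evidence) - set(collected)
        lost = {e for e in missing if catalogue[e].ephemeral}
        if not missing:
            status = "satisfied"
        elif lost:
            status = "unprovable"
        else:
            status = "needs_evidence"
        out[r.hypothesis_id] = {"status": status, "missing": missing, "lost": lost}
    return out


def build_argument(req, collected) -> Dict[str, object]:
    """Structured argument for a satisfied hypothesis: the claim plus one
    grounds entry per evidence item that supports it."""
    if not req.required_evidence <= set(collected):
        raise ValueError(f"{req.hypothesis_id} is not supported by the collected evidence")
    return {
        "claim": req.description,
        "grounds": sorted(f"{e} collected and matches requirement {req.hypothesis_id}"
                          for e in req.required_evidence),
    }


def run_example():
    # Constructed risk estimates per hypothesis (assumption).
    risk = {"H1": 0.8, "H2": 0.4, "H3": 0.65}
    preserved = plan_proactive_preservation(REQUIREMENTS, CATALOGUE, risk)
    # At investigation time, durable evidence is gathered on demand; ephemeral
    # items are available only if they were preserved proactively.
    collected = preserved | {"auth_log", "disk_image"}
    assessment = assess_hypotheses(REQUIREMENTS, CATALOGUE, collected)
    arguments = {r.hypothesis_id: build_argument(r, collected)
                 for r in REQUIREMENTS
                 if assessment[r.hypothesis_id]["status"] == "satisfied"}
    return preserved, assessment, arguments


if __name__ == "__main__":
    preserved, assessment, arguments = run_example()
    print("preserved proactively:", sorted(preserved))
    for hid, a in assessment.items():
        print(hid, a["status"], "missing:", sorted(a["missing"]))
    for hid, arg in arguments.items():
        print(hid, arg)
```

In this constructed run only two of the three ephemeral sources are preserved (those backing hypotheses whose risk met the threshold), and H2 is dropped at investigation time because its volatile memory evidence was never captured, which is the effect the abstract describes: less evidence collected and fewer hypotheses analysed. A real system would replace the static risk estimates with live risk signals and the flat evidence names with concrete artefacts and their acquisition procedures.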