Article ID: 458068
Journal: Digital Investigation
Published Year: 2013
Pages: 10 Pages
File Type: PDF

Abstract

The number of forensic examinations being performed by digital forensic laboratories is rising, and the amount of data received for each examination is increasing significantly. At the same time, because forensic investigations are results oriented, the demand for timely results has remained steady, and in some instances has increased. In order to keep up with these growing demands, digital forensic laboratories are being compelled to rethink the overall forensic process. This work dismantles the barriers between steps in prior digital investigation process models and concentrates on supporting key decision points. In addition to increasing the efficiency of forensic processes, one of the primary goals of these efforts is to enhance the comprehensiveness and investigative usefulness of forensic results. The purpose of honing digital forensic processes is to empower forensic examiners to focus on the unique and interesting aspects of their work, allowing them to spend more time addressing the probative questions in an investigation, enabling them to be decision makers rather than tool runners, and ultimately increasing the quality of service to customers. This paper describes a method of evaluating the complete forensic process performed by examiners, and of applying this approach to developing tools that recognize the interconnectivity of examiner tasks across a digital forensic laboratory. Illustrative examples are provided to demonstrate how this approach can be used to increase the overall efficiency and effectiveness of forensic examination of file systems, malware, and network traffic.
