With the proliferation of digital-based evidence, the need for timely identification, analysis and interpretation of digital evidence is becoming more crucial. In many investigations, critical information is required while at the scene or within a short period of time, measured in hours as opposed to days. The traditional cyber forensics approach of seizing the system(s)/media, transporting them to the lab, making forensic image(s), and then searching the entire system for potential evidence is no longer appropriate in some circumstances. In cases such as child abductions, pedophiles, and missing or exploited persons, time is of the essence. In these types of cases, investigators dealing with the suspect or crime scene need investigative leads quickly; in some cases it is the difference between life and death for the victim(s). The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of taking the system(s)/media back to the lab for an in-depth examination or acquiring complete forensic image(s). The proposed model adheres to commonly held forensic principles and does not negate the ability, once the initial field triage is concluded, to transport the system(s)/storage media back to a lab environment for a more thorough examination and analysis. The CFFTPM has been successfully used in various real-world cases, and its investigative importance and pragmatic approach have been amply demonstrated. Furthermore, the evidence derived from these cases has not been challenged in the court proceedings where it has been introduced. This article describes the CFFTPM in detail and discusses the model’s forensic soundness, investigative support capabilities and practical considerations.
Rogers, Marcus K.; Goldman, James; Mislan, Rick; Wedge, Timothy; and Debrota, Steve. "Computer Forensics Field Triage Process Model," Journal of Digital Forensics, Security and Law: Vol. 1, Article 2. Available at: http://commons.erau.edu/jdfsl/vol1/iss2/2