In any forensic investigation, planning and analysis activities are required in order to determine what digital media will be seized, what types of information will be sought in the examination, and how the examination will be conducted. Existing literature and suggested practices indicate that such planning should occur, but few tools provide support for such activities. Planning an examination may be an essential activity when investigators and technicians are faced with unfamiliar case types or unusually complex, large-scale cases. This paper presents the results of an empirical study that evaluates two planning methods for computer forensics examination: a methodology that includes domain modeling and a more typical, ad hoc planning approach. This paper briefly describes the case domain modeling and planning methodology, describes the empirical study, and presents preliminary results of and conclusions drawn from the empirical study.
Alfred C. Bogen, David A. Dampier, Jeffrey C. Carv