Abstract

Performing a technically and legally sound digital forensic investigation leads to digital evidence that can be used in courts of law. However, there is no single model of a standardized procedure that investigators should abide by. This paper presents a knowledge-based system that formally specifies information about investigative procedures in accordance with standards and guidelines such as ISO/IEC 27037, ISO/IEC 27041, ISO/IEC 27042, ISO/IEC 27043, NIST's Guide to Integrating Forensic Techniques into Incident Response and Interpol's Guidelines for Digital Forensics First Responders. The knowledge base is expressed in a description logic and represents an ontological model. The model unifies concepts from the different standards and guidelines, thus enabling the system to aid investigators in executing investigative procedures that will result in admissible digital evidence. The paper uses network forensics as a case study, but the model can be customized to other digital forensics domains.
