Imagine the following experiment, a unique case is given to three digital forensic analysts and each is given the opportunity to engage the requester in order to develop the information needed to process the case. Based on the information gathered, each of the three analysts is asked to provide an estimate to complete the investigation and can proceed with up to 20 hours to process the case. The analysts are then measured based on the total findings, the time required to process the case, the initial information gathered, and the estimated time to process the case. The expected result is to be varied based on experience and individual characteristics, such as organization, discipline, and the attention to detail of each analyst. Imagine this same experiment but with only 8 hours to process the case, because that is the way it happens in real life.
David Smith and Samuel Petreski have developed a methodology that fits within the Analysis phase in one of the standard Digital Forensic Analysis Methodologies - PEIA (Preparation, Extraction, Identification, and Analysis), to provide a structure for consistent results, better development of the requested goals, increase efficiency in fulfilling the goals, and develop an improved estimate of the time required to complete the request.
This methodology involves the generation and validation of case goals, the evaluation of methods used to achieve the goals, a structure for estimating the effectiveness, time required, processing results of specific methods, and generalized organization and time management. The primary goal of this methodology is to address the structure and optimal path that would allow a digital forensic examiner to perform an examination with a high level of efficiency and consistent results.
This presentation provides an introduction to this methodology and applies its key concepts to real sanitized digital investigations, such as tracking down a suspected executive's adult craigslist ad, performing an analysis on a compromised system involving social security numbers, and making the determination of intellectual property theft.