If it was not labeled pre- and post- I would clearly lose track of my place. Once in the middle, if there was no reference, how would I know which step to take? After all, you can do 1. or 3. With the pre- and post- present, it is the perfect position to postulate the proper part of the process.
It is an interesting topic, probably worth looking into EDRM and incident response lifecycles as other models "used" in industry (certainly mentioned a lot in job postings)
All the models look very linear and process oriented to me. I would be interested to see an actual "investigation" model that includes new information being identified halfway through the case and changing the course of an investigation, or a model that illustrates a case scaling up to include other subjects/machines, or the process of feedback between parties involved in the case inside and outside of the digital forensic domain.
Please check the link below for a brief description of the models I posted earlier.
Interesting. But I don't see that they are comparable. 2.1 says, reasonably clearly, that the purpose is to produce scientifically and legally acceptable evidence – but it doesn't say anything about timeliness or cost efficiency. Others say nothing on these – at least not in this paper. 2.6 is somewhat interesting, as it goes deeper into how the analysis is structured, but leaves the main phases very much waterfall.
Models can be of many kinds – they can be prescriptive, saying 'this is how we should do things'. Or descriptive, saying 'this is how we actually do things'. But it's usually the way exceptions are handled that really decides how they work. Models can also be for establishing a terminology, so that people in different areas can talk to each other and know that they talk about the same thing. (The ISO OSI model was one of those – it didn't say how to build a network stack, only what terminology to use.) That is, without going back to the original papers it's difficult to know if we compare apples with apples or not. And that's clearly a large work.
However, I am also interested in knowing the process you follow in conducting a digital forensic investigation.
Whatever makes sense for that investigation. That is, it's the job that determines the model. There's a selection of methodology fairly early, and it can be revised at any time as requirements change.
And waterfall models are in general out. They may make sense in some aspects, but they seem to make no sense in others. 2.5 seems to be the only one in which 'Review' is mentioned, and where that block goes back into the general process. Perhaps the other models include it as a self-evident part of each of the blocks, and see no need to mention it. But unless that 'Review' is in there somewhere, I would not follow it.
3.8 is probably the one that comes closest, but it would need 'Review' to be part of each and every box, and the outcome of that review to decide where some of the outgoing lines from that box actually lead. That is, the model I do isn't really that static.
Static models serve some purpose, but I don't see where any of these models do their improvement work. Surely they must? If that is not part of the model, then … perhaps I'm not looking at the right models. (Exception handling, as already noted, is another important aspect.)
My general (and superficial) impression is that this paper looks like the kind of thing people did back in the 1970s when 'Software Engineering' was thought to be about fairly large development models in projects with unchanging agendas, and relative lack of concern about cost efficiency. Look at software development today – it's very much different. Rapid prototyping (short bursts of work, followed by reviews) was the last model I was actively involved with, but even that has been modified on, and seemingly occasionally also improved on.
But then, I'm not LE, which probably influences my point of view.
Perhaps it would be an idea to ask an archaeologist for a process for how to do a dig, and compare.
Possibly the base philosophy is different re timeliness roll
In archaeology it is usually considered best practice to not excavate a site if there is no strong reason to do so. As part of this thinking, it is most ideal if the evidence from the past can be left intact in place for future generations of archaeologists who will have better methods than we have now. But that option is not always possible or even desired. Sometimes sites are in the way of modern needs and archaeological research can recover at least some of the endangered site’s information before the site is destroyed. Other times, questions about the past can only be solved with new archaeological evidence and so researchers elect to excavate a site in order to deepen historical understanding.
Just imagine that you prefer to not analyze a cellphone or a PC so that a future generation of digital detectives (with better tools/methods) can have a go at it….. wink
jaclaz