ABSTRACT

In the last chapter, we introduced a high level set of tasks to perform as part of the end-to-end process of forensic digital analysis. Those steps were:

• Collecting evidence
• Analysis of individual events
• Preliminary correlation
• Event normalizing
• Event deconfliction
• Second level correlation (consider both normalized and non-normalized events)
• Timeline analysis
• Chain of evidence construction
• Corroboration (consider only non-normalized events)

If we look at the process in more detail, however, we find that there really is a lot more to it. In support of the above, we need to:

• Identify and isolate the victim
• Identify the vector by which the victim was attacked
• Backtrace to the attacker
• Identify and isolate intermediate devices along the path between attacker and victim
• Identify and isolate the attacker
• Collect evidence from all involved devices
• Correlate evidence along the path from attacker to victim, including intermediate devices
• Create an event timeline
• Corroborate each and every element of evidence in the event timeline
• Consider exculpatory evidence, possible alternative explanations, etc.
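The following is an added example, not from the chapter, that works through several of the steps above in code: normalizing events from three devices with different log formats (a firewall, an SSH jump host and a web server) into one schema, deconflicting exact duplicates, building a timeline, correlating hop by hop along the path from attacker to victim, and then corroborating each hop against the original non-normalized lines. The host names, IP addresses and log lines are all constructed sample data, the year assumed for syslog timestamps is an assumption, and the function names are the example's own.

```python
"""Added example (not the chapter's code): normalize, deconflict, timeline,
correlate and corroborate events along an attacker -> victim path.
All hosts, addresses and log lines below are constructed sample data."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed topology: attacker 203.0.113.7 -> fw01 -> jump01 -> web01 (the victim).
HOST_IPS = {"fw01": "192.0.2.1", "jump01": "10.0.0.5", "web01": "10.0.0.20"}
IP_TO_HOST = {ip: host for host, ip in HOST_IPS.items()}
YEAR = 2024  # assumption: syslog lines carry no year; sample data is from March 2024 (UTC)

# Constructed raw events as (recording device, original line).
RAW_EVENTS = [
    ("fw01", "Mar  1 10:00:05 fw01 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22"),
    ("fw01", "Mar  1 10:00:05 fw01 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22"),  # same line received by a second collector
    ("jump01", "Mar  1 10:00:09 jump01 sshd[412]: Accepted password for ops from 203.0.113.7 port 51022 ssh2"),
    ("web01", '10.0.0.5 - - [01/Mar/2024:10:02:11 +0000] "GET /admin/config HTTP/1.1" 200 5120'),
    ("jump01", "Mar  1 09:15:00 jump01 sshd[390]: Failed password for root from 198.51.100.9 port 40010 ssh2"),  # unrelated noise
]


@dataclass(frozen=True)
class Event:
    """Normalized event. 'raw' keeps the original line for corroboration."""
    ts: datetime   # normalized to UTC
    host: str      # device that recorded the event
    src_ip: str
    dst_ip: str
    action: str
    raw: str


FW_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]{8}) (?P<host>\S+) kernel: "
                   r"(?P<act>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+)")
SSH_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
                    r"(?P<act>Accepted|Failed) \w+ for \S+ from (?P<src>\S+)")
WEB_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<act>\w+ \S+) [^"]*" (?P<status>\d{3})')


def _syslog_ts(mon, day, time):
    return datetime.strptime(f"{YEAR} {mon} {day} {time}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def normalize(host, line, host_ip):
    """Event normalizing: parse one raw line from a known device into an Event (None if unrecognized)."""
    if m := FW_RE.match(line):
        return Event(_syslog_ts(m["mon"], m["day"], m["time"]), m["host"], m["src"], m["dst"], m["act"], line)
    if m := SSH_RE.match(line):
        return Event(_syslog_ts(m["mon"], m["day"], m["time"]), m["host"], m["src"], host_ip,
                     f"ssh-{m['act'].lower()}", line)
    if m := WEB_RE.match(line):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return Event(ts, host, m["src"], host_ip, f"http-{m['act']}", line)
    return None


def build_timeline(raw_events):
    """Normalize, deconflict exact duplicates (Event is hashable), and order by time."""
    seen, events = set(), []
    for host, line in raw_events:
        ev = normalize(host, line, HOST_IPS[host])
        if ev is None or ev in seen:
            continue
        seen.add(ev)
        events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def trace_path(timeline, attacker_ip, window=timedelta(minutes=5)):
    """Second-level correlation: follow the attacker hop by hop. Each hop pivots to the
    destination host and looks for successful activity it originated within the window."""
    path, cur_ip, cur_ts = [attacker_ip], attacker_ip, None
    while True:
        candidates = [e for e in timeline
                      if e.src_ip == cur_ip and e.dst_ip in IP_TO_HOST and e.dst_ip not in path
                      and e.action.startswith(("ACCEPT", "ssh-accepted", "http"))
                      and (cur_ts is None or timedelta(0) <= e.ts - cur_ts <= window)]
        if not candidates:
            return path
        hop = min(candidates, key=lambda e: e.ts)
        path.append(hop.dst_ip)
        cur_ip, cur_ts = hop.dst_ip, hop.ts


def corroborate(timeline, path):
    """Chain of evidence: for each hop, the original (non-normalized) lines from every
    device that recorded it, plus how many independent devices witnessed the hop."""
    report = []
    for src, dst in zip(path, path[1:]):
        witnesses = [e for e in timeline if e.src_ip == src and e.dst_ip == dst]
        report.append((src, dst, len({e.host for e in witnesses}), [e.raw for e in witnesses]))
    return report


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    path = trace_path(tl, "203.0.113.7")
    print("path:", " -> ".join(path))
    for src, dst, n_devices, raws in corroborate(tl, path):
        print(f"{src} -> {dst}: witnessed by {n_devices} device(s)")
        for r in raws:
            print("   ", r)
```

In the sample data the first hop (attacker to jump host) is independently recorded by both the firewall and the jump host's sshd, while the second hop (jump host to web server) rests on a single device's log; the corroboration report makes that weakness visible so the analyst knows which element of the timeline still needs a second source before it can carry evidentiary weight.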