Engineering Adaptive Digital Investigations using Forensic Requirements

A digital forensic investigation aims to collect and analyse the evidence necessary to demonstrate a potential hypothesis of a digital crime. Despite the availability of several digital forensics tools, investigators still approach each crime case from scratch, postulating potential hypotheses and analysing large volumes of data. This paper proposes to explicitly model forensic requirements in order to engineer software systems that are forensic-ready and guide the activities of a digital investigation. Forensic requirements relate some speculative hypotheses of a crime to the evidence that should be collected and analysed in a crime scene. In contrast to existing approaches, we propose to perform proactive activities to preserve important potentially ephemeral evidence, depending on the risk of a crime to take place. Once an investigation starts, the evidence collected proactively is analysed to assess if some of the speculative hypotheses of a crime hold and what further evidence is necessary to support them. For each hypothesis that is satisfied, a structured argument is generated to demonstrate how the evidence collected supports that hypothesis. Our evaluation results suggest that the approach provides correct investigative findings and reduces significantly the amount of evidence to be collected and the hypotheses to be analysed.