Brian Carrier (Honorary Board Member) , Ph.D. (Basis Technology)


   The high-level process of digital forensics includes the acquisition of data from a source, analysis of the data and extraction of evidence, and preservation and presentation of the evidence. Previous work has been dnoe on the theory and requirements of acquisition [5] and the presevation of evidence. This paper addresses the theory and requirements of analysis and extracction of evidence from the acquired data. 

   This paper examines the nature of tools in digital forensics and purposes definitions and requirements. Current digital rforensic tools produce results that have been suddessfully used in prosecutions, but lack designs that were created with forensic science needs. They provide the investigator with access to evidence, but typically do not provide access to methods for verifying that they are performing correctly. This is ncecessary when approaching digital forensics from a cientific point of view.

   This paper addresses the layers of abstractions that exist in all igital data and the tools used to analyze them. The idea of using tools for layers of abstration is not new, but a discussion of the definitions, properties,a nd error typies of abstartion layers twhen used with digital fornesics has not occurred. The concepts proposed here are applicable to any digital forensic analysis type, including those proposed by Baker in [6]:

  • Media Analysis
  • Code Analysis
  • Network Analysis

   This paper begins with definitionsregarding digital fornesic anlalysis tools, followed by sdiscussions of abstraction layers. The abstraction layer properties are used to promote requirements for digital forensics analysis tools and finally an example of how the FAT file wystem uses abstraction layers is given.