Erin Kenneally (Department of Homeland Security)
Christopher Brown


Over the past decade or so, well-understood procedures and methodologies have evolved within computer forensics digital evidence collection that emphasized disk imaging procedures. In their paper Risk Sensitive Digital Evidence Collection [3], the authors posit that the current methodology which focuses on collecting entire bit-stream images of original evidence disk could increase legal and financial risks. The authors go on to state that the rapidly increasing and changing volume of data within corporate network information systems and personal computers is driving the need to revisit current evidence collection methodologies. No assertion is made in the foundation paper that current methodologies are no longer valid; moreover it is presented that in some situations selective evidence extraction could be accomplished while still ensuring reliability, completeness, accuracy, and verifiability of computer disk evidence. Risk Sensitive Digital Evidence Collection was presented in three sections with the first section framing the debate and change drivers for a risk-sensitive approach to digital evidence collection. Section 2 outlined the current methods of evidence collection along with a cost-benefit analysis. Section 3 described the methodology components of the risk-sensitive approach to collection, and then concludes with a legal and resource risk assessment of this approach. This paper will revisit the original abstract methodology framework proposal highlighting the work to be done for successful evaluation and peer review.