Authors: Jan Gruber, Felix Freiling

DFRWS APAC 2024

Abstract

The quantity and complexity of digital evidence pose significant challenges for solving both computer-enabled and core cybercrime cases. The very nature of digital systems renders traditional procedures of evidence collection and examination, such as a meticulous and systematic analysis of each and every potential trace, infeasible. To address this issue, we apply a model-based view to the cybercriminalistic task, which is comprised of the search for case-relevant hypotheses and the consequent identification of relevant traces to assess those previously identified hypotheses. To this end, we propose the Cyber-traceological Model helping to translate investigative questions to “relevant digital evidence” with which investigative hypotheses can be assessed. In the best case, we can use the Cyber-traceological Model to directly “compute” relevant digital evidence if a complete formal model of the system under investigation is already available. But even if such a model is not at hand, the Cyber-traceological Model can guide the search for relevant evidence in submodels, as we show in an example case of distributing prohibited multimedia data. Furthermore, we discuss the potential of model-based approaches in the field of forensic science in general, point out important research directions for shaping the emerging research discipline of cybercriminalistics, and ground it in formal methods.
