Unboxing the digital forensic investigation process.

As digital forensics continues to play an important role in criminal investigations, its investigative work must be underpinned with well-defined and robust methodologies. Over the last 20 years, a substantial body of research has been produced to define and codify the digital forensic investigation process and the stages/sub-processes involved. Whilst current digital forensic investigation process models provide a solid foundation, it is argued that existing attempts often only focus on those physical tasks, which a practitioner must carry out at any given stage of an examination, omitting to identify those core thought processes, decisions and behaviours that form part of effective investigative practices. This work presents the Digital Forensic Workflow Model (DFWM), a novel approach to the structuring and definition of the procedures and tasks involved in the digital forensic investigation process starting from the initial 'Review of Client Requirements & Planning' stage, right through to the 'Evaluation of Deployed Workflow' stage. The DFWM contributes to the digital forensic management toolbox, where it enables the identification and management of risk and supports error mitigation at each stage of the workflow. The paper demonstrates how the DFWM functions as a framework for unboxing the digital forensic investigation process based on the investigative strategy of the particular case, providing a detailed structure and depiction of the physical and investigative tasks and decisions. From a research perspective, DFWM is a descriptive starting point, and future empirical studies may expand and provide further detail to the various physical and cognitive tasks and associated risks during the DF workflow.