Results 1 - 5 of 5
Building Theoretical Underpinnings for Digital Forensics Research
Cited by 2 (0 self)
In order for technical research in digital forensics to progress a cohesive set of electronic forensics characteristics must be specified. To date, although the need for such a framework has been expressed, with a few exceptions, clear unifying characteristics have not been well laid out. We begin the process of formulating a framework for digital forensics research by identifying fundamental properties and abstractions.
Using self-organising maps for anomalous behaviour detection in a computer forensic investigation
- Proceedings of the Fifth Annual Information Security South Africa Conference
Cited by 1 (1 self)
The dramatic increase in crime relating to the Internet and computers has caused a growing need for computer forensics. Computer forensic tools have been developed to assist computer forensic investigators in conducting a proper investigation into digital crimes. In general, the bulk of the computer forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art computer forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet (such as employees accessing Web sites that promote pornography and other illegal activities) have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce human processing time and/or reduce the monetary costs involved in gathering evidence.
Pre-Forensic Setup Automation for Windows 2000
, 2002
This work presents a framework for automation of administrative tasks and deployment of protection mechanisms to facilitate a future forensic analysis. The main goal is to disclose and supply measures for a fast configuration of Microsoft Windows 2000 networks, when deploying incident response procedures.
Show Me How You See: Lessons from Studying Computer Forensics Experts for Visualization
Abstract. As the first part of an Analyze-Visualize-Validate cycle, we have initiated a domain analysis of email computer forensics to determine where visualization may be beneficial. To this end, we worked with police detectives and other forensics professionals. However, the process of designing and executing such a study with real-world experts has been a non-trivial task. This paper presents our efforts in this area and the lessons learned as guidance for other practitioners.
XIRAF: An XML-IR Approach to . . .
, 2005
This Master’s thesis addresses problems in current digital forensic investigations. It proposes the XIRAF system as a novel approach towards the integration of existing forensic analysis tools using XML technology. The concept of integrating these tools can be compared to the concept of concurrent XML hierarchies. The representation of concurrent XML has been widely studied, but concurrent XML hierarchies cause a variety of unsolved problems when such data has to be queried. Querying concurrent XML hierarchies has, however, many practical applications, including digital forensics, question answering, and multimedia retrieval. This thesis introduces Burkowski axis steps in XPath as a viable solution for the digital forensics application area. The steps can be used in stand-off XML annotation in which the content is separated from the annotations. This approach has many advantages over inline annotation, especially in the field of digital forensics. The introduced steps have been implemented in an existing open source XQuery system called MonetDB/XQuery.

