Digital Evidence Object Model for Situation Awareness and Decision Making in Digital Forensics Investigation

The aim of a forensic investigation is to provide situation awareness in terms of identification and preservation of digital evidence, extraction of information, and analysis of extracted information to facilitate time-critical decision making. Digital forensic investigation is a process of collecting, examining, and analyzing digital data from various places such as digital devices, networks, and big data in the cloud. Here we propose a novel digital evidence object (DEO) model for the reduction of forensics data in digital forensic investigation and describe its application. The proposed DEO model is based on the synergy of category theory and integration of 5Ws (Who, What, When, Where, and Why) of digital investigation analysis techniques for digital evidence acquisition. We present a real-life case study to demonstrate its suitability for assisting computer forensics experts in the digital evidence investigation. Our results demonstrate that the application of the DEO model can noticeably decrease the number of false positive evidence objects submitted to a forensics expert, thus reducing his/her workload and improving decision making performance in a time-critical setting.