An Extended Model of Cybercrime Investigations
A comprehensive model of cybercrime investigations is important for standardising terminology, defining requirements, and supporting the development of new techniques and tools for investigators. In this paper a model of investigations is presented which combines the existing models, generalises them, and extends them by explicitly addressing certain activities not included in them. Unlike previous models, this model explicitly represents the information flows in an investigation and captures the full scope of an investigation, rather than only the processing of evidence. The results of an evaluation of the model by practicing cybercrime investigators are presented. This new model is compared to some important existing models and applied to a real investigation. A good model of cybercrime investigations is important, because it provides an abstract reference framework, independent of any particular technology or organisational environment, for the discussion of techniques and technology for supporting the work of investigators. It can provide a basis for common terminology to support discussion and sharing of expertise. The model can be used to help develop and apply methodologies to new technologies as they emerge and become the subject of investigations. Furthermore, the model can be used in a proactive way to identify opportunities for the development and deployment of technology to support the work of investigators, and to provide a framework for the capture and analysis of requirements for investigative tools, particularly for advanced automated analytical tools. At present, there is a lack of general models specifically directed at cybercrime investigations. The available models concentrate on part of the investigative process (dealing with gathering, analysing and presenting evidence) but a fully general model must incorporate other aspects if it is to be comprehensive.