The forensic analysis process
Forensic analysis is an iterative process: investigations are rarely solved in a linear manner. Typically, an investigation begins with a hypothesis that is tested against the data. During the analysis, additional clues or details are uncovered that change or add to the original hypothesis. The process continues until the investigator can determine exactly what occurred and can provide supporting evidence from the data. This iterative process applies to both traditional computer forensics and Big Data forensics. The following diagram illustrates the steps of the analysis phase:
The starting point of the analysis phase is the investigation hypothesis. The hypothesis is based on the facts of the case and is often developed well in advance of the analysis phase. One example of a hypothesis is, "Former employee X stole trade secrets from Company Y, and then implemented a solution based on those trade secrets for his new employer...