TRACEMAP: A traceability model for the digital forensics investigation process

2017 
Crime inflicts immense damage upon users and systems, and it has now reached a level of sophistication that makes it difficult to track its sources or origins. This paper highlights the traceability aspects of the digital forensics investigation process. The research includes discovering a large and complex volume of evidence and establishing meaningful relationships within it. The aim is to formulate a model that helps the investigator trace and map the evidence in order to identify the origin of a crime. The model is formulated by reviewing and analysing existing frameworks for the collection process, emphasising traceability needs, and generating a general incident trace pattern, which involves identifying the incident trace attributes of the evidence sources to be traced and mapped. Procedures to trace and map the evidence were then constructed based on the incident trace pattern to identify the origin of the incident. Both the incident trace pattern and the procedures are applied, and the traceability model is adapted, in formulating and implementing a Trace Map Model (TraceMap). TraceMap was successfully evaluated using experimental and expert-view approaches. The results, a 99.17% tracing rate, a 100% mapping rate and a 99.97% identification rate, showed that TraceMap is effective in supporting the digital investigation process. The result is supported by the expert-view approach, which significantly showed that TraceMap was better able to trace and map the evidence, as well as identify the origin of the incident, compared to current investigation process practice.