Paper title
5W1H-based Expression for the Effective Sharing of Information in Digital Forensic Investigations
Paper authors
Abstract
Digital forensic investigation is used in various areas related to digital devices, including cybercrime. It is an investigative process that relies on many techniques, which have been implemented as tools. The types of files covered by a digital forensic investigation are wide and varied; however, there is no way to express the results in a standardized format. Standardization differs by type of device, file system, or application. Differing outputs make it time-consuming and difficult to share information and to implement integration, and this can also weaken cyber security. It is therefore important to define a normalization and to present data in the same format. In this paper, a 5W1H-based expression for information sharing in effective digital forensic investigation is proposed, analyzing digital forensic information using six questions: what, who, where, when, why and how. Based on the 5W1H expression, digital information from different types of files is converted and represented in the same output format. As 5W1H is a basic writing principle, applying the 5W1H-based expression to the case studies shows that it enhances the clarity and correctness of information sharing. Furthermore, in the case of security incidents, this expression has the advantage of being compatible with STIX.
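The normalization the abstract describes, shown as an added example rather than the paper's own code: two constructed artifact formats (a browser-history line and a file-system journal line, whose field layouts are assumed here) are parsed into one 5W1H record, ordered by "when", and serialized as a single output format; the "why" field is left as "unknown" when the source offers nothing to answer it.

```python
# Added example (not from the paper): normalising two artifact types into
# one 5W1H record. Both input formats and all field names are constructed.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json


@dataclass
class FiveW1H:
    what: str   # the event or artifact observed
    who: str    # the actor (user account, process, ...)
    where: str  # the location (file path, URL, host, ...)
    when: str   # ISO 8601 timestamp in UTC, so records can be ordered
    why: str    # context or inferred purpose; "unknown" when not derivable
    how: str    # the mechanism or application that produced the artifact


def from_browser_history(line: str) -> FiveW1H:
    """Constructed format: 'user|url|visit_time_epoch|page_title'."""
    user, url, epoch, title = line.split("|", 3)
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()
    return FiveW1H(what=f"web visit: {title}", who=user, where=url,
                   when=when, why="unknown", how="web browser history")


def from_fs_event(line: str) -> FiveW1H:
    """Constructed format: 'YYYY-mm-ddTHH:MM:SSZ user action path'."""
    ts, user, action, path = line.split(" ", 3)
    when = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc).isoformat())
    return FiveW1H(what=f"file {action}", who=user, where=path,
                   when=when, why="unknown", how="file system journal")


PARSERS = {"browser": from_browser_history, "fs": from_fs_event}

# Constructed sample input: (artifact kind, raw line)
SAMPLE = [
    ("browser", "alice|https://example.com/login|1700000000|Login"),
    ("fs", "2023-11-14T22:10:05Z alice modified /home/alice/report.docx"),
]


def normalise(lines):
    """Convert mixed artifacts to 5W1H records, ordered on 'when'."""
    records = []
    for kind, line in lines:
        if kind not in PARSERS:
            raise ValueError(f"no 5W1H parser for artifact kind {kind!r}")
        records.append(PARSERS[kind](line))
    return sorted(records, key=lambda r: r.when)


def to_json(records) -> str:
    """One output format for every artifact type."""
    return json.dumps([asdict(r) for r in records], indent=2)
```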