
A protocol for the forensic data acquisition of personal computer workstations

Posted on: 2007-06-23
Degree: Ph.D
Type: Dissertation
University: University of Hawai'i at Manoa
Candidate: Carlton, Gregory H
Full Text: PDF
GTID: 1458390005488466
Subject: Computer Science
Abstract/Summary:
Computer forensics is a relatively new and rapidly growing field that addresses the use of computer data as evidence in legal proceedings. As a relatively new field of study, little empirical research has been conducted pertaining to computer forensics. This lack of empirical research contributes to problems for practitioners and academics alike.

For the community of practitioners, problems arise from the dilemma of applying scientific methods to legal matters based on anecdotal training methods, and the academic community is hampered by a lack of theory in this evolving field. This research study is designed to provide benefits to both communities by utilizing a multi-method approach to identify a protocol for practitioners and lay a foundation for academic theory development.

This research addresses the initial and most frequently performed phase of computer forensic examinations, data acquisition. Within the data acquisition phase, this research specifically studies the data acquisition of personal computers, the most frequently encountered target of forensic data acquisitions. A multi-method approach is utilized to identify, classify, and evaluate the tasks forensic examiners perform during forensic data acquisitions of personal computer workstations by building upon the framework of Nute's (1996) dissertation that established a scientific basis for forensic science.

The first phase of this study utilizes inductive research and is largely based on Grounded Theory (Glaser and Strauss, 1967) to empirically identify and classify tasks performed during forensic data acquisitions. The second phase of this study uses a discursive analytic strategy to evaluate the identified tasks by two review panels of experts. One review panel consists of technical experts and the other consists of legal experts.

A protocol is provided for the forensic data acquisition of personal computer workstations based on 103 tasks identified by practitioners and evaluated by experts. Each task is presented with expert panel merit ratings, examiner performance measures, and conditional performance measures. Eight constraints were identified that influence the degree to which practitioners perform the identified tasks.

The protocol provides measures not previously available to practitioners, and this study demonstrates the use of Grounded Theory for forensic protocol development.
Keywords/Search Tags:Forensic, Data, Computer, Protocol, Practitioners, Theory