Digital forensic goals

The main object of digital forensic analysis is the digital device related to the security incident under investigation. The digital device was either used to commit a crime, to target an attack, or is a source of information for the analyst. The goals of the analysis phase in the digital forensics process differ from one case to another. The analysis can be used to support or refute assumptions against individuals or entities, or it can be used to investigate information security incidents locally on the system or over a network.

When analyzing a compromised system, the goals of digital forensics, as a whole, are to answer these questions:

  • What happened to the system under analysis?
  • How was it compromised?

During the analysis, the analyst could also answer some other questions based on their findings, such as the following:

  • Who is the attacker? This asks whether the analyst could find the attacker's IP address and/or the IP address of the command and control server, or in some cases the attacker's profile.
  • When did it happen? This asks whether the analyst could ascertain the time of the infection or compromise.
  • Where did it happen? This asks whether the analyst could identify the compromised systems in the network and the possibility of other victims.
  • Why did it happen? Based on the attacker's activities in the hacked system, the analyst can form an idea of the attacker's motivation, whether financial, espionage, or other.