Reference and guide to SFIA version 7. Framework status: Requirements.

#52 Digital Forensics - Add 'totality of findings': change request pending

The explicit reference to "computer' related evidence is too restrictive and incorrect.

From Australian Public Sector SFIA Cyber Security and Digital Workshop Oct12:

  Why the explicit reference to “Computer” related evidence? 

  • Analysis is not just data extraction but building up a forensically sound evidence base (SAN’s Chain of Custody) by attempting to determine the 5 W’s (Who, What, When, Where and Why) and then How.  
  • Forensic evidence is based on the totality of the findings…which may include evidence sourced from a number of locations, including the Computer…for example, the evidence could be correlated with findings from other system event logs (eg Exchange Server or Network Switch logs, Webserver transactions, etc etc)…

Attached to Digital forensics