Formal Forensic Approaches

Several organizations have established formal guidelines for approaching a forensic investigation. You should become familiar with these guidelines. Depending on your work environment, you might adopt one of them as is, or use one as a base and adapt it to your own plan.

Department of Defense Forensic Standards

The U.S. Department of Defense (DoD) coordinates and supervises agencies and functions of the government related to national security and the U.S. armed forces. The DoD uses system forensics to evaluate and examine data related to cyberattacks, to estimate the potential impact of malicious activity, and to assess the intent and identity of perpetrators. The DoD Cyber Crime Center (DC3) sets standards for digital evidence processing, analysis, and diagnostics. It is involved with DoD investigations that require computer forensics support to detect, enhance, or recover digital media. DC3 is also involved in criminal law enforcement forensics and counterintelligence. It assists in criminal, counterintelligence, counterterrorism, and fraud investigations. In addition, it supports safety investigations, commander-directed inquiries, and inspector-general investigations.

DC3 provides computer investigation training. It trains forensic examiners, investigators, system administrators, and others. It also ensures that defense information systems are secure from unauthorized use, criminal and fraudulent activities, and foreign intelligence service exploitation. DC3 partners with government, academic, and private industry computer security officials. For more information on DC3, see http://www.dc3.mil.

The Digital Forensic Research Workshop Framework

The Digital Forensic Research Workshop (DFRWS) is a nonprofit volunteer organization. Its goal is to enhance the sharing of knowledge and ideas about digital forensics research. DFRWS sponsors annual conferences, technical working groups, and challenges to help drive the direction of research and development. In 2001, the DFRWS developed a framework for digital investigation that is still applicable and followed. The DFRWS framework is a matrix with six classes:

  • Identification

  • Preservation

  • Collection

  • Examination

  • Analysis

  • Presentation

The Scientific Working Group on Digital Evidence Framework

The Scientific Working Group on Digital Evidence (SWGDE) promotes a framework process that includes four stages:

  • Collect

  • Preserve

  • Examine

  • Transfer

The final step covers any sort of transfer of evidence. This includes moving evidence from the lab to a court, or even returning it to its owner when it is no longer needed.

An Event-Based Digital Forensics Investigation Framework

In 2004, Brian Carrier and Eugene Spafford, researchers at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, proposed a model that is more intuitive and flexible than the DFRWS framework.

This model has five primary phases, each of which may contain additional subphases. The primary phases are the Readiness phase, the Deployment phase, the Physical Crime Scene Investigation phase, the Digital Crime Scene Investigation phase, and the Presentation phase. The Readiness phase contains the Operations Readiness subphase, which involves training people and testing investigation tools, and the Infrastructure Readiness subphase, which involves configuring the equipment. The Deployment phase includes the Detection and Notification subphase, in which someone detects an incident and alerts investigators, and the Confirmation and Authorization subphase, in which investigators receive authorization to conduct the investigation.
