Investigation, Evidence, and Forensics


Investigation: systematic or formal process of inquiring into or researching, and examining facts or materials associated with a matter.
Source: ISO/IEC 27035-3:2020 Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations


Evidence: Grounds for belief or disbelief; data on which to base proof or to establish truth or falsehood.
Note 1: Evidence can be objective or subjective. Evidence is obtained through measurement, the results of analyses, experience, and the observation of behavior over time.
Note 2: The security perspective places focus on credible evidence used to obtain assurance, substantiate trustworthiness, and assess risk.
Source: NIST SP 800-160 Vol. 1

Evidence: information supporting the occurrence of an event or action.
Note 1 to entry: Evidence does not necessarily prove the truth or existence of something but can contribute to the establishment of such a proof.
Source: ISO/IEC 13888-1:2020 Information security — Non-repudiation — Part 1: General


Forensics: The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
Source: CNSSI 4009-2015

Digital forensics: In its strictest connotation, the application of computer science and investigative procedures involving the examination of digital evidence – following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.
Source: CNSSI 4009-2015 from DoDD 5505.13E

Forensic science: The use or application of scientific knowledge to a point of law, especially as it applies to the investigation of crime.
Source: NISTIR 8006 from SWGDE v2.0

Forensic copy: An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm.
Source: CNSSI 4009-2015 from NIST SP 800-72

  • Investigation (調查): a formal, systematic inquiry, examination and study undertaken to gain a thorough understanding of the facts concerning a particular person, event or matter.
  • Evidence (證據): information that can support or prove the occurrence of an event or action, or the truth or falsity of an asserted fact.
  • Forensics (鑑識): the collection, preservation and analysis of evidence carried out for the purposes of legal investigation and prosecution.
