When an investigation is initiated, the description and authorization are represented using a CASE
Investigation object. Any information related to a cyber-investigation must be wrapped within a CASE bundle.
Examples of an Authorization & Investigation Objects
An Investigation can contain any CASE object, including InvestigativeActions and Traces.
Evidence Seizure & Chain of Custody
When a device is first touched, this is represented using an InvestigativeAction with an empty input to indicate that this is the
beginning of Chain of Custody. The output of this InvestigativeAction is the seized object and an associated provenance record.
Examples of an InvestigativeAction & ProvenanceRecord Objects
All CASE objects are inserted within the associated Investigation, wrapped in a CASE Bundle.
The tool used to acquire data, options used, and the resulting forensic copy are represented as an
InvestigativeAction and associated Tool using CASE.
Example of an InvestigativeAction
[placeholder for dc3dd wrapper]
Information extracted from a forensic copy of digital evidence, along with the tool used, can be represented using CASE.
Note that the file size in the File property bundle is greater than the size in the ContentData property bundle. This highlights the context-sensitive difference in purpose of sizeInBytes. In File, the size represents the file system's record of the file's size. In ContentData, the size represents the measurable size of extracted or extractable file content. The latter can be less than the file system reports due to, for instance, a faulty storage device.