CASE Objects in the Real World
When an investigation is initiated, the description and authorization are represented using a CASE Investigation object. Any information related to a cyber-investigation must be wrapped within a CASE bundle.
An Investigation can contain any CASE object, including InvestigativeActions and Traces.
When a device is first touched, this is represented using an InvestigativeAction with an empty input to indicate that this is the beginning of Chain of Custody. The output of this InvestigativeAction is the seized object and an associated provenance record.
All CASE objects are inserted within the associated Investigation, wrapped in a CASE Bundle.
The tool used to acquire data, options used, and the resulting forensic copy are represented as an InvestigativeAction and associated Tool using CASE.
[placeholder for dc3dd wrapper]
Information extracted from a forensic copy of digital evidence, along with the tool used, can be represented using CASE.