=======================================================================
The ForensiX Process
=======================================================================

Forensic analysis with ForensiX consists of the following steps:
	- Gather or Image data
	- Analyze data and document results
	- Store case information
	- Reproduce and present analysis and results
	- Demonstrate system integrity

------------------------------------------------------------------

Gather or Image data
	Original evidence is imaged into ForensiX on a case by case basis.

ForensiX is not intended for analysis of original evidence, as this is
not forensically sound.  Rather, original evidence is "imaged" and
"fingerprinted" with MD5 checksums, and the image is analyzed in a
read-only mode.  The imaging process is done with the "Image" button on
the ForensiX menu.

------------------------------------------------------------------

Analyze data and document results
	Imaged data is analyzed as required for the case.

Using the "Mount", "List", "Search", and "Dismount" buttons, imaged
data is processed to locate desired forensic evidence. This process
is automatically recorded and data integrity is automatically assured.
The user can also add documentation by pressing the "Document" button
and entering one-line comments on what was done, why, and what was
found.

------------------------------------------------------------------

Store case information
	Imaged data, processing results, and commands are stored.

Detailed audits of actions requested by the user are stored in a form
that allows the actions to be replayed to produce repeatable results and
provides automatic detection of alterations to any step of the process.
Off-line storage is also possible, but provisions for long-term archival
of this data are not yet provided by the ForensiX tool.
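
The page does not say how ForensiX stores its audits. As an added
example (not ForensiX code), one common way to get replayable,
alteration-evident records is a hash chain. SHA-256, the record fields,
and the stand-in "List"/"Search" actions are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed anchor that the first record chains to
IMAGE = b"boot\x00notes.txt: meet at dock 9\x00"  # constructed sample "image"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def chain_value(prev, step):
    # Canonical JSON so an unchanged step always hashes to the same value.
    body = json.dumps(step, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev + body).encode())

def append_step(log, action, target, comment, output):
    """Record one audited action; each record commits to its predecessor."""
    step = {"seq": len(log), "action": action, "target": target,
            "comment": comment, "result_hash": sha256_hex(output)}
    prev = log[-1]["chain"] if log else GENESIS
    log.append({"step": step, "chain": chain_value(prev, step)})

def verify_log(log):
    """Return the index of the first altered record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["step"]["seq"] != i or rec["chain"] != chain_value(prev, rec["step"]):
            return i
        prev = rec["chain"]
    return None

def replay(log, run_action):
    """Re-run each step; return seq numbers whose output no longer matches."""
    return [r["step"]["seq"] for r in log
            if sha256_hex(run_action(r["step"]["action"], r["step"]["target"]))
            != r["step"]["result_hash"]]

def run_action(action, target):
    # Stand-ins for the real "List" and "Search" operations (hypothetical).
    if action == "List":
        return b"notes.txt"
    return str(IMAGE.find(target.encode())).encode()

def build_sample_log():
    log = []
    for action, target, comment in [("List", "/", "enumerate files"),
                                    ("Search", "dock", "locate meeting place")]:
        append_step(log, action, target, comment, run_action(action, target))
    return log
```

A chain like this does not reveal records removed from the end unless
the final chain value is also kept somewhere else, such as with the
off-line copy.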

------------------------------------------------------------------

Reproduce and present analysis and results
	Processing of imaged data is redone and presented as required.

The 'replay' capability allows the process used to generate results to
be repeated, so that it can be demonstrated and independently
evaluated.

------------------------------------------------------------------

Demonstrate system integrity
	System configuration and content are systematically tested for
	integrity by the ForensiX package.

The 'Tracer' system included with ForensiX provides the means to verify
system integrity, detect changes to system files and configurations, and
report those changes on request.
