top of page

Zatkyo Model for Digital Forensics

A process model published by Kenneth Zatkyo in Forensics Magazine in 2007 has become a widely used way of providing an outline of what is involved in the practice of digital forensics. It is referenced in the NIST Guide to Cloud Forensic Science Computing Challenges. (See page 2). Zatkyo proposed an eight step model:

1. Search authority - one must have the legal right to conduct a forensic search.

2. Chain of custody - possession of digital evidence over a time period must be documented.

3. Imaging/Hashing function - data should be correctly copied and its hash value recorded.

4. Validated tools -one must be able to proof the forensic tools employed are effective.

5. Analysis - forensics analysis examines digital evidence.

6. Repeatability and reproducibility - other forensics analysts must be able to repeat the steps performed in the analysis.

7. Reporting - the procedure and conclusions reached by the forensic analyst must be documented.

8. Possible presentation - the forensic analyst must be prepared to present his or her findings in court.

See also, John Simmons, The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics (2014), at 7-9; Bill Nelson, Guide to Computer Forensics and Investigations (2016), at 2; and Ralph Losey, Introduction to E-discovery: New Cases, Ideas, and Techniques (2009), at 102. Losey calls Zatkyo's model, "the best definition I have seen."

Perhaps one could use the anagram VAPR CHAR to help remember the 8 steps?

bottom of page