
BPMN4FRSS

BPMN Forensic-Ready Software Systems (BPMN4FRSS) is an extension of BPMN 2.0 that adds specific notation for describing forensic-ready software systems as models. Such systems are designed to support a potential digital forensic investigation that might concern the system in question. In other words, the systems are built with the capability to produce forensically sound evidence and handle it appropriately. The extension focuses on capturing the forensic-ready controls (i.e., the implementation of requirements), which revolve around potential digital evidence, including its source, its storage, and its mutual corroboration with other evidence. Subsequently, the models can be analysed and reasoned about to determine whether the systems correctly address the goals of forensic readiness.

The model represents the target system, or a part of it, as a process using standard BPMN. It describes the system's activities (Task), happenings (Event), exchanged data (Data Object), parts of the system and other participants (Pool), and the communication between them (Message Flow). Such a simple asset-level model describes a process of regular operation of the system (IS Assets) involving the Business Assets. BPMN4FRSS then enhances it with forensic readiness aspects, the most important being Evidence (a specialised Data Object), Evidence Source (magnifying glass symbol), and Evidence Store (a specialised Data Store). Furthermore, BPMN4FRSS allows a description of tasks and external participants relevant to forensic readiness (e.g., creating a proof of integrity for some potential evidence).
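
The kind of reasoning such a model enables can be sketched in a few lines of Python. This is an added illustration, not the BPMN4FRSS metamodel or its tooling: the class, the field names, the sample process and the four checks are assumptions chosen to mirror the concepts named above (Evidence, Evidence Source, Evidence Store, proof of integrity, mutual corroboration).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical in-memory form of the concepts named on this page; the names are
# assumptions for illustration, not the BPMN4FRSS metamodel.
@dataclass
class Evidence:
    name: str
    source: Optional[str] = None      # Task or Event marked as Evidence Source
    store: Optional[str] = None       # Evidence Store that holds the evidence
    integrity_proof: bool = False     # some task creates a proof of integrity
    corroborated_by: set[str] = field(default_factory=set)

def analyse(model: list[Evidence]) -> dict[str, list[str]]:
    """Return findings per evidence item; items without findings are omitted."""
    by_name = {e.name: e for e in model}
    findings: dict[str, list[str]] = {}
    for e in model:
        issues = []
        if e.source is None:
            issues.append("no evidence source")
        if e.store is None:
            issues.append("never persisted to an evidence store")
        if not e.integrity_proof:
            issues.append("no proof of integrity")
        if not e.corroborated_by:
            issues.append("no corroborating evidence")
        for ref in sorted(e.corroborated_by):
            other = by_name.get(ref)
            if other is None:
                issues.append(f"corroboration refers to unknown evidence {ref}")
            elif e.name not in other.corroborated_by:
                # Assumed rule: corroboration must be declared on both sides.
                issues.append(f"one-sided corroboration with {ref}")
        if issues:
            findings[e.name] = issues
    return findings

# Constructed sample model of a payment process (not taken from the page).
MODEL = [
    Evidence("payment_log", "Process payment", "audit_db", True, {"gateway_receipt"}),
    Evidence("gateway_receipt", "Receive confirmation", "audit_db", True, {"payment_log"}),
    Evidence("session_record", "Authenticate user", None, False, {"payment_log"}),
]

if __name__ == "__main__":
    for name, issues in analyse(MODEL).items():
        print(f"{name}: " + "; ".join(issues))
```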