Agile Approach for IT Forensics Management
arXiv - CS - Information Retrieval, Pub Date: 2020-07-08, DOI: arxiv-2007.04125
Matthias Schopp, Peter Hillmann

The forensic investigation of cyber attacks and IT incidents is becoming increasingly difficult due to growing complexity and intensified networking. Especially with Advanced Attacks (AT), such as the increasingly common Advanced Persistent Threats, an agile approach is indispensable. Several systems are involved in such an attack (multi-host attacks). Current forensic models and procedures show considerable deficits in the process of analyzing such attacks. For this purpose, this paper presents the novel flower model, which uses agile methods and forms a new forensic management approach. In this way, the growing challenges of ATs are met. In the forensic investigation of such attacks, big data problems have to be solved due to the amount of data that needs to be analyzed. The proposed model meets this requirement by precisely defining, at an early stage, the questions that need to be answered and collecting only the evidence usable in court proceedings that is needed to answer these questions. Additionally, the novel flower model for AT is presented, which covers the different phases of an investigation process.

Updated: 2020-07-09