From what was covered in Chapter 1, “Understanding Digital Forensics,” the digital forensics discipline is built on an extensive common body of knowledge (CBK) of well-established and proven scientific principles, methodologies, and techniques. As digital forensics has evolved over the years, consistent advancements have been made in areas such as education, technology, and process, all of which make clear that bypassing, switching, or not following proper processes can result in missed, incomplete, or inadmissible evidence.
As early as 1984, law enforcement agencies began developing processes and procedures to use as part of their computer forensics investigations. This eventually led to the realization that bypassing, switching, or not following correct processes can leave a digital investigation with missed, incomplete, or inadmissible evidence. Since then, several authors have attempted to develop and propose digital forensics process models, either to address a specific need, such as law enforcement, or with a generalized scope intended for international adoption.
When technology was first used as part of criminal activities, practitioners did not follow any standardized principles, methodologies, or techniques when it came to collecting and processing digital evidence. It was only in the 1980s that law enforcement agencies realized there was a need for an established set of processes that could be consistently followed to support their forensics investigations and guarantee the legal admissibility of digital evidence.
Since then, several authors have taken on the task of developing and proposing a process model that digital forensics practitioners can follow, using repeatable methodologies and techniques, to assure that digital evidence remains authentic, maintains its integrity, and is legally admissible. Over the years, several different process models were proposed to formalize the digital forensics discipline and transform “ad hoc” tasks and activities into tested and scientifically proven methodologies.
Table 2.1 lists process methodologies that have been developed and proposed for digital forensics investigations. Note that this list may not be complete, and that the inclusion of a process methodology does not suggest it is better than, or recommended over, methodologies not included in the table.
Every digital forensics process model noted in Table 2.1 was developed with distinct characteristics and with the purpose of addressing a specific need of the digital forensics investigative workflow. There are, however, no criteria for stipulating which of these process models is the one and only right way for conducting a digital forensics investigation.
Depending on why a process model was developed, such as for law enforcement, it has advantages and disadvantages in a given investigative scenario, for example, being too rigid, linear, or generalized. Appendix A, “Investigative Process Models,” further dissects the digital forensics process models identified in Table 2.1 to understand the tasks performed in each phase and to better understand the uniqueness of, and commonalities between, their investigative workflow phases. Despite the differences noted amongst the process models, there are still significant commonalities in how some phases are used across multiple process models. These similarities confirm that while the process models address different investigative requirements, the underlying forensic science principles, methodologies, and techniques are applied consistently throughout.
As illustrated in Figure 2.1, we can get a better sense of how some phases are frequently used across multiple digital forensics process models. Without getting caught up in the subtle differences in naming conventions, it is quite apparent that there is an opportunity to consolidate all phases identified throughout each process model into these common phases. Of special note, highlighted in Figure 2.1 are the seven phases with the highest frequency of recurrence:
• Preparation includes activities to ensure equipment and personnel are prepared.
• Identification involves detection of an incident or event.
• Collection of relevant data is done using approved techniques.
• Preservation establishes proper evidence gathering and chain of custody.
• Examination evaluates digital evidence to reveal data and reduce volume.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Presentation includes preparing reporting documentation.
Process models developed to support the digital forensics investigative workflow focus on establishing the activities and tasks performed throughout to ensure that processes are not bypassed, switched, or disregarded.
Table 2.1 Process methodologies developed and proposed for digital forensics investigations

| ID | Name | Author(s) | Year | Phases |
|----|------|-----------|------|--------|
| M01 | Computer Forensics Investigative Process | M. Pollitt | 1995 | 4 |
| M02 | Computer Forensics Process Model | U.S. Department of Justice | 2001 | 4 |
| M03 | Digital Forensics Research Workshop Investigative Model (Generic Investigation Process) | Palmer | 2001 | 6 |
| M04 | Scientific Crime Scene Investigation Model | Lee et al. | 2001 | 4 |
| M05 | Abstract Model of the Digital Forensics Procedures | Reith et al. | 2002 | 9 |
| M06 | Integrated Digital Investigation Process | Carrier and Spafford | 2003 | 5 |
| M07 | End to End Digital Investigation | Stephenson | 2003 | 9 |
| M08 | Enhanced Integrated Digital Investigation Process | Baryamureeba and Tushabe | 2004 | 5 |
| M09 | Extended Model of Cyber Crime Investigation | Ciardhuain | 2004 | 13 |
| M10 | A Hierarchical, Objective Based Framework for the Digital Investigations Process | Beebe and Clark | 2004 | 6 |
| M11 | Event Based Digital Forensics Investigation Framework | Carrier and Spafford | 2004 | 5 |
| M12 | Four Step Forensics Process | Kent et al. | 2006 | 4 |
| M13 | Framework for a Digital Forensics Investigation | Kohn et al. | 2006 | 3 |
| M14 | Computer Forensics Field Triage Process Model | Rogers et al. | 2006 | 12 |
| M15 | FORZA—Digital Forensics Investigation Framework | Ieong | 2006 | 6 |
| M16 | Common Process Model for Incident and Computer Forensics | Freiling and Schwittay | 2007 | 3 |
| M17 | Dual Data Analysis Process | Bem and Huebner | 2007 | 4 |
| M18 | Digital Forensics Model Based on Malaysian Investigation Process | Perumal | 2009 | 7 |
| M19 | Generic Framework for Network Forensics | Pilli et al. | 2010 | 9 |
| M20 | Generic Computer Forensics Investigation Model | Yusoff | 2011 | 5 |
| M21 | Systematic Digital Forensics Investigation Model | Agarwal et al. | 2011 | 11 |
As outlined in the previous section, there are seven common phases of a digital forensics investigation workflow: preparation, identification, collection, preservation, examination, analysis, and presentation. From the descriptions of each of these phases, we see that there are further commonalities between them that allow for further consolidation of these phases into a higher-level grouping of workflow categories:
• Preparation includes activities to ensure administrative, technical, and physical provisions are in place.
• Gathering involves following proven techniques to identify, collect, and preserve evidence.
• Processing reveals data and reduces volume based on contextual and content relevancy.
• Presentation includes preparing reporting documentation.
In Figure 2.2, the seven phases have been placed into higher-level groupings based on the commonalities of when they are performed during the investigative workflow. The inter-relationships between these higher-level groupings are illustrated in the order of how they are performed in an investigative workflow. Note the bi-directional interactions between specific phases.
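The seven phases and their Figure 2.2 groupings can be encoded as a small workflow model that audits a case's recorded phase history for exactly the failure modes the chapter warns about: phases bypassed, switched, or never reached. This is an added Python example, not the book's own material; because the figure's specific bi-directional pairs are not reproduced here, the example assumes examination and analysis are the one bi-directional pair, and the phase histories it checks are constructed.

```python
"""Audit a case's recorded phase history against the seven-phase workflow model."""

# The seven common phases of Figure 2.1, in the order the workflow performs them.
PHASES = ["preparation", "identification", "collection", "preservation",
          "examination", "analysis", "presentation"]

# The higher-level groupings of Figure 2.2.
GROUPING = {
    "preparation": "preparation",
    "identification": "gathering", "collection": "gathering", "preservation": "gathering",
    "examination": "processing", "analysis": "processing",
    "presentation": "presentation",
}

# Assumption: the figure's bi-directional interaction is taken to be examination <-> analysis
# (analysis findings routinely send the examiner back to the data). Adjust to match the figure.
BIDIRECTIONAL = {frozenset({"examination", "analysis"})}


def audit_workflow(log):
    """Return findings for phases that were bypassed (skipped), switched (an already-completed
    phase revisited outside an allowed bi-directional pair) or never reached.
    `log` holds phase names as recorded by a case-management system, in chronological order."""
    findings = []
    expected = 0   # index into PHASES of the next phase the model requires
    current = ""   # phase most recently recorded
    for entry in log:
        phase = entry.strip().lower()
        if phase not in PHASES:
            findings.append(f"unknown phase '{entry}'")
            continue
        idx = PHASES.index(phase)
        if idx == expected:
            expected += 1                      # model followed
        elif idx > expected:                   # jumped ahead: phases in between were bypassed
            findings.append(f"bypassed {', '.join(PHASES[expected:idx])} before {phase}")
            expected = idx + 1
        elif frozenset({current, phase}) not in BIDIRECTIONAL:
            findings.append(f"switched from {current} to already-completed {phase} "
                            f"({GROUPING[current]} -> {GROUPING[phase]})")
        current = phase
    if expected < len(PHASES):
        findings.append(f"incomplete: never reached {', '.join(PHASES[expected:])}")
    return findings


if __name__ == "__main__":
    # Constructed history: gathering was skipped and collection performed only after analysis.
    for finding in audit_workflow(["preparation", "identification", "examination",
                                   "analysis", "collection", "presentation"]):
        print(finding)
```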
Digital Forensics Readiness Model
A process model developed to support digital forensics readiness is somewhat different from a process model developed for the digital forensics investigative workflow. Unlike the digital forensics investigative workflow, digital forensics readiness is not a linear process in which activities and steps are executed sequentially and there are established “start/end” criteria.
A process model for digital forensics readiness consists of activities and steps within a circular and redundant hierarchy. Initiation of the digital forensics readiness process model can originate from any activity or step and can subsequently lead to any other phase. The digital forensics readiness process model must establish administrative, technical, and physical foundations to effectively support the activities and tasks performed in all phases of the digital forensics process model by:
• Maximizing the potential use of digital evidence
• Minimizing the cost(s) of digital forensics investigations
• Minimizing interference with, and disruption of, business processes
• Preserving and improving the information security posture
High-level groupings of a digital forensics readiness process model follow the same naming convention as in the digital forensics process model. Figure 2.3 illustrates the activities and steps that make up the digital forensics readiness process model. Within this process model, there is a combination of sequential steps within each phase as well as redundant workflows that are dependent on the nature of the investigation at hand. This digital forensics process model serves as the basis for the detailed topics addressed in Section B of this book.
Digital forensic science has long established itself as a discipline that adheres to consistent, repeatable, and defensible processes. Although several models have been developed to meet the unique needs of how digital forensics is practiced, they are all homogeneous in their design methodology. By following a process methodology that is independent of the context in which it is implemented, the digital forensics community adopts a common model as the basis for conducting consistent, repeatable, and defensible processes.