2 Investigative Process Methodology

Introduction

From what was covered in Chapter 1, “Understanding Digital Forensics,” the digital forensics discipline is built on an extensive common body of knowledge (CBK) of well-established and proven scientific principles, methodologies, and techniques. With the evolution of digital forensics throughout the years, consistent advancements have been made in areas such as education, technologies, and processes, all of which have made clear that bypassing, switching, or not following proper processes can result in missed, incomplete, or inadmissible evidence.

As early as 1984, law enforcement agencies began developing processes and procedures to use as part of their computer forensics investigations. This eventually led to the realization that bypassing, switching, or not following correct processes can cause digital investigations to produce missed, incomplete, or inadmissible evidence. Since then, several authors have attempted to develop and propose digital forensics process models, either to address a specific need, such as law enforcement, or with a generalized scope and the intention that the model could be adopted internationally.

Existing Process Models

When technology was first used as part of criminal activities, practitioners did not follow any standardized principles, methodologies, or techniques when it came to collecting and processing digital evidence. It was only in the 1980s that law enforcement agencies realized there was a need for an established set of processes that could be consistently followed to support their forensics investigations and guarantee the legal admissibility of digital evidence.

Since then, several authors have taken on the task of developing and proposing a process model that digital forensics practitioners can follow as assurance that digital evidence remains authentic, maintains integrity, and is legally admissible, by applying repeatable methodologies and techniques. Over the years, several different process models were proposed to formalize the digital forensics discipline and transform “ad hoc” tasks and activities into tested and scientifically proven methodologies.

Displayed in Table 2.1 is a list of process methodologies that have been developed and proposed for digital forensics investigations. It is important to note that while this list may not be complete, the inclusion of a process methodology does not suggest it is better or recommended over other methodologies that were not included in the table.

Every digital forensics process model noted in Table 2.1 was developed with distinct characteristics and with the purpose of addressing a specific need of the digital forensics investigative workflow. There are, however, no criteria for stipulating which of these process models is the one and only right way for conducting a digital forensics investigation.

Depending on why the process model was developed, such as for law enforcement, each has advantages and disadvantages depending on the investigative scenario, for example, being too rigid, linear, or generalized. Appendix A, “Investigative Process Models,” further dissects the digital forensics process models identified in Table 2.1 to understand the tasks performed in each phase and to identify the uniqueness and commonalities among investigative workflow phases. Despite the differences noted among the process models, there are still significant commonalities in how some phases are used across multiple process models. These similarities confirm that while the process models address different investigative requirements, the underlying forensic science principles, methodologies, and techniques are applied consistently throughout.

As illustrated in Figure 2.1, we can get a better sense of how some phases are frequently used across multiple digital forensics process models. Without getting caught up in the subtle differences in naming conventions, it is quite apparent that there is an opportunity to consolidate all phases identified throughout each process model into a set of common phases. Of special note, the seven phases highlighted in the graphic below have the highest frequency of recurrence:

•  Preparation includes activities to ensure equipment and personnel are prepared.

•  Identification involves detection of an incident or event.

•  Collection of relevant data is done using approved techniques.

•  Preservation establishes proper evidence gathering and chain of custody.

•  Examination evaluates digital evidence to reveal data and reduce volume.

•  Analysis examines the context and content of digital evidence to determine relevancy.

•  Presentation includes preparing reporting documentation.

Process models developed to support the digital forensics investigative workflow focus on establishing the activities and tasks performed throughout to ensure that processes are not bypassed, switched, or disregarded.

Table 2.1 Digital Forensics Process Models

| ID | Name | Author(s) | Year | Phases |
|---|---|---|---|---|
| M01 | Computer Forensics Investigative Process | M. Pollitt | 1995 | 4 |
| M02 | Computer Forensics Process Model | U.S. Department of Justice | 2001 | 4 |
| M03 | Digital Forensics Research Workshop Investigative Model (Generic Investigation Process) | Palmer | 2001 | 6 |
| M04 | Scientific Crime Scene Investigation Model | Lee et al. | 2001 | 4 |
| M05 | Abstract Model of the Digital Forensics Procedures | Reith et al. | 2002 | 9 |
| M06 | Integrated Digital Investigation Process | Carrier and Spafford | 2003 | 5 |
| M07 | End to End Digital Investigation | Stephenson | 2003 | 9 |
| M08 | Enhanced Integrated Digital Investigation Process | Baryamureeba and Tushabe | 2004 | 5 |
| M09 | Extended Model of Cyber Crime Investigation | Ciardhuain | 2004 | 13 |
| M10 | A Hierarchical, Objective Based Framework for the Digital Investigations Process | Beebe and Clark | 2004 | 6 |
| M11 | Event Based Digital Forensics Investigation Framework | Carrier and Spafford | 2004 | 5 |
| M12 | Four Step Forensics Process | Kent et al. | 2006 | 4 |
| M13 | Framework for a Digital Forensics Investigation | Kohn et al. | 2006 | 3 |
| M14 | Computer Forensics Field Triage Process Model | Roger et al. | 2006 | 12 |
| M15 | FORZA—Digital Forensics Investigation Framework | Ieong | 2006 | 6 |
| M16 | Common Process Model for Incident and Computer Forensics | Freiling and Schwittay | 2007 | 3 |
| M17 | Dual Data Analysis Process | Bem and Huebner | 2007 | 4 |
| M18 | Digital Forensics Model Based on Malaysian Investigation Process | Perumal | 2009 | 7 |
| M19 | Generic Framework for Network Forensics | Pilli et al. | 2010 | 9 |
| M20 | Generic Computer Forensics Investigation Model | Yusoff | 2011 | 5 |
| M21 | Systematic Digital Forensics Investigation Model | Agarwal et al. | 2011 | 11 |

Figure 2.1 Phases as used across digital forensics process models.

As outlined in the previous section, there are seven common phases of a digital forensics investigation workflow: preparation, identification, collection, preservation, examination, analysis, and presentation. From the descriptions of each of these phases, we see that there are further commonalities between them that allow for further consolidation of these phases into a higher-level grouping of workflow categories:

Figure 2.2 High-level digital forensics process model.

•  Preparation includes activities to ensure administrative, technical, and physical provisions are in place.

•  Gathering involves following proven techniques to identify, collect, and preserve evidence.

•  Processing reveals data and reduces volume based on contextual and content relevancy.

•  Presentation includes preparing reporting documentation.

In Figure 2.2, the seven phases have been placed into higher-level groupings based on the commonalities of when they are performed during the investigative workflow. The inter-relationships between these higher-level groupings are illustrated in the order of how they are performed in an investigative workflow. Note the bi-directional interactions between specific phases.
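The phase order of Figure 2.1 and the groupings of Figure 2.2 can be enforced in a chain-of-custody record so that no phase is bypassed or switched and evidence integrity is re-checked at every step. The Python below is an added example, not code from the book; it assumes the phase-to-grouping mapping implied by the text, assumes that the bi-directional interactions stay within one grouping (for example, examination and analysis within processing), and fixes a SHA-256 hash of each item at collection.

```python
import hashlib
from dataclasses import dataclass, field

# The seven common phases of Figure 2.1 in workflow order, and the Figure 2.2
# grouping each belongs to (the phase-to-grouping mapping is assumed from the text).
PHASES = ["preparation", "identification", "collection", "preservation",
          "examination", "analysis", "presentation"]
GROUP = {"preparation": "preparation", "identification": "gathering",
         "collection": "gathering", "preservation": "gathering",
         "examination": "processing", "analysis": "processing",
         "presentation": "presentation"}

class WorkflowError(Exception):
    """A phase was bypassed or switched, or the evidence hash no longer matches."""

@dataclass
class EvidenceItem:
    item_id: str
    content: bytes                 # constructed sample bytes standing in for an image
    sha256: str = ""               # fixed at collection, re-checked in every later phase
    custody: list = field(default_factory=list)

def allowed_next(last) -> set:
    """Phases that may follow `last`: the next phase in order, plus any phase in the
    same grouping (assumption: Figure 2.2's bi-directional arrows stay inside a grouping)."""
    if last is None:
        return {PHASES[0]}
    idx = PHASES.index(last)
    following = {PHASES[idx + 1]} if idx + 1 < len(PHASES) else set()
    return following | {p for p in PHASES if GROUP[p] == GROUP[last]}

def record_phase(item: EvidenceItem, phase: str, actor: str) -> dict:
    """Append a chain-of-custody entry, refusing out-of-order phases and hash changes."""
    last = item.custody[-1]["phase"] if item.custody else None
    if phase not in allowed_next(last):
        raise WorkflowError(f"{item.item_id}: {phase!r} may not follow {last!r}")
    digest = hashlib.sha256(item.content).hexdigest()
    if phase == "collection":
        item.sha256 = digest              # reference hash taken when data is acquired
    elif item.sha256 and digest != item.sha256:
        raise WorkflowError(f"{item.item_id}: content changed before {phase}")
    entry = {"phase": phase, "group": GROUP[phase], "actor": actor, "sha256": digest}
    item.custody.append(entry)
    return entry

def run_workflow(item: EvidenceItem, steps: list) -> list:
    """Apply (phase, actor) steps in order; return the grouping sequence traversed."""
    for phase, actor in steps:
        record_phase(item, phase, actor)
    return [e["group"] for e in item.custody]
```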

Digital Forensics Readiness Model

A process model developed to support digital forensics readiness is somewhat different than a process model developed for the digital forensics investigative workflow. Unlike the digital forensics investigative workflow, digital forensics readiness is not a linear process in which activities and steps are executed sequentially and there are established “start/end” criteria.

A process model for digital forensics readiness consists of activities and steps within a circular and redundant hierarchy. Initiation of the digital forensics readiness process model can originate from any activity or step and can subsequently lead to any other phase. The digital forensics readiness process model must establish administrative, technical, and physical foundations to effectively support the activities and tasks performed in all phases of the digital forensics process model by:

•  Maximizing the potential use of digital evidence

•  Minimizing the cost(s) of digital forensics investigations

•  Minimizing interference with, and disruption of, business processes

•  Preserving and improving the information security posture

Figure 2.3 Digital forensics readiness process model.

High-level groupings of a digital forensics readiness process model follow the same naming convention as in the digital forensics process model. Figure 2.3 illustrates the activities and steps that make up the digital forensics readiness process model. Within this process model, there is a combination of sequential steps within each phase as well as redundant workflows that are dependent on the nature of the investigation at hand. This digital forensics process model serves as the basis for the detailed topics addressed in Section B of this book.

Summary

Digital forensic science has long established itself as a discipline that adheres to consistent, repeatable, and defensible processes. Although several models have been developed to meet the unique needs of how digital forensics is practiced, they are all homogeneous in their design methodology. By following a process methodology that is agnostic to the context of its implementation, the digital forensics community adopts a common model as the basis for conducting consistent, repeatable, and defensible processes.
