Appendix A: Investigative Process Models
Introduction
When technology was first involved with criminal activities, investigators did not follow any guiding principles, methodologies, or techniques when it came time to collect and process digital evidence. It was only in the 1980s that law enforcement agencies realized there was a need to have an established set of processes that could be consistently followed to support their forensic investigations and guarantee the legal admissibility of digital evidence.
Over the years, several authors have taken on the task of developing and proposing a process model to formalize the digital forensics discipline and transform “ad-hoc” tasks and activities into tested and proven methodologies. Displayed in Table AA.1 is a list of different process methodologies that have been developed and proposed for digital forensics investigations.
It is important to note that while this listing may not be complete, the inclusion of a process methodology does not suggest it is better or recommended over other methodologies that were not included in the table.
Table AA.1 Investigative Process Models
ID | Year | Author(s) | Model Name | Phases |
P01 | 1995 | M. Pollitt | Computer Forensic Investigative Process | 4 |
P02 | 2001 | U.S. Department of Justice | Computer Forensic Process Model | 4 |
P03 | 2001 | Palmer | Digital Forensic Research Workshop Investigative Model (Generic Investigation Process) | 6 |
P04 | 2001 | Lee et al. | Scientific Crime Scene Investigation Model | 4 |
P05 | 2002 | Reith et al. | Abstract Model of the Digital Forensic Procedures | 9 |
P06 | 2003 | Carrier and Spafford | Integrated Digital Investigation Process | 5 |
P07 | 2003 | Stephenson | End-to-End Digital Investigation | 9 |
P08 | 2004 | Baryamureeba and Tushabe | Enhanced Integrated Digital Investigation Process | 5 |
P09 | 2004 | Ciardhuain | Extended Model of Cyber Crime Investigation | 13 |
P10 | 2004 | Beebe and Clark | Hierarchical, Objective Based Framework for the Digital Investigations Process | 6 |
P11 | 2004 | Carrier and Spafford | Event-Based Digital Forensic Investigation Framework | 5 |
P12 | 2006 | Kent et al. | Four-Step Forensic Process | 4 |
P13 | 2006 | Kohn et al. | Framework for a Digital Forensic Investigation | 3 |
P14 | 2006 | Roger et al. | Computer Forensic Field Triage Process Model | 12 |
P15 | 2006 | Ieong | FORZA—Digital Forensics Investigation Framework | 6 |
P16 | 2006 | Venter | Process Flows for Cyber Forensics Training and Operations | 3 |
P17 | 2007 | Freiling and Schwittay | Common Process Model for Incident and Computer Forensics | 3 |
P18 | 2007 | Bem and Huebner | Dual Data Analysis Process | 4 |
P19 | 2008 | Selamat et al. | Mapping Process of Digital Forensic Investigations Framework | 5 |
P20 | 2009 | Perumal | Digital Forensic Model Based on Malaysian Investigation Process | 7 |
P21 | 2010 | Pilli et al. | Generic Framework for Network Forensics | 9 |
P22 | 2011 | Yusoff | Generic Computer Forensic Investigation Model | 5 |
P23 | 2011 | Agarwal et al. | Systematic Digital Forensic Investigation Model | 11 |
P24 | 2012 | Adams et al. | Advanced Data Acquisition Model (ADAM) | 3 |
[P01] Computer Forensics Investigative Process (1995)
Consisting of four phases, this model was proposed as a means of ensuring appropriate evidence handling during a computer forensics investigation followed scientifically reliable and legally acceptable methodologies.
• Acquisition: Requires that digital evidence be collected using acceptable methodologies only after receiving proper approval from authorities
• Identification: Interprets digital evidence and converts it into a readable human format
• Evaluation: Determines the digital evidence’s relevancy to the investigation
• Admission: Documents relevant digital evidence for legal proceedings (Figure AA.1)
[P02] Computer Forensic Process Model (2001)
Consisting of four phases, this model was proposed in the Electronic Crime Scene Investigation: A guide to first responders publication and focused on the basic components of a digital forensics investigation.
• Collection involves searching for digital evidence sources and ensuring their integrity is maintained while gathering.
• Examination evaluates digital evidence to reveal data and reduce volumes.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Reporting includes presenting digital evidence through investigation documentation (Figure AA.2).
Figure AA.1 Computer forensic investigative process 1995.
Figure AA.2 Computer forensic process model 2001.
[P03] Digital Forensic Research Workshop (DFRWS) Investigative Model (2001)
Consisting of six phases, this model was proposed as a general-purpose process for digital forensic investigations.
• Identification involves detection of an incident or event.
• Preservation establishes proper evidence gathering and chain of custody.
• Collection gathers relevant data using approved techniques.
• Examination evaluates digital evidence to reveal data and reduce volumes.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Presentation includes preparing reporting documentation (Figure AA.3).
Figure AA.3 Digital forensic research workshop investigative model 2001.
[P04] Scientific Crime Scene Investigation Model (2001)
Consisting of four phases, this model was proposed to strictly address scientific crime scene investigations, not the entire investigative process.
• Recognition identifies items or patterns seen as potential evidence.
• Identification classifies evidence and compares it to known standards.
• Individualization determines evidence uniqueness in relation to the investigation.
• Reconstruction provides investigative details based on collective findings (Figure AA.4).
[P05] Abstract Model of the Digital Forensic Procedures (2002)
Consisting of nine phases, this model enhances the DFRWS model by including three additional phases; preparation, approach strategy, and returning evidence.
• Identification involves detection of an incident or event.
• Preparation includes activities to ensure equipment and personnel are prepared.
• Approach strategy focuses on maintaining evidence integrity during acquisition.
• Preservation establishes proper evidence gathering and chain of custody.
• Collection gathers relevant data using approved techniques.
• Examination evaluates digital evidence to reveal data and reduce volumes.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Presentation includes preparing reporting documentation.
• Returning evidence includes, where feasible, returning evidence to its original owner (Figure AA.5).
Figure AA.4 Scientific crime scene investigation model 2001.
Figure AA.5 Abstract model of the digital forensic procedures 2002.
[P06] Integrated Digital Investigation Process (2003)
Consisting of five phases, this model was proposed with the intention of merging the various investigative processes into a single integrated model. This model introduced the idea of a digital crime scene created because of technology where digital evidence exists.
• Readiness includes activities to ensure equipment and personnel are prepared.
• Deployment enables the detection and validation of an event or incidents.
• Physical crime scene involves the collection and analysis of physical evidence.
• Digital crime scene involves the collection and analysis of digital evidence.
• Review assesses the entire investigative process to identify opportunities for improvement (Figure AA.6).
Figure AA.6 Integrated digital investigation process 2003.
[P07] End-to-End Digital Investigation (2003)
Consisting of six phases, this model was proposed as a general-purpose process for digital forensic investigations.
• Collecting evidence involves acquiring and preserving digital evidence.
• Analysis of individual events examines digital evidence to assess relevancy.
• Preliminary correlation assesses events to determine when events occurred and what technology is involved.
• Event normalizing de-duplicates and standardizes events into a unified structure.
• Event deconfliction consolidates multiple common events into a single event.
• Second-level correlation assesses the normalized events to further refine when events occurred and what technology is involved
• Timeline analysis builds the chronological sequence of events.
• Chain of evidence construction establishes the correlation based on sequential events.
• Corroboration validates evidence and events against other evidence and events (Figure AA.7).
Figure AA.7 End-to-end digital investigation 2003.
[P08] Enhanced Integrated Digital Investigation Process (2004)
Consisting of five phases, this model is based on the integrated digital investigation process. This model introduces the traceback phase, which allows investigators to backtrack to the actual technology used in the crime.
• Readiness includes activities to ensure equipment and personnel are prepared.
• Deployment enables the detection and validation of an event or incidents.
• Traceback tracks back to the source crime scene including technology and location.
• Dynamite involves conducting investigations at the primary crime scene with intentions of identifying the potential offender(s).
• Review assesses the entire investigative process to identify opportunities for improvement (Figure AA.8).
[P09] Extended Model of Cyber Crime Investigation (2004)
Consisting of thirteen phases, this model was proposed as a generalized approach to the investigative process to assist the development of new tools and techniques.
• Awareness allows the relationship with investigation event to be identified.
• Authorization involves obtaining approval to proceed with the investigation.
• Planning scopes out how and where evidence will be collected.
• Notification informs stakeholders of the investigation.
• Search for and identify evidence locates and identifies evidence sources.
Figure AA.8 Enhanced integrated digital investigation process 2004.
Figure AA.9 Extended model of cyber crime investigation 2004.
• Collection of evidence involves acquiring and preserving evidence.
• Transport of evidence includes moving evidence into a secure location.
• Storage of evidence includes placing evidence in protective custody.
• Examination of evidence evaluates evidence to reveal data and reduce volumes.
• Hypothesis constructs a theory based on the events that occurred.
• Presentation of hypothesis allows for a decision on the appropriate course of action.
• Proof/defense of hypothesis involves demonstrating the validity of the theory.
• Dissemination of information distributes information to stakeholders (Figure AA.9).
[P10] A Hierarchical, Objective-Based Framework for the Digital Investigations Process (2004)
Consisting of six phases, this model was proposed as a means of addressing all phases and activities described in preceding process models.
• Preparation includes activities to ensure equipment and personnel are prepared.
• Incident response detects and acknowledges an event or incident.
• Data collection gathers digital evidence in support of the response and investigation.
• Data analysis validates the detected event or incident using collected digital evidence..
• Presentation of findings communicates findings to stakeholders.
• Incident closure includes acting upon decisions and assessing the investigative process (Figure AA.10).
Figure AA.10 A hierarchical, objective based framework for the digital investigation process 2004.
[P11] Event-Based Digital Forensic Investigation Framework (2004)
Consisting of five phases, this model proposes following the processes for investigating physical crime scenes while considering the digital crime scene investigation as a subset.
• Readiness includes activities to ensure equipment and personnel are prepared.
• Deployment involves the detection of an incident and notification of investigators.
• Physical crime scene investigation phases is a series of steps and activities to search for, identify, and collect physical evidence to reconstruct physical events.
• Digital crime scene investigation phases is a subset of the physical crime scene investigation that involves a series of steps and activities to examine digital evidence.
• Presentation includes preparing reporting documentation (Figure AA.11).
Figure AA.11 Event based digital forensic investigation framework 2004.
[P12] Four-Step Forensic Process (2006)
Consisting of four phases, this model proposes that forensics investigations can be conducted by even non-technical persons through increased flexibility of steps and activities performed.
• Collection involves searching for digital evidence sources and ensuring their integrity is maintained during the gathering process.
• Examination evaluates digital evidence to reveal data and reduce volumes.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Reporting includes presenting digital evidence through investigation documentation (Figure AA.12).
[P13] Framework for a Digital Forensic Investigation (2006)
Consisting of three phases, this model proposes merging existing process models into a broader and more adaptable model.
• Preparation includes activities to ensure equipment and personnel are prepared.
• Investigation involves all steps and activities performed to preserve, analyze, and store evidence.
• Presentation includes preparing reporting documentation (Figure AA.13).
Figure AA.12 Four step forensic process 2006.
Figure AA.13 Framework for a digital forensic investigation 2006.
[P14] Computer Forensics Field Triage Process Model (2006)
Consisting of six primary phases and six sub-tasks, this model proposes performing investigative tasks onsite, in a short timeframe, without seizing technology or acquiring forensic images.
• Planning includes activities to ensure equipment and personnel are prepared.
• Triage identifies evidence and determines its relevance to the investigation.
• User usage profile focuses on analyzing user activity and behavior.
• Chronology timeline establishes a date/time sequence of digital evidence events.
• Internet examines artifacts from Internet-related service activities.
• Case specific places focus on digital evidence relating directly to the investigation (Figure AA.14).
[P15] FORZA—Digital Forensics Investigation Framework (2006)
Consisting of six layers, this model proposes linking the eight practitioner roles and their associated procedures throughout the investigative process.
• Contextual investigation layer: understands the background details of the event
• Contextual layer: recognizes the involvement of business elements with the event
• Legal advisory layer: determines the legal aspects of the event
• Conceptual security layer: explores the design of systems and relevant security controls
• Technical presentation layer: determines the strategies and steps required of the digital forensics investigation
Figure AA.14 Computer forensic field triage process model 2006.
Figure AA.15 FORZA—digital forensic investigation framework 2006.
• Data acquisition layer: involves executing the identified digital forensics strategies and steps to collect evidence
• Data analysis layer: involves executing the identified digital forensics strategies and steps to examine evidence
• Legal presentation layer: involves discussing legal components as a result of the investigation (Figure AA.15)
[P16] Process Flows for Cyber Forensics Training and Operations (2006)
Consisting of three phases, this model proposes one workflow to govern general behavior related to an electronic crime scene.
• Inspect and prepare scene contains the preparation actions to survey the scene, equipment to be seized, and evidence to be collected.
• Collect evidence and evidence information contains the elements involved in the collection of information related to evidence.
• Debrief scene and record seizure information contains the actions to record the existence and handling of evidence (Figure AA.16).
Figure AA.16 Process flows for cyber forensics training and operations 2006.
[P17] Common Process Model for Incident and Computer Forensics (2007)
Consisting of three phases, this model proposes combining incident response and computer forensics into an overall process for investigations.
• Pre-analysis contains all steps and activities that are initially completed.
• Analysis includes all steps and activities performed during evidence examination.
• Post-analysis documents all steps and activities completed throughout the investigation (Figure AA.17).
[P18] Dual Data Analysis Process (2007)
Consisting of four phases, this model proposes following parallel investigative streams. The first stream is with a less experienced “computer technician” and the second stream is with a “professional investigator.”
• Access locates and identifies evidence sources.
• Acquire involves collecting evidence and ensuring its integrity is maintained.
Figure AA.17 Common process model for incident and computer forensics 2007.
Figure AA.18 Dual data analysis process 2007.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Report includes presenting digital evidence through investigation documentation (Figure AA.18).
[P19] Digital Forensic Investigations Framework (2008)
Consisting of five phases, this model proposes:
• Preparation: involves becoming familiar with the investigations and activities to ensure equipment and personnel are prepared
• Collection and preservation: involves gathering and storing digital evidence
• Examination and analysis: evaluates the context and content of digital evidence to determine relevancy to reveal data and reduce volumes
• Presentation and reporting: includes preparing and presenting digital evidence through investigation documentation
• Dissemination: distributes information to stakeholders (Figure AA.19)
Figure AA.19 Digital forensic investigations framework 2008.
[P20] Digital Forensic Model Based on Malaysian Investigation Process (2009)
Consisting of seven phases, this model is based on the Malaysian investigation process focusing on data acquisition and fundamental phases in conducting analysis.
• Planning involves obtaining authorization and associated documentation to conduct an investigation.
• Identification identifies evidence to be seized while considering data volatility.
• Reconnaissance involves gathering and storing digital evidence.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Result includes preparing reporting documentation.
• Proof and defense proves a hypothesis with supporting evidence.
• Archive storage maintains evidence for future reference (Figure AA.20).
[P21] Generic Framework for Network Forensics (2010)
Consisting of nine phases, this model was proposed to specifically formalize a methodology for network-based digital investigations.
• Preparation and authorization includes activities to ensure equipment and personnel are prepared.
Figure AA.20 Digital forensic model based on malaysian investigation process 2009.
Figure AA.21 Generic framework for network forensics 2010.
• Detection of incident/crime indicates that an incident or event has occurred.
• Incident response consists of acknowledging and responding to an event or incident.
• Collection of network traces acquires data from sensors that collect network traffic data.
• Preservation and protection involves gathering and storing digital evidence.
• Examination evaluates digital evidence to reveal data and reduce volumes.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Investigation and attribution reconstructs the event or incident using collected evidence.
• Presentation includes preparing reporting documentation (Figure AA.21).
[P22] Generic Computer Forensic Investigation Model (2011)
Consisting of five phases, this model was proposed as a means of generalizing the investigative process.
Figure AA.22 Generic computer forensic investigation model 2011.
• Pre-process includes obtaining approval to proceed and activities to ensure equipment and personnel are prepared.
• Acquisition and preservation involves gathering and storing digital evidence.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Presentation includes preparing reporting documentation.
• Post-process includes returning evidence, where feasible, and identifying opportunities for improvement (Figure AA.22).
[P23] Systematic Digital Forensic Investigation Model (2011)
Consisting of eleven phases, this model was proposed with the goal of aiding in the establishment of appropriate policies and procedures in a systematic manner.
• Preparation involves becoming familiar with investigations and activities to ensure equipment and personnel are prepared.
• Securing the scene secures the crime scene from unauthorized access and mitigates evidence tampering.
• Survey and recognition involves assessing the crime scene for potential evidence sources and establishing an appropriate search plan.
• Documenting the scene ensures crime scene documentation is recorded, including photographs, sketches, etc.
• Communication shielding terminates all data exchange capabilities from technology.
Figure AA.23 Systematic digital forensic investigation model 2011.
• Evidence collection focuses on gathering of relevant data using approved techniques.
• Preservation establishes proper evidence gathering and chain of custody.
• Examination evaluates evidence to reveal data and reduce volumes.
• Analysis examines the context and content of digital evidence to determine relevancy.
• Presentation includes preparing reporting documentation.
• Result identifies opportunities for improvement (Figure AA.23).
[P24] Advanced Data Acquisition Model (ADAM) (2011)
Consisting of three phases, this model was proposed to function as a generally accepted standard for the acquisition of digital evidence.
• Initial planning involves becoming familiar with the investigations and activities to ensure equipment and personnel are prepared.
• Onsite planning involves learning additional specific details about the investigations to facilitate the acquisition of evidence.
• Acquisition involves the gathering and storage of digital evidence (Figure AA.24).
Figure AA.24 Advanced data acquisition model (ADAM) 2011.
Comparative Analysis
With an understanding of the phases and tasks within each process model, it is evident that each author has been variously influenced as they have developed their respective process models. Most notable is the use of non-parallel characteristics—such as the interchangeable use of procedures, processes, phases, functions, tasks, and steps—to describe their proposed investigative workflow.
Even though all identified process models have unique characteristics, each author developed theirs with the intention of upholding the application of forensic science to the investigative process. Having standardized the terminology being used to objectively compare these process models, we can easily recognize the phases of each model and extract them for further comparison.
NOTE: [M15] FORZA—Digital Forensics Investigation Framework 2006 was not included in the comparison below because of significant differences in the process model’s characteristics; it uses layers and roles instead of phases for describing the investigative workflow (Figure AA.25).
As illustrated in Figure AA.25, we can easily see which phases are more often applied across multiple process models and how frequently they occur. Of special note, highlighted in the graphic below are seven phases that have the highest frequency of re-occurrence: preparation, identification, collection, preservation, examination, analysis, and presentation. Without getting caught up in the subtle differences in naming conventions, it is quite apparent that there is an opportunity to consolidate all phases identified throughout each process model into these common phases.
Figure AA.25 Process model phase frequencies.
Summary
Since the formalization of digital forensic science, several process models have been developed and proposed to meet specific investigative needs. Regardless of the difference in structure of each process model, the underlying fundamental workflow and concepts of mandatory investigative activities remains consistent as represented within the higher-level phases.