2019 4th International Conference on Information Systems and Computer Networks (ISCON)

GLA University, Mathura, UP, India. Nov 21-22, 2019

Cyber Forensics and Comparative Analysis of Digital Forensic Investigation Frameworks
Kumar Shanu Singh, Department of Computer Sci & Eng., Centre for Advanced Studies, Lucknow, India, 17mcs06@cas.res.in

Annie Irfan, Department of Computer Sci & Eng., Institute of Engineering & Technology, Lucknow, India, annieirfan.cs@gmail.com

Neelam Dayal, Department of Computer Sci & Eng., Centre for Advanced Studies, Lucknow, India, neelamdayal@cas.res.in

Abstract— With Industrial Revolution 4.0, automation fosters communication between digital devices around the globe, involving cyber physical system devices, IoT devices, mobile devices, storage devices, network devices and even PCs, all of which can serve as digital evidence, while the cybercrime rate keeps increasing. This raises the question of the necessity of an advanced Digital Forensics Investigation Framework (DFIF) for the effective prosecution of digital crime in a court of law, such that the framework preserves the integrity of evidence throughout every step of the process. Our paper is descriptive in nature: it surveys recent trends in cybercrime attacks and explores the associated cyber forensics. In addition, we have mapped the processes and outputs produced by the different phases of the DFIFs examined from previously proposed frameworks and present a comparative mapping of all frameworks. The mapping process results in an optimized investigation process.

Keywords— Cyber crime attack; Digital forensic investigation framework (DFIF); Incident Response; Analysis; Investigation.

I. INTRODUCTION

The advent of Industrial Revolution 4.0 (I4.0) has marked the birth of various startups as well as giant companies in various sectors of automation. On top of the prevailing traditional systems, I4.0 leads to computerization and the inclusion of new technologies such as cyber physical systems, IoT, cloud computing and cognitive computing. Thus, the range of cyber-attacks and crimes is increasing exponentially, producing a variety of digital marks and evidence. This evidence needs to be preserved with its integrity intact so that it can be used for prosecution in a court of law. From the outset, the need to build DFIFs was recognized, which expanded the domain of digital forensics to a number of fields such as IoT forensics, cloud forensics, network forensics and storage device forensics; nevertheless, the general concept of preserving evidence in a Chain of Custody (CoC) has not changed significantly. Forensics originates from reported cybercriminal incidents, i.e. illegitimate and inapt behavior of an individual or group with intent. The role of forensics can be cataloged into different areas which facilitate the analysis of criminal activities using forensic methodologies and investigation frameworks, elaborated in further sections.

In essence, the phases of a DFIF include collecting, preserving, analyzing and providing scientifically supported evidence, appropriately documented, for prosecution in criminal or civil courts of law. In digital forensic investigation practice, there is a bundle of digital forensic investigation frameworks developed by organizations and researchers, each with its own processes and each focusing on some technical aspects or phases. To date, the technology investigated and the available tools have guided the digital phases. As a result, when the underlying technology of the target device varies, new processes have to be developed. This brings us to the need for a comprehensive analysis of DFIFs, as mapped in our paper.

Further, in Section 2, we discuss the predominant cyber-attacks in I4.0, in line with the standard OWASP vulnerabilities, and the related forensic techniques. Section 3 gives a review of related works in the development of various DFIFs. The paper proposes, in Section 4, a mapping activity that can simplify the overall process of previous research within the Digital Forensic Testing Framework. Section 5 gives a comparative result analysis of our study to show the balance of the investigation process for the preparation of appropriate solid evidence that is to be presented in a court of law. Conclusion and future work are in Section 6.

II. CYBER FORENSICS AND DIGITAL EVIDENCE: RECENT DEVELOPMENT

Digital evidence is the central component that needs to be examined for any criminal activity. Evidence comprises both traditional or physical evidence and cyber digital evidence. Here, however, we scrutinize the case of digital evidence. The current cybercrimes in I4.0 have opened a large scope for various categories of forensics. According to the EY Global Information Security Survey 2018-19 [1], which presented the top 10 biggest cyber threats to organizations worldwide, Phishing and Malware are the top threats. Attacks such as DDoS attacks for disrupting the services of an organization are ranked third, followed by Financial Frauds. Although there are more threats mentioned in the report, Internal Threats are also one of the rising concerns. The attack percentage is depicted in Figure 1.

Fig. 1. Cyber Crime Reported data by EY Global in 2018-19

978-1-7281-3651-6/19/$31.00 ©2019 IEEE 584

Authorized licensed use limited to: Auckland University of Technology. Downloaded on May 25,2020 at 06:29:41 UTC from IEEE Xplore. Restrictions apply.
To understand the 5W, i.e. 'who, what, when, where and why', of a cyber-incident, the evidence collected from the origin of the crime is carefully observed. This whole process of validating the findings against the details and information obtained from evidence is known as cyber forensics. Table 1 elaborates the major forms of cyber forensics. The newly emerging fields of forensics are the consequence of new technological developments for measuring web app security risk. This can be further understood with reference to the list in OWASP 2017 [2].

However, the different forms of digital evidence still need to be prosecuted under the same laws of court to prove guilt, with a change only in the technique used for the analysis of evidence. Further, in Section 3, we review various DFIFs from 2003 to the present, for understanding and to bring a structured and comprehensive forensic framework forward as an area for further research.

III. REVIEW OF DIGITAL FORENSIC INVESTIGATION FRAMEWORKS

This section studies the most popular related work on DFIFs. These DFIFs are divided into several phases, as described in Table 2. Our work starts a comprehensive analysis from the earliest and most prominent work, that of Carrier et al. [3] in 2003, which recommended a model for examining potential evidence. The emphasis was on combining both law and forensic science and on documenting the process involved in the investigation in a standard acceptable form. Five different phases were introduced in this method, which can be acknowledged for the admission of any evidence in court.

In 2004, the Digital Forensic Research Working Group [4] recommended a standard investigation process, which is applicable to all or most investigations involving digital systems as well as networks. In this framework, processes are defined in a way that handles both physical and digital evidence. This framework marks the foundation for much of the work published since.

However, Carrier et al. in 2004, based on the earlier work, proposed a framework named "Event-Based Digital Forensic Testing Framework" that includes five steps. It provides a model that can be applied to classify events, and the authors list among its benefits a mechanism to implement the same framework for future digital technologies. However, in real life the model was challenged by forensic experts like Kohn [5] and Hevner [6]. In this model, the author did not separate the primary crime scene (from which the digital crime commenced) and the secondary crime scene (the victim's location), which affects the rebuilding of events or leads to incomplete findings.

Ciardhuáin et al. [7] proposed a clear investigating framework in which, even before the matter is reported, steps are taken from the beginning of the investigation process, with the preparation of the investigation, and throughout the process. This framework supports the development of techniques and tools for investigators, and such a structure can be considered a comprehensive package.

Kohn et al. [5] proposed a framework compiled from the works in [4][8][9][7][10][11]. Their research emphasized two important points. First, knowledge of the relevant legal foundation is the most important step before establishing the framework, from the very beginning of the investigation to its termination. Second, any framework must include at least three phases so as to meet the minimum requirements of a forensic investigation. Therefore, Kohn organized the process into three stages and proposed their structure. The proposed structure can readily be augmented to include a number of additional steps, if required.

The Computer Forensic Field Triage Process Model (CFFTPM) [12] recommends an onsite or field approach to provide the system/media for deep examination, without the need to take a full forensic image or to return to the laboratory for identification, analysis, and interpretation of digital evidence. This structure builds on the IDIP Framework [13] and the Digital Crime Scene Environmental Analysis (DCSA) framework [14]. The framework gives a formalization of real-world investigative approaches and their applicability, which is an advantage of CFFTPM in contrast to other DFIFs.

Freiling et al. [15] proposed a model that treats computer security incidents by combining incident response and computer forensics so as to improve the overall investigation process, organized into 4 phases and concentrating mainly on analysis. The pre-analysis, actual analysis and post-analysis phases refer, respectively, to all the steps and activities executed before the real analysis starts, the examination of evidence, and finally the documentation of all activities during the investigation. This framework provides a method for conducting a proper investigation and also integrates forensic analysis into an incident response framework.

In 2007, Bem et al. [16] proposed a new structure that involves analyzing a case in two environments, the first virtual and the second traditional, and that comprises four phases. The proposed work focuses primarily on the analysis phase of a digital case in a virtual environment. They list different boundaries of virtual environments. Although virtual environments can be a replacement for the traditional environment, the virtual environment helps in the better use of less qualified personnel.

In 2009, Perumal et al. [17] proposed another digital forensic investigation model, which is based on Malaysian investigative procedures. There are 7 steps in the proposed model. The framework includes an additional feature for evidence on a running (in operation) system, which is similar to performing live forensics. The author argued for the presence of live data acquisition, which is centered on fragile evidence. Data is analyzed and tested using the appropriate tools and techniques. The phase similar to the presentation phase of previous models is here named the Proof and Defense phase. Finally, the archive storage phase is performed: related evidence is properly stored for future reference and may also be used for training purposes.

Pilli et al. [18] proposed a new framework for network forensics. The structure is organized in nine phases, and the framework provides a foundation for the development of techniques and tools. Therefore, this structure is probably considered to be the most suitable for network forensics.

Roger et al. [19] proposed a multi-perspective cybercrime investigation process modeling framework that is
based on the generalization of the settings that were previously proposed. The proposed structure is made up of three phases, which are further classified into twenty steps. The framework is mainly focused on examining the approach for the various tasks to be done under each process to achieve the respective test targets. Saleem et al. [20] proposed a model which is an expansion of Reith's abstraction model. The model has seven steps and addresses maintaining the integrity of digital evidence and preserving human rights as overlapping umbrella principles.

A new structure, known as the Triage Framework for Digital Forensics, was proposed by Bashir et al. [21] in 2015. This framework is based on live analysis of the system. The paper presents a forensic examination method in which machines go through many steps, from identifying the machines to making reports. The paper determines the comprehensive steps involved in its triage. They describe step-by-step procedures for forensic analysis on compounding machines and for storing all these activities in a database for later use. In the proposed framework, triage is performed after data acquisition and before the detailed analysis phase.

Al-Khateeb et al. [22] proposed a new forensic model in which the chain of custody is based on distributed distribution. They provided a scenario related to eHealth to show the value of this approach in introducing forensic readiness in computer systems and enabling better police intervention.

A Blockchain-based framework was proposed by Lone et al. [23] in 2019; the modern digital forensics is known as Blockchain: Chain-of-Custody as a distributed ledger. In the proposed framework, the authors implemented Blockchain in a chain of custody to tackle the challenges faced while maintaining the integrity and authenticity of digital evidence for its acceptance in a court of law. The authors brought integrity and tamper resistance to the custody of the Digital Forensic Chain. The authors also gave a proof of concept in Hyperledger Composer and evaluated its performance.

TABLE I. CATEGORY OF FORENSICS AND TYPE OF EVIDENCE COLLECTED

| Forensics | Description | Type of potential evidences | Cyber attack / Vulnerability exploited |
|---|---|---|---|
| Computer Forensics | Originally known as digital forensics, includes laptops, computers | Evidence from computer systems and any primary memory and secondary memory (like USB pen drives), Documents, Email (Non-web-based), Files stored locally or on a media card, Internet Search History, Social Media accounts, Everything from All Categories | Malware, Email Phishing, DDoS, Internet bomb threat, cyber bullying and harassment, Enterprise hacking, Financial frauds, Spoofing, password attack, Potentially unwanted programs (PUPs) |
| Mobile device forensics | Additionally contains an inbuilt communication system such as GSM, GPS. | Not limited to short message services or emails; it also includes data regarding the location of the user, call log, user dictionary content, data from installed applications, media (audio, video, images, other files), system files, usage logs, and any other deleted data. Social Media accounts, Game consoles. | Spoofing, password attack, Cyber Stalking, Identity theft |
| Network forensics | Investigating network traffic and network packets over different networks. | Covers intrusion detection and firewalls. Network data is volatile and not easy to log, as the attacker may be passive or active. | Spoofing, password attack, Broken Access Control |
| Database Forensics | Study of databases and its metadata | Analyses of database content, log files, and in-RAM data | SQL Injection attack, Broken Access Control, Cross Site Scripting, Insecure Deserialization |
| IoT forensics | Study of IoT devices as embedded systems and devices that communicate | Analyse the IoT devices as embedded systems, wearables, independent products that interact like toys and home-kitchen appliances, etc.; CCTV camera, drones, CPS. | Spoofing, password attack, Botnets, Enterprise hacking |
| Software/Web application forensics | Study of code of software | Analysis to check whether code had been copied or tampered with, or malware injection | Broken Authentication, Security Misconfigurations |
| Fraudulent Data Analysis | Study of devices that are especially designed to gain financial gains. | Analysis of phishing websites or fake URLs that make illegitimate transactions, ATM cloning, UPI frauds; may include linkage to SNS accounts. | Financial frauds, Sensitive Data Exposure. |

After a comprehensive analysis of the DFIFs, the three major findings that we established are process redundancy, area focus, and framework features. For instance, the structures of [11] and [24] consist of duplicated processes or activities. [8] and [12] focus on creating a method for quick forensic analyses, while [19], [16] and [21] focus on the analysis process so that the evidence can be obtained and the whole investigation process improved. The frameworks of [14] and [20] have the characteristics of specificity and pragmatism. [22] and [23] have implemented Blockchain to ensure integrity in the chain of custody. All these settings have their own strengths; however, as of today, no single framework can be used as a general guideline for examining the cases of all incidents. Therefore, to overcome this issue, a general framework is required and research is needed.
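The tamper-evidence idea behind the blockchain-based chain-of-custody frameworks [22], [23] can be shown with a single-process hash chain. The following Python sketch is an added illustration, not code from this paper or from those frameworks, and it has no consensus layer or Hyperledger component. The class `CustodyLedger`, its field names, and the custody events are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(body: dict) -> str:
    """Hash the canonical JSON of an entry body (all fields except 'hash')."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


class CustodyLedger:
    """Append-only custody log: every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        """Hash of the newest entry; the value other parties would witness."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, evidence: bytes, custodian: str, action: str, when: str) -> dict:
        body = {
            "index": len(self.entries),
            "timestamp": when,
            "custodian": custodian,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev_hash": self.head(),
        }
        entry = dict(body, hash=entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return (index, problem) findings; an empty list means the chain is intact."""
        findings = []
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["index"] != i:
                findings.append((i, "index out of sequence"))
            if entry["prev_hash"] != prev:
                findings.append((i, "broken link to previous entry"))
            if entry_hash(body) != entry["hash"]:
                findings.append((i, "entry contents altered"))
            prev = entry["hash"]
        return findings

    def evidence_intact(self, evidence: bytes) -> bool:
        """True if the bytes in hand match the digest recorded at every handoff."""
        digest = sha256_hex(evidence)
        return all(e["evidence_sha256"] == digest for e in self.entries)


def demo() -> dict:
    image = b"constructed sample standing in for an acquired disk image"
    steps = [  # constructed custody events
        ("first responder", "acquired", "2019-11-21T09:00:00Z"),
        ("evidence custodian", "transferred", "2019-11-21T11:30:00Z"),
        ("forensic analyst", "examined", "2019-11-22T10:15:00Z"),
    ]
    ledger = CustodyLedger()
    for who, action, when in steps:
        ledger.append(image, who, action, when)
    witnessed_head = ledger.head()  # assumed to be held by an independent party
    result = {"clean": ledger.verify(), "image_ok": ledger.evidence_intact(image),
              "modified_image_ok": ledger.evidence_intact(image + b"!")}

    # Edit one record in place without touching its stored hash.
    ledger.entries[1]["custodian"] = "unknown person"
    result["edited"] = ledger.verify()

    # Recompute that record's hash: the next entry no longer links to it.
    body = {k: v for k, v in ledger.entries[1].items() if k != "hash"}
    ledger.entries[1]["hash"] = entry_hash(body)
    result["rehashed"] = ledger.verify()

    # Rebuild the whole log with the altered custodian: internally consistent,
    # but its head differs from the one witnessed earlier.
    forged = CustodyLedger()
    for who, action, when in steps:
        forged.append(image, "unknown person" if action == "transferred" else who, action, when)
    result["forged_findings"] = forged.verify()
    result["forged_head_matches"] = forged.head() == witnessed_head
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last case is the reason for distributing the ledger: a fully rebuilt log passes its own checks, and only a head hash held by independent parties exposes the rewrite.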

TABLE II. A COMPARATIVE ANALYSIS ON PHASES OF DFIFS

| No | DFIF | Author | Year | No of Phases | Phases in DFIF |
|---|---|---|---|---|---|
| 1 | Integrated Digital Investigation Process (IDIP) | Carrier et al. | 2003 | 5 | Readiness, Deployment, Physical Crime Scene Investigation and Digital Crime Scene Investigation; and Review |
| 2 | The Enhanced Digital Investigation Process Model | Baryamureeba et al. | 2004 | 5 | Readiness, Deployment, Traceback, Dynamite and Review |
| 3 | An Event-Based Digital Forensic Investigation Framework | Carrier et al. | 2004 | 4 | Readiness, Deployment, Physical and Digital crime scene investigation and Presentation |
| 4 | Extended Model of Cybercrime Investigation | Ciardhuáin et al. | 2004 | 13 | Awareness, Authorization, Planning, Notification, Search, Identification, Collection, Transport, Storage, Examination, Hypothesis, Presentation and Dissemination. |
| 5 | Framework for a Digital Forensic Investigation | Kohn et al. | 2006 | 3 | Preparation, Investigation and Presentation. |
| 6 | Computer Forensics Field Triage Model (CFFTPM) | Rogers et al. | 2006 | 6 | Planning, Triage, User profile, Chronology/timeline, Internet activity, and Case. |
| 7 | Common Process Model for Incident and Computer Forensics | Freiling et al. | 2007 | 4 | Pre-incident preparations, Pre-analysis, Analysis and Post analysis. |
| 8 | Computer Forensic Analysis in a Virtual Environment | Bem et al. | 2007 | 4 | Access, Acquire, Analyze and Report |
| 9 | Digital Forensic Model based on Malaysian Investigation Process (DFMMIP) | Perumal et al. | 2009 | 7 | Plan, Identification, Reconnaissance, Investigation, Transportation and storage, Analysis and tested, Proof of Defense and archive storage. |
| 10 | Network forensic frameworks: Survey and research challenges | Pilli et al. | 2010 | 9 | Preparation, Incident reaction, Detection, Collection, Protection, Examination, Analysis, Investigation, and Presentation. |
| 11 | Multi-Perspective Cybercrime Investigation Process Modeling | Roger et al. | 2012 | 3 phases comprising 20 steps | Multi-perspective Cybercrime Investigation Process Modeling, Active investigation and Reactive investigation |
| 12 | Extended abstract digital forensics model with preservation and protection as umbrella principles | Saleem et al. | 2014 | 7 | Preparation and Planning, Collection, Examination, Analysis, Reporting, Presentation, Archiving and Returning |
| 13 | A triage framework for digital forensics | Bashir et al., 2015 | 2015 | 5 | Identification, Data preservation, Extraction, Triage and Evidentiary Report |
| 14 | Blockchain for Modern Digital Forensics: The Chain-of-Custody as a Distributed Ledger | Al-Khateeb et al., 2019 | 2019 | 6 | Identification, Preservation, Collection, Examination, Analysis and Presentation |
| 15 | Forensic-chain: Blockchain based digital forensics chain of custody with PoC in Hyperledger Composer | Lone et al., 2019 | 2019 | 6 | Identification, Search & Seizure, Preservation, Examination, Analysis and Reporting |

IV. MAPPING SCHEME FOR DFIF

From the popular structures outlined in Section 3, it can be seen that each framework evolved from preceding experience and that many of them focus on different areas of investigation. However, the computational output of all frameworks is the same, even though the sequence of processes and the activities used differ slightly.

In this section, we introduce a mapping scheme for the Digital Forensic Investigation Framework (DFIF) that groups and merges all activities/processes that generate the same output. The mapping scheme is intended to balance the process so as to obtain a prevailing direction that can produce strong evidence for presentation. The steps implemented to design the DFIF mapping scheme are as follows:

Step 1. Identify existing structures

Step 2. Formation of phase name

Step 3. Mapping the Process

a) Identify existing structures

In this phase, we have analyzed the previous structures by identifying their activities/processes and outputs. The result of this identification is summarized into five categories on the basis of the activities/processes related to awareness and increasing the potential of the forensic organization, evidence collection, analysis of evidence, presentation of results and termination of the case, as shown in Table 3.

b) Formation of phase

After the first step, based on the activities/processes and outputs, the phases have been categorized as Readiness, Reconnaissance/Footprinting, Investigation, Presentation, and Incidence Closure, as shown in Table 3. The outputs of the phases are also depicted in the same table.

1. Readiness: In this phase, we determined all the activities/processes which deal with maximizing the potential of an organization by reducing the cost of the investigation.

2. Reconnaissance/Footprinting: All the phases which deal with the collection and preservation of evidence, or with the collection of evidential data using several techniques and mechanisms, are included in this single phase.

3. Investigation: This phase includes activities/processes that deal with the analysis and examination of digital evidence using various forensic techniques to relate it to the crime.

4. Presentation: This phase involves all those activities/processes which include the dissemination of the findings of the investigation, on the basis of which a decision can be made.

5. Incidence Closure: It includes phases which involve the termination of cases and the sharing of the outputs of an investigation with other forensic organizations for future reference.

TABLE III. PHASES OF OPTIMIZED DFIF WITH ACTIVITIES AND OUTPUT

c) Mapping the Process

In this step, the previous activities/processes and outputs are analyzed, identified and mapped under the name of the newly defined phase. Using a table, we have summarized all the activities/processes and outputs of the selected DFIFs into the five defined phases. An overview of the result generation is shown in Table 4.

TABLE IV. MAPPING PROCESS IN DFIF

| Phase / Output | Marks under outputs 1 to 5 |
|---|---|
| Baryamureeba et al., 2004 | |
| Readiness | √ |
| Deployment | √ |
| Traceback | √ |
| Dynamite | √ √ |
| Review | √ |
| Perumal et al., 2009 | |
| Planning | √ |
| Identification | |
| Reconnaissance | √ |
| Transport & Storage | |
| Analysis | √ |
| Proof & Defence | √ |
| Archive Storage | |

V. RESULT ANALYSIS

As per the mapping scheme defined in Section 3, the activities/processes and the outputs of all the selected frameworks are simplified into five phases, as shown in Table 5.

From the analysis shown in Table IV, it is concluded that frameworks mostly consist of some crucial phases, which include Phase 2 – Reconnaissance/Footprinting, Phase 3 - Examination, and Phase 4 - Presentation, excluding Phase 1 and Phase 5. Although Phase 1 and Phase 5 are not included in some frameworks, the learning in [5], [15], [24], [25], [19], and [22] shows that both phases are important in order to complete an investigation. Phase 1 is to ensure that the investigation process has begun, that it is executed following standard procedures, and that the chain of custody is protected. If Phase 5 is excluded, the result is an inadequate investigation and no advancement in investigation procedures or policies. Therefore, a standard framework should include all the proposed phases, which are the readiness phase, reconnaissance/footprinting, investigation phase, presentation, and incident closure.

TABLE V. MAPPING PROPOSED AND OPTIMIZED DFIF

| Digital Forensic Investigation Framework/ Model | Phases marked (Phase 1 to Phase 5) |
|---|---|
| Carrier et al., 2003 | ▄ ▄ ▄ |
| Baryamureeba et al., 2004 | ▄ ▄ ▄ ▄ ▄ |
| Carrier et al., 2004 | ▄ ▄ ▄ ▄ |
| Ciardhuáin et al. 2004 | ▄ ▄ ▄ ▄ |
| Kohn et al., 2006 | ▄ ▄ ▄ ▄ ▄ |
| Rogers et al., 2006 | ▄ ▄ ▄ ▄ |
| Freiling et al., 2007 | ▄ ▄ ▄ ▄ ▄ |
| Bem et al., 2007 | ▄ ▄ ▄ |
| Perumal et al., 2009 | ▄ ▄ ▄ ▄ |
| Pilli et al., 2010 | ▄ ▄ ▄ |
| Roger et al., 2012 | ▄ ▄ ▄ ▄ ▄ |
| Saleem et al., 2014 | ▄ ▄ ▄ ▄ |
| Bashir et al., 2015 | ▄ ▄ ▄ ▄ |
| Al-Khateeb et al., 2019 | ▄ ▄ ▄ ▄ ▄ |
| Lone et al., 2019 | ▄ ▄ ▄ ▄ |

VI. CONCLUSION AND FUTURE WORK

The mapping scheme gives a standardized DFIF for establishing clear guidelines for the forensic processes/activities and for obtaining a precise idea of the output of each particular activity throughout the investigation. In our study of the previously proposed frameworks, overlapping steps/processes were detected in each stage under a different vocabulary, focus area and outline characteristics. The proposed mapping schema attempts to reduce the existing convoluted frameworks to a universal DFIF for investigating cases of all digital incidents and protecting the chain of custody without tampering with evidence. In order to augment the investigation process, the proposed mapping scheme can be extended to map various cases and digital evidence. To verify the effectiveness of the framework, a prototype will be developed. With new technologies, the challenges faced by the law still need to be addressed by researchers, which opens a large scope of work [26][27].

REFERENCES

[1] P. Van Kessel, “Is cybersecurity about more than protection?,” EY Glob. Inf. Secur. Surv. 2018-2019, 2019.
[2] OWASP, “OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks,” 2017.
[3] B. Carrier and E. H. Spafford, “Getting Physical with the Digital Investigation Process,” Int. J. Digit. Evid. Fall, 2003.
[4] V. Baryamureeba and F. Tushabe, “The Enhanced Digital Investigation Process Model,” 2004.
[5] M. Kohn, M. S. Olivier, and J. H. P. Eloff, “Framework for a Digital Forensic Investigation,” Communications, 2006.
[6] Hevner, March, Park, and Ram, “Design Science in Information Systems Research,” MIS Q., 2004.

[7] S. Ó Ciardhuáin, “An Extended Model of Cybercrime Investigations,” vol. 3, no. 1, pp. 1–22, 2004.
[8] B. Carrier and E. H. Spafford, “An event-based digital forensic investigation framework,” Proc. 4th Digit. Forensic Res. Work., pp. 11–13, 2004.
[9] R. Jones, “Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet,” Int. J. Law Inf. Technol., 2004.
[10] J. I. Trombka et al., “Crime scene investigations using portable, non-destructive space exploration technology,” Forensic Sci. Int., 2002.
[11] M. Reith, C. Carr, and G. Gunsch, “An examination of digital forensic models,” Int. J. Digit. Evid., 2002.
[12] M. Rogers, J. Goldman, R. Mislan, T. Wedge, and S. Debrota, “Computer Forensics Field Triage Process Model,” J. Digit. Forensics, Secur. Law, vol. 1, no. 2, 2006.
[13] B. Carrier, “Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers,” Int. J., 2003.
[14] A. Brinson, A. Robinson, and M. Rogers, “A cyber forensics ontology: Creating a new approach to studying cyber forensics,” Digit. Investig., vol. 3, no. SUPPL., pp. 37–43, 2006.
[15] F. C. Freiling and B. Schwittay, “A Common Process Model for Incident Response and Computer Forensics,” in IT Incident Management and IT Forensics, 2007.
[16] D. Bem and E. Huebner, “Computer forensic analysis in a virtual environment,” Int. J. Digit. Evid., vol. 6, no. 2, pp. 1–13, 2007.
[17] S. Perumal, “Digital Forensic Model Based On Malaysian Investigation Process,” IJCSNS Int. J. Comput. Sci. Netw. Secur., 2009.
[18] E. S. Pilli, R. C. Joshi, and R. Niyogi, “A Framework for Network Analysis,” Int. J. Comput. Appl., vol. 1, no. 11, pp. 1–6, 2010.
[19] A. EtoundiRoger and M. Moyo Achille, “Multi-perspective Cybercrime Investigation Process Modeling,” Int. J. Appl. Inf. Syst., vol. 2, no. 8, pp. 14–20, 2012.
[20] S. Saleem, O. Popov, and I. Bagilli, “Extended abstract digital forensics model with preservation and protection as umbrella principles,” Procedia Comput. Sci., vol. 35, no. C, pp. 812–821, 2014.
[21] M. S. Bashir and M. N. A. Khan, “A triage framework for digital forensics,” Comput. Fraud Secur., vol. 2015, no. 3, pp. 8–18, 2015.
[22] H. Al-khateeb, G. Epiphaniou, and H. Daly, “Blockchain and Clinical Trial,” pp. 149–168, 2019.
[23] A. H. Lone and R. N. Mir, “Forensic-chain: Blockchain based digital forensics chain of custody with PoC in Hyperledger Composer,” Digit. Investig., vol. 28, pp. 44–55, 2019.
[24] V. Baryamureeba and F. Tushabe, “The Enhanced Digital Investigation Process,” Digit. Forensic Res. Work., 2004.
[25] M. Guido et al., “Generating a Corpus of Mobile Forensic Images for Masquerading user Experimentation,” J. Forensic Sci., vol. 61, no. 6, pp. 1467–1472, 2016.
[26] J. H. Ryu, P. K. Sharma, J. H. Jo, and J. H. Park, “A blockchain-based decentralized efficient investigation framework for IoT digital forensics,” J. Supercomput., 2019.
[27] Z. Tian, M. Li, M. Qiu, Y. Sun, and S. Su, “Block-DEF: A secure digital evidence framework using blockchain,” Inf. Sci. (Ny)., 2019.
