Systematic Digital Forensic Investigation Model
Abstract
Law practitioners are in an uninterrupted battle with criminals over the application of digital/computer technologies, and require the development of a proper methodology to systematically search digital devices for significant evidence. Computer fraud and digital crimes are growing day by day and, unfortunately, less than two percent of the reported cases result in a conviction. This paper explores the development of the digital forensics process model, compares digital forensic methodologies, and finally proposes a systematic model of the digital forensic procedure. This model attempts to address some of the shortcomings of previous methodologies, and provides the following advantages: a consistent, standardized and systematic framework for the digital forensic investigation process; a framework that lets a team work systematically according to the captured evidence; a mechanism for applying the framework according to the country's digital forensic investigation technologies; and a generalized methodology that judicial members can use to relate technology to non-technical observers.
This paper presents a brief overview of previous forensic models, proposes a new model inspired by the DFRWS Digital Investigation Model, and finally compares it with other previous models to show the relevance of this model. The proposed model explores the different processes involved in the investigation of cyber crime and cyber fraud in the form of an eleven-stage model. The Systematic Digital Forensic Investigation Model (SRDFIM) has been developed with the aim of helping forensic practitioners and organizations set up appropriate policies and procedures in a systematic manner.
Keywords: Digital Crime, Digital Devices, Forensic Investigation, Search & Seizure, Wireless Devices.
1. INTRODUCTION
Computer forensics emerged in response to the escalation of crimes committed by the use of computer systems either as an object of crime, an instrument used to commit a crime or a repository of evidence related to a crime. Computer forensics can be traced back to as early as 1984, when the FBI laboratory and other law enforcement agencies began developing programs to examine computer evidence. Research groups like the Computer Analysis and Response Team (CART), the Scientific Working Group on Digital Evidence (SWGDE), the Technical Working Group on Digital Evidence (TWGDE), and the National Institute of Justice (NIJ) have since been formed in order to discuss computer forensic science as a discipline, including the need for a standardized approach to examinations [1].
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (1) : 2011            118
    Ankit Agarwal, Megha Gupta, Saurabh Gupta & Prof. (Dr.) S.C. Gupta
Digital forensics has been defined as the use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. One important element of digital forensics is the credibility of the digital evidence. Digital evidence includes computer evidence, digital audio, digital video, cell phones, digital fax machines etc. The legal settings desire evidence to have integrity, authenticity, reproducibility, non-interference and minimization [2].
Since computer forensics is a relatively new field compared to other forensic disciplines, which can be traced back to the early 1920s, there are ongoing efforts to develop examination standards and to provide structure to computer forensic examinations. This paper attempts to address the methodology of a computer forensic investigation.
2. PREVIOUS INVESTIGATION
Computer and network forensics methodologies consist of three basic components that Kruse and Heiser [3] refer to as the three As of computer forensics investigations. These are:
• Acquiring the evidence while ensuring that its integrity is preserved;
• Authenticating the validity of the extracted data, which involves making sure that it is as valid as the original;
• Analyzing the data while keeping its integrity.
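As an added illustration of the three As (this is example code, not code from the paper or from Kruse and Heiser), the following Python script acquires an image of a constructed in-memory "device", hashes source and copy at acquisition, re-hashes the image at every check-out and check-in, and refuses to analyze an image whose hash no longer matches the acquisition record. The record type, function names, actor names and the sample device bytes are all assumptions made for this illustration. SHA-256 is recorded alongside MD5 because MD5 collisions are practical today; verification in the example rests on the SHA-256 value.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed stand-in for a seized storage device.  In a real acquisition
# this would be a write-blocked block device, not an in-memory byte string.
SOURCE_DEVICE: bytes = (bytes(range(256)) * 16
                        + b"\x00contract_draft.docx\x00deleted mail fragment\x00")


@dataclass
class EvidenceRecord:
    """Acquisition hashes plus a chain-of-custody log for one evidence item."""
    case_id: str
    item_id: str
    sha256: str
    md5: str
    # (timestamp, action, actor, sha256 observed, status)
    custody_log: List[Tuple[str, str, str, str, str]] = field(default_factory=list)


def digest(data: bytes) -> Tuple[str, str]:
    """Return (SHA-256, MD5) hex digests; MD5 is kept only for paperwork that
    still asks for it, verification relies on SHA-256."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(device: bytes, case_id: str, item_id: str, actor: str) -> Tuple[bytes, EvidenceRecord]:
    """Acquiring: bit-for-bit copy, with source and copy hashed immediately.
    A copy whose hash differs from the source is rejected on the spot."""
    image = bytes(device)
    src_sha, _ = digest(device)
    img_sha, img_md5 = digest(image)
    if src_sha != img_sha:
        raise RuntimeError("acquired image does not match source; re-acquire")
    record = EvidenceRecord(case_id, item_id, img_sha, img_md5)
    record.custody_log.append((_now(), "acquired", actor, img_sha, "verified"))
    return image, record


def authenticate(image: bytes, record: EvidenceRecord, actor: str, action: str) -> bool:
    """Authenticating: re-hash at every check-out/check-in and log the outcome."""
    current_sha, _ = digest(image)
    ok = current_sha == record.sha256
    record.custody_log.append((_now(), action, actor, current_sha, "verified" if ok else "MISMATCH"))
    return ok


def analyze(image: bytes, record: EvidenceRecord, actor: str) -> Dict[str, object]:
    """Analyzing: proceed only on an image that still matches its acquisition
    hash, work on a separate copy, and re-verify the master image on check-in."""
    if not authenticate(image, record, actor, "check-out"):
        raise RuntimeError("integrity failure on check-out; stop and document")
    working_copy = bytearray(image)  # analysis never touches the master image
    summary: Dict[str, object] = {
        "size": len(working_copy),
        "filenames_seen": [tok.decode() for tok in working_copy.split(b"\x00")
                           if tok.endswith(b".docx")],
    }
    if not authenticate(image, record, actor, "check-in"):
        raise RuntimeError("integrity failure on check-in; analysis results are suspect")
    return summary


if __name__ == "__main__":
    img, rec = acquire(SOURCE_DEVICE, "CASE-0001", "ITEM-01", "examiner-1")
    print(analyze(img, rec, "examiner-1"))
    for entry in rec.custody_log:
        print(entry)
```

The custody log is deliberately append-only and records the hash actually observed at each step, so a mismatch entry shows both what was expected and what was found.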
The field of digital forensics is undergoing a rapid metamorphosis: it is changing from skilled craftsmanship into a true forensic science. Part of this change is expressed by the interest in this field as an academic study. Ironically, the teaching portion of academe has led the way and research is trying to catch up.
Research usually starts with a literature review. That is particularly difficult in this field for a number of reasons. Some of the work predates the Internet and therefore is only available in paper form, in largely obscure or unavailable documents. Much discussion and learning has not been published at all. And few are familiar with the work that has been published.
• Examination: This is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation.
• Analysis: This looks at the product of the examination for its significance and probative value to the case.
• Reporting: This entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.
3. Approach strategy: that develops a procedure to use in order to maximize the collection of
   untainted evidence while minimizing the impact to the victim.
4. Preservation: which involves the isolation, securing and preservation of the state of physical
   and digital evidence.
5. Collection: that entails the recording of the physical scene and duplicate digital evidence using
   standardized and accepted procedures.
6. Examination: which involves an in-depth systematic search of evidence relating to the
   suspected crime.
7. Analysis: which involves determination of the significance, reconstructing fragments of data
   and drawing conclusions based on evidence found.
8. Presentation: that involves the summary and explanation of conclusions.
9. Returning evidence: that ensures physical and digital property is returned to the proper owner.
1.   Preservation phase; which preserves the digital crime scene so that evidence can later be
     synchronized and analyzed for further evidence.
2.   Survey phase; whereby the investigator transfers the relevant data from a venue out of physical
     or administrative control of the investigator to a controlled location.
3.   Documentation phase; which involves properly documenting the digital evidence when it is found.
     This information is helpful in the presentation phase.
4.   Search and collection phase; whereby an in-depth analysis of the digital evidence is performed.
     Software tools are used to reveal hidden, deleted, swapped and corrupted files that were used,
     along with their dates, duration, log files etc. Low-level time-lining is performed to trace a
     user's activities and identity.
5.   Reconstruction phase; which includes putting the pieces of a digital puzzle together, and
     developing investigative hypotheses.
6.   Presentation phase; that involves presenting the digital evidence that was found to the physical
     investigative team.
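To make the low-level time-lining step concrete, here is an added Python example (not from the paper and not from Carrier and Spafford) that normalises file-system modification times and authentication-log entries into UTC, merges them into one ordered timeline, and flags files in a user's profile that changed while no interactive session of that user was open. The sample data, paths, log format and function names are all constructed for this illustration.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the paper).  File-system modification
# times are epoch seconds (UTC); the authentication log is local time with
# a +05:30 offset, as if exported from the workstation itself.
FILE_MTIMES: Dict[str, int] = {
    "C:/Users/alice/Documents/memo.docx": 1299990000,     # 2011-03-13 04:20:00 UTC
    "C:/Users/alice/Documents/payroll.xlsx": 1300000000,  # 2011-03-13 07:06:40 UTC
}
AUTH_LOG: List[str] = [
    "2011-03-13T09:00:00+05:30 LOGON alice",
    "2011-03-13T12:00:00+05:30 LOGOFF alice",
    "2011-03-13T14:00:00+05:30 LOGON alice",
]

Event = Tuple[datetime, str, str]  # (time in UTC, source, description)


def normalise_filesystem(mtimes: Dict[str, int]) -> List[Event]:
    """Turn epoch mtimes into timezone-aware UTC events."""
    return [(datetime.fromtimestamp(ts, tz=timezone.utc), "filesystem", f"modified {path}")
            for path, ts in mtimes.items()]


def normalise_auth_log(lines: List[str]) -> List[Event]:
    """Parse '<ISO-8601 local stamp> <ACTION> <user>' lines into UTC events."""
    events: List[Event] = []
    for line in lines:
        stamp, action, user = line.split()
        utc = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        events.append((utc, "auth", f"{action} {user}"))
    return events


def build_timeline(*sources: List[Event]) -> List[Event]:
    """Merge events from every source into one timeline ordered by UTC time."""
    return sorted((e for src in sources for e in src), key=lambda e: e[0])


def sessions_for(user: str, auth_events: List[Event]) -> List[Tuple[datetime, Optional[datetime]]]:
    """Pair LOGON/LOGOFF events into interactive sessions; an open session ends with None."""
    sessions: List[Tuple[datetime, Optional[datetime]]] = []
    start: Optional[datetime] = None
    for when, _, desc in sorted(auth_events, key=lambda e: e[0]):
        action, who = desc.split()
        if who != user:
            continue
        if action == "LOGON":
            start = when
        elif action == "LOGOFF" and start is not None:
            sessions.append((start, when))
            start = None
    if start is not None:
        sessions.append((start, None))
    return sessions


def modifications_outside_sessions(user: str, fs_events: List[Event],
                                   auth_events: List[Event]) -> List[str]:
    """Files under the user's profile changed while none of their sessions was
    open: a lead to follow up (another account, a scheduled task, a clock change)."""
    sessions = sessions_for(user, auth_events)
    profile = f"C:/Users/{user}/"
    flagged: List[str] = []
    for when, _, desc in fs_events:
        path = desc.split(" ", 1)[1]
        if not path.startswith(profile):
            continue
        inside = any(start <= when and (end is None or when <= end) for start, end in sessions)
        if not inside:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    fs = normalise_filesystem(FILE_MTIMES)
    auth = normalise_auth_log(AUTH_LOG)
    for when, source, desc in build_timeline(fs, auth):
        print(when.isoformat(), source, desc)
    print("outside any session:", modifications_outside_sessions("alice", fs, auth))
```

Converting every source to UTC before merging is the step that matters: a log in local time merged against UTC file timestamps shifts events by the offset and silently reorders the timeline.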
•    The prevention of further malicious events occurring against the intended "target".
•    The successful tracing back of the events that occurred which led to the crime, and determining
     the guilty parties involved.
•    Bringing the perpetrators of the crime to justice.
•    The improvement of current prevention mechanisms in place to prevent such an event from
     occurring again.
•    Improving standards used by corporate security professionals to secure their respective corporate
     networks.
•    How everyone "plugged" into this digital environment can increase their awareness about current
     vulnerabilities and prevention measures.
There has been a need for a standard methodology used for all digital forensics investigations. There have been many initiatives made to have models that have a general process to be followed for such investigations [8]. Research done by the scientific community has been fairly recent, and has concentrated mostly upon coming up with good models that can be practiced [9]. Yet, it can be safely said that these models are mainly ad-hoc and much needs to be accomplished in this particular domain.
4. KEY CHALLENGES
At the 2006 DFRWS conference, the keynote speech "Challenges in Digital Forensics" was delivered by Ted Lindsey, a computer scientist at the FBI [9]. In his speech, a number of challenges were identified. These are presented in Table 1.
These challenges, as enumerated by Lindsey at DFRWS 2006, are a mix of new technologies (e.g. wireless, whole drive encryption), situational technology trends (e.g. device diversity, volume of evidence, distributed evidence), and techniques (e.g. live response, usability and visualization).
In 2005, the following list of challenges was presented by Mohay [10]:
•    Education & certification
•    Embedded systems
•    Corporate governance and forensic readiness
•    Monitoring the internet
•    Tools
•    Data volumes
In 2005 and 2004, Casey summarized the key challenges as:
•    Counter forensics
•    Networked evidence
[Figure: diagram of the proposed Systematic Digital Forensic Investigation Model; layout not recoverable from the extracted text. Recoverable phase labels: Preparation, Communication Shielding, Forensic Law, Evidence Collection, Preservation, Result.]
should be avoided. As the number of people at the crime scene increases, the possibilities for the contamination and destruction of evidence also increase. The crime scene investigation should follow the Association of Chief Police Officers (ACPO) guideline for securing the scene, produced in conjunction with the National Hi-Tech Crime Unit (NHTCU) [13]. Top priority should be given at this stage to minimizing the corruption of evidence. Any item that could be evidence should not be tampered with. This phase plays a major role in the overall investigative process as it determines the quality of the evidence.
evidence visible, while explaining its origin and significance. Huge volumes of data collected during the volatile and non-volatile collection phases need to be converted into a manageable size and form for future analysis. Data filtering, validation, pattern matching and searching for particular keywords with regard to the nature of the crime or suspicious incident, recovering relevant ASCII as well as non-ASCII data etc. are some of the major steps performed during this phase. Personal organizer data like address book, appointments, calendar, scheduler etc., text messages, voice messages, documents and emails are some of the common sources of evidence, which are to be examined in detail. Finding evidence of system tampering, data hiding or deleting utilities, unauthorized system modifications etc. should also be performed. Detecting and recovering hidden or obscured information is a major and tedious task involved. Data should be searched thoroughly for recovering passwords, finding unusual hidden files or directories, file extension and signature mismatches etc. The capabilities of the forensic tools used by the examiner play an important part in the examination phase. When the evidence is checked out for examination and checked in again, the date, time, name of the investigator and other details must be documented. It is required to prove that the evidence has not been altered after being possessed by the forensic specialist, and hence hashing techniques like MD5 must be used for mathematical authentication of the data.
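Two of the examination steps above, extension/signature mismatch detection and keyword searching, as an added Python example that is not part of the paper. The signature table, the constructed evidence set and all function names are assumptions made for this illustration; the keyword search decodes each file as single-byte text and as UTF-16LE at both byte offsets, so that wide-character strings common in Windows artifacts are not missed when they start at an odd offset.

```python
import re
from typing import Dict, List, Optional

# Magic-number signatures (leading bytes) for a few common file types.
SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also OOXML containers such as .docx/.xlsx
}
# Extensions that legitimately carry each detected container type.
COMPATIBLE: Dict[str, set] = {
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
}

# Constructed evidence set (not from the paper): file name -> content bytes.
EVIDENCE_FILES: Dict[str, bytes] = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "report.docx": b"PK\x03\x04[Content_Types].xml" + b"\x00" * 16,
    "notes.txt": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16,       # PNG renamed to .txt
    "holiday.jpg": b"PK\x03\x04archive renamed to look like a photo",         # ZIP renamed to .jpg
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\n"
                   b"Wire Transfer to account 00000000 (constructed)\n",
    "config.bin": b"\x01" + "password=hunter2".encode("utf-16-le"),          # UTF-16LE at odd offset
}


def detect_type(data: bytes) -> Optional[str]:
    """Identify the file type from its leading bytes, ignoring the name entirely."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def signature_mismatches(files: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Flag files whose extension does not agree with their magic-number type."""
    findings: List[Dict[str, str]] = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = detect_type(data)
        if kind is not None and ext not in COMPATIBLE[kind]:
            findings.append({"file": name, "extension": ext, "signature": kind})
    return findings


def _text_views(data: bytes) -> List[str]:
    """Searchable views of raw bytes: single-byte text, plus UTF-16LE decoded at
    both byte offsets so a wide string is found whatever its alignment."""
    views = [data.decode("latin-1")]
    for offset in (0, 1):
        views.append(data[offset:].decode("utf-16-le", errors="ignore"))
    return views


def keyword_hits(files: Dict[str, bytes], keywords: List[str]) -> Dict[str, List[str]]:
    """Case-insensitive keyword search over ASCII and UTF-16LE content."""
    hits: Dict[str, List[str]] = {}
    for name, data in files.items():
        views = _text_views(data)
        found = [kw for kw in keywords
                 if any(re.search(re.escape(kw), view, re.IGNORECASE) for view in views)]
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    for finding in signature_mismatches(EVIDENCE_FILES):
        print("signature/extension mismatch:", finding)
    print("keyword hits:", keyword_hits(EVIDENCE_FILES, ["wire transfer", "password"]))
```

A mismatch is only a lead: a renamed archive may be innocent, but it tells the examiner which files deserve manual inspection before keyword results are trusted.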
There may not always be a one-to-one mapping between the activities in the proposed model and other previous models. In some cases, though the process is similar, the terms used in other
existing forensic models may differ. Table 2 gives a comparison of the terminology used for different processes in the proposed model and the various other models discussed previously.
[Table 2: comparison of terminology across models; the table layout is not recoverable from the extracted text. Recoverable column headings: NIJ Law Enforcement Model, DFRWS Model, Abstract Digital Forensic Model, and a further heading truncated to "ID". Recoverable cell entries: Preparation, Preservation, Identification; most remaining cells read "--".]
CONCLUSION
Motivated by the rapid increase in computer frauds and cyber crimes, this research work took up the challenge of exploring some of the open issues of digital forensic research. This paper starts with a discussion of digital forensic technology, and the discussion then moves on to digital forensic investigation models. Some of the open problems of digital forensic research have been identified.
Then the proposed work provides the Systematic Digital Forensic Investigation Model, which is useful for a variety of digital forensic investigations.
The benefits of the work are as follows:
• It will help in evidence dynamics and the reconstruction of events by realizing the properties of Individuality, Repeatability, Reliability, Performance, Testability, Scalability, Quality and Standards in the analysis of computer frauds and cyber crimes (CFCC).
• It will serve as a benchmark and reference point for investigating cases of computer frauds and cyber crimes.
• It will help in the development of generalized solutions, which can cater to the needs of a rapidly changing and highly volatile digital technological scenario.
• The integrity and admissibility of digital evidence can be attained.
FUTURE SCOPE
In this study, work has been done on the development of the Systematic Digital Forensic Investigation Model. The following are a few pointers for the direction of future research in this area:
1. Application of the new model to a variety of cases and improvement in light of feedback.
2. Identification of new constraints arising from technological advancement, which will require the model to be updated over time.
REFERENCES
1. Michael Noblett, Mark M. Pollitt and Lawrence Presley. (2000) Recovering and Examining Computer Forensic Evidence. Forensic Science Communications, Volume 2, Number 4.
2. Gary L. Palmer. (2001) A Road Map for Digital Forensic Research. Technical Report DTR-T0010-01, DFRWS. Report for the First Digital Forensic Research Workshop (DFRWS).
3. Warren Kruse II and Jay G. Heiser. (2002) Computer Forensics: Incident Response Essentials. Addison-Wesley.
4. National Institute of Justice. (July 2001) Electronic Crime Scene Investigation: A Guide for First Responders. Available from: http://www.ncjrs.org/pdffiles1/nij/187736.pdf
5. Mark Reith, Clint Carr and Gregg Gunsch. (2002) An Examination of Digital Forensic Models. International Journal of Digital Evidence, Fall 2002, Volume 1, Issue 3.
6. Digital Forensic Research Workshop (DFRWS) Research Road Map, Utica, NY. (2001) http://www.dfrws.org/archive.html
7. Brian Carrier and Eugene H. Spafford. (2003) Getting Physical with the Investigative Process. International Journal of Digital Evidence, Fall 2003, Volume 2, Issue 2.
10. Sean Peisert, Matt Bishop, Sidney Karin and Keith Marzullo. Toward Models for Forensic Analysis; Mohay, G. (2005) Technical Challenges and Directions for Digital Forensics. In: 1st International Workshop on Systematic Approaches to Digital Forensic Engineering.
11. Casey, E. (2004) State of the field: growth, growth, growth. Digital Investigation.
12. Casey, E. (2005) Digital arms race: The need for speed. Digital Investigation.
13. ACPO. (2006) Good Practice Guide for Computer based Electronic Evidence. Available from: http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf