The Standardised Digital Forensic Investigation Process Model (SDFIPM)

  • Reza Montasari
  • Richard Hill
  • Victoria Carpenter
  • Amin Hosseinian-Far
Chapter
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)

Abstract

The field of digital forensics still lacks formal process models that courts can employ to determine the reliability of the process followed in a digital investigation. The existing models have often been developed by digital forensic practitioners on an ad-hoc basis, drawing on their own personal experience, without attention to establishing standardisation within the field. This has prevented the institution of the formal processes that are urgently required. Moreover, because digital forensic investigators operate within the different fields of law enforcement, commerce and incident response, the existing models have tended to focus on one particular field and have failed to consider all three environments. This has hindered the development of a generic model that can be applied in all three stated fields of digital forensics. To address these shortcomings, this chapter makes a novel contribution by proposing the Advanced Investigative Process Model (the SDFIPM) for Conducting Digital Forensic Investigations, encompassing the ‘middle part’ of the digital investigative process. The model is formal in that it synthesises, harmonises and extends the existing models, and generic in that it can be applied in the three fields of law enforcement, commerce and incident response.

Keywords

Digital forensics; Standardised digital forensic investigation process model; Survey digital crime scene phase; Digital forensics investigation; DFI; DFA; Event reconstruction process; UML; Unified modelling language; Chain of custody; Information flow; Case management

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Reza Montasari (1), corresponding author
  • Richard Hill (1)
  • Victoria Carpenter (2)
  • Amin Hosseinian-Far (3)

  1. Department of Computer Science, School of Computing and Engineering, The University of Huddersfield, Huddersfield, UK
  2. Research Development Innovation and Enterprise Services, University of Bedfordshire, Luton, UK
  3. Faculty of Business and Law, University of Northampton, Northampton, UK