
The Standardised Digital Forensic Investigation Process Model (SDFIPM)

Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)

Abstract

The field of digital forensics still lacks formal process models that courts can employ to determine the reliability of the process followed in a digital investigation. The existing models have often been developed by digital forensic practitioners, based on their own personal experience and on an ad hoc basis, without attention to the establishment of standardisation within the field. This has prevented the institution of the formal processes that are urgently required. Moreover, as digital forensic investigators often operate within the different fields of law enforcement, commerce and incident response, the existing models have tended to focus on one particular field and have failed to consider all of these environments. This has hindered the development of a generic model that can be applied in all three stated fields of digital forensics. To address these shortcomings, this chapter makes a novel contribution by proposing the Advanced Investigative Process Model (the SDFIPM) for Conducting Digital Forensic Investigations, encompassing the ‘middle part’ of the digital investigative process. The model is formal in that it synthesises, harmonises and extends the existing models, and generic in that it can be applied in the three fields of law enforcement, commerce and incident response.

Keywords

  • Digital forensics
  • Standardised digital forensic investigation process model
  • Survey digital crime scene phase
  • Digital forensics investigation
  • DFI
  • DFA
  • Event reconstruction process
  • UML
  • Unified modelling language
  • Chain of custody
  • Information flow
  • Case management



Corresponding author

Correspondence to Reza Montasari.


Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Montasari, R., Hill, R., Carpenter, V., Hosseinian-Far, A. (2019). The Standardised Digital Forensic Investigation Process Model (SDFIPM). In: Jahankhani, H., Kendzierskyj, S., Jamal, A., Epiphaniou, G., Al-Khateeb, H. (eds) Blockchain and Clinical Trial. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-11289-9_8


  • DOI: https://doi.org/10.1007/978-3-030-11289-9_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-11288-2

  • Online ISBN: 978-3-030-11289-9

  • eBook Packages: Computer Science (R0)