MODELS OF DIGITAL FORENSIC INVESTIGATION By Sanya-Isijola, Ademuyiwa 36641
ABSTRACT The race between law enforcement and criminals is never ending; law enforcement needs to develop tools and use a digital forensic methodology that covers every area of the forensic analysis of a digital crime investigation. The digital investigation process can be driven using numerous digital forensic investigation models. This paper compares and contrasts different forensic methodologies and discusses the main components any forensic investigation model should contain.
INTRODUCTION The digital age has brought about an increase in the use of computers and the internet as tools to raise productivity and efficiency in the governmental, commercial, educational and private sectors of every economy. In the same vein, these technologies have now become criminal tools used to perpetrate unlawful or unethical activities. The increased use of the internet and computers has fostered criminal activity because perpetrators now combine in-depth technical knowledge with anonymity to commit crimes. In order to apprehend cyber criminals, investigators must use well-defined and consistent forensic procedures. [1]
1.0 What is digital forensics? In this modern age, several types of digital devices, not just computers, are used on a daily basis and are constantly exploited for criminal activity. Computer forensics focuses on extracting evidence from one particular platform (the computer), whereas digital forensics covers extracting evidence from all forms of digital evidence. [1] Digital forensics is the collection, preservation, analysis and presentation of digital evidence extracted from any source of digital evidence, which can be used to identify criminal activity or other activity that constitutes a violation. [2]
2.0 Lack of standardization Presently there are several digital forensic investigation methodologies, but there is no consistent or standard digital forensic model, only sets of procedures and tools built from the experience of hackers, system administrators and law enforcement. The available models concentrate on part of the investigative process (analysis, presentation) rather than providing a general view of the entire investigation. Thus, many digital crimes are not investigated with a standardized forensic methodology. [1] A good digital investigation model must provide a consistent and standardized framework that supports every stage of the investigation (technical and non-technical) regardless of the type of crime. As new technologies unfold, they can be applied within the standardized model. [4]
3.0 What is digital forensic investigation? “Digital forensic investigation is a process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occur”. [5]
3.1 Digital forensic investigation models Over the years, several digital forensic investigation models have been proposed; they include: [3]
Kruse and Heiser
America's Department of Justice (DOJ)
Lee's model
Casey's model
DFRWS framework meta-model
The Reith, Carr and Gunsch model
The Ciardhuain model
3.11 KRUSE and HEISER Kruse and Heiser stated that a forensic investigation consists of three basic components:
Acquire evidence
Authenticate evidence
Analyze data
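As an added illustration of why Kruse and Heiser place authentication between acquisition and analysis, the following Python example is not from the paper or any of the cited works; the image bytes, case id, examiner name and log format are all constructed for the demonstration. It records a SHA-256 digest at acquisition, re-verifies the working copy before analysis, and refuses to analyze a copy that no longer matches.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed stand-in for an acquired device image (not real evidence).
SAMPLE_IMAGE = (b"\x00" * 64
                + b"auth.log: user alice login ok\n"
                + b"auth.log: user bob login failed\n"
                + b"\xff" * 64)


def acquire(image_bytes, case_id, examiner):
    """Acquire: take a working copy and record its size and SHA-256 in a
    chain-of-custody entry so the copy can later be authenticated."""
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(image_bytes),
        "sha256": hashlib.sha256(image_bytes).hexdigest(),
    }
    return bytes(image_bytes), record


def authenticate(working_copy, record):
    """Authenticate: prove the working copy is byte-for-byte what was acquired.
    compare_digest avoids a timing side channel on the hex comparison."""
    if len(working_copy) != record["size"]:
        return False
    current = hashlib.sha256(working_copy).hexdigest()
    return hmac.compare_digest(current, record["sha256"])


def analyze(working_copy, record):
    """Analyze only after authentication succeeds. A keyword search over the
    image stands in for real analysis; it returns the matching login events."""
    if not authenticate(working_copy, record):
        raise ValueError("evidence failed authentication; analysis aborted")
    return re.findall(rb"user \w+ login \w+", working_copy)


if __name__ == "__main__":
    copy, custody = acquire(SAMPLE_IMAGE, "CASE-0001", "examiner A")
    print(custody)
    print(analyze(copy, custody))
```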
3.12 America's Department of Justice, DOJ The model proposed by America's Department of Justice is very similar to that of Kruse and Heiser; it only adds a new component called Reporting. The model consists of:
Collection
Examination
Analysis
Report
3.13 Lee (2001) Lee proposed a model that consists of four steps; they are:
Recognition
Identification
Individualization
Reconstruction
The steps proposed by Lee refer to only a part of the forensic investigation process, i.e. the investigation stage (no preparation or presentation).
3.14 Casey's model Casey's model is similar to that proposed by Lee; the first and last stages are the same. It focuses on processing and examining digital evidence (that is, on the investigation stage). Its steps are:
Recognition
Preservation
Classification
Reconstruction
3.15 Digital Forensic Research Working Group (DFRW) The DFRW model was developed between 2001 and 2003. It includes the crucial stages of the investigation and also includes the Presentation stage. It consists of the following stages:
Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision
3.16 The Reith, Carr and Gunsch model (2002) The Reith, Carr and Gunsch model (2002) includes components not found in the above-mentioned frameworks. It consists of:
Identification
Preparation
Approach Strategy
Preservation
Collection
Examination
Analysis
Presentation
Returning evidence
3.17 Ciardhuain model The Ciardhuain model is the most up to date and complete. The framework consists of the following:
Awareness
Authorization
Planning
Notification
Search and identify evidence
Collection
Transportation
Storage
Examination
Hypothesis
Presentation
Proof/Defense
Dissemination [3]
After cross-examination of the above-mentioned frameworks, it was noted that:
Each successive framework modifies the previous one
Some of the models have very similar approaches
Some of the models concentrate on different areas of the investigation
The main aim of these models is to produce sufficient evidence that is presentable in a court of law, but there needs to be a balance among the processes identified by these models to avoid straying from that aim. During a forensic investigation, the framework chosen should not concentrate on a single stage; it should incorporate the basic components of forensic investigation, which are: [6]
Preparation
Investigation
Presentation
CONCLUSION The framework used for a forensic investigation must not be stage specific, i.e. it must not concentrate only on one stage of the forensic investigation such as Preparation. Any of the above models can be chosen and easily modified or expanded so that it covers the main components of forensic investigation (Preparation, Investigation and Presentation). Whatever framework is used for an investigation, it must be applicable to all current digital crimes and to those of the near future.
References
[1] Mark Reith, Clint Carr, Gregg Gunsch, An examination of digital forensic models.
[2] Bruce J. Nikkel, The role of digital forensics within a corporate organization.
[3] Daniel A. Ray, Phillip G. Bradford, Models of models: Digital forensics and domain-specific languages.
[4] Séamus Ó Ciardhuáin, An extended model of cyber crime investigation.
[5] www.cerias.purdue.edu
[6] Michael Kohn, JHP Eloff and MS Olivier, Framework for a digital forensic investigation.