Page 1: DF Process Models

DIGITAL FORENSIC Models & Frameworks (2000-2015)

Costas Katsavounidis

Page 2: DF Process Models

Katsavounidis C. 2

Principles of Forensic Examination of Digital Evidence

Locard’s Exchange Principle: “Every Contact Leaves a Trace”

A.C.P.O. (2007): Good Practice Guide for Computer-Based Evidence

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

N.I.J. (2008): Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

The process of collecting, securing, and transporting digital evidence should not change the evidence.

Digital evidence should be examined only by those trained specifically for that purpose.

Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review.

E.N.F.S.I. (2009): Guidelines for Best Practice in the Forensic Examination of Digital Evidence.

A. The general rules of evidence should be applied to all digital evidence

B. Upon seizing digital evidence, actions taken should not change that evidence.

C. When it is necessary for a person to access original digital evidence that person should be suitably trained for the purpose.

D. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.

E. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.

Page 3: DF Process Models


Process Models & Frameworks for the Forensic Examination of Digital Evidence

Lee/Pagliaro: Crime Scene Handbook (2001), Physical Scene Investigation Principles: Recognition, Identification, Individualization, Reconstruction

Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2000), Digital Evidence Process Model:

Recognition

Preservation: Collection and Documentation

Individualization: Comparison and Individualization

Reconstruction

Page 4: DF Process Models


Kruse & Heiser: Computer Forensics, Incident Response Essentials (2001), 3A’s - Computer Investigation Model Process Model: Acquisition, Authentication, Analysis

Köhn, Michael: Integrated Digital Forensic Process Model (2012), Improved Computer Investigation Model Process Model: Acquisition, Authentication, Examination, Analysis, Report

Page 5: DF Process Models


Forensic Investigation Processes (NIJ: Electronic Crime Scene Investigation: A Guide for First Responders (2001); NIST: Guide to Integrating Forensic Techniques into Incident Response (2006); ACPO: Good Practice Guide for Computer-Based Evidence (2007)): Collection, Examination, Analysis, Report

Forensic Processes (NIJ: Forensic Examination of Digital Evidence: A Guide for Law Enforcement (2004)): Assessment, Acquisition, Examination, Analysis, Report

Page 6: DF Process Models


Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2004), Investigative Process

Stages (from incident to testimony): Incident alerts or accusation; Assessment of worth; Incident/Crime scene protocols; Identification or seizure; Preservation; Recovery; Harvesting; Reduction; Organization and search; Analysis (Assessment, Experiment, Fusion, Correlation, Validation); Reporting; Persuasion and testimony

Stage notes: Crime or policy violation; Prioritize - choose; Actions at scene – real/virtual; Recognition and proper packaging; Get it ALL – hidden/deleted; Data about data; Integrity – modification tree; Filter - eliminate; Focus; Scrutinize; Detailed record; Translate and explain

Page 7: DF Process Models


DFRWS: A Road Map for Digital Forensic Research (2001), Investigative Process for Digital Forensic Science

Phases: Identification, Preservation, Collection, Examination, Analysis, Presentation, Decision

Identification: Event/Crime detection; Resolve Signature; Anomalous Detection; Complaints; System monitoring; Audit Analysis; Etc.

Preservation: Case Management; Imaging Technologies; Chain of custody; Time Sync

Collection: Preservation; Approved Methods; Approved Software; Approved Hardware; Legal Authority; Lossless compression; Sampling; Data Reduction; Recovery Techniques

Examination: Preservation; Traceability; Validation Techniques; Filtering Techniques; Pattern Matching; Hidden Data Discovery; Hidden Data Extraction

Analysis: Preservation; Traceability; Statistical; Protocols; Data Mining; Timeline; Link; Spatial

Presentation: Documentation; Expert Testimony; Clarification; Mission impact statement; Recommended countermeasure; Statistical Interpretation

Page 8: DF Process Models

Reith et al: An Examination of Digital Forensic Models (2002)

Abstract Model for Digital Forensics

Identification

Preparation

Approach Strategy

Preservation

Collection

Examination

Analysis

Presentation

Returning Evidence

Page 9: DF Process Models


Mandia et al: Incident Response and Computer Forensics (2003), The Incident Model

Pre-Incident Preparation

Detection of Incidents

Initial Response

Formulation of Response Strategy

Incident Investigation: Data Collection; Data Analysis

Report

Resolution, Recovery, Security Measures Implementation

Page 10: DF Process Models


Carrier/Spafford: Getting Physical with the Digital Investigation Process (2003), Integrated Digital Investigation Process (IDIP)

Readiness Phases: Operations Readiness; Infrastructure Readiness

Deployment Phases: Detection & Notification; Confirmation & Authorization

Physical Crime Scene Investigation Phases: Preservation; Survey; Documentation; Search & Collection; Reconstruction; Presentation

Digital Crime Scene Investigation Phases: Preservation; Survey; Documentation; Search & Collection; Reconstruction; Presentation

Review Phases: Review

Page 11: DF Process Models


Baryamureeba/Tushabe: The Enhanced Digital Investigation Process Model (2004), Enhanced Integrated Digital Investigation Process Model

Phase groups: Preparation Phases; Deployment Phases; Traceback Phases; Dynamite Phases; Review Phases

Digital Crime Scene and Physical Crime Scene sub-phases: Preservation Phase; Survey Phase; Documentation Phase; Search & Collection Phase; Presentation Phase

Page 12: DF Process Models


Beebe/Clark: A Hierarchical, Objectives-Based Framework for the Digital Investigation Process (2005), Two-Tier Digital Investigations Process Framework

First tier (phases): Preparation; Incident Response; Data Collection; Data Analysis; Presentation of Findings; Incident Closure

Second tier: each of the six phases has its own Objectives-Based sub-phases

Page 13: DF Process Models

O'Ciardhuain, Seamus: An Extended Model of Cybercrime Investigations (2004)

Extended Model of Cybercrime Investigations

Awareness

Authorization

Planning

Notification

Search/Identify

Collection

Transport

Storage

Examination

Hypothesis

Presentation

Proof/Defence

Dissemination

Information flows and influences around the investigation: External Events; External Authority; Externally imposed policies, regulations & Legislation; External Information; Information Distribution; Organizational Policies; Internal Information; Information Controls; Internal Authority; Internal Events; General Information Flow; Other Organizations; Internal Challenges; External Challenges

Page 14: DF Process Models


Köhn et al: Framework for a Digital Forensic Investigation (2006)

Köhn et al: UML Modelling of Digital Forensic Process Models (DFPMs) (2008)

Integrated Digital Forensic Process Model (InteDFPM)

Top-level phases: Preparation; Investigation; Presentation; Law

Sub-processes: Preparation; Collect; Authenticate; Examine; Analyze; Report; Present

Outputs: Evidence; Report

Page 15: DF Process Models


NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response (2006), Forensic Process

Phases: Collection → Examination → Analysis → Report

Transformation: Media → Data → Information → Evidence

Selamat et al: Mapping Process of Digital Forensic Investigation Framework (2008), Simplified DF Investigation Framework

Preparation; Collection & Preservation; Examination & Analysis; Presentation & Reporting; Dissemination

Page 16: DF Process Models


Rogers et al: Computer Forensics Field Triage Process Model (2006), Cyber Forensic Field Triage Process model (CFFTP)

Planning

Triage

User Usage Profiles: Home Directory; File Properties; Registry

Chronology Timeline

Internet: Email; Browser artifacts; Instant Messages

Case Specific

At Scene

Page 17: DF Process Models


Forrester/Irwin: A Digital Forensic investigative model for business organizations (2007), DF model for business organizations

Phases: Readiness; Deployment; Incident Evaluation

Scene Preservation

Investigation Service Restoration

Reporting

Decisions

Incident Review

Interaction

Page 18: DF Process Models

Freiling/Schwittay: A Common Process Model for Incident Response and Computer Forensics (2007)

Common Process model for Incident Response & Computer Forensics

Pre-Analysis Phase: Pre-Incident Preparation; Incident Occurs; Detection of Incidents; Initial Response; Formulation of response strategy

Analysis Phase: Live Response; Forensic Duplication; Data Recovery; Harvesting; Reduction & Organization; Analysis

Post-Analysis Phase: Report; Resolution

Page 19: DF Process Models

Khurana et al: Palantir: A framework for collaborative incident response and investigation (2009)

Collaborative framework: Palantir

Site:

· Establish an Incident Response Team.
· Train staff on latest threats and software tools.
· Follow recommended practices to prevent incidents.
· Deploy intrusion detection and forensics data collection capabilities.
· Develop incident response policies and procedures, including a legal activities coordination plan.

· Detect and confirm that an incident has occurred.
· Perform initial analysis to determine incident scope.
· Determine containment, eradication, recovery and investigation strategy.
· Report incident to appropriate ICIM.

· Contain the breach to prevent further damage.
· Collect and preserve evidence in a forensically sound manner.
· Eradicate malware and disable compromised systems/accounts.
· Deploy counter-measures to prevent repeat occurrence of compromise.
· Restore normal system operation.

· Identify lessons learned.
· Complete incident report.
· Improve future preparedness.
· Retain evidence as required according to policy.

ICIM / Collaboration:

· Establish and train Incident Response Team.
· Train Staff on latest threats and software tools.
· Establish and maintain a collaborative workspace hosting environment.
· Develop incident response policies and procedures including a legal activities coordination plan.
· Develop policies and procedures for collaboration.
· Deploy collaborative investigation tools.

· Analyze incoming incident reports.
· Develop response strategy and determine if collaborative investigation is warranted.

· Create collaborative workspace.
· Invite collaborators and assign roles.
· Formulate collaborative response and investigation strategy.
· Share (anonymized) evidence as appropriate.
· Perform cross-site data analysis and correlation.
· Discuss (ongoing) incident and share insights.
· Cooperate in containment and recovery.
· Reconstruct the crime scene.
· Prepare coordinated legal strategy.

· Legally prosecute the offenders.
· Share lessons learned among participants and publicly as appropriate.
· Retain evidence according to policy.

Page 20: DF Process Models


Perumal, Sundresan: Digital Forensic Model Based on the Malaysian Investigation Process (2009), Malaysian Investigation Process model

Phases: Planning; Identification; Reconnaissance; Transport & Storage; Analysis; Result; Proof & Defense; Archive Storage

Supporting elements: Authorization; Search Warrant Obtained; Static Acquisition; Live acquisition; Identify Fragile Evidence; Gathering Evidence

Page 21: DF Process Models


Cohen, Frederick: Fundamentals of Digital Forensic Evidence (2010), Digital Forensic Evidence Processes

Digital Evidence

Identify

Collect

Preserve

Transport

Store

Analyze

Interpret

Attribute

Reconstruct

Present

Destroy

Page 22: DF Process Models


Smith/Petreski: A New Approach to Digital Forensic Methodology (2010), Smith & Petreski Method

Pre-Analysis: Determine Case Type; Requester Goals; Common Case Goals; Analyst Developed Goals; Agreed Upon Case Goals; Develop Required Information List; Develop Beneficial Information List; Provide Case Time Estimate; Determine Methods to Achieve each Case Goal

Analysis: Identify Effectiveness of the Method; Identify the Time Required for this Method; Identify Additional Costs; Estimate Analyst Skill with Method; Estimate Size of Data; Actual Costs; Resource Costs; Generate SPI and Time Limits for reevaluation

Page 23: DF Process Models


Grobler, C. et al: A Multi-component View of Digital Forensics (2010), Digital Forensic Management Framework

Pro-Active DF

Active-DF

Re-Active DF

Incident

Before Incident After Incident

Page 24: DF Process Models

Atsa/Mboupda: Multi-Perspective Cybercrime Investigation Process Modeling (2012)

MCIP model

Perspectives: ReaDF; ProDF; ActDF

Complaint / Alert / Automatic Detection

Identification

Collection

Preservation

Analysis

Documentation

Incident Closure

Reconstruction

- Identification
- Preservation
- Collection

Evidence Acquisition

Analysis

Physical Investigation

Reconstruct-ion

Present Findings

Dissemination of results

Incident Closure

Final Report

Page 25: DF Process Models

Agarwal et al: Systematic Digital Forensic Investigation Model (2011), Systematic Digital Investigation Model (SRDFIM)

Preparation

Securing the Scene

Survey & Recognition

Documentation of the Scene

Communication Shielding

Evidence Collection

Preservation

Examination

Analysis

Presentation

Result

Capturing the Timeline According to the Country Digital Forensic Law

Page 26: DF Process Models


Yusoff et al: Common Phases of Computer Forensic Investigation Models (2011), Generic Computer Forensic Investigation model (GCFIM)

Pre-Process

Acquisition & Preservation

Analysis

Presentation

Post-Process

Page 27: DF Process Models


Valjarevic/Venter: Harmonized Digital Forensic Investigation Process Model (2012)

Valjarevic/Venter: Towards a prototype for guidance and implementation of a standardized digital forensic investigation process (2014)

Harmonized Digital Forensic Investigation Process model

Readiness Processes

Initialization Processes: Incident Detection; First Response; Planning; Preparation

Acquisition Processes: Incident Scene Documentation; Potential Evidence Identification; Potential Evidence Collection; Potential Evidence Transportation; Potential Evidence Storage

Investigative Processes: Potential Evidence Analysis; Presentation; Conclusion

Concurrent Processes: 1. Interaction with Physical Investigation; 2. Preserving Chain of Evidence; 3. Preserving Evidence; 4. Information Flow; 5. Documentation; 6. Obtaining Authorization

Page 28: DF Process Models


Mumba/Venter: Testing and Evaluating the Harmonized Digital Forensic Investigation Process in Post Mortem Digital Investigations (2014)

Harmonized Digital Forensic Investigation Process model - (ISO/IEC 27043, 2014)

Investigative Processes

Acquisitive Processes

Initialization Processes

Incident Detection

First Response

Planning

Preparation

Incident Scene Documentation

Digital Evidence Transportation

Digital Evidence Storage

Digital Evidence Analysis

Presentation

Investigation Closure

Potential Digital Evidence Identification

Digital Evidence Collection

Concurrent Processes

Digital Evidence Interpretation

Report writing

Page 29: DF Process Models

Hewling/Sant: Digital Forensics: the need for Integration (2011)

Standardized framework for DF

Initiation Phase

Type of Investigation required

Educational Training and Qualification

Personnel Involved

Type of Intrusion

Type of Data (Static vs Live)

Type of Authorization required

Output: Formal Document

Investigation Phase

Locate suspect devices

Physically protect & preserve crime scene

Capture image at the scene

Identify suspect devices and peripherals

Preserve live data

Preserve static data

Remove devices to controlled environment.

Prevention of spoliation of data

Preserve copy & analyze pertinent data

Output: Formal Document

Reporting Phase

Inventory of items seized & analyzed

Prepare a jargon-free report

Inventory of all equipment used in the investigation

Inventory of tools used in the investigation

Archiving and Storage

Reconstruction of crime scene

Creation of attacker profile

Output: Investigation deliverable.

Formal Document

Legal Adherence (Daubert’s Criteria)

Page 30: DF Process Models

Köhn et al: Integrated digital forensic process model (2013)

Integrated Digital Forensic Process model (IDFPM)

Presentation

Preparation

Policy/Procedure

Infrastructure Readiness

Operational Readiness

Incident

Incident Response

Detect; Notify; Authorize

Deploy; Confirm

Assess

Approach Strategy

Search

Recover

Seize

Preserve

Transport

Store

Digital Forensic Investigation

Collect; Authenticate; Examine; Harvest; Reduce

Identify; Classify; Organize; Compare; Hypothesize

Analyze; Attribute; Evaluate; Interpret

Reconstruct; Communicate; Review

Present; Report; Decide; Disseminate

Page 31: DF Process Models

SWGDE: Best Practices for Computer Forensics V3-1 (2014)

SWGDE Best Practices

Evidence Collection

Evidence Handling

Evidence Triage/Preview

Powered-On Systems

Powered-Off Systems

Loose Media

Computers

Servers

Evidence Packaging / Transport

Equipment Preparation

Acquisition

Physical

Forensic Analysis / Examination

Documentation

Acquisition Documentation

Examination Documentation

Evidence Handling

Documentation

Report of Findings

Review

Logical

Live

Targeted (Files)

Page 32: DF Process Models


Nasif, L.: Best Practices for Cybercrime Evidence Collection Projects (2014), Forensics Based on Project (ForPro) model

Collect Examine Analyze Report

Initiating Planning

Controlling Executing Closing

Page 33: DF Process Models

ISO/IEC 27043:2015 Information technology - Security techniques – Incident investigation principles and processes

ISO/IEC 27043

Readiness Processes: Planning and Definition of System Architectures; Implementing Digital Forensic Readiness System Architecture; Assessment of Implementation

Initialization Processes: Incident Detection; First Response; Planning; Preparation

Acquisitive Processes: Potential Digital Evidence Identification; Potential Digital Evidence Acquisition; Potential Digital Evidence Transportation; Potential Digital Evidence Storage

Investigative Processes: Potential Digital Evidence Examination and Analysis; Digital Evidence Interpretation; Reporting; Presentation

Concurrent Processes: Obtaining Authorization; Managing Information Flow; Preserving Chain of Custody; Preserving Digital Evidence; Interaction with the Physical Investigation

Page 34: DF Process Models


DF processes per models reviewed

[Bar chart: number of reviewed models that include each digital forensic process; vertical axis 0 to 30]

Page 35: DF Process Models


Most Common Digital Forensic Processes

Preparation / Planning

Evidence Identification

Collection / Acquisition

Preservation of Scene / Digital Evidence

Examination

Analysis

Presentation / Report of results

Page 36: DF Process Models


“We can all see, but can you observe?”