Digital forensics

Digital forensics models

Soufiane Tahiri
January 25, 2016 by
Soufiane Tahiri

In the increasingly dynamic world of technology, the number of smart devices (computers, smartphones) is dramatically increasing leading to a huge amount of data being inter-exchanged. These smart devices are becoming more and more responsible for cyber fraud and cyber-crimes. Today more information is stored in its digital format, and due to increasing criminal activities using either computers or smartphone, it becomes very important and crucial that digital investigators could conduct their analysis properly, this is why and as early as 1984, the FBI and many other law enforcement agencies started to develop processes and adopt procedures in digital investigations.

Since then, the number of proposed models and frameworks keeps on increasing, and many enhancement has been applied to existing once, this and upcoming articles will drive you through some of the proposed models.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Investigation process

All models agree on the importance of some phases as we will see later, most of the proposed frameworks accept some common starting points and give an abstract frame that forensic researchers and practitioners apply and use to develop new research horizons to fill in continually evolving requirements.

Computer forensic investigative process

Back in 1984, Politt proposed the first methodology to deal with digital evidence in a way to remain scientifically reliable and legally acceptable, the model proposed was discussed in Proceeding of the National Information Security Conference, this model consists of four main phases as you can see in the following diagram:

Figure 1 Computer Forensic Investigative Process

The first phase is Acquisition, where evidence is acquired with approval from authorities and in an acceptable manner, it's followed by Identification step whereby all evidence is transformed from digital format to a human understandable format. The Evaluation phase comprises of tasks that determinate the accuracy of gathered evidence, and if indeed they can be considered as relevant to the being investigated case. The final step is Admission where all extracted evidence is presented.

DFRWS investigative model

The research roadmap from Digital Research Workshops proposed in 2001 a general purpose digital forensic framework composed of six main phases:

Figure 2 DFRWS Investigative Model

This model was the base fundament of further enhancement since it was very consistent and standardized, the phases namely: Identification, Preservation, Collection, Examination, Analysis and Presentation (then a pseudo additional step: Decision). Each phase consists of some candidate techniques or methods. The first is Identification and comprises event or crime detection, resolving signature, anomalous detection, system monitoring, audit analysis, etc. Followed by Preservation step in which a proper case management is set, imaging technologies are used, and all measurement are taken to ensure an accurate and acceptable chain of custody, preservation is a guarded principle across all forensic phases. Collection comes directly after in which relevant data is collected based on approved methods, software, and hardware; in this step, we make use also of different recovery techniques and lossless compression. Following this step are two interesting and very crucial phases, Examination and Analysis, whereby evidence traceability, pattern matching are guaranteed, then hidden data must be discovered and extracted, at this point data mining and timeline are performed. The latest phase of this model is Presentation. Tasks related to this step are documentation, clarification, mission impact statement, recommendation and countermeasures are taken and experts testimony.

Abstract digital forensics model (ADFM)

As seen DFRWS Investigative Model was meant to be a generic "technology-independent" model, and in 2002 Mark Reith, Clint Carr, and Gregg Gunsch was inspired from DFRWS and presented the Abstract Digital Forensic Model an enhanced model composed of nine phases:

Figure 3 Abstract Digital Forensics Model (ADFM)

As, by this model, the Identification phase assumes that the incident type is well recognized and determined, this is an important step since all upcoming steps depend on it. Followed by the Preparation step, this is the first introduced step where tools, techniques, search warrants, monitoring authorization and management support are prepared, this step is followed by the second introduced step Approach Strategy, this step is meant to maximize the collection of the evidence while minimizing the impact on the victim by formulating different approaches and procedures to follow. In the following phase, Preservation, all acquired data must be isolated and secured to keep them in their actual state. All acquired digital evidence is duplicated, and the physical scene is recorded, based on standardized procedures, these tasks are performed under the Collection phase. The next phase is Examination whereby an in-depth systemic analysis is conducted to search the evidence relating to the current case. The probative value of the examined evidence is determined in Analysis phase. The following step is Presentation where a summary of the process is developed, then comes the third introduced step: Returning Evidence that closes the investigation process by returning physical and digital evidence to the proper owner.

The most important value that added this model (in contrast with DFRWS Investigative Model) consists of a comprehensive pre and post investigation procedures.

Integrated digital investigation process (IDIP)

The model was first proposed by Carrier and Spafford in 2003, the goal was to "integrate" all available models and investigative procedures, the effort was held to map the digital investigative process to the physical investigative one. The model itself is quite big since it organized into five groups consisting of 17 phases.

Figure 4 The five groups of phases in the IDIP model

The model starts with the Readiness phase, which ensures that we are fully able to support fully the investigation (including operations readiness, a phase in which we provide all training and equipment for investigators; and infrastructure readiness phase that ensures that the needed data exists). This is followed by the Deployment phase, a phase where we provide mechanisms for an incident to be detected and confirmed, this phase consists of detection and notification then confirmation and authorization phases. Followed immediately by Physical Crime Scene Investigation phase where we collect and analyze physical evidence, this is meant to reproduce the actions that took place during the incident, this phase consists of six phases as shown below:

After this comes the Digital Crime Scene Investigation phase, this model consider each digital device as a separate crime scene, this phase ensure the collection of all electronic evidence, and just like the previous, this phase contains six 'identical' phases:

Both phases include Preservation, Survey for Physical/Digital Evidence, Document Evidence and Scene, Search for Physical/Digital evidence, Physical/Digital Crime Scene Reconstruction and Presentation of Physical/Digital Scene Theory. The latest phase of the model is the Review phase in which the whole process is reviewed to find points of improvements and to identify new procedures or new training requirements.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Summary

Today's digital world is becoming an important (if not the most important) part of any criminal investigation, it's important to have in mind that using tools and having technical skills is not usually enough to fully and properly investigate a digital crime. Digital forensic examiners must follow a well-defined process that goes beyond technical needs, this is why we must have an in-depth look at previously done efforts and existing forensic frameworks. This article is the first of a series that will go through the historical evolution of digital forensic models and frameworks, today we described the first four major models that were developed and upcoming articles will cover more recent ones.

Soufiane Tahiri
Soufiane Tahiri

Soufiane Tahiri is is an InfoSec Institute contributor and computer security researcher, specializing in reverse code engineering and software security. He is also founder of www.itsecurity.ma and practiced reversing for more then 8 years. Dynamic and very involved, Soufiane is ready to catch any serious opportunity to be part of a workgroup.

Contact Soufiane in whatever way works for you:

Email: soufianetahiri@gmail.com

Twitter: https://twitter.com/i7s3curi7y

LinkedIn: http://ma.linkedin.com/in/soufianetahiri

Website: http://www.itsecurity.ma