Forensic Investigation Process Model Research Articles

A Conceptual Cloud Forensic Investigation Process Model for Software as a Service(SaaS) Applications

This paper explore a structured and systematic approach cloud forensic investigation process model for SaaS applications, to investigate the digital crimes in the cloud environment and contributing to enhanced security and privacy of acquired data during forensic investigation .The proposed model offers the distinctive characteristics of cloud environments and the varying levels of access and control within them. In this proposed model, the systematic forensic investigation process is detailed with microscopic details with four phases namely the initial phase, the acquisition phase, the analysis phase, and the reporting phase in Cloud environment. Ultimately, this research aims to enhance the overall trustworthiness and reliability of SaaS applications forensic for fostering a safer and more secure cloud computing forensic investigation landscape by using the chain of custody.

Unboxing the digital forensic investigation process

As digital forensics continues to play an important role in criminal investigations, its investigative work must be underpinned with well-defined and robust methodologies. Over the last 20 years, a substantial body of research has been produced to define and codify the digital forensic investigation process and the stages/sub-processes involved. Whilst current digital forensic investigation process models provide a solid foundation, it is argued that existing attempts often only focus on those physical tasks, which a practitioner must carry out at any given stage of an examination, omitting to identify those core thought processes, decisions and behaviours that form part of effective investigative practices. This work presents the Digital Forensic Workflow Model (DFWM), a novel approach to the structuring and definition of the procedures and tasks involved in the digital forensic investigation process starting from the initial ‘Review of Client Requirements & Planning’ stage, right through to the ‘Evaluation of Deployed Workflow’ stage. The DFWM contributes to the digital forensic management toolbox, where it enables the identification and management of risk and supports error mitigation at each stage of the workflow. The paper demonstrates how the DFWM functions as a framework for unboxing the digital forensic investigation process based on the investigative strategy of the particular case, providing a detailed structure and depiction of the physical and investigative tasks and decisions. From a research perspective, DFWM is a descriptive starting point, and future empirical studies may expand and provide further detail to the various physical and cognitive tasks and associated risks during the DF workflow.

A semi-automated forensic investigation model for online social networks

Investigating the online social network profiles of victims, suspects, and witnesses are now part of almost every legal investigation, either it involves a criminal offense, financial fraud, or domestic lawsuit. However, investigating online social networks (OSN) is a technically complicated process that becomes more challenging due to the legal issues of privacy and authentication. Completely manual investigative methods are not feasible for OSN investigations due to the immense size and heterogeneity of social networks. However, the existing models for digital forensic investigation are not supporting automated or semi-automated forensic investigation processes. Furthermore, they are not addressing the fundamental differences and specific requirements of online social networks. The model presented in this work incorporates the robust features of standard investigation models and proposes a digital forensic investigation process model that explicitly addresses the necessities of OSN investigations. This work is addressing the issues of automating the forensic collection and analysis processes, defining crime scene boundaries, and outlining reasonable iterative collection procedures in online social network forensic investigation. This work is evaluated using a case study and is compared with existing practices and standards.

Internet of things devices: digital forensic process and data reduction

The rapid increase in the pervasiveness of digital devices, combined with their heterogeneous nature, has culminated in increasing volumes of diverse data, a.k.a. big data that can become subject to criminal or civil investigations. This growth in big digital forensic data (DFD) has forced digital forensic practitioners (DFPs) to consider seizing a wider range of devices and acquiring larger volumes of data that can be pertinent to the case being investigated. This, in turn, has created an immense backlog of cases for law enforcement agencies worldwide. The method of data reduction by targeted imaging, combined with a robust process model, however, can assist with speeding up the processes of data acquisition and data analysis in IoT device forensic investigations. To this end, we propose an IoT forensic investigation process model, IoT-FIPM, that can facilitate not only the reduction of the evidentiary IoT data, but also a timely acquisition and analysis of this data.

Internet of Things Devices: Digital Forensic Process and Data Reduction

The rapid increase in the pervasiveness of digital devices, combined with their heterogeneous nature, has culminated in increasing volumes of diverse data, a.k.a. big data that can become subject to criminal or civil investigations. This growth in big digital forensic data (DFD) has forced digital forensic practitioners (DFPs) to consider seizing a wider range of devices and acquiring larger volumes of data that can be pertinent to the case being investigated. This, in turn, has created an immense backlog of cases for law enforcement agencies worldwide. The method of data reduction by targeted imaging, combined with a robust process model, however, can assist with speeding up the processes of data acquisition and data analysis in IoT device forensic investigations. To this end, we propose an IoT forensic investigation process model, IoT-FIPM, that can facilitate not only the reduction of the evidentiary IoT data, but also a timely acquisition and analysis of this data.

A Review of Mobile Forensic Investigation Process Models

Mobile Forensics (MF) field uses prescribed scientific approaches with a focus on recovering Potential Digital Evidence (PDE) from mobile devices leveraging forensic techniques. Consequently, increased proliferation, mobile-based services, and the need for new requirements have led to the development of the MF field, which has in the recent past become an area of importance. In this article, the authors take a step to conduct a review on Mobile Forensics Investigation Process Models (MFIPMs) as a step towards uncovering the MF transitions as well as identifying open and future challenges. Based on the study conducted in this article, a review of the literature revealed that there are a few MFIPMs that are designed for solving certain mobile scenarios, with a variety of concepts, investigation processes, activities, and tasks. A total of 100 MFIPMs were reviewed, to present an inclusive and up-to-date background of MFIPMs. Also, this study proposes a Harmonized Mobile Forensic Investigation Process Model (HMFIPM) for the MF field to unify and structure whole redundant investigation processes of the MF field. The paper also goes the extra mile to discuss the state of the art of mobile forensic tools, open and future challenges from a generic standpoint. The results of this study find direct relevance to forensic practitioners and researchers who could leverage the comprehensiveness of the developed processes for investigation.

A multidisciplinary digital forensic investigation process model

Worldwide usage of mobile smart devices has increased dramatically over the past two decades. The popularity of these devices has grown as a result of their increased processing power, storage capacity, and memory; they can now hold enormous amounts of both personal and private business data. In addition to the consideration of mobile devices, the scope of any forensic investigation has also grown to include cloud environments. Previously, we proposed a working model that can improve the effectiveness and efficiency of an investigation in a multidisciplinary environment. The study presented herein, however, evaluates a straw man model derived from current practice models to identify the required improvements. The study also proposes a new improved process model known as a multidisciplinary digital forensic investigation process model.

Review and Assessment of the Existing Digital Forensic Investigation Process Models

Review and Assessment of the Existing Digital Forensic Investigation Process Models

A GENERIC DATABASE FORENSIC INVESTIGATION PROCESS MODEL

Database Forensic investigation is a domain which deals with database contents and their metadata to reveal malicious activities on database systems. Even though it is still new, but due to the overwhelming challenges and issues in the domain, this makes database forensic become a fast growing and much sought after research area. Based on observations made, we found that database forensic suffers from having a common standard which could unify knowledge of the domain. Therefore, through this paper, we present the use of Design Science Research (DSR) as a research methodology to develop a Generic Database Forensic Investigation Process Model (DBFIPM). From the creation of DBFIPM, five common forensic investigation processes have been proposed namely, the i) identification, ii) collection, iii) preservation, iv) analysis and v) presentation process. From the DBFIPM, it allows the reconciliation of concepts and terminologies of all common databases forensic investigation processes. Thus, this will potentially facilitate the sharing of knowledge on database forensic investigation among domain stakeholders.

A comprehensive digital forensic investigation process model

A formal process model is needed to enable digital forensic practitioners in following a uniform approach and to enable courts of law in determining the reliability of digital evidence presented to them. Such a model also needs to be generic in that it can be applicable in the different fields of digital forensics including law enforcement, corporates and incident response. There does not currently exist such a comprehensive process model that is both formal and generic. To address these shortcomings, this paper proposes a model that is formal in that it can enable the digital forensic practitioners in following a uniform approach when carrying out investigations and that is generic in that it can be applied in the different environments of digital forensics.

An ad hoc detailed review of digital forensic investigation process models

For the past decade, digital forensics has been the subject of scientific study, and as a result it has become an established research and application field. One of the foundational methods in which the researchers in the field have attempted to comprehend the scientific basis of this discipline has been to develop models which reflect their observations. Various process models have been developed describing the steps and processes to follow during a digital forensic investigation. This paper provides a detailed review of 11 published papers representing digital forensic process models. The aim of this review is to gain background knowledge of the existing research on the digital forensic investigation process models and the problems associated with those models.

A Comprehensive and Harmonized Digital Forensic Investigation Process Model.

Performing a digital forensic investigation (DFI) requires a standardized and formalized process. There is currently neither an international standard nor does a global, harmonized DFI process (DFIP) exist. The authors studied existing state-of-the-art DFIP models and concluded that there are significant disparities pertaining to the number of processes, the scope, the hierarchical levels, and concepts applied. This paper proposes a comprehensive model that harmonizes existing models. An effort was made to incorporate all types of processes proposed by the existing models, including those aimed at achieving digital forensic readiness. The authors introduce a novel class of processes called concurrent processes. This is a novel contribution that should, together with the rest of the model, enable more efficient and effective DFI, while ensuring admissibility of digital evidence. Ultimately, the proposed model is intended to be used for different types of DFI and should lead to standardization.

Introduction of concurrent processes into the digital forensic investigation process

Performing a digital forensic investigation requires a formalised process to be followed. It also requires that certain principles are applied, such as preserving of digital evidence and documenting actions. The need for a harmonised and standardised digital forensic investigation process has been recognised in the digital forensics community and much scientific work has been undertaken to produce digital forensic investigation process models, albeit with many disparities within the different models. The problem is that these existing models do not include any processes dealing explicitly with concurrent digital forensic principles. This leaves room for human error and omissions, as there is a lack of clear guidelines on the implementation of digital forensic principles. This paper proposes the introduction of concurrent processes into the digital forensic investigation process model. The authors define concurrent processes as the actions that should be conducted in parallel with other processes within the digital forensic investigation process, with the aim to fulfil digital forensic investigation principles. The concept of concurrent processes is a novel contribution that aims to enable more efficient and effective digital forensic investigations, while reducing the risk of human error and omissions that result in digital evidence being contaminated.

Reviewing Existing Forensic Models to Propose a Cyber Forensic Investigation Process Model for Higher Educational Institutes

Digital Forensics can be defined as a field of study involving the usage of technical and proved procedures for collecting, preserving, validating, analyzing, interpreting and presenting the Evidences extracted from the digital sources for presenting those in the court of law. Different process models have been proposed by the researchers for cyber crimes’ investigation process, each having its own suitability to environments where they are applicable and other pros and cons. The paper includes the tailoring of existing process models to the particular domain of higher education institutes. With the growing access of computing resources and internet to the students, employees and overall citizens, it is the need of time that organizations should establish and maintain their cyber forensics analysis policy along with whole process to be followed in case of any cyber crime scene reporting.