DF process models (transcript)
Digital Forensic Models & Frameworks (2000-2015)
Costas Katsavounidis
Katsavounidis C. 2
Principles of Forensic Examination of Digital Evidence
Locard’s Exchange Principle: “Every Contact Leaves a Trace”

A.C.P.O. (2007): Good Practice Guide for Computer-Based Evidence
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

N.I.J. (2008): Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition
- The process of collecting, securing, and transporting digital evidence should not change the evidence.
- Digital evidence should be examined only by those trained specifically for that purpose.
- Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review.

E.N.F.S.I. (2009): Guidelines for Best Practice in the Forensic Examination of Digital Evidence
A. The general rules of evidence should be applied to all digital evidence.
B. Upon seizing digital evidence, actions taken should not change that evidence.
C. When it is necessary for a person to access original digital evidence, that person should be suitably trained for the purpose.
D. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
E. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
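The audit trail that A.C.P.O. Principle 3, the N.I.J. documentation rule and E.N.F.S.I. point D all call for, as an added Python example that is not part of the slides or of any of the cited guides: every process applied to an evidence item is logged with the evidence hash before and after the step and chained to the previous entry, so an independent third party can re-run the check (Principle 1 is checked by requiring the hash to stay the same). The examiner and tool names are hypothetical and the evidence bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

ZERO_HASH = "0" * 64  # link value recorded by the first entry of a trail

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class AuditTrail:
    """Append-only record of each process applied to an evidence item (hash before/after, link to previous entry)."""

    def __init__(self, examiner: str) -> None:
        self.examiner = examiner
        self.entries: list[dict] = []

    def record(self, action: str, tool: str, before: bytes, after: bytes) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else ZERO_HASH
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            "tool": tool,
            "hash_before": sha256_hex(before),
            "hash_after": sha256_hex(after),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

def verify_trail(entries: list[dict], original: bytes) -> list[str]:
    """Independent re-check: entries unmodified and linked, first step started from
    the original evidence, and no step altered it. Returns problems (empty = holds)."""
    problems: list[str] = []
    expected_prev, expected_hash = ZERO_HASH, sha256_hex(original)
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: content does not match its entry hash")
        if e["prev_entry_hash"] != expected_prev:
            problems.append(f"entry {e['seq']}: link to previous entry is broken")
        if e["hash_before"] != expected_hash:
            problems.append(f"entry {e['seq']}: evidence hash differs from prior step")
        if e["hash_after"] != e["hash_before"]:
            problems.append(f"entry {e['seq']}: '{e['action']}' altered the evidence")
        expected_prev, expected_hash = e["entry_hash"], e["hash_after"]
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Two documented steps on constructed evidence bytes, then the same trail with one entry edited later."""
    evidence = b"constructed sample image bytes, not real evidence"
    trail = AuditTrail("examiner-A")  # hypothetical examiner and tool names below
    trail.record("bit-for-bit acquisition behind write blocker", "imager", evidence, evidence)
    trail.record("keyword search on working copy", "search-tool", evidence, evidence)
    tampered = [dict(e) for e in trail.entries]
    tampered[1]["action"] = "keyword search (wording edited later)"
    return verify_trail(trail.entries, evidence), verify_trail(tampered, evidence)
```

A step that legitimately touches original data (Principle 2) still shows up, as a flagged entry whose action text must then carry the examiner's explanation.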
Lee/Pagliaro: Crime Scene Handbook (2001): Physical Scene Investigation Principles
Recognition, Identification, Individualization, Reconstruction
  Recognition / Preservation: Collection and Documentation
  Individualization: Comparison and Individualization
  Reconstruction
Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2000): Digital Evidence Process Model

Process Models & Frameworks for the Forensic Examination of Digital Evidence
Kruse & Heiser: Computer Forensics, Incident Response Essentials (2001): 3A’s Computer Investigation Model (Process Model)
Acquisition, Authentication, Analysis

Köhn, Michael: Integrated Digital Forensic Process Model (2012): Improved Computer Investigation Model (Process Model)
Acquisition, Authentication, Examination, Analysis, Report
Forensic Investigation Processes: NIJ: Electronic Crime Scene Investigation: A Guide for First Responders (2001); NIST: Guide to Integrating Forensic Techniques into Incident Response (2006); ACPO: Good Practice Guide for Computer-Based Evidence (2007)
Collection, Examination, Analysis, Report

Forensic Processes: NIJ: Forensic Examination of Digital Evidence: A Guide for Law Enforcement (2004)
Assessment, Acquisition, Examination, Analysis, Report
Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2004): Investigative Process
Stages, first to last:
Incident alerts or accusation
Assessment of worth
Incident/Crime scene protocols
Identification or seizure
Preservation
Recovery
Harvesting
Reduction
Organization and search
Analysis
Reporting
Persuasion and testimony
Slide annotations on the stages: Crime or policy violation; Prioritize - choose; Actions at scene – real/virtual; Recognition and proper packaging; Get it ALL – hidden/deleted; Data about data; Integrity – modification tree; Filter - eliminate; Focus; Scrutinize; Detailed record; Translate and explain
Analysis: Assessment, Experiment, Fusion, Correlation, Validation
DFRWS: A Road Map for Digital Forensic Research (2001): Investigative Process for Digital Forensic Science
Identification: Event/Crime detection; Resolve Signature; Anomalous Detection; Complaints; System monitoring; Audit Analysis; Etc.
Preservation: Case Mngt; Imaging Technologies; Chain of custody; Time Sync
Collection: Preservation; Approved Methods; Approved Software; Approved Hardware; Legal Authority; Lossless compression; Sampling; Data Reduction; Recovery Techniques
Examination: Preservation; Traceability; Validation Techniques; Filtering Techniques; Pattern Matching; Hidden Data Discovery; Hidden Data Extraction
Analysis: Preservation; Traceability; Statistical; Protocols; Data Mining; Timeline; Link; Spatial
Presentation: Documentation; Expert Testimony; Clarification; Mission impact statement; Recommended countermeasure; Statistical Interpretation
Decision
Reith et al: An Examination of Digital Forensic Models (2002): Abstract Model for Digital Forensics
Identification
Preparation
Approach Strategy
Preservation
Collection
Examination
Analysis
Presentation
Returning Evidence
Mandia et al: Incident Response and Computer Forensics (2003): The Incident Model
Pre-Incident Preparation
Detection of Incidents
Initial Response
Formulation of Response Strategy
Incident Investigation
  Data Collection
  Data Analysis
Report
Resolution, Recovery, Security Measures Implementation
Carrier/Spafford: Getting Physical with the Digital Investigation Process (2003): Integrated Digital Investigation Process (IDIP)
Readiness Phases
  Operations Readiness
  Infrastructure Readiness
Deployment Phases
  Detection & Notification
  Confirmation & Authorization
Physical Crime Scene Investigation Phases
  Preservation, Survey, Documentation, Search & Collection, Reconstruction, Presentation
Digital Crime Scene Investigation Phases
  Preservation, Survey, Documentation, Search & Collection, Reconstruction, Presentation
Review Phases
  Review
Baryamureeba/Tushabe: The Enhanced Digital Investigation Process Model (2004): Enhanced Integrated Digital Investigation Process Model
Preparation Phases
Deployment Phases
Traceback Phases
Dynamite Phases
Review Phases
Physical Crime Scene and Digital Crime Scene sub-phases: Preservation Phase, Survey Phase, Documentation Phase, Search & Collection Phase, Presentation Phase
Beebe/Clark: A Hierarchical, Objectives-Based Framework for the Digital Investigation Process (2005): Two-Tier Digital Investigations Process Framework
Phases (each with its own Objectives-Based sub-phases):
Preparation
Incident Response
Data Collection
Data Analysis
Presentation of Findings
Incident Closure
O'Ciardhuain, Seamus: An Extended Model of Cybercrime Investigations (2004): Extended Model of Cybercrime Investigations
Activities:
Awareness
Authorization
Planning
Notification
Search/Identify
Collection
Transport
Storage
Examination
Hypothesis
Presentation
Proof/Defence
Dissemination
Influences and information flows: External Events; External Authority; Externally imposed policies, regulations & Legislation; External Information; Information Distribution; Organizational Policies; Internal Information; Information Controls; Internal Authority; Internal Events; General Information Flow; Other Organizations; Internal Challenges; External Challenges
Köhn et al: Framework for a Digital Forensic Investigation (2006); Köhn et al: UML Modelling of Digital Forensic Process Models (DFPMs) (2008): Integrated Digital Forensic Process Model (InteDFPM)
Preparation, Investigation, Presentation (all within the framework of the Law)
  Preparation
  Investigation: Collect, Authenticate, Examine, Analyze
  Presentation: Report, Present
Outputs: Evidence, Report
NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response (2006): Forensic Process
Phases: Collection, Examination, Analysis, Report
What each phase yields: Media, Data, Information, Evidence

Selamat et al: Mapping Process of Digital Forensic Investigation Framework (2008): Simplified DF Investigation Framework
Preparation
Collection & Preservation
Examination & Analysis
Presentation & Reporting
Dissemination
Rogers et al: Computer Forensics Field Triage Process Model (2006): Cyber Forensic Field Triage Process Model (CFFTPM)
Planning
Triage
User Usage Profiles
  Home Directory
  File Properties
  Registry
Chronology / Timeline
Internet
  Browser artifacts
  Instant Messages
Case Specific
(At Scene)
Forrester/Irwin: A Digital Forensic Investigative Model for Business Organizations (2007): DF model for business organizations
Readiness
Deployment
Incident Evaluation
Scene Preservation
Investigation
Service Restoration
Reporting
Decisions
Incident Review
Interaction
Freiling/Schwittay: A Common Process Model for Incident Response and Computer Forensics (2007): Common Process Model for Incident Response & Computer Forensics
Pre-Analysis Phase
  Pre-Incident Preparation
  Incident Occurs
  Detection of Incidents
  Initial Response
  Formulation of Response Strategy
Analysis Phase
  Live Response
  Forensic Duplication
  Data Recovery
  Harvesting
  Reduction & Organization
  Analysis
Post-Analysis Phase
  Report
  Resolution
Khurana et al: Palantir: A Framework for Collaborative Incident Response and Investigation (2009): Collaborative framework: Palantir
Site
· Establish an Incident Response Team.
· Train staff on latest threats and software tools.
· Follow recommended practices to prevent incidents.
· Deploy intrusion detection and forensics data collection capabilities.
· Develop incident response policies and procedures, including a legal activities coordination plan.
· Detect and confirm that an incident has occurred.
· Perform initial analysis to determine incident scope.
· Determine containment, eradication, recovery and investigation strategy.
· Report incident to appropriate ICIM.
· Contain the breach to prevent further damage.
· Collect and preserve evidence in a forensically sound manner.
· Eradicate malware and disable compromised systems/accounts.
· Deploy counter-measures to prevent repeat occurrence of compromise.
· Restore normal system operation.
· Identify lessons learned.
· Complete incident report.
· Improve future preparedness.
· Retain evidence as required according to policy.
ICIM / Collaboration
· Establish and train Incident Response Team.
· Train Staff on latest threats and software tools.
· Establish and maintain a collaborative workspace hosting environment.
· Develop incident response policies and procedures including a legal activities coordination plan.
· Develop policies and procedures for collaboration.
· Deploy collaborative investigation tools.
· Analyze incoming incident reports.
· Develop response strategy and determine if collaborative investigation is warranted.
· Create collaborative workspace.
· Invite collaborators and assign roles.
· Formulate collaborative response and investigation strategy.
· Share (anonymized) evidence as appropriate.
· Perform cross-site data analysis and correlation.
· Discuss (ongoing) incident and share insights.
· Cooperate in containment and recovery.
· Reconstruct the crime scene.
· Prepare coordinated legal strategy.
· Legally prosecute the offenders.
· Share lessons learned among participants and publicly as appropriate.
· Retain evidence according to policy.
Perumal, Sundresan: Digital Forensic Model Based on the Malaysian Investigation Process (2009): Malaysian Investigation Process model
Planning
Identification
  Authorization: Search Warrant Obtained
  Static Acquisition
  Live acquisition: Identify Fragile Evidence
Reconnaissance
  Gathering Evidence
Transport & Storage
Analysis
Result
Proof & Defense
Archive Storage
Cohen, Frederick: Fundamentals of Digital Forensic Evidence (2010): Digital Forensic Evidence Processes
Digital Evidence
Identify
Collect
Preserve
Transport
Store
Analyze
Interpret
Attribute
Reconstruct
Present
Destroy
Smith/Petreski: A New Approach to Digital Forensic Methodology (2010): Smith & Petreski Method
Pre-Analysis
  Determine Case Type
  Requester Goals, Common Case Goals and Analyst Developed Goals form the Agreed Upon Case Goals
  Develop Required Information List
  Develop Beneficial Information List
  Determine Methods to Achieve each Case Goal
  Provide Case Time Estimate
Analysis
  Identify Effectiveness of the Method
  Identify the Time Required for this Method
  Identify Additional Costs
  Estimate Analyst Skill with Method
  Estimate Size of Data
  Actual Costs / Resource Costs
  Generate SPI and Time Limits for reevaluation
Grobler, C. et al: A Multi-component View of Digital Forensics (2010): Digital Forensic Management Framework
Pro-Active DF (before the incident)
Active DF (during the incident)
Re-Active DF (after the incident)
Atsa/Mboupda: Multi-Perspective Cybercrime Investigation Process Modeling (2012): MCIP model
Perspectives: ReaDF, ProDF, ActDF
Complaint / Alert / Automatic Detection
Identification
Collection
Preservation
Analysis
Documentation
Incident Closure
Reconstruction
Evidence Acquisition: Identification, Preservation, Collection
Analysis
Physical Investigation
Reconstruction
Present Findings
Dissemination of results
Incident Closure
Final Report
Agarwal et al: Systematic Digital Forensic Investigation Model (2011): Systematic Digital Forensic Investigation Model (SRDFIM)
Preparation
Securing the Scene
Survey & Recognition
Documentation of the Scene
Communication Shielding
Evidence Collection
Preservation
Examination
Analysis
Presentation
Result
Capturing the Timeline According to the Country Digital Forensic Law
Yusoff et al: Common Phases of Computer Forensic Investigation Models (2011): Generic Computer Forensic Investigation Model (GCFIM)
Pre-Process
Acquisition & Preservation
Analysis
Presentation
Post-Process
Valjarevic/Venter: Harmonized Digital Forensic Investigation Process Model (2012); Valjarevic/Venter: Towards a Prototype for Guidance and Implementation of a Standardized Digital Forensic Investigation Process (2014): Harmonized Digital Forensic Investigation Process Model
Readiness Processes
Initialization Processes
  Incident Detection
  First Response
  Planning
  Preparation
Acquisition Processes
  Incident Scene Documentation
  Potential Evidence Identification
  Potential Evidence Collection
  Potential Evidence Transportation
  Potential Evidence Storage
Investigative Processes
  Potential Evidence Analysis
  Presentation
  Conclusion
Concurrent Processes
  1. Interaction with Physical Investigation
  2. Preserving Chain of Evidence
  3. Preserving Evidence
  4. Information Flow
  5. Documentation
  6. Obtaining Authorization
Mumba/Venter: Testing and Evaluating the Harmonized Digital Forensic Investigation Process in Post Mortem Digital Investigations (2014): Harmonized Digital Forensic Investigation Process Model (ISO/IEC 27043, 2014)
Initialization Processes
  Incident Detection
  First Response
  Planning
  Preparation
Acquisitive Processes
  Incident Scene Documentation
  Potential Digital Evidence Identification
  Digital Evidence Collection
  Digital Evidence Transportation
  Digital Evidence Storage
Investigative Processes
  Digital Evidence Analysis
  Digital Evidence Interpretation
  Report writing
  Presentation
  Investigation Closure
Concurrent Processes
Hewling/Sant: Digital Forensics: the Need for Integration (2011): Standardized framework for DF
Initiation Phase
  Type of Investigation required
  Educational Training and Qualification
  Personnel Involved
  Type of Intrusion
  Type of Data (Static vs Live)
  Type of Authorization required
  Output: Formal Document
Investigation Phase
  Locate suspect devices
  Physically protect & preserve crime scene
  Capture image at the scene
  Identify suspect devices and peripherals
  Preserve live data
  Preserve static data
  Remove devices to controlled environment
  Prevention of spoliation of data
  Preserve copy & analyze pertinent data
  Output: Formal Document
Reporting Phase
  Inventory of items seized & analyzed
  Prepare a jargon-free report
  Inventory of all equipment used in the investigation
  Inventory of tools used in the investigation
  Archiving and Storage
  Reconstruction of crime scene
  Creation of attacker profile
  Output: Investigation deliverable; Formal Document
Legal Adherence (Daubert’s Criteria)
Köhn et al: Integrated Digital Forensic Process Model (2013): Integrated Digital Forensic Process Model (IDFPM)
Preparation
  Policy/Procedure
  Infrastructure Readiness
  Operational Readiness
Incident
Incident Response
  Detect, Notify, Authorize, Deploy, Confirm, Assess, Approach Strategy, Search, Recover, Seize, Preserve, Transport, Store
Digital Forensic Investigation
  Collect, Authenticate, Examine, Harvest, Reduce, Identify, Classify, Organize, Compare, Hypothesize, Analyze, Attribute, Evaluate, Interpret, Reconstruct, Communicate, Review
Presentation
  Present, Report, Decide, Disseminate
SWGDE: Best Practices for Computer Forensics V3-1 (2014): SWGDE Best Practices
Evidence Collection
  Evidence Handling
  Evidence Triage/Preview: Powered-On Systems, Powered-Off Systems, Loose Media, Computers, Servers
  Evidence Packaging / Transport
Equipment Preparation
Acquisition
  Physical, Logical, Live, Targeted (Files)
Forensic Analysis / Examination
Documentation
  Acquisition Documentation
  Examination Documentation
  Evidence Handling Documentation
  Report of Findings
Review
Nasif, L.: Best Practices for Cybercrime Evidence Collection Projects (2014): Forensics Based on Project (ForPro) model
Forensic processes: Collect, Examine, Analyze, Report
Project phases: Initiating, Planning, Executing, Controlling, Closing
ISO/IEC 27043:2015 Information technology - Security techniques - Incident investigation principles and processes: ISO/IEC 27043
Initialization Processes
  Incident Detection
  First Response
  Planning
  Preparation
Acquisitive Processes
  Potential Digital Evidence Identification
  Potential Digital Evidence Acquisition
  Potential Digital Evidence Transportation
  Potential Digital Evidence Storage
Investigative Processes
  Potential Digital Evidence Examination and Analysis
  Digital Evidence Interpretation
  Reporting
  Presentation
Concurrent Processes
  Obtaining Authorization
  Managing Information Flow
  Preserving Chain of Custody
  Preserving Digital Evidence
  Interaction with the Physical Investigation
Readiness Processes
  Planning and Definition of System Architectures
  Implementing Digital Forensic Readiness System Architecture
  Assessment of Implementation
[Bar chart: DF processes per models reviewed]
Most Common Digital Forensic Processes
Preparation / Planning
Evidence Identification
Collection / Acquisition
Preservation of Scene / Digital Evidence
Examination
Analysis
Presentation / Report of results
“We can all see, but can you observe?”