
(IJCSIS) International Journal of Computer Science and Information Security, Vol. XXX, No. XXX, 2011

“Chain of Digital Evidence” Based Model of Digital Forensic Investigation Process

Jasmin Ćosić (Author)
IT Section of Police Administration
Ministry of Interior of Una-Sana canton
Bihać, Bosnia and Herzegovina
[email protected]

Zoran Ćosić (Author)
director, Statheros d.o.o.
Kaštel Stari, Croatia
[email protected]

Miroslav Bača (Author)
Faculty of Organization and Informatics
University of Zagreb
Varaždin, Croatia
[email protected]

Abstract- Computer forensics is essential for the successful prosecution of criminals in computer (cyber) crime. The digital investigation process must be done in a lawful way, and the proposed steps must be followed in order for evidence to be accepted by a court of law. The digital forensic investigation process will be successful if we follow simple rules. The aim of this paper is to compare different existing models and frameworks developed in recent years and to propose a new framework based on the “chain of digital evidence”. This framework is modeled using UML Use Case and Activity diagrams. The authors also warn of certain shortcomings and suggest some recommendations for further research.

Keywords- digital forensic; computer forensic; models of digital forensic; cyber crime investigation; digital forensic framework

I.  INTRODUCTION

Computer crime, cyber or internet crime, is escalating and the race against cyber criminals is never ending. The field of digital forensics has become a critical part of legal systems throughout the world. In 2002 the FBI stated that “fifty percent of the cases the FBI now opens involve a computer” [1]. Therefore, it is very important to have good models and frameworks for computer (cyber) crime investigation. With a model we can generalize a process and create a framework to understand all the techniques and technology that support the work of investigators or other personnel in the digital investigation process. In many situations investigations do not lead to a successful prosecution. In most cases the reason is a lack of preparation and non-compliance with defined procedures. Investigators often do not have the tools, skills, and other required staff to successfully work with digital evidence. Very often the problem is the collection and gathering of evidence. In digital forensic practice there are hundreds of digital forensic investigation procedures, recommendations and documents, developed all over the world. In this paper the authors discuss models and frameworks of forensic investigation and propose a new framework based on the weaknesses and failures that commonly occur in the forensic process.

II. EXISTING MODELS AND FRAMEWORKS OF DIGITAL INVESTIGATION PROCESS

There are lots of forensic models and frameworks in the literature. Some authors propose a model and some a framework. What is the difference and where is the border? According to the Oxford dictionary a framework is “a supporting or underlying structure” [2]. Another dictionary defines a framework as “a skeletal structure designed to support or enclose something” [3]. It can be said that a framework is a structure designed to support some action. In forensic investigation, that action includes forensic stages, steps or levels.

On the other side, the same source defines a model as “a standard or example for imitation or comparison and a representation, generally in miniature, to show the construction or appearance of something”. In the computer world it can be said that a model represents an abstraction of something in sufficient detail to be useful as a formula.

As we can see, there is a difference between a model and a framework. A model is something that we apply to a situation, and a framework is something we use to place aspects of it. Models generalize a process to provide a framework that enables people to understand what that process does, and does not, do [4]. A brief description of the most important models used in computer (digital) investigation is given below.

A. Lee's model

Lee's model (2001) is based on the Scientific Crime Scene Investigation process [5]. This model identifies 4 steps: recognition, identification, individualization and reconstruction. Fig. 1 shows the Lee Scientific Crime Scene Investigation Model. This model is focused on a systematic and methodical way of investigating any digital crime case; the barrier of the model is that it analyzes only a part of the digital forensic process, which limits it in digital forensic investigation, as it does not focus on data acquisition, preparation or presentation [8].

Figure 1. Lee's SCSI model (2001)

B. Casey model

Casey (2004) proposes a model which is focused on processing and examining digital evidence [6] (Fig. 2). The model is similar to Lee's model.

Figure 2. Casey model (2004)

The first and last stages, recognition and reconstruction, are the same as in Lee's model. This model also focuses only on a part of the digital forensic investigation process.

C. DFRW framework

The Digital Forensic Research Working Group (DFRW, 2001) developed a framework that consists of 7 “classes” (Fig. 3). The classes defined by the framework serve to categorize the activities of an investigation into groups. The specifics of the framework must be largely redefined for each particular investigation [7]. This framework is not intended as a final comprehensive one, but rather as a basis for future work which will define a full model and framework for future research. The model is presented as linear [8].

Figure 3. DFRWS framework (2001)

D. Reith, Carr and Gunsch model

This model (2002) took up and included some of the missing components of the previous models which had been suggested all the while. The model focuses in depth on investigation procedures and has 9 stages [9]. This model is similar to the DFRWS one and is presented in Fig. 4.

E. Kruse & Heiser model

According to Kruse and Heiser (2001), the computer forensic investigation process has 3 basic components: acquiring the evidence, authenticating it and analyzing the data [Kohn….]. These components are presented in Figure 5.

Figure 4. Reith, Carr & Gunsch model (2002)

Figure 5. Kruse & Heiser model (2001)


F. USDOJ model

The United States Department of Justice proposed a process model for forensics. This model has 4 phases: collection, examination, reporting and analysis (Fig. 6), and is abstracted from technology [10]. It does significantly better at identifying the core aspects of the forensic process and then building steps to support them, rather than becoming entangled in the details of a particular technology or methodology. This is commendable because it allows traditional physical forensic knowledge to be applied to electronic evidence.

Figure 6. USDOJ model

G. Ciardhuain Extended model

The model proposed by Ciardhuain (2004) is the most complete model. Its phases (stages) are also called “activities”. There are 13 activities (Fig. 7). Unlike previous models, the Ciardhuain model explicitly represents the information flows in an investigation and captures the full scope of an investigation, rather than only the processing of evidence. The inclusion of information flows in this model, as well as the investigative activities, makes it more comprehensive than other models. It provides a basis for the development of techniques and especially tools to support the work of investigators [8].

H. A few of the newest models

In 2006, the forensic process proposed by [11] consisted of 4 phases: collection, examination, analysis and reporting. This model is very similar to early models proposed by [Pollit, 1995].

Kohn, Eloff & Oliver (2006) proposed a framework which is based on the experience of other authors [9]. According to [12], a process framework to investigate an incident includes and combines Incident Response and Computer Forensics to improve the overall process of computer investigation.

All frameworks are useful and have their own strengths. It is very hard to develop one framework to be used in all investigation processes. Some researchers propose a mapping process between the processes/activities of digital investigation, and offer a simplified Digital Forensic Investigation Framework to establish a clear guideline on the steps that should be followed in the forensic process [13].

III. PROPOSED FRAMEWORK BASED ON “CHAIN OF DIGITAL EVIDENCE”

In the previous section, 10 models and frameworks were presented. In their earlier work, the authors encountered in the literature several “new” models which are reinterpretations of the most commonly used models and frameworks described in this paper.

In this situation, the central question is why develop a new model which does not offer anything new.

Some of the previously presented models are based on only a few stages of the investigation process, but the Ciardhuain model is the most complete model. He based his model on all stages of the digital forensic process.

The problem can be the fact that not every country has the same procedures for initiating the forensic process, so not every model can be applied in every country. In some European countries (Croatia, for example) there are not enough forensic experts to handle digital evidence in every stage/phase. Police officers (crime investigators), for example, will be the “first responders” and “collecting personnel”. The second problem is that most of the presented models do not emphasize the process of documentation and the “chain of evidence”, respectively the “chain of custody”, of digital evidence.

What does it actually mean? The phrase “chain of custody” or “chain of evidence” refers to the accurate auditing control of original evidence material that could potentially be used for legal purposes [14]. Some authors use the term “chain of evidence” instead of chain of custody. The purpose of testimony concerning the chain of custody is to prove that the evidence has not been altered or changed through all phases, and it must include documentation on how the evidence was gathered, transported, analyzed and presented. Access to the evidence must be controlled and audited [14].

Figure 7. Ciardhuain model (2004)


Chain of custody and integrity of digital evidence play a very important role in the digital forensic investigation process, due to the fact that in every phase forensic investigators must know where, when and how the digital evidence was discovered, collected and handled, and when and who came in contact with the evidence, etc. A proper chain of custody must include documentation with answers to all these questions. If one of these questions remains unanswered, the chain of custody is compromised and disrupted [15].

The essentiality of documentation and the chain of evidence (chain of custody) are the central point of the proposed framework. The major stages are listed below:

• Allowance
• Planning and preparation
• Chain of custody stages
  o Identification
  o Collection
  o Examination
  o Transport and Storage
• Reconstruction (Hypothesis)
• Publishing (Proof/Defense)
• Closing Case

Fig. 8 shows the complete flow diagram of the proposed framework. Every process is discussed below:

1) Allowance

It is not allowed to start a digital investigation process or computer forensic process without permission or allowance. The process of collecting digital evidence must begin in a lawful way. In other words, if there is a forensic investigation, the competent prosecution or court must issue the order to initiate the investigation, or if there is a corporate internal investigation, the management or supervisory board must agree with the investigation. In both cases, the approval must be a written document [14].

2) Planning and Preparation

In these two phases (stages) the investigators (or other persons who investigate) still have not come into contact with digital evidence.

This process involves making a plan for the investigation process and obtaining authorization from the local police institution. This authorization is not the same as the allowance (permission) that is required for the process to even begin.

This authorization is required for getting a search warrant for the use of any items that are found during the investigation process. That means that if we do not have the authorization, the evidence that we have found cannot be accepted by the court. Because of that this phase is very important and must be applied. It also must be done lawfully and must be documented.

Figure 8. Proposed framework based on chain of evidence

3) Chain of Evidence Phases

a) Identification

The identification phase in the proposed framework deals with locating and identifying the equipment where the evidence is stored: computers, external devices, networks, embedded devices, etc. The environment can be simple (a single computer) and can be investigated very simply, or it can be very complex, where we must include ISPs, other agencies or corporations. In both cases we must identify the evidence from a heap of usual files.

In this phase we need to remember Locard's exchange principle, according to which “anyone or anything that was at the site of committing an offense brought with it a part of committing the offense, and the place of committing the offense has left traces of their presence” [16].

It is very important to have in mind that evidence can be in a temporary state (in Random Access Memory or a swap file, for example), and live acquisition must then be applied. With the live acquisition process we retrieve file time stamps, registry keys, swap files and memory details [9].

b) Collection

The process of collection of digital evidence is the most sensitive phase, because in most cases this is the first contact with the evidence. In this phase personnel must be very careful, because the evidence is in digital format and can easily be changed or even destroyed. All equipment is seized and the data are prepared in the acquisition process for later analysis. This phase is in the focus of much scientific research because every mistake or error in this phase can make further investigation futile. The authors [14,15,16] in their early research also warned of the risks of the collection process.

c) Examination

Everything that was said for the collection phase is valid for the examination process. Examination of digital evidence requires a lot of knowledge, skills and mastery of forensic tools and techniques. In this phase it is very important to have control over the integrity of the digital evidence [14]. All that we do must be documented, and the “chain of custody” must be applied at this stage as at no other so far.

The examination process is usually carried out by a computer forensic expert, but in some cases, in some countries, the court may require expert witness testimony. This expertise must be independent and must rely on scientific methods. Depending on the amount of input data, which today can be on the order of a few terabytes, the output can be a very large volume of data to be examined.

d) Storage and Transport of digital evidence

Storage and transport of digital evidence are phases that are periodically repeated. In these phases digital evidence is particularly vulnerable, because it is influenced by various factors (personnel, etc.).

4) Reconstruction

During and after the examination of evidence, the personnel who investigate the digital evidence must have a hypothesis, usually one main hypothesis, but in some more complex cases a few hypotheses. In this way they try to prove what really occurred. The reconstruction process must also be documented.

5) Publishing the results

The process of publishing the results of a digital investigation means the presentation of results before the court, or in the case of an internal investigation in a corporation, before the management board; the proof and defense process; and at the end, later dissemination of knowledge through a knowledge database. Every corporation, firm or enterprise, even the court, has its own knowledge base system that stores all knowledge from the past for the future.

6) Closing the case

The last phase in the forensic investigation process is not the presentation of evidence before the court. In some cases there is a need to deal with the original evidence before the court, and in this phase we are also in contact with the evidence. This can be sensitive, and in this case the “chain of evidence” must be applied. Digital evidence passes through the “life cycle” phases, and at the end of the trial it can be stored and archived (closing the case).

Figure 9 presents a UML diagram of the proposed framework based on the “chain of evidence”. This framework involves a few actors: Law enforcement personnel (first responders, forensic investigators, etc.), Court expert witness, Defense, Prosecution and Court. Every actor interacts with some of the use cases (Fig. 9).

Figure 9. Use-case diagram of the presented framework


V. COMPARISON OF EXISTING MODELS

Table 1 gives a comparison of the stages/phases of all the models previously described. There are a number of activities (phases) in this table which are not the same in other models. The authors used all activities from all models; the names differ, but the processes are similar.

As we can see in the table, some models are incomplete and focused on just a few phases, while the Ciardhuain model is the most complete and includes all phases of the digital investigation process. The proposed model is also complete and consists of all forensic investigation phases.

VI. CONCLUSION AND FURTHER RESEARCH

The aim of this paper was to review all the essential models and frameworks of the digital forensic investigation process and to propose a new model which can be applied under certain specific conditions. There are lots of models, which differ: some are focused on the process of collection and examination, and some are complete and can be used to make a clear guideline on the steps to be followed in a forensic process. The framework that the authors have proposed is based on documentation and the chain of custody of digital evidence, and consists of all forensic investigation phases. Any of the above-mentioned processes can be chosen and used in a digital investigation process, but there are certain specifics in each country that we should not forget when choosing one.

ACKNOWLEDGMENT

The presented research and results came out of the research supported by the Center for Biometrics, Faculty of Organization and Information Science Varaždin, University of Zagreb, Croatia.

REFERENCES

[1] Peisert S., Bishop M., Marzullo K., Operating Systems Review (OSR), Special Issue on Computer Forensics, 42(3), pp. 112–122, April 2008

[2] Oxford Dictionaries, available at: http://www.askoxford.com/concise_oed/framework?view=uk, Accessed: 24.12.2009.

[3] Dictionary services, available at: http://dictionary.reference.com/browse/framework, Accessed: 24.12.2009.

[4] Peisert S., Bishop M., Marzullo K., Computer Forensics in Forensis, ACM Operating Systems Review (OSR), Special Issue on Computer Forensics, 2008

[5] Lee H.C., Palmbach T.M., Miller M.T., Henry Lee's Crime Scene Handbook, San Diego: Academic Press, 2001

[6] Casey E., Digital Evidence and Computer Crime, San Diego: Academic Press, 2004

[7] Ray A.D., Bradford P.G., Models of Models: Digital Forensics and Domain-Specific Languages

[8] Ciardhuain S., An Extended Model of Cybercrime Investigation, International Journal of Digital Evidence, Summer 2004, Volume 3, Issue 1

[9] Perumal S., Digital Forensic Model Based On Malaysian Investigation Process, International Journal of Computer Science and Network Security, Vol. 9, No. 8, August 2009

[10] Kohn M., Eloff J.H.P., Oliver M.S., Framework for a Digital Forensic Investigation, Proceedings of the ISSA 2006 from Insight to Foresight Conference, South Africa, July 2006

[11] Kent K., Chevalier S., Grance T., Dang H., Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication 800-86, Gaithersburg, 2006

[12] Freiling F.C., Schwittay B., A Common Process Model for Incident Response and Computer Forensics, Proceedings of the Conference on IT Incident Management and IT Forensics, Germany

[13] Selamat S.R., Yusof R., Sahib S., Mapping Process of Digital Forensic Investigation Framework, IJCSNS, Vol. 8, No. 10, 2008

[14] Ćosić J., Bača M., Do We Have Full Control Over Integrity in Digital Evidence Life Cycle?, ITI 2010 - 32nd International Conference on Information Technology Interfaces, Cavtat/Dubrovnik, Croatia, 2010

[15] Ćosić J., Bača M., (Im)Proving Chain of Custody and Digital Evidence Integrity with Time Stamp, MIPRO 2010 - 33rd International Convention on Information and Communication Technology, Electronics and Microelectronics, Opatija, Croatia, 2010

[16] Bača M., Introduction in computer security (in Croatian). Zagreb: NN; 2004

AUTHORS PROFILE

Jasmin Ćosić received his BE (Economics) degree from the University of Bihać (B&H) in 1997. He completed his study in the Information Technology field (dipl.ing. Information Technology) in Mostar, University of Džemal Bijedić, B&H. Currently he is a PhD candidate at the Faculty of Organization and Informatics in Varaždin, University of Zagreb, Croatia. He is working in the Ministry of the Interior of Una-Sana canton, B&H. He is an ICT Expert Witness, a member of the Association of Informatics of B&H, and a member of IEEE and ACM. His areas of interest are Digital Forensics, Computer Crime, Information Security, Information Society and DBM Systems. He is author or co-author of more than 25 scientific and professional papers and one book.

Table 1: Comparison of most used models

Zoran Ćosić, CEO at Statheros ltd, is a business consultant in the business process standardization field. He received his BEng degree at the Faculty of Nautical Science, Split (HR) in 1990, and his MSc degree at the Faculty of Nautical Science, Split (HR) in 2007; he is currently a PhD candidate at the Faculty of Organization and Informatics, Varaždin, Croatia. He is a member of various professional societies and program committees. He is author or co-author of more than 20 scientific and professional papers. His main fields of interest are: information security, biometrics and privacy, and business process reengineering.

Miroslav Bača is currently a Full Professor at the University of Zagreb, Faculty of Organization and Informatics, Varaždin, Croatia. He is a member of various professional societies and program committees, and he is a reviewer for several international journals and conferences. He is also the head of the Biometrics Centre in Varaždin, Croatia. He is author or co-author of more than 70 scientific and professional papers and two books. His main research fields are computer forensics, biometrics and privacy.