
MODELS OF DIGITAL FORENSIC INVESTIGATION

By

Sanya-Isijola, Ademuyiwa

36641

ABSTRACT

Law enforcement's race against criminals is never-ending. Law enforcement needs to develop
tools and use a digital forensic methodology that covers all areas of forensic analysis in digital
crime investigation. The digital investigation process can be driven by numerous digital
forensic investigation models.

This paper compares and contrasts different forensic methodologies and discusses the main
components any forensic investigation model should contain.

INTRODUCTION

The digital age has brought an increase in the use of computers and the internet as tools to
increase productivity and efficiency in the governmental, commercial, educational and private
sectors of every economy.

In the same vein, these technologies have now become criminal tools used to perpetrate
unlawful or unethical activities. The increased use of the internet and computers has fostered
criminal activity because perpetrators now use their in-depth technical knowledge, coupled with
anonymity, to commit crimes. In order to apprehend cyber criminals, investigators must use
well-defined and consistent forensic procedures. [1]

1.0 What is digital forensics?

In this modern age, several types of digital devices, not just computers, are used on a daily basis
and are constantly exploited for criminal activity. Computer forensics focuses on extracting
evidence from a particular platform (the computer), whereas digital forensics covers extracting
evidence from all sources of digital evidence. [1]

Digital forensics is the collection, preservation, analysis and presentation of digital evidence
extracted from any source of digital evidence that can be used to identify criminal activities or
other activities that constitute a violation. [2]

2.0 Lack of standardization

Presently there are several digital forensic investigation methodologies, but there are no
consistent or standard digital forensic models, only sets of procedures and tools built from the
experience of hackers, system administrators and law enforcement. The available models
concentrate on part of the investigative process (analysis, presentation) rather than providing a
general view of the entire investigation. Thus, many digital crimes are not investigated with a
standardized forensic methodology. [1]

A good digital investigation model must provide a consistent and standardized framework that
supports every stage of the investigation (technical and non-technical) regardless of the type of
crime. As new technologies unfold, they can be applied to the standardized model. [4]

3.0 What is digital forensic investigation?

“Digital forensic investigation is a process that uses science and technology to examine digital
objects and that develops and tests theories, which can be entered into a court of law, to answer
questions about events that occur”. [5]

3.1 Digital forensic investigation models

Over the years, several digital forensic investigation models have been proposed. They include: [3]

• Kruse and Heiser
• America’s Department of Justice (DOJ)
• Lee’s model
• Casey’s model
• DFRWS framework meta-model
• The Reith, Carr and Gunsch model
• The Ciardhuain model

3.11 KRUSE and HEISER

Kruse and Heiser stated that forensic investigation consists of 3 basic components:

• Acquire evidence
• Authenticate evidence
• Analyze data

3.12 America’s Department of Justice (DOJ)

The model proposed by America’s Department of Justice is very similar to that of Kruse and
Heiser; it only adds a new component called Reporting. The model consists of:

• Collection
• Examination
• Analysis
• Report

3.13 Lee (2001)

Lee proposed a model that consists of 4 steps:

• Recognition
• Identification
• Individualization
• Reconstruction

The steps proposed by Lee refer to only a part of the forensic investigation process, i.e. the
investigation stage (no preparation or presentation).

3.14 Casey’s model

Casey’s model is similar to that proposed by Lee; the first and last stages are the same. It
focuses on processing and examining digital evidence (that is, on the investigation). The steps
include:

• Recognition
• Preservation
• Classification
• Reconstruction

3.15 Digital forensic Research working group (DFRW)

The DFRW model was developed between 2001 and 2003. It includes crucial stages of the
investigation and also includes the Presentation stage. It consists of the following stages:

• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Decision

3.16 The Reith, Carr and Gunsch model (2002)

The Reith, Carr and Gunsch model (2002) included other components not found in the
above-mentioned frameworks. It consists of:

• Identification
• Preparation
• Approach
• Strategy
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Returning evidence

3.17 Ciardhuain model

The Ciardhuain model is the most up-to-date and complete. The framework consists of the following:

• Awareness
• Authorization
• Planning
• Notification
• Search and identify evidence
• Collection
• Transportation
• Storage
• Examination
• Hypothesis
• Presentation
• Proof/Defense
• Dissemination [3]

After cross-examination of the above-mentioned frameworks, it was noted that:

• Each framework modifies the one before it
• Some of the models have very similar approaches
• Some of the models concentrate on different areas of the investigation.

The main aim of these models is to produce sufficient evidence that is presentable in a court of
law, but there needs to be a balance in the processes identified by these models to avoid straying
from that aim.

During a forensic investigation, the framework chosen should not concentrate on a certain stage;
it should incorporate the basic components of forensic investigation, which are: [6]

• Preparation
• Investigation
• Presentation

CONCLUSION

The framework used for forensic investigation must not be stage-specific, i.e. concentrate only
on one stage of the forensic investigation, such as Preparation. Any of the above models can be
chosen and easily modified or expanded so that it involves the main components of forensic
investigation (Preparation, Investigation and Presentation). Whatever framework is used for
investigation, it must be applicable to all current digital crimes and those of the near future.

Reference

[1] Mark Reith, Clint Carr, Gregg Gunsch, An examination of digital forensic models.
[2] Bruce J. Nikkel, The role of digital forensics within a corporate organization.
[3] Daniel A. Ray, Phillip G. Bradford, Models of models: Digital forensics and domain-specific languages.
[4] Séamus Ó Ciardhuáin, An extended model of cyber crime investigation.
[5] www.cerias.purdue.edu
[6] Michael Kohn, JHP Eloff and MS Olivier, Framework for a digital forensic investigation.
