Models & Frameworks (2000-2015)
Costas Katsavounidis
Katsavounidis C. 2
Locard’s Exchange Principle: “Every Contact Leaves a Trace”
Principles of Forensic Examination of Digital Evidence
A.C.P.O. (2007)
Good Practice Guide for Computer-Based Evidence
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
N.I.J. (2008)
Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition
• The process of collecting, securing, and transporting digital evidence should not change the evidence.
• Digital evidence should be examined only by those trained specifically for that purpose.
• Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review.
E.N.F.S.I. (2009)
Guidelines for Best Practice in the Forensic Examination of Digital Evidence.
• A. The general rules of evidence should be applied to all digital evidence.
• B. Upon seizing digital evidence, actions taken should not change that evidence.
• C. When it is necessary for a person to access original digital evidence, that person should be suitably trained for the purpose.
• D. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
• E. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
Recognition Identification Individualization Reconstruction
Lee/Pagliaro Crime Scene Handbook (2001)
Physical Scene Investigation Principles
Recognition
Preservation:
Collection and
Documentation
Individualization:
Comparison and
Individualization
Reconstruction
Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2000)
Digital Evidence Process Model
Katsavounidis C. 3
Process Models & Frameworks for the Forensic Examination of Digital Evidence
Acquisition Authentication Analysis
3A’s - Computer Investigation Model Process Model
Kruse & Heiser: Computer Forensics, Incident Response Essentials (2001)
Acquisition Authentication Analysis Report Examination
Improved Computer Investigation Model Process Model
Köhn, Michael: Integrated Digital Forensic Process Model (2012)
Katsavounidis C. 4
Forensic Investigation Processes
• NIJ: Electronic Crime Scene Investigation: A Guide for First Responders (2001)
• NIST: Guide to Integrating Forensic Techniques into Incident Response (2006)
• ACPO: Good Practice Guide for Computer-Based Evidence (2007)
Forensic Processes
NIJ: Forensic Examination of Digital Evidence: A Guide for Law Enforcement (2004)
Collection Examination Analysis Report
Acquisition Examination Analysis Report Assessment
Katsavounidis C. 5
Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2004)
Investigative Process
Persuasion and testimony
Reporting
Analysis
Organization and search
Reduction
Harvesting
Recovery
Preservation
Identification or seizure
Incident/Crime scene protocols
Assessment of worth
Incident alerts or accusation
Assessment
Experiment
Fusion
Correlation
Validation
Crime or policy violation
Prioritize - choose
Actions at scene – real/virtual
Recognition and proper packaging
Get it ALL – hidden/deleted
Data about data
Integrity – modification tree
Filter - eliminate
Focus
Scrutinize
Detailed record
Translate and explain
Katsavounidis C. 6
DFRWS: A Road Map for Digital Forensic Research (2001)
Investigative Process for Digital Forensic Science
Identification Preservation Collection Examination Analysis Presentation Decision
Event/Crime
detection
Resolve
Signature
Anomalous
Detection
Complaints
System
monitoring
Audit
Analysis
Etc.
Case Mngt
Imaging
Technologies
Chain of
custody
Time Sync
Preservation
Approved
Methods
Approved
Software
Approved
Hardware
Legal
Authority
Lossless
compression
Sampling
Data
Reduction
Recovery
Techniques
Preservation Preservation
Documentation
Traceability Traceability
Validation
Techniques
Statistical
Protocols
Data Mining
Timeline
Link
Spatial
Filtering
Techniques
Pattern
Matching
Hidden Data
Discovery
Hidden Data
Extraction
Expert
Testimony
Clarification
Mission
impact
statement
Recommended
countermeasure
Statistical
Interpretation
Katsavounidis C. 7
Reith et al: An Examination of Digital Forensic Models (2002)
Abstract Model for Digital Forensics
Identification
Preparation
Approach Strategy
Preservation
Collection
Examination
Analysis
Presentation
Returning Evidence
Katsavounidis C. 8
Mandia et al: Incident Response and Computer Forensics (2003)
The Incident Model
Pre-Incident
Preparation
Detection of
Incidents
Initial
Response
Formulation
of Response
Strategy
Report
Incident Investigation
Data
Collection
Data
Analysis
Resolution, Recovery, Security Measures Implementation
Katsavounidis C. 9
Carrier/Spafford: Getting Physical with the Digital Investigation Process (2003)
Integrated Digital Investigation Process (IDIP)
Readiness Phases
Deployment Phases
Physical Crime Scene
Investigation Phases
Digital Crime Scene
Investigation Phases
Review Phases
Operations
Readiness
Infrastructure
Readiness
Detection &
Notification
Confirmation &
Authorization
Preservation Survey
Documentation
Search &
Collection
Reconstruction
Presentation
Preservation Survey
Documentation
Search &
Collection
Reconstruction
Presentation
Review
Katsavounidis C. 10
Baryamureeba/Tushabe: The Enhanced Digital Investigation Process Model (2004)
Enhanced Integrated Digital Investigation Process Model
Preparation
Phases
Deployment
Phases
Traceback
Phases
Dynamite
Phases
Review Phases
Digital Crime Scene
Preservation
Phase
Survey Phase
Documentation
Phase
Search & Collection
Phase
Presentation
Phase
Physical Crime Scene
Katsavounidis C. 11
Beebe/Clark: A Hierarchical, Objectives-Based Framework for the Digital Investigation Process (2005)
Two-Tier Digital Investigations Process Framework
Preparation
Incident
Response
Data Collection Data Analysis
Presentation of
Findings
Incident Closure
Objectives
Based sub-
phases
Objectives
Based sub-
phases
Objectives
Based sub-
phases
Objectives
Based sub-
phases
Objectives
Based sub-
phases
Objectives
Based sub-
phases
Katsavounidis C. 12
O'Ciardhuain, Seamus: An Extended Model of Cybercrime Investigations (2004)
Extended Model of Cybercrime Investigations
Awareness
Authorization
Planning
Notification
Search/
Identify
Collection
Transport
Storage
Examination
Hypothesis
Presentation
Proof/
Defence
Dissemination
External
Events
External
Authority
Externally imposed
policies, regulations
& Legislation
External
Information
Information
Distribution
Organizational
Policies
Internal
Information
Information
Controls
Internal
Authority
Internal
Events
Information
Controls
General Information Flow
Other
Organizations
Internal
Challenges
External
Challenges
Katsavounidis C. 13
• Köhn et al: Framework for a Digital Forensic Investigation (2006)
• Köhn et al: UML Modelling of Digital Forensic Process Models (DFPMs) (2008)
Integrated Digital Forensic Process Model (InteDFPM)
Preparation Investigation Presentation
Law
Preparation Collect Authenticate Examine Analyze
Report Present
Evidence Report
Katsavounidis C. 14
NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response (2006)
Forensic Process
Collection Examination Analysis Report
Media Data Information Evidence
Selamat et al: Mapping Process of Digital Forensic Investigation Framework (2008)
Simplified DF Investigation Framework
Preparation
Presentation
& Reporting
Collection &
Preservation
Dissemination
Examination &
Analysis
Katsavounidis C. 15
Rogers et al: Computer Forensics Field Triage Process Model (2006)
Cyber Forensic Field Triage Process model (CFFTP)
Planning
Triage
User Usage
Profiles
Home Directory
File Properties
Registry
Chronology
Timeline
Internet
Case Specific
Email
Browser artifacts
Instant Messages
At Scene
Katsavounidis C. 16
Forrester/Irwin: A Digital Forensic investigative model for business organizations (2007)
DF model for business organizations
Readiness Deployment
Incident
Evaluation
Scene
Preservation
Investigation
Service
Restoration
Reporting
Decisions
Incident Review
Interaction
Katsavounidis C. 17
Freiling/Schwittay A Common Process Model for Incident Response and Computer Forensics (2007)
Common Process model for Incident Response & Computer Forensics
Pre-Analysis Phase
Detection of
Incidents
Initial Response
Formulation of
response
strategy
Pre-Incident Preparation
Incident
Occurs
Analysis Phase
Live Response
Forensic
Duplication
Data
Recovery
Harvesting
Reduction &
Organization
Analysis
Post-Analysis Phase
Report Resolution
Katsavounidis C. 18
Khurana et al: Palantir: A framework for collaborative incident response and investigation (2009)
Collaborative framework: Palantir
· Establish an Incident Response Team.
· Train staff on latest threats and software tools.
· Follow recommended practices to prevent incidents.
· Deploy intrusion detection and forensics data
collection capabilities.
· Develop incident response policies and procedures,
including a legal activities coordination plan.
· Detect and confirm that an incident has occurred.
· Perform initial analysis to determine incident
scope.
· Determine containment, eradication, recovery
and investigation strategy.
· Report incident to appropriate ICIM.
· Identify lessons learned.
· Complete incident report.
· Improve future preparedness.
· Retain evidence as required according to policy.
· Establish and train Incident Response Team.
· Train Staff on latest threats and software tools.
· Establish and maintain a collaborative workspace
hosting environment.
· Develop incident response policies and
procedures including a legal activities
coordination plan.
· Develop policies and procedures for
collaboration.
· Deploy collaborative investigation tools.
· Analyze incoming incident reports.
· Develop response strategy and determine if
collaborative investigation is warranted.
· Create collaborative workspace.
· Invite collaborators and assign roles.
· Formulate collaborative response and
investigation strategy.
· Share (anonymized) evidence as appropriate.
· Perform cross-site data analysis and correlation.
· Discuss (ongoing) incident and share insights.
· Cooperate in containment and recovery.
· Reconstruct the crime scene. Prepare
coordinated legal strategy.
· Legally prosecute the offenders.
· Share lessons learned among participants and
publicly as appropriate.
· Retain evidence according to policy.
· Contain the breach to prevent further damage.
· Collect and preserve evidence in a forensically
sound manner.
· Eradicate malware and disable compromised
systems/accounts.
· Deploy counter-measures to prevent repeat
occurrence of compromise.
· Restore normal system operation.
Site ICIM / Collaboration
Katsavounidis C. 19
Perumal, Sundresan: Digital Forensic Model Based on the Malaysian Investigation Process (2009)
Malaysian Investigation Process model
Static Acquisition
Authorization
Search Warrant
Obtained
Planning
Identification Authorization Live acquisition
Identify Fragile
Evidence
Reconnaissance
Gathering
Evidence
Transport &
Storage
Analysis
Result
Proof & Defense
Archive Storage
Katsavounidis C. 20
Cohen, Fred: Fundamentals of Digital Forensic Evidence (2010)
Digital Forensic Evidence Processes
Digital Evidence
Identify
Collect
Preserve
Transport
Store
Analyze
Interpret
Attribute
Reconstruct
Present
Destroy
Katsavounidis C. 21
Smith/Petreski: A New Approach to Digital Forensic Methodology (2010)
Smith & Petreski Method
Determine Case
Type
Requester Goals
Common Case
Goals
Analyst
Developed
Goals
Agreed Upon
Case Goals
Develop
Required
Information List
Develop
Beneficial
Information List
Provide Case
Time Estimate
Determine
Methods to
Achieve each
Case Goal
Pre-Analysis
Analysis
Identify Effectiveness
of the Method
Identify the Time
Required for this
Method
Identify Additional
Costs
Estimate Analyst Skill
with Method
Estimate Size of Data
Actual Costs
Resource
Costs
Generate SPI and
Time Limits for
reevaluation
Katsavounidis C. 22
Grobler, C. et al: A Multi-component View of Digital Forensics (2010)
Digital Forensic Management Framework
Pro-Active DF
Active-DF
Re-Active DF
Incident
Before Incident After Incident
Katsavounidis C. 23
Atsa/Mboupda: Multi-Perspective Cybercrime Investigation Process Modeling (2012)
MCIP model
ReaDF ProDF ActDF
Complaint / Alert / Automatic
Detection
Identification
Collection
Preservation
Analysis
Documentation
Incident Closure
Reconstruction
- Identification
- Preservation
- Collection
Evidence
Acquisition
Analysis
Physical
Investigation
Reconstruction
Present Findings
Dissemination of
results
Incident Closure
Final Report
Katsavounidis C. 24
Agarwal et al: Systematic Digital Forensic Investigation Model (2011)
Systematic Digital Investigation Model (SRDFIM)
Preparation
Securing the
Scene
Survey &
Recognition
Documentation
of the Scene
Communication
Shielding
Evidence
Collection
Preservation
Examination Analysis Presentation
Result
Capturing the Timeline According to the Country's Digital Forensic Law
Katsavounidis C. 25
Yusoff et al: Common Phases of Computer Forensic Investigation Models (2011)
Generic Computer Forensic Investigation model (GCFIM)
Pre-Process
Acquisition &
Preservation
Analysis
Presentation
Post-Process
Katsavounidis C. 26
• Valjarevic/Venter: Harmonized Digital Forensic Investigation Process Model (2012)
• Valjarevic/Venter: Towards a prototype for guidance and implementation of a standardized digital forensic investigation process (2014)
Harmonized Digital Forensic Investigation Process model
Incident Detection
First Response
Planning
Preparation
Incident Scene
Documentation
Potential Evidence
Transportation
Potential Evidence
Storage
Potential Evidence
Analysis
Presentation
Conclusion
Potential
Evidence
Identification
Potential Evidence
Collection
1 – Interaction with Physical Investigation
2 – Preserving Chain of Evidence
3 – Preserving Evidence
4 – Information Flow
5 – Documentation
6 – Obtaining Authorization
Readiness
Processes
Initialization
Processes
Acquisition
Processes
Investigative
Processes
Concurrent
Processes
Katsavounidis C. 27
Mumba/Venter: Testing and Evaluating the Harmonized Digital Forensic Investigation Process in Post Mortem Digital Investigations (2014)
Harmonized Digital Forensic Investigation Process model - (ISO/IEC 27043, 2014)
Investigative Processes
Acquisitive Processes
Initialization Processes
Incident Detection
First Response
Planning
Preparation
Incident Scene
Documentation
Digital Evidence
Transportation
Digital Evidence Storage
Digital Evidence Analysis
Presentation
Investigation Closure
Potential Digital
Evidence
Identification
Digital Evidence
Collection
Concurrent Processes
Digital Evidence
Interpretation
Report writing
Katsavounidis C. 28
Hewling/Sant: Digital Forensics: the need for Integration (2011)
Standardized framework for DF
Initiation Phase
Type of Investigation
required
Educational
Training and
Qualification
Personnel
Involved
Type of
Intrusion
Type of Data
(Static vs Live)
Type of Authorization
required
Output: Formal Document
Investigation Phase
Locate suspect
devices
Physically protect &
preserve crime scene
Capture image at the
scene
Identify suspect
devices and
peripherals
Preserve live data
Preserve static data
Remove devices to
controlled environment.
Prevention of spoilation of
data
Preserve copy & analyze
pertinent data
Output: Formal Document
Reporting Phase
Inventory of items seized
& analyzed
Prepare jargon free
report
Inventory of all
equipment used in
the investigation
Inventory of tools
used in the
investigation
Archiving and Storage
Reconstruction of crime
scene
Creation of attacker
profile
Output:
Investigation deliverable.
Formal Document
Legal Adherence
(Daubert's Criteria)
Katsavounidis C. 29
Köhn et al: Integrated digital forensic process model (2013)
Integrated Digital Forensic Process model (IDFPM)
Presentation
Preparation
Policy/
Procedure
Infrastructure
Readiness
Operational
Readiness
Incident
Incident Response
Detect Notify Authorize
Deploy
Confirm
Assess
Approach
Strategy
Search
Recover
Seize
Preserve
Transport
Store
Digital Forensic Investigation
Collect Authenticate Examine Harvest Reduce
Identify Classify Organize Compare Hypothesize
Analyze Attribute Evaluate Interpret
Reconstruct Communicate Review
Present Report Decide Disseminate
Katsavounidis C. 30
SWGDE: Best Practices for Computer Forensics V3-1 (2014)
SWGDE Best Practices
Evidence
Collection
Evidence
Handling
Evidence
Triage/Preview
Powered-On
Systems
Powered-Off
Systems
Loose Media
Computers
Servers
Evidence
Packaging /
Transport
Equipment
Preparation
Acquisition
Physical
Forensic
Analysis /
Examination
Documentation
Acquisition
Documentation
Examination
Documentation
Evidence
Handling
Documentation
Report of
Findings
Review
Logical
Live
Targeted
(Files)
Katsavounidis C. 31
Nasif, L.: Best Practices for Cybercrime Evidence Collection Projects (2014)
Forensics Based on Project (ForPro) model
Collect Examine Analyze Report
Initiating Planning
Controlling Executing Closing
Katsavounidis C. 32
ISO/IEC 27043:2015 Information technology – Security techniques – Incident investigation principles and processes
ISO/IEC 27043
Initialization
Processes
Acquisitive
Processes
Investigative
Processes
Concurrent
Processes
Incident Detection
First Response
Planning
Preparation
Potential Digital Evidence Identification
Potential Digital Evidence Acquisition
Potential Digital Evidence Transportation
Potential Digital Evidence Storage
Potential Digital Evidence Examination and Analysis
Digital Evidence Interpretation
Reporting
Presentation
Obtaining Authorization
Managing Information Flow
Preserving Chain of Custody
Preserving Digital Evidence
Interaction with the Physical Investigation
Readiness
Processes
Planning and Definition of System Architectures
Implementing Digital Forensic Readiness System Architecture
Assessment of Implementation
Katsavounidis C. 33
DF processes per models reviewed (process: number of reviewed models that include it)
Collection/acquisition: 29
Analysis: 28
Report: 20
Preservation (scene/evidence): 18
Presentation: 17
Identification of evidence: 14
Examination: 13
Preparation (before incident): 11
Assessment/Approach strategy/Planning: 10
Incident detection – Notification: 9
Search/Investigation: 9
Event reconstruction: 8
Documentation: 8
Incident/First response: 7
Preparation: 7
Confirmation/Authorization: 6
Triage/Live response: 6
Transport: 6
Storage: 6
Service restoration: 5
Incident closure: 5
Chain of evidence: 4
Review: 4
Decision: 4
Dissemination: 4
Readiness: 3
Deployment: 3
Documentation of scene: 3
Authentication: 3
Reduction/organization: 3
Interpretation: 3
Result/Conclusion: 3
Corroboration/Proof/Defence: 3
Recognition of sources/patterns: 2
Secure crime scene: 2
Harvesting: 2
Classification: 2
Hypothesis: 2
Attribution/Individualization: 2
Operation readiness: 1
Infrastructure readiness: 1
Awareness: 1
Notification: 1
Incident evaluation: 1
Communication shielding: 1
Seizure: 1
Survey: 1
Traceback: 1
Correlation: 1
Event normalizing: 1
Event deconfliction: 1
Timeline analysis: 1
Post-process: 1
Returning evidence: 1
Archive storage: 1
Katsavounidis C. 34
Most Common Digital Forensic Processes
Katsavounidis C. 35
Preparation /
Planning
Evidence
Identification
Collection /
Acquisition
Preservation
(Scene/Evidence)
Examination Analysis
Presentation/
Report
• Preparation / Planning
• Evidence Identification
• Collection / Acquisition
• Preservation of Scene / Digital Evidence
• Examination
• Analysis
• Presentation / Report of results
Katsavounidis C. 36
“We can all see, but can you observe?”

DF Process Models

  • 1.
    Models & Frameworks(2000-2015) Costas Katsavounidis
  • 2.
    Katsavounidis C. 2 Locard’sExchange Principle: “Every Contact Leaves a Trace” Principles of Forensic Examination of Digital Evidence A.C.P.O. (2007) Good Practice Guide for Computer-Based Evidence Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court. Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to. N.I.J (2008) Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition  The process of collecting, securing, and transporting digital evidence should not change the evidence.  Digital evidence should be examined only by those trained specifically for that purpose.  Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review. E.N.F.S.I. (2009) Guidelines for Best Practice in the Forensic Examination of Digital Evidence.  A. The general rules of evidence should be applied to all digital evidence  B. Upon seizing digital evidence, actions taken should not change that evidence.  C. When it is necessary for a person to access original digital evidence that person should be suitably trained for the purpose.  D. 
All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.  E. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
  • 3.
    Recognition Identification IndividualizationReconstruction Lee/Pagliaro Crime Scene Handbook (2001) Physical Scene Investigation Principles Recognition Preservation: Collection and Documentation Individualization: Comparison and Individualization Reconstruction Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2000) Digital Evidence Process Model Katsavounidis C. 3 Process Models & Frameworks for the Forensic Examination of Digital Evidence
  • 4.
    Acquisition Authentication Analysis 3A’s- Computer Investigation Model Process Model Kruse & Heiser: Computer Forensics, Incident Response Essentials (2001) Acquisition Authentication Analysis ReportExamination Improved Computer Investigation Model Process Model Köhn, Michael: Integrated Digital Forensic Process Model (2012) Katsavounidis C. 4
  • 5.
    Forensic Investigation Processes NIJ: Electronic Crime Scene Investigation: A Guide for First Responders (2001),  NIST: Guide to Integrating Forensic Techniques into Incident Response (2006),  ACPO: Good Practice Guide for Computer-Based Evidence (2007) Forensic Processes NIJ: Forensic Examination of Digital Evidence: A Guide for Law Enforcement (2004) Collection Examination Analysis Report Acquisition Examination Analysis ReportAssessment Katsavounidis C. 5
  • 6.
    Casey, Eoghan: DigitalEvidence and Computer Crime: Forensic Science, Computers and the Internet (2004) Investigative Process Persuation and testimony Reporting Analysis Organization and search Reduction Harvesting Recovery Preservation Identification or seizure Incident/Crime scene protocols Assessment of worth Incident alerts or accusation Assessment Experiment Fusion Correlation Validation Crime or policy violation Prioritize - choose Actions at scene – real/virtual Recognition and proper packaging Get it ALL – hidden/deleted Data about data Integrity – modification tree Filter - eliminate Focus Scrutinize Detailed record Translate and explain Katsavounidis C. 6
  • 7.
    DFRWS: A RoadMap for Digital Forensic Research (2001) Investigative Process for Digital Forensic Science Identification Preservation Collection Examination Analysis Presentation Decision Event/Crime detection Resolve Signature Anomalous Detection Complaints System monitoring Audit Analysis Etc .. Case Mngt Imaging Technologies Chain of custody Time Sync Preservation Approved Methods Approved Software Approved Hardware Legal Authority Lossless compression Sampling Data Reduction Recovery Techniques Preservation Preservation Document- ation Traceability Traceability Validation Techniques Statistical Protocols Data Mining Timeline Link Spacial Filtering Techniques Pattern Matching Hidden Data Discovery Hidden Data Extraction Expert Testimony Clarification Mission impact statement Recommended countermeasure Statistical Interpretation Katsavounidis C. 7
  • 8.
    Reith et al:An Examination of Digital Forensic Models (2002) Abstract Model for Digital Forensics Identification Preparation Approach Strategy Preservation Collection Examination Analysis Presentation Returning Evidence Katsavounidis C. 8
  • 9.
    Mandia et al:Incident Response and Computer Forensics (2003) The Incident Model Pre-Incident Preparation Detection of Incidents Initial Response Formulation of Response Strategy Report Insident Investigation Data Collection Data Analysis Resolution, Recovery, Security Measures Implementation Katsavounidis C. 9
  • 10.
    Carrier/Spafford: Getting Physicalwith the Digital Investigation Process (2003) Integrated Digital Investigation Process (IDIP) Readiness Phases Deployment Phases Physical Crime Scene Investigation Phases Digital Crime Scene Investigation Phases Review Phases Operations Readiness Infrastructure Readiness Detection & Notification Confirmation & Authorization Preservation Survey Document- ation Search & Collection Reconstruct- ion Presentation Preservation Survey Document- ation Search & Collection Reconstruct- ion Presentation Review Katsavounidis C. 10
  • 11.
    Baryamureeba/Tushabe: The EnhancedDigital Investigation Process Model (2004) Enhanced Integrated Digital Investigation Process Model Preparation Phases Deployment Phases Traceback Phases Dynamite Phases Review Phases Digital Crime Scene Preservation Phase Survey Phase Documentation Phase Search & Collection Phase Presentation Phase Physical Crime Scene Katsavounidis C. 11
  • 12.
    Beebe/Clark: A Hierarchical,Objectives-Based Framework for the Digital Investigation Process (2005) Two-Tier Digital Investigations Process Framework Preparation Incident Responce Data Collection Data Analysis Presentation of Findings Incident Closure Objectives Based sub- phases Objectives Based sub- phases Objectives Based sub- phases Objectives Based sub- phases Objectives Based sub- phases Objectives Based sub- phases Katsavounidis C. 12
  • 13.
    O'Ciardhuain, Seamus: AnExtended Model of Cybercrime Investigations (2004) Extended Model of Cybercrime Investigations Awareness Authorization Planning Notification Search/ Identify Collection Transport Storage Examination Hypothesis Presentation Proof/ Defence Dissemination External Events External Authority Externally imposed policies, regulations & Legislation External Information Information Distribution Organizational Policies Internal Information Information Controls Internal Authority Internal Events Information Controls General Information Flow Other Organizations Internal Challenges External Challenges Katsavounidis C. 13
  • 14.
     Köhn etal: Framework for a Digital Forensic Investigation (2006)  Köhn et al: UML Modelling of Digital Forensic Process Models (DFPMs) (2008) Integrated Digital Forensic Process Model (InteDFPM ) Preparation Investigation Presentation Law Preparation Collect Authenticate Examine Analyze Report Present Evidence Report Katsavounidis C. 14
  • 15.
    NIST Special Publication800-86: Guide to Integrating Forensic Techniques into Incident Response (2006) Forensic Process Collection Examination Analysis Report Media Data Information Evidence Selamat et al : Mapping Process of Digital Forensic Investigation Framework (2008) Simplified DF Investigation Framework Preparation Presentation & Reporting Collection & Preservation Dissemination Examination & Analysis Katsavounidis C. 15
  • 16.
    Rogers et al:Computer Forensics Field Triage Process Model (2006) Cyber Forensic Field Triage Process model (CFFTP) Planning Triage User Usage Profiles Home Directory File Properties Registry Chronology Timeline Internet Case Specific Email Browser artifacts Instant Messages AtScene Katsavounidis C. 16
  • 17.
    Forrester/Irwin : ADigital Forensic investigative model for business organizations (2007) DF model for business organizations Readiness Deployment Incident Evaluation Scene Preservation Investigation Service Restoration Reporting Decisions Incident Review Interaction Katsavounidis C. 17
  • 18.
    Freiling/Schwittay A CommonProcess Model for Incident Response and Computer Forensics (2007) Common Process model for Incident Response & Computer Forensics Pre-Analysis Phase Detection of Incidents Initial Response Formulation of response strategy Pre-Incident Preparation Incident Occurs Analysis Phase Live Respose Forensic Duplication Data Recovery Harvesting Reduction & Organization Analysis Post-Analysis Phase Report Resolution Katsavounidis C. 18
  • 19.
    Khurana et al:Palantir: A framework for collaborative incident response and investigation (2009) Collaborative framework: Palantir · Establish an Incident Response Team. · Train staff on latest threats and software tools. · Follow recommended practices to prevent incidents. · Deploy intrusion detection and forensics data collection capabilities. · Develop incident response policies and procedures, including a legal activities coordination plan. · Detect and confirm that an incident has occurred. · Perform initial analysis to determine incident scope. · Determine containment, eradication, recovery and investigation strategy. · Report incident to appropriate ICIM. · Identify lessons learned. · Complete incident report. · Improve future preparedness. · Retain evidence as required according to policy. · Establish and train Incident Response Team. · Train Staff on latest threats and software tools. · Establish and maintain a collaborative workspace hosting environment. · Develop incident response policies and procedures including a legal activities coordination plan. · Develop policies and procedures for collaboration. · Deploy collaborative investigation tools. · Analyze incoming incident reports. · Develop response strategy and determine if collaborative investigation is warranted. · Create collaborative workspace. · Invite collaborators and assign roles. · Formulate collaborative response and investigation strategy. · Share (anonymized) evidence as appropriate. · Perform cross-site data analysis and correlation. · Discuss (ongoing) incident and share insights. · Cooperate in containment and recovery. · Reconstruct the crime scene. Prepare coordinated legal strategy. · Legally prosecute the offenders. · Share lessons learned among participants and publicly as appropriate. · Retain evidence according to policy. · Contain the breach to prevent further damage. · Collect and preserve evidence in a forensically sound manner. 
· Eradicate malware and disable compromised systems/accounts. · Deploy counter-measures to prevent repeat occurrence of compromise. · Restore normal system operation. Site ICIM / Collaboration Katsavounidis C. 19
  • 20. Perumal, Sundresan: Digital Forensic Model Based on the Malaysian Investigation Process (2009)
    Malaysian Investigation Process model
    Phases: Planning · Identification · Reconnaissance · Transport & Storage · Analysis · Result · Proof & Defense · Archive Storage
    Also labelled in the diagram: Static Acquisition · Live acquisition · Authorization · Search Warrant Obtained · Identify Fragile Evidence · Gathering Evidence
  • 21. Cohen, Frederich: Fundamentals of Digital Forensic Evidence (2010)
    Digital Forensic Evidence Processes
    Digital Evidence: Identify · Collect · Preserve · Transport · Store · Analyze · Interpret · Attribute · Reconstruct · Present · Destroy
  • 22. Smith/Petreski: A New Approach to Digital Forensic Methodology (2010)
    Smith & Petreski Method
    · Determine Case Type
    · Requester Goals · Common Case Goals · Analyst Developed Goals · Agreed Upon Case Goals
    · Develop Required Information List · Develop Beneficial Information List
    · Provide Case Time Estimate
    · Determine Methods to Achieve each Case Goal
    · Pre-Analysis · Analysis
    · Identify Effectiveness of the Method · Identify the Time Required for this Method · Identify Additional Costs
    · Estimate Analyst Skill with Method · Estimate Size of Data
    · Actual Costs · Resource Costs
    · Generate SPI and Time Limits for reevaluation
  • 23. Grobler, C. et al: A Multi-component View of Digital Forensics (2010)
    Digital Forensic Management Framework
    Pro-Active DF (before incident) · Active DF (incident) · Re-Active DF (after incident)
  • 24. Atsa/Mboupda: Multi-Perspective Cybercrime Investigation Process Modeling (2012)
    MCIP model (perspectives: ReaDF, ProDF, ActDF)
    Complaint / Alert / Automatic Detection · Identification · Collection · Preservation · Analysis · Documentation · Incident Closure · Reconstruction
    Evidence Acquisition (Identification, Preservation, Collection) · Analysis · Physical Investigation · Reconstruction · Present Findings · Dissemination of results · Incident Closure · Final Report
  • 25. Agarwal et al: Systematic Digital Forensic Investigation Model (2011)
    Systematic Digital Forensic Investigation Model (SRDFIM)
    Preparation · Securing the Scene · Survey & Recognition · Documentation of the Scene · Communication Shielding · Evidence Collection · Preservation · Examination · Analysis · Presentation · Result
    Throughout: Capturing the Timeline According to the Country's Digital Forensic Law
  • 26. Yusoff et al: Common Phases of Computer Forensic Investigation Models (2011)
    Generic Computer Forensic Investigation model (GCFIM)
    Pre-Process · Acquisition & Preservation · Analysis · Presentation · Post-Process
  • 27.
     Valjarevic/Venter: HarmonizedDigital Forensic Investigation Process Model (2012)  Valjarevic/Venter: Towards a prototype for guidance and implementation of a standardized digital forensic investigation process (2014) Harmonized Digital Forensic Investigation Process model Incident Detection First Response Planning Preparation Incident Scene Documentation Potential Evidence Transportation Potential Evidence Storage Potential Evidence Analysis Presentation Conclussion Potential Evidence Identification Potential Evidence Collection 123 45 1. Interaction with Physical Investigation 2 - Preserving Chain of Evidence 3 – Preserving Evidence 4 – Information Flow 5 - Documentation 6 6 – Obtaining Authorization Readiness Processes Initialization Processes Acquisition Processes Investigative Processes Concurrent Processes Katsavounidis C. 27
  • 28. Mumba/Venter: Testing and Evaluating the Harmonized Digital Forensic Investigation Process in Post Mortem Digital Investigations (2014)
    Harmonized Digital Forensic Investigation Process model (ISO/IEC 27043, 2014)
    Process classes: Initialization Processes · Acquisitive Processes · Investigative Processes · Concurrent Processes
    Processes: Incident Detection · First Response · Planning · Preparation · Incident Scene Documentation · Potential Digital Evidence Identification · Digital Evidence Collection · Digital Evidence Transportation · Digital Evidence Storage · Digital Evidence Analysis · Digital Evidence Interpretation · Report writing · Presentation · Investigation Closure
  • 29.
    Hewling/Sant: Digital Forensics:the need for Integration (2011) Standardized framework for DF Initiation Phase Type of Investigation required Educational Training and Qualification Personnel Involved Type of Intrusion Type of Data (Static vs Live) Type of Authorization required Output: Formal Document Investigation Phase Locate suspect devices Physically protect & preserve crime scene Capture image at the scene Identify suspect devices and peripherals Preserve live data Preserve static data Remove devices to controlled environment. Prevention of spoilation of data Preserve copy & analyze pertinent data Output: Formal Document Reporting Phase Inventory of items seized & analyzed Prepare jargon free report Inventory of all equipment used in the investigation Inventory of tools used in the investigation Archiving and Storage Reconstruction of crime scene Creation of attacker profile Output: Investigation deliverable. Formal Document Legal Adherence (Daubert s Criteria) Katsavounidis C. 29
  • 30.
    Köhn et al:Integrated digital forensic process model (2013) Integrated Digital Forensic Process model (IDFPM) Presentation Preparation Policy/ Procedure Infrastructure Readiness Operational Readiness Incident Incident Response DetectNotifyAuthorize Deploy Confirm Assess Approach Strategy Search Recover Seize Preserve Transport Store Digital Forensic Investigation CollectAuthenticateExamineHarvestReduce Identify Classify Organize Compare Hypothesize AnalyzeAttributeEvaluateInterpret Reconstruct Communicate Review Present ReportDecideDisseminate Katsavounidis C. 30
  • 31.
    SWGDE: Best Practicesfor Computer Forensics V3-1 (2014) SWGDE Best Practices Evidence Collection Evidence Handling Evidence Triage/Preview Powered-On Systems Powered-Off Systems Loose Media Computers Servers Evidence Packaging / Transport Equipment Preparation Acquisition Physical Forensic Analysis / Examination Documentation Acquisition Documentation Examination Documentation Evidence Handling Documentation Report of Findings Review Logical Live Targeted (Files) Katsavounidis C. 31
  • 32.
    Nasif, L.: BestPractices for Cybercrime Evidence Collection Projects (2014) Forensics Based on Project (ForPro) model Collect Examine Analyze Report Initiating Planning Controlling Executing Closing Katsavounidis C. 32
  • 33.
    ISO/IEC 27043:2015 Informationtechnology - Security techniques – Incident investigation principles and processes ISO/IEC 27043 Initialization Processes Acquisitive Processes Investigative Processes Concurrent Processes Incident Detection First Response Planning Preparation Potential Digital Evidence Identification Potential Digital Evidence Acquisition Potential Digital Evidence Transportation Potential Digital Evidence Storage Potential Digital Evidence Examination and Analysis Digital Evidence Interpretation Reporting Presentation Obtaining Authorization Managing Information Flow Preserving Chain of Custody Preserving Digital Evidence Interaction with the Physical Investigation Readiness Processes Planning and Definition of System Architectures Implementing Digital Forensic Readiness System Architecture Assessment of Implementation Katsavounidis C. 33
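    As an added illustration (not part of the presentation), a small Python model of the ISO/IEC 27043 process classes in which every sequential process runs under the concurrent processes: the evidence is hashed once and re-verified at each step (Preserving Digital Evidence), every step appends a custody record (Preserving Chain of Custody, documentation), and acquisitive or investigative work is refused until authorization is recorded (Obtaining Authorization). The process names are the slide's; the "no skipping a process class" rule and the custody record layout are assumptions made for this example.

```python
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Process classes and their sequential processes, as named on the ISO/IEC 27043 slide.
PROCESS_CLASSES: Dict[str, List[str]] = {
    "initialization": ["Incident Detection", "First Response", "Planning", "Preparation"],
    "acquisitive": ["Potential Digital Evidence Identification",
                    "Potential Digital Evidence Acquisition",
                    "Potential Digital Evidence Transportation",
                    "Potential Digital Evidence Storage"],
    "investigative": ["Potential Digital Evidence Examination and Analysis",
                      "Digital Evidence Interpretation", "Reporting", "Presentation"],
}
CLASS_ORDER = list(PROCESS_CLASSES)  # assumed ordering rule: classes may not be skipped


class Investigation:
    """Runs sequential processes while enforcing the concurrent processes on every step."""

    def __init__(self, evidence: bytes, authorized_by: Optional[str] = None) -> None:
        self.reference_hash = hashlib.sha256(evidence).hexdigest()  # Preserving Digital Evidence
        self.authorized_by = authorized_by                            # Obtaining Authorization
        self.custody_log: List[dict] = []                             # Preserving Chain of Custody
        self.stage = 0                                                # index into CLASS_ORDER

    def run(self, process_class: str, process: str, actor: str, evidence: bytes) -> str:
        """Execute one named process; returns the verified SHA-256 of the evidence."""
        if process not in PROCESS_CLASSES[process_class]:
            raise ValueError(f"{process!r} is not a {process_class} process")
        target = CLASS_ORDER.index(process_class)
        if target > self.stage + 1:
            raise RuntimeError(f"cannot skip from {CLASS_ORDER[self.stage]} to {process_class}")
        if target >= 1 and self.authorized_by is None:
            raise PermissionError("acquisitive/investigative processes need prior authorization")
        digest = hashlib.sha256(evidence).hexdigest()
        if digest != self.reference_hash:
            raise RuntimeError(f"integrity failure in {process}: evidence no longer matches")
        # Documentation / chain of custody: one record per process actually performed.
        self.custody_log.append({"time": datetime.now(timezone.utc).isoformat(),
                                 "class": process_class, "process": process,
                                 "actor": actor, "sha256": digest,
                                 "authorized_by": self.authorized_by})
        self.stage = max(self.stage, target)
        return digest
```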
  • 34.
    DF processes permodels reviewed 0 5 10 15 20 25 30 Collection/acquisition Analysis Report Preservation(scene/evidence) Presentation Identificationofevidence Examination Preparation(BeforeIncident) Assessment/ApproachStrategy/Planning IncidentDetection-Notification Search/Investigation EventReconstruction Documentation Incident/FirstResponse Preparation Confirmation/Authorization Triage/Liveresponse Transport Storage ServiceRestoration IncidentClosure Chainofevidence Review Decision Dissemination Readiness Deployment Documentationofscene Authentication Reduction/organization Interpretation Result/Conclusion Corroboration/Proof/Defence Recognitionofsources/patterns Securecrimescene Harvesting Classification Hypothesis Attribution/Individualization OperationReadiness InfrastructureReadiness Awareness Notification IncidentEvaluation Communicationshielding Seizure Survey Traceback Correlation EventNormalizing EventDeconfliction Timelineanalysis Post-process ReturningEvidence Archivestorage 29 28 20 18 17 14 13 11 10 9 9 8 8 7 7 6 6 6 6 5 5 4 4 4 4 3 3 3 3 3 3 3 3 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Katsavounidis C. 34
  • 35.
    Most Common DigitalForensic Processes Katsavounidis C. 35 Preparation / Planning Evidence Identification Collection / Acquisition Preservation (Scene/Evidence) Examination Analysis Presentation/ Report  Preparation / Planning  Evidence Identification  Collection / Acquisition  Preservation of Scene / Digital Evidence  Examination  Analysis  Presentation / Report of results
  • 36.
    Katsavounidis C. 36 “Wecan all see, but can you observe?”