
DFMF

A Digital Forensic Management Framework

Thesis

by

CORNELIA PETRONELLA GROBLER

Submitted in fulfilment of the requirements

for the degree

PHILOSOPHIAE DOCTOR

in

INFORMATICS

in the

Faculty of Science

at

UNIVERSITY OF JOHANNESBURG

Promoter: Prof SH von Solms

Co-promoter: Prof CP Louwrens

November 2011


ACKNOWLEDGEMENTS

Thank you ….

My promoter, Prof Basie von Solms for your guidance and support through all my post-graduate

studies

My co-promoter, Prof Buks Louwrens for your incredible patience, support, guidance, technical

expertise, and enthusiasm during my studies.

Prof Elize Ehlers for your interest, support, and understanding during my illness and studies.

My husband, Vernon and children Werner and Vernandi, for your understanding, support,

motivation and love throughout my studies

My parents for your unconditional support, motivation, and love in my life

My parents in law, sisters and their family for your continuous support

All colleagues and friends for your consistent motivation and interest

Mrs Strydom and van den Bergh at the Faculty of Science, and Tosca at the department for your

help and ensuring that all the administration is in place

Reviewers for your constructive comments to make the thesis more complete

AND to God for granting me the ability and life to complete this thesis.


TABLE OF CONTENTS

ACKNOWLEDGEMENTS 2

TABLE OF CONTENTS I

TABLE OF FIGURES IX

TABLE OF TABLES I

AFFIDAVIT: MASTER’S AND DOCTORAL STUDENTS I

GLOSSARY OF TERMS I

ABBREVIATIONS AND ACRONYMS USED IN THIS THESIS I

1 CHAPTER 1 OVERVIEW OF THESIS 1-1

1.1 Introduction 1-1

1.2 Background 1-2

1.3 Challenges to Digital Forensics 1-4

1.3.1 Challenge 1: Inadequate evidence 1-5

1.3.2 Challenge 2: Continuity strategies do not consider evidence or procedure requirements 1-5

1.3.3 Challenge 3: Need for live investigative frameworks 1-5

1.3.4 Challenge 4: Need for new DF tools and technologies 1-5

1.3.5 Challenge 5: Use of DF tools and technologies for non-investigative purposes 1-6

1.3.6 Challenge 6: Implementation of a DF capability 1-6

1.4 Problem statement 1-8

1.5 Objective of the thesis 1-8

1.5.1 Sub-objective 1: Provide background to DF 1-8

1.5.2 Sub-objective 2: Provide background to our CDF capability 1-9

1.5.3 Sub-objective 3: Formulate our CDF capability 1-9


1.5.4 Sub-objective 4: Construct our holistic, theoretical DF implementation and management framework (DFMF) 1-9

1.5.5 Sub-objective 5: Identify challenges to DFMF and further research 1-9

1.6 Approach to achieving the objectives 1-10

1.6.1 Part 1: Background 1-10

1.6.2 Part 2: Construction of our DFMF to implement our CDF capability 1-11

1.6.3 Part 3: Conclusion 1-13

1.7 The structure and overview of the thesis 1-13

1.8 Part 1: Background 1-14

1.8.1 Chapter 1: Overview of thesis 1-14

1.8.2 Chapter 2: Introduction to DF 1-14

1.8.3 Chapter 3: Conventional approach to DF 1-16

1.8.4 Chapter 4: Proactive DF (ProDF) 1-16

1.8.5 Chapter 5: Reactive DF (ReDF) 1-17

1.8.6 Chapter 6: Active DF (ActDF) 1-17

1.9 Part 2: Construction of our DFMF 1-18

1.9.1 Chapter 7: CDF capability 1-18

1.9.2 Chapter 8: Construction of the holistic CDF management framework (DFMF) 1-19

1.10 Part 3: Conclusion 1-19

1.10.1 Chapter 9: Conclusion 1-20

1.11 Research results from this thesis so far 1-20

1.11.1 Articles presented and published 1-20

1.11.2 Future articles 1-21

1.12 Summary 1-21

PART 1 BACKGROUND 22

2 CHAPTER 2 INTRODUCTION TO DIGITAL FORENSICS 2-23

2.1 Introduction 2-23

2.2 Aim and structure of this Chapter 2-25

2.3 Background 2-25


2.3.1 Case study 2-25

2.4 Digital Forensics 2-31

2.5 Driving factors for the use of DF in organisations 2-33

2.5.1 External factors 2-33

2.5.2 Internal factors 2-35

2.5.3 Common reasons (needs) for the application of DF in organisations 2-37

2.6 Cybercrime 2-37

2.6.1 Definition of cybercrime 2-37

2.6.2 Cybercriminals 2-39

2.6.3 Types of attacks 2-40

2.7 Digital evidence 2-40

2.7.1 Definition of digital evidence 2-41

2.7.2 Characteristics of ‘good’ evidence 2-43

2.8 Comprehensive Digital Forensic capability 2-44

2.8.1 Reactive DF (ReDF) component 2-45

2.8.2 Proactive DF (ProDF) component 2-46

2.8.3 Active DF (ActDF) component 2-48

2.8.4 Potential relationship between the components of a CDF capability 2-48

2.9 Summary 2-49

3 CHAPTER 3 CONVENTIONAL APPROACH TO DIGITAL FORENSICS 3-51

3.1 Introduction 3-51

3.2 Aim and structure of this Chapter 3-52

3.3 Process-oriented frameworks 3-53

3.3.1 FRAMEWORK 1: Ó Ciardhuáin (2004) 3-54

3.3.2 FRAMEWORK 2: Carrier and Spafford (2003) 3-56

3.3.3 FRAMEWORK 3: Baryamureeba and Tushabe (2004) 3-58

3.3.4 FRAMEWORK 4: Beebe and Clark (2005) 3-61

3.3.5 FRAMEWORK 5: Louwrens et al. (2006b) 3-65

3.3.6 FRAMEWORK 6: E Casey (2004) 3-68

3.3.7 FRAMEWORK 7: Forrester and Irwin (2007) 3-70


3.4 Comparison of process–oriented frameworks 3-72

3.5 Draft version of our CDF capability 3-79

3.5.1 ProDF component 3-79

3.5.2 ActDF component 3-81

3.5.3 ReDF component 3-82

3.6 Role based Framework: FORZA (Ieong, 2006) 3-86

3.7 Comparison of role-based and process frameworks 3-89

3.8 Summary 3-89

3.9 Fold-out for Chapter 3 3-91

4 CHAPTER 4 PROACTIVE DIGITAL FORENSICS (PRODF) 4-92

4.1 Introduction 4-92

4.2 Aim and structure of this Chapter 4-94

4.3 Background: Why ProDF? 4-95

4.3.1 ProDF needs 4-97

4.4 Relationship between DF Readiness views and ProDF 4-99

4.4.1 DF Readiness goals 4-100

4.4.2 DF Readiness elements 4-102

4.4.3 DF Readiness versus ProDF 4-106

4.5 Proposed ProDF plan for the ProDF component 4-109

4.5.1 ProDF definition 4-109

4.5.2 ProDF goals 4-109

4.6 Summary 4-114

4.7 Fold-out for Chapter 4 4-115

5 CHAPTER 5 REACTIVE DIGITAL FORENSICS (REDF) 5-116

5.1 Introduction 5-116

5.2 Aim and structure of this Chapter 5-117


5.3 Definition of ReDF 5-117

5.4 Goals of ReDF 5-118

5.5 ReDF protocol 5-118

5.5.1 PHASE 1: Incident response and confirmation phase 5-118

5.5.2 PHASE 2: Physical investigation phase (if relevant) 5-119

5.5.3 PHASE 3: Digital investigation phase 5-120

5.5.4 PHASE 4: Incident reconstruction phase 5-122

5.5.5 PHASE 5: Presentation of findings phase 5-122

5.5.6 PHASE 6: Incident closure phase 5-122

5.6 Evaluation of the six phases of the ReDF component 5-123

5.7 Summary 5-125

6 CHAPTER 6 ACTIVE DIGITAL FORENSICS (ACTDF) 6-126

6.1 Introduction 6-126

6.2 Aim and structure of this Chapter 6-127

6.3 Need for Active or live investigations 6-128

6.4 Incident response (IR), Intrusion detection system (IDS) and live investigations 6-130

6.5 Live investigation tools and techniques 6-133

6.6 Live investigation frameworks 6-136

6.6.1 FRAMEWORK 1: Payer (2004) 6-137

6.6.2 FRAMEWORK 2: Ren and Jin (2005) 6-138

6.6.3 FRAMEWORK 3: Foster and Wilson (2004) 6-140

6.6.4 FRAMEWORK 4: Grobler (2009) 6-141

6.6.5 FRAMEWORK 5: Ieong and Leung (2007) 6-145

6.7 ActDF component of our CDF capability 6-150

6.7.1 ActDF definition 6-151

6.7.2 Goals for ActDF 6-151

6.7.3 ActDF protocol 6-152

6.8 Summary 6-155


6.9 Fold-out for Chapter 6 6-157

PART 2 CONSTRUCTION OF OUR DFMF 6-158

7 CHAPTER 7 COMPREHENSIVE DF CAPABILITY 7-159

7.1 Introduction 7-159

7.2 Aim and structure of this Chapter 7-160

7.3 Proactive DF (ProDF) component 7-161

7.3.1 ProDF Goal 1: Become DF-ready. See on the ProDF fold-out 7-162

7.3.2 ProDF Goal 2: Implement and manage DF to improve governance programmes (two sub-goals). See

on the ProDF fold-out. 7-175

7.4 Reactive DF (ReDF) component 7-178

7.4.1 ReDF Phase 1: Incident Response and confirmation phase. See on the ReDF fold-out. 7-180

7.4.2 ReDF Phase 2: Physical investigation phase (par.5.5.2). See on the ReDF fold-out. 7-182

7.4.3 ReDF Phase 3: Digital investigation phase (par. 5.5.3). See on the ReDF fold-out. 7-183

7.4.4 ReDF Phase 4: Incident reconstruction phase (par. 5.5.4) (three steps). See on the ReDF fold-out. 7-187

7.4.5 ReDF Phase 5: Presentation of findings phase (par. 5.5.5). See on the ReDF fold-out. 7-188

7.4.6 ReDF Phase 6: Incident closure phase (par. 5.5.6). See on the ReDF fold-out. 7-189

7.4.7 To-do list 7-190

7.5 Active DF (ActDF) component 7-190

7.5.1 ActDF Phase 1: Incident response and confirmation phase. See on the ActDF fold-out. 7-193

7.5.2 ActDF Phase 2: ActDF investigation phase (par. 6.7.3). See on the ActDF fold-out. 7-195

7.5.3 ActDF Phase 3: Limited incident reconstruction phase (par. 6.7.3.3) (two steps) (Figure 7-15 - below).

See on the ActDF fold-out. 7-197

7.5.4 ActDF Phase 4: ActDF investigation closure phase (par. 6.7.3.4). See on the ActDF fold-out. 7-198

7.5.5 To-do list 7-198

7.6 Relationship between ProDF, ReDF and ActDF 7-198

7.7 Summary 7-199

7.8 FOLD-OUT FOR ProDF 7-204

7.9 FOLD-OUT FOR ReDF 7-205


7.10 FOLD-OUT FOR ActDF 7-206

8 CHAPTER 8 CONSTRUCTION OF OUR HOLISTIC DF MANAGEMENT FRAMEWORK (DFMF) 8-207

8.1 Introduction 8-207

8.2 Aim and structure of the chapter 8-208

8.3 Categorise the to-do list 8-209

8.4 Step-by-step construction of the DFMF 8-212

8.4.1 Legal and judicial dimension 8-213

8.4.2 Governance dimension 8-214

8.4.3 Policy dimension 8-216

8.4.4 Process dimension 8-220

8.4.5 People dimension 8-226

8.4.6 Technology dimension 8-228

8.5 Consolidated view of our DFMF 8-231

8.6 Summary 8-232

PART 3 CONCLUSION 8-233

9 CHAPTER 9 CONCLUSION 9-234

9.1 Introduction 9-234

9.2 Part 1 9-235

9.3 Part 2 9-237

9.3.1 ProDF component 9-237

9.3.2 ReDF component 9-239

9.3.3 ActDF component 9-240

9.3.4 Construction of our DFMF 9-241

9.4 Potential challenges to the application of our CDF capability and DFMF 9-242


9.5 Future research opportunities 9-243

9.6 Achievement of the objective of thesis 9-244

10 BIBLIOGRAPHY 246


TABLE OF FIGURES

FIGURE 1-1. COMPONENTS OF A DF CAPABILITY (GROBLER, LOUWRENS & VON SOLMS, 2010B) 1-10

FIGURE 1-2. DIMENSIONS OF DF (BY AUTHOR) 1-12

FIGURE 1-3. OUTLINE OF THE THESIS 1-13

FIGURE 2-1. ROLE OF THE CHAPTER IN THE THESIS 2-24

FIGURE 2-2. GRAPHICAL REPRESENTATION OF EVIDENCE (BY AUTHOR) 2-42

FIGURE 2-3. GRAPHICAL REPRESENTATION OF OUR COMPREHENSIVE DF CAPABILITY (BY AUTHOR) 2-45

FIGURE 2-4. RELATIONSHIP BETWEEN COMPONENTS OF CDF CAPABILITY (BY AUTHOR) 2-49

FIGURE 3-1. ROLE OF THE CHAPTER IN THE THESIS 3-52

FIGURE 3-2. TYPICAL PROCESS FRAMEWORK (BY AUTHOR) 3-53

FIGURE 3-3. COMPREHENSIVE DF CAPABILITY (ALSO FIGURE 2-3) (BY AUTHOR) 3-79

FIGURE 3-4. DIAGRAMMATIC REPRESENTATION OF THE PROPOSED PROCESS FLOWS BETWEEN ROLES (IEONG, 2006) 3-87

FIGURE 4-1. ROLE OF THE CHAPTER IN THE THESIS (BY AUTHOR) 4-94

FIGURE 4-2. ADAPTED DIAGRAMMATIC REPRESENTATION OF INTERNAL COMPUTER INVESTIGATIONS SOX REQUIREMENTS (PATZAKIS & LIMONGELLI, 2004) 4-96

FIGURE 4-3. GRAPHICAL REPRESENTATION OF THE PRODF COMPONENT (BY AUTHOR) 4-113

FIGURE 5-1. ROLE OF THE CHAPTER IN THE THESIS 5-116

FIGURE 5-2. GRAPHICAL REPRESENTATION OF THE SIX PHASES OF REDF COMPONENT (BY AUTHOR) 5-123

FIGURE 6-1. ROLE OF THE CHAPTER IN THE THESIS (BY AUTHOR) 6-127

FIGURE 6-2. MCDOUGAL MODEL OF VOLATILITY (IEONG & LEUNG, 2007) 6-135

FIGURE 6-3. ARCHITECTURE OF REN AND JIN (2005) 6-139

FIGURE 6-4. GRAPHICAL REPRESENTATION OF LIFORAC MODEL (GROBLER, 2009) 6-141

FIGURE 6-5. A REFERENCE ORDER OF DATA COLLECTION PROCESS IN LIVE FORENSIC INVESTIGATIONS (IEONG & LEUNG, 2007) 6-146

FIGURE 6-6. GRAPHICAL REPRESENTATION OF THE ACTDF COMPONENT (BY AUTHOR) 6-155

FIGURE 7-1. CDF CAPABILITY (ALSO FIGURE 2-3) (BY AUTHOR) 7-159

FIGURE 7-2. ROLE OF THE CHAPTER IN THE THESIS (BY AUTHOR) 7-160

FIGURE 7-3. PRODF COMPONENT OF CDF CAPABILITY (ALSO FIGURE 4-3) 7-162

FIGURE 7-4. ADAPTED UGRADER MATRIX (BY AUTHOR) 7-168

FIGURE 7-5. PROPOSED PHASES OF THE REDF PROTOCOL OF THE REDF COMPONENT (BY AUTHOR) (A COPY OF FIGURE 5-2) 7-180

FIGURE 7-6. PHASE 1 OF THE REDF PROTOCOL (BY AUTHOR) 7-180

FIGURE 7-7. PHASE 2 OF THE REDF PROTOCOL (BY AUTHOR) 7-182

FIGURE 7-8. PHASE 3 OF THE REDF PROTOCOL (BY AUTHOR) 7-184

FIGURE 7-9. PHASE 4 OF THE REDF PROTOCOL (BY AUTHOR) 7-188

FIGURE 7-10. PHASE 5 OF THE REDF PROTOCOL (BY AUTHOR) 7-188


FIGURE 7-11. PHASE 6 OF THE REDF PROTOCOL (BY AUTHOR) 7-189

FIGURE 7-12. GRAPHICAL REPRESENTATION OF THE ACTDF PROTOCOL (ADAPTED FROM FIGURE 6-6) (BY AUTHOR) 7-192

FIGURE 7-13. PHASE 1 OF THE ACTDF PROTOCOL (BY AUTHOR) 7-193

FIGURE 7-14. PHASE 2 OF THE ACTDF PROTOCOL (BY AUTHOR) 7-195

FIGURE 7-15. PHASE 3 OF THE ACTDF PROTOCOL (BY AUTHOR) 7-197

FIGURE 7-16. PHASE 4 OF THE ACTDF PROTOCOL (BY AUTHOR) 7-198

FIGURE 7-17. RELATIONSHIP BETWEEN COMPONENTS OF OUR CDF CAPABILITY (ALSO FIGURE 2-4) (BY AUTHOR) 7-199

FIGURE 8-1. ROLE OF THE CHAPTER IN THE THESIS (BY AUTHOR) 8-208

FIGURE 8-2. RELATIONSHIP BETWEEN THE DIMENSIONS (ALSO FIGURE 1-2) (BY AUTHOR) 8-209

FIGURE 8-3. GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE LEGAL AND JUDICIAL DELIVERABLES (BY AUTHOR) 8-214

FIGURE 8-4. LEGAL AND JUDICIAL DELIVERABLES AS STEP 1 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-214

FIGURE 8-5. FIRST TWO LEVELS OF THE GOVERNANCE DELIVERABLES (BY AUTHOR) 8-216

FIGURE 8-6. ADDITION OF THE GOVERNANCE DELIVERABLES AS STEP 2 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-216

FIGURE 8-7. GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE POLICY DELIVERABLES (BY AUTHOR) 8-220

FIGURE 8-8. ADDITION OF THE POLICY DELIVERABLES AS STEP 3 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-220

FIGURE 8-9. GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE PROCESS DELIVERABLES (BY AUTHOR) 8-225

FIGURE 8-10. ADDITION OF THE PROCESS DELIVERABLES AS STEP 4 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-225

FIGURE 8-11. GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE PEOPLE DELIVERABLES (BY AUTHOR) 8-227

FIGURE 8-12. ADDITION OF THE PEOPLE DELIVERABLES AS STEP 5 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-228

FIGURE 8-13. GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE TECHNOLOGY DELIVERABLES (BY AUTHOR) 8-230

FIGURE 8-14. ADDITION OF THE TECHNOLOGY DELIVERABLES AS STEP 6 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-230

FIGURE 8-15. HIGH LEVEL GRAPHICAL VIEW OF OUR DFMF (BY AUTHOR) 8-231

FIGURE 9-1. PRODF COMPONENT (ALSO FIGURE 7-3) 9-238

FIGURE 9-2. REDF PROTOCOL (ALSO FIGURE 7-5) 9-240

FIGURE 9-3. ACTDF PROTOCOL (ALSO FIGURE 7-12) 9-241


TABLE OF TABLES

TABLE 3.1. COMPARISON OF PROACTIVE (PRODF) ELEMENTS (BY AUTHOR) 3-73

TABLE 3.2. COMPARISON OF ACTIVE (ACTDF) PHASES AND STEPS (BY AUTHOR) 3-74

TABLE 3.3. COMPARISON OF REACTIVE (REDF) PHASES AND STEPS (BY AUTHOR) 3-75

TABLE 3.4. HIGH-LEVEL VIEW OF THE FORZA FRAMEWORK (IEONG, 2006) 3-88

TABLE 4.1. COMPARISON OF GOALS FOR DF READINESS (BY AUTHOR) 4-101

TABLE 4.2. COMPARISON OF DF READINESS ELEMENTS (BY AUTHOR) 4-104

TABLE 4.3. RELATIONSHIP BETWEEN PRODF NEEDS AND DF READINESS (BY AUTHOR) 4-107

TABLE 4.4. COBIT CONTROLS TO INCLUDE DF REQUIREMENTS (BY AUTHOR) 4-112

TABLE 6.1. LIST OF SPECIFIC QUESTIONS FOR LIVE INVESTIGATIONS, BASED ON FORZA (IEONG & LEUNG, 2007) 6-147

TABLE 7.1. NEEDS ADDRESSED BY THE CDF CAPABILITY (PAR. 2.5.3) (BY AUTHOR) 7-200

TABLE 7.2. CONSOLIDATED TO-DO LIST TO IMPLEMENT THE CDF CAPABILITY (BY AUTHOR) 7-201

TABLE 8.1. CATEGORISED TO-DO LIST (BY AUTHOR) 8-210

TABLE 9.1. EVALUATION OF OUR CDF CAPABILITY AND DFMF (BY AUTHOR) 9-243

TABLE 9.2. SUMMARY OF THE ACHIEVEMENT OF THE SUB-OBJECTIVES OF THE THESIS 9-244


AFFIDAVIT: MASTER'S AND DOCTORAL STUDENTS

TO WHOM IT MAY CONCERN

This serves to confirm that I, Cornelia Petronella Grobler

ID Number 6206140172088

Student number 908115739 enrolled for the

Qualification PhD (Informatics)

Faculty of Science

Herewith declare that my academic work is in line with the Plagiarism Policy of the University of Johannesburg, with which I am familiar.

I further declare that the work presented in the Thesis (minor dissertation/dissertation/thesis) is authentic and original unless clearly indicated otherwise, and in such instances full reference to the source is acknowledged and I do not pretend to receive any credit for such acknowledged quotations, and that there is no copyright infringement in my work. I declare that no unethical research practices were used or material gained through dishonesty. I understand that plagiarism is a serious offence and that should I contravene the Plagiarism Policy notwithstanding signing this affidavit, I may be found guilty of a serious criminal offence (perjury) that would amongst other consequences compel the UJ to inform all other tertiary institutions of the offence and to issue a corresponding certificate of reprehensible academic conduct to whoever requests such a certificate from the institution.

Signed at Johannesburg________________ on this _______ of ____________________2012

Signature__________________________________ Print name Cornelia Petronella Grobler

STAMP COMMISSIONER OF OATHS

Affidavit certified by a Commissioner of Oaths

This affidavit conforms with the requirements of the JUSTICES OF THE PEACE AND COMMISSIONERS OF OATHS ACT 16 OF

1963 and the applicable Regulations published in the GG GNR 1258 of 21 July 1972; GN 903 of 10 July 1998; GN 109 of 2

February 2001 as amended.


GLOSSARY OF TERMS

Term / abbreviation: Description

Active DF: The ability of an organisation to gather (identify, collect and preserve) comprehensive digital evidence in a live environment to facilitate a successful investigation.

Chain of custody: A system of recording who is responsible for the evidence at any point in time, from the moment it was collected until it is used in the court room.

Chain of evidence: A series of events in which the evidence has not been altered at any stage.

Competent: Having suitable or sufficient skill, knowledge, experience, etc., for some purpose; properly qualified (for example, "He is perfectly competent to manage the bank branch").

Comprehensive DF capability: A capability consisting of the combination of reactive, active, and proactive DF components.

Comprehensive digital evidence: Digital evidence that will have evidentiary weight in a court of law and that contains all the evidence necessary (relevant and sufficient) to establish a fact or disprove a claim.

DF readiness: The ability of an organisation to maximise its potential to use comprehensive digital evidence whilst minimising the costs of an investigation.

Digital crime scene: The virtual environment created by hardware and software where evidence of a digital crime or incident exists.

Digital evidence: Any data stored or transmitted using a digital device that tends to establish a fact or disprove a claim.

Digital forensics: The scientific study of all the processes involved in the recovery, preservation and examination of digital evidence, including audio, imaging and communication devices (TC-11, 2006).

Forensically sound process: A process that maintains the integrity of evidence, ensuring that the chain of custody remains unbroken and that collected evidence will be admissible in a court of law.

Physical crime scene: The physical environment where physical evidence of a crime or incident exists.

Proactive DF: The forensic preparation of an organisation to ensure successful, cost-effective investigations, with minimal disruption to business activities, and the use of DF to establish and manage governance programmes.

Reactive DF: The application of analytical and investigative techniques for the preservation, identification, extraction, documentation, analysis, and interpretation of digital media, for evidentiary and/or root cause analysis, and the presentation of comprehensive digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of incidents.

Risk profile: Adapted threat profile.

Standard operating procedure: Documented quality control guidelines that are supported by proper case records and use broadly accepted procedures, equipment, and material.
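The glossary entries for chain of custody, chain of evidence and a forensically sound process describe three checkable properties: a named custodian for every interval, evidence that is unchanged between intervals, and a record that cannot itself be quietly edited. The following Python is an added example, not code from the thesis, showing one way to make those properties machine-verifiable. The record layout, the field names and the sample evidence bytes are all assumptions made for the illustration; a real deployment would hash an acquired image or log export.

```python
"""Hash-linked chain-of-custody log (added example; assumed design, not the thesis's own)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Content hash used for the evidence itself and for linking log entries."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO-8601 time supplied by the caller
    custodian: str        # person or system now responsible for the evidence
    action: str           # "acquired", "transferred", "examined", ...
    evidence_hash: str    # hash of the evidence as observed at this step
    prev_entry_hash: str  # hash of the previous entry; "" for the first entry
    entry_hash: str = ""  # hash over the five fields above

    def compute_hash(self) -> str:
        # Canonical JSON so the same fields always hash to the same value.
        payload = json.dumps(
            [self.timestamp, self.custodian, self.action,
             self.evidence_hash, self.prev_entry_hash],
            separators=(",", ":"),
        ).encode()
        return sha256_hex(payload)


@dataclass
class EvidenceRecord:
    evidence_id: str
    acquisition_hash: str  # hash taken at the moment of collection
    entries: List[CustodyEntry] = field(default_factory=list)

    def append(self, timestamp: str, custodian: str, action: str,
               evidence: bytes) -> CustodyEntry:
        """Record a custody event, re-hashing the evidence as it changes hands."""
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(timestamp, custodian, action, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry


def acquire(evidence_id: str, evidence: bytes, custodian: str,
            timestamp: str) -> EvidenceRecord:
    """Start a record: the acquisition hash is the reference every later step must match."""
    record = EvidenceRecord(evidence_id, sha256_hex(evidence))
    record.append(timestamp, custodian, "acquired", evidence)
    return record


def verify(record: EvidenceRecord, evidence: Optional[bytes] = None) -> List[str]:
    """Return the list of problems found; an empty list means custody is intact."""
    problems: List[str] = []
    prev = ""
    for i, e in enumerate(record.entries):
        if e.prev_entry_hash != prev:
            problems.append(f"entry {i}: link to previous entry broken")
        if e.entry_hash != e.compute_hash():
            problems.append(f"entry {i}: entry altered after it was written")
        if e.evidence_hash != record.acquisition_hash:
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
        prev = e.entry_hash
    if evidence is not None and sha256_hex(evidence) != record.acquisition_hash:
        problems.append("current evidence bytes do not match acquisition hash")
    return problems


if __name__ == "__main__":
    # Constructed sample evidence; a real record would hash a disk image or log export.
    sample = b"constructed sample evidence: contents of an acquired disk image"
    rec = acquire("EXH-001", sample, "first responder", "2011-11-01T09:00:00Z")
    rec.append("2011-11-01T11:30:00Z", "evidence custodian", "transferred", sample)
    rec.append("2011-11-02T08:15:00Z", "examiner", "examined", sample)
    print("custody intact:", verify(rec, sample) == [])
```

The hash chain detects an edited entry, a modified evidence copy handed over at any step, and an entry whose hash was recomputed to hide an edit (the next entry's link then fails). It does not stop someone who can rewrite the whole log, so in practice each entry also needs a signature or an append-only store outside the custodian's control, and the acquisition hash belongs in the contemporaneous case records the glossary's standard operating procedure calls for.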


ABBREVIATIONS AND ACRONYMS USED IN THIS THESIS

Acronym /abbreviation Description

ActDF Active digital forensics

ActDFI Active digital forensic investigation

BCP Business continuity plan

BIA Business impact analysis

BOK Body of knowledge

CDE Comprehensive digital evidence

CDF Comprehensive digital forensics

CERT Computer Emergency Response Team

CPU Central processing unit

DF Digital forensics

DFI Digital forensic investigation

DFMF Digital forensic management framework

DRP Disaster recovery plan

ECT Act Electronic Communications and Transactions Act

EMP Evidence management plan

FBI Federal Bureau of Investigation

IDS Intrusion detection system

Info Sec Information security

IR Incident response

IRP Incident response plan

ITIL Information Technology Infrastructure Library

ITSM IT Service Management

LAN Local area network

PID Process identification number

PPID Parent process identification number

ProDF Proactive digital forensics

RAM Random access memory

ReDF Reactive digital forensics

SAQA South African Qualifications Authority

SOP Standard operating procedure

TCP Transmission control protocol


Note to reader:

The thesis uses the first person plural to facilitate a broader narrative delivery. We also

include notes to the reader to increase the readability and context.


Part 1: Background to Digital Forensics

1-1 | P a g e Chapter 1: Overview of thesis

1 CHAPTER 1

OVERVIEW OF THESIS

"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb." (National Research Council, Computers at Risk, 1991).

The "Stuxnet attack was more effective than bombs – using an anti-bunker bomb to take out the Natanz facility could have delayed Iran's efforts by three years … Stuxnet and other non-military efforts have put Iran four years behind." (Lemos, 2011).

1.1 INTRODUCTION

We are living in an increasingly complex world in which much of society is dependent on technology and its various offshoots and incarnations (Rogers & Siegfried, 2004). There is ample evidence of the influence of technology on our daily lives: we communicate via e-mail, interact in chat groups and conduct business through e-commerce. People even measure each other's existence by a presence on Facebook.

The convergence of the products, systems and services of information technology is changing the

way of living. The latest smart and cell phones have cameras, applications, and access to social

networking sites. These phones contain sensitive information, for example photographs, e-mail,

spread sheets, documents, and presentations. The loss of a cell phone therefore may pose a serious

problem to an individual or an organisation, when considering privacy and intellectual property

issues from an information security (Info Sec) perspective (Pieterse, 2006).

Organisations have accepted the protection of information and information assets as a fundamental business requirement, and managers are therefore implementing an increasing number of security countermeasures, such as security policies, intrusion detection systems, access control mechanisms and anti-virus products, to protect the information and information assets from potential threats. However, incidents still occur, as no system is 100% secure. The incidents must be investigated to determine their root cause and potentially to prosecute the perpetrators (Louwrens, von Solms, Reeckie & Grobler, 2006b).

Humankind has long been interested in the connection between cause and event, wishing to know what happened, what went wrong and why it happened. The need for computer forensics emerged when an increasing number of crimes were committed with the use of computers and the evidence required was stored on the computer. In 1984, a Federal Bureau of Investigation (FBI) laboratory began to examine computer evidence (Barayumureeba & Tushabe, 2004), and in 1991 the International Association of Computer Investigation Specialists (IACIS) in Portland, Oregon coined the term 'computer forensics' during a training session.

The environment in which digital crimes are committed has changed dramatically with the

emergence of personal computers, the Internet, cell phones, flash disks and wireless devices. It is no

longer sufficient to investigate the hard drive of the victim’s personal computer as it may not be

possible to gather sufficient evidence for successful prosecution (Adelstein, 2006).

Digital evidence, static as well as ‘volatile’, is required for establishing the root cause of incidents. It

may be necessary to consider network activity, Internet activities, e-mails sent and received and

data on cell phones or other portable devices for a particular situation. Cyber-trained defence

attorneys require the investigator to link the attacker to the victim by analysing the additional

information in the chain of evidence (Stephenson, 2002).

1.2 BACKGROUND

Consider the following example:

"When a thief breaks into your home, you're likely to feel victimized, vulnerable, and confused. You may wonder: What was taken? Will the house ever feel safe again? What can I do to protect myself from another intrusion?

When a malcontent breaks into, or cracks, your computer, your reactions are likely to be very much the same. What was taken? What was left behind? Is the computer safe to use? How can I keep my computer safer in the future?

While the latter question is important, the former three questions weigh more heavily immediately after a break-in. The suits and the geeks want an assessment as soon as possible, especially if the compromised system held critical information or served a critical purpose" (Frye, 2005).

As the example demonstrates, organisations and individuals are exposed to cybercrime, and the incidents must be investigated. According to the CSI 2008 computer crime and security survey, the most expensive incident is financial fraud, followed by dealing with 'bot' computers in a network. The data loss categories (customer and proprietary information together) are the second largest source of losses (Richardson, 2008).

However, when a security incident has taken place, many organisations do not have proper

guidelines to conduct a forensic investigation and often fail to bring the investigation to a productive

conclusion (Sinangin, 2002). Many organisations do not regard forensic investigations as a priority

item. The key role of computer forensics is the protection, adducing, and presentation of evidence.

The protection of evidence in all abuse cases is both critical and central to the organisation's ability

to investigate and take action against the abuser (Sheldon, 2004). It is essential to determine the

root cause of an incident and link the attacker to it.

Computer forensics is well established in the military and aviation industries, for example in the retrieval and examination of flight information from the 'black box' of an aeroplane after an accident. However, digital forensics (DF) is a wider discipline than computer forensics, as shown by the definitions of the two concepts:

Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded (Louwrens & von Solms, 2005).

Digital forensics (DF) is the scientific study of the processes involved in the recovery, preservation and examination of digital evidence, including audio, imaging and communication devices (TC-11, 2006).

DF includes the acquisition of all types of digital evidence, for example cell phone content, volatile

memory content, static hard disk and optical disk content, audio files and images. DF is an emerging

discipline in the private sector that is becoming increasingly important to organisations.

The use of computers and other digital devices generates a wealth of digital information in the form of, for example, log files, passwords and timestamps produced by normal operating processes. There is a growing need for good evidence in organisations. According to Sommer (2005), the need for good evidence manifests itself, for example, as evidence needed for disputed transactions, to prove allegations of employee misbehaviour, to demonstrate legal and regulatory compliance and to provide supporting evidence for insurance claims.

The application of DF tools and techniques is becoming the vehicle for organisations to acquire useful and admissible evidence from the available operational or stored information. DF tools consist of forensic software tools with very specific guidelines and procedures (Guidance Software, 2005).

The forensic specialist must be able to guarantee the accuracy of the evidence and results, which can

be done by the use of “time tested evidence processing procedures and through the use of multiple

software tools”, developed by separate and independent developers (Computer evidence defined,

2008). We will refer to these ‘time tested procedures’ as ‘frameworks’.

The current application of DF tools and technologies is for digital investigations, or as part of the information security tool suite to determine vulnerabilities in the Info Sec architecture (Richardson, 2008). However, organisations also use DF tools for other purposes in other areas, for example to retrieve evidence to prove compliance with legislation and to improve information technology (IT) governance frameworks (Nikkel, 2006).

The identified DF frameworks (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Forrester &

Irwin, 2007; Louwrens et al., 2006b) concentrate mainly on ‘post-mortem’ investigation, with limited

reference to live evidence acquisition and DF readiness aspects. They provide clear guidelines on

‘must do’s’ and ‘must not do’s’ during a forensic investigation, but do not consider the management

or establishment of a DF capability in an organisation (Nikkel, 2006). The next section discusses the

challenges to the management and implementation of a DF capability in an organisation.

1.3 CHALLENGES TO DIGITAL FORENSICS

From the literature studied (as indicated in the following paragraphs), we have identified the

following six challenges:


1.3.1 Challenge 1: Inadequate evidence

Organisations do not consider the proactive collection of adequate, admissible evidence prior to an incident, as the perception exists that it is too expensive (Rowlingson, 2004). However, if the evidence is in place and the processes are well defined, the cost and impact of an investigation will be minimised (Louwrens et al., 2006b).

1.3.2 Challenge 2: Continuity strategies do not consider evidence or procedure

requirements

The incident response plan (IRP) often does not consider the handling and preservation of evidence or ensure that the process followed is forensically sound (Sommer, 1999). The lack of evidence compromises investigations: when an incident occurs, adequate, relevant and legally admissible evidence is not available to conduct and conclude an investigation successfully (Thomas, 2005).
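As an added illustration of what forensically sound handling and preservation of pre-collected evidence (Challenges 1 and 2 above) can look like in practice, the following is example code written for this page; it is not part of the thesis or of any framework it cites. It uses only the Python standard library: every acquired item is recorded in a manifest with its SHA-256 digest, the manifest is sealed with an HMAC under a key held by the evidence custodian, and a hash-chained chain-of-custody log makes any later edit to an item, to the manifest or to the custody record detectable. The evidence items, the custody key and all names are constructed placeholders.

```python
"""Tamper-evident evidence manifest and chain-of-custody log (standard library only)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample evidence items. In practice these would be the bytes of
# acquired log files, disk images or memory dumps; the content is a placeholder.
SAMPLE_EVIDENCE = {
    "auth.log": b"Jan 10 09:12:01 host sshd[4123]: Accepted publickey for alice\n",
    "proxy.log": b"2011-11-01T09:13:45Z GET http://example.invalid/ 200\n",
}

# Constructed custody key (hypothetical). In a real deployment the key is held
# by the evidence custodian and is never stored beside the evidence.
CUSTODY_KEY = b"example-custody-key-not-for-production"

GENESIS_HASH = "0" * 64  # prev_hash value of the first custody entry


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding, so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def create_manifest(items, collected_by, collected_at=None):
    """Record the digest and size of every item, then seal the manifest with an HMAC."""
    body = {
        "collected_by": collected_by,
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "items": {name: {"sha256": sha256_hex(data), "size": len(data)}
                  for name, data in sorted(items.items())},
    }
    seal = hmac.new(CUSTODY_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "seal": seal}


def verify_manifest(items, manifest):
    """Check the seal and every item; returns {'seal_ok': bool, 'items': {name: status}}."""
    body = manifest["body"]
    expected = hmac.new(CUSTODY_KEY, _canonical(body), hashlib.sha256).hexdigest()
    findings = {"seal_ok": hmac.compare_digest(expected, manifest["seal"]), "items": {}}
    for name, record in body["items"].items():
        if name not in items:
            findings["items"][name] = "missing"
        elif sha256_hex(items[name]) != record["sha256"]:
            findings["items"][name] = "modified"
        else:
            findings["items"][name] = "ok"
    for name in items:
        if name not in body["items"]:
            findings["items"][name] = "unlisted"  # present now, but never sealed
    return findings


def append_custody_entry(log, actor, action, manifest_seal, at=None):
    """Append a custody entry whose hash commits to the previous entry (a hash chain)."""
    entry = {
        "at": at or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "manifest_seal": manifest_seal,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS_HASH,
    }
    entry["entry_hash"] = sha256_hex(_canonical(entry))
    log.append(entry)
    return entry


def custody_log_intact(log):
    """True only if every entry's hash is correct and the chain is unbroken."""
    prev = GENESIS_HASH
    for entry in log:
        unhashed = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or sha256_hex(_canonical(unhashed)) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    manifest = create_manifest(SAMPLE_EVIDENCE, "analyst-1")
    print(verify_manifest(SAMPLE_EVIDENCE, manifest))
    log = []
    append_custody_entry(log, "analyst-1", "acquired", manifest["seal"])
    append_custody_entry(log, "custodian", "stored in evidence safe", manifest["seal"])
    print("custody log intact:", custody_log_intact(log))
```

The design point is that the three records are independent: an item can be altered without touching the manifest (caught by the digest), the manifest can be altered without the key (caught by the HMAC), and a custody entry can be altered after the fact (caught because every later entry commits to the earlier one). Each custody entry also carries the manifest seal, which ties the who-did-what record to a specific sealed set of evidence.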

1.3.3 Challenge 3: Need for live investigative frameworks

Traditional DF frameworks are no longer sufficient to investigate incidents effectively, as active or 'live' attacks are increasing. These attacks necessitate immediate action, not only to contain the incident or to stop the attack but also to acquire relevant and essential volatile evidence in real time. Volatile or live evidence is becoming an essential part of investigations as incidents become more sophisticated and targeted, and criminals use a network or the Internet to launch their attacks.

Ieong and Leung (2007) have noted the absence of a definition for live forensics, a lack of standard procedures for live investigations and a problem with the certification and acceptance of live evidence (Foster & Wilson, 2004; Grobler, 2009; Ieong & Leung, 2007; Payer, 2004; Ren & Jin, 2005).

1.3.4 Challenge 4: Need for new DF tools and technologies

If one considers the new technologies and software currently in use, traditional DF tools and techniques are becoming inadequate. To demonstrate this: Windows® Vista Ultimate and Enterprise editions have the BitLocker® drive encryption capability. This is a full disk encryption feature that uses the AES (Advanced Encryption Standard) encryption algorithm in CBC (cipher-block chaining) mode with a 128- or 256-bit key, combined with the Elephant diffuser1 for additional disk-encryption-specific security not provided by AES alone (TechNet, 2009). An additional obstacle is that BitLocker® has no backdoor, which makes it very difficult for an investigator to get access to an encrypted drive (Wikipedia, 2009). Investigators have to wait for an appropriate moment to investigate a suspect machine in a 'live' state, when the content is decrypted. It is therefore essential that organisations are aware of new technologies to ensure that they plan and prepare themselves for such investigations.

It is also essential to consider the emerging legal debate about enforced "decryption" in the United Kingdom and the United States of America, as the investigator needs access to the system in its plaintext state.

1.3.5 Challenge 5: Use of DF tools and technologies for non-investigative purposes

The cliché that ‘you can only manage if you can measure’ may be applicable to IT and corporate

governance. It is essential to measure the effectiveness of internal and technical controls.

Corporate governance legislation and reports, for example Sarbanes-Oxley (Sarbanes-Oxley Act of

2002, 2002) and King III (King, 2009), require that management be able to prove the efficiency

and effectiveness of controls. DF tools and technologies can be applied to provide documented

proof to demonstrate due diligence with respect to good governance as evidence will be available

to provide the proof.

1.3.6 Challenge 6: Implementation of a DF capability

Nikkel (2006) has identified the following challenges that organisations face when establishing a

forensic capability:

1 "The Enterprise and Ultimate editions of Windows Vista contain a new feature called BitLocker™ Drive Encryption which encrypts all the data on the system volume. BitLocker imposes some security requirements on the encryption algorithm that are not met by common encryption algorithms and modes. This creates a real problem: a new cipher cannot be trusted without many years of public review, and existing ciphers that satisfy the additional security requirements are either too slow or insufficiently analysed. We resolved this dilemma by combining a well-established cipher (AES in CBC mode) with a new component that we call the Elephant diffuser. The basic encryption security is provided by AES-CBC, which has been widely reviewed and is generally used in the industry for encryption. The diffuser layer adds some additional security properties that are desirable in the disk encryption setting but which are not provided by AES-CBC cipher methods. This combination gives us the best of both worlds. All the security properties traditionally provided by encryption algorithms are provided by AES-CBC, which is an accepted cipher. We only depend on the diffuser for the additional security properties not provided by AES CBC. The AES-CBC + diffuser approach is also faster than any of the alternatives, which is important for our application" Ferguson, N. (2006). AES-CBC + Elephant diffuser: A Disk Encryption Algorithm for Windows Vista. Available from: http://pdos.csail.mit.edu/6.858/2011/readings/bitlocker.pdf (Accessed 20 February 2012).


Where and to whom does the DF team report? It must be determined whether the team reports to the IT, risk management (corporate, IT or Info Sec), legal or compliance department, or whether the function should be outsourced. The different degrees of involvement of a forensic team in the organisation must also be defined, for example a lead, consulting or assisting role.

Typical DF readiness challenges are to establish forensic resources, e.g. trained staff, relevant tools and a well-equipped forensic laboratory. Specific policies must be formulated to enable DF investigations, for example investigative access policies and data retention policies.

Management support and awareness must be obtained. Management must buy into the need for a DF unit in the organisation. DF awareness should be included in the workflows and processes of the organisation, and all employees must be aware of their responsibilities in terms of incidents and of the existence of the DF capability.

Formal contact channels must be established to ensure efficient communication with the forensic team and other internal and external stakeholders.

The forensic team should be trained so that the skills required for successful investigations exist. It is also important to acquire efficient and relevant forensic tools to conduct investigations.

The discussion in pars. 1.2 and 1.3 centres on how organisations are beginning to use DF tools and technologies in various areas of the organisation. The main use of DF is currently to acquire evidence for specific scenarios and purposes (Nikkel, 2006) and to investigate incidents.

The legal status of forensic investigators is highly relevant in ensuing court proceedings. Investigators should be aware of the various privacy-related statutes when investigating a specific incident. Should an investigator discover data (for example images, video, audio or text) associated with a criminal activity that is not related to the incident under investigation, the investigator must be aware of his or her legal obligations and rights in that situation: such evidence cannot be acquired, as the mandate to acquire evidence covers only the incident being investigated.

The value that evidence availability and forensically sound procedures and processes can add to an organisation is not yet known to organisations, as the current DF frameworks concentrate on investigating incidents and do not focus on the use of DF to obtain good evidence for other purposes, for example to measure compliance with legal or regulatory requirements. There is a need for an implementation and management framework to enable organisations to implement and apply a DF capability in all areas of business. The next section will present the problem statement of the thesis.

1.4 PROBLEM STATEMENT

The challenges identified in par. 1.3 and literature studied demonstrate that no holistic DF

framework exists to manage and implement our Comprehensive DF (CDF) capability in an

organisation (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Casey, 2004; Forrester &

Irwin, 2007; Ieong, 2006; Louwrens et al., 2006b; Nikkel, 2006). The next section will discuss the

objective of the thesis.

1.5 OBJECTIVE OF THE THESIS

The objective of the thesis is to develop a holistic, theoretical DF

Management Framework (DFMF) to implement and manage an effective

CDF capability in an organisation.

Note to reader:

We use two abbreviations in the thesis: DF and DFMF

DF refers to digital forensics

DFMF refers to the holistic theoretical DF framework to manage and implement

DF in an organisation.

To achieve the above objective we have identified the following five supporting sub-objectives:

1.5.1 Sub-objective 1: Provide background to DF

Define DF

Discuss driving factors for DF

Discuss cybercrime and digital evidence

Propose our CDF capability.


1.5.2 Sub-objective 2: Provide background to our CDF capability

Identify, discuss and compare various DF frameworks

Use the comparison of the DF frameworks and views of DF readiness to propose the

formulation of a preparation (proactive) DF component (ProDF) with goals and steps

Use the comparison of the DF frameworks to propose the formulation of a post-incident

investigation (reactive) DF component (ReDF) with goals and steps

Use the comparison and investigate live and real-time investigative practices and

frameworks to formulate a live (active) DF component (ActDF) with DF goals and steps.

1.5.3 Sub-objective 3: Formulate our CDF capability

Expand on the identified phases and steps for each component to formulate our CDF

capability and identify to-do lists for the CDF capability

Discuss the relationship between the defined components of our CDF capability

Consolidate the to-do lists to assist management to implement the CDF capability.

1.5.4 Sub-objective 4: Construct our holistic, theoretical DF implementation and

management framework (DFMF)

The framework (DFMF) will assist organisations in managing and implementing our CDF

capability.

Use the consolidated to-do list as a basis for the formulation of the DFMF

Identify deliverables to implement and manage for each component of our CDF capability;

the deliverables will be used to formulate DFMF

Use the dimensions of DF to categorise the identified deliverables

Use the relationship between the dimensions of DF to construct the holistic, comprehensive

DF implementation and management framework (DFMF)

Ensure that our DFMF is easy to use, as it should be able to provide management with a high-level overview of 'what to do, who should do it, how it should be done'.

1.5.5 Sub-objective 5: Identify challenges to DFMF and further research

Discuss potential challenges to the implementation of our DFMF and identify further

research opportunities.

The next section will discuss the approach to the thesis.


1.6 APPROACH TO ACHIEVING THE OBJECTIVES

We review the literature to provide a background to the thesis and to ensure that all concepts are clearly identified and defined. We will define DF, discuss the need for and application of DF in organisations, discuss cybercrime, and define digital evidence. We will adopt the following approach to develop the holistic DF framework for managing and implementing our CDF capability.

1.6.1 Part 1: Background

The aim of this part of the thesis is to research existing DF frameworks in order to formulate our CDF capability. We will identify various DF and computer investigation frameworks and best practices for DF from the literature. The investigation frameworks can be classified as supporting process-oriented frameworks (Carrier & Spafford, 2003; Kruse & Heiser, 2004; Lee, Palmbach & Miller, 2001), composite process-oriented frameworks (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006; O'Ciardhuain, 2004), and a role-based framework (Ieong, 2006).

We will compare the various composite process-oriented DF frameworks and a role-based DF

framework to determine the comprehensiveness of the identified DF frameworks. We will use

the comparison to define and formulate an initial draft of our CDF capability.

It will turn out that our CDF capability will consist of three distinct components: Proactive DF (ProDF) for the preparation of organisations for investigations; Active DF (ActDF), which will consider the acquisition and analysis of live evidence; and Reactive DF (ReDF) as the actual 'post-mortem' forensic investigation. The incident is the main catalyst that distinguishes the components. Figure 1.1 (below) is a graphical representation of our CDF capability.

We will investigate component-specific literature, using the initial draft of the individual

component and adding additional content to present each, namely ProDF (Chapter 4), ReDF

(Chapter 5) and ActDF (Chapter 6). We will combine, expand and consolidate the findings of the

ProDF (Chapter 4), ReDF (Chapter 5) and ActDF (Chapter 6) to formulate our CDF capability

(Chapter 7) in the next section.

Figure 1.1. Components of a DF capability (Grobler, Louwrens & von Solms, 2010b)


1.6.2 Part 2: Construction of our DFMF to implement our CDF capability

The aim of this part of the thesis is to formulate our CDF capability and propose a holistic DF

management framework (DFMF) to manage and implement our CDF capability in an organisation.

It is essential to consider the legal, regulatory and governance requirements relevant to the

investigation and the investigative team. To formulate our CDF capability we will:

confirm a definition and goals for each component

use the findings of the previous chapters and expand the ProDF elements or ActDF and ReDF

phases with steps

identify to-do lists for the CDF capability to enable us to determine what to consider when

we formulate the DFMF

discuss the relationship between the three distinct components: ProDF, ReDF and ActDF of

our CDF capability.

The next challenge is to determine how to structure an implementation and management

framework for our CDF capability. The framework must be practical and easy to use, and should

provide clear guidelines on how to implement and manage our CDF capability. We should ensure

that it supports Casey’s principles for a DF framework: acceptance, reliability, repeatability,

integrity, cause and effect, and documentation (Casey, 2004). The principles require that the

framework use professional methods and steps from literature, while the processes should be

repeatable, produce trusted evidence, and adhere to the Daubert or Frye requirements. The

result of the investigation should provide a logical connection between the suspected individual

events and evidence. The framework must support the recording of all testamentary evidence

during the investigation.

Management must have something to manage or implement. We identify to-do lists for each component (ProDF, ReDF and ActDF) of our CDF capability. The to-do lists or deliverables are tangible items that can be implemented, assessed and managed. It will be difficult to implement the list of deliverables without a structured approach (framework) for the implementation. To establish a framework we will group similar deliverables together, for example by relating training and awareness to the 'people' area or dimension.

We will use the dimensions of DF (Grobler & Louwrens, 2006) as categories to formulate our DFMF. The dimensions of DF were identified by comparing various views on management and governance frameworks (Guldentops, Hardy, Heschl & Stroud, 2005; Institute, 2000; Rudd, 2004), the dimensions of Info Sec (Grobler & Louwrens, 2006) and the questions asked by Ieong (2006). The six categories or dimensions are:

Category (dimension) 1: legal and judicial (answers the ‘why’ question, and deals with

compliance)

Category (dimension) 2: governance (answers the question ‘why’, considers facilities and

partners, and deals with risk management and operational risks)

Category (dimension) 3: people (answers the ‘who’ question, and deals with training and

awareness)

Category (dimension) 4: policy (answers the ‘what’, ‘when’ and ‘who’ questions)

Category (dimension) 5: process (answers the ‘what’, ‘when’, ‘how’, ‘where’ and ‘who’

questions). This dimension encapsulates all activities on an operational level.

Category (dimension) 6: technology (answers the ‘how’, ‘when’, and ‘where’ questions and

addresses which applications and technologies to use).

The dimensions cannot exist in isolation and must support each other to make a significant

contribution, for example, the legal and judicial dimension is the backdrop to all the other

dimensions as the legal framework provides the legal background against which an organisation

operates. The governance dimension is a subset of the legal dimension; the policy dimension is a

subset of the governance dimension. The process, people, and technology dimensions are

subsets of the policy dimension. Figure 1-2 (below) is a graphical representation of the

relationship between the dimensions of DF.

The next step will be to identify and categorise the consolidated list of our CDF capability from

Chapter 7, using the dimensions as categories. We will use the relationship between the

dimensions to construct our DFMF to manage and implement the DF capability effectively in an

organisation. The last chapter of this part will use the DFMF to demonstrate how the application

of our DFMF can add value to an organisation. We will explain how DFMF can be used to

implement and manage our CDF capability in an organisation.

Figure 1-2. Dimensions of DF (by author)


1.6.3 Part 3: Conclusion

The last part of the thesis will provide a summary of the results of the research to demonstrate

that we have met all its objectives. As our framework is a theoretical one, we will discuss

advantages of and challenges to DFMF, and identify potential future research.

1.7 THE STRUCTURE AND OVERVIEW OF THE THESIS

The thesis consists of three parts, graphically represented in Figure 1-3 (below).

The next section will provide a brief overview of the content of each part and related chapters of the

thesis.

Figure 1-3. Outline of the thesis (figure; only the labels recovered from it are listed here).

Part 1: Background: Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF).

Part 2: Construction of DFMF: Chapter 7 Comprehensive DF capability (ProDF, ActDF, ReDF); Chapter 8 Construction of DFMF.

Part 3: Conclusion: Chapter 9 Conclusion.

Labels in the DFMF panel of the figure, grouped by dimension: LEGAL AND JUDICIARY (Evidence; Process; Infrastructure; Other); GOVERNANCE (DF strategy; Infrastructure; Risk management / Contingency strategy); POLICY (General DF policy; Evidence management and handling policies; Risk management / Contingency policies; Management policies; Infrastructure policies; Incident management policies; Education, training and awareness policy); PROCESS (Evidence management and handling procedures; Incident management procedures; Infrastructure procedures; Management procedures; Risk management / Contingency procedures); PEOPLE (Education and training programmes; Awareness programmes; Code of conduct); TECHNOLOGY (Operational infrastructure; DFI infrastructure). Further labels in the panel: Management of DF capability; Evidence management plan; DF education, training and awareness strategy.


1.8 PART 1: BACKGROUND

1.8.1 Chapter 1: Overview of thesis

The aim of the chapter will be to provide the reader with an overview of the thesis.

1.8.2 Chapter 2: Introduction to DF

The aim of this chapter is to provide a background to DF: to define DF, to discuss why it is becoming increasingly important for governments, organisations and individuals to address cybercrime and new threats to security, and to discuss the need for evidence in organisations by considering the factors that drive DF in organisations.

The chapter discusses the need to prepare organisations for DF investigations and to have the ability to acquire volatile evidence during an on-going attack. The nature of contemporary forensic evidence has changed from mostly paper-based and physical evidence to digital evidence. Digital evidence exists on computer hard drives, flash disks, cell phones, digital cameras and audio devices. The chapter defines digital evidence, discusses types of digital evidence, and


refers briefly to admissibility requirements for digital evidence. It also coins a new term:

comprehensive digital evidence (CDE).

There is a need for a DF capability that concentrates on ensuring digital evidence availability and forensically sound processes in organisations, enables DF investigations, and caters for the acquisition of live evidence. We propose a definition for a CDF capability:

A comprehensive DF (CDF) capability consists of the combination of reactive, active, and proactive DF components.

Our CDF capability will consider the:

Reactive DF (ReDF) component, which concentrates on the investigation process after an incident has happened. Most traditional DF frameworks are process models that concentrate on reactive DF, as demonstrated by a number of authors (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b). The role-based model FORZA of Ieong (2006) will be included in the discussion of ReDF, which is discussed in more detail in Chapter 5.

Proactive DF (ProDF) component, which concentrates on the forensic preparation of the organisation to enable successful investigations (Beebe & Clark, 2005; Carrier & Spafford, 2003; Louwrens et al., 2006b). ProDF comprises the measures that organisations should take to ensure they are DF-ready (Louwrens et al., 2006b) and to make responsible use of DF to demonstrate that they practise good IT governance. It is also important to ensure that standard operating procedures are forensically sound. ProDF will be discussed in detail in Chapter 4.

Active DF (ActDF) component, which concentrates on the acquisition of live and volatile evidence. Random Access Memory (RAM) content, registry information and other session information are becoming more important for investigating certain cases of cybercrime (Shipley & Reeve, 2006). ActDF concentrates on gathering live evidence during real-time or on-going attacks to set the platform for a successful DF investigation. ActDF will be discussed in detail in Chapter 6.

The chapter addresses sub-objective 1, par. 1.5.1.


1.8.3 Chapter 3: Conventional approach to DF

The aim of this chapter is to identify various DF frameworks from the literature and to derive from them goals and steps for the formulation of our CDF capability. As the traditional DF frameworks concentrate on reactive investigations, the chapter will identify a comprehensive set of phases and steps for ReDF.

Traditionally, DF frameworks are process models (Barayumureeba & Tushabe, 2004; Beebe &

Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al.,

2006b; O'Ciardhuain, 2004) but Ieong (2006) has proposed a role-based framework. The chapter

will discuss the identified composite process frameworks and comment on each. The next section

uses a comparison of them to compile a comprehensive list of phases and steps.

Some of the identified process models have references to DF readiness or a preparation phase

and limited reference to the acquiring of live evidence. The chapter will identify the steps to

include in the ReDF, ProDF, and ActDF components that will be discussed in the following three

chapters.

The last section will describe the role-based framework of Ieong (2006) and compare it with the identified process frameworks, to identify steps or concepts missing from the comprehensive list of steps for the proposed CDF capability. The chapter addresses sub-objective 2, par. 1.5.2.

1.8.4 Chapter 4: Proactive DF (ProDF)

The aim of the chapter will be to formulate goals and steps for ProDF. The conventional DF frameworks in Chapter 3 do not cover ProDF comprehensively. The chapter will use the steps identified for DF readiness or preparation phases in Chapter 3, and other proactive and DF readiness views from the literature (Bradford, Brown & Perdue, 2007; Garcia, 2005; Rowlingson, 2004), to propose a comprehensive ProDF component for our CDF capability. It will also include some of the needs identified in Chapter 2, to ensure that the organisation is fully prepared for DF investigations and has evidence available for non-investigative purposes.

Generally, DF readiness concentrates on evidence availability and the preparation of the

organisation in terms of infrastructure, people, and processes to ensure a cost-effective,

successful investigation (Rowlingson, 2004). The chapter will demonstrate that ProDF is more


comprehensive than DF readiness, as it includes the responsible use of DF tools and techniques to

enhance governance structures and to improve the efficiency of the implementation of controls.

It can also be a valuable tool to determine the return on investment for controls implemented in

organisations.

The chapter will define ProDF and propose goals and provisional elements for the ProDF

component. It addresses sub-objective 2: par. 1.5.2.

1.8.5 Chapter 5: Reactive DF (ReDF)

The aim of the chapter is to use the comparison in Chapter 3 to consolidate the ReDF component of our CDF capability. The ReDF component considers the traditional post-incident DF investigation. The chapter will propose goals for ReDF and a protocol with phases and related steps for the ReDF component. It addresses sub-objective 2, par. 1.5.2. The ReDF goal is to investigate an incident successfully whilst minimising the impact of the incident. The proposed ReDF protocol consists of six phases: incident response and confirmation, physical investigation, digital investigation, incident reconstruction, presentation of findings, and incident closure.

1.8.6 Chapter 6: Active DF (ActDF)

There is an increasing need to investigate certain crimes as they occur, and volatile evidence is becoming increasingly important in investigations. From the literature studied, there is a need for a framework that provides technology-independent guidelines on the gathering and acquisition of forensically sound live evidence, as most of the identified frameworks either rely on intrusion detection technology to collect the evidence or use a tool-specific methodology, for example EnCase Enterprise® for remote logging (Guidance Software, 2005).

Evidence acquired with live acquisition tools is not yet fully accepted in court, as there is no guarantee that it has not been altered during acquisition from a running system. The chapter will discuss the challenges to ActDF (Adelstein, 2006; Ieong & Leung, 2007).

The DF frameworks discussed in Chapter 3 include some live evidence-handling processes. The

chapter investigates and compares live or real-time frameworks (Grobler, 2009; Ieong & Leung,

2007). We will use the comparison and the identified live evidence-handling processes (from


Chapter 3) to propose goals and phases with associated steps for the ActDF component. The

chapter addresses sub-objective 2, par. 1.5.2.

1.9 PART 2: CONSTRUCTION OF OUR DFMF

This part consists of Chapters 7 and 8.

1.9.1 Chapter 7: CDF capability

The aim of the chapter is to consolidate the three identified components of a DF capability, ProDF, ReDF, and ActDF, by referring to the goals, phases and steps identified in the previous three chapters. We will identify potential problem areas in the components as defined in the literature and propose enhancements to formulate our CDF capability. The components cannot exist in isolation, and we will discuss the relationship between them. We will propose and consolidate to-do lists for the different components to enable us to formulate the DFMF in the next part of the thesis. The chapter addresses sub-objective 3, par. 1.5.3.

Part 2: Construction of our DFMF

The aim of Part 2 of the thesis will be to address sub-objectives 3 (par. 1.5.3) and 4 (par. 1.5.4):

Sub-objective 3: Formulate our CDF capability (Chapter 7). We will:

Expand on the identified phases and steps for each component to formulate our CDF capability

(Chapter 7).

Identify to-do lists for the CDF capability (Chapter 7).

Discuss the relationship between the components of a DF capability (Chapter 7).

Consolidate the to-do lists to assist management to implement the CDF capability (Chapter 7).

Sub-objective 4: Construct our holistic theoretical DF implementation and management framework

(DFMF) (Chapter 8). We will:

use the consolidated to-do list as a basis for the formulation of the DFMF (Chapter 8).

identify deliverables to implement and manage for each component of our CDF capability; the

deliverables will be used to formulate DFMF (Chapter 8).

use the dimensions of DF to categorise the identified deliverables (Chapter 8).

use the relationship between the dimensions of DF to construct the holistic, comprehensive DF

implementation and management framework (DFMF) (Chapter 8).

ensure that our DFMF is easy to use as it should be able to provide management with a high-level

overview of ‘what to do, who should do it, how it should be done’ (Chapter 8).


1.9.2 Chapter 8: Construction of the holistic CDF management framework (DFMF)

It is essential to note that our CDF capability describes the whole spectrum of potential applications of DF in an organisation. The capability does not provide sufficient management and implementation guidelines. Management is not concerned with the detailed investigation protocols as defined by the ReDF and ActDF components, but rather with how to establish a DF-friendly environment to ensure successful investigations and the application of DF tools and technologies to enhance governance structures. The DF-friendly environment will be guided by a DF strategy, supporting governance structures and policies, with processes, competent employees and adequate technologies.

The chapter will use our to-do lists identified for the CDF capability components (Chapter 7) to

identify typical deliverables that should be implemented and managed. The deliverables will

enable management to obtain a clear understanding of what to consider when establishing or

managing a DF capability, for example what should be formulated (e.g., policies, procedures or

strategies), who should be involved and trained, and what should be acquired (e.g., DF tools).

We will use the to-do list to categorise similar deliverables, for example policies, processes, or

people-related deliverables. We described DF as a multi-dimensional discipline (Grobler &

Louwrens, 2006). We will use the dimensions of DF: legal and judicial, governance, people,

policy, process, and technology to categorise deliverables for our CDF capability. The

dimensions are related and we will use the relationship between the dimensions to construct

the DF implementation and management framework (DFMF) to implement and manage our

CDF capability in an organisation. The chapter addresses sub-objective 4, par. 1.5.4.

1.10 PART 3: CONCLUSION

Part 3: Conclusion

The aim of Part 3 of the thesis is to address sub-objective 5 (par. 1.5.5):

Sub-objective 5: Identify challenges to DFMF and further research (Chapter 9). We will:

summarise the research conducted in the thesis (Chapter 9)

assess the CDF capability and DFMF using Casey's criteria (Chapter 9)

identify the challenges to the implementation of our DFMF (Chapter 9)

identify further research opportunities (Chapter 9).


1.10.1 Chapter 9: Conclusion

This chapter will summarise the research carried out in the thesis and identify possible areas for

further research.

1.11 RESEARCH RESULTS FROM THIS THESIS SO FAR

1.11.1 Articles presented and published

1.11.1.1 CDF capability

"A multi-component view of Digital Forensics", 3rd annual international Workshop for Digital Forensics (15-18 February 2010), Krakow, Poland, published in IEEE Xplore (Grobler, Louwrens & von Solms, 2010b).

"High-level overview of Digital Forensics", 7th annual Information Security South Africa conference (July 2009), Johannesburg, South Africa, published by the conference organisers (Grobler & Louwrens, 2009).

1.11.1.2 ProDF component

"A framework to guide the implementation of Pro-active Digital Forensics in organisations", 3rd annual Workshop for Digital Forensics (15-18 February 2010), Krakow, Poland, published in IEEE Xplore (Grobler, Louwrens & von Solms, 2010a).

1.11.1.3 Dimensions of DF

"Digital Forensics: a multi-dimensional discipline", Information Security South Africa conference (5-7 July 2006), Sandton, South Africa, published by the conference organisers (Grobler & Louwrens, 2006).

1.11.1.4 Relationship between DF and information security

"DF readiness, a component of Information Security best practice", IFIP SEC conference (May 2007), Sandton, South Africa, published by Springer (Grobler & Louwrens, 2007).

1.11.1.5 Digital evidence plan

"Digital Evidence Management Plan", 8th annual Information Security South Africa conference (August 2010), Sandton, South Africa, published in IEEE Xplore (Grobler & Louwrens, 2010).


1.11.2 Future articles

We intend to publish the following articles:

A framework to successfully implement a CDF capability in an organisation

Digital Forensics and corporate governance – does it make sense?

How can a CDF capability ensure good governance?

Assessing the completeness of the evidence set of an organisation.

1.12 SUMMARY

The chapter has provided an overview of the thesis. Organisations need digital evidence for various

reasons as identified in literature, and DF tools and techniques can assist with its acquisition.

To establish an effective DF capability in an organisation, it is essential that organisations prepare themselves by considering early evidence identification and the structuring of forensically sound processes. The organisation must also have frameworks in place to acquire live and static evidence. We propose that a DF capability consists of three components: ProDF, ReDF, and ActDF.

From the literature studied, most of the frameworks address the actual investigation with limited

references to forensic readiness and live evidence acquisition. Very little emphasis is placed on the

management of a DF capability in an organisation. We propose to develop a holistic CDF

management framework (DFMF) to manage and implement a CDF capability in an organisation. The

next chapter will provide a general background to DF.


PART 1

BACKGROUND

The aim of Part 1 of the thesis will be to address sub-objectives 1 and 2 (pars. 1.5.1 and 1.5.2):

Sub-objective 1: Provide background to DF (Chapter 2). We will:

define DF

discuss driving factors for DF

discuss cybercrime and digital evidence

propose our CDF capability.

Sub-objective 2: Provide background to our CDF capability. We will:

identify, discuss, and compare various DF frameworks (Chapter 3)

use the comparison of the DF frameworks and views of DF readiness to propose the formulation

of a preparation (proactive) DF component with ProDF goals and steps (Chapter 4)

use the comparison of the DF frameworks to identify goals and steps for a post-incident

investigation (reactive) DF component with steps (Chapter 5)

use the comparison and investigate live and real-time investigation practices and frameworks to formulate goals and steps for a live (active) DF component (Chapter 6).


CHAPTER 2

INTRODUCTION TO DIGITAL FORENSICS

2.1 INTRODUCTION

Organisations, individuals, and governments are operating in cyberspace, which can be defined as a

global community (the virtual shared universe of the world's computer networks) with no physical

boundaries or real law and order (Unesco, 1997). People normally communicate in cyberspace using

networks or the Internet, which also provide the speed, anonymity, and effectiveness which criminal

elements in society use as a unique platform for their operations.

The importance of information has given rise to an increase in criminal activities. Similarly, the introduction of computers as a criminal tool has enhanced the criminal's ability to perform, hide, or otherwise aid unlawful or unethical activity. In particular, the surge of technical expertise among the general population, coupled with anonymity, seems to encourage criminals to use computer systems, since there is only a small chance of being caught, let alone prosecuted (Reith, Carr & Gunsch, 2002). These "cybercrimes" are not always new crimes, but traditional ones translated into a cyber-world by exploiting computing power and the accessibility of information.

Criminals tend to target specific sectors of the community: the 2010/2011 CSI survey indicates that 22% of respondents had experienced a targeted attack, defined as a malware attack aimed exclusively at the respondent's organisation or at organisations within a small subset of the general business population. The survey also indicates an increase in malware attacks and in bots/zombies within organisations. Organisations were reluctant to provide a monetary value for their financial losses, but reported losses ranged from small amounts to $25 million (Richardson, 2012).

It is essential to investigate an incident, determine its root cause, and link the perpetrator to it. In the early 1900s, Edmond Locard found that whenever two objects come into contact a transfer of material occurs; this became known as Locard's Exchange Principle (FBI, 1999). The traces left by this transfer are the basic elements that forensic science utilises, and a similar principle of evidence traces applies in the digital world.


Among various definitions for forensics in literature are:

the application of science to legal problems (Louwrens & von_Solms, 2005)

the coherent application of methodical investigatory techniques to solve criminal cases

(Kruse & Heiser, 2004)

the science of finding out why something failed (Stephenson, 2003).

The process followed by the investigator is crucial, as it must be able to stand up to legal scrutiny. A forensically sound process must maintain the chain of evidence and the chain of custody at all times.

A forensically sound process will maintain the integrity of evidence, ensuring that the chain of custody remains unbroken and that collected evidence will be admissible in a court of law (Louwrens et al., 2006b).

The chain of evidence requires that the evidence has not been altered at any stage (the detectives in the case study photograph and bag evidence for this reason).

The chain of custody is a system of recording who is responsible for the evidence at any point in time, from the moment it was collected until it is used in the courtroom (Foster & Wilson, 2004).

The forensic tools used are also important as their admissibility and acceptability will determine the

quality and validity of the acquired evidence and documentation of the investigation in a court of

law. Not all forensic investigation tools are acceptable in courts.
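The two chains described above can be checked mechanically. The following Python program is an illustration added here; it is not taken from the thesis or from any DF tool it cites. It records a SHA-256 fingerprint of an acquired item at every handling step (chain of evidence) and keeps an append-only, hash-linked custody log (chain of custody). The evidence bytes, custodian names and timestamps are constructed for the example. It shows what a broken chain looks like in each case: an item whose hash changes between two handling steps, and a log entry edited after the fact.

```python
"""Integrity and chain-of-custody records for one item of digital evidence.

Illustrative example, not code from the thesis. The evidence bytes, custodians
and timestamps in demo() are constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence; recomputed at every access so that any change
    to the item shows up as a different hash (chain of evidence)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str        # UTC, ISO 8601; in practice from a trusted clock
    custodian: str        # who held the item at this step
    action: str           # acquired / transferred / examined / stored
    evidence_hash: str    # hash of the item as presented at this step
    prev_entry_hash: str  # hash of the preceding log entry (hash chain)
    entry_hash: str = ""  # hash of this entry's own payload

    def payload(self) -> bytes:
        """Canonical bytes of the entry, excluding its own hash."""
        d = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return json.dumps(d, sort_keys=True).encode()


class CustodyLog:
    """Append-only log. Each entry commits to its predecessor, so deleting,
    inserting, or editing an entry after the fact breaks verification."""

    GENESIS = "0" * 64

    def __init__(self, item_id: str, acquired_data: bytes):
        self.item_id = item_id
        self.acquisition_hash = fingerprint(acquired_data)  # reference hash
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, custodian: str, action: str, data: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        e = CustodyEntry(len(self.entries), timestamp, custodian, action, fingerprint(data), prev)
        e.entry_hash = hashlib.sha256(e.payload()).hexdigest()
        self.entries.append(e)
        return e

    def evidence_unaltered(self) -> bool:
        """Chain of evidence: the hash seen at every step equals the acquisition hash."""
        return all(e.evidence_hash == self.acquisition_hash for e in self.entries)

    def chain_intact(self) -> bool:
        """Chain of custody: every entry re-hashes to its stored hash and links to
        the entry before it, with no gaps in the sequence numbers."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_entry_hash != prev:
                return False
            if hashlib.sha256(e.payload()).hexdigest() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo() -> dict:
    """Constructed walk-through; returns (evidence_unaltered, chain_intact) per stage."""
    evidence = b"constructed sample: raw image of seized laptop disk"
    log = CustodyLog("ITEM-001", evidence)
    log.record("2011-06-01T08:05:00Z", "Detective A", "acquired", evidence)
    log.record("2011-06-01T09:30:00Z", "Lab technician B", "transferred", evidence)
    log.record("2011-06-02T10:00:00Z", "Lab technician B", "examined", evidence)
    results = {"clean": (log.evidence_unaltered(), log.chain_intact())}

    # Chain of evidence broken: the item presented at a later step differs by one byte.
    log.record("2011-06-03T11:00:00Z", "Detective A", "examined", evidence + b"\x00")
    results["after_altered_evidence"] = (log.evidence_unaltered(), log.chain_intact())

    # Chain of custody broken: a custodian name is edited after the fact.
    log.entries[1].custodian = "Detective C"
    results["after_edited_log"] = (log.evidence_unaltered(), log.chain_intact())
    return results


if __name__ == "__main__":
    for stage, (unaltered, intact) in demo().items():
        print(f"{stage}: evidence unaltered={unaltered}, custody chain intact={intact}")
```

The two checks are deliberately separate: an altered item with a perfectly consistent log (second stage) and an unaltered item with a doctored log (third stage) are different failures, and an examiner has to be able to say which one occurred. In practice the log entries would also be signed or written to media the custodians cannot rewrite; hash-linking alone only proves that the log was not edited without the editor recomputing every later entry.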

The chapter provides a background for DF, with Figure 2-1 (below) depicting the role of this chapter within the overall thesis.

Figure 2-1. Role of the Chapter in the thesis (thesis outline showing Chapter 2 Introduction to DF within Part 1: Background, Chapters 1 to 6, followed by Part 2: Construction of DFMF and Part 3: Conclusion)


2.2 AIM AND STRUCTURE OF THIS CHAPTER

The aim of this chapter is to provide a background to DF. We will provide a brief case study and

correlate a typical physical investigation with a digital investigation. The chapter defines DF and

states why it is important to organisations. Cybercrime is a given in modern society. The Chapter will

define and briefly discuss cybercrime and digital evidence. We will also begin to explore what the

components of the eventual CDF capability will be. The chapter will:

provide a background by presenting a brief case study and general understanding of

differences between a traditional physical forensic investigation and a digital investigation

(par. 2.3)

define and discuss DF (par. 2.4)

discuss drivers for the use of DF tools in organisations (par. 2.5)

define and discuss cybercrime and new developments in security threats (par. 2.6)

define and discuss digital evidence (par. 2.7)

propose and describe our CDF capability (par. 2.8).

2.3 BACKGROUND

South Africa has a high crime rate, with incidents committed daily, so many citizens are familiar with the investigative procedures of law enforcement agencies (SAPS, 2011). The following hypothetical case is used to demonstrate the similarities and differences between a conventional forensic investigation and a digital forensic investigation.

2.3.1 Case study

The police department receives a frantic call from a neighbour to report several gunshots. As the

officers arrive on the scene they find a body on the kitchen floor of a house in a residential area secured

by a private security company (security complex).

The victim is a 40-year-old male, with a bullet wound to the head and lying on his stomach. The lounge

is in a mess, tables and chairs are scattered and there are clear signs of a struggle. There is a cell

phone next to the body on the floor.

The officers secure the crime scene and wait for the forensic investigators and the detectives to arrive.

The detectives arrive, scan the crime scene and find that the patio door leading to the lounge is open

and muddy footprints lead into the house from the garden. There are distinct fingerprints on the window


of the patio door. The victim’s car is still in the garage and it is not clear if any items are missing from

the house. The detective will formulate an initial hypothesis for the incident.

The detectives continue with their investigation and start to identify evidence and potential leads to

determine the motive for the homicide. They will use ‘direct’ and ‘indirect’ evidence to establish a

motive. An example of ‘indirect’ evidence is the position of the body as it can tell a story of where the

suspect was when the shots were fired. The detectives photograph, bag, and document all potential

items of evidence, then take them to the forensic laboratory for analysis. These include fingerprints, hair

samples, blood samples, a cell phone, a laptop and the bullet casings found on the scene.

The security complex has installed several closed circuit television (CCTV) cameras in strategic points

of the complex to enable them to monitor the area. The footage of the camera and potential

eyewitnesses will be able to provide the detectives with valuable information of events prior to, during,

and after the incident.

It is essential that the detectives establish a motive for the incident. They will interview family,

neighbours, work colleagues, and friends to determine potential suspects and to establish a motive.

The neighbour identifies the body as John Smit, a single accountant who was living a flamboyant

lifestyle. He had regular visitors to his house and had a large Rottweiler in the back yard.

The lead detective will start to compile a case file, which can contain, for example the following:

Information, time, location of the incident

Detectives on the case

Who reported the incident (how and at what time)

First people on the scene

Preliminary hypothesis

Potential motives to support the hypothesis

List of forensic evidence from the crime scene with analysis reports

List of forensic evidence from the victim, e.g., time of death with analysis reports

Records of interviews with neighbours, family, work colleagues and friends

Record of interviews of potential suspects

Press releases if applicable

Authorisations to obtain additional evidence, for example, cell phone provider logs

Event reconstruction

Potential suspect list with profiles


Case conclusion document.

The lack of evidence on a crime scene can make the establishment of a motive very difficult. The more

the detectives can learn about the victim and his lifestyle, any valuables missing from the crime scene,

and potential problems in the victim’s life, the easier it becomes for the detective to establish a motive. A

timeline of events leading towards and during the incident should be constructed as it can narrow down

the search and enable detectives to focus on a specific area. It is also essential that the detectives

gather as much evidence as possible about the potential suspect. Typically, profiling can be used to determine the most likely suspect in terms of, for example, gender and height. The detectives must start to think like the suspect.

We will now draw a correlation between the physical investigation and a digital investigation by comparing the two scenarios in terms of the tasks of the detectives or the investigator. We propose the following five steps:

Step 1: Incident alert and response (par. 2.3.1.1)

Step 2: Secure the crime scene (par. 2.3.1.2)

Step 3: Acquire the evidence (par. 2.3.1.3)

Step 4: Analyse the evidence and reconstruct the incident (par. 2.3.1.4)

Step 5: Present the findings (par. 2.3.1.5).

2.3.1.1 Step 1: Incident alert and response

Physical investigation: An incident alert will trigger an investigation. In the case study, the

neighbour called the police to report a crime. A similar action takes place after a cybercrime

has been discovered.

Digital investigation: There will be an incident alert, which may come from an intrusion detection system (IDS) or from an employee who reports suspicious activity to the help desk. Unlike the case study, where the authorities handle the investigation, the incident response (IR) team will handle and contain the incident internally, and organisations seldom involve the authorities early in investigations. According to the CSI security report, only 27% of respondents reported security incidents to the authorities (Richardson, 2012).


2.3.1.2 Step 2: Secure the crime scene

Physical investigation: In the case study, the detectives secure the physical crime scene to

preserve all evidence. The physical crime scene is normally well-defined. The secured crime

scene in the case study is ‘shut down’ after the incident so no one can access it.

Digital investigation: The digital crime scene is not always well-defined as it may involve

various physical locations and virtual locations inaccessible to the investigator, and is easily

compromised. The digital crime scene may also be over various jurisdictions and countries,

which can complicate the investigation even further.

Organisations cannot always afford to shut down operations and will attempt to get

operations up and running as fast as possible to minimise the effect of the incident. However,

often very little thought is given to the preservation of evidence or how forensically sound the

process or procedures are following the incident, with the result that digital forensic

investigations are often compromised and evidence destroyed or contaminated by employees

(Sommer, 2005).

2.3.1.3 Step 3: Acquire the evidence

Physical investigation: The next step is to identify and acquire different types of evidence. The

detectives in the case study are competent and follow well-defined procedures to identify,

acquire, and preserve the evidence. The process followed will ensure that the evidence is

admissible in court.

The detectives in the case study gather different types of evidence, such as blood samples, fingerprints and a cell phone, each of which is acquired in a different way and must be handled differently.

CCTV footage, potential eyewitnesses and even the access records at the security gates of the security complex can provide the detectives with valuable evidence about events before, during and after the crime.

The detectives in the case study will establish a motive as soon as possible, which will enable

them to profile the suspect and determine what evidence is required to prosecute him or her

successfully.

The way in which the investigator handles the evidence will have an influence on the

admissibility of the evidence. In the case study, detectives photographed and bagged all

evidence according to predefined criteria.

Digital investigation: Well-defined DF frameworks (Barayumureeba & Tushabe, 2004; Beebe &

Clark, 2005; Casey, 2004; Ieong, 2006; Louwrens et al., 2006b) exist with phases and steps to

guide investigators on how to identify, acquire, and analyse evidence. However, very few

organisations have the structures (management, infrastructure and procedures) in place to

enable them to carry out cost-effective, low-impact and efficient digital investigations

(Sommer, 2005). As organisations tend to handle incidents internally, employees are often not

trained in or aware of digital evidence requirements, and the evidence is often contaminated.

Investigators can also gather different types of digital evidence. There is static digital evidence,

e.g., log file content; live digital evidence, e.g., register content; legacy digital evidence; and

audio evidence. The cell phone seized in the case study may have had digital information on it

that can be used as evidence in the case. The different types of evidence may require different

DF tools and should be acquired in a different way to ensure the integrity of the evidence.

Gathering evidence before and during an incident can be seen as a proactive measure. Organisations should consider how potential evidence could be gathered before and while an incident is taking place. The DF frameworks and DF readiness views studied include a preparation phase that addresses infrastructure and evidence availability, but the research on live investigations needs to be expanded (Ieong & Leung, 2007).

The investigators in a DF investigation will set a hypothesis as soon as possible. It is essential

that organisations become DF-ready. They should address the need to evaluate all business

scenarios to identify threats, vulnerabilities and potential evidence, should an incident arise.

However, some organisations are hesitant to include evidence requirements as it is seen to be

too expensive (Rowlingson, 2004).

The digital crime scene differs from the case study, although items such as cameras and evidence bags are still used for the physical items that are seized (for example the cell phone). Which digital evidence is acquired is determined either by the policy mandate or by the content of the specific mandate for the investigation. Digital evidence on a hard disk is acquired with DF tools. The tools must be accredited (validated and accepted) so that the evidence acquired with them is admissible in court. Digital evidence is easily contaminated or altered; the investigator must therefore ensure and be able to demonstrate its integrity, for example by recording cryptographic hashes of the acquired image so that any later alteration can be detected.
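As an added illustration (example code written for this page, not the thesis's own and not any particular DF tool), the following Python script acquires a bit-for-bit image of a source, records an acquisition hash while reading, and later re-hashes the image to show that it has not been altered. The source is a constructed file standing in for a block device; in practice the source would be a drive attached through a hardware write-blocker, and imagers such as dd or dc3dd perform the same copy-and-hash step.

```python
"""Added example (not from the thesis): forensic image acquisition with
acquisition and verification hashes.

A constructed file stands in for the source device so the example runs offline.
In a real acquisition the source would be a drive attached through a hardware
write-blocker, e.g. /dev/sdb (assumed path), and the image would be stored on
evidence media.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read, hash and write 1 MiB at a time


def acquire_image(source_path, image_path, hash_name="sha256"):
    """Copy the source bit-for-bit, hashing the bytes as they are read.

    Returns an acquisition record: hash algorithm, the hash of everything read
    from the source (the acquisition hash) and the number of bytes copied.
    """
    digest = hashlib.new(hash_name)
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return {"hash_name": hash_name, "acquisition_hash": digest.hexdigest(),
            "bytes": copied}


def hash_file(path, hash_name="sha256"):
    """Hash a whole file; this is the independent verification hash."""
    digest = hashlib.new(hash_name)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(record, image_path):
    """Re-hash the image and compare it with the acquisition hash.

    A size or hash mismatch means the image no longer reflects what was read
    from the source: it was altered, truncated or damaged after acquisition.
    """
    if os.path.getsize(image_path) != record["bytes"]:
        return False
    return hash_file(image_path, record["hash_name"]) == record["acquisition_hash"]


def demo():
    """Acquire a constructed 'device', verify the image, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "device.bin")
        image = os.path.join(workdir, "device.dd")
        # Constructed sample source: a boot-sector-like header, slack, a file
        # name and some binary data (6164 bytes in total).
        with open(device, "wb") as fh:
            fh.write(b"FAT32   " + b"\x00" * 4096 + b"payroll.xlsx"
                     + bytes(range(256)) * 8)
        record = acquire_image(device, image)
        intact = verify_image(record, image)
        # Simulate post-acquisition contamination: flip one byte of the image.
        with open(image, "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_image(record, image)
    return record, intact, tampered


if __name__ == "__main__":
    rec, ok, still_ok = demo()
    print(f"{rec['hash_name']} acquisition hash: {rec['acquisition_hash']}"
          f" ({rec['bytes']} bytes)")
    print("image verifies:", ok, "| after tampering:", still_ok)
```

The acquisition hash is computed from the bytes read from the source, not from the image file, so the later `verify_image` call genuinely checks that the image equals what the source presented at acquisition time; a single flipped byte is enough to fail it. Both hashes belong in the case file together with the examiner, date and device details.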

2.3.1.4 Step 4: Analyse the evidence and reconstruct the incident

Physical investigation: The investigators will analyse the evidence to determine a motive and

to identify the suspect. The evidence gathered is submitted to type-specific forensic

laboratories, e.g., DNA and fingerprints. The investigation team will determine if the evidence

supports the hypothesis or motive, or if additional evidence should be acquired. The

detectives in the case study will compile a case file.

Digital investigation: The digital evidence is analysed and the incident reconstructed. The investigator analyses the evidence in a DF laboratory. The investigation team determines whether the evidence supports the hypothesis or motive, or whether additional evidence is required. The DF investigator compiles a case file; this thesis will propose potential content for the case file. The DF tools used for the acquisition and analysis of the digital evidence normally provide a documentation (audit trail) facility that supports the case file.

2.3.1.5 Step 5: Present the findings

Physical investigation: The investigation team presents its findings to the case leader and, if the matter is prosecuted, in court.

Digital investigation: The investigation team presents its findings to management or in court. Special precautions and preparation are required when presenting digital evidence and cases in court, as the documentation must be prepared in a format that the courts can understand.

The discussion above has provided a background to the similarities between a physical and digital

investigation and highlighted problem areas that exist, and actions followed when conducting a

digital investigation. The next section will discuss DF.

2.4 DIGITAL FORENSICS

We are living in a technology-driven society, and communicate using cell phones, e-mail, or social

networks. Organisations depend heavily on computer applications and networks for their daily

operations. Electronic chips control various everyday devices, for example dishwashers and

televisions.

Cybercriminals exploit vulnerabilities of people and technology to launch attacks on society.

Traditionally, investigators used computer forensics to investigate computer-related incidents.

Various definitions for computer forensics exist:

The preservation, identification, extraction, documentation, and interpretation of

computer media for evidentiary and/or root cause analysis (Kruse & Heiser, 2004).

The process of identifying, preserving, analysing and presenting the digital evidence in a

manner that is legally accepted (Leighland & Krings, 2004).

The use of analytical and investigative techniques to identify, collect, examine and

preserve evidence and information which is magnetically stored or encoded (Louwrens & von Solms, 2005).

However, the format and nature of digital evidence and of technology have changed, and computer forensics as defined above cannot always cope with the new needs. Digital forensics is more comprehensive than computer forensics: it is not limited to a single computer or device, and it covers any digitally stored evidence (not only magnetically stored evidence). Various definitions for DF exist in the literature:

“the use of scientifically derived and proven methods toward the preservation, collection,

validation, identification, analysis, interpretation, documentation, and presentation of

computer evidence derived from digital sources for the purpose of facilitation or furthering

the reconstruction of events found to be criminal, or helping to anticipate unauthorized

actions shown to be disruptive to planned operations” (Reith et al., 2002).

“The scientific study of the processes involved in the recovery, preservation and

examination of digital evidence, including audio, imaging and communication devices”

(TC-11, 2006).

Many investigators believe that digital forensics is about acquiring the evidence to identify the perpetrator of a digital crime and putting together a case for prosecution. Stephenson suggests that digital forensics takes one of two directions: determining the root cause of the incident, or focusing on the legal and law enforcement aspects of an incident (Stephenson, 2002).

We will use the definition of TC-11 as it provides a clear scope for DF:

DF is the scientific study of all the processes involved in the recovery, preservation and examination of digital evidence, including audio, imaging and communication devices (TC-11, 2006).

A discipline should be supported by fundamental characteristics. It is well accepted that

confidentiality, integrity, and availability are fundamental characteristics of Information Security

(Info Sec). Ieong (2006) has identified the following DF fundamentals:

Reconnaissance: The DF investigator should use all tools and processes available to

recover all relevant evidence.

Reliability: Maintain the chain of evidence during the extraction, analysis, storage and transportation of data. In general, the chain of evidence, the time at which each action took place, the integrity of the evidence and the relationship between each person and the evidence should be recorded, with non-repudiation as a feature of DF.

Relevancy: Usefulness and the weight of the evidence are linked to the relevancy of all

evidence related to the case.

These fundamental characteristics support all DF activities in organisations.
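The reliability fundamental above (chain of evidence, time, integrity and each person's relationship with the evidence) can be recorded as a tamper-evident custody log. The following Python code is an added example written for this page, not the thesis's own; the examiner identifiers and keys are constructed. Each entry carries the hash of the evidence item at hand-over, the hash of the previous entry and an HMAC computed with the acting examiner's key; verification fails at the first entry that was altered, re-ordered or removed. HMAC with a shared key authenticates the entry only among the key holders; for true non-repudiation an asymmetric signature per examiner would replace it.

```python
"""Added example (not from the thesis): a hash-chained chain-of-custody log.

Each entry records who did what to which evidence item and when, the hash of
the item at that moment and the hash of the previous entry, and is tagged with
the acting examiner's HMAC key. The examiner names and keys are constructed.
"""
import hashlib
import hmac
import json

# Constructed, hypothetical per-examiner secrets. A lab would issue these; a
# per-examiner signing key pair would give non-repudiation where HMAC only
# gives authentication among the key holders.
EXAMINER_KEYS = {
    "j.doe": b"examiner-key-j.doe-constructed",
    "a.smith": b"examiner-key-a.smith-constructed",
}

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(fields):
    """Deterministic JSON so writer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log, actor, action, evidence_id, evidence_hash, timestamp):
    """Append an entry chained to the previous one and tagged with the actor's key."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    fields = {
        "seq": len(log),
        "timestamp": timestamp,          # ISO 8601 UTC; the time source matters
        "actor": actor,                  # the person's relationship with the item
        "action": action,
        "evidence_id": evidence_id,
        "evidence_hash": evidence_hash,  # hash of the item at hand-over time
        "prev_hash": prev_hash,
    }
    entry_hash = hashlib.sha256(_canonical(fields)).hexdigest()
    tag = hmac.new(EXAMINER_KEYS[actor], entry_hash.encode(), "sha256").hexdigest()
    log.append({**fields, "entry_hash": entry_hash, "tag": tag})
    return log[-1]


def verify_log(log):
    """Return (ok, first_bad_seq): checks sequence, chaining, hashes and tags."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k not in ("entry_hash", "tag")}
        if fields.get("seq") != i or fields.get("prev_hash") != prev_hash:
            return False, i  # removed, inserted or re-ordered entry
        if hashlib.sha256(_canonical(fields)).hexdigest() != entry["entry_hash"]:
            return False, i  # a recorded field was edited after the fact
        key = EXAMINER_KEYS.get(entry["actor"])
        if key is None:
            return False, i
        expected = hmac.new(key, entry["entry_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i  # entry not authenticated by the named examiner
        prev_hash = entry["entry_hash"]
    return True, None


def evidence_continuity(log, evidence_id):
    """True if the recorded hash of an item never changed between custody events."""
    hashes = {e["evidence_hash"] for e in log if e["evidence_id"] == evidence_id}
    return len(hashes) == 1


def demo():
    # Constructed evidence hash standing in for the acquisition hash of an image.
    img = hashlib.sha256(b"constructed image bytes").hexdigest()
    log = []
    append_entry(log, "j.doe", "acquired", "EV-001", img, "2011-11-01T08:15:00Z")
    append_entry(log, "j.doe", "sealed and stored", "EV-001", img, "2011-11-01T09:00:00Z")
    append_entry(log, "a.smith", "checked out for analysis", "EV-001", img,
                 "2011-11-02T10:30:00Z")
    intact, _ = verify_log(log)
    # Tamper: someone rewrites who handled the item in the second entry.
    log[1]["actor"] = "a.smith"
    tampered, bad_seq = verify_log(log)
    return intact, tampered, bad_seq, evidence_continuity(log, "EV-001")


if __name__ == "__main__":
    print(demo())  # (True, False, 1, True)
```

The log answers the questions a court asks of the chain of evidence: who held the item, when, and whether its hash stayed the same throughout. Storing the log on write-once media or anchoring the latest entry hash externally (e.g. in a signed daily report) prevents an insider from rewriting the whole chain consistently.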

Traditionally, an organisation will conduct a DF investigation once a security breach has been

encountered, but it is essential that organisations consider the early identification of potential

evidence (proactive), and the acquisition of live evidence. To demonstrate, the investigators in the

case study conducted a reactive investigation (par. 2.3.1) as it happened after the incident. However,

some preparation took place to have evidence in place before an incident occurs, for example, the

CCTV camera images and potential gate access records. This can be viewed as a proactive

component that ensures that evidence is in place if required. The live CCTV camera images and

eyewitnesses can provide some ‘live’ evidence.

Often, when asked for specific digital evidence, most organisations do not have all the evidence

available (Clark, 2006). According to the Guide to Investigations and Evidence (Sommer, 2005), most

organisations underestimate the demand for evidence. To understand how organisations should prepare themselves we will identify and discuss the driving factors behind the use of DF and the evidential needs in organisations.

2.5 DRIVING FACTORS FOR THE USE OF DF IN ORGANISATIONS

Nikkel (2006) has classified the driving factors behind digital evidence and the use of DF tools and

technologies as either external (par. 2.5.1) or internal (par. 2.5.2).

2.5.1 External factors

Nikkel (2006) has identified legal and regulatory requirements (par. 2.5.1.1) and industry best

practices (par.2.5.1.2) as two external factors that drive the need for DF in an organisation.

2.5.1.1 Factor 1: Legal and regulatory requirements

Different countries have different laws and regulations. Corporate governance reports and

legislation, for example: Sarbanes-Oxley (Sarbanes-Oxley Act of 2002, 2002), King II and King III

(King, 2003; 2009) demand that management be responsible and accountable for the IT

infrastructure, applications and information of the organisation. Management should provide reasonable assurance of the efficiency of controls and of compliance by having documented evidence of assessments, that is ‘good’ evidence, available (Parkinson & Baker, 2005).

Organisations should assess all relevant business processes, policies and procedures, for example change management, to determine whether they are reliable, effective and efficient. The Sarbanes-Oxley Act also specifies explicit penalties for the deliberate destruction of essential files (Sarbanes-Oxley Act of 2002, 2002).

IT systems are the foundation of accurate information that managers use to substantiate their

everyday decisions. The proactive application of DF tools and techniques is currently used to support management by providing the required information (Nikkel, 2006).

Evidence is required to demonstrate good governance, as it can assist management to

measure performance or compliance. The King II and III reports on corporate governance

require that management pay special attention to risk management (King, 2003; 2009) by

ensuring that “a systematic, documented assessment of the processes and outcomes

surrounding key risks is undertaken”. It also states that the “board and executive management

must provide strategic direction, ensuring that risks are managed appropriately and verifying

that the enterprise’s resources are used responsibly”. The King II report states that:

a) “The board should make use of generally recognised risk management and internal control

models and frameworks in order to maintain a sound system of risk management and internal

control to provide reasonable assurance regarding the achievement of organisational objectives

with respect to:

effectiveness and efficiency of operations

safeguarding of the company’s assets (including information)

compliance with applicable laws, regulations and supervisory requirements

supporting business sustainability under normal as well as adverse operating conditions

reliability of reporting

behaving responsibly towards all stakeholders.

b) The board is responsible for ensuring that a systematic, documented assessment of the processes

and outcomes surrounding key risks is undertaken, at least annually, for making its public

statement on risk management. It should, at appropriately considered intervals, receive and

review reports on the risk management process in the company. This risk assessment should

address the company’s exposure to at least the following:

physical and operational risks

human resource risks

technology risks

business continuity and disaster recovery

credit and market risks

compliance risks. (von Solms & von Solms, 2009)”.

A DF capability provides organisations with a mechanism to address the legal and law enforcement aspects of an incident (Stephenson, 2002) and to give reasonable assurance about the efficiency of controls, compliance and responsible behaviour, as required by point (a) of King II (discussed above). DF tools and techniques can supply management with documented evidence that the assessment of the processes and outcomes surrounding key risk areas has been undertaken, as required by point (b) of King II (discussed above).

Different regulated industries, e.g., finance, healthcare, telecommunications and insurance,

have industry-specific requirements, for example Swiss ISP log retention (Nikkel, 2006). The

other external factor is industry best practices.

2.5.1.2 Factor 2: Industry best practices

Several guidelines or best practices exist for IT governance, one of the most commonly used

‘best practices’ being CobiT (Control Objectives for Information and related Technology).

CobiT is a set of documents made available by ISACA, the Information Systems Audit and

Control Association (ITGI, 2000). In the USA, Statement on Auditing Standards No. 70 (SAS 70) is used to formulate the parameters for audits of the controls at service organisations (Wikipedia, 2012b).

Various industry best practices, e.g., ISO/IEC 27001 and ISO/IEC 27002 for Info Sec governance

(ISO/IEC17799, 2005) and the IAAC’s (Information Assurance Advisory Council) guidelines for

ensuring DF readiness (Sommer, 2005), require that corporations look at procedures to collect

evidence and to analyse incidents. It is essential to consider risk management and determine

the evidence requirements for identified risks. Best practices, for example the ISO/IEC 27001,

recognise that Info Sec architectures must look at digital evidence and digital evidence

preservation (ISO/IEC17799, 2005). There is a need for organisations to plan for DF

investigations and evidence availability.

IT Service Management (ITSM) refers to the management and provision of IT services in and to

an organisation. IT management hinges on the efficient use of four Ps: people, processes,

products (tools and technology) and partners (suppliers, vendors, and outsourcing

organisations) (Rudd, 2004). We will consider the Information Technology Infrastructure

Library (ITIL) as best practice when developing policies and processes for ITSM. It is essential to consider the potential need for, and application of, DF requirements in ITSM, for example to ensure that processes and standard operating procedures are forensically sound and DF-friendly.

The industry best practices consider the implementation of policies, controls, and procedures.

Sound management and good governance require organisations to be able to evaluate the

controls. DF can enable an organisation to acquire digital evidence that can demonstrate the

effectiveness of implemented controls or procedures. The next section will discuss the internal factors that drive the use of DF.

2.5.2 Internal factors

There is a growing need for digital evidence and forensically sound processes in organisations. Nikkel (2006) has identified the following six functional areas in an organisation that need a forensic capability (pars. 2.5.2.1 - 2.5.2.6):

2.5.2.1 Factor 1 / functional area 1: Legal

The internal legal department in an organisation will need assistance with the

acquisition of evidence after an incident. It is also important to ensure compliance with

local laws and regulations.

2.5.2.2 Factor 2 / functional area 2: Internal audit

ISACA guideline G28 on computer forensics (ISACA, 2004) reflects the internal audit department's need for forensic tools when advising on fraud and irregular use of the IT infrastructure. A DF capability can assist organisations in proving compliance with corporate policies and procedures. Audit requirements and recommendations will also benefit from DF, as more, and more relevant, evidence can be obtained when required.

2.5.2.3 Factor 3 / functional area 3: Human resources

Human resources would use DF to recover evidence for internal hearings that can result in the termination of service, to prove employee misconduct and, in extreme cases, to obtain evidence related to suicide or kidnapping.

2.5.2.4 Factor 4 / functional area 4: Other units, e.g. risk management

Other corporate units or bodies that can benefit are risk management and risk control to

investigate incidents.

2.5.2.5 Factor 5 / functional area 5: Intellectual property

Intellectual property (IP) is very important to organisations. DF can assist in investigating IP abuse or infringement. It can also be used when investigating fraudulent websites and phishing attacks that pose a risk to the reputation of the organisation.

2.5.2.6 Factor 6 / functional area 6: IT department

The IT department can use DF extensively to:

assess the security posture, for example, to assist with intrusion analysis

(Richardson, 2008)

investigate security breaches, IT policy violations, and IT infrastructure abuse or

misuse

use forensic tools and skills for legitimate but non-forensic purposes, for example, to

verify corporate disk-wiping procedures; verify disk or network encryption

implementation; data recovery from a crashed disk or from old and obsolete media;

legitimate password recovery requests; assistance with obscure troubleshooting;

and to improve the IT architecture of the organisation.
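The non-forensic uses in the last bullet, verifying disk-wiping procedures and checking that a disk is in fact encrypted, come down to inspecting the raw bytes of an image. The following Python code is an added example written for this page, not the thesis's own: it scans an image in fixed-size blocks, classifies each block as zero-filled, high-entropy (consistent with encrypted or compressed data) or low-entropy (readable residue), and reports whether the wipe passed and where residue remains. The sample image is constructed in the code.

```python
"""Added example (not from the thesis): verifying a disk wipe and spotting
unencrypted residue with a per-block entropy scan.

The image is a constructed byte string standing in for a raw disk image
(e.g. the output of the acquisition step, or a drive after a wipe).
"""
import math
import random
from collections import Counter

BLOCK = 4096  # scan granularity; a sector or cluster size is a natural choice


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant block, 8.0 for a perfectly uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_block(data, high=7.5, low=6.0):
    """Zero-filled, high-entropy (ciphertext/compressed) or low-entropy (plaintext)."""
    if not any(data):
        return "zero"
    h = shannon_entropy(data)
    if h >= high:
        return "high-entropy"
    if h <= low:
        return "low-entropy"
    return "medium"


def scan_image(image_bytes, block=BLOCK):
    """Return (offset, class) for every block of the image."""
    return [(off, classify_block(image_bytes[off:off + block]))
            for off in range(0, len(image_bytes), block)]


def wipe_verified(report):
    """A zero-fill wipe passes only if every block is zero."""
    return all(cls == "zero" for _, cls in report)


def residue_offsets(report):
    """Offsets of blocks that look like readable data the wipe (or encryption) missed."""
    return [off for off, cls in report if cls == "low-entropy"]


def demo():
    # Constructed image: three wiped blocks, one block of leftover plaintext,
    # one block of pseudo-random bytes standing in for ciphertext, one wiped block.
    plaintext = (b"Quarterly payroll export - CONFIDENTIAL\n" * 200)[:BLOCK]
    rng = random.Random(7)  # seeded so the example is deterministic
    ciphertext = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    image = b"\x00" * (3 * BLOCK) + plaintext + ciphertext + b"\x00" * BLOCK
    report = scan_image(image)
    return report, wipe_verified(report), residue_offsets(report)


if __name__ == "__main__":
    report, wiped, residue = demo()
    for off, cls in report:
        print(f"offset {off:8d}: {cls}")
    print("wipe verified:", wiped, "| plaintext residue at:", residue)
```

High entropy is consistent with encryption but does not prove it (compressed archives and media files score similarly), so the check is useful for finding what is not encrypted rather than certifying what is. For a wipe that writes a fixed pattern other than zeros, compare each block against that pattern instead of testing for zero.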

The need for solid ‘good’ evidence and the application of DF tools is evident in most of the driving

factors as discussed. It is summarised by the common reasons listed in the next paragraph.

2.5.3 Common reasons (needs) for the application of DF in organisations

We analysed the needs and drivers as discussed in the previous section, and have identified the

following reasons to have evidence available and forensic sound processes in place:

2.5.3.1 Investigate incidents, fraud or employee behaviour (pars. 2.5.2.1 - 2.5.2.5)

2.5.3.2 Ensure the availability of good, admissible digital evidence (par. 2.5.2)

2.5.3.3 Assess effectiveness and efficiency of controls or procedures (par. 2.5.1.1)

2.5.3.4 Measure legal or regulatory compliance (pars. 2.5.1.1; 2.5.1.2)

2.5.3.5 Use DF tools for non-investigative purposes to improve IT and Info Sec governance

structures and performance (par. 2.5.2.6).

The identified reasons highlight the need to prepare organisations to identify evidence

proactively, before an incident; ensure that relevant processes and procedures exist, for example

a DF investigation protocol; and formulate clear policies and procedures for the use of DF tools.

DF readiness as defined in literature (Louwrens et al., 2006b; Rowlingson, 2004) will address

some of the purposes, as it concentrates on evidence availability, training of employees and

ensuring that the infrastructure and tools are available for investigating incidents. It does not

consider the use of DF tools for non-investigative purposes or the measuring of compliance.

From the discussion and identified purposes, it is clear that DF is no longer only an investigative

tool that organisations use after an incident has occurred. DF investigations will be carried out to

investigate incidents caused by cybercrime and cyber-criminals. The next section will provide a

short discussion of cybercrime to provide context for the thesis, as most investigations are

necessitated by a cybercrime incident.

2.6 CYBERCRIME

2.6.1 Definition of cybercrime

There are various descriptions of cybercrime, including:

‘Cybercrime contains all criminal offences which are committed with the aid of

communication devices in a network. This can be for example the Internet, the

telephone line or the mobile network’ (Wikipedia, 2008).

‘Cybercrime is criminal activity done using computers and the Internet and can be

divided into 3 major categories:

Cybercrimes against persons

Cybercrimes against property

Cybercrimes against government’ (Babu & Parishat, 2004).

The 10th UN Congress on the Prevention of Crime and the Treatment of Offenders (Commission on Crime Prevention and Criminal Justice, 2001) has categorised cybercrimes into three categories:

Category 1: Crimes committed against the technologies and their users:

Unauthorised access to computers and computer systems

Unauthorised use of computer systems

Reading, copying or taking data without authorisation

Creating or propagating hostile programs

Computer espionage.

Category 2: Conventional crimes committed using computer or communications

technologies:

Offences involving offensive content

Internet-related abduction

Fraud

Commercial or industrial espionage

Intellectual property crimes

Gambling

Money laundering.

Category 3: Use of the technologies to support other criminal activities.

According to the South African Electronic Communications and Transactions (ECT) Act (Act 25 of 2002), cybercrimes include:

intentional and unauthorised access to / or interception of data (S86.1)

intentional and unauthorised interference with data (S86.2)

possession of a device to unlawfully overcome security measures (S86.3)

using a device to unlawfully overcome security measures (S86.4)

denial of service (S86.5)

extortion (S87.1)

fraud and forgery (S87.2)

attempting, aiding or abetting the above (S88).

(The S number indicates the corresponding section in the ECT act).

From the definitions of cybercrime, it is clear that most attacks focus on gaining unauthorised

access to commit the crime. Typical examples of attacks are system penetrations for theft of

proprietary information, malicious code (virus or worms), web page defacements, domain name

hijacking, transmission of child-pornography, denial of service attacks and financial fraud, cyber-

squatting, cyber-stalking, cyber-terrorism, information warfare, discrimination and harassment,

insider trading and copyright violations (Casey, 2011). Cyberwarfare occurs when a state or nation is responsible for an attack on a business, governmental or public sector enterprise, the Stuxnet attack being an example. Cybercrimes are not necessarily new crimes but are very similar to conventional crimes committed outside the cyber arena, the main difference being that the criminal uses a computer or digital device to commit the crime or to launch an attack on another digital device.

2.6.2 Cybercriminals

Typical cybercriminals can be anyone, for example a disgruntled employee, intentional insider,

temporary employee, vendor, partner, intentional outsider, hacker, cracker, malicious code

writer, fraudster, unscrupulous competitor, terrorist, organised crime syndicate, disgruntled

customer, bored teenager or person engaged in industrial espionage.

The cybercriminal normally utilises attack tools to conduct attacks, examples of which are:

war diallers (software to dial all possible numbers to gain access to remote access

servers)

war driving (physically driving around looking for non-secure wireless networks)

password crackers (software to crack passwords), sniffing tools (software to capture network traffic and search it for specific data patterns)

key-loggers (technology to record all keystrokes), e-mail capture, Trojan horses (hidden

malicious code)

dumpster diving (physical examination of dustbins)

social engineering techniques (luring people to leak relevant information) and software

tools.

The next section will discuss types of attack used by cybercriminals.

2.6.3 Types of attacks

The 2006 CSI/FBI survey (Gordon, Loeb, Lucyshyn & Richardson, 2006), the 2007 CSI survey (Richardson, 2007) and the 2008 - 2011 CSI surveys (Richardson, 2008; Richardson, 2012) indicate that cybercrime is increasing and costs organisations vast sums of money. The average loss per respondent was $168 000 in 2006, $350 000 in 2007 and $288 618 in 2008 (Richardson, 2008). Types of attack reported included viruses; laptop or mobile theft; insider abuse of Internet access; unauthorised access to information; theft of proprietary information; financial fraud; telecommunication fraud; and phishing.

Cybercrime is a definite threat to the so-called ‘Information Society’, with various new types

having surfaced as the need for information is increasing with the development of the Internet

and associated applications. New risks are typically spam, spoofing, phishing, adware, spyware

and misleading applications (Pieterse, 2006; Turner, Entwisle & Denesiuk, 2007).

Whenever a cybercrime is committed or a threat materialises as an attack, it is declared an incident. Organisations must have a formal investigation protocol in place to ensure that the incident can be contained and successfully investigated. The forensic investigation should interact seamlessly with the IR, business continuity and disaster recovery plans and with the audit and legal divisions of the organisation.

Courts and internal investigations now require not only document-based evidence but also digital

or electronic-based evidence. Criminal investigations require solid, well-documented, acceptable

procedures and relevant, admissible evidence. DF tools and procedures should be able to

identify, extract, process and document accurate digital evidence. The next section will define

and briefly discuss digital evidence to provide a context for the thesis.

2.7 DIGITAL EVIDENCE

Good evidence is a business enabler, which organisations require to prove due diligence with respect

to corporate governance and to investigate and manage internal and external incidents (ISACA, 2004). Internal and external forensic investigations hinge on it. Evidence in itself is not absolute but

is only valuable when it is used to establish the truth about a particular incident. The next section

uses the literature studied to propose a definition for digital evidence, types of digital evidence, and

characteristics of good evidence, and then proposes a new definition for comprehensive digital

evidence.

2.7.1 Definition of digital evidence

Chawki (2004) defines evidence as ‘something that tends to establish or disprove a fact. It can

include documents, testimony, and other objects’.

There are various types of evidence. The Scientific Working Group on Digital Evidence

(SWGDE/IOCE) standards classify evidence into three main categories: digital evidence, physical

evidence and data objects (SWGDE & IOCE, 2000):

Category 1: Digital evidence, e.g., e-mail messages, logging data, backups, forensically

recovered data and eavesdropped data (traffic and content) where the data is stored or

transmitted in electronic or magnetic form. Subtypes are:

Original digital evidence, for example files stored on a CD: physical items and the

data objects associated with such items at the time of acquisition or seizure (SWGDE

& IOCE, 2000).

Duplicate digital evidence, e.g., scanned document or backup copy of a file: an

accurate digital reproduction of all data objects contained on an original physical

item (SWGDE & IOCE, 2000).

Copy, for example of an encrypted MS Word® document: an accurate reproduction

of information contained on an original physical item, independent of the original

physical item (SWGDE & IOCE, 2000).

Live evidence, e.g., register content, swap files or RAM content of a specific target

machine (SWGDE & IOCE, 2000).

Category 2: Physical evidence, for example flash drives, where the digital information is

stored, or transmitted through a physical media (SWGDE & IOCE, 2000).

Category 3: Data objects, e.g., metadata, directory data, and configuration data where

the information is linked to physical items or digital evidence (SWGDE & IOCE, 2000).

From a legal perspective, various types of evidence exist. Chawki (2004) has identified three

categories:


Category 1: Real or physical evidence, which consists of tangible objects.

Category 2: Testimonial evidence, where the testimony of a witness can be given during

a trial, based on a personal observation or experience.

Category 3: Circumstantial evidence, which is based on a remark, or observation of

realities that tends to support a conclusion, but not to prove it.

Casey (2004; 2011) adds the following legal category:

Category 4: Hearsay evidence, in which a statement in court repeats a statement made out of court in order to prove the truth of the content of the out-of-court statement. Similarly, evidence in a document is hearsay if the document is produced to prove statements in court.

Other categories of evidence are:

Technical evidence: In which a forensic technician has carried out some procedures on

original or real evidence and has produced results. This evidence is not expert evidence

but can be viewed as opinion evidence (Sommer, 2005).

Expert evidence: The opinion of someone who is an expert in the particular field or

conclusions of the expert after an investigation (Sommer, 2005).

Derived evidence: For example, a chart or video, created from primary evidence to

illustrate how conclusions were drawn.

During the analysis phase of an investigation, digital evidence is categorised as:

Inculpatory evidence: Evidence that supports the theory.

Exculpatory evidence: Evidence that contradicts the theory.

Evidence of tampering: Evidence not related to the theory but indicating that the system

has been tampered with to avoid identification (Carrier, 2003b; Rowlingson, 2004).

For the purpose of this thesis, we will consider evidence to be digital evidence (includes static,

legacy and live digital evidence; and data objects) and physical evidence. Figure 2-2 (below) is a

graphical representation of evidence as used in the thesis.

Figure 2-2. Graphical representation of evidence (by author)


Various definitions of digital evidence exist in the literature:

Carrier and Spafford (2005) define digital evidence of an incident ‘as digital data that contain reliable information that support or refute a hypothesis about the incident being investigated’.

SWGDE and IOCE (2000) define digital evidence ‘as any information of probative value that is either stored or transmitted in a binary form’. This field includes not only computers in the traditional sense but also digital audio and video.

Casey (2004) defines digital evidence ‘as evidence that encompasses any and all digital data that can establish that a crime has been committed, or can provide a link between a crime and its perpetrator’.

After considering the above-mentioned definitions, we propose the following definition:

Digital evidence is any data stored or transmitted using a digital device that tends to establish or disprove a fact (Chawki, 2004). The data stored or transmitted:

should be reliable information that supports or refutes a hypothesis and

can establish that a crime has been committed (Casey, 2004) or

can provide a link between a crime and its perpetrator (Casey, 2004).

The proposed definition requires that evidence must be ‘good’ and reliable. The next section discusses characteristics for reliable or good digital evidence.

2.7.2 Characteristics of ‘good’ evidence

Various factors can determine the value, applicability, admissibility, and trustworthiness of evidence. Digital evidence can easily be contaminated or compromised when handled incorrectly. Failure to produce relevant and admissible evidence very often leads to financial losses and failed investigations (Sommer, 2005).

There are specific requirements for digital evidence to be admissible in a court of law. Various countries and judiciaries have different requirements. The Electronic Communications and Transactions Act of South Africa (ECT) (2002) prescribes the following requirements for determining the admissibility of a digital document or evidence in a court of law:

the reliability of the manner in which the record was communicated and stored

how the integrity of the data was maintained

the manner in which the originator / author of the record is identified

determination of whether the evidence was legally obtained.
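As an added example (not code from the thesis or from any tool it cites), the following Python record shows how the four ECT questions above, the SWGDE sub-types of digital evidence, and the chain of custody discussed in this section can all be answered from data captured at acquisition: a content hash taken when the item is acquired, and a hash-linked custody log in which later alteration of either the item or the log itself becomes detectable. All class and field names, the authorisation reference and the sample log line are constructed for this example; demo() returns the admissibility report for one constructed acquisition and hand-over.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# SWGDE/IOCE sub-types of digital evidence, as categorised above.
CATEGORIES = ("original", "duplicate", "copy", "live")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    """One chain-of-custody entry. 'prev' carries the hash of the entry before it,
    so editing, deleting or reordering an earlier entry breaks every later hash."""
    action: str       # acquired / transferred
    custodian: str    # person holding the item after this action
    authority: str    # reference to the warrant or written authorisation (constructed)
    timestamp: str    # ISO 8601, UTC
    item_hash: str    # SHA-256 of the evidence content at this event
    prev: str         # event_hash of the previous entry, '' for the first
    event_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("event_hash")          # the hash covers every other field
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class EvidenceRecord:
    """An evidence item, its acquisition hash and an append-only custody log."""

    def __init__(self, item_id, category, medium, content, custodian,
                 authority, when=None):
        if category not in CATEGORIES:
            raise ValueError(f"unknown SWGDE category: {category}")
        self.item_id = item_id
        self.category = category
        self.medium = medium            # manner in which the record is stored
        self.acquisition_hash = sha256_hex(content)
        self.events = []
        self._append("acquired", custodian, authority, content, when)

    def _append(self, action, custodian, authority, content, when):
        event = CustodyEvent(
            action=action, custodian=custodian, authority=authority,
            timestamp=when or datetime.now(timezone.utc).isoformat(),
            item_hash=sha256_hex(content),
            prev=self.events[-1].event_hash if self.events else "",
        )
        event.event_hash = event.compute_hash()
        self.events.append(event)
        return event

    def transfer(self, to_custodian, authority, content, when=None):
        """Record a hand-over; content is re-hashed so a change in transit shows."""
        return self._append("transferred", to_custodian, authority, content, when)

    def verify_content(self, content: bytes) -> bool:
        """Integrity check: does the item still match what was acquired?"""
        return sha256_hex(content) == self.acquisition_hash

    def verify_chain(self) -> bool:
        """True only if no log entry was altered, removed or reordered and the
        content hash was unchanged at every hand-over."""
        prev = ""
        for event in self.events:
            if event.prev != prev or event.event_hash != event.compute_hash():
                return False            # the log itself has been tampered with
            if event.item_hash != self.acquisition_hash:
                return False            # the item changed between hand-overs
            prev = event.event_hash
        return True

    def admissibility_report(self) -> dict:
        """The four ECT questions, answered from the record."""
        return {
            "stored_as": f"{self.category} on {self.medium}",
            "integrity_maintained": self.verify_chain(),
            "originator": self.events[0].custodian,
            "obtained_under": self.events[0].authority,
        }


def duplicate_is_accurate(original: bytes, duplicate: bytes) -> bool:
    """SWGDE 'duplicate digital evidence' must reproduce every data object."""
    return sha256_hex(original) == sha256_hex(duplicate)


# Constructed sample: one transaction log line imaged from a server.
SAMPLE_LOG = b"2011-11-01T09:15:00Z user=jsmith action=transfer amount=9800\n"


def demo() -> dict:
    """Acquire a disk image, hand it over once and return the report."""
    record = EvidenceRecord("EV-001", "duplicate", "write-blocked disk image",
                            SAMPLE_LOG, "Analyst A", "AUTH-2011-42",
                            when="2011-11-01T10:00:00+00:00")
    record.transfer("Analyst B", "AUTH-2011-42", SAMPLE_LOG,
                    when="2011-11-02T08:00:00+00:00")
    return record.admissibility_report()
```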

Not all the information stored is necessarily useful evidence. DF tools can retrieve the evidence

required in a legally acceptable format, admissible in a court of law, and provide a chain of

evidence and custody. We propose a new term to encapsulate the requirements of ‘good’ evidence:

Comprehensive digital evidence (CDE) is digital evidence that will have evidentiary weight in a court of law and that contains all the evidence necessary (relevant and sufficient) to establish a fact or disprove a claim (by author).

Investigators will use CDE to determine the root cause of the incident, link the attacker to the incident and lead to a successful prosecution of the perpetrator.

An increasing number of commercial organisations, law enforcement agencies, military and government agencies and data recovery teams have a need for DF tools and technology. Each of the mentioned entities has a different purpose for the application of DF. DF tools and technology are normally used to acquire evidence. Evidence is becoming a business enabler.

DF investigators normally compile an investigation framework to conduct an investigation or to acquire relevant evidence by using published best practices. The success of an investigation can be determined by the use of acceptable DF tools and procedures. It may be necessary to use multiple tools to confirm the accuracy of the results obtained with any one tool. The next section will discuss the concept of our CDF capability.

2.8 COMPREHENSIVE DIGITAL FORENSIC CAPABILITY

Most of the researched DF frameworks consider three areas or components:

Component 1: Preparation to ensure DF readiness

Component 2: Live evidence acquisition

Component 3: Reactive forensic investigation


(Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey,

2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004).

We have identified three areas in the case study as discussed in par. 2.3.1:

The CCTV camera and gate access records are examples of proactive collection of

evidence and structuring of procedures (access control at gate) - PROACTIVE

Eyewitnesses and CCTV footage are examples of live evidence gathering - ACTIVE.

The actual investigation of the incident followed, using the evidence that is in place from

the proactive gathering and live sources - REACTIVE.

Note to reader:

We propose that our comprehensive DF (CDF) capability consists of three components:

Proactive DF (ProDF) component prepares organisations for DF investigations and ensures that digital evidence availability and forensically sound processes exist before an incident.

Reactive DF (ReDF) component investigates the incident after an incident has

occurred.

Active DF (ActDF) component gathers live or additional evidence during an on-going

incident.

Figure 2-3 (below) is a graphical representation of our CDF capability.

Figure 2-3. Graphical representation of our comprehensive DF capability (by author)

The identification and definition of the individual components are essential for the formulation of our CDF capability. The next section discusses each component of our CDF capability and provides an initial definition for each component.

2.8.1 Reactive DF (ReDF) component

Most of the researched DF frameworks are reactive and focus on the DF investigation after an incident has occurred. The frameworks involve the use of specified analytical and investigative techniques to acquire evidence, analyse the evidence, establish the root cause of an incident, and to present the evidence in court. ReDF investigations are often referred to as ‘dead’ forensics or conducting a ‘post-mortem’ (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004).

We used the definitions of the DF research workshop, Kruse & Heiser (2004), Reith et al. (2002), Palmer (2001) and Rowlingson (2004) to compile the following definition for Reactive DF (ReDF):

ReDF is an application of analytical and investigative tools and techniques for the preservation, identification, extraction, documentation, analysis and interpretation of digital media for evidentiary and/or root-cause analysis and the presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of incidents.

ReDF will be discussed in more detail in Chapters 3 and 5 of the thesis.

2.8.2 Proactive DF (ProDF) component

ProDF will prepare organisations for investigations or make them DF-ready. It is essential to determine the evidence required before an incident occurs and to have the evidence available in an acceptable and admissible format. For example, applicable transaction and network logs should be available when investigating a fraudulent transaction or to prove compliance.

DF readiness as discussed in literature ensures that organisations have the ability to maximise their potential to use digital evidence whilst minimising the costs of an investigation (Rowlingson, 2004). DF readiness concentrates on readiness for post-incident investigations. However, the driving factors (par. 2.5) demonstrate why organisations need to ensure evidence availability and forensically sound processes (par. 2.5.3) in order to:

investigate incidents, fraud or employee behaviour

assess effectiveness and efficiency of controls or procedures

measure compliance

use DF tools for non-investigative purposes to improve IT governance structures

assess the security posture of the organisation.

DF readiness as discussed in literature partially addresses the first point above. The proposed ProDF component will enable an organisation to become DF-ready and use DF tools and technologies to acquire evidence to demonstrate good Corporate and IT Governance.

Note to reader:

In this thesis, we claim that Proactive DF is more complete than DF readiness. In general,

DF readiness concentrates on preparation of infrastructure, people, technology, and the

availability of digital evidence. The frameworks and viewpoints researched do not consider

the application of DF tools for non-investigative purposes, for example to enhance

governance structures (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Bradford

et al., 2007; Carrier & Spafford, 2003; Casey, 2004; Ieong, 2006; Louwrens et al., 2006b;

O'Ciardhuain, 2004; Rowlingson, 2004).

We propose the following initial definition for Proactive DF (ProDF):

ProDF is the forensic preparation of an organisation to ensure successful, cost-effective investigations, with minimal disruption to business activities, and the use of DF to establish and manage governance programmes.

Note to reader:

It is clear that ProDF will require that sufficient forensically sound processes, procedures, technologies and operational infrastructure, trained staff and relevant admissible digital evidence be in place to enable a successful investigation, with minimal disruption to business activities, and the use of DF technology to enhance the security posture of the organisation and ensure good corporate governance.

ProDF will require that the legal authority be determined to clearly define the role and responsibility of an expert witness. Wikipedia (2012a) defines “An expert witness, professional witness or judicial expert [as] a witness, who by virtue of education, training, skill, or experience, is believed to have expertise and specialised knowledge in a particular subject beyond that of the average person, sufficient that others may officially and legally rely upon the witness's specialized (scientific, technical or other) opinion about an evidence or fact issue within the scope of his expertise, referred to as the expert opinion, as an assistance to the fact-finder. Expert witnesses may also deliver expert evidence about facts from the domain of their expertise. At times, their testimony may be rebutted with a learned treatise, sometimes to the detriment of their reputations”. ProDF will be discussed in more detail in Chapter 4 of the thesis.

2.8.3 Active DF (ActDF) component

It is not possible to be 100% prepared for all incidents, and there is a need to be able to

investigate a new or on-going incident. An on-going incident is one that is in progress or is

happening in real time, a typical example being a phishing attack on an organisation or a person

accessing unauthorised information on a company network. The incident detection component of

the IRP will play its role. The need to acquire live evidence will activate the ActDF component to

gather live evidence and compile a solid evidence base or platform for a ReDF investigation to

continue. A new, unknown, or specific incident can trigger the ActDF component, which must

integrate seamlessly with the IRP of the organisation. We propose the following initial definition for Active DF (ActDF):

ActDF is the ability of an organisation to gather relevant digital evidence whilst minimising the effect of the incident during an on-going incident to facilitate a successful investigation.

We will discuss ActDF in detail in Chapter 6. The three components of our CDF capability cannot exist in isolation, as there is a relationship between them. The next section discusses the relationship.

2.8.4 Potential relationship between the components of a CDF capability

An incident alert will activate a forensic investigation, and will be the catalyst between the components of our CDF capability:

ProDF will be concentrating on pre-incident activities, for example evidence identification, process structuring, employee education and assessment of controls

ActDF will deal with the gathering of ‘live’ digital evidence during on-going incidents

ReDF will deal with the actual post-incident investigations.

There is an interaction between ActDF and ReDF as live evidence gathering is part of the ReDF evidence acquisition protocol. Once the ActDF component has acquired the ‘live’ digital evidence, the ReDF component will continue with the investigation. Figure 2-4 (below) is a graphical representation of the expected relationship. We will investigate this relationship in the next three chapters.

The ProDF component adds a different slant to the application of DF in an organisation, as it looks at the structuring of processes, internal systems and potentially the evaluation of controls to prove due diligence and demonstrate good corporate governance.

The discussion above and the drivers for DF as identified in par. 2.5 demonstrate the shift in

application of DF tools and technologies. Stephenson has identified the following two directions.

DF can:

be used to determine the root cause that permitted the incident (Stephenson, 2002)

focus upon legal and law enforcement aspects of an incident (Stephenson, 2002).

We add the following two additional directions to DF:

ensure that relevant, adequate evidence, processes and procedures exist that are legally

admissible and acceptable to ensure cost-effective investigations (Rowlingson, 2004;

Sommer, 2005).

enable an organisation to demonstrate due diligence with respect to good corporate (IT)

governance by ensuring the availability of ‘good’ evidence to assess the effectiveness and

efficiency of controls (Hilley, 2006).

Figure 2-4. Relationship between components of CDF capability (by author)

2.9 SUMMARY

This chapter has provided a background to DF by defining it and briefly discussing the difference between computer forensics and DF. By referring to cybercrime and new developments in security threats, it showed that DF is becoming increasingly important for governments, organisations and individuals, as the evidence needed for compliance, investigations and assessment is increasing. To provide definitions for the remainder of the thesis, the chapter briefly discussed cybercrime, digital evidence and digital evidence requirements. Due to the importance of the admissibility and quality of digital evidence, we proposed a new definition for CDE (comprehensive digital evidence). DF is no longer a reactive discipline and the last section proposed the concept of our CDF capability that consists of ProDF, ActDF and ReDF. The next chapter will investigate conventional DF frameworks.

CHAPTER 3

CONVENTIONAL APPROACH TO DIGITAL FORENSICS

3.1 INTRODUCTION

The way that digital forensic investigations and incident responses are handled is very important, as

it will determine the success of an investigation. Various frameworks exist to guide investigators to

solve cybercrime cases where computers and digital media have been involved. From the literature

studied, most of the traditional frameworks concentrate on the investigation after an incident has

occurred (ReDF) with limited reference to ‘live investigations’ (ActDF) and the preparation of

organisations for DF (ProDF).

From the literature studied, we have identified two types of framework:

Process frameworks: (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier &

Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain,

2004)

A role-based framework (Ieong, 2006).

The process frameworks follow a ‘waterfall approach’ with typical phases of preparation, acquisition,

analysis, reconstruction, and presentation of the findings. There may be iterations between the

phases to gather more evidence to support the hypothesis. Ieong (2006) has proposed a holistic

role-based legal framework that concentrates on the legal environment and the different people

who should perform certain tasks.

This chapter discusses and compares various process frameworks, using the comparison to identify a

comprehensive set of phases with associated steps needed to formulate our CDF capability. During

the discussion and comparison of the various frameworks, it will identify the phases and steps in

terms of the proposed components of our CDF capability: ReDF, ActDF, and ProDF. The last section

discusses the role-based framework of Ieong (2006) and compares it to the process framework to

identify potential gaps and essential aspects that should be included in the formulation of our CDF

capability, or other aspects to consider in the formulation of the implementation and management DF framework (DFMF). This chapter is the cornerstone of the thesis as it provides a comprehensive

literature review of selected DF frameworks. The first version of our CDF capability derived from the

comparisons to be made in the chapter becomes the starting point for formulating each component

of the CDF capability. Figure 3-1 (below) depicts the role of this chapter within the overall thesis.

3.2 AIM AND STRUCTURE OF THIS CHAPTER

The aim of the chapter is to investigate current DF frameworks by:

discussing the identified process frameworks and identifying phases and steps inherent in

ProDF, ActDF and ReDF (par. 3.3) for the formulation of our CDF capability.

comparing the various composite process frameworks (par. 3.4) to establish the phases and

steps of our CDF capability.

proposing an initial draft of our CDF capability (par. 3.5).

discussing a role-based framework (par. 3.6).

comparing the role-based framework with the comprehensive process framework (par. 3.7).

The comparison will identify potential gaps in the phases and steps of our CDF capability.

Note to reader:

We have included a fold-out at the end of the chapter - par. 3.9, p. 3-91 to use as a map to

guide the reader. We suggest that this page be folded out at this stage to provide

context. It is also advised that it be referred to continuously to ensure that the context is

preserved.

Figure 3-1. Role of the chapter in the thesis

[Figure: Part 1: Background (Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF); Part 2: Construction of DFMF (Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF)); Part 3: Conclusion]


The next section will discuss process-oriented frameworks.

3.3 PROCESS-ORIENTED FRAMEWORKS

When an incident occurs, there are various courses of action that can be taken. The type of

organisation will determine the response to the incident:

Law enforcement will secure the crime scene as soon as possible and acquire potential

evidence.

Military operations and critical infrastructures will perform a risk identification and

elimination exercise as soon as possible, to enable speedy recovery and possible offensive

measures.

Business will try to contain the incident to minimise financial losses, restore systems as soon

as possible, and perform root cause analysis to determine the cause of the incident.

Most of the conventional process-oriented DF frameworks follow a linear (waterfall) approach

consisting of consecutive steps. The result of one step normally serves as the input to the next step.

Iteration structures exist between steps to enable the investigator to review and gather more

evidence that is relevant from a previous step, if required. Typical process framework steps are to

detect the incident, identify and acquire the evidence, analyse the acquired evidence, reconstruct

the incident and present the findings (Figure 3-2, below).

Figure 3-2 Typical process framework (by author)

A general trend in the development of DF frameworks is to use phases and steps of existing frameworks to propose a new, improved composite framework, for example the framework of Séamus Ó Ciardhuáin (2004), who has used those of Lee (2001), Palmer (2001) and Reith et al. (2002) to propose his.

The next section provides a brief overview of the following seven composite frameworks:

Ó Ciardhuáin (2004), par. 3.3.1

Carrier and Spafford (2003), par. 3.3.2


Baryamureeba and Tushabe (2004), par. 3.3.3

Beebe and Clark (2005), par. 3.3.4

Louwrens et al (2006b), par. 3.3.5

Casey (2004), par. 3.3.6

Forrester and Irwin (2007), par. 3.3.7.

Note to reader:

We will apply the various definitions of ProDF, ActDF and ReDF as defined in Chapter 2 (par. 2.8.1 - 2.8.3) to identify phases and steps for the formulation of each component of our CDF. The proposed components are ProDF, which prepares organisations for the use of DF tools and technologies to ensure evidence availability and forensically sound processes; ReDF, the traditional DF investigation after an incident; and ActDF, which focuses on live evidence acquisition and analysis.

We will use tags to identify the phase or step that inherently belongs to a component. We will use

(REACTIVE) as a ReDF tag, and / or (PROACTIVE) as a ProDF tag and / or (ACTIVE) as an ActDF tag

when discussing the various frameworks.

3.3.1 FRAMEWORK 1: Ó Ciardhuáin (2004)

Séamus Ó Ciardhuáin has proposed an extended framework for cybercrime investigations, which provides a reference framework to support the development of tools, techniques, and training. The framework concentrates on information flow during an investigation. Ó Ciardhuáin has compared the frameworks of Lee (2001), Palmer (2001) and Reith et al. (2002) to propose his framework. Most of these frameworks concentrate on the investigation and not on information flows through an investigation. The framework concentrates on the post-incident investigation, and proposes the following 13 steps:

3.3.1.1 Step 1: Awareness - Create awareness that an investigation is needed. (REACTIVE)

3.3.1.2 Step 2: Authorisation - Obtain authorisation from internal and external parties to

conduct the investigation. (REACTIVE)

3.3.1.3 Step 3: Planning – Determine the internal and external requirements (e.g., regulatory or

legal). (REACTIVE)


3.3.1.4 Step 4: Notification - Notify concerned parties that an investigation is taking place. This

activity may not be appropriate if the possibility of destruction of evidence exists.

(REACTIVE)

3.3.1.5 Step 5: Search for and identification of evidence - Locate the source of evidence internally

and externally. (REACTIVE)

3.3.1.6 Step 6: Collection of evidence - Collection and preservation of evidence is a systematic

and legally acceptable process. (REACTIVE)

3.3.1.7 Step 7: Transport of evidence - Ensure that the way that evidence is transported will not

compromise its integrity. (REACTIVE)

3.3.1.8 Step 8: Storage of evidence - Preserve the integrity of the evidence. (REACTIVE)

3.3.1.9 Step 9: Examination of evidence - Use of acceptable tools and techniques to examine the

evidence. (REACTIVE)

3.3.1.10 Step 10: Formulate a hypothesis - Investigators formulate a hypothesis based on

evidence gathered. (REACTIVE)

3.3.1.11 Step 11: Presentation of hypothesis - Presentation of the hypothesis to relevant internal and/or external parties will determine the course of action to be taken. (REACTIVE)

3.3.1.12 Step 12: Proof / defence of hypothesis - Investigator needs to prove the hypothesis.

(REACTIVE)

3.3.1.13 Step 13: Dissemination of information - Disseminate the report / result of the

investigation to the relevant parties. (REACTIVE)

This framework proposes that an investigation will proceed in a waterfall fashion. There may be situations in which feedback loops exist between various steps of an investigation. The framework concentrates on information flow from one step to the next.

The framework also identifies the information flows to and from other parts of the organisation

that can have an impact on the investigation. This framework identifies the need to revise

organisational policies and consider the regulatory and legal requirements.

Note to reader:

The framework of Ó Ciardhuáin includes extra activities that were not included in the supporting models, as well as the concept of information flows. The framework is still at an abstract level and will have to be applied in the context of the organisation. The framework identifies the need to revise organisational policies and the influence of legal and regulatory requirements.


3.3.2 FRAMEWORK 2: Carrier and Spafford (2003)

The framework of Carrier and Spafford used the following frameworks as a starting point: the IR process framework, the DOJ crime scene investigation guide (Nolan, O'Sullivan, Branson & Waits, 2001), the US Air Force framework and physical crime scene investigation (Carrier & Spafford, 2003). This framework treats the physical computer as the primary crime scene and applies the physical crime scene investigation techniques first. The digital crime scene is secondary to the physical scene, which will allow one to link the person to the digital crime. Carrier et al. (2003) introduced the following terms:

- Physical evidence is evidence that can establish that a crime has been committed, provide a link between the crime and the victim, or provide a link between the crime and the perpetrator, for example a hard disk, PDA, flash drive or cell phone.

- Digital evidence is digital data that can establish that a crime has been committed or can provide a link between a crime and the perpetrator, for example data in memory, on a hard disk or in a cell phone linked to the suspect or crime.

- Physical crime scene is the physical environment in which the physical evidence of a crime or incident exists. The environment in which the crime or incident originated will be the primary crime scene and all subsequent scenes will be secondary (Carrier & Spafford, 2003; Lee et al., 2001). The size of this scene is determined by natural boundaries.

- Digital crime scene is the virtual environment created by hardware and software where digital evidence of a crime exists. The environment where the first criminal act occurs is the primary scene and all subsequent scenes will be secondary.

The integrated digital investigation framework of Carrier and Spafford (2003) organises the process into five groups:

3.3.2.1 GROUP 1: Readiness (Entire group is PROACTIVE)

3.3.2.1.1 Operational readiness refers to a fully trained human capacity.

3.3.2.1.2 Infrastructure readiness will ensure that evidence is available by employing the relevant hardware and software to capture the data.


3.3.2.2 GROUP 2: Deployment

3.3.2.2.1 Detection and notification phase will detect the incident and notify the relevant party. (REACTIVE)

3.3.2.2.2 Confirmation and authorisation phase will confirm the incident and obtain the required legal authorisation to continue with the investigation. (REACTIVE)

3.3.2.2.3 Sometimes it will be necessary to analyse the live system and to verify that an incident has occurred. It is then essential to acquire the relevant evidence, e.g., rootkits or suspicious network activities. (ACTIVE)

3.3.2.2.4 It is essential to contain the incident and minimise its impact on the system. (REACTIVE)

3.3.2.3 GROUP 3: Physical crime scene investigation

3.3.2.3.1 Preservation phase - Preserve the physical crime scene. (REACTIVE)

3.3.2.3.2 Survey phase - The investigator walks through the crime scene and identifies potential evidence. (REACTIVE)

3.3.2.3.3 Documentation phase - Taking photographs, sketches and videos of the crime scene and physical evidence. (REACTIVE)

3.3.2.3.4 Search and collection phase - An in-depth search of the scene and collection of evidence to obtain as much as possible prior to the digital investigation. This can include the collection of live evidence. (REACTIVE), (ACTIVE)

3.3.2.3.5 Reconstruction phase - Organising the results from the analysis conducted so far and developing a theory for the incident. (REACTIVE)

3.3.2.3.6 Presentation phase - Present the physical and digital evidence in a court of law or to corporate management. (REACTIVE)

3.3.2.4 GROUP 4: Digital crime scene investigation (Entire group is REACTIVE)

3.3.2.4.1 Preservation phase - Preserves the digital crime scene so that evidence will be preserved.

3.3.2.4.2 Survey phase - The investigator transfers all relevant data from the controlled venue to a controlled location for investigation.

3.3.2.4.3 Documentation phase - Documents the evidence as it is found.

3.3.2.4.4 Search and collection phase - In-depth analysis of evidence by the use of software tools. The investigator should reveal hidden, deleted, swapped and corrupted files that were used, including the metadata. Low-level time-lining can be performed to trace the user activity.

3.3.2.4.5 Reconstruction phase - Uses all the evidence to develop an investigative hypothesis.


3.3.2.4.6 Presentation phase - Presents the digital evidence found to the investigative team.

3.3.2.5 GROUP 5: Review – The investigator should review results to identify areas of improvement. The result could, for example, be new policies and procedures or additional training. (REACTIVE)

Note to reader:

This framework illustrates that DF is broader than evidence collection as it deals with event reconstruction. It also describes the interaction between the physical and digital investigations should an incident occur. The framework allows for the collection of data from a ‘live’ system, but considers it as physical evidence.

The physical scene of the incident or crime acts as the central focus of the investigation. The digital investigation results feed into the physical investigation results. This is a potential problem as not all physical crime scenes are accessible, for example, if a crime was committed over the Internet, in which case potentially no real physical crime scene exists.

The framework includes readiness, which is part of ProDF. The collection of ‘live evidence’ can be included in the ActDF component. These will be taken into consideration in Chapter 6.

3.3.3 FRAMEWORK 3: Baryamureeba and Tushabe (2004)

This framework is known as the ‘Enhanced Digital Investigation’ process framework. The authors have considered the following frameworks: Electronic crime scene investigation - A guide to first responders of the National Institute of Justice (Nolan et al., 2001), the framework of Reith et al. (2002) and Carrier and Spafford (2003).

It is essential to define a physical crime scene and a digital crime scene investigation:

- The physical crime scene is defined as the physical environment where physical evidence of a crime or incident exists.

- A digital crime scene is defined as the virtual environment created by hardware and software where evidence of a digital crime or incident exists.


Baryamureeba and Tushabe (2004) distinguish between physical and digital crime scene investigations. The framework that Baryamureeba proposes has five phases:

3.3.3.1 PHASE 1: Readiness phase (two steps) (Entire phase is PROACTIVE)

3.3.3.1.1 Step 1: Operations readiness - ensure that human capacity is fully trained and equipped to deal with an incident.

3.3.3.1.2 Step 2: Infrastructure readiness - ensure that infrastructure is adequate and sufficient to deal with incidents to come.

3.3.3.2 PHASE 2: Deployment phase (five steps) (Entire phase is REACTIVE)

Provide a mechanism for an incident to be detected and confirmed. This can be done at the place where the crime was committed (five steps):

3.3.3.2.1 Step 1: Detection and notification.

3.3.3.2.2 Step 2: Physical crime scene investigation and identification of potential digital evidence. The physical crime scene investigation has five sub-steps:

- Preservation - preservation of the physical scene so that evidence can later be identified and collected by trained personnel. It will also involve identifying, removing and separating witnesses from the crime scene.

- Survey - the investigator walks through the crime scene, identifies potential pieces of physical and potential evidence, determines the extent of the search, develops a preliminary theory and documents a narrative.

- Documentation - capture as much information as possible by using, for example, videos and photographs so that the details of the crime scene are preserved.

- Search and collect - in-depth search of the scene to identify additional evidence and allow the digital investigation to begin.

- Presentation - all identified digital evidence is transported and delivered to the digital investigation team.

3.3.3.2.3 Step 3: Digital crime scene investigation - an electronic examination of the scene, in which digital evidence is obtained together with the possible extent of the damage. A digital crime scene investigation has four sub-steps:

- Preservation - preserve the digital crime scene so that evidence can be synchronised. Make forensic copies of the evidence.

- Survey - identify potential evidence from the imaged data set.


- Search and collection - an in-depth analysis of digital evidence using software tools, fusion, correlation, graphing, mapping and time-lining of data to develop various investigative hypotheses.

- Documentation - document the digital evidence as it is found.

3.3.3.2.4 Step 4: Confirmation - the incident is confirmed and authorisation has been obtained from regulatory and legal authorities.

3.3.3.2.5 Step 5: Submission - presenting physical and digital evidence to legal entities or corporate management.

3.3.3.3 PHASE 3: Trace-back phase (two steps) (Entire phase is REACTIVE)

During this phase, the perpetrator’s physical crime scene of operations is tracked down, leading to the identification of the devices used to perform the act.

3.3.3.3.1 Step 1: Digital crime scene investigation – use clues from the previous phases to identify the primary crime scene.

3.3.3.3.2 Step 2: Authorisation phase - obtain authorisation from local authorities to permit further investigations.

3.3.3.4 PHASE 4: Dynamite phase (four steps) (Entire phase is REACTIVE)

The aim of this phase is to investigate the primary crime scene, as well as to collect and analyse items found at the primary crime scene to obtain further evidence that the crime originated there. It will help to identify potential perpetrators.

3.3.3.4.1 Step 1: Physical crime scene investigation

3.3.3.4.2 Step 2: Digital crime scene investigation

3.3.3.4.3 Step 3: Reconstruction

3.3.3.4.4 Step 4: Communication - present to a court of law or corporate management the final interpretations and conclusions about the physical and digital evidence that has been investigated.

3.3.3.5 PHASE 5: Review phase (REACTIVE)

The aim of this phase is to review the result of the investigation and apply lessons learned.

This framework proposes an iterative process that will consider the primary and secondary crime scenes.


Note to reader:

This framework makes a clear distinction between the physical and digital crime scenes, but provides clear guidelines to merge the digital and physical investigation. This will ensure that all aspects of the investigation are covered.

A problem within the framework is that there must be a physical crime scene before a digital investigation can be concluded (see Trace-back phase). A further constraint is that all digital evidence must be collected from the physical crime scene and transported to the DF investigation laboratory to be investigated; however, this is not always feasible or possible.

The definition of the physical crime scene can pose a problem when an attack is launched from a remote location, for example over the Internet. The legislative requirements of the particular countries involved must be abided by.

The framework includes readiness as a component of ProDF. These will be taken into consideration in Chapter 6. ActDF is not considered as the framework concentrates mainly on post-incident investigations.

3.3.4 FRAMEWORK 4: Beebe and Clark (2005)

Beebe and Clark propose a hierarchical objectives-based framework for the digital investigative process. They have used the frameworks of Palmer (2001), DOJ (Nolan et al., 2001), Reith et al. (2002), Carrier and Spafford (2003) and Beebe and Clark (2005). This hierarchical framework consists of six high-level phases with sub-phases, each of which has principles and objectives. The phases and sub-phases are distinct, discrete steps in the process that are normally performed in sequence. The framework considers the following six first-tier phases:

3.3.4.1 PHASE 1: Preparation phase (Entire phase is PROACTIVE)

Keep in mind steps to maximise digital evidence availability in support of deterrence, detection, investigation, and prosecution related to security incidents:

3.3.4.1.1 Assess the risk by considering vulnerabilities, threats, loss and exposure

3.3.4.1.2 Develop an information retention plan (pre- and post-event)


3.3.4.1.3 Develop or augment an IRP (including policies, procedures, staff assignments, technical requirements)

3.3.4.1.4 Develop technical capabilities

3.3.4.1.5 Train staff

3.3.4.1.6 Prepare host and network devices

3.3.4.1.7 Develop evidence preservation and handling procedures

3.3.4.1.8 Document the result of activities

3.3.4.1.9 Develop a legal activity coordination plan.

3.3.4.2 PHASE 2: Incident response phase (Entire phase is REACTIVE)

3.3.4.2.1 Detect a suspicious activity

3.3.4.2.2 Report the suspicious activity to the relevant authority

3.3.4.2.3 Validate as an incident

3.3.4.2.4 Assess the damage to or impact on the organisation

3.3.4.2.5 Develop a strategy regarding containment, eradication, recovery, and investigation, considering business, legal, technical and political factors and goals

3.3.4.2.6 Coordinate all the resources by including managerial, human, and legal resources

3.3.4.2.7 Formulate an initial investigative plan for data collection and analysis.

3.3.4.3 PHASE 3: Data collection phase

3.3.4.3.1 Collect evidence to support the response strategy and investigative plan (REACTIVE) (ACTIVE)

3.3.4.3.2 Complete the ‘live response’ data collection (ACTIVE)

3.3.4.3.3 Obtain network-based evidence (REACTIVE) (ACTIVE)

3.3.4.3.4 Obtain host-based evidence (REACTIVE)

3.3.4.3.5 Obtain removable media (REACTIVE)

3.3.4.3.6 Install an active monitoring capability (PROACTIVE)

3.3.4.3.7 Ensure high integrity and authenticity of evidence (REACTIVE) (ACTIVE)

3.3.4.3.8 Package, transport, and store digital evidence. (REACTIVE) (ACTIVE)

3.3.4.4 PHASE 4: Data analysis phase (Entire phase is REACTIVE)

The purpose is to confirm suspicion and/or to reconstruct the incident


3.3.4.4.1 Transform large volumes of data into manageable size

3.3.4.4.2 Conduct initial data survey to determine skill level of suspect

3.3.4.4.3 Employ data extraction techniques

3.3.4.4.4 Examine, analyse and reconstruct the incident.

3.3.4.5 PHASE 5: Presentation of findings phase

Communicate findings to different audiences, e.g., management, legal authorities and technical staff. (REACTIVE)

3.3.4.6 PHASE 6: Incident closure phase (Entire phase is REACTIVE)

3.3.4.6.1 Conduct a critical review of the entire process to identify and apply lessons learned

3.3.4.6.2 Make and act upon decisions

3.3.4.6.3 Dispose of evidence, if legally permissible

3.3.4.6.4 Collect and preserve all information related to incident.

Beebe and Clark define the digital investigative principles. The principles are overarching procedures, guidelines and methodological steps that represent goals and objectives throughout the process. The principles are applicable to all digital investigations and should be included in the formulation of our CDF capability and the DF implementation and management framework (DFMF).

3.3.4.7 Digital investigation principles

The two principles are evidence preservation and documentation. These principles apply to all the phases of the investigation process and cannot be linked to certain phases only.

3.3.4.7.1 Principle 1: Evidence preservation is to:

- maximise the availability and quality, and maintain the integrity, of the evidence.

- ensure that adequate, relevant evidence is gathered during the preparation phase so that it is available should it be needed.

- preserve live evidence during the acquisition process.

- collect the evidence in a forensically sound way; for example, calculate checksums and hashes during the data analysis phase and use environmental protections.


- create forensic copies of the evidence during the data analysis phase.

- provide evidence that the chain of evidence and chain of custody have been maintained during the presentation phase by the investigator and process.

- employ evidence disposition measures during the incident closure phase.

3.3.4.7.2 Principle 2: Documentation

The principle of documentation is to capture enough evidence during the investigation process to maintain the chain of evidence and chain of custody throughout the process. The validity of the procedure followed can determine the legal acceptability of the investigation.

The framework also considers various levels of abstraction (Beebe & Clark, 2005; Carrier, 2003a). Each layer will consider, for example, physical media, the media management system, the file system, applications, and the network.

Each of the above phases will have a second tier or sub-layer with specific objectives linked to it. The data analysis phase can have, for example, the following sub-layers:

- Survey sub-phase: facilitate data extraction

- Extract sub-phase: keyword searches, mining for hidden data

- Examine sub-phase: answers to who, what, when, where, why and how.

Note to reader:

This framework does not specifically incorporate the physical investigation leg of an investigation as Carrier has suggested. A complete framework includes a detailed Proactive part with a preparation and a pre-incident detection phase. We will use these aspects as part of the ProDF component of our CDF capability. The framework includes a more comprehensive list of activities of ProDF. These will be taken into consideration in Chapter 4. It has also identified explicit components of ActDF, which will be used in Chapter 6.

The ‘Examine’ sub-phase provides a hint as to who should do what and when. We will include it when we discuss the dimensions of DF in Part 2.


3.3.5 FRAMEWORK 5: Louwrens et al. (2006b)

The framework proposes a reference framework that is similar to the CobiT framework (2000), as it proposes control objectives as a basis that enables users to employ a structured process for the investigation of an incident. This framework proposes four phases of the DF process, each of which has DF control objectives (DFCO) and detailed DF control objectives (DDFCO).

3.3.5.1 PHASE 1: Planning and preparation phase (Entire phase is PROACTIVE)

3.3.5.1.1 Group 1: DF Readiness (4 DFCOs and 21 DDFCOs) (Entire group is PROACTIVE)

a. DFCO 1: Retain information

- Define business scenarios that require digital evidence
- Identify available sources and types of evidence
- Determine evidence collection requirements
- Establish a policy for secure storage and handling of evidence
- Establish a capability of securely gathering legally admissible evidence
- Time synchronization of all relevant devices and systems
- Systematically gather potential evidence
- Prevent anonymous activities.

b. DFCO 2: Plan the response

- Ensure monitoring is targeted to deter and detect incidents
- Implement an IDS
- Specify circumstances when to escalate to a full investigation
- Establish a Computer Emergency Response Team (CERT)
- Establish capabilities and response times for external DF investigation professionals.

c. DFCO 3: DF Training

- Train staff for incident awareness
- Develop in-house DF capabilities
- Enhance capability of evidence retrieval.

d. DFCO 4: Accelerate the investigation

- Document and validate DF protocol against best practices
- Acquire appropriate DF tools
- Ensure legal review to facilitate further action
- Clear definition of CERT and DF investigation teams


- Define circumstances when to engage professional external digital forensic investigation (DFI) services.

3.3.5.2 PHASE 2: Incident response phase

3.3.5.2.1 Group 2: Evidence preservation (4 DFCOs and 13 DDFCOs)

a. DFCO 1: Incident response (REACTIVE)

- Initiate IRP (REACTIVE)
- Activate CERT (REACTIVE)
- Secure evidence. (REACTIVE) (ACTIVE)

b. DFCO 2: Secure physical environment of the crime scene

- Secure all relevant logs and data (REACTIVE)
- Secure volatile evidence (ACTIVE)
- Secure hardware (REACTIVE) (ACTIVE)
- Label and seal all exhibits (REACTIVE)
- Preserve chain of evidence. (REACTIVE) (ACTIVE)

c. DFCO 3: Transport evidence (Entire step is REACTIVE)

- Securely transport evidence
- Preserve chain of custody in transport.

d. DFCO 4: Store evidence

- Store evidence in a safe custody room (REACTIVE)
- Control access to evidence (PROACTIVE)
- Preserve chain of custody in storage. (REACTIVE)

3.3.5.3 PHASE 3: Investigation phase

3.3.5.3.1 Group 3: Forensic acquisition (5 DFCOs and 8 DDFCOs)

a. DFCO 1: Ensure integrity of evidence

- Follow established DF investigation protocols (REACTIVE) (ACTIVE)
- Write protect all media. (REACTIVE)

b. DFCO 2: Acquire evidence

- Acquire evidence in order of volatility (ACTIVE)
- Acquire non-volatile evidence. (REACTIVE)

c. DFCO 3: Make a forensic copy of all evidence (REACTIVE) (ACTIVE)

d. DFCO 4: Authenticate evidence


- Authenticate all evidence to be identified as original (REACTIVE) (ACTIVE)
- Timestamp all copies of authenticated evidence. (REACTIVE) (ACTIVE)

e. DFCO 5: Document acquisition process (consider the chain of custody) (REACTIVE) (ACTIVE)

3.3.5.3.2 Group 4: Forensic analysis (6 DFCOs and 14 DDFCOs)

a. DFCO 1: Plan investigation (REACTIVE)

- Review all available information regarding the incident
- Identify expertise required
- Identify suitable DF tools to be utilised.

b. DFCO 2: Develop hypothesis (REACTIVE)

- Develop hypotheses to cover the most likely scenarios
- Define criteria to prove / disprove the hypothesis.

c. DFCO 3: Acquire the evidence (REACTIVE) (ACTIVE)

- Acquire evidence by using the most suitable DF tool
- Analyse evidence by means of the most suitable tool
- Conform to the requirements of the best evidence rule.

d. DFCO 4: Test hypothesis (REACTIVE)

- Reconstruct sequences of events
- Compare evidence to known facts.

e. DFCO 5: Make findings that are consistent with all evidence (REACTIVE)

- Reconstruct sequences of events
- Compare evidence to known facts.

f. DFCO 6: Document findings (REACTIVE)

- Document the case
- Document all aspects of the case
- Enter documentation in safe custody.

3.3.5.4 PHASE 4: Juridical / evidentiary phase (REACTIVE)

3.3.5.4.1 Group 5: Evidence presentation (3 DFCOs and 10 DDFCOs)

a. DFCO 1: Prepare case (REACTIVE)

- Determine the target audience
- Assemble all evidence required for presentation
- Prepare expert witnesses


- Prepare exhibits
- Prepare presentation aids
- Preserve chain of custody.

b. DFCO 2: Present case (REACTIVE)

- Present the evidence in a logical, understandable way to indicate the relevance of the evidence to the case
- Use graphical / physical examples to demonstrate difficult concepts
- Ensure a DF expert is available to assist in the provision of expert evidence.

c. DFCO 3: Preserve all the evidence after the case has been presented. (REACTIVE)

Note to reader:

The framework is a high-level, comprehensive, conceptual one that provides control objectives with sub-objectives. These objectives can be used to guide the DF implementation in an organisation. The framework refers to the physical crime scene, but concentrates on the digital investigation process. The framework includes aspects of ProDF. We will use these aspects in Chapter 6 to define the ProDF component of our CDF capability.

3.3.6 FRAMEWORK 6: E Casey (2004)

The framework that Casey proposed encourages a complete, rigorous investigation, ensures proper evidence handling, and reduces potential mistakes. The framework proposes the following twelve steps:

3.3.6.1 STEP 1: Incident alert or accusation – determine whether there is a crime or policy violation. (REACTIVE)

3.3.6.2 STEP 2: Determine the assessment of worth. The incident must be prioritised and assessed to determine whether it is a real incident. This results in one of two outcomes: no further activities, or continuing with the investigation. (REACTIVE)

3.3.6.3 STEP 3: Incident / crime scene protocols - actions at the scene, including real and virtual actions. (REACTIVE) (ACTIVE)

3.3.6.4 STEP 4: Identification and seizure of evidence - recognition and proper packaging. (REACTIVE) (ACTIVE)


3.3.6.5 STEP 5: Preservation - ensure the integrity of evidence; ensure that modification is not possible. (REACTIVE) (ACTIVE)

3.3.6.6 STEP 6: Recovery - collect all evidence, including hidden and deleted evidence or evidence not available. (REACTIVE) (ACTIVE)

3.3.6.7 STEP 7: Harvesting - gather all data and metadata about the incident. (REACTIVE)

3.3.6.8 STEP 8: Reduction - analyse the evidence and eliminate the evidence that is not relevant to the case. (REACTIVE)

3.3.6.9 STEP 9: Organisation and search - prepare relevant evidence to focus the analysis of the incident. (REACTIVE)

3.3.6.10 STEP 10: Analysis (REACTIVE)

The analysis phase is a detailed scrutiny of the data or evidence identified in the previous step. The step includes the following four sub-steps:

- Assess the content and context of the evidence. The evidence must be human readable. Use the evidence to determine means, motivation and opportunity. (REACTIVE)

- Experiment by using different tools and techniques while analysing the evidence. (REACTIVE)

- Often evidence alone will not provide the lead to the incident, and data from different sources should be combined to provide positive leads (apply fusion and correlation techniques). It is essential to determine the chronological order of events and indicate how the data from the different sources is related. (REACTIVE)

- Validate the result of the analysis done so that it will be admissible and acceptable in a court. (REACTIVE)
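Casey's fusion and correlation sub-step, like the time-lining of Baryamureeba and Tushabe (3.3.3.2.3) and the low-level time-lining of Carrier and Spafford (3.3.2.4.4), comes down to normalising timestamps from different sources to one reference clock and then linking the records that belong to the same actor. The Python below is an added example, not code from the thesis or from any of the frameworks it surveys: the two log excerpts, the host names and the 90 s clock skew are constructed for the illustration.

```python
"""Fuse two constructed log sources into one corrected-UTC timeline and
correlate the events that belong to one actor (added example, not from
the thesis). Assumed: one web server access log kept in local time
(+02:00) and one syslog-style auth log in UTC from a host whose clock
was found to run 90 s fast; the log lines and offsets are constructed."""
import re
from datetime import datetime, timedelta, timezone

WEB_LOG = """\
203.0.113.7 - - [14/Nov/2011:10:02:15 +0200] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [14/Nov/2011:10:02:40 +0200] "GET /admin/export HTTP/1.1" 200 98304
198.51.100.9 - - [14/Nov/2011:10:03:01 +0200] "GET / HTTP/1.1" 200 1024
"""
AUTH_LOG = """\
2011-11-14T08:03:50Z dbhost sshd[4112]: Accepted password for backup from 203.0.113.7 port 51022
2011-11-14T08:04:15Z dbhost sudo: backup : TTY=pts/0 ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/db
"""
# Clock skew measured per host at acquisition time; a clock that runs fast
# needs a negative correction to bring its records onto the reference clock.
CLOCK_SKEW = {"dbhost": timedelta(seconds=-90)}

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
AUTH_RE = re.compile(r'^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$')
IP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def parse_web(line, host="webhost"):
    """Combined-format access log line -> event dict with a UTC timestamp."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"time": when, "source": "web", "host": host, "actor": ip,
            "event": f"{request} -> {status}"}


def parse_auth(line):
    """Syslog-style line with an ISO 8601 UTC timestamp -> event dict.
    The actor is the remote address when the message names one."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ip = IP_RE.search(msg)
    return {"time": when, "source": "auth", "host": host,
            "actor": ip.group(1) if ip else None, "event": f"{proc}: {msg}"}


def build_timeline(web_text, auth_text, skew):
    """Parse both sources, apply per-host clock corrections, sort by time."""
    events = [e for e in map(parse_web, web_text.splitlines()) if e]
    events += [e for e in map(parse_auth, auth_text.splitlines()) if e]
    for e in events:
        e["time"] += skew.get(e["host"], timedelta(0))
    events.sort(key=lambda e: e["time"])
    return events


def correlate(events, actor, window=timedelta(minutes=5)):
    """Events attributed to `actor`, plus unattributed events on the same host
    that follow one of them within `window` (e.g. a sudo command after an SSH
    login from that address). Returned in timeline order."""
    anchors = [e for e in events if e["actor"] == actor]
    related = []
    for e in events:
        if e["actor"] == actor:
            related.append(e)
        elif e["actor"] is None and any(
                a["host"] == e["host"]
                and timedelta(0) <= e["time"] - a["time"] <= window
                for a in anchors):
            related.append(e)
    return related


def render(events):
    """One line per event, in corrected UTC, for the investigation report."""
    return [f'{e["time"]:%Y-%m-%d %H:%M:%S}Z {e["host"]:8} {e["source"]:4} {e["event"]}'
            for e in events]
```

Running `build_timeline` with an empty skew table shows why the clock correction matters: the SSH login then sorts after the unrelated request from 198.51.100.9 instead of before the export.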

Casey stresses that the investigator must adhere to the following principles for the handling of digital evidence:

- Do not change any data that might be used as evidence
- Only competent people should handle data, to ensure that it can be used in court
- Create a verifiable audit trail to record all processes applied to digital evidence
- Ensure that no law or any of the above principles is violated.
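Casey's verifiable audit trail, the evidence preservation principle of Beebe and Clark (3.3.4.7.1) and the forensic acquisition control objectives of Louwrens et al. (Group 3: forensic copy, authenticate, timestamp, document the chain of custody) rest on one mechanism: hash the original, hash the copy, and record every handling step in a log that cannot be edited without the edit being noticed. The Python below is an added example, not code from the thesis or from any of the frameworks it surveys; the file names, the record layout and the CustodyLog class are assumptions made here.

```python
"""Forensic copy, authentication and a hash-chained custody log (added
example, not from the thesis or the frameworks it surveys). Assumed:
evidence items are ordinary files; record layout and names are this
example's own choices."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

HASH = "sha256"
GENESIS = "0" * 64  # prev_hash of the first custody record


def hash_file(path, chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large disk images fit in memory."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log. Each record embeds the hash of the
    previous record, so editing or removing an entry breaks the chain and
    verify() names the first record that no longer matches."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(record):
        return hashlib.new(HASH, json.dumps(record, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, item, item_digest):
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        record = {
            "seq": len(self.records),
            "time_utc": datetime.now(timezone.utc).isoformat(),  # timestamp every step
            "actor": actor,
            "action": action,
            "item": item,
            "item_" + HASH: item_digest,
            "prev_hash": prev,
        }
        record["record_hash"] = self._digest(record)
        self.records.append(record)
        return record

    def verify(self):
        """Recompute every link; returns (True, None) or (False, bad_index)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if rec["prev_hash"] != prev or rec["record_hash"] != self._digest(body):
                return False, i
            prev = rec["record_hash"]
        return True, None


def acquire(source, dest, actor, log):
    """Forensic copy of `source`, authenticated against the original and
    recorded in `log`. Returns the authenticated digest."""
    original = hash_file(source)
    log.append(actor, "hash-original", source, original)
    shutil.copyfile(source, dest)
    # Best-effort write protection of the working copy only; the original
    # media belongs behind a hardware write blocker, which this does not replace.
    os.chmod(dest, 0o444)
    copy = hash_file(dest)
    if copy != original:
        raise RuntimeError("forensic copy does not match original")
    log.append(actor, "copy-authenticated", dest, copy)
    return copy


def demo():
    """Constructed scenario: acquire a sample file, then show that a changed
    copy and an edited log entry are both detected."""
    workdir = tempfile.mkdtemp()
    src, dst = os.path.join(workdir, "evidence.bin"), os.path.join(workdir, "evidence.copy")
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n" * 100)
    log = CustodyLog()
    digest = acquire(src, dst, "examiner-1", log)
    result = {"copy_intact": hash_file(dst) == digest, "log_ok": log.verify()[0]}
    os.chmod(dst, 0o644)                    # simulate an unauthorised change
    with open(dst, "ab") as f:
        f.write(b"x")
    result["copy_after_change"] = hash_file(dst) == digest
    log.records[0]["actor"] = "someone-else"  # simulate editing the trail
    result["log_after_edit"], result["bad_record"] = log.verify()
    shutil.rmtree(workdir)
    return result
```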


3.3.6.11 STEP 11: Reporting of the findings of the incident

Provide a transparent view of the investigative process and reports. Include all steps and methods used to seize, document, collect, preserve, recover, reconstruct, organise and search for key evidence. (REACTIVE)

3.3.6.12 STEP 12: Persuasion and testimony - translate the result of the investigation into an understandable narrative for discussion with the decision-makers. (REACTIVE)

It is important to manage each case and its activities in a proper way. The framework can be perceived as a linear progression of events, but there will be a need to revisit some previous steps to arrive at a more complete investigation result. However, the output of one step will be used as input into the next step.

Note to reader:

The framework concentrates on the investigation of an incident. No reference is made to preparation for the investigation as part of the framework, and no distinction is made between physical and digital crime scenes.

3.3.7 FRAMEWORK 7: Forrester and Irwin (2007)

The framework presented by Forrester and Irwin focuses on providing an investigative framework for business organisations. They used the frameworks of Carrier and Spafford (2003), Palmer (2001) and the electronic crime scene investigation – first responders guide (Nolan et al., 2001) as supporting frameworks to construct their own. The framework proposes the following eight steps:

3.3.7.1 STEP 1: Readiness (PROACTIVE)

Preparation of organisation for investigation in terms of:

training of the people

formulating relevant policies and procedures

having the technical infrastructure available.

3.3.7.2 STEP 2: Deployment (REACTIVE)

Identify and assess the incident to determine the scope of the incident.


3.3.7.3 STEP 3: Incident evaluation (REACTIVE)

Evaluate the incident to gain an understanding of who is affected by the incident, e.g.,

systems, users and data. The result of the evaluation will determine:

the course of action (REACTIVE)

which live system analysis tools can be used to analyse the affected systems (ACTIVE)

if it will be a formal or informal investigation. (REACTIVE) (ACTIVE)

3.3.7.4 STEP 4: Scene preservation (REACTIVE)

Secure and search the physical area around the digital crime scene

Secure the sources of evidence of digital crime scene.

3.3.7.5 STEP 5: Interaction of investigation and service restoration (REACTIVE)

The investigator will try to determine the sequence of events but at the same time will

interact with the systems restoration phase to minimise downtime of the systems.

3.3.7.6 STEP 6: Reporting (REACTIVE)

The findings of the investigation are properly documented and presented.

3.3.7.7 STEP 7: Decision on what course of action to be taken

3.3.7.8 STEP 8: Incident review to identify possible areas of improvement to prevent future

incidents.

Note to reader:

This framework is a very high-level overview with little detail of the processes involved. The notion of interaction between investigation and service restoration has not been covered by any of the other frameworks, and we will consider the inclusion of this interaction in the formulation of our CDF. The framework acknowledges the need to prepare an organisation and to conduct live investigations, and we will include these aspects in the components for ProDF (Chapter 4) and ActDF (Chapter 6).

The next section will compare the discussed frameworks to identify common elements (phases with

steps) to formulate each component of our CDF capability.


3.4 COMPARISON OF PROCESS–ORIENTED FRAMEWORKS

During the discussion of the various DF frameworks in the previous paragraph we have tagged the

phases and steps as being (REACTIVE), and / or (PROACTIVE) and / or (ACTIVE). We will organise the

overlapping and missing elements (phases and steps) of the various DF frameworks in terms of the

three proposed DF components: ProDF, ActDF and ReDF of our CDF capability.

Table 3.1 (below) is a comparison of the ProDF elements

Table 3.2 (below) is a comparison of the ActDF elements

Table 3.3 (below) is a comparison of the ReDF elements as identified in the previous

paragraph (par.3.3).

We have included the paragraph number of the various DF frameworks as reference to substantiate

the existence of the component.

Note to reader:

The different authors of the discussed frameworks have used the terms Groups, Phases, and Steps as synonyms. We will use the term ‘Phases with related Steps’ for the ReDF and ActDF components. The ReDF and ActDF components follow a typical process model where the result of one phase leads to the next phase. The ProDF component, however, concentrates on ‘elements’ that must be implemented to prepare organisations for the application of DF. We will refer to the different elements when describing the ProDF component.


Table 3.1. Comparison of Proactive (ProDF) elements (by author)

| Element | Description of Seven Elements | Carrier Par. | Barayumureeba Par. | Beebe Par. | Louwrens Par. | Casey Par. | Forrester Par. |
|---|---|---|---|---|---|---|---|
| 1 | Infrastructure: | | | | | | 3.3.7.1 |
| | Operational | | 3.3.3.1.2 | 3.3.4.1.6 | 3.3.5.1.1 a | | |
| | Investigative | | 3.3.3.1.2 | 3.3.4.1.4 | 3.3.5.1.1 d | | |
| 2 | Assess risks for business scenarios | | | 3.3.4.1.1 | 3.3.5.1.1 a | | |
| 3 | Information retention plan: | | | 3.3.4.1.2 | | | |
| | evidence identification | | | | 3.3.5.1.1 a | | |
| | evidence collection requirements (legal and regulatory requirements; technical requirements) | | | | 3.3.5.1.1 a | | |
| | evidence handling | | | | 3.3.5.1.1 a | | |
| | systematic gathering of evidence | | | 3.3.4.3.6 | 3.3.5.1.1 a | | |
| 4 | Develop policies / procedures for: | | | | 3.3.5.1.1 | 3.3.6.3 | 3.3.7.1 |
| | evidence handling | | | 3.3.4.1.7 | 3.3.5.1.1 a | | |
| | evidence preservation | | | 3.3.4.1.7 | | | |
| | incident response | | | 3.3.4.1.3 | | | |
| | prevention of anonymous activities | | | | 3.3.5.1.1 a | | |
| | secure storage | | | | 3.3.5.1.1 a | | |
| 5 | IR preparation: | | | | | | |
| | IRP – plan response | | | 3.3.4.1.3 | 3.3.5.1.1 b | | |
| | staff assignment (establish CERT) | | | 3.3.4.1.3 | 3.3.5.1.1 b | 3.3.6.3 | |
| | implementation of IDS | | | | 3.3.5.1.1 b | | |
| | incident / crime scene protocols | | | | 3.3.5.1.1 d | | |
| | determination of when to accelerate investigation | | | | 3.3.5.1.1 b | | |
| 6 | DF training and awareness | 3.3.3.1.1 | 3.3.3.1.1 | 3.3.4.1.5, 3.3.4.1.4 | 3.3.5.1.1 c | | 3.3.7.1 |
| 7 | Develop legal coordination action plan | | | 3.3.4.1.9 | 3.3.5.1.1 d | | |

Table 3.2. Comparison of Active (ActDF) phases and steps (by author)

| Phase | Description of Four Phases | Carrier Par. | Barayumureeba Par. | Beebe Par. | Louwrens Par. | Casey Par. | Forrester Par. |
|---|---|---|---|---|---|---|---|
| 1 | Acquire relevant live evidence | 3.3.2.2.3 | | 3.3.4.3.2, 3.3.4.3.3, 3.3.4.3.4 | 3.3.5.3.1 b, 3.3.5.3.2 c | 3.3.6.4 | 3.3.7.3 |
| | Secure live evidence | | | | 3.3.5.2.1 b | | |
| | Consider the order of volatility | | | | 3.3.5.3.1 a | 3.3.6.4 | |
| | Use acceptable live evidence acquisition protocol | | | | 3.3.5.3.1 a | | |
| | Ensure integrity | | | 3.3.4.3.7 | 3.3.5.3.1 | | |
| 2 | Preserve acquired evidence / forensic copy | | | | 3.3.5.3.1 c | 3.3.6.5 | |
| | Ensure that competent people use reliable tools | | | | 3.3.5.3.2 a, c | | |
| | Secure evidence | | | 3.3.4.3.8 | | | |
| | Authenticate – timestamp the evidence | | | 3.3.4.3.7 | 3.3.5.3.1 c, d | | |
| 3 | Document live acquisition process | | | | 3.3.5.3.1 e | | |
| 4 | Analyse live evidence | | | | 3.3.5.3.2 c | | |


Table 3.3. Comparison of Reactive (ReDF) phases and steps (by author)

| Phase | Phases and steps descriptions | O’Ciardhuain Par. | Carrier & Spafford Par. | Barayumureeba Par. | Beebe and Clark Par. | Louwrens et al. Par. | Casey Par. | Forrester Par. |
|---|---|---|---|---|---|---|---|---|
| 1 | PHASE 1: Incident Response and confirmation | | | | | | | |
| | Initiate IRP from Info Sec | | | | | 3.3.5.2.1 a | 3.3.6.1 | |
| | Detect activity | 3.3.1.1 | 3.3.2.2.1 | 3.3.3.2.1 | 3.3.4.2.1 | | | 3.3.7.2 |
| | Report incident | | 3.3.2.2.1 | | 3.3.4.2.2 | | | |
| | Determine assessment of worth (validate incident relevance; assess damage and impact of the incident; confirm the incident; determine the nature of investigation, formal / informal) | | 3.3.2.2.2 | 3.3.3.2.4 | 3.3.4.2.3, 3.3.4.2.4 | | 3.3.6.2 | 3.3.7.3, 3.3.7.3 |
| | Obtain authorisation – internal and external | 3.3.1.2 | 3.3.2.2.2 | | | | | |
| | Determine incident containment strategy | | 3.3.2.2.4 | | 3.3.4.2.5 | | | |
| | Coordinate resources | 3.3.1.3 | | | 3.3.4.2.6 | | | |
| | Formulate investigation plan | | | | 3.3.4.2.7 | | | |
| | Accelerate investigation | | | | | | | |
| | Notification of investigation | 3.3.1.4 | | 3.3.3.2.5 | | | | |
| 2 | PHASE 2: Physical Investigation (if relevant) | | | | | | | |
| | Preserve physical crime scene | | 3.3.2.3.1 | 3.3.3.2.2 | | | | 3.3.7.4 |
| | Survey crime scene for potential evidence | | 3.3.2.3.2 | 3.3.3.2.2 | | 3.3.5.2.1 b | | 3.3.7.4 |
| | Document – capture enough information to preserve details of the crime scene | | 3.3.2.3.2 | 3.3.3.2.2 | | | | |
| | Acquire all evidence | | | 3.3.3.2.2 | | | | |
| | Search, collect and secure potential physical evidence | | 3.3.2.3.4 | 3.3.3.2.2 - 3.3.3.2.3 | | 3.3.5.2.1 b | | 3.3.7.4 |
| | Identify and secure possible digital evidence, including live evidence and static evidence – to be sent to the digital investigation team | 3.3.1.5 | 3.3.2.3.4 | 3.3.3.2.2 | 3.3.4.2.1 | | 3.3.6.4 | |
| | Label and seal all evidence | | | | | 3.3.5.2.1 b | | |
| | Reconstruction of the incident | | 3.3.2.3.5 | | | | | |
| | Transport evidence | | | 3.3.3.2.2 | | 3.3.5.2.1 c | | |
| | Storage of evidence: determine the storage requirements (safe custody room, access control, chain of custody) | | | 3.3.3.4 | | 3.3.5.2.1 d | | |
| 3 | PHASE 3: Digital Investigation | | | 3.3.3.3 | | | | |
| 3.1 | Sub-phase 1: Secure the Digital Evidence | | | | | | | |
| | Preserve digital crime scene | | 3.3.2.4.1, 3.3.2.4.2 | | | | | |
| | Ensure integrity | | | | 3.3.4.3.7 | 3.3.5.3.1 a | 3.3.6.5 | |
| | Follow established DF investigation protocols | | | | | 3.3.5.3.1 a | 3.3.6.3 | |
| | Write protect all media | | | | | 3.3.5.3.1 a | | |
| 3.2 | Sub-phase 2: Acquire the Evidence | | | | | | | |
| | Acquire or recover relevant evidence | 3.3.1.6 | 3.3.2.4.4 | 3.3.3.2.3 | 3.3.4.3 | 3.3.5.3.1 b | | |
| | Collect all evidence – volatile and non-volatile, hidden and deleted evidence or evidence not available | | 3.3.2.4.4 | 3.3.3.2.3 | 3.3.4.3.1, 3.3.4.3.3, 3.3.4.3.4, 3.3.4.3.5 | 3.3.5.3.1 b | 3.3.6.6 | |
| | Harvesting – gather all data and metadata about the incident | | 3.3.2.4.4 | | | | 3.3.6.7 | |
| | Preservation of evidence by making a forensic copy | 3.3.1.6 | 3.3.2.4.1 | 3.3.3.2.3 | 3.3.4.3.7, 3.3.4.3.8 | 3.3.5.3.1 c | | |
| | Authenticate the evidence as original by applying a timestamp | | 3.3.2.4.2 | | 3.3.4.3.7 | 3.3.5.3.1 d | | |
| | Transport the evidence | 3.3.1.7 | 3.3.2.4.2 | | 3.3.4.3.8 | | | |
| | Store the evidence | 3.3.1.8 | | | 3.3.4.3.8 | | | |
| | Document acquisition process | | 3.3.2.4.3 | 3.3.3.2.3 | | 3.3.5.3.1 e | | |
| 3.3 | Sub-phase 3: Analysis | | | | | | | |
| | Revisit investigation plan: consider available information, look at tools and expertise and ensure evidence is human readable | | 3.3.2.4.4 | | | 3.3.5.3.2 a | | |
| | Develop a hypothesis (define hypothesis and criteria to prove hypothesis) | 3.3.1.10 | | | | 3.3.5.3.1 b | | |
| | Prepare evidence (segment large volumes of data to manageable size) | | | | 3.3.4.4.1 | | 3.3.6.9, 3.3.6.10 | |
| | Analyse evidence | | | | 3.3.4.4 | 3.3.5.3.2 c | | |
| | Examine evidence – best evidence | 3.3.1.11 | | | | | 3.3.6.10 | |
| | Reduction – analyse the evidence and eliminate the evidence that is not relevant to the case | | 3.3.2.4.4 | | | | 3.3.6.8, 3.3.6.9 | |
| | Assessment – determine means, motivation, opportunity and skill level of suspect | | | | | | 3.3.6.10 | |
| | Experimentation – use different tools | | | | | | 3.3.6.10 | |
| | Reconstruct event (fusion and correlation) | | 3.3.2.4.5 | 3.3.3.2.3 | 3.3.4.4.4 | | 3.3.6.10 | |
| | Test hypothesis | | | | 3.3.4.4.3 | 3.3.5.3.2 d | | |
| | Validate the results of analysis | | | | | 3.3.5.3.2 e | 3.3.6.10 | |
| | Document findings | | | | | 3.3.5.3.2 f | | |
| | Secure documentation | | | | | 3.3.5.3.2 f | | |
| 3.4 | Sub-phase 4: Service Restoration | | | | | | | |
| | Interaction with IS BCP team to restore services | | | | | | | 3.3.7.5 |
| 4 | PHASE 4: Incident Reconstruction | | 3.3.2.4.6 | | | | | |
| | Consolidate physical investigation and digital investigation findings | | 3.3.2.4.5 | | | | | |
| 5 | PHASE 5: Present Findings to Management / Authorities | 3.3.1.11, 3.3.1.12 | | 3.3.3.4.4 | 3.3.4.5 | 3.3.5.4.1 | 3.3.6.11 | 3.3.7.6 |
| | Prepare case | | | | | 3.3.5.4.1 a | | |
| | Determine target audience | | | | | 3.3.5.4.1 a | | |
| | Assemble all evidence required for presentation | | | | | 3.3.5.4.1 a | | |
| | Prepare expert witness | | | | | 3.3.5.4.1 a | | |
| | Prepare exhibits | | | | | 3.3.5.4.1 a | | |
| | Use appropriate presentation aids | | | | | 3.3.5.4.1 a | | |
| | Preserve chain of custody | | | | | 3.3.5.4.1 a | | |
| | Present case | | | | | 3.3.5.4.1 b | 3.3.6.12 | |
| | Preserve evidence | | | | 3.3.4.6.4 | 3.3.5.4.1 c | | |
| 6 | PHASE 6: Dissemination of Result of Investigation or Incident Closure | 3.3.1.13 | | | | | | |
| | Review to identify and apply lessons learned | | 3.3.2.5 | | 3.3.4.6.1, 3.3.4.6.2, 3.3.4.6.2 | | | 3.3.7.8 |
| | Dispose / return / preserve evidence | | | | 3.3.4.6.3, 3.3.4.6.4 | | | |


The comparison in Tables 3.1, 3.2 and 3.3 demonstrates that not one of the identified DF frameworks includes all elements of ProDF or all phases with associated steps for the ReDF and ActDF components. Most of the identified frameworks:

concentrate on the actual post-incident investigation (ReDF component) by referring to

the identification, collection, analysis, and presentation of evidence

include some aspects of readiness (ProDF component) by considering awareness,

training, preparation of operations and infrastructure

include some aspects of live evidence gathering (ActDF component).

We used the comparison of the identified DF frameworks to identify common elements, reorganised similar phases or steps, and included missing phases or steps to propose the three components for our CDF capability, as demonstrated by Figure 3-3 (below):

Figure 3-3. Comprehensive DF capability (also Figure 2-3) (by author)

Based on the comprehensive analysis in the previous paragraphs we will formulate a draft version of our CDF capability.

3.5 DRAFT VERSION OF OUR CDF CAPABILITY

Our CDF capability has three potential components.

Note to reader:

The ProDF component will consist of a set of elements and the ReDF and ActDF components will have phases with related steps.

3.5.1 ProDF component

From the comparison in Table 3.1 we have proposed the following list of seven elements:

3.5.1.1 ELEMENT 1: Ensure DF-ready infrastructure

The operational infrastructure must be prepared (Beebe & Clark, 2005; Forrester & Irwin, 2007; Louwrens et al., 2006b). Organisations must ensure that an investigation infrastructure is in place if they want to investigate incidents internally (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007; Louwrens et al., 2006b). Configure the infrastructure to prevent anonymous activities and anti-forensic activities (Louwrens et al., 2006b).

3.5.1.2 ELEMENT 2: Assess risks for all business scenarios (Beebe & Clark, 2005; Louwrens et al.,

2006b)

It is essential to consider all business scenarios to identify potential risks, to enable the

proactive identification of potential evidence.

3.5.1.3 ELEMENT 3: Develop an information retention plan (Beebe & Clark, 2005)

The plan should consider evidence identification (Louwrens et al., 2006b), legal, judicial,

regulatory and technical evidence collection and handling requirements, and ensure the

systematic gathering of evidence (Beebe & Clark, 2005; Louwrens et al., 2006b).

3.5.1.4 ELEMENT 4: Develop DF policies and procedures (Casey, 2004; Forrester & Irwin, 2007;

Louwrens et al., 2006b)

Typical policies and procedures to develop are: evidence handling (Beebe & Clark, 2005;

Casey, 2004; Louwrens et al., 2006b), evidence preservation (Beebe & Clark, 2005), IR

(Beebe & Clark, 2005), prevention of anonymous activities (Louwrens et al., 2006b), and

prevention of anti-forensic activities (Louwrens et al., 2006b).

3.5.1.5 ELEMENT 5: Prepare for incident response

Organisations have IRPs as part of their contingency plans. It is essential to consider DF

requirements when planning the response to ensure that evidence is not destroyed. (Beebe

& Clark, 2005; Louwrens et al., 2006b). The IRP should prescribe the establishment of a CERT

by assigning specific employees to the team (Beebe & Clark, 2005; Louwrens et al., 2006b).

Louwrens recommends the implementation of an IDS and the formulation or augmenting of

existing incident or crime scene protocols (Louwrens et al., 2006b). After incident evaluation,

it is essential to activate the incident containment strategy and to determine when to

accelerate the investigation (Beebe & Clark, 2005; Louwrens et al., 2006b). It is also essential

to establish when to engage with external DF investigation (DFI) services (Louwrens et al.,

2006b).


3.5.1.6 ELEMENT 6: Establish DF training and awareness programmes (Barayumureeba &

Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007;

Louwrens et al., 2006b)

3.5.1.7 ELEMENT 7: Document and validate a DF protocol against best practice (Louwrens et

al., 2006b).

3.5.2 ActDF component

We have identified the following four phases using Table 3.2:

3.5.2.1 PHASE 1: Acquire relevant live evidence (Beebe & Clark, 2005; Carrier & Spafford, 2003;

Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b)

To acquire live evidence it is essential to use an acceptable live evidence acquisition protocol

and to consider the order of volatility (Beebe & Clark, 2005; Louwrens et al., 2006b).

3.5.2.2 PHASE 2: Ensure integrity (Beebe & Clark, 2005; Louwrens et al., 2006b)

To establish integrity means that the investigator must ensure that the evidence acquired

does not change in any way, and preserve the acquired evidence by making a forensic copy

of the evidence (Casey, 2004; Louwrens et al., 2006b). It is also essential to ensure that

competent people use reliable tools (Forrester & Irwin, 2007; Louwrens et al., 2006b). The

evidence and forensic copies must be secured, authenticated and time-stamped to

guarantee the integrity (Beebe & Clark, 2005; Louwrens et al., 2006b).

3.5.2.3 PHASE 3: Document the live acquisition process (CP Louwrens et al., 2006a)

Documentation is essential during the entire live evidence acquisition process to maintain

the chain of custody and evidence.

3.5.2.4 PHASE 4: Analyse the live data (CP Louwrens et al., 2006a)

The acquired evidence is analysed to determine if the required evidence has been acquired

to either enable the investigator to determine the root-cause of the incident or to start a

meaningful investigation.


3.5.3 ReDF component

From the comparison in Table 3.3 we have identified the following six phases:

3.5.3.1 PHASE 1: Incident response and confirmation phase (ten steps)

3.5.3.1.1 Step 1: Initiate the IRP from Info Sec or the corporate contingency plan (Casey, 2004;

Louwrens et al., 2006b).

3.5.3.1.2 Step 2: Detect an activity (Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester &

Irwin, 2007; O'Ciardhuain, 2004).

3.5.3.1.3 Step 3: Report the incident (CP Louwrens et al., 2006a).

3.5.3.1.4 Step 4: Determine the assessment of worth of the incident (Beebe & Clark, 2005;

Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007).

The incident must be evaluated to determine if it is a valid incident; the incident responder must assess the damage that the incident can cause, or the impact of the incident on the organisation. The next step will be to confirm the incident or to declare it ‘no incident’. It is essential to determine the relevance and nature of the investigation, as this will determine whether it will be a formal or informal investigation.

3.5.3.1.5 Step 5: Obtain the relevant internal and external authorisation (Carrier & Spafford,

2003; O'Ciardhuain, 2004).

3.5.3.1.6 Step 6: Activate the incident containment strategy (Beebe & Clark, 2005; Carrier &

Spafford, 2003).

3.5.3.1.7 Step 7: Coordinate all the resources (Beebe & Clark, 2005; Louwrens et al., 2006b).

3.5.3.1.8 Step 8: Formulate an investigation plan (Beebe & Clark, 2005).

3.5.3.1.9 Step 9: Depending on condition set out by policy, accelerate the investigation

(Louwrens et al., 2006b).

3.5.3.1.10 Step 10: Notify the relevant parties of the investigation (Forrester & Irwin, 2007;

O'Ciardhuain, 2004).

3.5.3.2 PHASE 2: Physical investigation phase (if relevant) (six steps)

3.5.3.2.1 Step 1: Secure the physical crime scene (Barayumureeba & Tushabe, 2004; Carrier &

Spafford, 2003; Forrester & Irwin, 2007).

3.5.3.2.2 Step 2: Survey the crime scene for potential evidence (Barayumureeba & Tushabe,

2004; Carrier & Spafford, 2003; Louwrens et al., 2006b).

3.5.3.2.3 Step 3: Acquire physical evidence (Barayumureeba & Tushabe, 2004).

The investigator must survey the crime scene, search for and collect potential

evidence, using an acceptable procedure, for example, photograph, bag, label, and

document the individual evidential items. The investigator must identify different


types of evidence, e.g., fingerprint or digital to ensure that it will be analysed by the

relevant forensic laboratory (Barayumureeba & Tushabe, 2004; Carrier & Spafford,

2003; Forrester & Irwin, 2007; Louwrens et al., 2006b).

3.5.3.2.4 Step 4: Reconstruct the incident (Barayumureeba & Tushabe, 2004).

3.5.3.2.5 Step 5: Transport the evidence to a relevant investigation laboratory whilst ensuring

the chain of custody (Barayumureeba & Tushabe, 2004; Louwrens et al., 2006b).

3.5.3.2.6 Step 6: Store the evidence in a secure facility.

Determine the storage requirements by considering a safe custody room, access

control, and requirements to maintain the chain of custody (Barayumureeba &

Tushabe, 2004; Louwrens et al., 2006b).

3.5.3.3 PHASE 3: Digital investigation phase

This phase consists of four sub-phases:

3.5.3.3.1 Sub-phase 1: Secure the digital evidence (three steps) (Carrier & Spafford, 2003)

Step 1: Preserve the digital crime scene (O'Ciardhuain, 2004).

Step 2: Ensure the integrity of the evidence (Beebe & Clark, 2005; Casey, 2004;

Louwrens et al., 2006b). The investigators must follow established DFI protocol

(Casey, 2004; Louwrens et al., 2006b) and write protect all media (Louwrens et al.,

2006b).

Step 3: Preserve and make a forensic copy of the potential evidence

(Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Louwrens et al., 2006b).

3.5.3.3.2 Sub-phase 2: Acquire the evidence (five steps)

Step 1: Acquire the relevant evidence (Barayumureeba & Tushabe, 2004; Beebe &

Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Louwrens et al., 2006b). To do so

it is essential to recover or collect static, live, hidden, and deleted evidence. Harvest

all data and metadata relevant to the incident.

Step 2: Authenticate the evidence by applying verification algorithms (e.g. hashing)

to ensure originality. Investigators should timestamp all evidence to enable time

lining (Carrier & Spafford, 2003; Louwrens et al., 2006b).

Step 3: Transport the evidence to the relevant laboratory whilst ensuring the chain

of custody (Carrier & Spafford, 2003; O'Ciardhuain, 2004).

Step 4: Store the evidence in a secure facility (Beebe & Clark, 2005; O'Ciardhuain,

2004).


Step 5: Consolidate the documentation of the acquisition process (Barayumureeba &

Tushabe, 2004; Carrier & Spafford, 2003; Louwrens et al., 2006b).
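As an added example (not from the thesis or any of the frameworks it cites), the following Python models the authentication and audit-trail requirements of this sub-phase (Step 2) and of ActDF Phase 2 (par. 3.5.2.2): each evidence item is hashed and timestamped at acquisition, every later process applied to it is logged, and the log itself is hash-chained so that both a changed item and an edited log entry are detectable on verification. The class and function names, the injectable clock and the sample evidence bytes are all constructed for illustration.

```python
"""Hash-chained evidence custody log (added example, not thesis code).

Models: authenticate evidence by hashing (verification algorithm),
timestamp every item, and keep a verifiable audit trail of every
process applied to it, so that later changes are detectable.
All names and sample data below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest used to authenticate an evidence item as the acquired original."""
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: dict) -> str:
    """Digest of an entry's content, excluding its own stored digest."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only, hash-chained audit trail for digital evidence.

    Every entry is timestamped and commits to the digest of the previous
    entry, so editing, removing or reordering a past entry breaks the
    chain (a 'verifiable audit trail' supporting the chain of custody).
    """

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, clock: Optional[Callable[[], str]] = None):
        # Clock is injectable (constructed hook) so runs can be deterministic.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.entries: List[dict] = []

    def _append(self, event: str, **fields) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "timestamp": self._clock(),
                 "event": event, "prev_hash": prev, **fields}
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def acquire(self, item_id: str, data: bytes, source: str, handler: str) -> dict:
        """Record acquisition; the digest taken here is the reference original."""
        return self._append("acquire", item_id=item_id, source=source,
                            handler=handler, sha256=sha256_hex(data), size=len(data))

    def record(self, item_id: str, action: str, handler: str) -> dict:
        """Record a later process applied to the item (copy, transport, analysis)."""
        return self._append("process", item_id=item_id, action=action, handler=handler)

    def reference_hash(self, item_id: str) -> Optional[str]:
        for e in self.entries:
            if e["event"] == "acquire" and e["item_id"] == item_id:
                return e["sha256"]
        return None

    def verify_item(self, item_id: str, data: bytes) -> bool:
        """Does the item still match the digest recorded at acquisition?"""
        ref = self.reference_hash(item_id)
        return ref is not None and ref == sha256_hex(data)

    def verify_chain(self) -> Tuple[bool, Optional[int]]:
        """Recompute every digest and link; return (ok, seq of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev_hash"] != prev
                    or e["entry_hash"] != _entry_digest(e)):
                return False, i
            prev = e["entry_hash"]
        return True, None


def demo() -> dict:
    """Constructed walk-through: acquire, log processes, then check tampering."""
    log = CustodyLog()
    image = b"CONSTRUCTED disk image bytes for item DISK-01"  # constructed sample
    log.acquire("DISK-01", image, source="workstation WS-07 (constructed)",
                handler="investigator A")
    log.record("DISK-01", "write-blocked forensic copy made", "investigator A")
    log.record("DISK-01", "transported to lab in sealed bag", "courier B")
    results = {
        "original_ok": log.verify_item("DISK-01", image),        # True
        "modified_ok": log.verify_item("DISK-01", image + b"x"),  # False
        "chain_ok": log.verify_chain()[0],                        # True
    }
    # Simulate an after-the-fact edit of the transport entry in the log.
    log.entries[2]["handler"] = "investigator A"
    results["chain_after_edit"] = log.verify_chain()             # (False, 2)
    return results


if __name__ == "__main__":
    print(demo())
```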

3.5.3.3.3 Sub-phase 3: Analyse the evidence (nine steps)

Step 1: Revisit the initial investigation plan. Consider the available information,

consider the tools and expertise allocated to the team and ensure that the evidence

is human readable (Carrier & Spafford, 2003; Casey, 2004; Louwrens et al., 2006b;

O'Ciardhuain, 2004).

Step 2: Develop a hypothesis and criteria to prove it (Louwrens et al., 2006b;

O'Ciardhuain, 2004).

Step 3: Prepare the evidence for analysis. It may be necessary to convert large

volumes of data to a manageable size (Beebe & Clark, 2005; Casey, 2004; Louwrens

et al., 2006b).

Step 4: Analyse the available evidence (Beebe & Clark, 2005; Louwrens et al.,

2006b).

Examine evidence to establish the best evidence (Casey, 2004; Louwrens et al.,

2006b; O'Ciardhuain, 2004). The investigator must apply reduction techniques to

eliminate the evidence that is not relevant to the case (Carrier & Spafford, 2003;

Casey, 2004). It will be useful to assess the results to determine means, motivation,

and opportunity, as well as the skill level of the suspect. The investigator should use

more than one DF tool to analyse the evidence.

Step 5: Reconstruct the incident (Barayumureeba & Tushabe, 2004; Beebe & Clark,

2005; Carrier & Spafford, 2003; Casey, 2004).

Step 6: Test the hypothesis by applying fusion and correlation techniques (Beebe &

Clark, 2005; Casey, 2004; Louwrens et al., 2006b). Test the hypothesis by using the

criteria set.

Step 7: Validate the analysis results (Louwrens et al., 2006b).

Step 8: Document the findings (Casey, 2004; Louwrens et al., 2006b).

Step 9: Secure the documentation (Louwrens et al., 2006b).

3.5.3.3.4 Sub-phase 4: Restore the services

Interact with the organisational (Info Sec) BCP team to restore services as soon as possible

to minimise the interruption to business activities (Forrester & Irwin, 2007).


3.5.3.4 PHASE 4: Incident reconstruction

Consolidate physical investigation and digital investigation findings and determine if the

consolidated evidence acquired supports the hypothesis (Carrier & Spafford, 2003).

3.5.3.5 PHASE 5: Presentation of findings (three steps)

Present findings to management and/or authorities (Barayumureeba & Tushabe, 2004;

Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007;

Louwrens et al., 2006b; O'Ciardhuain, 2004).

3.5.3.5.1 Step 1: Prepare case

To present a case successfully, it is essential to prepare properly. The investigator should

determine who the target audience is, use appropriate presentation aids, assemble all

evidence required, and prepare exhibits. If one needs to use an expert witness [2] during

the presentation, prepare the witness. When preparing the evidence and exhibits the

chain of custody should be preserved at all times (Louwrens et al., 2006b).

3.5.3.5.2 Step 2: Present the case (Casey, 2004; Louwrens et al., 2006b)

3.5.3.5.3 Step 3: Preserve the evidence (Louwrens et al., 2006b)

3.5.3.6 PHASE 6: Incident closure (two steps)

Disseminate the result of the investigation and close the incident (Beebe & Clark, 2005; Carrier & Spafford, 2003; O'Ciardhuain, 2004).

3.5.3.6.1 Step 1: Review the result to identify and apply lessons learned (Beebe & Clark, 2005;

Forrester & Irwin, 2007).

3.5.3.6.2 Step 2: Dispose / return / preserve applicable post-investigation evidence (Beebe &

Clark, 2005).

Note to reader:

We have identified overlapping and unique elements from the comparison to formulate a draft version of the three components of our CDF capability: ProDF, ActDF, and ReDF. We will use the draft version as a foundation to refine each component in more detail in Chapters 4, 5, and 6. We will add component-specific viewpoints, for example Rowlingson’s viewpoint on DF readiness, to expand on the content of the ProDF component (Rowlingson, 2004) in Chapter 4. We have not included the component-specific viewpoints in the comparisons in this Chapter, as we have only considered frameworks that cover the entire DF investigation process.

[2] The investigator can be the expert witness. An expert witness may also be a subject matter expert, for example a Microsoft Windows 7 operating system expert as an adjunct expert, depending on the case requirements.

As indicated in par. 1.8.3, we have identified two types of DF frameworks: Process and Role-

based DF frameworks. The next section discusses a role-based framework by Ieong (2006).

3.6 ROLE BASED FRAMEWORK: FORZA (IEONG, 2006)

The FORZA (FORensic framework based on ZAchman framework) framework is a technically independent framework that aims to break the barrier between technologists, legal practitioners and investigators. It has been developed using the Zachman framework so as to include legal advisors and prosecutors in the wider perspective. The Zachman framework for enterprise architecture proposes the following roles: a Planner, Owner, Designer, Builder, and Subcontractor. The FORZA framework proposes the following roles:

Case leader: planner and orchestrator of the entire digital investigation process. He / she should lead the case and determine whether the investigation should continue or not.

System / business owner: owner of system to be inspected. He / she can be the victim /

suspect or the sponsor of the case.

Legal advisor: the first legal advisor that the case leader will contact for legal advice.

Security / system architecture / auditor: these people understand the controls and security

architecture and can provide the case leader with an estimate of the scope of the event and

the security controls implemented.

DF specialist: plans the entire DF investigation process. This is not a static process, but will

provide a strategy for the investigation.

DF investigator / system administrator / operator: the person who will carry out the actual

investigation – data collection, extraction, preservation and storage of evidence.

DF analyst: analyses the evidence, proves the hypothesis.

Legal prosecutor.

Figure 3-4 (below) is a diagrammatic representation of the proposed process flows between the roles.


These layers are interrelated through a set of six questions: what? (data attributes), why? (motivation), how? (procedure), who? (people), where? (location) and when? (time). Table 3.4 (above) is a high-level view of the FORZA framework (Ieong, 2006).

Note to reader:

This framework is a role-based framework that includes a process component (how?). The process component correlates with the phases and steps (process view) of the various components of our CDF capability as identified in par. 3.4. The framework adds value by answering the questions of why? who? where? when? how? and what? The process framework covers the questions implicitly, but we want to use it to formulate our framework to implement and manage DF in an organisation: DFMF. There is an intuitive overlap between the FORZA framework’s Why, How, Where, When, What and Who questions, and the identified dimensions that we intend to use in the formulation of the management component of the proposed DFMF.

The next section will compare the process- and role-based frameworks.

[Figure 3-4 content: each role is mapped to a layer of the FORZA framework – Case leader: Contextual investigation layer; System owner: Contextual layer; Legal advisor: Legal advisory layer; Security architect: Conceptual security architecture layer; DF specialists: Technical presentation layer; DF investigators: Data acquisition layer; DF analysts: Data analysis layer; Legal prosecutor: Legal presentation layer]

Figure 3-4 Diagrammatic representation of the proposed process flows between roles (Ieong, 2006)


Table 3.4. High-level view of the FORZA framework (Ieong, 2006)

| Role (layer) | Why (Motivation) | What (Data) | How (Function) | Where (Network) | Who (People) | When (Time) |
|---|---|---|---|---|---|---|
| Case leader (Contextual investigation layer) | Investigation objectives | Event nature | Request initial investigation | Investigation geography | Initial participant | Investigation timeline |
| System owner (Contextual layer) | Business objectives | Business and event nature | Business and system process framework | Business geography | Organisation and participants relationship | Business and incident timeline |
| Legal advisor (Legal advisory layer) | Legal objectives | Legal background and preliminary issues | Legal procedure for further investigations | Legal geography | Legal entities and participants | Legal timeframe |
| Security architect (Conceptual security layer) | Security controls objectives | Security information and security control framework | Security mechanisms | Security domain and network infrastructure | Users and security entity framework | Security timing and sequencing |
| DF specialist (Technical presentation layer) | DF investigation strategic objectives | Forensic data framework | Forensic strategy design | Forensic data geography | Forensic entity framework | Hypothetical forensic event timeline |
| DF investigator (Data acquisition layer) | Forensic acquisition objectives | On-site forensic data observation | Forensic acquisition / seizure procedures | Site network forensic data acquisition | Participants interviewing and hearing | Forensic acquisition timeline |
| DF analyst (Data analysis layer) | Forensic examination objectives | Event data reconstruction | Forensic analysis procedures | Network address extraction and analysis | Entity and evidence relationship analysis | Event timeline reconstruction |
| Legal prosecutor (Legal presentation layer) | Legal presentation objectives | Legal presentation attributes | Legal presentation procedures | Legal jurisdiction location | Entities in litigation process | Timeline for entire event presentation |


3.7 COMPARISON OF ROLE-BASED AND PROCESS FRAMEWORKS

A comparison of the process and role-based frameworks as discussed in this chapter reveals that the process frameworks:

concentrate on the how (function).

make limited references to the who, when, where and what aspects of the FORZA framework. Beebe and Clark refer to an examination sub-phase that refers to answers to ‘who’, ‘what’, ‘when’, ‘where’, ‘why’ and ‘how’ (see par. 3.3.4) (Beebe & Clark, 2005).

follow a step-by-step waterfall approach with some iteration between steps and phases, whereas the role-based framework provides a high-level plan based on who should do what, when, where, how and at which level.

do not prescribe the roles or level of performance.

do not include comprehensive legal requirements as indicated by the role of the legal prosecutor.

The FORZA model does not add value in the sense of adding additional steps to the content of the components of our CDF capability. However, the roles and the questions asked (who, what, when, where, how and why) in Ieong’s framework will be included in the formulation of our DF management framework in Part 2 to implement and manage our CDF capability. It will provide us with aspects to consider, for example, on who must do what, why, when and how, if an incident arises or we need evidence. We will map the questions of the FORZA framework to the identified dimensions of DF: governance, people, process, policy, and technology (par. 3.6) when formulating our DFMF in Chapter 8.

3.8 SUMMARY

We have researched and discussed the identified conventional composite process DF frameworks and a role-based framework. The discussed frameworks have been compared and we have used the comparison to identify elements for the ProDF and phases with steps for the ReDF and ActDF components of our CDF capability. We have used tags (PROACTIVE, ACTIVE and REACTIVE) to classify the different phases and steps during the discussion of each framework. The comparisons made in paragraph 3.4 indicate that not one of the discussed DF frameworks is comprehensive, as no framework includes all three components with the identified phases with steps. We have identified a draft version of our CDF capability in par. 3.4. This will be the starting point for formulating more comprehensive components of our CDF capability.

The next three chapters (4, 5, and 6) will formulate each component of the comprehensive capability. The DF frameworks researched in this chapter focus on the preparation for investigations. However, as indicated in Chapter 2, evidence is also required in organisations for non-investigation purposes, for example to prove compliance (paragraph 1.3.5). In the next chapter, we will evaluate other views on DF readiness and ProDF to obtain a comprehensive view of the ProDF component. The ReDF component of our CDF capability has been well researched and we will consolidate the views of the various authors and the role-based DF framework to propose a single comprehensive view of this component in Chapter 5. The ActDF component will be formulated in Chapter 6.


3.9 FOLD-OUT FOR CHAPTER 3


[Fold-out content, reconstructed from the diagram text:]

Chapter 3: Conventional DF frameworks

Par. 3.2

Process oriented frameworks:
Framework 1: Ó Ciardhuain (Par. 3.3.1)
Framework 2: Carrier and Spafford (Par. 3.3.2)
Framework 3: Baryamureeba and Tushabe (Par. 3.3.3)
Framework 4: Beebe and Clark (Par. 3.3.4)
Framework 5: Louwrens et al. (Par. 3.3.5)
Framework 6: Casey (Par. 3.3.6)
Framework 7: Forrester and Irwin (Par. 3.3.7)

Par. 3.4 Comparison of process frameworks

Par. 3.5 First Draft of comprehensive DF Capability
Par. 3.5.1 ProDF: 3.5.1.1 Element 1: Ensure DF ready infrastructure; 3.5.1.2 Element 2: Assess risks for all business scenarios; 3.5.1.3 Element 3: Develop information retention plan; 3.5.1.4 Element 4: Develop DF policies and procedures; 3.5.1.5 Element 5: Prepare for incident response; 3.5.1.6 Element 6: Establish DF training and awareness programmes; 3.5.1.7 Element 7: Document and validate a DF protocol against best practice
Par. 3.5.2 ActDF: 3.5.2.1 Phase 1: Acquire relevant live evidence; 3.5.2.2 Phase 2: Ensure integrity; 3.5.2.3 Phase 3: Document live acquisition process; 3.5.2.4 Phase 4: Analyse the live data
Par. 3.5.3 ReDF: 3.5.3.1 Phase 1: Incident response and confirmation; 3.5.3.2 Phase 2: Physical investigation; 3.5.3.3 Phase 3: Digital investigation; 3.5.3.4 Phase 4: Incident reconstruction; 3.5.3.5 Phase 5: Presentation of findings; 3.5.3.6 Phase 6: Incident closure

Par. 3.6 Role-based framework: Ieong

4 CHAPTER 4

PROACTIVE DIGITAL FORENSICS (ProDF)

4.1 INTRODUCTION

“Whoever quipped, ‘An ounce of prevention is worth a pound of cure’ must have been a system administrator. Many system problems can best be solved by preventing them from occurring. However, because not all problems can be prevented, the next best practice is preparation. Indeed, The Coroner’s Toolkit (TCT) documentation says, ‘TCT probably won’t help you out unless you’ve already looked at it, played with it, and know what tools do, as well as what to expect from them’” (Frye, 2005).

Info Sec aims to protect the organisation against attacks and misuse. Controls are designed to deter and prevent attacks but do not consider the evidence and process requirements for admissible and suitable evidence and processes. Traditionally DF is applied as a reactive discipline that concentrates on the investigation of an incident. However, the application of DF in organisations is changing from an investigation and response mechanism to a powerful proactive measure.

DF tools are used by organisations to:

collect digital evidence in a legally acceptable format

audit an organisation’s networks and structure

validate policies and procedures

assist in identifying and prioritising major risks

provide access to an organisation’s most valuable data during an investigation

provide training in first response to avoid the contamination of evidence (Nikkel, 2006).

The CSI 2010/2011 computer crime and security survey (Richardson, 2012) has revealed that 43.2% of respondents are using forensic tools as part of their security technology suite. DF examinations and tools are becoming indispensable for law enforcement, corporate security and intelligence gathering (Allen, 2005).

We have identified that our CDF capability has a proactive component in Chapter 2 par. 2.8.2 and Chapter 3 par. 3.5.1. Being proactive is defined as ‘creating or controlling a situation rather than just responding to it’ (Soanes & Hawker, 2005).

The researched literature on DF readiness concentrates on evidence identification, handling and storage, first line incident response, DF investigation infrastructure and tool availability and training requirements (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003; Garcia, 2005; Louwrens et al., 2006b; Rowlingson, 2004). It does not consider the proactive inclusion of DF requirements to enhance corporate governance structures and specifically IT governance structures, for example to acquire digital evidence to assess and validate controls, procedures, and policies, as discussed in par. 2.5.

The chapter will use the elements of the ProDF component identified in Chapter 3 par. 3.5.1 and examine other specific views on proactive forensics (Bradford et al., 2007) and DF readiness (Garcia, 2005; Rowlingson, 2004) to determine the relationship between ProDF and DF readiness. We will establish that DF readiness is a subset of ProDF.

We will propose a comprehensive ProDF component for our CDF capability. The ProDF component will enable an organisation to take the initiative by implementing adequate measures to become DF-ready, demonstrate due diligence for good corporate governance and specifically IT governance, and provide a mechanism to assess IT Governance frameworks and therefore improve the frameworks (Chapter 2, par. 2.8.2). Figure 4-1 (below) depicts the role of this chapter within the overall thesis.

[Figure 4-1 content: Part 1: Background – Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF). Part 2: Construction of DFMF. Part 3: Conclusion.]

4.2 AIM AND STRUCTURE OF THIS CHAPTER

The aim of the chapter is to discuss and refine the ProDF component (as identified in Chapter 3, par. 3.5.1) of our CDF capability. The chapter will:

provide a brief background to ProDF (par. 4.3)

define and discuss DF readiness (par. 4.4)

compare the elements of the ProDF component (Chapter 3, par. 3.5.1) with the DF readiness viewpoints of Garcia (2005) and Rowlingson (2004) (par. 4.4)

illustrate inadequacies in current DF readiness frameworks to meet the need for a ProDF component (Table 4.3)

demonstrate that DF readiness is a subset of ProDF (Table 4.3)

formulate the ProDF component by defining the component and proposing and briefly discussing goals and supporting elements for ProDF (par. 4.5).

Note to reader:

We have included a fold-out in par. 4.7, p. 4-115. We suggest that this page be folded out at this stage to provide context. It is also advised that the fold-out be referred to continuously, as it ensures that the context of reading is preserved.

Figure 4-1 Role of the Chapter in the thesis (by author)


4.3 BACKGROUND: WHY PRODF?

We are living in the knowledge age where information and knowledge are the most sought-after commodities. Criminals, competitors, and even employees exploit loopholes in current security architectures, use anti-forensic techniques and tools to hide their traces and apply forensic tools and techniques to obtain the information required to commit cybercrimes.

Organisations spend much time, money, and effort in planning for incidents, natural disasters, or security breaches. They draft incident response, disaster recovery and business continuity plans. These plans identify potential threats or incidents and prescribe the best way to recover and to continue with the business as quickly as possible, since Info Sec and contingency plans focus on the prevention of, detection of, containment of, and recovery from security breaches or attacks. Very little thought is given to the identification and preservation of evidence or the correct structuring of processes for possible prosecution. The result is that investigations fail due to the lack of ‘good evidence’ or inadequate procedures being followed.

Various driving factors for the use of DF in organisations have been discussed in Chapter 2, par. 2.5. Organisations need CDE (comprehensive digital evidence) as defined in par. 2.7.2. Organisations use DF to:

investigate incidents, fraud or employee behaviour (pars. 2.5.2.1; 2.5.2.2; 2.5.2.3; 2.5.2.4; 2.5.2.5)

assess effectiveness and efficiency of controls or procedures (par. 2.5.1.1)

assess legal, regulatory and best practice compliance (pars. 2.5.1.1; 2.5.1.2)

use DF tools for non-investigative purposes, for example to improve IT and Info Sec governance structures and performance (par. 2.5.2.6).

Evidence is not only stored information but can also be logs generated by business processes, snapshots of systems, cell phone records, and access control records. Different business units or areas will have different evidence requirements. It will be necessary for organisations to proactively determine what evidence the different business units may require.

Corporate Governance reports and legislation, for example Sarbanes-Oxley (Sarbanes-Oxley Act of 2002, 2002), King II and King III (King, 2003; 2009), demand that management be responsible and accountable for the IT infrastructure, applications and information of the organisation, provide reasonable assurance to assess the efficiency of controls and prove compliance by having documented evidence of assessments and ‘good’ evidence available.

Sarbanes-Oxley requires that companies review their policies and procedures closely regarding internal investigations, and implement the necessary processes and tools to react quickly and effectively to reports of fraudulent activities (Patzakis, 2003).

The application of DF tools and techniques can enable management to retrieve evidence, if the organisation has planned its evidence requirements properly. Sarbanes-Oxley (SOX) requires an internal computer investigation after an incident has been confirmed. The development of a whistle-blowing policy to report any fraudulent activities is essential (Patzakis & Limongelli, 2004). Figure 4-2 (below) is an adapted diagrammatic representation of internal computer investigation requirements (required by SOX) as presented by Patzakis and Limongelli (2004).

Figure 4-2 Adapted diagrammatic representation of internal computer investigations SOX requirements (Patzakis & Limongelli, 2004)

Organisations are aware of the corporate governance requirements, but few realise the value that the application of DF can add. The DF protocols and tools can be used to acquire evidence to assess the effectiveness of controls. The tools can provide documented proof of the assessment to demonstrate due diligence with respect to good governance. It is therefore essential that organisations prepare themselves for the use and application of DF.

The frameworks discussed and compared in Chapter 3 (par. 3.5.1) identified the need to prepare for investigations or to become DF-ready. We have identified seven elements for a ProDF component in Chapter 3. We will use the identified elements and existing views on DF readiness to determine if the proposed ProDF component is the same as DF readiness. The next section will identify and consolidate needs for ProDF.

[Figure 4-2 content: SOX sections feeding the central internal investigation infrastructure (internal investigations enterprise computer forensic best practice) – Section 806, 1107: Protection and encouragement; Section 301: Complaints and allegations of fraud; Section 802: Evidence preservation duty (severe penalties for destruction); Section 302: CEOs evaluate internal controls and disclose internal fraud; Section 409: Timely reporting; Section 404: Effective internal controls required]


4.3.1 ProDF needs

We have identified and compiled the following list of eleven needs using the discussion in Chapter 2, par. 2.5 and the ProDF elements identified in Chapter 3 (par. 3.5.1):

1. Identify, gather and manage potential evidence with minimal business interruption (Beebe & Clark, 2005; Louwrens et al., 2006b; Nikkel, 2006; Rowlingson, 2004).

2. Minimise the cost and impact of an investigation (Louwrens et al., 2006b).

3. Establish training and awareness programmes (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007; Louwrens et al., 2006b).

4. Demonstrate that organisations practise good corporate governance by demonstrating due diligence through the application of DF tools, techniques and processes (par. 2.5.1.1).

5. Assess compliance with legal, regulatory and best practice requirements (Nikkel, 2006).

6. Assess effectiveness and efficiency of controls to enhance the IT governance and Info Sec governance frameworks of the organisation (Louwrens & von Solms, 2005; Nikkel, 2006).

7. Incorporate DF evidence and process requirements in the contingency plans, policies and procedures. The IRP should include criteria to prescribe when to activate trigger events for predetermined incidents to gather live evidence (Louwrens et al., 2006b).

8. Apply DF tools using an acceptable protocol or process to ensure admissible evidence and a successful investigation (Louwrens et al., 2006b).

9. Ensure that the operational and investigation infrastructure can support the application of DF tools and technologies.

10. Enable forensic activities by designing DF-friendly systems and processes. Organisations should structure the relevant processes to be forensically sound and design software systems in such a way that future DF investigations are made easier (Bradford et al., 2007).

11. Disable anti-forensic activities (Louwrens et al., 2006b).

The list of needs may be incomplete, but we will use the above-mentioned eleven needs to determine if ProDF is more comprehensive than DF readiness. We have identified the following definitions for proactive forensics from literature:

Proactive computer systems forensics is the design, construction and configuration of systems to make them most amenable to DF analysis in the future (Bradford et al., 2007).

Proactive forensics is the ability to ‘catch’ or detect a crime as it occurs (Orebaugh, 2006).

The proactive mode of DF ensures that all necessary processes, procedures and technologies are in place to enable action when required (Louwrens, von Solms & Kannelis, 2006a).

The current views and definitions of ProDF refer to DF readiness and include some aspects of structuring of systems to enable DF investigations (Bradford et al., 2007).

Note to reader:

The definitions above do not meet the expectations of the industry and governance reports, such as Sarbanes-Oxley (Sarbanes-Oxley Act of 2002, 2002) and King II and III (King, 2003; 2009), as they do not cover:

any assessment of controls or make provision for the documented proof of assessment

assessment of controls for the enhancement of Governance (IT and Info Sec) frameworks

the prevention of anti-forensic activities (Louwrens et al., 2006b).

We have proposed the following definition for ProDF in Chapter 2 (par. 2.8.2):

ProDF is the forensic preparation of an organisation to ensure successful, cost-effective investigations, with minimal disruption to business activities, and the use of DF to establish and manage governance programmes.

The next section will investigate DF readiness as discussed in the literature. We will compare elements of the identified ProDF component from Chapter 3 (par. 3.5.1) with other specific views on DF readiness. The purpose of the comparison is to determine if ProDF is already contained in the current views on DF readiness, or if DF readiness is a subset of ProDF.


4.4 RELATIONSHIP BETWEEN DF READINESS VIEWS AND PRODF

We have compared various DF frameworks (Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004) in Chapter 3. Most of the mentioned frameworks included a ‘preparation’ or ‘DF readiness’ component and have proposed different elements to implement DF readiness in organisations.

We have identified the following definitions for DF readiness from literature:

Rowlingson defines DF readiness as the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation (Rowlingson, 2004).

Garcia defines DF readiness as the ‘art of maximising the environment’s ability to collect credible evidence’ (Garcia, 2005).

We propose the following definition for DF readiness, adapted from Rowlingson (2004):

DF readiness is the ability of an organisation to maximise its potential to use comprehensive digital evidence whilst minimising the costs of an investigation.

Note to reader:

We have identified different goals for DF readiness from literature and will compare them in order to propose goals for DF readiness. We will then identify and compare elements (phases and/or steps) of DF readiness from literature to propose a comprehensive list of elements for DF readiness. We identify the goals and elements to determine if DF readiness as defined in literature addresses the ProDF needs (par. 4.3.1).

We have not referred to any goals for the various elements in the frameworks discussed in Chapter 3. We will now identify the goals for DF readiness of the frameworks discussed in Chapter 3 (Beebe and Clark; Louwrens et al.; Barayumureeba and Tushabe) as well as the goals for DF readiness identified by Garcia and Rowlingson.

We have not included Rowlingson (2007) and Garcia (2005) in Chapter 3 as their views concentrate on DF readiness and not on the entire investigation process of incidents.


4.4.1 DF Readiness goals

4.4.1.1 DF readiness (preparation) goals as identified by the frameworks discussed in Chapter 3

The various authors (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Louwrens et al., 2006b) have formulated different goals for their preparation or readiness phases. We have identified three goals:

4.4.1.1.1 Goal 1: The goal of the readiness or preparation phase is to ensure that operations and infrastructure fully support an investigation (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003).

4.4.1.1.2 Goal 2: The goal of the preparation phase is to keep in mind steps to maximise digital evidence availability in support of deterrence, detection, investigation, and prosecution related to security incidents (Beebe & Clark, 2005).

4.4.1.1.3 Goal 3: The goal of the planning and preparation phase is to provide guidance on planning and preparation of DF by referring to information retention, response planning, DF training, cost-effective investigations, and how to accelerate an investigation (Louwrens et al., 2006b).

Garcia and Rowlingson proposed the following goals for DF readiness:

4.4.1.2 DF Readiness goals of Garcia (2005)

Garcia has proposed a DF readiness framework that concentrates on continuity (incident response) readiness with four goals.

4.4.1.2.1 Goal 1: Prepare the incident response capabilities.

4.4.1.2.2 Goal 2: Prepare an incident response team by defining proper processes and training programmes.

4.4.1.2.3 Goal 3: Prepare systems and networks.

4.4.1.2.4 Goal 4: Prepare for containments.

4.4.1.3 DF Readiness goals of Rowlingson (Rowlingson, 2004)

Rowlingson proposes five goals:

4.4.1.3.1 Goal 1: Gather admissible evidence legally and without interfering with business processes.

4.4.1.3.2 Goal 2: Gather evidence by targeting the potential crimes and disputes that may have an adverse impact on an organisation.

4.4.1.3.3 Goal 3: Allow an investigation to proceed at a cost in proportion to the incident.

4.4.1.3.4 Goal 4: Minimise interruption to the business from any investigation.

4.4.1.3.5 Goal 5: Ensure that evidence makes a positive impact on the outcome of any legal action.

4.4.1.4 Our proposed DF readiness goals (four goals)

We have compared, re-organised and consolidated the various goals identified to propose four goals for DF readiness in Table 4.1 (below) (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Garcia, 2005; Louwrens et al., 2006b; Rowlingson, 2004). The numbers in the table refer to the corresponding paragraph numbers.

Table 4.1. Comparisons of goals for DF readiness (by author)

| Goal | Barayumureeba; Carrier (par.) | Beebe and Clark (par.) | Louwrens et al. (par.) | Garcia (par.) | Rowlingson (par.) |
|---|---|---|---|---|---|
| .1 Maximise CDE availability | | 4.4.1.1.2 | 4.4.1.1.3 | | 4.4.1.3.1; 4.4.1.3.2; 4.4.1.3.5 |
| .2 Ensure that operations and infrastructure fully support an investigation | 4.4.1.1.1 | | 4.4.1.1.3 | 4.4.1.2.1; 4.4.1.2.3; 4.4.1.2.4 | |
| .3 Prepare a responsible, competent human resource capability | 4.4.1.1.1 | | 4.4.1.1.3 | 4.4.1.2.2 | |
| .4 Ensure cost-effective investigations | | | 4.4.1.1.3 | | 4.4.1.3.3; 4.4.1.3.4 |

We summarise four DF readiness goals from Table 4.1 as:

Goal 1: Maximise CDE availability (Beebe & Clark, 2005; Louwrens et al., 2006b; Rowlingson, 2004).

Goal 2: Ensure that operations and infrastructure fully support an investigation (Barayumureeba & Tushabe, 2004; Garcia, 2005; Louwrens et al., 2006b).

Goal 3: Prepare responsible and competent employees (Barayumureeba & Tushabe, 2004; Garcia, 2005; Louwrens et al., 2006b).

Goal 4: Ensure a cost-effective investigation (Louwrens et al., 2006b; Rowlingson, 2004).


Note to reader:

The various authors whom we reference in this section use ‘steps’ or ‘phases with related steps’ to discuss what is covered by their DF readiness or preparation component. The authors did not discriminate between the terms ‘phases’ and ‘steps’.

We will now compare the phases and/or steps of the identified authors to identify elements of DF readiness. The elements should support the identified goals of DF readiness. There is no explicit correlation between individual goals and the supporting phases and/or steps (elements).

4.4.2 DF Readiness elements

We will compare the identified elements of ProDF from Chapter 3 (par. 3.5.1) and the phases or steps proposed by Garcia (2005) and Rowlingson (2004) to propose a set of elements for DF readiness.

4.4.2.1 Garcia (2005)

Garcia has suggested the following four phases:

4.4.2.1.1 Phase 1: Prepare the incident response capabilities

- Laboratory: ensure that there is an isolated network, forensic servers, short- and long-term servers, isolated systems and disk servers
- Availability of a jump bag: blank media, disk duplicators and networking gear
- Availability of relevant forensic tools.

4.4.2.1.2 Phase 2: Prepare an incident response team

- Define forensically sound processes: consider crime scene procedures, how to maintain the chain of custody and legalities
- Provide forensic tool training: these tools can include commercial or free tools, operating systems, applications, hardware and physical devices
- Include real life case training in the training programmes.

4.4.2.1.3 Phase 3: Prepare systems and networks

- Utilise and maximise logging capabilities
- Use profiling
- Use periodical auditing
- Analyse forensic data
- Use forensic friendly file systems
- Use good practices for file system separation
- Enable remote logging.

4.4.2.1.4 Phase 4: Prepare for containments

- Consider the network by using good practices for network design and choke points
- Set up host-based firewalls
- Have a restricted investigative team.

4.4.2.2 Rowlingson (2004)

Rowlingson proposed ten steps:

4.4.2.2.1 Step 1: Define the business scenarios that will require digital evidence

4.4.2.2.2 Step 2: Identify available sources and different types of potential evidence

4.4.2.2.3 Step 3: Determine the evidence collection requirements

4.4.2.2.4 Step 4: Establish a capability to securely gather legally admissible evidence

4.4.2.2.5 Step 5: Establish a policy for secure storage and handling of evidence and write up a secure evidence policy

4.4.2.2.6 Step 6: Ensure that monitoring and auditing is targeted to detect and deter major incidents

4.4.2.2.7 Step 7: Specify the circumstances of when to escalate to a full formal investigation

4.4.2.2.8 Step 8: Train staff in incident awareness, including their role in the investigation process and the legal requirements of evidence

4.4.2.2.9 Step 9: Document an evidence-based case describing the incident and its impact

4.4.2.2.10 Step 10: Ensure legal review to facilitate action in response to the incident.

4.4.2.3 Proposed DF readiness elements

We have consolidated, re-organised, and compared the preliminary elements of the proposed ProDF component as identified in Chapter 3 (par. 3.5.1), the phases of Garcia (par. 4.4.2.1), and the steps by Rowlingson (par. 4.4.2.2) for DF readiness in Table 4.2 (below) to propose five elements for DF readiness.


Table 4.2. Comparison of DF readiness elements (by author)

| Element | DF readiness element | Chapter 3 (Par.) | Garcia (Par.) | Rowlingson (Par.) |
|---|---|---|---|---|
| .1 | Develop an information retention plan | 3.5.1.2; 3.5.1.3; 3.5.1.4 | | 4.4.2.2.1; 4.4.2.2.2; 4.4.2.2.3; 4.4.2.2.5 |
| .2 | Prepare the infrastructure: operational infrastructure (including incident response capabilities); DF investigation infrastructure | 3.5.1.1; 3.5.1.5 | 4.4.2.1.1; 4.4.2.1.2; 4.4.2.1.3; 4.4.2.1.4 | 4.4.2.2.4; 4.4.2.2.6; 4.4.2.2.7 |
| .3 | Develop a DF training and awareness programme | 3.5.1.6 | | 4.4.2.2.8 |
| .4 | Establish DF management capability | 3.5.1.5; 3.5.1.7 | | 4.4.2.2.10 |
| .5 | Document and validate a DFI protocol against best practice; documented evidence-based cases describing the incident and its impact available | 3.5.1.4; 3.5.1.5 | | 4.4.2.2.9 |

We propose the following five DF readiness elements from Table 4.2:

4.4.2.3.1 Element 1: Develop an information retention plan (pars. 3.5.1.2 - 3.5.1.4; 4.4.2.2.2; 4.4.2.2.3; 4.4.2.2.5)

- Define the business scenarios that will require digital evidence during risk assessment (pars. 3.5.1.2; 4.4.2.2.1).
- Identify available sources and different types of potential evidence (pars. 3.5.1.2, 3.5.1.3; 4.4.2.2.2).
- Determine the evidence collection requirement; include legal, regulatory, and technical requirements (pars. 3.5.1.3; 4.4.2.2.3; 4.4.2.2.4).
- Establish relevant policies and procedures; for example, secure storage, handling of evidence, and an evidence preservation policy to preserve the chain of custody (pars. 3.5.1.4; 4.4.2.2.5).
- Establish a capability to gather evidence systematically (par. 3.5.1.3).
- Ensure that monitoring and auditing is targeted to detect and deter major incidents (par. 4.4.2.2.6).

This element supports DF readiness goal 2: maximise CDE availability.

4.4.2.3.2 Element 2: Prepare the infrastructure (pars. 3.5.1.1; 4.4.2.1.3)

We discriminate between the operational and investigation infrastructure:

Prepare the operational infrastructure by preparing systems and networks (pars. 3.5.1.1; 4.4.2.1.3). Organisations should:

- establish a capability to systematically gather legally admissible evidence, for example, turn on and maximise logging capabilities and periodical auditing (par. 4.4.2.1.3). Implement an IDS to ensure the early detection of incidents (par. 3.5.1.5) by using, for example, profiling (par. 4.4.2.1.3).
- enable remote logging (par. 4.4.2.1.3) for live evidence acquisition.
- configure relevant devices, for example time synchronization of all relevant devices and systems, to prevent anonymous activities and the use of anti-forensic strategies, for example, data destruction, manipulation, or data hiding (pars. 3.5.1.1; 3.5.1.4).
- design systems to enable forensic activities, for example, use forensic friendly file systems and use good practices for file system separation (pars. 4.3 (10); 4.4.2.1.3).
- augment the IRP (including policies, staff assignments, and technical responsibilities) (par. 3.5.1.5). Specify circumstances when to escalate to a full formal investigation (pars. 3.5.1.5; 4.4.2.2.7) and augment or develop incident response policies and procedures (pars. 3.5.1.5; 4.4.2.1.1). It is essential to develop strategies to contain incidents (par. 4.4.2.1.4).

Create and prepare a DF investigation infrastructure:

- Ensure the availability of a fully equipped DF investigation laboratory, so that an isolated network, forensic servers, short- and long-term servers, and isolated systems are available (pars. 3.5.1.1; 4.4.2.1.1).
- The laboratory must have available blank media, disk duplicators, networking gear and appropriate forensic tools (par. 4.4.2.1.1). Ensure that the relevant tools and technologies are available to acquire and analyse live, static, and legacy evidence (par. 4.4.2.1.1).

This element supports DF readiness goal 1: Ensure that operations and infrastructure fully support an investigation.

4.4.2.3.3 Element 3: Develop DF education, training and awareness programmes to prepare responsible and competent employees

It will be essential to establish different education, training and awareness programmes (pars. 3.5.1.6; 4.4.2.1.2), for example, forensic tool training or first-responder training and awareness programmes for the employees.

This element supports DF readiness goal 3: Prepare a responsible, competent human resource capability.


4.4.2.3.4 Element 4: Establish a DF management capability

To manage the application of DF in an organisation, it is essential to define roles, responsibilities, and a clear strategy on how to apply DF in the organisation. We have identified the following:

- Establish a CERT (pars. 3.5.1.5; 3.5.1.7; 4.4.2.1.2; 4.4.2.1.4)
- Clearly define responsibilities and authority for the CERT and DFI teams (par. 3.5.1.5)
- Define circumstances when it would be necessary to engage professional DFI services (par. 3.5.1.5)
- Establish capabilities and response times for external digital forensic investigation (DFI) professionals (pars. 3.5.1.5; 4.4.2.1.2)
- Ensure legal review to facilitate action in response to the incident (par. 4.4.2.2.10).

This element supports DF readiness goal 1: Ensure that operations and infrastructure fully support an investigation, and goal 4: Ensure cost-effective investigation.

4.4.2.3.5 Element 5: Document and validate a DFI protocol against best practice (pars. 3.5.1.4; 3.5.1.5; 4.4.2.2.10)

Organisations will be able to conduct successful investigations, and documented evidence-based cases describing the incident and its impact on the organisation (par. 4.4.2.2.9) will be available.

This element supports DF readiness goal 1: ensure that operations and infrastructure fully support an investigation, and goal 4: ensure cost-effective investigation.

4.4.3 DF Readiness versus ProDF

The above five elements of DF readiness concentrate on the proactive identification, handling, preservation and acquisition of evidence, an acceptable protocol for the handling of incidents, training, some aspects of the management of DF in organisations, and infrastructure readiness. We have indicated that the five elements fully support the four goals of DF readiness as identified in par. 4.4.1.4.

To determine if DF readiness is the same as the proposed ProDF component, we will now compare the identified needs for ProDF as identified in par. 4.3.1 and the five elements of DF readiness.

We have identified a list of reasons organisations should prepare themselves (needs for ProDF - par. 4.3.1) to ensure evidence availability and DF sound processes. Table 4.3 (below) maps the needs with the identified elements of DF readiness to determine if ProDF is more comprehensive than DF readiness.

Table 4.3. Relationship between ProDF needs and DF readiness (by author)

| ProDF needs (par. 4.3.1) | Status of ProDF need | DF readiness element |
|---|---|---|
| 1. Identify, gather and manage potential evidence with minimal business interruption (Beebe & Clark, 2005; Louwrens et al., 2006b; Rowlingson, 2004) | Fully met | Element 1 |
| 2. Minimise the cost and impact of an investigation (Louwrens et al., 2006b; Rowlingson, 2004) | Partially met | Element 4 |
| 3. Establish DF training and awareness programme (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007; Louwrens et al., 2006b) | Fully met | Element 3 |
| 4. Demonstrate that organisations practice good corporate governance through due diligence with the use of DF tools, techniques and processes (Rowlingson, 2004) | Not met | |
| 5. Assess compliance to legal and regulatory requirements (Nikkel, 2006) | Not met | |
| 6. Assess the effectiveness and efficiency of controls and processes to enhance the IT governance and Info Sec governance frameworks of the organisation (Louwrens & von_Solms, 2005; Nikkel, 2006) | Not met | |
| 7. Incorporate DF evidence and process requirements in the contingency plans, policies and procedures. The IRP should include criteria to prescribe when to activate trigger events for predetermined incidents to gather live evidence (Louwrens et al., 2006b) | Partially met | Elements 2, 4 |
| 8. Application of DF tools using an acceptable protocol or process to ensure admissible evidence and a successful investigation (Louwrens et al., 2006b) | Fully met | Elements 1, 4, 5 |
| 9. Ensure that the operational and investigation infrastructure can support the application of DF tools and technologies | Fully met | Element 2 |
| 10. Enable forensic activities by designing DF-friendly systems and processes. Organisations should structure the relevant processes to be forensically sound and design software systems in such a way as to facilitate future DF investigations (Bradford et al., 2007) | Partially met | Element 2 |
| 11. Disable anti-forensic activities (Louwrens et al., 2006b) | Fully met | Element 2 |

The elements for DF readiness fully address needs 1, 3, 8, 9 and 11, and partially address needs 2, 7 and 10. Needs 4, 5, and 6 have not been addressed.

We propose including the partially covered need 7 (criteria for when to activate an ActDF investigation) in DF readiness phase 3: Prepare infrastructure. Organisations can configure the infrastructure and incident response procedures to incorporate criteria as to when to start an ActDF investigation.

The needs not fully addressed by the DF readiness phases (Table 4.3 above) are:

- Minimise the cost and impact of an investigation (need 2)
- Use DF to demonstrate good corporate and / or IT governance (need 4)
- Demonstrate compliance (need 5)
- Enhance the security posture and IT governance frameworks (need 6)
- Incorporate DF evidence and process requirements in the contingency plans, policies and procedures. The IRP should include criteria to prescribe when to activate trigger events for predetermined incidents to gather live evidence (need 7)
- Enable forensic activities in organisations (need 10).

Note to reader:

DF readiness as discussed in the researched literature in this chapter is therefore a subset of ProDF.

Now that we have determined that DF readiness is a subset of our intended ProDF component, we can proceed to define and propose goals with supporting elements for the ProDF component of our CDF capability. The next section proposes a ProDF plan for our ProDF component.


4.5 PROPOSED PRODF PLAN FOR THE PRODF COMPONENT

Sommer (2005) suggests that organisations should have a DF readiness plan; however, we are convinced that organisations need more than this, as DF readiness is a subset of ProDF. We propose extending the DF readiness plan to a ProDF plan with GOALS and associated elements for the ProDF component of our CDF capability. The next section provides a definition for ProDF, and proposes goals for the ProDF component.

4.5.1 ProDF definition

We have compared different definitions for ProDF in par. 4.3.1 and will use the proposed provisional definition for ProDF from Chapter 2 (par. 2.8.2):

ProDF is the forensic preparation of an organisation to ensure successful, cost-effective investigations, with minimal disruption to business activities, and the use of DF to establish and manage governance programmes.

Note to reader:

It is our opinion that the focus of ProDF is on having DF sound processes, prepared employees and infrastructure, well-defined policies, and trained staff, the use of trusted DF tools and acceptable and trustworthy evidence available.

4.5.2 ProDF goals

We use the identified needs for ProDF (par. 4.3.1 and Table 4.3) to identify two goals for ProDF:

ProDF Goal 1: Become DF-ready (needs 1, 2, 3, 7, 8, 9, 10, 11)

ProDF Goal 2: Implement and manage DF to improve governance programmes (IT and Info Sec) (needs 4, 5, and 6).

The nature of ProDF goal 2 necessitates moving element 4: Establish a DF Management capability (par. 4.4.2.3.4) of DF readiness to ProDF goal 2. The next section will briefly discuss each of the two goals identified above to provide an overview of the ProDF component.


4.5.2.1 ProDF Goal 1: Become DF-ready

The chapter has proposed the following four sub-goals for DF readiness (par. 4.4.1.4):

4.5.2.1.1 Sub-goal 1: Prepare the infrastructure

Prepare the operational and DF investigation infrastructure (element 2 of DF readiness).

4.5.2.1.2 Sub-goal 2: Maximise CDE availability

Develop an information retention plan (element 1 of DF readiness).

4.5.2.1.3 Sub-goal 3: Prepare responsible, competent employees

Develop relevant DF education, training and awareness programmes (element 3 of DF readiness).

4.5.2.1.4 Sub-goal 4: Ensure a cost-effective investigation

To ensure a cost-effective investigation it is essential to determine the impact of the incident on the organisation (partially element 4 of DF readiness), and to document and validate a DFI protocol against best practice (element 5 of DF readiness).

4.5.2.2 ProDF Goal 2: Implement and manage DF to improve governance programmes

Organisations have in place governance programmes to enable them to achieve organisational objectives. The governance programmes (including IT and Info Sec) of the organisation can be improved by the implementation of our CDF capability to ensure CDE availability. It will ensure that management can demonstrate due diligence with respect to good governance, as documented assessments can be available to prove the effectiveness of controls measured against business objectives (IT and Info Sec objectives).

Governance programmes generally must be established, implemented, managed and reviewed. The managing and review processes will be recursive. We will discuss how the incorporation of DF can improve governance programmes.

We have identified two sub-goals:

4.5.2.2.1 Sub-goal 1: Establish a DF management capability

The first step that organisations should consider is to augment the organisational structure to include DF (with roles and responsibilities to deal with DF in the organisation) (Nikkel, 2006).

There should be a clear segregation of duties between the DF, risk management, CERT, and Info Sec teams. Investigations are often compromised when these roles and responsibilities are not clearly defined or segregated (par. 4.4.2.3.4).

The decision when to engage with professional DFI services (outsource) should be clearly defined, and legal services should be available to facilitate action in response to the incident (par. 4.4.2.3.4).

4.5.2.2.2 Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of organisational objectives

DF requirements for evidence and processes should be included in the accepted risk management and control frameworks to provide reasonable assurance regarding the achievement of organisational objectives to:

- safeguard the organisation’s assets (including information).

It is essential that the board of directors guarantee the integrity of all documents (Hilley, 2006). Section 802 of Sarbanes-Oxley indicates that there are criminal penalties if documents are altered. DF procedures must adhere to legal requirements for evidence; therefore, it will be possible to prove that the information is original and has not been altered.

DF tools and techniques can be applied to acquire evidence to investigate the misuse of equipment. It is also essential to develop a whistle-blowing policy (Patzakis & Limongelli, 2004). The Info Sec team should incorporate DF techniques in the IT auditing procedures, as this will enable a more accurate audit trail so that the evidence acquired can stand up to legal scrutiny.

- assess compliance with applicable laws, regulations, industry and supervisory requirements.

DF readiness can assist organisations by the proactive identification of information as potential evidence on the corporate network. The evidence can be used to prove compliance.

- support business sustainability under normal as well as adverse operating conditions.

Under normal operating conditions, DF can be applied to assess key risk areas. The risk assessment should address the company’s exposure to, at least: physical and operational risks; human resource risks; technology risks; business continuity and disaster recovery; credit and market risks; and compliance risks.

IT and Info Sec governance frameworks in organisations will have weak points. Organisations apply DF tools for penetration tests to determine the vulnerabilities (Richardson, 2008). Organisations should evaluate all emerging technologies to determine the risks involved and whether the current DF tools will be adequate to investigate an incident.

The responsible use of DF tools can improve the effectiveness and efficiency of the application of technology in an organisation. DF tools and techniques can be applied to assist in data recovery (crashed hard disk), wiping of hard disks before the disposal of equipment and retrieval of lost passwords. Operations can resume after the application of the tools and interruption to business operations can be minimised.

It is necessary to consider DF requirements when formulating the IT Governance controls, policies, and processes. We researched the literature and propose that the following CobiT (ITGI, 2000) controls should be covered (Guldentops et al., 2005; Louwrens & von_Solms, 2005). All the controls in Table 4.4 (below) should consider DF requirements.

Table 4.4. CobiT controls to include DF requirements (by author)

PO: Planning and organisation
- PO1, Define strategic plan
- PO2, Define the information architecture
- PO3, Determine technological direction
- PO4, Define IT processes, organisation and relationships
- PO6, Communicate management aims and direction
- PO8, Manage quality
- PO9, Assess risks and manage IT risks

AI: Acquisition and implementation
- AI1, Identify automated resources
- AI2, Acquire and maintain application software
- AI3, Acquire and maintain technology / infrastructure
- AI4, Enable operations and use
- AI5, Procure IT resources
- AI6, Manage changes
- AI7, Install and accredit solutions and changes

DS: Delivery and Support
- DS1, Define and manage service levels
- DS2, Manage third party services
- DS3, Manage performance and capacity
- DS4, Ensure continuous service
- DS5, Ensure system security
- DS6, Identify and allocate cost
- DS7, Educate and train users
- DS8, Manage service desk and incidents
- DS9, Manage configuration
- DS10, Manage problems
- DS11, Manage data
- DS12, Manage physical environment
- DS13, Manage operations

M: Monitor and evaluate
- M1, Monitor and evaluate IT performance
- M2, Monitor and evaluate internal control
- M3, Ensure regulatory compliance
- M4, Provide IT governance

In adverse conditions, it is essential to consider the revision or augmentation of contingency plans and policies and procedures (incident response, disaster recovery and business continuity) to ensure minimum business interruption and impact on the operations of the organisation (some aspects have been covered by DF readiness sub-goal 1).

- ensure reliability of reporting.

The application of DF tools, techniques and frameworks can enable the board to meet the King II requirement (von_Solms & von_Solms, 2009) that stipulates that

‘the board is responsible for ensuring that a systematic, documented assessment of the processes and outcomes surrounding key risks is undertaken annually, for the purpose of making a public statement on risk management. Should an incident arise and an investigation is completed the organisation should provide a report describing the incident; its impact and review report should be available’.

The incorporation of DF techniques in auditing procedures will ensure more credible audit results. Management should receive regular reports on the risk management process in the organisation as well as regular updates on the progress of an investigation.

- encourage responsible behaviour towards all stakeholders (King, 2003).

Management will be able to use the documented assessments to prove that regular checks have been performed. It is essential to demonstrate transparency and responsibility towards the stakeholders by communicating the impact of the incident on the organisation, the root cause of the incident and the result of an investigation.

Figure 4-3 (below) is a graphical representation of the ProDF component.

Figure 4-3. Graphical representation of the ProDF component (by author)

[Figure 4-3: ProDF branches into ProDF goal 1: Become DF-ready (Sub-goal 1: Prepared infrastructure; Sub-goal 2: Maximise CDE availability; Sub-goal 3: Prepare responsible, competent employees; Sub-goal 4: Ensure a cost-effective investigation) and ProDF goal 2: Implement and manage DF to improve governance programmes (Sub-goal 1: Establish a DF management capability; Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of organisational objectives).]

The chapter has discussed the need for a ProDF component, and compared current DF readiness frameworks and ProDF viewpoints. We have formulated a ProDF framework with two goals and associated sub-goals. We will use the ProDF framework for the ProDF component of our CDF capability in Chapter 7.


4.6 SUMMARY

DF is no longer a reactive discipline, but plays a distinct proactive role in organisations. In the chapter, we have argued and demonstrated that ProDF is more than readiness. DF readiness concentrates on evidence identification and management, training of staff, incident response and infrastructure readiness.

The ProDF component concentrates on the wider application of DF requirements for digital evidence availability and process formulation to meet requirements as set out by corporate governance reports. The evidence can be used to enhance governance frameworks by assessing the effectiveness and efficiency of controls and to prove compliance.

ProDF also considers other factors that can influence DF investigations, for example, prevention of anti-forensic strategies and tools that can contaminate or delete potential evidence. It is essential when preparing organisations for digital investigations to design and implement systems that will enable forensic activities.

The chapter proposed a ProDF plan (par. 4.5) with goals and steps that will be used in the consolidation of the ProDF component of our CDF capability in Chapter 7. The next chapter will consolidate the ReDF component of our CDF capability.


4.7 FOLD-OUT FOR CHAPTER 4

[Fold-out figure: outline of Chapter 4, Proactive DF (ProDF). Background: Why ProDF? (par. 4.3; ProDF needs, par. 4.3.1). Relationship between DF-readiness and ProDF (par. 4.4): Goals of DF-readiness (par. 4.4.1; 4.4.1.1 DF-readiness goals from Chapter 3, 4.4.1.2 DF-readiness goals of Garcia, 4.4.1.3 DF-readiness goals of Rowlingson, 4.4.1.4 Our proposed DF-readiness goals: GOAL 1: Ensure that operations and infrastructure fully support an investigation; GOAL 2: Maximise CDE availability; GOAL 3: Prepare a responsible, competent human resource capability; GOAL 4: Ensure a cost-effective investigation); DF-readiness elements (par. 4.4.2; 4.4.2.1 Garcia, 4.4.2.2 Rowlingson, 4.4.2.3 Our proposed DF-readiness elements: Element 1: Develop information retention plan; Element 2: Prepare the infrastructure; Element 3: Develop a training and awareness strategy; Element 4: Establish a DF management capability; Element 5: Document and validate DFI protocol). Proposed ProDF plan for the ProDF component (par. 4.5): ProDF definition (par. 4.5.1); ProDF goals (par. 4.5.2; 4.5.2.1 ProDF goal 1: Become DF-ready, with Sub-goal 1: Prepare infrastructure, Sub-goal 2: Maximise CDE availability, Sub-goal 3: Prepare a responsible, competent HR capability, Sub-goal 4: Ensure cost-effective investigation; 4.5.2.2 ProDF goal 2: Implement DF to enhance governance programmes, with Sub-goal 1: Establish DF management capability, Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of organisational objectives).]


5 CHAPTER 5

REACTIVE DIGITAL FORENSICS (ReDF)

5.1 INTRODUCTION

In a perfect world there would be no need for forensic investigations, but incidents happen, cyber-attacks are launched and disgruntled employees can destroy data. Organisations must determine how the incident happened, who was responsible, and what damage was caused. Comprehensive digital evidence (CDE) will be required to provide management with the answers; however, forensics is a very specific discipline, operating in a well-defined legal and regulatory environment. Rules and requirements for admissible evidence exist and procedures must be designed to be DF sound (Louwrens et al., 2006a). Most DF investigation frameworks are very specific and prescribe systematically what should be done and how.

The ReDF component is well researched and we have compared various frameworks in Chapter 3. We used the comparison to identify a comprehensive list of six phases with associated steps for the ReDF component, as none of the frameworks contained all the phases and steps, as indicated in Table 3.3. The purpose of this chapter is to consolidate the ReDF component as identified in Chapter 3. Figure 5-1 (below) depicts the role of this chapter within the overall thesis.

[Figure 5-1: Part 1: Background (Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF)); Part 2: Construction of DFMF; Part 3: Conclusion]

Figure 5-1. Role of the chapter in the thesis


5.2 AIM AND STRUCTURE OF THIS CHAPTER

The aim of the chapter is to consolidate the ReDF component of our CDF capability as identified in Chapter 3. It will:

- confirm the definition of ReDF (par. 5.3)
- propose goals for the ReDF component, as the frameworks identified and discussed in Chapter 3 did not include explicit goals for ReDF (par. 5.4)
- consolidate an ReDF protocol with a comprehensive list of phases with related steps for the ReDF component as proposed in Chapter 3 (par. 5.5)
- evaluate the phases and steps of the ReDF component (par. 5.6).

Note to reader:

There is a large amount of repetition in this chapter from Chapter 3, in which the ReDF phases and steps were proposed. However, we have included them to provide a clear overview of the content of the ReDF component.

The next section will confirm the definition of ReDF.

5.3 DEFINITION OF REDF

No organisation is fully prepared for all incidents. ReDF as defined by us concentrates on the traditional DF investigation (dead forensics) that will take place after an incident is detected and confirmed. It is essential that organisations, specifically first responders and DF investigators, should use an acceptable and proven DF investigation protocol to conduct the investigation (Louwrens et al., 2006b). We have proposed a provisional definition for ReDF in par. 2.8.1 as:

An ReDF component is the application of analytical and investigative techniques for the preservation, identification, extraction, documentation, analysis, and interpretation of digital media, for evidentiary and/or root cause analysis and the presentation of comprehensive digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of incidents (Kruse & Heiser, 2004; Palmer, 2001; Reith et al., 2002; Rowlingson, 2004).


The DF frameworks identified in Chapter 3 did not explicitly state goals for ReDF investigations. The next section will propose goals of ReDF.

5.4 GOALS OF REDF

The ReDF component will be activated after an incident has been detected. We have used the definitions for DF and the frameworks discussed in Chapter 3 to propose the following two goals of ReDF (investigations) (Kruse & Heiser, 2004; Palmer, 2001; Reith et al., 2002; Rowlingson, 2004):

ReDF Goal 1: Successfully investigate an incident

To achieve this goal it is essential to acquire the relevant CDE and to determine the root cause of the incident, link the perpetrator to the incident, and present the case successfully.

ReDF Goal 2: Minimise the impact of an incident.

The ReDF protocol will support the above-mentioned goals. The protocol has a list of phases with related steps. The next section consolidates the protocol with six phases and associated steps as identified in par. 3.5.3, p. 3-82 for the ReDF component.

5.5 REDF PROTOCOL

We have already proposed the following phases with steps in Chapter 3, par. 3.5.3:

5.5.1 PHASE 1: Incident response and confirmation phase

This phase consists of ten steps:

5.5.1.1 Step 1: Initiate the IRP from Info Sec or the corporate contingency plan (Casey, 2004; Louwrens et al., 2006b)

5.5.1.2 Step 2: Detect an activity (Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007; O'Ciardhuain, 2004)

5.5.1.3 Step 3: Report the incident (Louwrens et al., 2006b)

5.5.1.4 Step 4: Determine the assessment of worth of the incident (Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007)


The incident must be evaluated to determine if it is valid. The first responder must assess the damage that the incident can cause or its impact on the organisation. The next step will be to confirm the incident or to declare it as ‘no incident’. It is essential to determine the relevance and nature of the investigation, and whether it will be a formal or informal investigation.

5.5.1.5 Step 5: Obtain the relevant internal and external authorisation (Carrier & Spafford, 2003; O'Ciardhuain, 2004)

5.5.1.6 Step 6: Activate the incident containment strategy (Beebe & Clark, 2005; Carrier & Spafford, 2003)

5.5.1.7 Step 7: Coordinate all the resources (Beebe & Clark, 2005; Louwrens et al., 2006b)

5.5.1.8 Step 8: Formulate an investigation plan (Beebe & Clark, 2005)

5.5.1.9 Step 9: Depending on the conditions set out by policy, accelerate the investigation (Louwrens et al., 2006b)

5.5.1.10 Step 10: Notify the relevant parties of the investigation (Forrester & Irwin, 2007; O'Ciardhuain, 2004).

5.5.2 PHASE 2: Physical investigation phase (if relevant)

This phase consists of seven steps:

5.5.2.1 Step 1: Secure the physical crime scene (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003; Forrester & Irwin, 2007)

5.5.2.2 Step 2: Survey the crime scene for potential evidence (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003; Louwrens et al., 2006b)

5.5.2.3 Step 3: The investigator must search for, and collect, potential evidence.

5.5.2.4 Step 4: Acquire the physical evidence

The investigator should use an acceptable procedure, for example, photograph, bag, label, and document the individual evidence items. The investigator must identify different types of evidence, e.g., fingerprint or digital, to ensure that the evidence will be analysed by the relevant forensic laboratory (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003; Forrester & Irwin, 2007; Louwrens et al., 2006b).

5.5.2.5 Step 5: Reconstruct the incident (Barayumureeba & Tushabe, 2004)

5.5.2.6 Step 6: Transport the evidence to a relevant investigation laboratory whilst ensuring the chain of custody is maintained (Barayumureeba & Tushabe, 2004; Louwrens et al., 2006b)


5.5.2.7 Step 7: Store the evidence in a secure facility

Determine the storage requirements by considering a safe custody room, access control, and requirements to maintain the chain of custody (Barayumureeba & Tushabe, 2004; Louwrens et al., 2006b).

5.5.3 PHASE 3: Digital investigation phase

This phase consists of four sub-phases:

5.5.3.1 Sub-phase 1: Securing the digital evidence (four steps) (Carrier & Spafford, 2003)

5.5.3.1.1 Step 1: Preserve the digital crime scene (O'Ciardhuain, 2004)

5.5.3.1.2 Step 2: Ensure the integrity of the evidence (Beebe & Clark, 2005; Casey, 2004; Louwrens et al., 2006b):

The investigators must follow established DFI protocol (Casey, 2004; Louwrens et al., 2006b) and write-protect all media (Louwrens et al., 2006b).

5.5.3.1.3 Step 3: Preserve the evidence by making a forensic copy of the potential evidence (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Louwrens et al., 2006b)

5.5.3.1.4 Step 4: Document all activities to ensure the chain of evidence and chain of custody.

5.5.3.2 Sub-phase 2: Evidence acquisition (five steps)

5.5.3.2.1 Step 1: Acquire the relevant evidence (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Louwrens et al., 2006b):

To acquire the relevant evidence, it is essential to recover or collect static, live, hidden, and deleted evidence. Harvest all data and metadata relevant to the incident.

5.5.3.2.2 Step 2: Authenticate the evidence by applying verification algorithms to ensure originality:

Investigators should timestamp all evidence to enable time-lining (Carrier & Spafford, 2003; Louwrens et al., 2006b).

5.5.3.2.3 Step 3: Transport the evidence to the relevant laboratory whilst ensuring the chain of custody is maintained (Carrier & Spafford, 2003; O'Ciardhuain, 2004)

5.5.3.2.4 Step 4: Store the evidence in a secure facility (Beebe & Clark, 2005; O'Ciardhuain, 2004)

5.5.3.2.5 Step 5: Document the acquisition process (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003; Louwrens et al., 2006b).
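Sub-phase 1 Steps 2 to 4 and Sub-phase 2 Steps 2 and 5 above (write-protect, forensic copy, authenticate with a verification algorithm, document every action) can be exercised in code. The script below is an added example and not part of the thesis; the evidence image, case and item identifiers and actor names are constructed, and a file-level permission change stands in for the hardware write blocker used on physical media.

```python
"""Added example: forensic copy, hash verification and a hash-chained chain-of-custody log.
Constructed for illustration; ids, actors and the evidence image are made up."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so images larger than RAM can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only record of every action taken on one evidence item (Sub-phase 1 Step 4,
    Sub-phase 2 Step 5). Each entry is timestamped in UTC and carries the hash of the
    previous entry, so a removed or altered entry makes verify() fail."""

    def __init__(self, case_id: str, item_id: str) -> None:
        self.case_id, self.item_id, self.entries = case_id, item_id, []

    def record(self, action: str, actor: str, **facts) -> dict:
        entry = {
            "case": self.case_id, "item": self.item_id, "seq": len(self.entries) + 1,
            "ts_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "action": action, "facts": facts,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(source: str, dest: str, log: CustodyLog, actor: str) -> str:
    """Hash the original, make the forensic copy, write-protect it and prove the copy
    matches (Sub-phase 1 Steps 2-3, Sub-phase 2 Step 2). Returns the acquisition hash."""
    src_hash = sha256_file(source)
    log.record("hash-source", actor, path=source, sha256=src_hash)
    shutil.copyfile(source, dest)
    os.chmod(dest, stat.S_IREAD)          # file-level write protection (assumption)
    copy_hash = sha256_file(dest)
    verified = copy_hash == src_hash
    log.record("forensic-copy", actor, source=source, copy=dest,
               sha256=copy_hash, verified=verified)
    if not verified:
        raise RuntimeError("forensic copy does not match source; re-acquire")
    return copy_hash


def reverify(copy: str, acquisition_hash: str, log: CustodyLog, actor: str) -> bool:
    """Re-hash the copy before analysis or presentation to show it is still original."""
    current = sha256_file(copy)
    ok = current == acquisition_hash
    log.record("re-verify", actor, copy=copy, sha256=current, matches_acquisition=ok)
    return ok


def demo() -> dict:
    """Run the flow on a constructed image, then tamper with the copy and with the log
    to show that both kinds of tampering are detected."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "suspect_usb.img")              # constructed evidence
    copy = os.path.join(work, "suspect_usb_copy.img")
    with open(src, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE IMAGE\n" * 4096)
    log = CustodyLog("CASE-0001", "ITEM-01")                 # placeholder ids
    acq_hash = acquire(src, copy, log, "first responder A")
    copy_ok = reverify(copy, acq_hash, log, "DF analyst B")
    os.chmod(copy, stat.S_IREAD | stat.S_IWRITE)             # someone lifts the protection
    with open(copy, "r+b") as f:
        f.write(b"X")                                        # ... and alters one byte
    tamper_found = not reverify(copy, acq_hash, log, "DF analyst B")
    log_ok = log.verify()
    log.entries[1]["facts"]["verified"] = False              # back-dated edit to the log
    log_tamper_found = not log.verify()
    shutil.rmtree(work)
    return {"copy_verified": copy_ok, "copy_tamper_detected": tamper_found,
            "log_intact": log_ok, "log_tamper_detected": log_tamper_found}
```

Calling demo() walks through acquisition, re-verification and both tampering cases and returns which checks fired.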


5.5.3.3 Sub-phase 3: Analysis (nine steps)

5.5.3.3.1 Step 1: Revisit the initial investigation plan:

Consider the available information, consider the tools and expertise allocated to the team and ensure that the evidence is human readable (Carrier & Spafford, 2003; Casey, 2004; Louwrens et al., 2006b; O'Ciardhuain, 2004).

5.5.3.3.2 Step 2: Develop a hypothesis and criteria to prove the hypothesis (Louwrens et al., 2006b; O'Ciardhuain, 2004)

5.5.3.3.3 Step 3: Prepare the evidence for analysis:

It may be necessary to convert large volumes of data to a manageable size whilst protecting the evidential integrity (Beebe & Clark, 2005; Casey, 2004; Louwrens et al., 2006b).

5.5.3.3.4 Step 4: Analyse the available evidence (Beebe & Clark, 2005; Louwrens et al., 2006b):

Examine the evidence to establish the best evidence (Casey, 2004; Louwrens et al., 2006b; O'Ciardhuain, 2004). The investigator must apply reduction techniques to eliminate the evidence that is not relevant to the case (Carrier & Spafford, 2003; Casey, 2004).

It will be useful to assess the results to determine means, motivation, and opportunity, as well as the skill level of the suspect. The investigator should use different DF tools to analyse the evidence.

5.5.3.3.5 Step 5: Reconstruct the incident (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004)

5.5.3.3.6 Step 6: Test the hypothesis by applying fusion and correlation techniques (Beebe & Clark, 2005; Casey, 2004; Louwrens et al., 2006b):

Test the hypothesis against the criteria set in Step 2.

5.5.3.3.7 Step 7: Validate the analysis results (Louwrens et al., 2006b)

5.5.3.3.8 Step 8: Document the findings (Casey, 2004; Louwrens et al., 2006b)

5.5.3.3.9 Step 9: Secure the documentation (Louwrens et al., 2006b).
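Steps 2, 3, 4 and 6 of the analysis sub-phase (hypothesis with criteria, reduction, correlation and fusion, testing) together with the time-lining requirement of Sub-phase 2 Step 2 can be shown on a small constructed case. The Python below is an added example, not code from the thesis; the three evidence sources, hosts, user names, file path and timestamps are all constructed.

```python
"""Added example: fuse records from several sources into one UTC timeline, reduce it to
the incident window, and test a hypothesis against explicit criteria. All data constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime   # normalised to UTC so sources with different clocks line up
    source: str
    host: str
    actor: str
    action: str
    detail: str


# Each source stamps its records differently; normalising them is what makes
# time-lining across sources possible (Sub-phase 2, Step 2).
def _iso(s: str) -> datetime:
    return datetime.fromisoformat(s).astimezone(timezone.utc)

def _epoch(s: str) -> datetime:
    return datetime.fromtimestamp(float(s), tz=timezone.utc)

def _clf(s: str) -> datetime:   # web-proxy style "14/Mar/2011:20:15:02 +0000"
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)

PARSERS: Dict[str, Callable[[str], datetime]] = {"auth": _iso, "audit": _epoch, "proxy": _clf}

# Constructed records: (source, raw timestamp, host, actor, action, detail).
RAW_RECORDS = [
    ("auth", "2011-03-14T22:58:10+02:00", "fs01", "jsmith", "login", "sshd: password from 10.0.5.23"),
    ("audit", "1300136463", "fs01", "jsmith", "delete", "/srv/finance/q4_report.xlsx"),
    ("auth", "2011-03-14T23:04:41+02:00", "fs01", "jsmith", "logout", "sshd: session closed"),
    ("proxy", "14/Mar/2011:20:15:02 +0000", "ws17", "jsmith", "http", "GET http://intranet/news"),
    ("audit", "1300168800", "fs01", "backup", "read", "/srv/finance/q4_report.xlsx"),
    ("auth", "2011-03-14T21:30:00+02:00", "fs02", "mkhumalo", "login", "sshd: publickey"),
]


def build_timeline(raw=RAW_RECORDS) -> List[Event]:
    """Fuse all sources into one UTC-ordered timeline."""
    events = [Event(PARSERS[src](ts), src, host, actor, action, detail)
              for src, ts, host, actor, action, detail in raw]
    return sorted(events, key=lambda e: e.ts)


def reduce_events(timeline: List[Event], start: datetime, end: datetime,
                  hosts: Optional[set] = None) -> List[Event]:
    """Reduction (Sub-phase 3, Steps 3-4): keep only events inside the incident
    window, optionally restricted to the hosts of interest."""
    return [e for e in timeline
            if start <= e.ts <= end and (hosts is None or e.host in hosts)]


def sessions_for(timeline: List[Event], actor: str,
                 host: str) -> List[Tuple[datetime, Optional[datetime]]]:
    """Correlate login/logout records into (start, end) intervals; an end of None
    means the session was still open when the evidence ends."""
    sessions, opened = [], None
    for e in timeline:
        if e.source != "auth" or e.actor != actor or e.host != host:
            continue
        if e.action == "login":
            opened = e.ts
        elif e.action == "logout" and opened is not None:
            sessions.append((opened, e.ts))
            opened = None
    if opened is not None:
        sessions.append((opened, None))
    return sessions


def check_hypothesis(timeline: List[Event], actor: str, host: str, path: str) -> dict:
    """Hypothesis: `actor` deleted `path` on `host` during an interactive session.
    Criteria (Sub-phase 3, Steps 2 and 6): (1) a session for actor on host exists,
    (2) a deletion of path on host is recorded, (3) that deletion is attributed to
    actor and falls inside one of the sessions. Returns each criterion and the
    events that support the last one."""
    sessions = sessions_for(timeline, actor, host)
    deletions = [e for e in timeline
                 if e.host == host and e.action == "delete" and e.detail == path]
    in_session = [e for e in deletions if e.actor == actor and any(
        s <= e.ts and (end is None or e.ts <= end) for s, end in sessions)]
    return {
        "session_exists": bool(sessions),
        "deletion_found": bool(deletions),
        "deletion_in_session": bool(in_session),
        "supported": bool(sessions) and bool(in_session),
        "evidence": in_session,
    }
```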


5.5.3.4 Sub-phase 4: Service restoration

Interact with the organisational (Info Sec) business continuity team to restore services as soon as possible, and thus minimise the interruption to business activities (Forrester & Irwin, 2007).

5.5.4 PHASE 4: Incident reconstruction phase

Consolidate the physical investigation and digital investigation findings and determine if the consolidated evidence acquired supports the hypothesis (Carrier & Spafford, 2003).

5.5.5 PHASE 5: Presentation of findings phase

Present the findings to management or the authorities (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004) (three steps):

5.5.5.1 Step 1: Prepare the case

To present a case successfully, it is essential to prepare its presentation properly. The investigator should determine the target audience, use appropriate presentation aids, assemble all the evidence required, and prepare exhibits for the presentation. If an expert witness is needed during the presentation, prepare him or her. When preparing the evidence and exhibits, ensure that the chain of custody is preserved at all times (Louwrens et al., 2006b).

5.5.5.2 Step 2: Present the case (Casey, 2004; Louwrens et al., 2006b)

5.5.5.3 Step 3: Preserve the evidence (Louwrens et al., 2006b).

5.5.6 PHASE 6: Incident closure phase

Disseminate the result of the investigation or incident closure (Beebe & Clark, 2005; Carrier & Spafford, 2003; O'Ciardhuain, 2004) (two steps):

5.5.6.1 Step 1: Review the result to identify and apply lessons learned (Beebe & Clark, 2005; Forrester & Irwin, 2007)

5.5.6.2 Step 2: Dispose of / return / preserve applicable post-investigation evidence (Beebe & Clark, 2005).

Figure 5-2 (below) is a graphical representation of the six ReDF phases.


5.6 EVALUATION OF THE SIX PHASES OF THE REDF COMPONENT

The six phases with related steps of the ReDF protocol (the ReDF component) follow a waterfall approach with some iteration between the phases and steps. To demonstrate: the investigator can start an investigation by entering a physical crime scene and then formulate an initial hypothesis. Evidence will be acquired and potential digital evidence identified. The evidence gathered during the physical investigation will be documented and analysed, then used to provide a motive for the incident, determine its cause and identify the perpetrator. The investigator will forward the different types of evidence to different specialised forensic investigation units, for example, bullet shells to ballistics, fingerprints to the fingerprint unit, blood to the forensic pathology laboratory and digital evidence to the DF investigators.

The DF investigation team will acquire the evidence, analyse it, reconstruct the incident, and determine its root cause. It may be necessary to combine the physical evidence recovered from the crime scene to reconstruct the incident and to link the perpetrator to it. If evidence is lacking, the investigators will repeat the evidence identification, acquisition, and analysis steps until they can reconstruct the incident and have the evidence in place to support the hypothesis. The result of the investigation will be a case file with supporting evidence. The case will be prepared and presented to the relevant authorities. Once the investigation is complete, the case file and supporting evidence must be preserved.

[Figure 5-2: Phase 1: Incident response and confirmation; Phase 2: Physical investigation; Phase 3: Digital investigation (Sub-phase 1: Securing the evidence; Sub-phase 2: Evidence acquisition; Sub-phase 3: Analysis; Sub-phase 4: Service restoration), with ActDF shown alongside Phase 3; Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure]

Figure 5-2 Graphical representation of the six phases of ReDF component (by author)

The outcome of an investigation should be communicated back to the risk management and Info Sec departments of the organisation to ensure that the incident cannot happen again, as controls can be adapted or new ones implemented.

The ReDF component and the traditional contingency plans of an organisation should integrate seamlessly. Normally, the IDS or an employee will alert the authorities to a suspicious activity. The incident response team will react to assess the suspicious activity and determine whether or not it is an incident. The ReDF component is activated after an incident has been detected.

The actions of the incident response team and first responders are important, as they need to incorporate DF process requirements for DF sound processes and the requirements for the identification and preservation of evidence. There is an overlap of incident response activities in DF and Info Sec, as both handle the response to an incident. We propose that organisations should augment current contingency plans with associated policies and procedures to ensure that the relevant procedures are DF sound and that evidence is preserved.

The incorporation of DF requirements in the incident response, disaster recovery and business continuity plans of organisations is not always well accepted. The reason is that organisations want to resume business as quickly as possible to provide a remedy for the security breach or incident, and evidence identification can cause delays. The 2010/2011 CSI computer survey states that 23.9% of respondents attempted to identify the perpetrator with their own resources, and 62.3% attempted to patch the security holes as soon as possible (Richardson, 2012). Organisations therefore realise that they should balance the need to identify the perpetrator against the need to patch the security breach.

The ReDF component needs a well-accepted DF investigation protocol, policies and procedures, trained competent staff, relevant DF tools and technologies, and a prepared operational and investigation infrastructure. The ProDF component should define the mentioned requirements.

Should live evidence be required for an investigation, the ReDF component will not acquire the live or volatile evidence; instead the ActDF component will be activated. We have proposed a separate component for the acquisition of live evidence in par. 2.8.3. The live DF investigation protocols, evidence acquisition and handling, and tools and technologies are different. Once the live evidence has been gathered, the ReDF component will receive the acquired evidence and continue with the ReDF investigation, as discussed in par. 2.8.4.

5.7 SUMMARY

Once an incident has been detected, it is essential that organisations decide whether or not they want to investigate. If they do, an ReDF investigation protocol should be in place. We have identified goals and consolidated a comprehensive list of phases with associated steps for the ReDF component of our CDF capability.

Due to the close relationship between DF incident detection and the incident detection and response phase of the traditional contingency plan, organisations must include DF evidence and process requirements in the relevant contingency plans (risk assessment, incident response, business impact analysis, business continuity, and disaster recovery plans) and augment the relevant policies and procedures.

The next chapter will discuss the ActDF component of the capability. The ActDF component is essential due to the change in the nature of evidence.


6 CHAPTER 6

ACTIVE DIGITAL FORENSICS (ActDF)

6.1 INTRODUCTION

During the discussion of conventional DF frameworks in Chapter 3, we identified a need for ‘live evidence’ acquisition and handling. Investigations require important, relevant, live evidence, for example, volatile evidence (memory (RAM) content), swap files and network processes, to determine the root cause of an incident and successfully prosecute the perpetrator. A famous example is the ‘Code Red’ worm, where one can only conduct a ‘live’ investigation as the worm is memory-resident and never writes to the disk. Many real-time systems cannot be powered down and investigations must be conducted on the live systems (Adelstein, 2006; Sremack, 2005).

The intrusion detection system (IDS) of an organisation will detect an incident and activate the incident response (IR) protocol of the organisation. It is, however, becoming essential to integrate live forensic investigation protocols with the IR protocol to ensure that relevant and admissible live CDE is available if required for investigatory purposes. IR protocols do not consider the importance of evidence identification, gathering and preservation of live data (Sommer, 1999).

According to Ieong and Leung (2007), live forensic investigations are hampered by the following factors:

- missing definitions of live forensics
- absence of standard procedures in live investigations
- certification of live evidence.

Various tools and frameworks exist to conduct live investigations, but as it is a new field it faces numerous challenges, for example, to prove the trustworthiness of the tools and therefore the admissibility of the gathered evidence. The tools must also demonstrate that they do not have an unacceptable impact on the system performance (Garfinkel, 2010). Traditional ReDF investigation frameworks will ensure that no changes are made to the evidence and the seized content. When live investigation software tools are used, changing data is unavoidable; therefore, the live investigative process must be documented in a forensically sound manner to maintain the chain of custody and chain of evidence.

The purpose of this chapter is to use the phases identified in Chapter 3 (par. 3.5.2) to formulate the ActDF protocol for the ActDF component of a DF capability. The chapter identifies live and real-time investigation tools, techniques, and frameworks and proposes potential phases and steps that can be included in an ActDF component, to assist us in formulating the comprehensive view of our CDF capability. Figure 6-1 (below) depicts the role of this chapter within the overall thesis.

6.2 AIM AND STRUCTURE OF THIS CHAPTER

The aim of the chapter is to discuss and define the ActDF component of our CDF capability. The chapter will:

- discuss the need for an ActDF component (par. 6.3)
- discuss the relationship between IDS, incident response, and live DF (par. 6.4)
- discuss live investigation tools and techniques (par. 6.5)
- evaluate existing ‘live’ DF frameworks (par. 6.6)
- use the phases identified in Chapter 3 (par. 3.5.2) to compare the phases or steps of the identified ‘live’ DF frameworks to formulate the ActDF component (par. 6.7)
- consolidate phases with related steps for the ActDF component (par. 6.7.3).

Note to reader:

We have included a fold-out page at the end of the chapter (par. 6.9, p. 6-157). We suggest that this page be folded out at this stage to provide context. It is also advised that the fold-out be referenced when every paragraph is read, as it ensures that the context of reading is preserved.

[Figure 6-1: Part 1: Background (Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF)); Part 2: Construction of DFMF; Part 3: Conclusion]

Figure 6-1 Role of the Chapter in the thesis (by author)

The next section will discuss the need for active or live investigations.

6.3 NEED FOR ACTIVE OR LIVE INVESTIGATIONS

At the 2006 Digital Forensic Research Workshop, the FBI advocated that live forensic investigations become one of the standard steps in performing DF investigations (Ieong & Leung, 2007). Some of the motivating factors were:

- that the systems may not be powered down due to the nature of the system or the cost of shutting down, and therefore need real-time investigations
- the increased need for the investigator to obtain live evidence, for example volatile data, due to the nature of incidents
- the need to detect a crime as it occurs (Orebaugh, 2006)
- the need to investigate or monitor a suspect without him or her being aware of the investigation.

According to Carrier (2006), the only difference between using live and dead analysis tools (ReDF tools) and techniques is the reliability of the results. The reason is that live analysis tools rely on applications that can modify evidence. The most common source of false data is rootkits, also described as “Trojan horse backdoor tools”, that modify existing operating system software so that the attacker can hide on a machine.

Rootkits insert a filter in the data flow of the normal processing of an application, which will then hide the file or process from the investigator so the intruder can continue with his/her activities. There are counter-measures to deal with rootkits, for example, the use of trusted tools on a CD that cannot be modified or tools that do not use the Trojan libraries. During the development of live forensic applications it is important to eliminate standard system calls and writes (Campia, 2012; Wikipedia, 2009).

It is neither practical nor feasible to acquire all live data (e.g., memory dumps and network logs) due to the volume of the data. It is important to acquire only relevant data when needed as evidence for a live investigation of a potential incident. The result is that the evidence is normally like a snapshot of the current state of a machine or protocol stack.

It is also important to note that the evidence gathered using live investigation tools will not necessarily meet the evidence requirement of reproduction or repeatability. However, as standards are developed, the courts are beginning to accept evidence generated by live analysis tools.

There is also a need to develop tools and techniques to deal with real-time systems, which include all systems in which time constraints exist for the completion of events that must be satisfied with acceptable predictability (Sremack, 2005). These systems require fast, deterministic execution of instructions to ensure that they perform their tasks properly. Examples are power-grid monitoring systems, enterprise routers, life-sustaining medical devices and emergency call centres (Sremack, 2005). These systems are very structured and operate to very rigid timelines. In the past, they operated in an isolated environment, reliability being the most important criterion, while security and investigation of incidents did not receive much attention.

However, industry has started to integrate real-time systems with other devices and users. This poses a huge threat, as current investigation techniques are unsuitable for real-time investigations. New techniques will have to be developed to deal with the challenge posed by real-time systems, as data is stored in a unique way on these devices. It is very difficult to access and retrieve volatile data and there is a lack of system logs. There is a need to adapt current real-time systems to include security measures and proactively consider potential evidence sources.

Organisations must identify, assess, and contain an incident as soon as possible to prevent further damage. It is not enough that tools and techniques for active investigations exist in the organisation; a proper framework should also exist to guide the use of tools and the behaviour of investigators or first responders. The IT and Info Sec governance processes, policies and procedures, for example Incident Response, must be developed in such a way that clear guidance exists on what to do should an incident occur, when to continue with a live investigation, and when to terminate the live investigation and start with a formal reactive investigation.

There is an intuitive overlap between Incident Response and live investigations. The next section will discuss the relationship between IR, IDS, and live investigations.


6.4 INCIDENT RESPONSE (IR), INTRUSION DETECTION SYSTEM (IDS) AND LIVE INVESTIGATIONS

Incident detection normally relies on either human or automated systems. It can be an alert from an employee, customer or even an outsider about a system malfunction or a wrong transaction. The network administrator can detect a malfunction on the network, for example slow network performance.

The help desk normally identifies an unusual event and then classifies it as an incident. Mechanisms that can detect potential incidents are IDS (host-based and network-based), firewalls and virus detection software (Whitman & Mattord, 2009). The aim of an IDS is to detect incidents. Typical outcomes are:

- timely reaction to prevent substantive damage by manual or automatic intervention
- timely reaction to mitigate substantive damage
- identification of whether an activity is a precursor of a more serious event
- identification of the perpetrator
- discovery of new attack patterns
- provision of additional protection to systems
- collection of evidence.

Various automated IDSs exist. An IDS can have some or all of the proactive methods or tools built into it. Various proactive methods and techniques are available to detect an incident as it occurs (Orebaugh, 2006):

- Active monitoring systems, which can be human or automated.
- Design, construction, and configuration of systems to facilitate future forensic investigations. This concept spans all activities in the organisation.
- Use of digital fingerprinting for proprietary information. A digital fingerprint is a unique label, assigned to an individual, which is inserted into a document or content before distribution. The document can then be traced, and the fingerprint can identify users who put the data to unauthorised use.
- Employment of process forensics. This is a merger between intrusion detection and checkpoint technologies. Checkpoints are periodic snapshots of running programs or processes and can be used for investigations.


The IDS that is in use will have a direct impact on the strategy and methodology employed by the organisation for a live DF investigation.

Most IDSs can be categorised as either misuse or anomaly detection systems. ‘Misuse’ usually refers to systems that utilise some form of fingerprinting to determine if a process is part of an intrusion. ‘Anomaly’ refers to systems that attempt to define ‘normal’ behaviour in order to classify a process as normal or intrusive. The main challenge is to define ‘normal’. Foster proposes that the system determining normal behaviour should use incremental check-pointing to build a normal profile (Foster & Wilson, 2004). Profiling is important for the detection of incidents in an organisation.

As soon as the incident has been evaluated and confirmed, the current IRP will dictate whether it

should be investigated. Factors that should be considered are the severity of the incident, its impact,

type (intentional or criminal), reliability of the alert and the profile of the attacker. However, the cost

of powering systems down can also play a major role. There is an increasing need to be able to

investigate live systems. The organisation can decide on different plans of action.

The organisational risk policy and IR programme will determine whether or not to investigate, whether to allow an incident to continue or to terminate all incidents, and when to terminate an investigation. A specific incident detection or investigation policy will be required so that it prescribes the desired action.

Some organisations will only investigate if there is a potential significant monetary or financial loss,

loss of intellectual property or a potential loss of public profile, whilst other organisations will

investigate all incidents, as small incidents can be a ‘smoke signal’ of a larger problem.

IDSs collect data to assist with incident detection; however, it is important to note that they are not designed to collect or protect the integrity of data as valid, admissible evidence (Sommer, 1999). Typical evidence comprises system logs, audit logs, application logs, network management logs, network traffic captures, and manual entries.

The logs can lack sufficient detail, be incomplete for a specific period, and may not be able to distinguish between legitimate and unwanted access or to identify the perpetrator in a useful way. The logs must be tamperproof, so that they cannot have been compromised prior to, during or even after the collection phase. It is sometimes necessary to process this primary data into derived data to make it easier to analyse and understand. However, this poses a problem, as the evidence can be compromised in the process.

Sommer has proposed the following points to enable an IDS to be a source of evidence (Sommer, 1999):

- The value of an IDS depends on the extent to which timely and accurate information can be supplied regarding the likelihood of an incident, so that evasive action can be taken.
- Evidence acquisition should be a separate, but related, process.
- Single streams of evidence may not be enough; multiple independent streams should be able to corroborate each other.
- The multiple evidence streams should be synchronised.
- Logging of information should be done by a trusted tool.
- Logged evidence must adhere to the rules of admissibility of evidence.
- It must be ensured that evidence collection during logging cannot be compromised.
- It must be ensured that raw logs are always available.
- The chain of custody or continuity of evidence from source to court should be maintained.
- Additional procedures or products should concentrate on evidence collection and preservation.
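The points above call for a logging path that is separate from detection, keeps the raw logs intact, and lets derived data be checked against them. The following Python block is an added example of such a path (not code from the thesis or from Sommer): each raw line is chained to its predecessor by a SHA-256 hash and tagged with an HMAC that stands in for a trusted tool's signature, verification locates the first altered entry, derived alert counts are computed without modifying the raw entries, and a custody record binds a handler's action to the current chain head. The log lines, key, field names and handler name are constructed for the demonstration.

```python
"""Tamper-evident logging for IDS output. Added example illustrating Sommer's
points (trusted logging tool, raw logs always available, derived data kept
apart, chain of custody); not the thesis's own code. Log lines, key and field
names are constructed for illustration."""
import hashlib
import hmac
import time

# Constructed raw lines as an IDS and a firewall might emit them.
RAW_LOG_LINES = [
    "2011-11-01T08:00:01Z ids alert sid=1001 src=10.0.0.5 dst=10.0.0.9",
    "2011-11-01T08:00:02Z fw deny src=10.0.0.5 dst=10.0.0.9 dport=445",
    "2011-11-01T08:00:05Z ids alert sid=1001 src=10.0.0.5 dst=10.0.0.12",
]
# Demonstration key only (assumption); a real trusted tool would hold its key
# away from the monitored host, e.g. on the collection server or in an HSM.
DEMO_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64


def append_entry(chain, line, key=DEMO_KEY):
    """Append one raw line; each entry commits to the hash of its predecessor."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry_hash = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
    # A keyed MAC stands in for the trusted tool's signature over the entry.
    tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "raw": line, "prev": prev,
                  "entry_hash": entry_hash, "tag": tag})
    return chain


def verify_chain(chain, key=DEMO_KEY):
    """Recompute every hash and MAC; return (ok, seq of the first bad entry)."""
    prev = GENESIS
    for e in chain:
        expect = hashlib.sha256((prev + "\n" + e["raw"]).encode()).hexdigest()
        expect_tag = hmac.new(key, expect.encode(), hashlib.sha256).hexdigest()
        if (e["prev"] != prev or e["entry_hash"] != expect
                or not hmac.compare_digest(e["tag"], expect_tag)):
            return False, e["seq"]
        prev = expect
    return True, None


def derive_alert_counts(chain):
    """Derived data (alerts per signature id), computed from the raw entries
    and never written back into them."""
    counts = {}
    for e in chain:
        if " ids alert " in e["raw"]:
            sid = e["raw"].split("sid=")[1].split()[0]
            counts[sid] = counts.get(sid, 0) + 1
    return counts


def custody_record(chain, handler, action):
    """One chain-of-custody line binding a handler and action to the chain head."""
    head = chain[-1]["entry_hash"] if chain else GENESIS
    return {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "handler": handler, "action": action,
            "chain_head": head, "entries": len(chain)}


def build_demo_chain():
    """Build the chain over the constructed sample lines."""
    chain = []
    for line in RAW_LOG_LINES:
        append_entry(chain, line)
    return chain
```

Rewriting a raw line, reordering entries or re-tagging them with a different key fails verification at that entry. A party controlling the logging host can still truncate the chain, which is why the key and a copy of the latest chain head belong on the collection server rather than on the monitored host.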

Note to reader:

When formulating our CDF capability and the proposed DFMF, we assume that an IDS is in place that is able to detect a potential incident.

However, a ‘NEW’ (zero day) incident may bypass all the security barriers and manifest itself in a

specific way. When the new incident is detected, the organisation may suddenly realise that it is not

prepared for the incident. The next section will briefly discuss current live investigation tools and

techniques.


6.5 LIVE INVESTIGATION TOOLS AND TECHNIQUES

ReDF investigations involve ‘dead’ analysis techniques, which use no software that exists on a

system during the timeframe of the investigation (Carrier, 2006). Proactive tools and techniques do

not include investigation techniques, but they prepare all systems, processes and procedures to

capture CDE by having appropriate tools, processes and procedures in place.

Live analysis is often associated with IR and IDSs but is auxiliary to the Info Sec programmes. Virus detection software is an example of a live analysis tool. Most live investigation tools and techniques are software-based; however, current research is considering the use of hardware devices to acquire evidence.

Live forensic investigations are currently being carried out by using remote forensic preservation and acquisition tools, e.g., EnCase® Enterprise edition and ProDiscover® (Casey & Stanley, 2004). These tools use live analysis techniques, which rely on software that pre-exists on the system during the timeframe being investigated (Carrier, 2006). The target machine is monitored from a remote site and evidence can be acquired in a forensically sound way with the aid of a tool. Typical activities include keyword searches, and the copying and extraction of files and records from the live remote site. The user is not aware of the process, so an investigation can continue unnoticed. The investigator can acquire evidence in a live production environment. Remote forensic investigations focus more on transforming ReDF examination procedures into live, production environments.

Other software techniques for gathering live evidence identified by Carrier and Grand (2004) include:

- Physical memory devices, where the operating system provides access to physical memory; Unix® systems, for example, have the /dev/mem device. Disadvantages are that attackers can abuse the device and that it is difficult to analyse the image of the physical memory.
- Sparc OpenBoot® firmware by Sun® systems uses the Sparc architecture to dump physical memory to a storage device. The first responder suspends the running system by using the L1-A (STOP A) key, and by typing the sync command the application copies the memory and registers to a preconfigured device (possibly a swap file on hard disk). The disadvantage of this technique is that it destroys the content of the swap file area, as it uses it to dump the physical memory.
- The process pseudo-file system in UNIX® systems allows one to identify a suspect process and obtain the physical memory content related to that specific process. By running the /proc/ command one is able to acquire the relevant physical memory, but running the command overwrites swap files and therefore potential evidence. Similar tools, e.g., the pcat tool of the Coroner’s Toolkit®, use the ‘ptrace()’ system call to save process memory.
- A virtual machine, e.g., VMware®, is an application that emulates a computer environment in which, for example, multiple servers, operating systems, and applications can execute. The operating system and applications of a virtual machine are not aware that they operate in a virtual environment. If a virtual machine is compromised, the content of the machine can be copied seamlessly to another machine to enable the investigator to acquire evidence.
- Hibernation, where servers are equipped with standby power management features that save the memory content to the hard drive before finally powering down. This feature is not readily available.

All of the above techniques are software-based and rely on the operating system, specifically the operating system kernel, which is not a trusted resource as it can be a malicious kernel. This poses a threat to the reliability of the evidence. A second problem is that the operating system must execute a command and therefore has to write to memory, so it also destroys evidence in the process.

Carrier and Grand (2004) have proposed a hardware-based memory acquisition procedure, that is, a hardware expansion card pre-installed in a PCI bus that gathers volatile evidence and writes it to an external storage device. As soon as the card is switched on, CPU execution is halted and the card activates direct memory access (DMA) to copy the content of the physical memory to an external non-volatile storage device, for example a memory card or an IEEE 1394 (FireWire) hard disk. Once the memory has been successfully copied, the CPU resumes and the operating system continues with execution. This procedure has been tested and a patent is pending.

The investigator can also use network forensics to identify sources of live network evidence. It is not possible to log all activities on a network, but it is essential during a live investigation to identify potential sources, for example DNS and ‘whois’ servers, websites, FTP servers, local Ethernet servers, Bluetooth piconets, database servers, chat servers, network routing tables or reply messages of SOAP servlets (Nikkel, 2005). Evidence that can be gathered includes, for example, slanderous web pages, illegal files, traffic from port scans, routing tables, and wireless signal strength and direction.

The rationale of the various techniques differs as remote online forensic investigations capture data

disregarding the order of volatility (Ieong & Leung, 2007). The other live investigation techniques will

consider the order of volatility of the evidence.

Volatile forensic investigations concentrate on the collection of volatile evidence and should

consider the order of volatility of the evidence. The more volatile evidence must be collected first,

followed by the non-volatile evidence by using traditional reactive DF tools and techniques.

McDougal has discussed the volatility of the evidence in terms of a volatility model, of which Figure

6-2 (below) is a graphical representation (Ieong & Leung, 2007).

From this model and work carried out by Ieong and Leung (2007), the following categories of volatility emerged:

- Highly volatile: physical memory and virtual memory
- Medium volatility: network connection, current processes, and open files and systems databases
- Low volatility: network status and current user information
- Not volatile: system configuration, user account information, pre-set list of processes and services, event logs, and files and directories.

[Figure 6-2 residue: a scale from ‘Most volatile’ through ‘Least volatile’ to ‘Not volatile’, ordering physical memory; virtual memory; network, current processes, and open files and systems database; network status; current user information; system configuration; user account information; event logs; preset list of processes and services; files and directories.]

Figure 6-2 McDougal model of volatility (Ieong & Leung, 2007)


The argument for splitting network connection and network status is that the former will change, as will current processes, open files, and systems databases, as there is normally a direct interaction between the three groups. Network status and user account information are volatile but less likely to change during an acquisition process. System configuration, user account information, and pre-set lists of processes and services are not volatile, and traditional ReDF tools and techniques can acquire the evidence. Although event logs, files, and directories are indicated as ‘not volatile’, it is important to note that they can be changed if live forensic investigation tools are executed.

One of the goals of proactive DF as defined by Taylor (Orebaugh, 2006) is to: ‘Detect (catch) a crime

as it occurs’. The objective is to use human and system behavioural patterns to detect an incident as

it occurs and to be able to support the investigation as it is happening.

Bradford has developed a model to automatically detect certain events (Bradford et al., 2007). This

is not an IDS, but rather a model that will make it possible to generate appropriate data to provide

good investigation leads and focus search activities by concentrating on trends. There is a great need

to automate the IDS process, but the expert systems must be extended or improved. The expert

system must not only detect the incident but also determine if it is necessary to collect additional

evidence. This expectation has been highlighted by the proposed model of Taylor (Orebaugh, 2006).

The chapter will bear in mind the differences of the tools and techniques when defining the ActDF

component. The next section will evaluate some identified live investigation frameworks as

discussed in the literature.

6.6 LIVE INVESTIGATION FRAMEWORKS

We have identified the following five live or “Active” investigation frameworks. We did not include these frameworks in the discussion in Chapter 3, as they concentrate on live investigations and evidence acquisition and not on the entire DF investigation:

- Framework 1: Payer (2004) (par. 6.6.1)
- Framework 2: Ren and Jin (2005) (par. 6.6.2)
- Framework 3: Foster and Wilson (2004) (par. 6.6.3)
- Framework 4: Grobler (2009) (par. 6.6.4)
- Framework 5: Ieong and Leung (2007) (par. 6.6.5).


The next section will provide a brief overview of the mentioned frameworks and compare them to

enable us to formulate the ActDF component of our CDF capability.

6.6.1 FRAMEWORK 1: Payer (2004)

Payer (2004) proposed a framework based on a stack-based network IDS (NIDS). The prototypes developed include the integration of IDS mechanisms into the network stack using existing state transitions, memory content, header information, and packet payload.

Traditional approaches to NIDS include signature-based detection and anomaly detection based on heuristic rules. A stack-based stateful mechanism is used to introduce intelligent decisions by looking for conspicuous patterns. Real-time behaviour requires strict timing constraints and must therefore use small signatures and fast scanning mechanisms.

The model uses the state, rather than the transition between states, as the indicator of an intrusion. Unique state transitions can then be stored as a sequence in a database as a state-based signature. The goal is to analyse state transition behaviour and not content. The scanner can then scan all states for a defined signature associated with a specific intrusion.

This framework integrates state-based detection mechanisms into the network stack. All protocols up to the application layer are viewed as application protocol machines, with state transitions caused by application events.
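As an added illustration of the state-based signature idea in the paragraphs above (not Payer's code or the thesis's), the Python block below treats a signature as an ordered list of protocol-machine states, keeps only the last few states per flow, and reports a match as soon as a flow's recent transitions equal a signature, preserving those transitions as the evidence of the match. The state names, the two signatures and the event stream are constructed and hypothetical.

```python
"""State-based signature scanning in the spirit of the stack-based NIDS
described above. Added example, not Payer's or the thesis's code; state
names, signatures and the event stream are constructed for illustration."""
from collections import defaultdict, deque

# A state-based signature is an ordered sequence of protocol-machine states.
# Both signatures are hypothetical and stand in for a signature database.
SIGNATURES = {
    "auth-brute-force": ["AUTH_FAIL", "AUTH_FAIL", "AUTH_FAIL"],
    "post-auth-binary-upload": ["AUTH_OK", "BINARY_MODE", "STOR"],
}

# Constructed stream of (flow_id, new_state) transitions as an application
# protocol machine inside the network stack would report them.
EVENTS = [
    ("f1", "CONNECT"), ("f1", "AUTH_FAIL"), ("f2", "CONNECT"),
    ("f1", "AUTH_FAIL"), ("f2", "AUTH_OK"), ("f1", "AUTH_FAIL"),
    ("f2", "BINARY_MODE"), ("f2", "STOR"), ("f1", "AUTH_OK"),
]


class StateSignatureScanner:
    """Tracks each flow's recent states and matches them against signatures.

    Only the last `window` states per flow are kept, so one transition costs
    O(signatures x signature length) regardless of how long the stream is,
    which is the small-signature, fast-scan constraint the text mentions.
    """

    def __init__(self, signatures):
        self.signatures = {name: list(seq) for name, seq in signatures.items()}
        self.window = max(len(seq) for seq in self.signatures.values())
        self.history = defaultdict(lambda: deque(maxlen=self.window))
        self.matches = []

    def transition(self, flow_id, state):
        """Record one state transition and return the signatures it completed."""
        recent = self.history[flow_id]
        recent.append(state)
        hits = []
        for name, seq in self.signatures.items():
            n = len(seq)
            if len(recent) >= n and list(recent)[-n:] == seq:
                # Preserve the matched transitions at once: the framework wants
                # the system, not a human, to keep this evidence.
                hits.append({"flow": flow_id, "signature": name,
                             "evidence": tuple(recent)})
        self.matches.extend(hits)
        return hits


def scan(events, signatures=SIGNATURES):
    """Run the scanner over a transition stream; return all matches in order."""
    scanner = StateSignatureScanner(signatures)
    for flow_id, state in events:
        scanner.transition(flow_id, state)
    return scanner.matches
```

Matching on states rather than payload means the scanner never inspects content, which is the point the text makes; the price is that a signature only fires when the transitions are observed in exactly that order within one flow.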

The framework uses the state-driven layered NIDS approach to find signatures and collect the required forensic evidence. The IDS is used by Payer to collect the evidence for an active attack, despite the conflicting views of Sommer (1999). The framework proposes that the operating system, rather than humans, should react in appropriate time and preserve the evidence methodically, carefully, and deliberately.

It is proposed that the set of detection mechanisms deal with IP spoofing, operating system detection, blinding of the network stack, and shellcode and polymorphic shellcode detection.


Note to reader:

This framework views a network intrusion detection system (NIDS) as an additional

mechanism to secure the organisation. It will gather vast amounts of evidence and must

specify a way to maintain the chain of custody when transferring the evidence to remote

servers. Although not yet tested or implemented, this framework uses a type of checkpoint

technology and can be very useful in capturing additional information not normally captured

by the log files of an IDS.

This framework is useful as it provides guidance on the configuration of the operational infrastructure to acquire live evidence. There are no guidelines on how to conduct an active investigation that will support the overall investigation as a forensically sound process in a court of law.

6.6.2 FRAMEWORK 2: Ren and Jin (2005)

Ren and Jin (2005) have proposed a Honeynet®-based adaptive forensic and real-time investigation framework. Honeynet® systems lure attackers into revealing information about themselves and about computer misuse. A network forensic system is used to analyse and reconstruct attack behaviour.

During an active attack, the purpose of the framework is to capture network and log data effectively and efficiently and to analyse the traffic and log data according to user needs. A forensic system includes:

- A network forensic server, which integrates and analyses forensic evidence, captures behaviour on the network monitor, and launches the investigation program in response to attacks.
- A network forensic agent, which is a program that gathers evidence, ensures secure transportation of the evidence, and attaches a digital signature to the evidence. It is deployed on the network, monitors hosts and networks, and includes a packet capture machine that captures network traffic.
- A network investigator, which is a survey machine that provides the topology mapping and actively investigates the target when the server requests it.


The architecture is represented in Figure 6-3 (below). It has two LANs: a monitored Honeynet® LAN and a secure high-speed forensic LAN.

There are four methods of Honeynet® deployment: deception services, weakened systems, hardened systems (patches applied to the operating system to secure the system), and user mode servers (functional servers nested within the application space of the host operating system). In a hardened system, user mode servers, the IDS and the firewall are integrated.

The network forensic server will, inter alia, integrate the log and audit data and IDS alerts into a

database. Data mining techniques are applied to analyse the data. The server will need a large

amount of storage space, therefore the data to be stored must be carefully selected, e.g., the

source / origin, destination, serviced port, duration, and bytes transferred for every TCP

connection. One can eliminate unnecessary traffic by applying a filter. The server has the ability

to adapt the collection policy, depending on the network traffic. The result of the analysis will be

used to build a profile of the attacker. This framework mainly uses deception technology.

Note to reader:

The framework and architecture require a separate secure network with the complete installation of the various specialised servers; however, it does allow the investigator to conduct the investigation on CDE.

The application of a filter can create ‘completeness issues’ in a court of law, so it is essential to document the filter criteria, rationale and process to ensure that the completeness of the evidence set can be proved.

This framework is useful as it provides guidance on the infrastructure required to acquire live evidence. There are no guidelines on how to conduct an active investigation that will support the investigation as a forensically sound process in a court of law.

[Figure 6-3 residue: components Firewall, Agent, Console and WAN; two networks, the Monitored Honeynet® LAN and the Forensic LAN (SSL); labelled nodes A, B, C and D.]

A: Network monitor B: Network investigator C: Host to be monitored D: Network forensic server

Figure 6-3 Architecture of Ren and Jin (2005)
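The completeness concern raised in the note to reader is easiest to meet when the filter and its effect are recorded alongside the evidence it produces. The Python block below is an added example (not Ren and Jin's code or the thesis's) of the per-connection summary the text describes: TCP packets are collapsed to source, destination, port, duration and bytes per connection, a documented filter rule is applied, and the manifest records the rule, the counts before and after filtering, the dropped connections and a SHA-256 digest of the kept set so that the evidence set can be re-verified later. The packet records, addresses and filter rule are constructed.

```python
"""Per-connection summaries with a documented filter. Added example for the
Ren and Jin discussion above, not their code or the thesis's; packet records,
addresses and the filter rule are constructed for illustration."""
import hashlib
import json

# Constructed packet records: (timestamp, src, dst, proto, dst_port, bytes).
PACKETS = [
    (100.0, "10.0.0.5", "10.0.0.9", "tcp", 445, 120),
    (100.5, "10.0.0.5", "10.0.0.9", "tcp", 445, 800),
    (101.0, "10.0.0.7", "10.0.0.20", "tcp", 80, 300),
    (102.0, "10.0.0.7", "10.0.0.20", "tcp", 80, 4000),
    (103.0, "10.0.0.30", "10.0.0.31", "tcp", 10000, 90_000_000),
    (104.0, "10.0.0.5", "10.0.0.9", "udp", 53, 60),
]

# Hypothetical collection-policy rule. The rationale travels with the rule so
# the manifest can later show why records are absent from the evidence set.
FILTER_RULE = {
    "name": "exclude-backup-traffic",
    "exclude_dport": [10000],
    "rationale": "nightly backup job between storage hosts; excluded to save space",
}


def summarise_tcp(packets):
    """Collapse TCP packets into one record per (src, dst, dport) connection."""
    flows = {}
    for ts, src, dst, proto, dport, nbytes in packets:
        if proto != "tcp":
            continue
        f = flows.setdefault((src, dst, dport), {
            "src": src, "dst": dst, "dport": dport,
            "first": ts, "last": ts, "bytes": 0, "packets": 0})
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["bytes"] += nbytes
        f["packets"] += 1
    for f in flows.values():
        f["duration"] = round(f["last"] - f["first"], 3)
    return sorted(flows.values(), key=lambda f: f["first"])


def apply_filter(flows, rule):
    """Split flows into kept and dropped according to the rule."""
    excluded = set(rule["exclude_dport"])
    kept = [f for f in flows if f["dport"] not in excluded]
    dropped = [f for f in flows if f["dport"] in excluded]
    return kept, dropped


def build_manifest(packets, rule):
    """Evidence set plus the documentation needed to argue completeness."""
    flows = summarise_tcp(packets)
    kept, dropped = apply_filter(flows, rule)
    body = json.dumps(kept, sort_keys=True)
    return {
        "filter": rule,
        "flows_before_filter": len(flows),
        "flows_after_filter": len(kept),
        "dropped": [(d["src"], d["dst"], d["dport"], d["bytes"]) for d in dropped],
        "sha256_of_flows": hashlib.sha256(body.encode()).hexdigest(),
        "flows": kept,
    }


def verify_manifest(manifest):
    """Recompute the digest over the kept flows; False if any record changed."""
    body = json.dumps(manifest["flows"], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest() == manifest["sha256_of_flows"]
```

Because the manifest lists what was dropped and why, a reviewer can reproduce the filter from the raw capture and confirm that nothing outside the stated rule is missing, which is what proving completeness requires.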

6.6.3 FRAMEWORK 3: Foster and Wilson (2004)

Foster and Wilson introduced process forensics to enable the capturing of volatile evidence for digital investigations, to supplement reactive investigations as well as real-time or active investigations. Process forensics utilises check-point technology. Check-pointing is a technique of storing a running process’s state in such a way that the process can be restarted from the point at which the check-point was created (Foster & Wilson, 2004).

A check-point is created by stopping the execution of a process, capturing the process address space and kernel space to a file, and then continuing with the execution of the process. The creation of a check-point does not alter the running process, but only requires additional secure storage space. There are two types of check-pointing, incremental and terminal. The former creates check-points at regular intervals during the execution of the process; the latter is created just before the termination of the process and other related processes.

All programs and actions running on a digital device constitute a process. Processes contain vital

information on the current activities. Every process has a process identification (PID) number,

linked to a workstation. The PID has a parent PID (PPID) and can have ‘children’ or ‘sibling’

processes. The relationship between PIDs and PPIDs is not captured in log files. The process

address space also contains information about the process peripherals, which contain, for

example, opened files, pipes, socket connections, or indications of the intruder’s objective and/or

attempts to cover tracks and/or to isolate the damage done.
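Because the PID to PPID relationship is not captured in ordinary log files, a check-point style snapshot is where it has to be reconstructed. The Python block below is an added example (not Foster and Wilson's code or the thesis's) that rebuilds the process tree from such a snapshot, walks a process's lineage to the root, collects everything it spawned together with their open files and sockets, and flags shells started directly by a network service as a triage lead. The snapshot, PIDs, names, paths and service list are constructed and hypothetical.

```python
"""Reconstructing process lineage from a check-point style snapshot. Added
example, not Foster and Wilson's or the thesis's code; the snapshot below is
constructed and the PIDs, names, paths and peripherals are hypothetical."""
from collections import defaultdict

# Constructed snapshot of the kind an incremental check-point would capture:
# one record per process with its PID, parent PID and peripherals.
SNAPSHOT = [
    {"pid": 1, "ppid": 0, "name": "init", "files": [], "sockets": []},
    {"pid": 4001, "ppid": 1, "name": "httpd",
     "files": ["/var/log/httpd/access.log"], "sockets": ["0.0.0.0:80 LISTEN"]},
    {"pid": 4101, "ppid": 4001, "name": "sh",
     "files": [], "sockets": ["10.0.0.9:4444 ESTABLISHED"]},
    {"pid": 4102, "ppid": 4101, "name": "tar",
     "files": ["/home/alice/docs.tar"], "sockets": []},
    {"pid": 4103, "ppid": 4101, "name": "curl",
     "files": [], "sockets": ["203.0.113.7:443 ESTABLISHED"]},
    {"pid": 5000, "ppid": 1, "name": "sshd",
     "files": [], "sockets": ["0.0.0.0:22 LISTEN"]},
]

# Hypothetical policy: these services are not expected to spawn a shell directly.
NETWORK_SERVICES = {"httpd", "sshd"}
SHELLS = {"sh", "bash", "dash"}


class ProcessTree:
    """Parent/child index over a snapshot, built once and queried many times."""

    def __init__(self, snapshot):
        self.by_pid = {p["pid"]: p for p in snapshot}
        self.children = defaultdict(list)
        for p in snapshot:
            self.children[p["ppid"]].append(p["pid"])

    def lineage(self, pid):
        """PID chain from the given process up to the root (PPID 0)."""
        chain = []
        while pid in self.by_pid:
            chain.append(pid)
            pid = self.by_pid[pid]["ppid"]
        return chain

    def descendants(self, pid):
        """All PIDs below the given one, to any depth."""
        found, stack = set(), list(self.children.get(pid, []))
        while stack:
            child = stack.pop()
            if child not in found:
                found.add(child)
                stack.extend(self.children.get(child, []))
        return found

    def shells_spawned_by_services(self):
        """Shells whose parent is a network service: a common triage lead."""
        hits = []
        for p in self.by_pid.values():
            parent = self.by_pid.get(p["ppid"])
            if p["name"] in SHELLS and parent and parent["name"] in NETWORK_SERVICES:
                hits.append(p["pid"])
        return sorted(hits)

    def peripherals(self, pid):
        """Open files and sockets for a process and everything it spawned."""
        pids = [pid] + sorted(self.descendants(pid))
        return {q: {"files": self.by_pid[q]["files"],
                    "sockets": self.by_pid[q]["sockets"]} for q in pids}
```

The same queries run over a sequence of incremental check-points show when a child appeared and which files or sockets it held at each point, which is the timeline that killing the processes first would have destroyed.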

The most important aspect of creating the check-point is timing. When an alert is issued by the IDS, the first action of a systems administrator may be to kill all the related processes, but this will result in the loss of all volatile evidence, which is vital for the success of the investigation. It will also alert the attacker that the attack has been discovered. The immediate action must include the collection of evidence, specifically process forensic data, by using incremental check-points.

General aspects of the check-point files are that they should maintain the chain of evidence and custody, for example by being stored as encrypted files in a secure location and in a standardised format.

Foster and Wilson (2004) also suggest that the IDS must alert the administrator to an incident but at the same time activate the check-pointing application. This allows the IDS to focus on detection rather than evidence collection.

Note to reader:

Process forensics can be a very valuable tool for active and reactive investigations and should be included as a component in the formulation of our CDF capability.

This framework is useful as it provides guidance on the configuration of the operational infrastructure to acquire live evidence. Foster includes no guidelines on how to conduct a live investigation that would support the investigation as a forensically sound process in a court of law.

6.6.4 FRAMEWORK 4: Grobler (2009)

Grobler proposed a model for live forensic acquisition, the Liforac model, which is multi-dimensional with related sub-dimensions and components. The dimensions are the legal and regulatory, scope, timeline and knowledge dimensions (Figure 6-4, below).

[Figure 6-4 residue: the four dimensions Knowledge, Scope, Timeline, and Legal and regulatory.]

Figure 6-4 Graphical representation of Liforac model (Grobler, 2009)


6.6.4.1 Dimension 1: Legal and regulatory

The legal and regulatory dimension is the foundation of the model, as forensic investigations

have to consider the legal and judicial environment of the incident and the investigation. The

dimension has the following four sub-dimensions:

6.6.4.1.1 Sub-dimension 1: Common crime laws applicable to cybercrime

6.6.4.1.2 Sub-dimension 2: Specific cyber laws

6.6.4.1.3 Sub-dimension 3: Court cases and precedents

6.6.4.1.4 Sub-dimension 4: Definition of court admissibility.

6.6.4.2 Dimension 2: Timeline

The timeline view is the process view of the model, indicating the sequence of actions

(steps) that should be performed by the investigator. Grobler (2009) has adapted and used

O’Ciardhuain’s (2004) process framework. The Liforac model proposed the following

components for the timeline dimension:

6.6.4.2.1 Component 1: Implied processes

Typical implied processes are specific processes, for example, how to ensure integrity of

evidence. These processes will not have a direct positive impact on a successful timeline.

6.6.4.2.2 Component 2: Explicit processes

The explicit processes are processes that will have a direct impact on the successful completion of this dimension, for example, awareness, authorisation, planning, notification, search for and identification of evidence, examination, hypothesis and the dissemination of information (based on O’Ciardhuain’s framework).

6.6.4.2.3 Component 3: Before an investigation

This component considers the identification of all possible activities before the

acquisition starts, typically, awareness, authorisation and planning. The sub-components

include determining the power status of the target machine (on or off); selecting an

investigation mode (overt or covert); deciding whether to isolate the target machine or

to secure it; and lastly, acquiring the evidence locally or remotely.

6.6.4.2.4 Component 4: During the investigation

All possible activities during the acquisition process should be determined. Typically,

notification, search and identify, and examination activities should be considered.


6.6.4.2.5 Component 5: After the investigation

This component provides full coverage of all possible activities after the acquisition, for example, hypothesis, information dissemination, and controls. The activities include updating the chain of custody, securing all evidence, transporting and storing the evidence, analysing the evidence with forensically sound tools (software), and producing a written report.

6.6.4.3 Dimension 3: Knowledge

The knowledge dimension indicates different stages of awareness and understanding of

investigators. This dimension incorporates the requirements that investigators must meet:

who must be involved, and what skills will be required. If they lack the required skills, they

should receive applicable training. The seven identified components are:

6.6.4.3.1 Component 1: Computer science

The investigators need a sound IT knowledge base to be able to understand the context,

implication and extent of a specific incident.

6.6.4.3.2 Component 2: World trends and events

Awareness of current trends in cybercrime and how to combat the latest crimes will

ensure that the investigator is up to date.

6.6.4.3.3 Component 3: Information systems

Information systems are collections of practices, algorithms, and methodologies that

transform data into useful information. An understanding of information systems will be

useful for the investigator in determining the location of information or data as potential

evidence.

6.6.4.3.4 Component 4: Social sciences

Knowledge of social science can assist the investigator in building a profile of the cybercriminal.

6.6.4.3.5 Component 5: Forensic science

Forensic science is a well-defined discipline with solid principles. It is necessary for the

investigator to relate the fundamental forensic principles to DF.

6.6.4.3.6 Component 6: Law

DF and the law are two intertwined disciplines. The investigators need legal and

regulatory knowledge.


6.6.4.3.7 Component 7: New technology

New technologies will have an influence on DF investigations. The investigators must

ensure that they keep up to date with new software and hardware.

6.6.4.4 Dimension 4: Scope

The scope dimension addresses typical problems that investigators will face related to live

investigations. The five components are:

6.6.4.4.1 Component 1: Access to the machine

The investigator should determine the legal requirements to gain access to the targeted

machine. It may require, for example, a search warrant or cooperation from a suspect to

obtain a password or encryption keys.

6.6.4.4.2 Component 2: Dependency on operating system

Each operating system interacts differently with forensic practice.

6.6.4.4.3 Component 3: Data modification

Running processes modify data during acquisition, with the result that the live evidence acquired is inadmissible according to legal requirements.

6.6.4.4.4 Component 4: Demonstrate authenticity of evidence

Evidence must be authenticated: it is essential to prove that the evidence presented in a court is the actual evidence acquired.

6.6.4.4.5 Component 5: Court acceptance

Determine what is required to ensure that the evidence acquired meets the legal

requirements.

Note to reader:

This framework is the only one discussed that provides guidance on the actual live evidence

acquisition. We will use it to propose the ActDF component’s phases.

Dimension 1: Legal and regulatory dimension corresponds to the legal and judicial

dimension that will be used to formulate the holistic DF framework DFMF to

implement and manage our CDF capability in an organisation. The content should

be included in the ProDF component.


Dimension 2: Timeline components will be incorporated in the ProDF, ActDF, and

ReDF components of our CDF capability.

Dimension 3: Knowledge. This dimension adds value in the identification of

potential awareness and training requirements in the ProDF component that

should be considered when we formulate the holistic implementation and

management framework DFMF.

Dimension 4: Scope. We will include aspects of this dimension when formulating

the ActDF component.

6.6.5 FRAMEWORK 5: Ieong and Leung (2007)

Ieong and Leung (2007) have extended the role-based FORZA model (Ieong, 2006), as discussed in Chapter 3 (par. 3.6), to propose a conceptual framework for live investigations. We have not included this extension in Chapter 3 as it concentrates on live investigations and is more suitable for inclusion in this chapter. It proposes different roles and layers, which are contextual investigation, contextual, technical preparation, compliance, conceptual security, collection, analysis, and presentation. The layers and roles are linked to answers to the questions of what? (the data attributes), why? (motivation), how? (procedure), who? (people), where? (location) and when? (time). Ieong has demonstrated his model by asking these questions at each layer to identify how a live investigation should be carried out (Ieong & Leung, 2007).

The evidence acquired during live investigations must adhere to the following criteria: completeness, time required to successfully acquire, importance, case dependency, reasonableness, verifiability, integrity, accuracy, repeatability and order of volatility (Ieong & Leung, 2007). One should consider completeness, time required, importance, and case dependency when selecting data. It is important to determine the likelihood that the evidence will be applicable; the evidence should be gathered in order of volatility. A reference order for the data collection process is represented in Figure 6-5 (below).


Ieong and Leung (2007) provide a conceptual framework for live investigations that is not linked to specific live evidence investigative tools or techniques. It does not provide any links with ProDF, but indicates some links to ReDF investigations, as identified in Table 6.1 (below) by layers 1 and 2. We will utilise the questions who, what, why, where and how to link to the different dimensions of DF: legal and judicial, governance, process, policy, people, and technology.

Note to reader:

Table 6.1 (below) is a comparison of the frameworks of Ieong and Leung (2007) and Grobler

(2009). We have correlated similar areas and have added an additional one to identify

overlapping areas with the ReDF component and potential content for the ActDF

component.

Figure 6-5. A reference order of data collection process in live forensic investigations (Ieong & Leung, 2007). The figure shows the following sequence, from the start of acquisition to completion:

1. Network information, collected from the machine
2. Physical and virtual memory collection
3. Open files and registry
4. Current process information
5. System configuration information
6. Use information
7. Current user information
8. Network information, collected from the network
9. Event log
10. File and directory information
11. Preset services list
12. Preset process list


Table 6.1. List of specific questions for live investigations – based on FORZA (Ieong & Leung, 2007)

The table has three column groups: Ieong and Leung (role, layer, and concept with its question), Grobler (relation to the ReDF component, given as paragraph references to the Grobler (2009) framework in par. 6.6.4), and Author comment.

Role: Case leader or investigator
Layer 1: Contextual investigation
  1a. What is the rationale of the operation? (Why?)
  1b. What is the nature of the case? What information is of interest? (What?)
  1c. How urgent is the operation? When did it happen? (When?)
  1d. What preliminary actions were performed for collecting the current state of the target machine? (What?)
  1e. Determine if local or remote case? (Where?)
  1f. Who is involved? Who can permit actions to be performed? (Who?)
Relation to ReDF component: 6.6.4.2.3; 6.6.4.4.1; 6.6.4.2.3
Author comment: Most of the questions are addressed during the incident and confirmation step of the ReDF component. Include the location of evidence in the evidence collection procedure.

Role: System or business owner
Layer 2: Contextual
  2a. Why do we need to investigate? Type of case: internal, civil, or criminal? (Why?)
  2b. What type of data? Sensitivity of the data? (What?)
  2c. Extent of the disruption to business? (When?)
  2d. Can you minimise the effect on the current infrastructure? (How?)
Author comment: All of the questions are covered in the ReDF framework.

Role: Digital forensics specialists
Layer 3: Technical preparation
  3a. Based on the type of incident, what information must you collect? (What?)
  3b. What information is required: volatile, non-volatile, network process, or file access? (What?)
  3c. Is memory critical? (What?)
  3d. Determine the limitation of the proposed live procedure (How?)
  3e. Based on a hypothesis, determine who is involved (Who?)
  3f. Determine where the target machine is and which other remote machines will be affected (Where?)
  3g. Propose the time required for the operation (When?)
  3h. Derive or reorder the information collection procedure (How?)
Relation to ReDF component: 6.6.4.2.4; 6.6.4.4.1; 6.6.4.4.2
Author comment: All the questions should be included in the ActDF framework.

Role: Legal advisor
Layer 4: Compliance advisory level
  4a. Confirm with the legal counsel for the case which legal strategy (civil, internal, or criminal) must apply (Why?)
  4b. What is the necessary and sufficient information to meet the objective? (What?)
  4c. Determine the admissibility of evidence acquired (How?)
  4d. Determine the limitation of live investigation tools to guarantee the admissibility of evidence (How?)
  4e. Determine if the investigative procedure is forensically sound (How?)
Relation to ReDF component: 6.6.4.4.5
Author comment: The how questions should be included, for example, admissibility of live evidence, limitation of live investigative tools and a forensically sound live investigative process as defined by the ProDF component.

Role: Security auditor / Systems architect
Layer 5: Conceptual security level
  5a. Any other system-specific volatile evidence? (What?)
  5b. Any specific induced volatile information? (What?)
  5c. Any time limitation induced to non-volatile information? (What?)
Author comment: All the questions should be included in the ActDF framework.

Role: Digital forensic investigator
Layer 6: Collection
  6a. Determine what tools to use (What?)
  6b. Determine live or remote investigation (What?)
  6c. Implement automatic live investigation with procedure? (How?)
  6d. Any urgent requirement list confirmed? (What?)
  6e. Confirm and collect all volatile data? Determine missing external storage
  6f. Any network, router, or firewall information? (What?)
  6g. Any specific information search? (What?)
Relation to ReDF component: 6.6.4.2.4; 6.6.4.4.1; 6.6.4.4.2; 6.6.4.4.3; 6.6.4.4.4
Author comment: All the questions should be included in the ActDF framework.

Role: DF investigator / Forensic analyst
Layer 7: Analysis
  7a. Determine if the live investigation will interrupt or affect evidence collection (How?)
  7b. Extract and consolidate forensic evidence for analysis (What?)
Relation to ReDF component: 6.6.4.2.4
Author comment: All the questions should be included in the ActDF framework.

Role: Legal prosecutor
Layer 8: Presentation
  8a. Determine if the live investigation is forensically sound (How?)
  8b. Determine if collectable evidence is admissible and if any evidence has been altered (What?)
Author comment: All the questions should be included in the ActDF framework.


The next section will use the ActDF phases identified in Chapter 3 and elements of the frameworks

discussed in pars. 6.6.1 to 6.6.4 to formulate the ActDF component by proposing goals and phases

with associated steps.

Note to reader:

The first three frameworks use automated IDS to identify and acquire evidence. Ren and

Jin (2005) use the data to predict the behaviour of the perpetrator. Profiling techniques

can be included in the proposed framework to assist with the compilation of behaviour

patterns. Foster indicates the need to have a separate checkpoint application that will

enable the capturing of checkpoint data as the purpose of the IDS is to detect the

incident, not to capture the CDE.

Forensically sound tools and technology should be employed to guarantee CDE. The discussed frameworks focus on a tool or technology and do not consider a forensically sound process to follow, should one engage in a live forensic investigation.

Grobler (2009) and Ieong and Leung (2007) provide tool- and technology-independent, forensically sound frameworks. We will use aspects of both frameworks and an analogy of the phases of the ReDF component to propose the ActDF component. We will also demonstrate the relationship between the ActDF and ReDF components of our CDF capability.

6.7 ACTDF COMPONENT OF OUR CDF CAPABILITY

From the discussion in the previous section, and the identified phases for the ActDF protocol in

Chapter 3 (par. 3.5.2), we have shown that there is a need for live investigations. However, the

current perceptions and rationale of ‘live’ investigations differ and there is therefore a need to

formalise them (Ieong & Leung, 2007).

Note to reader:

We propose that ActDF include current live forensic tools and techniques, real-time investigations as well as remote investigations. We do not include the ability to fix the problem or to facilitate a full-blown investigation; the aim is to provide a platform to gather the live evidence required by the ReDF component.


6.7.1 ActDF definition

We accept the proposed definition for the ActDF component in Chapter 2 (par. 2.8.3) as:

Active DF is the ability of an organisation to gather (identify, collect and preserve) Comprehensive Digital Evidence in a live environment to facilitate a successful investigation.

6.7.2 Goals for ActDF

To provide a high-level context for the ActDF component, we propose goals. We have used the phases identified for ActDF in Chapter 3 (par. 3.5.2) and the layers and types of questions asked in Table 6.1 to propose the following three goals for ActDF:

Goal 1: Acquire and analyse relevant live CDE in a live system or production environment by using appropriate tools and technologies (Table 6.1, layers 2 – 7; 3.5.2.1 - 3.5.2.4).

Goal 2: Minimise the effect and impact of an on-going incident (Table 6.1, layers 2c, 2d).

Goal 3: Provide a meaningful starting point for a reactive investigation within the parameters of the risk control framework of the organisation (Table 6.1, layers 7b, 8).

There is a need for a framework to guide investigators conducting live investigations (Ieong & Leung, 2007). The framework must provide clear guidelines for gathering the additional CDE required during an on-going incident and must consider all the legal requirements in terms of the processes followed during the investigation, as set out by the ReDF framework (Grobler & von Solms, 2009). This framework must be included in the ActDF component of our CDF capability of the organisation.

The ActDF framework must contain policies and procedures to guide behaviour and decision-making after the need to gather live evidence has been detected. The framework must interlink with the IDS, traditional IRP, business continuity plan (BCP), and disaster recovery plan (DRP) of the organisation. The IDS can play a major role in evidence collection and in assisting with profiling the attacker. The IRP and BCP of the organisation must provide guidelines on the containment of the incident, the preservation of evidence and if, when and how to proceed with an investigation.


The decision whether to stop the incident and affected systems or allow them to continue in a

contained environment will be the responsibility of the risk manager of the organisation. This

decision can be influenced by various factors, for example cost of investigation, severity of

incident, and ‘loss of public profile’. It is advisable that Info Sec and DF experts participate in the

decision-making to allow the manager to make an informed decision on the IR.

It is essential that this framework consider the chain of evidence and chain of custody

requirements at all times, to ensure that no one tampers with the evidence. It is therefore

essential to create a culture of documenting all activities during the entire active investigation.

Active investigations will normally be conducted over a network. Various frameworks exist to conduct real-time investigations, but all of them concentrate on utilising the network traffic logs as captured by the network operating system and the IDS.

Note to reader:

We combine the dimensions of Grobler and Louwrens (2006), and layers with associated

questions of Ieong and Leung (2007) (Table 6.1) and phases identified in Chapter 3 (par.

3.5.2) to propose phases with associated steps for the ActDF protocol of the ActDF

component independent of any tools and technologies.

We propose the following ActDF framework or protocol for the ActDF component. The protocol

consists of phases and associated steps. Investigators can apply the protocol to acquire live

evidence.

6.7.3 ActDF protocol

We propose the following four phases with associated steps:

6.7.3.1 PHASE 1: Incident response and confirmation phase

Augment the ReDF component as formulated in par. 5.5.1 to include the following ActDF

requirements:

6.7.3.1.1 Step 1: Incident detection and confirmation (par. 3.5.3.3.2; 6.6.4.2.2)


Determine the rationale of the operation. The nature of the case will determine the urgency of the operation, and it must be established when the incident started.

Investigators must also determine the power status of the target machine (on or off), select an investigation mode (overt or covert), decide whether to isolate the target machine or to secure it, and lastly decide whether to acquire the evidence locally or remotely.

6.7.3.1.2 Step 2: Minimise the impact of the incident (par. 6.6.4.2.3)

Allow the incident to continue in a controlled environment while activating the containment strategy of the organisation. The aim is to minimise the impact of the incident on the current infrastructure.

6.7.3.2 PHASE 2: ActDF investigation phase

6.7.3.2.1 Sub-phase 1: Acquire the live evidence (pars. 3.5.2.1; 6.6.4.2.2; 6.6.4.2.3; 6.6.4.2.4)

Step 1: Evidence identification

Determine which live evidence must be acquired to successfully investigate the incident.

Based on the type of incident, determine what evidence to collect. Consider the

sensitivity and volatility of the evidence. Include other system-specific volatile evidence,

specific induced volatile information, and time limitation induced to non-volatile

information.

The type of operating system will influence the identification of the evidence (par.

6.6.4.4.2). Determine the limitations of the proposed live acquisition procedure, the

proposed time required for the operation, where the target machine is and which other

remote machines will be affected (par. 6.6.4.2.3).

Step 2: Acquire live evidence

Acquire the additional evidence that is lacking, using the appropriate tools, technologies, or applications required to profile the attacker and acquire the evidence (par. 3.5.2.1 and Table 6.1: layers 4d, 6a – 6e).

It is important to automate the appropriate evidence collection tools, technologies or applications and to activate them as early as possible (this can be immediately after an incident alert has been issued, initiated by a trigger event).

Use an acceptable live evidence acquisition protocol (par. 3.5.2.1) (Table 6.1: layer 4e).

Apply the following data acquisition baseline (Ieong & Leung, 2007):

Impose minimal user intervention.

All actions performed should be necessary and minimally intrusive.

Minimal modification of static digital evidence.

Data acquisition should follow the order of volatility and priority of digital evidence collection (par. 3.5.2.1) (Table 6.1: layers 5a – 5c).

Acquire non-priority or volatile evidence through traditional evidence collection.

Copying or extraction of data should only be performed when the original data and timestamps are unaffected (pars. 3.5.2.2, 6.6.4.4.4).

To ensure the integrity of the acquired live evidence (pars. 3.5.2.2; 6.6.4.4.3; 6.6.4.4.4), hash all the extracted data and the record of actions immediately after the collection process, and duplicate the evidence before analysis to preserve it (par. 3.5.2.2) (Table 6.1: layer 8a). It is essential to document all activities at all times to ensure the integrity of the live evidence and processes. The reliability of the results must be ensured at all times and false data eliminated (par. 3.5.2.3).
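To make the acquisition baseline above concrete, the following is an added example (not code from the thesis, nor from Ieong and Leung) of a small evidence-integrity log for live acquisition: it enforces the reference collection order of Figure 6-5, hashes every artefact immediately after collection, chains the record of actions so that a later edit to the record is detectable, and verifies the working duplicate against the original hash before analysis. The artefact class names, the collector identity and the sample payloads are constructed for illustration.

```python
"""Added example: evidence-integrity log for live (ActDF) acquisition.

Applies the baseline from the text: collect in order of volatility, hash each
artefact and the record of actions immediately, duplicate before analysis.
All names and sample data below are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Reference order of data collection (from Figure 6-5), most volatile first.
# Class names are constructed from the figure labels.
REFERENCE_ORDER = [
    "network-from-machine",
    "physical-and-virtual-memory",
    "open-files-and-registry",
    "current-process-information",
    "system-configuration-information",
    "user-information",
    "current-user-information",
    "network-from-network",
    "event-log",
    "file-and-directory-information",
    "preset-services-list",
    "preset-process-list",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Record of actions: every entry carries the hash of the previous entry,
    so altering or deleting an earlier entry breaks the chain (par. 6.6.4.4.4)."""

    def __init__(self, collector: str):
        self.collector = collector
        self.entries = []        # the record of actions, in order
        self.artefacts = {}      # artefact class -> (sha256, original bytes)
        self._last_hash = sha256_hex(b"")

    def _record(self, action: str, **fields):
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "collector": self.collector,
            "action": action,
            "prev": self._last_hash,
            **fields,
        }
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self._last_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def collect(self, name: str, payload: bytes) -> str:
        """Collect one artefact, refusing any step that goes back up the
        order of volatility, and hash it immediately after collection."""
        if name not in REFERENCE_ORDER:
            raise ValueError(f"unknown artefact class: {name}")
        done = [e["artefact"] for e in self.entries if e["action"] == "collect"]
        if done and REFERENCE_ORDER.index(name) < REFERENCE_ORDER.index(done[-1]):
            raise ValueError(f"{name} is more volatile than {done[-1]}; "
                             "collection must follow the order of volatility")
        digest = sha256_hex(payload)
        self.artefacts[name] = (digest, payload)
        self._record("collect", artefact=name, size=len(payload), sha256=digest)
        return digest

    def working_copy(self, name: str) -> bytes:
        """Duplicate before analysis; the copy must match the recorded hash."""
        digest, original = self.artefacts[name]
        copy = bytes(original)
        if sha256_hex(copy) != digest:
            raise RuntimeError(f"duplicate of {name} does not match original hash")
        self._record("duplicate", artefact=name, sha256=digest)
        return copy

    def verify_chain(self) -> bool:
        """Recompute every entry hash and link; False if the record was altered."""
        prev = sha256_hex(b"")
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> EvidenceLog:
    """Constructed walk-through: two artefacts in volatility order, then a working copy."""
    log = EvidenceLog(collector="analyst-01")                       # constructed identity
    log.collect("network-from-machine", b"tcp 10.0.0.5:443 ESTABLISHED")  # constructed sample
    log.collect("physical-and-virtual-memory", b"<memory image bytes>")   # constructed sample
    log.working_copy("physical-and-virtual-memory")
    return log


if __name__ == "__main__":
    print(json.dumps(demo().entries, indent=2))
```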

6.7.3.2.2 Sub-phase 2: Analyse evidence (pars.3.5.2.4; 6.6.4.2.5)

Analyse the preliminary evidence to determine whether sufficient evidence has been gathered to support the hypothesis (Table 6.1: layers 7a, 7b).

6.7.3.3 PHASE 3: Limited incident reconstruction phase (par. 3.5.2.4)

Use the results of the ActDF investigation phase to determine if the required live evidence has

been acquired. If more live evidence is required, it will be necessary to repeat the ActDF

investigation phase to acquire more live evidence. Various factors can determine if the

investigation can continue, for example, the risk management framework of the organisation

can prescribe that the impact on the business operations or the cost is too high.

6.7.3.4 PHASE 4: ActDF investigation closure (par. 6.6.4.2.5)

Prepare case files for reactive investigation team to complete the investigation.

Phase 1 supports goal 2, to minimise the effect and impact of an on-going incident; phases 2 and 3 support goal 1, to acquire and analyse relevant live CDE in a live system or production environment by using appropriate tools and technologies; and phase 4 supports goal 3, to provide a meaningful starting point for a reactive investigation within the parameters of the risk control framework of the organisation.


The ActDF component will be activated by the ReDF component or when live evidence is needed

to investigate the incident (par. 5.5.3.2.1). Once the required evidence has been acquired, control

will be returned to the ReDF team to continue with the investigation (par. 6.7.3.4). Figure 6-6

(below) is a graphical representation of the phases of the ActDF component of our CDF capability.

Figure 6-6. Graphical representation of the ActDF component (by author)

The ActDF framework will do very limited incident reconstruction, as the purpose of this phase is to

determine if the live evidence required for a successful investigation has been captured. The reactive

component will continue to analyse and reconstruct the incident to conclude the investigation.

6.8 SUMMARY

The chapter has discussed the need for an ActDF capability. There are various definitions and

perceptions of live, remote and real-time investigations. It has defined ActDF to include all types of

‘live’ investigations.

There is a close relationship between the IDS, IRP, and active investigations. The chapter has

provided a brief overview of IDS and the shortcomings to provide an explanation of why the data

gathered by IDS is insufficient to support a successful investigation.

(Figure 6-6 labels, displaced here by extraction: ReDF component as proposed in Chapter 5, Figure 5-2; common phase; ReDF Phase 2: Physical investigation; ReDF Phase 3: Digital investigation; ReDF Phase 4: Incident reconstruction; ReDF Phase 5: Presentation of findings; ReDF Phase 6: Incident closure. ActDF: Phase 1: Incident response and confirmation; Phase 2: ActDF digital investigation (Sub-phase 1: Evidence acquisition; Sub-phase 2: Analysis); Phase 3: Incident reconstruction; Phase 4: Incident closure.)

There is a definite need for a framework to assist with active DF investigations. Various tools and techniques exist, but no common procedure to guide organisations. IDS can provide some data, but investigators cannot always use it as evidence. The chapter has highlighted the need to change IDS so that data collected can also be used as admissible, relevant evidence.

The frameworks identified in par. 6.6 are slanted towards IDS and concentrate on the collection and analysis of the live evidence using specific technology, but do not provide any guidance on the forensic process that must be followed. Ieong and Leung’s framework (2007) provides a role-based overview but not a forensically sound process to follow. Grobler (2009) provides some guidance on the forensic process, and also additional aspects, for example legal and regulatory knowledge and scope, to consider when formulating our CDF capability.

The next chapter will consolidate the various components identified for ProDF (Chapter 4), ReDF

(Chapter 5) and ActDF (Chapter 6) of the thesis.


6.9 FOLD-OUT FOR CHAPTER 6

Chapter 6: Active Digital Forensics (ActDF), map of the chapter:

  Need for ActDF (par. 6.3)
  Relationship between IDS and live investigations (par. 6.4)
  Live investigation tools and techniques (par. 6.5)
  Live investigation frameworks (par. 6.6):
    Framework 1: Payer (par. 6.6.1)
    Framework 2: Ren and Jin (par. 6.6.2)
    Framework 3: Foster and Wilson (par. 6.6.3)
    Framework 4: Grobler and von Solms (par. 6.6.4)
    Framework 5: Ieong and Leung (par. 6.6.5)
  ActDF component (par. 6.7):
    ActDF definition (par. 6.7.1)
    Goals for ActDF (par. 6.7.2)
    ActDF protocol (par. 6.7.3):
      3.5.2.1 Phase 1: Incident response and confirmation
      3.5.2.2 Phase 2: ActDF investigation
      3.5.2.3 Phase 3: Limited incident reconstruction
      3.5.2.4 Phase 4: Investigation closure


PART 2

CONSTRUCTION OF OUR DFMF

The aim of Part 2 of the thesis will be to address sub-objectives 3 (par. 1.5.3) and 4 (par. 1.5.4):

Sub-objective 3: Formulate our CDF capability (Chapter 7).

We will:

expand on the identified phases and steps for each component to formulate our CDF

capability

identify to-do lists for the CDF capability

discuss the relationship between the components of a DF capability

consolidate the to-do lists to assist management to implement the CDF capability.

Sub-objective 4: Construct our holistic theoretical DF implementation and management

framework (DFMF) (Chapter 8).

We will:

use the consolidated to-do list as a basis for the formulation of the DFMF

identify deliverables to implement and manage for each component of our CDF capability;

the deliverables will be used to formulate DFMF

use the dimensions of DF to categorise the identified deliverables

use the relationship between the dimensions of DF to construct the holistic, comprehensive

DF implementation and management framework (DFMF)

ensure that our DFMF is easy to use as it should be able to provide management with a high-

level overview of ‘what to do, who should do it, how it should be done’.


7 CHAPTER 7

COMPREHENSIVE DF CAPABILITY

7.1 INTRODUCTION

We have identified the need for our CDF capability that will cover the preparation for the use of DF

tools and technologies, live evidence acquisition, and the actual reactive investigation with post-

investigation activities (par. 2.8). We have investigated and compared various DF frameworks and

viewpoints in the previous chapters (3, 4, 5 and 6) to define three components of our CDF capability,

as shown in Figure 7-1 (below):

The aim of this chapter is to consolidate the findings of Chapters 4, 5, and 6, to suggest improvements to the consolidated findings and to provide a high-level view of our CDF capability.

The DF frameworks discussed in the previous chapters provide guidelines for the actions to be taken

to conduct a DF investigation. There are very few explicit references to the strategies, policies and

procedures that must be formulated to support the investigations. To address the shortcomings, we

identify typical actions in the form of a to-do list for each component of the CDF capability, thus

providing an idea of what should be done by the organisation when implementing or using the CDF

capability.

The to-do lists contain typical actions that must be performed, for example, to establish legal and

regulatory requirements, and to formulate strategies, investigation protocols, policies and

procedures, and to determine education, training, infrastructure and technology requirements. It is

also essential to manage the CDF capability. We include typical management duties in the to-do lists.

The chapter will also provide a discussion of the relationship between the components. Figure 7-2

(below) depicts the role of this chapter within the overall thesis.

Figure 7-1 CDF capability (also Figure 2-3) (by author)


7.2 AIM AND STRUCTURE OF THIS CHAPTER

The aim of this chapter is to consolidate the views of ProDF, ActDF, and ReDF, as discussed in the

previous chapters. We will include improvements to specific stages or steps when we:

consolidate the ProDF component (par. 4.5); confirm the definition, goals, sub-goals and

elements (par. 7.3); and identify to-do lists (pars. 7.3.1.2; 7.3.1.4; 7.3.1.6; 7.3.1.8,

7.3.2.3)

consolidate the ReDF component (pars. 5.3 - 5.5); confirm the definition, goals, phases

and steps (par. 7.4); and identify a to-do list (par. 7.4.7)

consolidate the ActDF component (par. 6.7); confirm the definition, goals, phases and

steps (par.7.5); and identify a to-do list (par. 7.5.5)

discuss the relationship between the ProDF, ActDF and ReDF components (par. 7.6)

consolidate the to-do lists to be used in the next chapter to construct the DFMF (par.

7.7).

Note to reader:

There is a substantial amount of repetition in this chapter, however, we are not merely

repeating content but rather adding additional content to the different components to

ensure the comprehensiveness of our CDF capability.

We have included a fold-out for ProDF, ReDF and ActDF at the end of the chapter (par.

7.8, p. 7-204, par. 7.9 p. 7-205, and par. 7.10 p. 7-206) respectively, for use as a map.

[Figure 7-2 layout: Part 1: Background; Part 2: Construction of DFMF, comprising Chapter 7: Comprehensive DF capability and Chapter 8: Construction of DFMF; Part 3: Conclusion.]

Figure 7-2 Role of the chapter in the thesis (by author)


We suggest that the ProDF page (par. 7.8, p. 7-204) be folded out at this stage to provide

context. It is also advised that the fold-out be referenced when every paragraph is read,

as this ensures that the context of reading is preserved. We label the various paragraphs

with a corresponding number, e.g., on the fold-out.

The next section will suggest improvements and consolidate the ProDF component as discussed in

Chapter 4.

7.3 PROACTIVE DF (PRODF) COMPONENT

The saying ‘prevention is better than cure’ is applicable to organisations whose digital evidence

requirements are increasing. A ProDF capability, as discussed, refers to the forensic

preparation of an organisation to ensure successful, cost-effective digital investigations with minimal

disruption to business activity, and to ensure that comprehensive digital evidence (CDE) and forensically

sound processes are in place and available. The evidence may be needed for an investigation or

during the normal flow of business to demonstrate due diligence with respect to good governance.

From the literature studied, most of the current DF models include a ‘preparation’ or a ‘DF

readiness’ step (Beebe & Clark, 2005; Casey, 2004; Louwrens et al., 2006b; Rowlingson, 2004). We

provided the following definition of DF readiness (par. 4.4):

DF readiness is the ability of an organisation to maximise its potential

to use comprehensive digital evidence whilst minimising the costs of an

investigation.

We proposed a definition for ProDF in Chapter 4 (par. 4.5.1) but wish to refine it as:

ProDF is the forensic preparation of an organisation to ensure

successful, cost-effective investigations, with minimal disruption to

business activities, and the use of DF to establish and manage

governance programmes.


We proposed two goals for ProDF in Chapter 4:

ProDF Goal 1: Become DF-ready (par. 4.5.2.1)

ProDF Goal 2: Implement and manage DF to improve governance programmes (par.

4.5.2.2).

Figure 7-3 (below) is a graphical representation of the ProDF component:

[Figure 7-3 layout: ProDF. Goal 1: Become DF-ready, with sub-goal 1: prepared infrastructure; sub-goal 2: maximise CDE availability; sub-goal 3: prepare responsible, competent employees; sub-goal 4: ensure a cost-effective investigation. Goal 2: Implement and manage DF to improve governance programmes, with sub-goal 1: establish a DF management capability; sub-goal 2: apply DF to provide reasonable assurance regarding the achievement of organisational objectives.]

The next section consolidates each ProDF goal with its associated elements. Having discussed the

goals in Chapter 4 (par. 4.5.2), we will rearrange steps to propose

improvements to certain elements of the ProDF component.

7.3.1 ProDF Goal 1: Become DF-ready. See on the ProDF fold-out

DF readiness is the ability of an organisation to maximise its ability to use CDE whilst minimising

the costs of an investigation (par. 4.4). DF readiness is supported by four sub-goals (par. 4.5.2.1,

p. 4-110):

Sub-goal 1: Ensure a prepared infrastructure (par. 7.3.1.1)

Sub-goal 2: Maximise CDE availability (par. 7.3.1.3)

Sub-goal 3: Prepare a responsible, competent human resource capability by the

development of a DF education, training and awareness strategy with supporting

programmes (par. 7.3.1.5)

Sub-goal 4: Ensure a cost-effective investigation (par. 7.3.1.7).

The next section will expand and clarify the four sub-goals of DF readiness.

Figure 7-3 ProDF component of CDF capability (also Figure 4-3)


7.3.1.1 DF readiness sub-goal 1: Ensure a prepared infrastructure (two elements) (par. 4.5.2.1.1,

p. 4-110). See on the ProDF fold-out.

The prepared infrastructure includes operational and DF investigation infrastructure (par.

4.4.2.3.2). It is essential to determine the legal and judicial requirements regarding acquisition,

configuration and management of the infrastructure. These requirements include the

configuration of hardware or software to ensure the admissibility of evidence produced by the

infrastructure. It is also essential to acquire investigation tools and techniques that will be

acceptable to the legal and judicial community. The infrastructure should be managed and

organisations should have the management structures necessary to ensure the availability of a

prepared infrastructure. We will now consider what should be done to prepare the operational

infrastructure.

7.3.1.1.1 Element 1: Prepare operational infrastructure (par. 4.4.2.3.2)

The entire operational infrastructure of an organisation should be evaluated to

determine where changes might be necessary to enable DF in an organisation.

Organisations should identify business processes, applications, and infrastructure to

become DF-ready. It is essential to design, construct, and configure relevant systems to

enable future forensic investigations. This concept can span all the activities in the

organisation and is not limited to Info Sec and IT systems. To demonstrate:

Include digital evidence and forensic process requirements during the systems

development life cycle when designing new applications or systems

Design, configure, implement and manage the operational infrastructure (with

relevant policies and procedures) to:

prevent anti-forensic activities

prevent anonymous activities

include a capability to ensure the systematic gathering of potential evidence

by enabling logging capabilities

apply good practices to ensure forensic friendly file systems, for example,

file system separation

use profiling techniques to identify attacks or perpetrators; apply periodical

auditing; use digital fingerprinting to ensure the integrity of proprietary

information

include the capability to collect live / volatile evidence, for example, enable

remote logging


time-synchronise all relevant devices and systems for the time-lining of

events during an investigation

implement and configure an IDS to ensure that incidents are detected as

early as possible.

7.3.1.1.2 Element 2: Establish, manage and equip a DF investigation (DFI) infrastructure (par.

4.4.2.3.2)

Management should identify and allocate a dedicated secure venue (DFI laboratory) with

a secure storage area in which to store all case documentation and evidence.

Organisations must ensure the availability of an investigation infrastructure, for example

an isolated network; forensic servers, short- and long-term servers, and other

equipment, for example, disk duplicators, digital cameras, jump bags, and networking

gear. The DFI laboratory must be equipped with appropriate, admissible forensic tools to

acquire, analyse, evaluate, and present legally admissible digital evidence (static, live,

legacy and post-investigation). The laboratory should have the necessary stationery

available during an investigation, for example, blank media, gloves and physical evidence

bags.

To manage the DFI laboratory, it is necessary to formulate a policy and procedure to

control the use of the laboratory, use of tools and access to the laboratory (this can

include logbooks for access control).

Note to reader:

We add backup policies and procedures for the DFI laboratory, which must include

the backup of tools, case files, and evidence to ensure that all versions of tools are

available if one needs to re-open a case (by author).

7.3.1.2 To-do list

Organisations must:

determine the legal and regulatory requirements applicable to the operational and

investigation infrastructure. Consider requirements related to evidence, processes,

admissibility of investigation tools, and the configuration of the operational and

investigation infrastructure (par. 7.3.1.1)


establish the relevant management structures to ensure the availability of facilities

(DFI laboratory, and operational infrastructure), hardware, software and equipment

to ensure a successful investigation (par. 7.3.1.1)

formulate policies and procedures to manage the preparation, use and maintenance

of the operational and investigation infrastructure (pars. 7.3.1.1.1; 7.3.1.1.2)

only consider the acquisition and application of acceptable and admissible forensic

tools, technologies and equipment (par. 7.3.1.1.2).

7.3.1.3 DF readiness sub-goal 2: Maximise CDE availability (par. 4.5.2.1.2, p. 4-110). See on

the ProDF fold-out.

It is essential that organisations put in place measures and controls to identify and manage the

identified digital evidence. Beebe and Clark (2005) recommend the establishment of an

information retention plan.

Note to reader:

We are convinced that organisations need more than an information retention plan, notably

an evidence management plan (EMP) to maximise CDE availability. The information retention

plan as identified in Chapter 4 (par. 4.4.2.3.1) requires the identification of potential CDE

and the development of evidence management policies and procedures.

The EMP should concentrate on the management of required CDE in an organisation. This

includes the identification, legal gathering, preservation, handling, retrieval, retention, and

archiving of CDE. Managing evidence requires the ability of managers to measure the

completeness of the evidence set related to the risks to the organisation.

We therefore include an EMP in the ProDF component, and propose four steps to establish and

manage the EMP:

EMP Step 1: Identify potential CDE proactively for specific risk or scenario (par.

4.4.2.3.1)

EMP Step 2: Organise the CDE by compiling an evidence index, adapted from Casey’s

evidence map (Casey, 2007), and establishing a network evidence map (NEW by

author)


EMP Step 3: Evaluate the evidence status of known assessed risks or scenarios in

terms of the comprehensiveness of the CDE set of the risk or scenario (NEW by

author)

EMP Step 4: Develop and augment evidence-related policies and procedures to

ensure that evidence sets have the highest CDE rating (par. 4.4.2.3.1). The CDE

rating will be an indication of the comprehensiveness of an evidence set associated

with a specific risk or scenario.

We will now discuss each step to explain the content of the EMP.

7.3.1.3.1 EMP Step 1: Identify potential CDE

It is essential to identify all potential business scenarios that will require digital evidence.

Several authors suggest identifying potential evidence during the risk assessment

process (Beebe & Clark, 2005; Louwrens et al., 2006b; Rowlingson, 2004).

During the business impact analysis (BIA), organisations normally compile a threat or

attack profile. The threat profile includes general information about the identified risk,

for example, the risk description or indications, controls applied and policies linked to

the risk (Whitman & Mattord, 2009).

Note to reader:

We suggest expanding the threat profile by adding two columns, one for required evidence

elements for the identified risk or scenario, the other a CDE rating column to indicate the

comprehensiveness of the evidence set related to the risk or scenario. We, therefore,

propose renaming the adapted threat profile as a ‘risk profile’.

To compile the risk profile the organisation must consider the following four sub-steps:

Sub-step 1: Determine all risks or scenarios during BIA that may need evidence

Sub-step 2: Complete the risk profile

Sub-step 3: Identify the evidence elements that will be required to investigate the

risk or scenario. This will address Louwrens et al.’s requirement that monitoring and

auditing be targeted to detect and deter major incidents (Louwrens et al., 2006b)


Sub-step 4: The last field to be completed in the risk profile is the CDE rating field.

This field is an indication of the completeness and potential

admissibility of the evidence set related to the potential risk or scenario. We cannot

calculate the CDE rating for a specific evidence set before we have assigned a

certainty rating to each individual evidence element (EMP Step 2).

The next step is to organise the identified evidence elements in the risk profile.

7.3.1.3.2 EMP Step 2: Organise the evidence

It is inevitable that the same evidence elements are required for different scenarios or

risks. Casey proposes the construction of a digital evidence map that will contain all the

information about the evidence, i.e., category, location, retention time, and reference

procedures to collect and retrieve evidence (Casey, 2007).

Note to reader:

We suggest expanding Casey’s map by adding certainty ratings and special requirements to

the evidence map. This expanded map will be referred to as a ‘digital evidence index’.

We propose the following seven sub-steps to organise the CDE into a digital evidence

index:

Sub-step 1: Classify or categorise the evidence element as being physical or digital

(static, live, legacy) evidence

Sub-step 2: Determine the technical requirements to acquire the evidence element

Sub-step 3: Determine the legal and regulatory requirements to ensure that the

identified evidence elements will be admissible in court and have evidentiary weight

Sub-step 4: Assign a certainty rating to each evidence element. We propose using

Casey’s certainty scale (Casey, 2004) to evaluate the evidence: C0 incorrect; C1 highly

uncertain; C2 somewhat uncertain; C3 possible; C4 probable; C5 almost certain; C6 certain

Sub-step 5: Include any special requirements

Sub-step 6: Indicate the location of the evidence element in the information

architecture of the organisation

Sub-step 7: Compile the digital evidence index.


Once all the potential evidence elements have been identified and organised, we need

to augment the information architecture of the organisation and determine the

potential impact of the additional evidence elements on the architecture.

It will be useful to provide a visual representation of the location of the evidence

elements. We propose that the organisation map the evidence elements to its network

diagram. The next step will be to complete the risk profile by evaluating the CDE rating

for each risk or scenario.

7.3.1.3.3 EMP step 3: Evaluate the evidence status and complete the risk profile

We propose using the Upgrader matrix as defined by Arthur, Olivier and Venter (2007)

to calculate the CDE rating and CDE flag colour for the evidence set [E1; E2; ...; En]

associated with risk_i or scenario_i. The risk management department should determine

the specific certainty combinations of an evidence set that will be acceptable for the

organisation. We propose to colour code the Upgrader matrix by using three colours

(Figure 7-4) (below).

Cmin \ Cmax   C0   C1   C2   C3   C4   C5   C6
C0            C0   C0   C0   C0   C0   C1   C1
C1                 C1   C1   C1   C1   C2   C2
C2                      C2   C2   C2   C3   C3
C3                           C3   C3   C4   C4
C4                                C4   C5   C5
C5                                     C5   C6
C6                                          C6

Key: C0; C1 = R (red); C2; C3; C4 = O (orange); C5; C6 = G (green)

Figure 7-4 Adapted upgrader matrix (by author)

To interpret the matrix:

G Green (C5; C6): excellent CDE, can result in a successful investigation

O Orange (C2; C3; C4): average CDE

R Red (C0; C1): insufficient or bad CDE.


Organisations need to determine whether an orange O rating is to be treated as red R or green G. If

evidence is required for an internal hearing, the orange O rating may be reclassified as

green G, but if it is for external investigation purposes, the orange O may be treated as red R.

This means that orange O is equivalent to either R or G, depending on the organisational criteria.

The definition of CDE requires that the evidence have evidentiary weight, be complete

and relevant (par. 2.7.2). The linking of the evidence element to the scenario or risk

addresses the relevance requirement; determining the evidence elements associated with

each risk or scenario in the risk profile addresses completeness. We accept that the

evidence acquired will be in an admissible format within the legal operating environment

of the organisation. We will use completeness and Casey’s certainty rating (for

admissibility) to determine the CDE rating for an identified risk_i or scenario_i.

The combination of the certainty ratings (C_i) of the individual evidence elements (E_i) in

the evidence set related to a risk or scenario determines the CDE

rating of the evidence set. We use Cmin (the lowest certainty rating in the set), Cmax (the highest

certainty rating in the set) and the adapted upgrader matrix to determine the CDE rating of the

evidence set related to a specific risk_i or scenario_i. The algorithm has been discussed in

the paper presented: Evidence Management Plan (Grobler & Louwrens, 2010). The last

step is to update the CDE rating field in the risk profile.

The risk profile is now complete and organisations can obtain a high-level view of their

evidence status.

Note to reader:

The organisation can have a very good idea of their evidence status when they view the

risk profile. There is scope for further research to expand this assessment to include

more parameters to compute the CDE rating, for example, the number of evidence items,

admissibility rating (including relevance, legality, integrity, whether producible)

requirements and certainty.
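The rating procedure of EMP Steps 1 to 3 is easy to get subtly wrong by hand (for example when one required element is not yet in the evidence index), so the following added example, which is not code from the thesis or from Grobler & Louwrens (2010), carries it through in working form. It transcribes Figure 7-4 row by row, represents one row of the digital evidence index and one row of the risk profile as simple records, computes Cmin and Cmax over the evidence set, looks up the CDE rating and assigns the R/O/G flag. Two choices are assumptions of this example rather than statements from the text: a required element that is absent from the index is counted as C0, and the orange reclassification is fixed as green for an internal hearing and red for an external investigation. The sample index and risk profile are constructed for illustration.

```python
"""CDE rating of an evidence set via the adapted upgrader matrix (Figure 7-4).

Added example, not code from the thesis. The evidence index and risk profile
records are simplified illustrations of the structures described in EMP
steps 1-3; sample data at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Casey's certainty scale (Casey, 2004): C0 incorrect ... C6 certain.
SCALE = ["C0", "C1", "C2", "C3", "C4", "C5", "C6"]

# Figure 7-4 transcribed row by row. Row index = Cmin; the entries in a row
# run from Cmax = Cmin up to C6 (the matrix is only defined for Cmax >= Cmin).
UPGRADER_ROWS = [
    ["C0", "C0", "C0", "C0", "C0", "C1", "C1"],  # Cmin = C0
    ["C1", "C1", "C1", "C1", "C2", "C2"],        # Cmin = C1
    ["C2", "C2", "C2", "C3", "C3"],              # Cmin = C2
    ["C3", "C3", "C4", "C4"],                    # Cmin = C3
    ["C4", "C5", "C5"],                          # Cmin = C4
    ["C5", "C6"],                                # Cmin = C5
    ["C6"],                                      # Cmin = C6
]


def upgrade(cmin: str, cmax: str) -> str:
    """Combined rating of an evidence set from its weakest and strongest
    element. The table upgrades by one level only when Cmax is C5 or C6."""
    lo, hi = SCALE.index(cmin), SCALE.index(cmax)
    if hi < lo:
        raise ValueError("Cmax must not be lower than Cmin")
    return UPGRADER_ROWS[lo][hi - lo]


def flag_colour(rating: str, purpose: str = "external") -> str:
    """Map a CDE rating to the R/O/G flag. Orange is reclassified by the
    organisational criterion; assumption of this example: green for an
    internal hearing, red for an external investigation."""
    level = SCALE.index(rating)
    if level >= 5:
        return "G"
    if level <= 1:
        return "R"
    return "G" if purpose == "internal" else "R"


@dataclass
class EvidenceElement:
    """One row of the digital evidence index (EMP step 2)."""
    element_id: str
    category: str           # physical, static, live or legacy
    location: str           # place in the information architecture
    certainty: str          # C0..C6
    special_requirements: str = ""


@dataclass
class RiskProfile:
    """One row of the risk profile (EMP step 1) with the two added columns."""
    risk_id: str
    description: str
    required_evidence: List[str]
    cde_rating: Optional[str] = None
    cde_flag: Optional[str] = None


def rate_risk(profile: RiskProfile, index: Dict[str, EvidenceElement],
              purpose: str = "external") -> Tuple[str, str]:
    """EMP step 3: fill in the CDE rating and flag of one risk. A required
    element missing from the index makes the set incomplete and is counted
    as C0 (assumption: absent evidence is treated like incorrect evidence)."""
    levels = [SCALE.index(index[e].certainty) if e in index else 0
              for e in profile.required_evidence]
    if not levels:                      # no evidence identified at all
        profile.cde_rating, profile.cde_flag = "C0", "R"
        return profile.cde_rating, profile.cde_flag
    cmin, cmax = SCALE[min(levels)], SCALE[max(levels)]
    profile.cde_rating = upgrade(cmin, cmax)
    profile.cde_flag = flag_colour(profile.cde_rating, purpose)
    return profile.cde_rating, profile.cde_flag


def rate_all(risks: List[RiskProfile], index: Dict[str, EvidenceElement],
             purpose: str = "external") -> Dict[str, Tuple[str, str]]:
    """Complete the CDE rating column of a whole risk profile."""
    return {r.risk_id: rate_risk(r, index, purpose) for r in risks}


# Constructed sample evidence index and risk profile (illustrative only).
INDEX = {
    "E1": EvidenceElement("E1", "static", "proxy server logs", "C5"),
    "E2": EvidenceElement("E2", "live", "endpoint USB audit log", "C3"),
    "E3": EvidenceElement("E3", "static", "file server audit trail", "C6",
                          "time-synchronised with the domain controllers"),
}
RISKS = [
    RiskProfile("R1", "data leak via removable media", ["E1", "E2", "E3"]),
    RiskProfile("R2", "unauthorised file server access", ["E1", "E3"]),
    RiskProfile("R3", "web defacement", ["E1", "E9"]),  # E9 not indexed yet
]

if __name__ == "__main__":
    for risk_id, (rating, flag) in rate_all(RISKS, INDEX).items():
        print(risk_id, rating, flag)
```

Running the sample rates R1 as C4 (weakest element C3, upgraded one level because E3 is C6), which is orange and therefore red for an external investigation but green for an internal hearing; R2 as C6 green; and R3 as C1 red, because the unindexed element E9 pulls Cmin down to C0. The transcription of Figure 7-4 is the only place the organisation's own acceptance criteria are not parameterised; if the risk management department adopts a different matrix, only UPGRADER_ROWS changes.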

The last step to complete the EMP is to create, update, or augment policies and procedures

related to evidence.


7.3.1.3.4 EMP step 4: Develop and augment evidence management policies and procedures

Policies and procedures guide behaviour and actions in the organisation. Typical policies

and procedures to consider are:

Evidence handling (evidence identification, acquisition, handling, preservation,

authentication, transport, and storage) for static, live and legacy digital evidence.

Post-investigation evidence handling (retention, returning or archiving).

Augmentation of the traditional risk management strategy and contingency plans,

policies and procedures. The IRP, business continuity (BCP) and disaster recovery

(DRP) plans contain policies and procedures, for example, incident detection,

confirmation, containment, escalation, and recovery. The policies must recognise

the importance of CDE identification; preservation and all the relevant procedures

must be forensically sound. All the policies and procedures must ensure the

preservation of the chain of evidence and chain of custody. There should be

development of a containment strategy (including live systems) with supporting

policies and procedures. This may not be a complete list of policies, but serves as an

example of typical policies and procedures to consider.

7.3.1.4 To-do list

Organisations must establish an EMP to manage the evidence, and:

identify evidence for potential risks or scenarios (par. 7.3.1.3.1)

identify the technical, legal and regulatory requirements applicable to digital and

physical evidence (par. 7.3.1.3.2)

determine the completeness of an evidence set associated with a risk or scenario

(par. 7.3.1.3.3)

formulate policies and procedures to manage digital and physical evidence (par.

7.3.1.3.4)

augment the risk management strategy and contingency plans (IRP, BCP and DRP) of

the organisation with supporting policies and procedures to include evidence and

process requirements (par. 7.3.1.3.4).


7.3.1.5 DF readiness sub-goal 3: Prepare responsible and competent employees by the

development of a DF education, training and awareness strategy with supporting

programmes (par. 4.5.2.1.3, p. 4-110). See on the ProDF fold-out.

The aim of this strategy is to develop a preservation culture in the organisation to preserve all

evidence (digital and non-digital). The strategy should also support the importance of doing the

right thing in a correct way.

The DF training and awareness strategy should cover education, training, and awareness

programmes for organisation and must include technical, legal, judicial, and regulatory

requirements in all programmes. It is necessary to create a DF awareness programme to ensure

that employees are aware of DF requirements and the importance of evidence in the

organisation. The strategy will be supported by a DF education, training and awareness policy and

procedure to guide the establishment, implementation, and management of education, training

and awareness programmes.

A successful awareness programme will ensure that employees are aware of the importance of

evidence and following the correct procedures as stipulated by policies and standard operational

procedures. It is important to note that awareness programmes should target specific users, as

different roles require different levels of awareness, for example, a normal data-capturer versus a

network administrator. The goal is to develop a culture of preserving evidence.

Qualification authorities, for example the South African Qualifications Authority (SAQA) or other

certification bodies or authorities should accredit the training programmes. Accredited training

and education programmes can provide assurance on the standard of content. It is advisable to

enable employees to obtain industry certification. The admissibility of evidence acquired during

an investigation by a qualified investigator would thus not easily be questioned, as the courts

could expect that the correct procedures were being followed.

Note to reader:

We have identified two elements in pars. 4.5.2.1.3 and 4.4.2.3.3, but add a third to

encompass the issue of responsible and ethical behaviour.


7.3.1.5.1 Element 1: Create or source different education and training programmes to address

different needs in the organisation. These will provide the following:

Technical training. Develop an in-house DFI capability (if required) by providing

training in the use of forensic tools. These would include training on commercial or

freeware tools for digital (static, live and legacy) and physical evidence acquisition

and analysis. The training must include the preservation and effective retrieval of

evidence from legacy software applications or hardware that uses proprietary

formats, incompatible disk drives, or obsolete operating systems. The training

programmes should include real-life cases to ensure a practical component that

assesses competence.

Training for first responders. This should establish a capability for securely gathering,

preserving, handling, and effectively retrieving CDE. Clear policies and procedures

must exist to guide the staff on what to do, and when and how to do it, whenever an incident

alert is issued.

General user training. Apart from the general awareness programme, users (general

and managerial) must be trained, on a need-to-know basis, about the importance of

evidence, processes, and legal implications of specific actions on different levels of

the organisation. These programmes will address the DF requirements for different

roles and positions.

Expert witness training. This would ensure that testimony is admissible.

7.3.1.5.2 Element 2: Establish an awareness programme

Similar to the DF education and training programmes, organisations will be required to use

current issues to design awareness programmes. These will ensure that employees are

aware of important issues and know what is expected from them in certain situations.

Typically, it is issues related to evidence preservation during incident response.

7.3.1.5.3 Element 3: Formulate a code of conduct for the use of DF tools and techniques

Due to the nature of DF tools and technologies, it is essential to create a code of conduct

for various roles, to ensure that the tools and technologies will be used for ethical

purposes.


7.3.1.6 To-do list

Organisations must:

formulate a DF education, training and awareness strategy to ensure that the people

in the organisation will be prepared and competent (par. 7.3.1.5)

establish a policy and procedure to guide the establishment, implementation and

management of education, training and awareness programmes (par. 7.3.1.5)

determine the technical, legal, judicial and regulatory requirements to accredit

education and training programmes and certify staff as competent (par. 7.3.1.5)

develop selective education, training and awareness programmes (par. 7.3.1.5.1,

7.3.1.5.2)

establish a policy to prescribe the training requirements associated with specific

roles in the organisation to ensure the admissibility of evidence in court (pars.

7.3.1.5; 7.3.1.5.1)

formulate a code of conduct for the use and application of DF in the organisation

(par. 7.3.1.5.3).

The last sub-goal for DF readiness will now be discussed.

7.3.1.7 DF Readiness sub-goal 4: Ensure a cost-effective investigation (three elements) (par.

4.5.2.1.4, p. 4-110). See on the ProDF fold-out.

The researched DF frameworks fail to specify how to ensure a cost-effective investigation

(Beebe & Clark, 2005; Garcia, 2005; Louwrens et al., 2006b; Rowlingson, 2004). We have

combined the following elements to rectify this omission (pars. 4.4.2.3.5; 4.5.2.1.4).

7.3.1.7.1 Element 1: Ensure that a well-documented and validated DF investigation protocol is

in place

Document and validate a DF investigation (DFI) protocol (active as well as reactive)

against best practice (par. 4.4.2.3.5). The protocol is accompanied by supporting policies

and processes to ensure that all employees are aware of why, what, when, where and

how they need to act.

7.3.1.7.2 Element 2: Establish a procedure to ensure that an investigation proceeds at a cost

in proportion to the incident (par. 4.5.2.1.4)

The procedure must include relevant factors for the calculation of the cost of an

investigation (Whitman & Mattord, 2008). The factors are the estimated personnel

hours spent; the loss of revenue due to service interruption; and the value of any trade

secrets (CERT Coordination Center, 2004). There is a need to develop an algorithm for

cost of incident versus cost of investigation, to justify the cost of preparation for an

investigation.

Note to reader:

The cost of an incident can be a vital tool when one has to present a request for new

Info Sec controls or other relevant controls to improve governance.

One of the goals of ProDF is to minimise the cost of an incident. If one takes the cost

of the incident before the ProDF implementation and can demonstrate the cost saving

after the implementation of ProDF, it will make business sense to consider the

implementation of ProDF for the organisation and will address the business objective

of minimising the (financial) impact of an incident on services.

7.3.1.7.3 Element 3: Minimise interruption to the business from any investigation (pars.

4.4.2.3.4; 4.4.2.3.5)

If the infrastructure is ready, the evidence and processes are in place when required for an

investigation or to prove compliance, and the evidence can be

acquired with minimal interruption to the daily operations of the organisation. It is

essential to augment and integrate the risk management, business continuity strategy

and supporting plans, policies and procedures to ensure that DF evidence and process

requirements are in place. A clearly defined containment strategy must be formulated to

minimise the impact of the incident.

7.3.1.8 To-do list

Organisations must:

Document and validate a DFI protocol that includes reactive and active investigations to ensure that investigations are conducted in an organised way (par. 7.3.1.7.1)

Ensure that all the policies and procedures required by the ReDF and ActDF protocols exist for a successful investigation (par. 7.3.1.7.1)

Create or augment the risk management and business continuity strategy, plans (IR, BCP and DRP), policies and procedures of the organisation to include DF evidence and process requirements, and follow a DF-friendly containment strategy and plan to minimise the impact of an incident whilst maximising the availability of the evidence (par. 7.3.1.7.3)

Ensure that policies and procedures exist to manage the cost of the investigation and incident (par. 7.3.1.7.3).

The next section will discuss ProDF Goal 2.

7.3.2 ProDF Goal 2: Implement and manage DF to improve governance programmes (two

sub-goals). See on the ProDF fold-out.

We have identified two sub-goals for this goal (par. 4.5.2.2, p. 4-110):

Sub-goal 1: Establish a DF management capability to support the DF strategy (par.

4.5.2.2.1)

Sub-goal 2: Provide reasonable assurance regarding the achievement of the

organisation’s objectives (par. 4.5.2.2.2).

The effective utilisation of DF tools and techniques can enable management to enhance the governance structures of the organisation by proving (assessing) the effectiveness of controls, measured against IT and Info Sec objectives (which are in turn related to business objectives).

Note to reader:

We propose that organisations define a formal DF strategy that will prescribe where

and how DF tools and technologies may be applied. The strategy may specify, for

example, that DF tools and technologies only be used for the investigation of fraud

and security incidents.

7.3.2.1 Sub-goal 1: Establish a DF management capability to support the DF strategy (par.

4.5.2.2.1, p. 4-110). See on the ProDF fold-out.

This strategy will prescribe where and when DF tools and technologies may be applied in the

organisation (four elements):

7.3.2.1.1 Element 1: Management must augment the organisational structure to include DF

(with roles and responsibilities to deal with DF in the organisation).

7.3.2.1.2 Element 2: There should be a clear segregation of duties between the DF, risk management, CERT, and Info Sec teams. Investigations are often compromised when these roles and responsibilities are not clearly defined or segregated.


7.3.2.1.3 Element 3: The outsourcing of a DF investigation must also be outlined by a well-defined outsourcing policy and procedures. It is essential to consider the evidence and process requirements when formulating the Service Level Agreements.

7.3.2.1.4 Element 4: Ensure that a legal review exists to facilitate action in response to the

incident.

7.3.2.2 Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of

organisational objectives (par. 4.5.2.2.2, p. 4-111). See on the ProDF fold-out.

Policies and procedures should be formulated to guide the application of DF tools and

technologies to provide reasonable assurance regarding the achievement of organisational

objectives with respect to the following five elements:

7.3.2.2.1 Element 1: Safeguarding of the company’s assets (including information)

Organisations must ensure that the integrity of information is maintained. Section 802 of

Sarbanes-Oxley indicates that there are criminal penalties for altering documents. The

board of directors should guarantee the integrity of all documents. DF tools and

techniques can be applied to prove that the information is in its original form.

DF tools and techniques can be applied to acquire evidence to investigate the misuse of

equipment and organisational resources. It is also essential to develop a whistle-blowing

policy (Patzakis & Limongelli, 2004). The Info Sec team should incorporate DF techniques

in the IT auditing procedures, thus enabling more accurate audit trails.

7.3.2.2.2 Element 2: Assessing compliance with applicable laws, regulations, industry and

supervisory requirements.

7.3.2.2.3 Element 3: Supporting business sustainability under normal as well as adverse

operating conditions.

Under normal operating conditions, DF can be applied to assess key risk areas. The risk

assessment should address the company’s exposure to at least: physical and operational

risks; human resource risks; technology risks; business continuity and disaster recovery;

credit and market risks; and compliance risks.

Organisations apply DF tools for penetration tests to determine the vulnerabilities

(Richardson, 2008). They should evaluate all emerging technologies to determine the

risks involved and whether the current DF tools will be adequate to investigate an

incident. There must be monitoring and control of the use of removable or portable

devices to minimise or prevent cybercrimes. Typically, new technologies, e.g., smart


phones, can be used to acquire company-specific information, for example intellectual

property.

The responsible use of DF tools can improve the effectiveness and efficiency of the

application of technology in an organisation. DF tools and techniques can be applied to

assist in data recovery (crashed hard disk), wiping of hard disk before the disposal of

equipment and retrieval of lost passwords. Operations can resume after the application

of the tools and interruption to business operations can be minimised.

It is necessary to consider DF requirements when formulating the IT governance

controls, policies, and processes. We researched the literature and propose a list of

CobiT (Institute, 2000) controls to be covered (Guldentops et al., 2005; Louwrens &

von_Solms, 2005) (see Table 4.4).

In adverse conditions, it is essential to augment the contingency plans, policies and

procedures (IR, disaster recovery and business continuity) to minimise the impact on the

operations of the organisation (DF readiness sub-goal 1 has included some aspects).

7.3.2.2.4 Element 4: Reliability of reporting

Reliable reports based on CDE must be made available to enable management to meet the King II requirement (von_Solms & von_Solms, 2009), which stipulates that “the board is responsible for ensuring that a systematic, documented assessment of the processes and outcomes surrounding key risks is undertaken annually”, and to make a public statement on risk management.

Should an incident arise and an investigation be completed, the organisation should provide a report describing the incident and its impact, and a review report should be available. The incorporation of CDE in audit trails can result in more continuous and accurate audit results and compliance tests. The incorporation of DF techniques in auditing procedures will lead to more credible audit results.

Management should receive regular reports on the risk management process in the

organisation and regular updates on investigations in progress.

7.3.2.2.5 Element 5: Behaving responsibly towards all stakeholders (King, 2003)

Organisations must demonstrate due diligence with respect to good governance.

Management will be able to provide documented assessments to prove that regular checks

have been performed. It is essential to demonstrate transparency and responsibility towards

the stakeholders to communicate the impact of the incident on the organisation, its root-

cause, and the result of an investigation.


ProDF addresses the need to prepare organisations for DF investigations and to have relevant

digital evidence available by being DF-ready, and the responsible application of DF tools and

techniques to establish and manage governance frameworks in organisations.

7.3.2.3 To-do list

Organisations must:

Formulate a DF strategy to manage the application of DF in an organisation (par. 7.3.2.1)

Formulate policies and procedures to support the DF strategy to ensure that clear directives exist to manage DF for investigative and non-investigative purposes in the organisation. Policies to establish a DF capability in the organisation (pars 7.3.2.1.1 - 7.3.2.2.5) must be included.

Incidents will happen and should be investigated. The next section consolidates the ReDF

component.

Note to reader:

We suggest that the ReDF page (par. 7.9 p. 7-205) be folded out at this stage to

provide context. It is also advised that the fold-out is referenced when every

paragraph is read, as it ensures that the context of reading is preserved. We label

the various paragraphs with a corresponding number, e.g. on the fold-out.

7.4 REACTIVE DF (REDF) COMPONENT

No organisation is fully prepared for all possible incidents. ReDF, as defined by this thesis,

concentrates on the traditional DF investigation (dead forensics) that will take place after an incident

has been detected and confirmed. In anticipation of an incident occurring, there should be an

acceptable proven DF investigation protocol in place as specified by ProDF on how to conduct the

investigation (Louwrens et al., 2006b).


We proposed a definition for ReDF in Chapter 5 (par. 5.3, p. 5-117) and will use it as our formal ReDF definition:

A ReDF component is the application of analytical and investigative techniques for the preservation, identification, extraction, documentation, analysis, and interpretation of digital media, for evidentiary and/or root cause analysis, and the presentation of comprehensive digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of incidents (Kruse & Heiser, 2004; Palmer, 2001; Reith, Carr & Gunsch, 2002; Rowlingson, 2004).

We have identified two goals for ReDF in Chapter 5 (par. 5.4) as:

ReDF Goal 1: Successfully investigate an incident

To achieve this goal it is essential to acquire the relevant CDE to determine the root cause of the incident, link the perpetrator to the incident, and present the case successfully.

ReDF Goal 2: Minimise the impact of an incident.

We have proposed a ReDF component with phases and related steps in Chapter 5 (par. 5.5, p. 5-118), which distinguishes between a physical and a digital investigation. It is therefore essential that we define a physical and a digital crime scene, and we accept the following definitions from Chapter 3 (par. 3.3.2, 3.3.3) (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003):

A physical crime scene is the physical environment in which physical evidence of a crime or incident exists.

A digital crime scene is the virtual environment created by hardware and software in which evidence of a digital crime or incident exists.

We have proposed a ReDF protocol with six phases and related steps in Chapter 5 (par. 5.5, p. 5-118). The phases of the ReDF protocol for the ReDF component, with the related paragraph number from Chapter 5 in parentheses, are:

Phase 1: Incident response and confirmation phase (par. 5.5.1)

Phase 2: Physical investigation phase (par. 5.5.2)

Phase 3: Digital investigation phase (par. 5.5.3)

Phase 4: Incident reconstruction phase (par. 5.5.4)

Phase 5: Presentation of findings phase (par. 5.5.5)

Phase 6: Incident closure phase (par. 5.5.6).

Figure 7-5 (below) is a graphical representation of the proposed phases of the ReDF protocol.

The next section will consider the consolidation and streamlining of the steps within each phase of

the ReDF protocol.

7.4.1 ReDF Phase 1: Incident Response and confirmation phase. See on the ReDF fold-

out.

We have identified ten steps in Chapter 5 par. 5.5.1, p. 5-118 for phase 1. We have combined some

steps and included additional steps that support the forensic principles of evidence preservation and

documentation (par. 3.3.4.7) to consolidate phase 1 into eight steps. Figure 7-6 (below) indicates

Phase 1: Incident response and confirmation in the ReDF component (eight steps).

Step 1: Detect the incident

Step 2: Initiate incident response plan

Step 3: Confirm the incident

Step 4: Formulate initial DFI plan

Step 5: Obtain authorisation

Step 6: Evaluate incident to determine whether to accelerate the investigation

Step 7: Notify relevant parties

Step 8: Document all activities

Figure 7-5 Proposed phases of the ReDF protocol of the ReDF component (by author) – this is a copy of Figure 5-2. The figure shows Phase 1: Incident response and confirmation; Phase 2: Physical investigation; Phase 3: Digital investigation, with Sub-phase 1: Securing the evidence, Sub-phase 2: Evidence acquisition, Sub-phase 3: Analysis and Sub-phase 4: Service restoration; Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure; and the link to ActDF.

Figure 7-6 Phase 1 of the ReDF protocol (by author): Phase 1: Incident response and confirmation phase, with the eight steps listed above.


7.4.1.1 Step 1: Detect the incident (combined step 2 and 3 of par. 5.5.1)

The IDS will detect suspicious activity (par. 5.5.1.2) and notify the relevant party (par.

5.5.1.3) of the potential incident. Some incident alerts will fire a trigger event to

activate the ActDF component as soon as the incident has been detected, to gather

required live evidence (by author).

7.4.1.2 Step 2: Initiate IRP (steps 1 and 6 of par. 5.5.1)

Activate the CERT, the IRP and a containment strategy for the specific incident to minimise its impact. The IRP and containment strategy must consider business, legal, technical and political factors and goals (par. 5.5.1.6). Investigators must ensure that forensically sound procedures are followed and that the evidence is preserved at all times.

7.4.1.3 Step 3: Confirm the incident (step 4 of par. 5.5.1)

Once the incident has been detected, we must determine the assessment of worth (par.

5.5.1.4). Organisations must validate the incident, assess the potential damage or

impact of the incident, and confirm the incident.

The decision to investigate must be made. It is necessary to determine the relevance and nature of the investigation, for example, whether it will be a formal or an informal investigation. The result falls into one of two categories: NO incident (no further activities), or CONFIRMED incident (continue with the investigation, or do not investigate at all if the incident is pre-defined as one that is not investigated).

7.4.1.4 Step 4: Formulate initial DF investigation plan (DFI plan) for data collection and analysis

(step 7, 8 of par. 5.5.1)

The formulation of the DFI plan (par. 5.5.1.8) will coordinate all the resources to

conduct the investigation (par. 5.5.1.7) and indicate whether the investigation or partial

investigation must be outsourced if the organisation does not have adequate internal

resources available.

Note to reader:

We propose to formulate an initial hypothesis when evaluating the initial indicators of

the incident.

The DFI plan must include an initial hypothesis, which should cover the most likely

scenarios. It is essential to define criteria to prove or disprove the hypothesis and to


determine which evidence must be acquired to investigate the incident successfully by

consulting the risk profile and digital evidence index.

7.4.1.5 Step 5: Obtain the legal internal and/or external authorisation (par. 5.5.1.5) to continue

with the investigation (step 5 of par. 5.5.1)

7.4.1.6 Step 6: Evaluate the incident to determine if the investigation must be accelerated (par.

5.5.1.9) (step 9 of par. 5.5.1)

7.4.1.7 Step 7: Notify relevant parties of the investigation (par. 5.5.1.10) (step 10 of par. 5.5.1)

7.4.1.8 Step 8: Document all activities of IR and confirmation phase (by author – apply the

principle of Beebe – documentation) (Beebe & Clark, 2005).

7.4.2 ReDF Phase 2: Physical investigation phase (par. 5.5.2). See on the ReDF fold-out.

There may be no physical crime scene available and this phase will then be ignored. We have

identified seven steps in Chapter 5 par. 5.5.2, p. 5-118, have combined some and included

additional ones that support the forensic principles of evidence preservation and documentation

(par. 3.3.4.7). Figure 7-7 (below) indicates this phase in the ReDF component (eight steps).

7.4.2.1 Step 1: Secure and preserve the physical crime scene (par. 5.5.2.1) (step 1 of par. 5.5.2)

7.4.2.2 Step 2: Survey and search the crime scene to identify potential evidence (par. 5.5.2.2,

5.5.2.3) (combined step 2 and 3 of par. 5.5.2)

The investigator walks through the crime scene to survey it and identifies potential evidence; this involves taking photographs, sketches and videos of the crime scene and identifying potential physical and digital evidence.

Figure 7-7 Phase 2 of the ReDF protocol (by author): Phase 2: Physical investigation phase. Step 1: Secure and preserve the physical crime scene; Step 2: Survey the crime scene; Step 3: Acquire the evidence; Step 4: Analyse evidence; Step 5: Reconstruct incident; Step 6: Make a finding and compile investigation report; Step 7: Transport the evidence; Step 8: Store the evidence.


7.4.2.3 Step 3: Acquire evidence (par. 5.5.2.4) (step 4 of par. 5.5.2)

Use an acceptable procedure to acquire the potential evidence. Typical actions are to

photograph, bag, label, and document the individual evidence items. Be sure to

document all actions to maintain the chain of custody.

7.4.2.4 Step 4: Analyse the evidence (by author)

The investigator must identify the different types of evidence, e.g., fingerprints or digital evidence, to ensure that each item is analysed by the relevant forensic laboratory.

7.4.2.5 Step 5: Reconstruct the incident (par. 5.5.2.5) (step 5 of par. 5.5.2)

The investigator will use the physical evidence available to make a limited

reconstruction of the incident to determine if the evidence supports the initial

hypothesis.

7.4.2.6 Step 6: Make a finding and compile a physical investigation report with supporting case

file documentation (by author)

The investigator will use the available evidence to make a preliminary finding and

compile an investigation case file with all supporting documentation. The

documentation will supply the chain of evidence and custody for the case.

7.4.2.7 Step 7: Transport the evidence to a relevant investigation laboratory (par. 5.5.2.6) (step 6

of par. 5.5.2)

It is important to preserve chain of custody in transportation of the evidence.

7.4.2.8 Step 8: Store the evidence in a secure facility (par. 5.5.2.7) (step 7 of par. 5.5.2)

Store the physical evidence in a safe custody room and ensure that there is adequate

access control to the evidence and custody room. It is essential to preserve chain of

custody in storage.

7.4.3 ReDF Phase 3: Digital investigation phase (par. 5.5.3). See on the ReDF fold-out.

Figure 7-8 (below) depicts phase 3 in the ReDF component.


This phase has four sub-phases as identified in pars. 3.5.3.3 and 5.5.3:

Sub-phase 1: Secure the digital evidence

Sub-phase 2: Acquire the evidence

Sub-phase 3: Analyse the evidence

Sub-phase 4: Restore the service.

We have identified four steps for sub-phase 1 in par. 5.5.3.1, p. 5-120, and have consolidated

them into three to provide focus to the steps.

7.4.3.1 Sub-phase 1: Secure the digital evidence sub-phase (par. 5.5.3.1) (three steps). See on

the ReDF fold-out.

7.4.3.1.1 Step 1: Preserve the digital crime scene (par. 5.5.3.1.1) (step 1 of par. 5.5.3.1)

Preserve the digital crime scene so that evidence will be preserved. When preserving the

crime scene, adhere to evidence-handling principles (par. 3.3.4.7.1).

7.4.3.1.2 Step 2: Identify and preserve potential digital evidence (pars. 5.5.3.1.2, 5.5.3.1.3) (steps 2 and 3 of par. 5.5.3.1)

Consult the risk profile and CDE index to determine what evidence is needed to

investigate the incident. Activate the ActDF component to acquire live evidence.

Figure 7-8 Phase 3 of the ReDF protocol (by author): Phase 3: Digital investigation phase. Sub-phase 1: Secure the digital evidence (Step 1: Preserve the digital crime scene; Step 2: Identify and ensure integrity of potential evidence; Step 3: Preserve the evidence). Sub-phase 2: Acquire the evidence (Step 1: Acquire digital evidence; Step 2: Authenticate evidence; Step 3: Transport evidence; Step 4: Store evidence; Step 5: Document the acquisition process). Sub-phase 3: Analyse the evidence (Step 1: Revisit investigation plan; Step 2: Examine and prepare the evidence; Step 3: Analyse the evidence; Step 4: Reconstruct incident; Step 5: Document the analysis process; Step 6: Secure documentation and CDE). Sub-phase 4: Restore the service (Step 1: Restore activities).


The investigator must follow established DF investigation protocols. To ensure the integrity of the evidence, write-protect all the media, and isolate or power down the relevant systems. Preserve the potential evidence by making a forensic copy.

If you have to handle physical evidence to acquire digital evidence, for example a hard

drive, document the entire procedure to preserve the chain of evidence before and after

making a forensic copy of the relevant digital evidence. Document all activities to

maintain the chain of custody.

7.4.3.1.3 Step 3: Document all activities (par. 5.5.3.1.4) (step 4 of par. 5.5.3.1)

It is important that only competent people work with the media, to create a verifiable

audit trail by documenting all processes applied to digital evidence to ensure that the

evidence can be used in court.

7.4.3.2 Sub-phase 2: Acquire the evidence sub-phase (par. 5.5.3.2). See on the ReDF fold-out.

7.4.3.2.1 Step 1: Acquire digital evidence (par. 5.5.3.2.1)

To acquire the evidence, apply the recovery, harvesting and reduction principles. Recovery will ensure that the investigator collects all evidence, including hidden and deleted evidence. Harvesting will gather all data and metadata about the incident; this step will use the evidence to determine whether it supports the hypothesis. Reduction will analyse the evidence and eliminate evidence that is not relevant to the case.

Use different and relevant DF tools to reveal hidden, deleted, swapped, and corrupted

files that were used, as well as the related meta-data. Obtain evidence from removable

media as well as network-based evidence and host-based evidence. Use digital evidence

bags (DEB) to store evidence (Turner, 2007). A DEB storage format is a universal

container for digital evidence from any source.

7.4.3.2.2 Step 2: Authenticate all evidence (par. 5.5.3.2.2)

The investigator will authenticate the forensic copy of the acquired evidence by applying

a hashing algorithm. Finally, timestamp all copies of authenticated evidence.

7.4.3.2.3 Step 3: Transport of evidence (par. 5.5.3.2.3)

If the evidence was acquired outside the DFI laboratory, be sure to preserve the chain of

custody during transport to the DF investigation laboratory.


7.4.3.2.4 Step 4: Storage of evidence (par. 5.5.3.2.4)

Store the acquired evidence in the safe custody room. Access to the safe custody room

must be controlled, and apply controls to preserve chain of custody in storage.

7.4.3.2.5 Step 5: Document the acquisition process (par. 5.5.3.2.5)

Document the evidence as found and all actions to maintain the chain of custody.
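As an added example (not the thesis's own code, and a simplified stand-in for an evidence-bag manifest rather than Turner's DEB format), the following Python shows how Steps 1, 2 and 5 of this sub-phase fit together: the forensic copy is hashed, the record is timestamped, and every custody action is logged so that the copy can later be re-verified. The forensic copy, item identifier and examiner names are constructed sample values.

```python
"""Authenticate a forensic copy and record its chain of custody.

Added example: a simplified evidence-bag manifest, not Turner's DEB format
and not the thesis's own code. The forensic copy, item identifier and
examiner names are constructed sample values.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

CHUNK = 64 * 1024  # hash in chunks, as one would for a multi-gigabyte image


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of the copy, computed over fixed-size chunks."""
    digest = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        digest.update(view[start:start + CHUNK])
    return digest.hexdigest()


def utc_stamp(now=None) -> str:
    """ISO-8601 UTC timestamp; a fixed 'now' can be passed for reproducibility."""
    return (now or datetime.now(timezone.utc)).isoformat()


def create_manifest(item_id, description, data, examiner, algorithm="sha256", now=None):
    """Record digest, size and acquisition time, and open the custody log."""
    stamp = utc_stamp(now)
    return {
        "item_id": item_id,
        "description": description,
        "algorithm": algorithm,
        "digest": hash_bytes(data, algorithm),
        "size": len(data),
        "acquired_at": stamp,
        "custody": [{"at": stamp, "by": examiner, "action": "acquired and hashed"}],
    }


def add_custody_event(manifest, by, action, now=None):
    """Append one custody entry (transport, storage, analysis) to the log."""
    manifest["custody"].append({"at": utc_stamp(now), "by": by, "action": action})
    return manifest


def verify_copy(manifest, data) -> bool:
    """Re-hash the copy and compare with the recorded digest in constant time."""
    fresh = hash_bytes(data, manifest["algorithm"])
    return hmac.compare_digest(manifest["digest"], fresh) and manifest["size"] == len(data)


def custody_is_ordered(manifest) -> bool:
    """True when the custody entries are in non-decreasing time order."""
    stamps = [datetime.fromisoformat(e["at"]) for e in manifest["custody"]]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


def demo():
    """Acquire, log custody, then verify an intact and a tampered copy."""
    copy = b"constructed forensic copy: sector data " * 4096  # stands in for an image
    manifest = create_manifest("ITEM-001", "Forensic copy of workstation disk (constructed)",
                               copy, "examiner A")
    add_custody_event(manifest, "examiner A", "sealed and transported to DFI laboratory")
    add_custody_event(manifest, "custodian B", "received and stored in safe custody room")
    tampered = bytearray(copy)
    tampered[10] ^= 0xFF  # flip one bit: the recorded digest no longer matches
    return manifest, verify_copy(manifest, copy), verify_copy(manifest, bytes(tampered))


if __name__ == "__main__":
    m, intact_ok, tampered_ok = demo()
    print(json.dumps(m, indent=2))
    print("intact copy verifies:", intact_ok)
    print("tampered copy verifies:", tampered_ok)
    print("custody log in time order:", custody_is_ordered(m))
```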

We have identified nine steps for sub-phase 3 in par. 5.5.3.1, and have consolidated them into six:

7.4.3.3 Sub-phase 3: Analyse the evidence sub-phase (the purpose is to confirm suspicion and/or to reconstruct the incident) (six steps). See on the ReDF fold-out.

7.4.3.3.1 Step 1: Revise the investigation plan (par. 5.5.3.3.1) (step 1, 2 of par. 5.5.3.3)

Before you start with the analysis of the evidence, it is necessary to revise the initial

investigation plan. You should review all available information regarding the incident;

determine if you have the expertise required and suitable analysis DF tools to be

utilised; and revisit the hypothesis to determine if still applicable (par. 5.5.3.3.2).

7.4.3.3.2 Step 2: Examine and prepare the evidence (step 3 of par. 5.5.3.3)

Conduct an initial data survey to determine the skill level of the suspect. Prepare the evidence, for example, by transforming large volumes of data into units of manageable size (par. 5.5.3.3.3), or by ensuring that the evidence is human readable, so that encrypted data can also be analysed.

7.4.3.3.3 Step 3: Analyse the evidence (par. 5.5.3.3.4) (step 4 of par. 5.5.3.3)

The analysis step will be a detailed scrutiny of the evidence identified in the previous sub-phase. Apply data extraction techniques to examine the evidence. The investigator will perform time-lining to trace user activity. The analysis should include the following sub-categories:

Assessment (content and context): the evidence must be human readable. Assessment is also used to determine means, motivation and opportunity, as well as the skill level of the suspect.

Experimentation: use different tools and techniques in the analysis.

Fusion and correlation: often a single item of evidence will not provide the lead to the incident, and data from different sources should be combined to provide positive leads. It is essential to determine the chronological order of events and to indicate how the data from the different sources is related.

Validation: it is essential to validate the result of the analysis so that it will be admissible and acceptable in a court.

Conform to the requirements of the best evidence rule.

Document the analysis process.
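As an added example (not from the thesis), the following Python performs the time-lining and fusion described above on constructed records from three sources: a firewall log in UTC, an application log in the server's local time, and a badge-access record. It normalises every timestamp to UTC, merges the records into one chronology, and links records from different sources that share an indicator value; the three log formats, the UTC+2 site time zone and all values are assumptions.

```python
"""Time-lining and fusion of evidence from several sources.

Added example, not the thesis's own code. The three log formats, the
site time zone and every record below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SITE_TZ = timezone(timedelta(hours=2))  # assumed local time of the application server

# Constructed firewall log: ISO-8601 UTC timestamp followed by key=value fields.
FIREWALL_LOG = [
    "2011-11-03T01:12:05Z src=10.0.0.7 dst=203.0.113.9 action=ALLOW",
    "2011-11-03T01:12:44Z src=10.0.0.7 dst=203.0.113.9 action=ALLOW bytes=48000000",
]
# Constructed application log: local time (dd/mm/yyyy) with key=value fields.
APP_LOG = [
    "03/11/2011 03:11:58 user=jdoe ip=10.0.0.7 event=login",
    "03/11/2011 03:12:40 user=jdoe ip=10.0.0.7 event=export records=12000",
]
# Constructed badge-access record: timestamp with an explicit UTC offset.
BADGE_LOG = [
    "2011-11-03 01:05:30+00:00 badge=jdoe door=server-room result=granted",
]

# Fields whose value identifies the same actor or host across sources.
PIVOT_KEYS = {"user", "badge", "ip", "src"}


def make_event(source, when, rest):
    """Build one normalised event: UTC time, originating source, parsed fields."""
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"ts": when.astimezone(timezone.utc), "source": source, "fields": fields}


def parse_firewall(line):
    stamp, rest = line.split(" ", 1)
    # fromisoformat only accepts a trailing 'Z' from Python 3.11 on, so rewrite it
    when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return make_event("firewall", when, rest)


def parse_app(line):
    stamp, rest = line[:19], line[20:]
    when = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S").replace(tzinfo=SITE_TZ)
    return make_event("app", when, rest)


def parse_badge(line):
    stamp, rest = line[:25], line[26:]
    return make_event("badge", datetime.fromisoformat(stamp), rest)


def build_timeline():
    """Parse every source and merge the events into one UTC chronology."""
    events = ([parse_firewall(l) for l in FIREWALL_LOG]
              + [parse_app(l) for l in APP_LOG]
              + [parse_badge(l) for l in BADGE_LOG])
    return sorted(events, key=lambda e: e["ts"])


def correlate(timeline):
    """Index events by shared indicator value; keep values seen in two or more sources."""
    index = defaultdict(list)
    for event in timeline:
        for key, value in event["fields"].items():
            if key in PIVOT_KEYS:
                index[value].append(event)
    return {v: evs for v, evs in index.items() if len({e["source"] for e in evs}) > 1}


def render(timeline):
    """One line per event, in chronological order, with its source named."""
    lines = []
    for e in timeline:
        fields = " ".join(f"{k}={v}" for k, v in e["fields"].items())
        lines.append(f"{e['ts'].isoformat()} [{e['source']}] {fields}")
    return lines


if __name__ == "__main__":
    timeline = build_timeline()
    print("\n".join(render(timeline)))
    for value, linked in correlate(timeline).items():
        sources = sorted({e["source"] for e in linked})
        print(f"pivot {value!r} links {len(linked)} events across {sources}")
```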

7.4.3.3.4 Step 4: Reconstruct the incident (par. 5.5.3.3.5) (steps 5, 6 and 7 of par. 5.5.3.3)

Reconstruct the sequence of events and test the hypothesis (par. 5.5.3.3.6) by

comparing the evidence to known facts and the criteria set. Validate the analysis results

(par. 5.5.3.3.7).

7.4.3.3.5 Step 5: Document all actions during the analysis process (par. 5.5.3.3.8) (step 8 of

par. 5.5.3.3)

Document findings and consolidate the evidence of the analysis sub-phase to ensure

chain of evidence and custody.

7.4.3.3.6 Step 6: Secure the documentation and CDE (par. 5.5.3.3.9) (step 9 of par. 5.5.3.3)

The case file generated by the analysis tool will contain the case details, log file of all

analysis activities, and CDE relevant to the case. The case file with associated CDE and

analysis tools used must be backed up and stored in a secure area.

7.4.3.4 Sub-phase 4: Restore the service sub-phase (par. 5.5.3.4) (one step). See on the ReDF

fold-out.

7.4.3.4.1 Step 1: Restore activities

Interact with the business continuity team to restore services as soon as possible to minimise the interruption to business.

7.4.4 ReDF Phase 4: Incident reconstruction phase (par. 5.5.4) (three steps). See on

the ReDF fold-out.

Figure 7-9 (below) illustrates the phase in the ReDF component. This phase has three steps:


7.4.4.1 Step 1: Consolidate the physical investigation and digital investigation findings.

7.4.4.2 Step 2: Validate the consolidated findings by determining if they support the hypothesis.

7.4.4.3 Step 3: Compile an incident or investigation report.

Include all findings and supporting CDE that will provide a transparent view of the

investigative process and reports. Include documentation of all steps, methods used to

seize, collect, preserve, recover, reconstruct, organise, and search for key evidence.

7.4.5 ReDF Phase 5: Presentation of findings phase (par. 5.5.5). See on the ReDF fold-

out.

This phase has four steps. We have added an additional step 3 to enable an appeal process to the

steps identified in par. 5.5.5. Figure 7-10 (below) illustrates phase 5 of ReDF protocol.

7.4.5.1 Step 1: Prepare to present the case (par. 5.5.5.1) (step 1 of par. 5.5.5)

To prepare a solid presentation, determine who the target audience is. The presentation aids and software must be applied to build a presentation relevant to that specific audience. Assemble all evidence required for the presentation and prepare all the exhibits. If an expert witness must testify, prepare the expert witness. Ensure that you preserve the chain of custody during this step.

Figure 7-9 Phase 4 of the ReDF protocol (by author). Phase 4: Incident reconstruction. Step 1: Consolidate the physical and digital investigation; Step 2: Validate the consolidated findings; Step 3: Compile the report.

Figure 7-10 Phase 5 of the ReDF protocol (by author). Phase 5: Presentation of findings. Step 1: Prepare case; Step 2: Present case; Step 3: Enable the appeal process; Step 4: Preserve and store the CDE.


7.4.5.2 Step 2: Present the case (par. 5.5.5.2) (step 2 of par. 5.5.5)

Use the relevant presentation to communicate the findings to the different audiences, e.g., management, legal authorities, risk management, Info Sec, and technical staff. Present the evidence in a logical, understandable way to indicate its relevance to the case. Use graphical or physical examples to demonstrate difficult concepts and ensure that a DF expert is available to assist in the provision of expert evidence.

Note to reader:

We propose including an appeal procedure to enable a person to exercise his or her right to contest the result of an investigation.

7.4.5.3 Step 3: Enable an appeal procedure (by author)

7.4.5.4 Step 4: Preserve and store CDE (par. 5.5.5.3) and case documentation (step 3 of par. 5.5.5).

7.4.6 ReDF Phase 6: Incident closure phase (par. 5.5.6). See on the ReDF fold-out.

Figure 7-11 (below) indicates the incident closure phase in the ReDF component. This phase has two steps:

7.4.6.1 Step 1: Review result to identify and apply lessons learned (par. 5.5.6.1)

Review the results to identify areas of improvement. The outcome could be new or augmented policies or procedures, and additional training.

7.4.6.2 Step 2: Dispose or return or preserve evidence and the case file (par. 5.5.6.2)

The case file and the evidence supporting the investigation should be handled and preserved for later purposes. It is essential to consider legal requirements, for example the evidence retention time, when formulating the post-investigation evidence handling policy.

Figure 7-11 Phase 6 of the ReDF protocol (by author). Phase 6: Incident closure. Step 1: Review the result; Step 2: Dispose or return or preserve evidence and the case file.


The discussed phases and steps can be perceived as a linear progression of events, but there may be a need to revisit some previous steps to gather more evidence or to analyse the evidence further, in order to arrive at a more complete investigation result. However, the output of one step will be used as input into the next step.

7.4.7 To-do list

Organisations must do the following:

- Manage and conduct the reactive DF investigation by using the predefined ReDF protocol. Apply all the policies and procedures required by the ReDF protocol to ensure a successful investigation.
- Identify the legal and judicial requirements for the specific incident.

The next section will consolidate the definition, goals, and steps of the ActDF component as identified in Chapter 6, par. 6.7.

Note to reader:

We suggest that the ActDF page (par. 7.10, p. 7-206) be folded out at this stage to provide context. It is also advised that the fold-out is referenced as every paragraph is read, as this ensures that the context of reading is preserved. We label the various paragraphs with a corresponding number, e.g., on the fold-out.

7.5 ACTIVE DF (ACTDF) COMPONENT

The need for live evidence is increasing. Traditional DF investigation protocols, tools, and techniques cannot handle the acquisition of live evidence due to the volatile nature of the evidence.

When an incident occurs, the IDS of an organisation will detect it and the IR protocol of the organisation will be activated. It is, however, becoming essential to integrate live forensic investigation protocols with the IR protocol to ensure that relevant and admissible live CDE is available, if required for investigatory purposes. IR protocols do not consider the importance of evidence identification, gathering and preservation of live data (Sommer, 1999).


Traditional ReDF investigation methodologies will ensure that no changes are made to the evidence and the seized content. Live investigators use software tools that make unavoidable changes to the data acquired. The live investigative process must be documented in a forensically sound manner to maintain the chain of custody, so that the evidence gathered will be admissible in a court of law.

Live forensic investigations are currently conducted by using remote forensic preservation and acquisition tools, for example EnCase® Enterprise edition and ProDiscover® (Casey, 2011; Casey & Stanley, 2004). These tools use live analysis techniques and software that pre-exist on the system during the timeframe being investigated (Carrier, 2006). The target machine is monitored from a remote site and data can be acquired in a forensically sound way with the aid of a tool. Remote forensic investigations focus more on transforming ReDF examination procedures onto live, production environments.

We have researched current live, remote and real-time methodologies that will consolidate the methodologies in the ActDF component (Foster & Wilson, 2004; Ieong & Leung, 2007; Payer, 2004; Ren & Jin, 2005). We have proposed the ActDF component in Chapter 6. We proposed the following definition for ActDF (par. 6.7.1, p. 6-151):

Active DF is the ability of an organisation to gather (identify, collect and preserve) Comprehensive Digital Evidence in a live environment to facilitate a successful investigation.

We have identified and proposed three goals for the ActDF component in Chapter 6 (par. 6.7.2, p. 6-152):

ActDF Goal 1: Collect relevant live CDE (including volatile evidence) in a live system or production environment by using appropriate tools and technologies

ActDF Goal 2: Minimise the effect and impact of an on-going incident

ActDF Goal 3: Provide a meaningful starting point for a reactive investigation within the parameters of the risk management framework of the organisation.

The goals will support the efficient acquisition of live evidence. The ActDF protocol will support the ActDF goals. We have proposed four phases with associated steps in Chapter 6 (par. 6.7.3, p. 6-152) for the ActDF protocol:


Phase 1: Incident response and confirmation phase (par. 6.7.3.1)

Phase 2: ActDF investigation phase (par. 6.7.3.2)

Phase 3: Limited incident reconstruction phase (par. 6.7.3.3)

Phase 4: ActDF investigation closure phase (par. 6.7.3.4).

Note to reader:

The ReDF component can activate the ActDF component in two ways. We have identified in par. 7.4.1.1 that the ActDF component can be activated during the ReDF phase 1: Incident response and confirmation phase when a trigger event is fired. The in Figure 7-12 (below) indicates this activation. The second activation is during ReDF phase 3 (sub-phase 2), evidence acquisition, when live evidence is required for the investigation (par. 7.4.3.1). We indicate the live evidence acquisition request by in Figure 7-12.

We have proposed four phases with supporting steps that are independent of any tool or technology (par. 6.7.3). Phase 1: Incident response and confirmation is a common phase between the ReDF and ActDF protocols. Phase 1 of the ReDF component must be augmented to include the ActDF incident response criteria. We have indicated the overlap and relationship between the two protocols. Figure 7-12 (below) is an adapted graphical representation of the proposed phases for ActDF as presented in Chapter 6 (Figure 6-6).

Figure 7-12 Graphical representation of the ActDF protocol (adapted from Figure 6-6) (by author). ReDF: ReDF Phase 2: Physical investigation; ReDF Phase 3: Digital investigation; ReDF Phase 4: Incident reconstruction; ReDF Phase 5: Presentation of findings; ReDF Phase 6: Incident closure. ActDF: Phase 1: Incident response and confirmation; ActDF Phase 2: ActDF digital investigation (Sub-phase 1: Evidence acquisition; Sub-phase 2: Analysis); Phase 3: Incident reconstruction; Phase 4: Incident closure. Markers: 1, 2. Please note: Phase 1: Incident response and confirmation is a common phase between ReDF and ActDF.


The next section will combine and summarise the phases with the related steps identified in Chapter 6 (par. 6.7.3).

7.5.1 ActDF Phase 1: Incident response and confirmation phase. See on the ActDF fold-out.

We have identified two steps in Chapter 6, par. 6.7.3.1. The incident response and confirmation phase of the ReDF and ActDF protocols is the same. It is, however, essential to include ActDF-specific requirements in the individual steps. We have used the same eight steps as for phase 1 of the ReDF protocol (pars. 6.7.3.1, 7.4.1 and Figure 7-13).

Figure 7-13 (Phase 1: Incident response and confirmation phase) lists the steps: Step 1: Detect the incident; Step 2: Initiate incident response plan; Step 3: Confirm the incident; Step 4: Formulate initial DFI plan; Step 5: Obtain authorisation; Step 6: Evaluate incident to determine whether to accelerate investigation; Step 7: Notify relevant parties; Step 8: Document all activities.

7.5.1.1 Step 1: Detect the Incident (par. 7.4.1.1) (step 1 of par. 6.7.3.1)

The IDS will detect suspicious activity (par. 6.7.3.1) and notify the relevant party (par. 5.5.1.3) of the potential incident. Some incident alerts will fire a trigger event (indicated by in Figure 7-12) to activate the ActDF component as soon as the incident has been detected, to gather the required live evidence (by author).

7.5.1.2 Step 2: Initiate IRP (pars. 7.4.1.2, 6.7.3.1.2)

Notify the CERT and obtain the legal internal and/or external authorisation (par. 5.5.1.5) to continue with the investigation. Activate the IRP and a containment strategy for the specific incident to respond to it, contain it and so minimise its impact. Depending on the policy, allow the incident to continue, but contain it in a controlled environment to minimise its impact. The aim is to minimise the effect of the incident on the current infrastructure and operations.

The IRP and containment strategy must consider business, legal, technical and political factors and goals (par. 5.5.1.6). Investigators must ensure that forensically sound procedures are followed and that the chain of evidence and custody is preserved at all times.

Figure 7-13 Phase 1 of the ActDF protocol (by author)


7.5.1.3 Step 3: Incident confirmation (par. 6.7.3.1.1)

Once the incident has been detected, we must perform the assessment of worth. Organisations must validate the incident, assess its potential damage or impact, and confirm it. The decision whether to investigate must be made. It is necessary to determine the relevance and nature of the investigation.

7.5.1.4 Step 4: Formulate an ActDF investigation plan (identified by author)

Investigators will formulate an investigation plan at this stage of the ActDF component. We propose formulating an ActDF investigation (ActDFI) plan to coordinate all the resources needed to conduct the live investigation (par. 5.5.1.7), and to indicate that the investigation or a partial investigation must be outsourced if the organisation does not have adequate internal resources available.

The ActDFI plan must include an initial hypothesis, which should cover the most likely scenarios. It is essential to define criteria to prove or disprove the hypothesis and to determine which evidence must be acquired to investigate the incident successfully. This is done by consulting the risk profile and the digital evidence index.

Investigators must also determine the power status of the target machine (on or off), select an investigation mode (overt or covert), decide whether to isolate the target machine or to secure it, and, lastly, decide whether to acquire the evidence locally or remotely.

7.5.1.5 Step 5: Obtain the legal internal and/or external authorisation (par. 7.4.1.5)

7.5.1.6 Step 6: Evaluate the incident to accelerate the investigation (par. 7.4.1.6)

7.5.1.7 Step 7: Notify relevant parties of the investigation (par. 7.4.1.7)

7.5.1.8 Step 8: Document all activities of the incident response and confirmation phase (pars. 7.4.1.8, 3.3.4.7 – apply the principle of Beebe – documentation) (Beebe & Clark, 2005).

Note to reader:

The reason for the inclusion of the incident response and confirmation phase is that different policies, procedures, and activities for the acquisition of live evidence are applicable.


7.5.2 ActDF Phase 2: ActDF investigation phase (par. 6.7.3). See on the ActDF fold-out.

The phase has two sub-phases with related steps. Figure 7-14 illustrates phase 2 of the ActDF protocol:

7.5.2.1 Sub-phase 1: Acquire relevant live evidence sub-phase (par. 6.7.3.2.1) (four steps). See on the ActDF fold-out.

We have expanded the two steps in par. 6.7.3.2.1, and have included typical steps from the ReDF component that will be part of this sub-phase.

7.5.2.1.1 Step 1: Identify live evidence

Determine which live evidence must be acquired to investigate the incident by consulting the risk profile and the digital evidence index. The type of incident will determine what evidence to collect. Consider the sensitivity and volatility of the evidence. Include other system-specific volatile evidence, induced volatile information specific to the incident, and non-volatile information that is subject to a time limitation.

The type of operating system will influence the identification of the evidence (par. 6.6.4.4.2). Determine the limitations of the proposed live acquisition procedure, the proposed time required for the operation, where the target machine is, and which other remote machines will be affected.

Figure 7-14 Phase 2 of the ActDF protocol (by author). Phase 2: ActDF investigation phase. Sub-phase 1: Acquire the live evidence: Step 1: Identify live evidence; Step 2: Acquire relevant live evidence; Step 3: Authenticate evidence; Step 4: Document the acquisition process; Step 5: Transport and store the evidence. Sub-phase 2: Analyse the evidence: Step 1: Revisit investigation plan; Step 2: Analyse the evidence; Step 3: Document the analysis process.


7.5.2.1.2 Step 2: Acquire relevant live evidence (pars. 3.5.2.1, 6.7.3.2.1)

Acquire live evidence using the appropriate tools, technologies, or applications required to profile the attacker and acquire the evidence. It is important to automate the appropriate evidence collection tools, technologies or applications and to activate them as soon as possible (this can be immediately after an incident alert has been issued, or initiated by a trigger event).

Use an acceptable live evidence acquisition protocol. Apply the following data acquisition baseline (Ieong & Leung, 2007):

- Impose minimal user intervention
- All actions performed should be necessary and as unintrusive as possible
- Modification of static digital evidence should be minimal
- Data acquisition should follow the order of volatility and the priority of digital evidence collection
- Acquire non-priority or volatile evidence through traditional evidence collection
- Copying or extraction of data should only be performed when the original data and timestamps are not affected.

7.5.2.1.3 Step 3: Authenticate evidence (par. 6.7.3.2.1)

Due to the nature of live evidence, it is essential to secure and authenticate all the extracted data by applying a hashing function immediately after the collection process. The next step is to make a forensic copy of the acquired evidence before analysis starts.

7.5.2.1.4 Step 4: Document all activities to ensure the integrity of all evidence and processes at all times while acquiring live evidence (par. 3.3.4.7)

7.5.2.1.5 Step 5: Transport the acquired evidence and store it in a secured area if necessary

It is essential to record all actions during the acquisition process to prove the authenticity of the evidence and the process. The documentation will provide the chain of evidence and the chain of custody.
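To make the acquisition baseline, the hashing step and the documentation step of this sub-phase concrete, the following Python example (added here; it is not code from the thesis or from any tool it names) simulates steps 2 to 5: items are collected most-volatile-first, hashed with SHA-256 immediately after collection, copied and verified, and every action is written to a chain-of-custody log. The volatility ranking, the `copier` hook standing in for an imaging tool, and all evidence items are constructed assumptions.

```python
"""Live-evidence acquisition ledger: an added example, not code from the thesis.

Collect in order of volatility, hash each item immediately after collection,
make and verify a forensic copy, and record every action in a chain-of-custody
log. All item identifiers, hosts and contents below are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Constructed order-of-volatility ranking: lower rank is collected first.
VOLATILITY_RANK = {"memory": 0, "network_state": 1, "running_processes": 2,
                   "temp_files": 3, "disk": 4, "remote_logs": 5}


@dataclass
class EvidenceItem:
    item_id: str
    category: str      # key of VOLATILITY_RANK
    source_host: str
    content: bytes     # bytes returned by the (simulated) collection tool


@dataclass
class CustodyEntry:
    timestamp: str
    actor: str
    action: str
    item_id: str
    sha256: str


@dataclass
class AcquisitionLedger:
    case_id: str
    entries: list = field(default_factory=list)
    copies: dict = field(default_factory=dict)   # item_id -> forensic copy bytes

    def record(self, actor: str, action: str, item_id: str, digest: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.entries.append(CustodyEntry(stamp, actor, action, item_id, digest))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def plan_acquisition(items):
    """Sort items most-volatile-first; unknown categories are collected last."""
    last = len(VOLATILITY_RANK)
    return sorted(items, key=lambda i: VOLATILITY_RANK.get(i.category, last))

def acquire_and_authenticate(items, ledger, actor, copier=bytes):
    """Acquire in volatility order, hash at once, then copy and verify the copy.

    `copier` stands in for the imaging tool (constructed hook): the default makes
    a faithful copy; a faulty copier is rejected because its hash will not match.
    Returns {item_id: sha256 of the original}.
    """
    digests = {}
    for item in plan_acquisition(items):
        digest = sha256_hex(item.content)                   # step 3: hash immediately
        digests[item.item_id] = digest
        ledger.record(actor, f"acquired {item.category} from {item.source_host}",
                      item.item_id, digest)                 # step 4: document
        copy = copier(item.content)                         # forensic copy before analysis
        if sha256_hex(copy) != digest:
            ledger.record(actor, "forensic copy FAILED verification",
                          item.item_id, sha256_hex(copy))
            raise ValueError(f"forensic copy of {item.item_id} does not match original")
        ledger.copies[item.item_id] = copy
        ledger.record(actor, "forensic copy verified", item.item_id, digest)
    return digests

def verify_ledger(ledger):
    """Re-hash every stored copy; return item_ids whose copy no longer matches."""
    verified = {e.item_id: e.sha256 for e in ledger.entries
                if e.action == "forensic copy verified"}
    return [i for i, c in ledger.copies.items() if sha256_hex(c) != verified[i]]

def custody_log_json(ledger) -> str:
    """Chain-of-custody record to store with the case file (step 5)."""
    return json.dumps({"case_id": ledger.case_id,
                       "entries": [asdict(e) for e in ledger.entries]}, indent=2)


# Constructed sample input, deliberately listed in the wrong order.
SAMPLE_ITEMS = [
    EvidenceItem("disk-01", "disk", "srv-01", b"constructed disk image bytes"),
    EvidenceItem("mem-01", "memory", "srv-01", b"constructed memory dump bytes"),
    EvidenceItem("proc-01", "running_processes", "srv-01", b"pid 412 sshd\npid 981 cron\n"),
    EvidenceItem("net-01", "network_state", "srv-01", b"tcp 10.0.0.5:443 ESTABLISHED\n"),
]

if __name__ == "__main__":
    ledger = AcquisitionLedger(case_id="CASE-0001")
    acquire_and_authenticate(SAMPLE_ITEMS, ledger, actor="investigator-a")
    print("order:", [i.item_id for i in plan_acquisition(SAMPLE_ITEMS)])
    print("tampered copies:", verify_ledger(ledger))
```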

7.5.2.2 Sub-phase 2: Analyse evidence sub-phase (par. 6.7.3.2.2) (three steps). See on the ActDF fold-out.

We have formulated three steps for this sub-phase:

7.5.2.2.1 Step 1: Review ActDF investigation plan (by author)

The investigator must review the requirements from the ReDF component and the ActDF investigation plan to identify the expertise required and suitable analysis tools.


7.5.2.2.2 Step 2: Analyse the live evidence to determine if sufficient evidence has been gathered (par. 6.7.3.2.2)

Analyse the preliminary evidence to determine if sufficient evidence has been gathered to support the hypothesis. The reliability of the results must be ensured and false data eliminated.

7.5.2.2.3 Step 3: Document the analysis process

Due to the lack of acceptance of live evidence acquisition tools and procedures by courts (Ieong & Leung, 2007), it is essential to document all actions to maintain the chains of evidence and custody, and to ensure the validity of the processes followed when analysing the live data (par. 3.3.4.7).

7.5.3 ActDF Phase 3: Limited incident reconstruction phase (par. 6.7.3.3) (two steps) (Figure 7-15, below). See on the ActDF fold-out.

Figure 7-15 (Phase 3: Incident reconstruction phase) lists the steps: Step 1: Use the results to do limited reconstruction; Step 2: ActDF termination.

7.5.3.1 Step 1: Use the results from the analysis step to make a limited reconstruction of the incident

The aim is to determine if the missing or required live evidence has been acquired. It is essential to determine if the requirements from ReDF have been met. If more live evidence is required, it will be necessary to repeat the ActDF investigation phase to acquire more live evidence.

Various factors can determine if the investigation can continue; for example, the risk management framework of the organisation can indicate whether the impact on the business operations or the cost is too high.

7.5.3.2 Step 2: ActDF termination

Determine if the ActDF protocol should be terminated. The termination conditions will be prescribed by the Risk Management Framework, for example: cost too high; enough CDE; impact of continued acquisition reassessed. Repeat phase 2 if live evidence is still lacking.

Figure 7-15 Phase 3 of the ActDF protocol (by author)
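The reconstruction and termination loop of phase 3, as an added Python example that is not part of the thesis: it compares what ReDF requested with what has been acquired, applies the risk management framework's termination conditions (enough CDE, cost too high, impact reassessed), repeats phase 2 while evidence is still lacking, and returns the case file handed back to ReDF in phase 4. The `RiskFramework` thresholds, the `sample_acquire_round` simulation and the evidence identifiers are constructed assumptions.

```python
"""ActDF phase 2/3 cycle with risk-framework termination: an added example, not
code from the thesis. Thresholds, evidence identifiers and the simulated
acquisition rounds are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class RiskFramework:
    """Termination conditions prescribed by the Risk Management Framework."""
    cost_limit: float                # terminate once acquisition cost reaches this
    max_rounds: int                  # terminate after this many phase-2 repetitions
    impact_acceptable: bool = True   # reassessed impact of continued acquisition


@dataclass
class ActDFState:
    required: set                    # live evidence requested by ReDF
    acquired: set = field(default_factory=set)
    cost_spent: float = 0.0
    rounds: int = 0
    log: list = field(default_factory=list)


def limited_reconstruction(state):
    """Phase 3 step 1: which ReDF requirements are still unmet."""
    return state.required - state.acquired


def termination_decision(state, rmf):
    """Phase 3 step 2: return ('terminate' | 'repeat_phase_2', reason)."""
    missing = limited_reconstruction(state)
    if not missing:
        return "terminate", "sufficient CDE acquired"
    if state.cost_spent >= rmf.cost_limit:
        return "terminate", "cost too high"
    if not rmf.impact_acceptable:
        return "terminate", "impact of continued acquisition unacceptable"
    if state.rounds >= rmf.max_rounds:
        return "terminate", "round limit reached"
    return "repeat_phase_2", f"{len(missing)} item(s) still missing"


def run_actdf(required, acquire_round, rmf):
    """Repeat phase 2 until phase 3 terminates; return the phase 4 case file.

    acquire_round(missing, round_no) simulates one phase-2 pass and returns
    (set_of_acquired_ids, cost).
    """
    state = ActDFState(required=set(required))
    while True:
        decision, reason = termination_decision(state, rmf)
        state.log.append((state.rounds, decision, reason))
        if decision == "terminate":
            return closure_report(state, reason)
        state.rounds += 1
        got, cost = acquire_round(limited_reconstruction(state), state.rounds)
        state.acquired |= set(got)
        state.cost_spent += cost


def closure_report(state, reason):
    """Phase 4 step 1: documented case file handed back to the ReDF component."""
    return {
        "acquired": sorted(state.acquired),
        "missing": sorted(limited_reconstruction(state)),
        "rounds": state.rounds,
        "cost": state.cost_spent,
        "termination_reason": reason,
        "log": list(state.log),
    }


# Constructed simulation: what each phase-2 pass manages to collect, at 1.0 per item.
ROUND_YIELD = {1: {"memory_image", "process_list"}, 2: {"network_connections"}}


def sample_acquire_round(missing, round_no):
    got = ROUND_YIELD.get(round_no, set()) & missing
    return got, 1.0 * len(got)


REQUIRED = {"memory_image", "process_list", "network_connections"}

if __name__ == "__main__":
    print(run_actdf(REQUIRED, sample_acquire_round, RiskFramework(cost_limit=10, max_rounds=5)))
    print(run_actdf(REQUIRED, sample_acquire_round, RiskFramework(cost_limit=2, max_rounds=5)))
```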


7.5.4 ActDF Phase 4: ActDF investigation closure phase (par. 6.7.3.4). See on the ActDF fold-out.

This phase has two steps. Figure 7-16 (below) illustrates phase 4 of the ActDF protocol:

Figure 7-16 Phase 4 of the ActDF protocol (by author). Phase 4: ActDF investigation closure phase. Step 1: Prepare documented case files; Step 2: Return control to ReDF component.

7.5.4.1 Step 1: Prepare documented case files with CDE for the reactive investigation team to complete the investigation

It is essential to compile an investigation report that includes all the relevant documentation that will be required by the ReDF investigation team.

7.5.4.2 Step 2: Return control to the ReDF component to continue with the investigation

Control will be returned to Phase 3, the digital investigation phase, of the ReDF component.

7.5.5 To-do list

Organisations must do the following:

- Manage and conduct the active or live DF investigation by using the predefined ActDF protocol. Apply all the policies and procedures required by the ActDF protocol to ensure a successful investigation.
- Identify the legal and judicial requirements for the specific incident.

The discussion above has indicated some interaction between the three components of our CDF capability. The next section will briefly discuss the relationship between the components.

7.6 RELATIONSHIP BETWEEN PRODF, REDF AND ACTDF

Using the definitions and goals of ProDF, ReDF, and ActDF, it is clear that the different components of DF are dependent on each other. The ProDF component will prepare the organisation for the application of DF tools and technologies. Both ActDF and ReDF depend on the quality and availability of CDE; the soundness of operational processes; well-defined DF investigation protocols (active and reactive) with associated policies and procedures; the competency of investigators and employees; and the availability of acceptable tools, technologies, and infrastructure, which is determined by the ProDF component.

The need for live evidence will be established during the incident response and confirmation phase and the digital investigation phase (evidence acquisition) (pars. 7.4.1.1; 7.4.3.1) of the ReDF component. The ActDF component will identify, acquire, analyse, and prepare the live evidence so that the ReDF component can use it to complete the investigation. The findings as discussed confirm the anticipated relationship between the components of our CDF capability. Figure 7-17 (below) is a high-level graphical representation of the relationship between the three components (presented as Figure 2-4).

Our CDF capability ensures that organisations will be prepared, and the protocols for active and reactive investigations as defined by the ReDF and ActDF components provide clear directives of the phases and steps that organisations must perform when an incident is detected and needs to be investigated.

Figure 7-17 Relationship between components of our CDF capability (also Figure 2-4) (by author)

7.7 SUMMARY

The chapter has consolidated the definition, goals, sub-goals and elements for the ProDF component (using Chapters 3, 4), and the definitions, goals and a protocol with phases and related steps for the ReDF component (using Chapters 3, 5) and the ActDF component (using Chapters 3, 6) of the thesis to propose our CDF capability.

Our CDF capability will address the reasons (needs) for the application of DF in organisations as identified in Chapter 2 (par. 2.5.3, p. 2-37). Table 7.1 (below) provides a summary of the needs and an explanation of how we have addressed them:


Table 7.1 Needs addressed by the CDF capability (par. 2.5.3) (by author)

Need: Investigate incidents, fraud or employee behaviour (par. 2.5.3.1)
How we address the need:
- Apply the ActDF and ReDF protocol with supporting policies and procedures to acquire the evidence and link the perpetrator to the incident (pars. 7.4, 7.5).
- Ensure the availability of adequate resources in terms of competent staff, prepared infrastructure and availability of tools and technologies (par. 7.3.1).
- Establish DF management capability in the organisation (par. 7.3.2).
- Ensure the inclusion of legal and regulatory requirements in the applicable structures of the organisation (par. 7.3.1).

Need: Ensure the availability of CDE (par. 2.5.3.2)
How we address the need:
- Establish an EMP (par. 7.3.1.3).

Need: Assess effectiveness and efficiency of controls or procedures (par. 2.5.3.3)
How we address the need:
- DF strategy (par. 7.3.2);
- Acquire the required CDE using the ReDF or ActDF protocols (pars. 7.4, 7.5).

Need: Measure legal or regulatory compliance (par. 2.5.3.4)
How we address the need:
- DF strategy (par. 7.3.2);
- Acquire the required CDE using the ReDF or ActDF protocols (pars. 7.4, 7.5).

Need: Use of DF tools for non-investigative purposes to improve IT and Info Sec governance structures and performance (par. 2.5.3.5)
How we address the need:
- DF strategy (par. 7.3.2);
- Acquire the required CDE using the ReDF or ActDF protocols (pars. 7.4, 7.5).

The ReDF and ActDF components are well defined with clear definitions, goals and investigation protocols. Investigators can use the protocols for investigations. The ProDF component should ensure that the organisation is DF-ready and can apply DF to establish and manage governance frameworks. However, there is no explicit implementation guideline on what should be developed in terms of policies, strategies or processes. It is therefore necessary to re-structure the ProDF component to provide clear guidelines on what must be considered in terms of legal, judicial and regulatory requirements, strategies, plans, policies and processes, training of employees, and technology and infrastructure requirements.

To implement the CDF capability, we have consolidated the to-do lists identified in the chapter in Table 7.2 (below).


Table 7.2 Consolidated to-do list to implement the CDF capability (by author)

To-do list – actions, each followed by its CDF component reference in square brackets:

1. Determine the legal and regulatory requirements applicable to the operational and investigation infrastructure. Consider requirements related to evidence, processes, admissibility of investigation tools, and the configuration of the operational and investigation infrastructure (par. 7.3.1.1). [ProDF par. 7.3.1.2]

2. Establish the relevant management structures to ensure the availability of facilities (DFI laboratory, and operational infrastructure), hardware, software and equipment to ensure a successful investigation (par. 7.3.1.1). [ProDF par. 7.3.1.2]

3. Formulate policies and procedures to manage the preparation, use and maintenance of the operational and investigation infrastructure (pars. 7.3.1.1.1, 7.3.1.1.2). [ProDF par. 7.3.1.2]

4. Only consider the application and use of acceptable and admissible forensic tools and technologies (par. 7.3.1.1.2). [ProDF par. 7.3.1.2]

5. Identify the technical, legal and regulatory requirements applicable to digital and physical evidence (par. 7.3.1.3.2). [ProDF par. 7.3.1.4]

6. Establish an EMP to manage the evidence: identify potential evidence for a risk or scenario (par. 7.3.1.3.1) and set up a risk profile; organise the evidence into a digital evidence index (par. 7.3.1.3.2); determine the comprehensiveness of a specific evidence set for a risk or scenario (par. 7.3.1.3.3). [ProDF par. 7.3.1.4]

7. Formulate policies and procedures to manage digital and physical evidence (par. 7.3.1.3.4). [ProDF par. 7.3.1.4]

8. Augment the risk management strategy and contingency plans (IRP, BCP and DRP) of the organisation with supporting policies and procedures to include evidence and process requirements (par. 7.3.1.3.4). [ProDF par. 7.3.1.4]

9. Formulate a DF education, training and awareness strategy to ensure that the people in the organisation will be prepared and competent (par. 7.3.1.5). [ProDF par. 7.3.1.6]

10. Establish a policy and procedure to guide the establishment, implementation and management of education, training and awareness programmes (par. 7.3.1.5). [ProDF par. 7.3.1.6]

11. Determine the technical, legal, judicial and regulatory requirements to accredit education and training programmes and certify staff as competent (par. 7.3.1.5). [ProDF par. 7.3.1.6]

12. Develop selective education, training and awareness programmes (pars. 7.3.1.5.1, 7.3.1.5.2). [ProDF par. 7.3.1.6]

13. Establish a policy to prescribe the training requirements associated with specific roles in the organisation to ensure the admissibility of evidence in court (par. 7.3.1.5.1). [ProDF par. 7.3.1.6]

14. Create a code of conduct for the use and application of DF in the organisation (par. 7.3.1.5.3). [ProDF par. 7.3.1.6]

15. Document and validate a DFI protocol that includes reactive and active investigations to ensure that investigations are conducted in an organised way (par. 7.3.1.7.1). [ProDF par. 7.3.1.8]

16. Ensure that all the policies and procedures required by the ReDF and ActDF protocols exist to ensure a successful investigation (par. 7.3.1.7.1). [ProDF par. 7.3.1.8]

17. Ensure that policies and procedures exist to manage the cost of the investigation and incident (pars. 7.3.1.7.2; 7.3.1.7.3). [ProDF par. 7.3.1.8]

18. Create or augment the risk management and business continuity strategy, plans, policies and procedures of the organisation to include DF evidence and process requirements, and ensure that a DF-friendly containment strategy and plan exists to minimise the impact of an incident whilst maximising the availability of the evidence (par. 7.3.1.7.3). [ProDF par. 7.3.1.4; ProDF par. 7.3.1.8]

19. Formulate a DF strategy to manage the application of DF in an organisation (par. 7.3.2). [ProDF par. 7.3.2.3]

20. Formulate policies and procedures to support the DF strategy to ensure that clear directives exist to manage DF for investigative and non-investigative purposes in the organisation. Be sure to include policies to establish a DF capability in the organisation (pars. 7.3.2.1 - 7.3.2.2.5). [ProDF par. 7.3.2.3]

21. Manage and conduct the reactive DF investigation by using the predefined ReDF protocol. Apply all the policies and procedures required by the ReDF protocol to ensure a successful investigation (par. 7.4). [ReDF par. 7.4.7; ProDF par. 7.3.1.8]

22. Manage and conduct the active or live DF investigation by using the predefined ActDF protocol. Apply all the policies and procedures required by the ActDF protocol to ensure a successful investigation (par. 7.5). [ActDF par. 7.5.5; ProDF par. 7.3.1.8]

23. Identify the legal and judicial requirements for the specific incident (pars. 7.4; 7.5). [ReDF par. 7.4.7; ActDF par. 7.5.5]

We will use the to-do list in the next chapter to propose a DF framework to implement and manage

the CDF capability.


Note to reader:

Management is not interested in the detail of investigation protocols, but in successful investigations. It is their responsibility to be concerned with what they need to have in place to ensure successful investigations or to apply DF to establish and manage more effective governance frameworks.

Our CDF capability does not provide an explicit framework on the formulation of strategies, policies, procedures, and training programmes or the infrastructure that should be in place.

We will use the to-do lists of our CDF capability to formulate a DF implementation and management framework, DFMF. This is not another investigation framework, but a holistic framework that concentrates on the implementation of a CDF capability in an organisation.

We will use the consolidated to-do list to formulate the DFMF in the next chapter.


7.8 FOLD-OUT FOR ProDF

Fold-out figure: ProDF component (Chapter 7, par. 7.3). Recovered figure labels:

ProDF goal 1: Become DF-ready (par. 7.3.1)
  DF-readiness sub-goal 1: Prepared infrastructure (par. 7.3.1.1)
    7.3.1.1.1 Element 1: Prepare operational infrastructure
    7.3.1.1.2 Element 2: Establish and manage DF investigation infrastructure
  DF-readiness sub-goal 2: Maximise CDE availability: establish an EMP (par. 7.3.1.2)
    7.3.1.2.1 EMP step 1: Evidence identification: compile risk profile
    7.3.1.2.2 EMP step 2: Organise the evidence: evidence index
    7.3.1.2.3 EMP step 3: Evaluate evidence status
    7.3.1.2.4 EMP step 4: Establish and augment evidence policies and procedures
  DF-readiness sub-goal 3: Prepare responsible, competent employees (par. 7.3.1.3)
    7.3.1.3.1 Element 1: Create education and training programmes
    7.3.1.3.2 Element 2: Establish awareness programme
    7.3.1.3.3 Element 3: Formulate a code of conduct
  DF-readiness sub-goal 4: Ensure cost-effective investigations (par. 7.3.1.4)
    7.3.1.4.1 Element 1: Ensure well documented DFI protocols exist
    7.3.1.4.2 Element 2: Establish procedure to calculate cost of investigation
    7.3.1.4.3 Element 3: Minimise interruption to business

ProDF goal 2: Implement and manage DF to improve governance programs (par. 7.3.2)
  Sub-goal 1: Establish a DF management capability to support the DF strategy (par. 7.3.2.1)
    7.3.2.1.1 Element 1: Augment organisational structure
    7.3.2.1.2 Element 2: Clear segregation of duties
    7.3.2.1.3 Element 3: Outsourcing
    7.3.2.1.4 Element 4: Ensure legal review
  Sub-goal 2: Apply DF to provide reasonable assurance regarding achieving organisational objectives (par. 7.3.2.2)
    7.3.2.2.1 Element 1: Safeguard company's assets
    7.3.2.2.2 Element 2: Compliance
    7.3.2.2.3 Element 3: Support business sustainability
    7.3.2.2.4 Element 4: Reliability of reporting
    7.3.2.2.5 Element 5: Behave responsibly towards stakeholders


7.9 FOLD-OUT FOR ReDF

Fold-out figure: ReDF component (Chapter 7, par. 7.4). Recovered figure labels:

Phase 1: Incident response and confirmation (par. 7.4.1)
  7.4.1.1 Step 1: Incident detection
  7.4.1.2 Step 2: Initiate incident response plan
  7.4.1.3 Step 3: Incident confirmation
  7.4.1.4 Step 4: Formulate initial investigation plan
  7.4.1.5 Step 5: Obtain authorisation
  7.4.1.6 Step 6: Evaluate the incident to accelerate the investigation
  7.4.1.7 Step 7: Notify relevant parties
  7.4.1.8 Step 8: Document all activities
Phase 2: Physical investigation (par. 7.4.2)
  7.4.2.1 Step 1: Secure and preserve physical crime scene
  7.4.2.2 Step 2: Survey and search the crime scene
  7.4.2.3 Step 3: Acquire evidence
  7.4.2.4 Step 4: Analyse the evidence
  7.4.2.5 Step 5: Reconstruct the incident
  7.4.2.6 Step 6: Make a finding and compile an investigation report
  7.4.2.7 Step 7: Transport the evidence
  7.4.2.8 Step 8: Store the evidence
Phase 3: Digital investigation (par. 7.4.3)
  Sub-phase 1: Secure digital evidence (par. 7.4.3.1)
    7.4.3.1.1 Step 1: Preserve the digital crime scene
    7.4.3.1.2 Step 2: Preserve digital evidence
    7.4.3.1.3 Step 3: Document all activities
  Sub-phase 2: Evidence acquisition (par. 7.4.3.2)
    7.4.3.2.4 Step 1: Acquire relevant evidence
    7.4.3.2.5 Step 2: Authenticate all evidence
    7.4.3.2.6 Step 3: Transport the evidence
    7.4.3.2.7 Step 4: Storage of evidence
    7.4.3.2.8 Step 5: Document the acquisition process
  Sub-phase 3: Analysis (par. 7.4.3.3)
    7.4.3.3.1 Step 1: Revise investigation plan
    7.4.3.3.2 Step 2: Examine and prepare evidence
    7.4.3.3.3 Step 3: Analyse evidence
    7.4.3.3.4 Step 4: Reconstruct the incident
    7.4.3.3.5 Step 5: Document analysis process
    7.4.3.3.6 Step 6: Secure documentation
  Sub-phase 4: Service restoration (par. 7.4.3.4)
    7.4.3.4.1 Step 1: Restore activities
Phase 4: Incident reconstruction (par. 7.4.4)
  7.4.4.1 Step 1: Consolidate the findings
  7.4.4.2 Step 2: Validate the finding
  7.4.4.3 Step 3: Compile incident or investigation report
Phase 5: Present case (par. 7.4.5)
  7.4.5.1 Step 1: Prepare the case
  7.4.5.2 Step 2: Present the case
  7.4.5.3 Step 3: Enable an appeal procedure
  7.4.5.4 Step 4: Preserve and store CDE
Phase 6: Incident closure (par. 7.4.6)
  7.4.6.1 Step 1: Review result to identify lessons learned
  7.4.6.2 Step 2: Dispose / return / preserve evidence and case files

Overview panel (ReDF protocol, Chapter 7): Phase 1: Incident response and confirmation; Phase 2: Physical investigation; Phase 3: Digital investigation (Sub-phase 1: Secure the evidence; Sub-phase 2: Acquire the evidence; Sub-phase 3: Analyse the evidence; Sub-phase 4: Restore the service); Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure. The ActDF component is shown alongside the ReDF phases.


7.10 FOLD-OUT FOR ActDF

Fold-out figure: ActDF component (Chapter 7, par. 7.5). Recovered figure labels:

Phase 1: Incident response and confirmation (par. 7.5.1)
  7.5.1.1 Step 1: Incident detection
  7.5.1.2 Step 2: Initiate IRP
  7.5.1.3 Step 3: Incident confirmation
  7.5.1.4 Step 4: Formulate ActDF investigation plan
  7.5.1.5 Step 5: Obtain authorisation
  7.5.1.6 Step 6: Evaluate incident to accelerate investigation
  7.5.1.7 Step 7: Notify relevant parties
  7.5.1.8 Step 8: Document all activities
Phase 2: ActDF investigation (par. 7.5.2)
  Sub-phase 1: Acquire live evidence (par. 7.5.2.1)
    7.5.2.1.1 Step 1: Evidence identification
    7.5.2.1.2 Step 2: Acquire live evidence
    7.5.2.1.3 Step 3: Authenticate evidence
    7.5.2.1.4 Step 4: Document all activities
    7.5.2.1.5 Step 5: Transport the evidence and store in secure area
  Sub-phase 2: Analysis (par. 7.5.2.2)
    7.5.2.2.1 Step 1: Review ActDF investigation plan
    7.5.2.2.2 Step 2: Analyse live evidence
    7.5.2.2.3 Step 3: Document the analysis process
Phase 3: Limited incident reconstruction (par. 7.5.3)
  7.5.3.1 Step 1: Use results to do reconstruction
  7.5.3.2 Step 2: ActDF termination
Phase 4: ActDF investigation closure (par. 7.5.4)
  7.5.4.1 Step 1: Prepare documented case files
  7.5.4.2 Step 2: Return control to ReDF component

Overview panel (ReDF and ActDF): ReDF phases: Phase 1: Incident response and confirmation; Phase 2: Physical investigation; Phase 3: Digital investigation; Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure. ActDF phases: Phase 1: Incident response and confirmation; Phase 2: ActDF digital investigation (Sub-phase 1: Evidence acquisition; Sub-phase 2: Analysis); Phase 3: Incident reconstruction; Phase 4: Incident closure.

Please note: Phase 1: Incident response and confirmation is a common phase between ReDF and ActDF.


8 CHAPTER 8

CONSTRUCTION OF OUR HOLISTIC DF MANAGEMENT FRAMEWORK (DFMF)

8.1 INTRODUCTION

The previous chapter formulated our CDF capability, the components of which are distinct but dependent on each other. If an organisation wishes to implement our CDF capability, it must do so in a structured way.

The ReDF and ActDF components are the investigation components. Investigators can apply the proposed protocols when investigating incidents; however, it is essential that organisations prepare for the application of the protocols and formulate policies and procedures, train staff, and ensure that the appropriate tools, technologies and infrastructure are in place to facilitate the investigations.

The ProDF component provides guidance for organisations to establish management structures, formulate policies and processes, configure infrastructure and apply tools and technology while considering the legal and regulatory requirements of the organisation. We have identified typical to-do lists (Table 7.2, p. 7-201) to assist organisations with implementation of the CDF capability. However, it is necessary to structure the to-do list, as different activities are dependent on each other. A structured to-do list will ease the identification, formulation and implementation of the activities. For example, organisations must determine the legal and judicial requirements of evidence handling before they establish the EMP and the related evidence handling policies and procedures, as well as the training and awareness programmes and technology needed.

The legal and judicial environment of the organisation is the backdrop of all the activities in an organisation. The governance or management frameworks (corporate and IT) will dictate the development of the policies needed, which will drive the relevant processes, guidelines and procedures.


The implementation and use of DF tools and technologies must be managed in any organisation. Evidence availability and successful investigations hinge on knowledgeable and competent individuals who can apply admissible DF tools and technologies.

The to-do list does not provide a detailed list of legal and judicial requirements to identify, nor exactly which strategies, policies and procedures to formulate. None of the DF frameworks discussed in Chapters 3, 4, 5, and 6 prescribes exactly what must be in place to implement a CDF capability. We will use the to-do list actions (Table 7.2, p. 7-201) to identify specific deliverables that must be implemented. A deliverable is a tangible output that organisations can implement; a policy, a procedure and a training programme are examples of typical deliverables. We will use the dimensions of DF (par. 1.9.2) to categorise the deliverables in the consolidated to-do list (Table 7.2, p. 7-201).

The categorised to-do list and the relationship between the dimensions are the foundation of our high-level DF implementation and management framework, DFMF. Figure 8-1 (below) depicts the role of this chapter within the overall thesis:

8.2 AIM AND STRUCTURE OF THE CHAPTER

The aim of the chapter is to propose a holistic DF implementation and management framework (DFMF) to implement and manage our CDF capability. This chapter will:

- identify and categorise the deliverables of the to-do list (par. 8.3)
- construct the DFMF step by step and provide a graphical representation of each category with its supporting groups of deliverables (par. 8.4)
- consolidate the deliverable categories using the first level deliverables to demonstrate a high-level view of our DFMF (par. 8.5).

Figure 8-1 Role of the Chapter in the thesis (by author). Recovered figure labels: Part 1: Background; Part 2: Construction of DFMF (Chapter 7: Comprehensive DF capability; Chapter 8: Construction of DFMF); Part 3: Conclusion.


The next section will use the consolidated to-do list as a starting point to construct the concept DFMF and categorise the to-do list. We will use the categorised list for the formulation of the DFMF.

8.3 CATEGORISE THE TO-DO LIST

We will use the dimensions of DF, namely legal and judicial, management or governance, policy, process, people and technology related activities or deliverables (Grobler & Louwrens, 2006), to categorise the individual actions.

The dimensions cannot exist in isolation but are interdependent. The legal and judicial dimension is the backdrop to all the other dimensions. The legal, regulatory and judicial requirements of the country or operating environment will influence all activities of the organisation. The governance dimension is a subset of the legal and judicial dimension. The policy dimension is a subset of the governance dimension, and the people, process and technology dimensions are subsets of the policy dimension. There is continuous interaction between people, process, and technology during the implementation of DF in an organisation. We will use the relationship between the dimensions as a basis for the relationship between the deliverable categories. Figure 8-2 (below) is a graphical representation of the relationship:

Figure 8-2 Relationship between the dimensions (also Figure 1-2) (by author)

We have categorised and re-organised the individual actions in the to-do list in par. 7.7 (Table 7.2) by using the six identified dimensions in Table 8.1 (below). We will use abbreviations to reference the individual activities when constructing the DFMF in the next section, by referring to dimension numbers: for example, Gi for the different Governance, Li for Legal and Judicial, PPi for Policy and Process, Ti for Technology and Pi for People activities, where i refers to the number of the action. Potential deliverables are highlighted (printed bold) in the table below.


Table 8.1 Categorised TO-DO list (by author)

Dimension number | Dimension | To-do list: actions or deliverables | Table 7.2, p. 7-201 number | CDF component reference
G1 | Governance | Establish the relevant management structures to ensure the availability of facilities (DFI laboratory, and operational infrastructure), hardware, software and equipment to ensure a successful investigation (par. 7.3.1.1). | 2 | ProDF par. 7.3.1.2
G2 | Governance | Establish an EMP to manage the evidence: identify potential evidence for a risk or scenario and set up a risk profile (par. 7.3.1.3.1); organise the evidence into a digital evidence index (par. 7.3.1.3.2); determine the comprehensiveness of a specific evidence set for a risk or scenario (par. 7.3.1.3.3). | 6 | ProDF par. 7.3.1.4
G3 | Governance | Augment the risk management strategy and contingency plans (IRP, BCP and DRP) of the organisation with supporting policies and procedures to include evidence and process requirements (par. 7.3.1.3.4). | 8 | ProDF par. 7.3.1.4
G4 | Governance | Formulate a DF education, training and awareness strategy to ensure that the people in the organisation will be prepared and competent (par. 7.3.1.5). | 9 | ProDF par. 7.3.1.6
G5 | Governance | Document and validate a DFI protocol that includes reactive and active investigations to ensure that investigations are conducted in an organised way (par. 7.3.1.7.1). | 15 | ProDF par. 7.3.1.8
G6 | Governance | Create or augment the risk management and business continuity strategy and plans of the organisation to include DF evidence and process requirements, and ensure that a DF-friendly containment strategy and plan exists to minimise the impact of an incident whilst maximising the availability of the evidence (par. 7.3.1.7.3). | 18 | ProDF par. 7.3.1.4; ProDF par. 7.3.1.8
G7 | Governance | Formulate a DF strategy to manage the application of DF in an organisation (par. 7.3.2). | 19 | ProDF par. 7.3.2.3
L1 | Legal and Judicial | Determine the legal and regulatory requirements applicable to the operational and investigation infrastructure. Consider requirements related to evidence, processes, admissibility of investigation tools, and the configuration of the operational and investigation infrastructure (par. 7.3.1.1). | 1 | ProDF par. 7.3.1.2
L2 | Legal and Judicial | Identify the legal and regulatory requirements applicable to digital and physical evidence (par. 7.3.1.3.2). | 5 | ProDF par. 7.3.1.4
L3 | Legal and Judicial | Determine the technical, legal, judicial and regulatory requirements to accredit education and training programmes and certify staff to be competent (par. 7.3.1.5). | 11 | ProDF par. 7.3.1.6
L4 | Legal and Judicial | Identify the legal and judicial requirements for the specific incident (pars. 7.4, 7.5). | 23 | ReDF par. 7.4.7; ActDF par. 7.5.5
P1 | People | Develop selective education, training and awareness programmes (pars. 7.3.1.5.1, 7.3.1.5.2). | 12 | ProDF par. 7.3.1.6
P2 | People | Create a code of conduct for the use and application of DF in the organisation (par. 7.3.1.5.3). | 14 | ProDF par. 7.3.1.6
PP1 | Policy and Procedure | Formulate policies and procedures to manage the preparation, use and maintenance of the operational and investigation infrastructure (pars. 7.3.1.1.1, 7.3.1.1.2). | 3 | ProDF par. 7.3.1.2
PP2 | Policy and Procedure | Formulate policies and procedures to manage digital and physical evidence (par. 7.3.1.3.4). | 7 | ProDF par. 7.3.1.4
PP3 | Policy and Procedure | Establish a policy and procedure to guide the establishment, implementation and management of education, training and awareness programmes (par. 7.3.1.5). | 10 | ProDF par. 7.3.1.6
PP4 | Policy and Procedure | Establish a policy to prescribe the training requirements associated with specific roles in the organisation to ensure the admissibility of evidence in court (pars. 7.3.1.5, 7.3.1.5.1). | 13 | ProDF par. 7.3.1.6
PP5 | Policy and Procedure | Ensure that all the policies and procedures required by the ReDF and ActDF protocols exist to ensure a successful investigation (par. 7.3.1.7.1). | 16 | ProDF par. 7.3.1.8
PP6 | Policy and Procedure | Ensure that policies and procedures exist to manage the cost of the investigation and incident (par. 7.3.1.7.3). | 17 | ProDF par. 7.3.1.8
PP7 | Policy and Procedure | Create or augment the risk management and business continuity (IR, BCP and DRP) policies and procedures of the organisation to include DF evidence and process requirements, and ensure that DF-friendly containment policies and procedures exist to minimise the impact of an incident whilst maximising the availability of the evidence (par. 7.3.1.7.3). | 18 | ProDF par. 7.3.1.4; ProDF par. 7.3.1.8
PP8 | Policy and Procedure | Formulate policies and procedures to support the DF strategy to ensure that clear directives exist to manage DF for investigative and non-investigative purposes in the organisation. Be sure to include policies to establish a DF capability in the organisation (pars. 7.3.2.1 - 7.3.2.2.5). | 20 | ProDF par. 7.3.2.3
PP9 | Policy and Procedure | Manage and conduct the reactive DF investigation by using the predefined ReDF protocol. Apply all the policies and procedures required by the ReDF protocol to ensure a successful investigation (par. 7.4). | 21 | ReDF par. 7.4.7; ProDF par. 7.3.1.8
PP10 | Policy and Procedure | Manage and conduct the active or live DF investigation by using the predefined ActDF protocol. Apply all the policies and procedures required by the ActDF protocol to ensure a successful investigation (par. 7.5). | 22 | ActDF par. 7.5.5; ProDF par. 7.3.1.8
T1 | Technology | Only consider the application and use of acceptable and admissible forensic tools and technologies (par. 7.3.1.1.2). | 4 | ProDF par. 7.3.1.2
T2 | Technology | Identify the technical requirements applicable to digital and physical evidence (par. 7.3.1.3.2). | 5 | ProDF par. 7.3.1.4
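As an added example (not code from the thesis or the author), the following Python sketch shows what the EMP deliverable in row G2 looks like once it is implemented: a digital evidence index that carries the three EMP steps, namely identify the evidence a risk scenario needs (risk profile), index the evidence sources the organisation actually keeps, and evaluate the evidence status to determine how comprehensive the evidence set for a scenario is. All source names, owners, retention periods and the two scenarios are constructed sample data and are assumptions of this example, not values from the thesis.

```python
"""Evidence management plan (EMP) helper: digital evidence index with a
comprehensiveness check per risk scenario (added example, not from the thesis).

All evidence sources, owners, retention periods and scenarios below are
constructed sample data chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    AVAILABLE = "available"        # source exists and retention meets the requirement
    INSUFFICIENT = "insufficient"  # source exists but is retained for too short a period
    MISSING = "missing"            # no source of this kind is registered in the index


@dataclass(frozen=True)
class EvidenceSource:
    """One entry in the digital evidence index (EMP step 2)."""
    name: str            # constructed identifier, e.g. "proxy_logs"
    owner: str           # accountable team; evidence handling policies need an owner
    retention_days: int  # how long the source is kept before it is overwritten


@dataclass(frozen=True)
class Requirement:
    """Evidence a scenario depends on, and how far back it must be retrievable."""
    source: str
    min_retention_days: int


@dataclass(frozen=True)
class RiskScenario:
    """Risk profile entry (EMP step 1): a scenario and the evidence it requires."""
    name: str
    requirements: tuple[Requirement, ...]


class EvidenceIndex:
    """Digital evidence index plus the evidence-status evaluation of EMP step 3."""

    def __init__(self) -> None:
        self._sources: dict[str, EvidenceSource] = {}

    def register(self, source: EvidenceSource) -> None:
        self._sources[source.name] = source

    def evaluate(self, scenario: RiskScenario) -> dict[str, Status]:
        """Map each required source of the scenario to its current status."""
        result: dict[str, Status] = {}
        for req in scenario.requirements:
            src = self._sources.get(req.source)
            if src is None:
                result[req.source] = Status.MISSING
            elif src.retention_days < req.min_retention_days:
                result[req.source] = Status.INSUFFICIENT
            else:
                result[req.source] = Status.AVAILABLE
        return result

    def comprehensiveness(self, scenario: RiskScenario) -> float:
        """Fraction of the scenario's evidence requirements that are fully met."""
        statuses = self.evaluate(scenario)
        if not statuses:
            return 1.0  # a scenario with no evidence requirements has nothing missing
        met = sum(1 for s in statuses.values() if s is Status.AVAILABLE)
        return met / len(statuses)

    def gaps(self, scenario: RiskScenario) -> list[str]:
        """Sources that policy or infrastructure work must fix before the scenario is DF-ready."""
        return [name for name, s in self.evaluate(scenario).items() if s is not Status.AVAILABLE]


def build_sample_index() -> EvidenceIndex:
    """Constructed sample index; names and retention periods are illustrative only."""
    index = EvidenceIndex()
    index.register(EvidenceSource("firewall_logs", "network-ops", retention_days=90))
    index.register(EvidenceSource("ad_auth_logs", "identity-team", retention_days=30))
    index.register(EvidenceSource("email_archive", "messaging-team", retention_days=365))
    return index


# Constructed risk profile: two scenarios and the evidence each one depends on.
EXFILTRATION = RiskScenario("insider data exfiltration", (
    Requirement("proxy_logs", 90),      # not in the index: MISSING
    Requirement("ad_auth_logs", 90),    # kept for 30 days only: INSUFFICIENT
    Requirement("email_archive", 180),  # kept for 365 days: AVAILABLE
))
WEB_COMPROMISE = RiskScenario("external web server compromise", (
    Requirement("firewall_logs", 30),   # AVAILABLE
    Requirement("webserver_logs", 30),  # not in the index: MISSING
))


if __name__ == "__main__":
    idx = build_sample_index()
    for scenario in (EXFILTRATION, WEB_COMPROMISE):
        print(f"{scenario.name}: {idx.comprehensiveness(scenario):.0%} complete, "
              f"gaps: {idx.gaps(scenario)}")
```

The output of `gaps` is the input for the policy and technology deliverables in the same table: a MISSING source needs an infrastructure change (T1, T2), an INSUFFICIENT one a retention change in the evidence handling policy (PP2), and the ownership field is what the evidence management policy (par. 7.3.1.4) has to assign.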

We will use the to-do list actions to identify specific deliverables to implement our CDF capability. However, the actions can also be part of a hierarchy; for example, the general DF policy is supported by a set of sub-policies, such as evidence management and handling, incident management and handling, and education and training policies. We will refer to the general DF policy as a first level action and the supporting sub-policies as second level activities.

The next section will use the dimensions and the relationship between the dimensions of DF to propose a concept framework of our DFMF in a graphical format. The development of a fully functional DFMF is not part of this thesis, but will be researched and developed in future.

8.4 STEP-BY-STEP CONSTRUCTION OF THE DFMF

We will now consider the to-do list actions to identify specific deliverables (using the CDF capability in Chapter 7) to construct our DFMF. The construction will be step by step, starting from the legal and judicial dimension, moving to governance, then policy, followed by process, people and technology. The next section will consider the legal and judicial dimension.


8.4.1 Legal and judicial dimension

The legal and judicial dimension will ensure that organisations identify the legal, regulatory and judicial requirements applicable to their organisation. The legal and judicial deliverables identified from the to-do list in Table 8.1 (above) are:

8.4.1.1 Table 8.1 L2: Evidence handling and management requirements (par. 7.3.1.4)

This group will consider digital (static, live, legacy), physical and post-investigation evidence requirements.

8.4.1.2 Table 8.1 L1, L4: Process requirements (pars. 7.3.1.4, 7.3.1.7.1, 7.3.1.8, 7.3.2.3)

The investigation process (incident handling) and the correct formulation of SOP in organisations are essential. Organisations must consider the ReDF, ActDF and SOP process requirements in terms of admissibility in a court of law.

8.4.1.3 Table 8.1 L1: Infrastructure requirements (par. 7.3.1.2)

The legal and judicial requirements of a prepared operational and investigation infrastructure, as well as the validity of DF tools and technology, must be considered to ensure the admissibility in court of the evidence acquired.

8.4.1.4 Table 8.1 L3: Other legal, regulatory and judicial requirements

These requirements can be, for example, SAQA requirements to accredit training programmes and to certify staff (par. 7.3.1.6). The technical competence of the investigator will influence the admissibility of evidence in a court of law.

Figure 8-3 (below) is a graphical representation of the first two levels of the legal and judicial

deliverables:

Figure 8-3 Graphical representation of the first two levels of the legal and judicial deliverables (by author). Recovered figure labels: LEGAL AND JUDICIAL: Evidence requirements (par. 8.4.1.1): Digital, Physical, Post incident; Process requirements (par. 8.4.1.2): ReDF, ActDF, SOP; Infrastructure requirements (par. 8.4.1.3): Operational, Investigation, Tools; Other requirements (par. 8.4.1.4): Programme accreditation, Certification.

The requirements will be found in relevant laws, treaties, best practices, regulatory and judicial requirements, and other regulatory bodies, for example, a qualification authority. Organisations must identify all relevant laws, treaties, regulations, best practices, and judicial requirements applicable to the organisation. If the organisation operates internationally, the different countries' legal and judicial requirements must be met. We use the first level legal and judicial deliverables to construct the DFMF in Figure 8-4 (below).

Figure 8-4 Legal and judicial deliverables as step 1 of the construction of our DFMF (by author). Recovered figure labels: LEGAL AND JUDICIAL: Evidence requirements; Process requirements; Infrastructure requirements; Other requirements.

The second step will be to consolidate the governance dimension.

8.4.2 Governance dimension

The governance dimension deals with management issues, and will ensure that organisations consider the strategic importance and the management of the application and implementation of DF in an organisation. We have identified three groups of governance deliverables using the to-do list in Table 8.1 (above).

8.4.2.1 Table 8.1 G7: Group 1: Formulate the DF strategy (par. 7.3.2.3)

The DF strategy should provide direction for the use and application of DF in an organisation. We propose that the DF strategy should address the following three groups of activities:

8.4.2.1.1 Table 8.1 G1, G5, G6, and G7: Manage the CDF capability (par. 7.3.2) (by author)

- General management of the CDF capability
- Manage DF investigations (case management)
- Manage the use of DF for non-investigative purposes in the organisation

8.4.2.1.2 Table 8.1 G2: Establish an evidence management plan (par. 7.3.1.4)

8.4.2.1.3 Table 8.1 G4: Formulate a DF education, training and awareness strategy with supporting policies and programmes (par. 7.3.1.6)

8.4.2.2 Table 8.1 G3, G6: Group 2: Augment the risk management / contingency strategy and plans

The governance category must integrate DF requirements in the risk management and contingency strategy and plans of the organisation. It is essential to establish or augment the organisational risk management and contingency plans to include evidence and process requirements (consider staff assignments and technical responsibilities) (par. 7.3.1.7.3). Plans to augment are as follows:

- Business impact analysis, to include evidence elements for specific risks (from the evidence management plan, par. 7.3.1.3.1).
- Formulate or augment the contingency plans (pars. 7.3.1.3.4; 7.3.1.4; 7.3.1.7.3; 7.3.1.8), and be sure to include the following:
  - IRP and the incident containment strategy, by considering business, legal, technical, and political factors and goals. It is also essential to specify incident acceleration criteria in the IRP.
  - Disaster recovery plan.
  - Business continuity plan.
- Include the assessment of new technologies in risk assessment to determine the impact of the new technologies on forensic investigations (par. 7.3.2.2.3).

8.4.2.3 Table 8.1 G1: Group 3: Manage infrastructure

Organisations must manage the physical infrastructure, which includes the physical investigation laboratory and the operational infrastructure (including all hardware and software) (pars. 7.3.1.1, 7.3.1.2).


Figure 8-5 (below) is a graphical representation of the first two levels of typical deliverables of

the governance category. We used the deliverable groups with sub-deliverables from par. 8.4.2.

The governance dimension is a subset of the legal and judicial dimension. We will add the first level

governance deliverable groups to the current version of DFMF in Figure 8-6 (below):

LEGAL AND JUDICIAL

Evidence Process Infrastructure Other

GOVERNANCE

Formulate

DF strategyManage

infrastructure

Risk management/

Contingency strategy

Management

of DF

capability

Evidence

management

plan

DF education,

training and

awareness strategy

DFMF

The third step will be to consolidate the policy dimension.

8.4.3 Policy dimension

Organisations must formulate a general DF policy to support the DF strategy. Using the to-do list in Table 8.1 (above), we have identified and re-organised the relevant policies into the following six groups of related policies, each with supporting policies, that support the general DF policy. The policy deliverable groups are:

[Figure 8-5 (graphic not reproduced): Formulate DF strategy (Par. 8.4.2.1): Evidence management plan; Education, training and awareness strategy; Manage DF capability. Augment risk management / contingency strategy (Par. 8.4.2.2): IRP; DRP; BIA; BCP; Evaluate new technology. Manage infrastructure (Par. 8.4.2.3): Operational; Investigation]

Figure 8-5 First two levels of the governance deliverables (by author)

Figure 8-6 Addition of the governance deliverables as step 2 of the construction of our DFMF (by author)


8.4.3.1 Table 8.1 PP2: Group 1: Evidence management and handling policies

8.4.3.1.1 Evidence management policies (par. 7.3.1.4)

8.4.3.1.2 Digital evidence handling policies (par. 7.3.1.3.4)

Include static, live, legacy and archived digital evidence handling policies.

8.4.3.1.3 Physical evidence handling policies (par. 7.4.2)

8.4.3.1.4 Post-investigation case documentation and evidence handling policy (par. 7.3.1.4)

8.4.3.2 Table 8.1 PP5, PP6, PP9, PP10: Group 2: Incident management policies (par. 7.4.1)

8.4.3.2.1 Incident handling policy (by author)

Provide directives on the types of incident, the criteria for when to investigate, and the level of investigation (internal or formal). Include the management of the cost of an incident and investigation.

8.4.3.2.2 ReDF investigation policy with supporting policies (par. 7.4)

IR policy. Include the ActDF activation criteria in the IR policy of the organisation.

Physical investigation policy.

Digital investigation policy.

Incident reconstruction policy.

Case presentation policy, to provide guidelines for the presentation of the case.

Incident closure policy, to provide guidelines for the closure of the case and the dissemination of the result of the investigation.

8.4.3.2.3 ActDF investigation policy to include (par. 7.5):

IR policy. Include the ActDF activation criteria in the IR policy of the organisation; this policy comes from the contingency policies of the organisation.

Live evidence acquisition, analysis, limited reconstruction and ActDF termination criteria.

ActDF termination policy.

8.4.3.3 Table 8.1 PP7: Group 3: Augment the organisational risk management and contingency policies

Augment the organisational risk management and contingency policies to include DF requirements. Typical policies are:

8.4.3.3.1 Business impact analysis policy: change the threat profile to a risk profile, as suggested in par. 7.3.1.3.1


8.4.3.3.2 IR policies (pars. 7.4.1, 7.5.1)

The ActDF and ReDF IR policies should be the same as this policy. The containment policy is pertinent and must be in place to contain incidents and so minimise the impact of an incident on the organisation. Include incident acceleration criteria in the policy.

8.4.3.3.3 Disaster recovery policies (pars. 7.4.1, 7.3.1.7.3)

8.4.3.3.4 Business continuity policies (par. 7.3.1.7.3).

Note to reader:

This is not necessarily a complete list of policies, but an example of typical risk management or contingency policies that should be augmented to include evidence requirements and sound DF procedure structuring.

8.4.3.4 Table 8.1 PP3, PP4: Group 4: Education, training, and awareness policy (par. 7.3.1.6)

8.4.3.4.1 Include the curriculation requirements to offer accredited education and training courses.

8.4.3.4.2 Specify the minimum qualifications and requirements for DF investigators and first responders in terms of training and certification.

8.4.3.5 Table 8.1 PP8: Group 5: DF Management policies

8.4.3.5.1 General DF management policies (par. 7.3.2.1)

Policy to describe the establishment of a CERT

Policy to prescribe the segregation of duties between the CERT, internal DF team, external DF team, auditing, risk management, and Info Sec departments

Outsourcing policy

Whistle-blowing policy

An appeal policy

Policy for the use and application of DF tools and technologies

Policy to ensure cost-effective investigations and evidence acquisition.

8.4.3.5.2 Management and use of DF for non-forensic investigation purposes policies (par. 7.3.2.2)

Policy for the use of DF tools and technologies for non-investigation purposes, for example, policies that guide the use of DF tools for data recovery, password recovery, and disk wiping


Policy to apply DF tools and techniques to safeguard the company’s assets

Policy to apply DF to acquire evidence for continuous audits, quality assurance, and compliance testing

Policy to apply DF tools and techniques to assess the effectiveness and efficiency of operations and controls of the governance frameworks (pars. 7.3.2.2; 7.3.2.2.3).

8.4.3.6 Table 8.1 PP1: Group 6: Infrastructure policies (par. 7.3.1.1)

8.4.3.6.1 Operational infrastructure policies (par. 7.3.1.1.1)

Configuration of networks, IDS and other infrastructure (hardware and software)

A monitoring policy that provides clear directives on the systematic gathering of evidence and on targeted monitoring

Policy to ensure the inclusion of DF principles in the design, implementation, and development (SDLC) of applications and systems, to ensure DF-friendly systems

Policy to prevent anti-forensic activities

Policy to prevent anonymous activities

Policy to evaluate new technologies and techniques.

8.4.3.6.2 DF laboratory policies (par. 7.3.1.1.2)

Policy for the acquisition and maintenance of DF tools and technologies

Policy for version control of DF tools to ensure the handling of legacy evidence (by author)

Laboratory access control policy

Use of DF laboratory policy

Secure storage area policy

Backup policy

Ensure that a well-defined backup and recovery plan with policies exists for the DF laboratory. It is essential to consider not only the evidence, which includes data and metadata, but also the tools and the versions of tools.

Figure 8-7 (below) is a graphical representation of some of the first two level policy deliverables.


The policy dimension is a subset of the governance dimension. We will add the first level policy deliverables to the current version of DFMF. Due to the importance of policies, we also include the second level policy deliverable groups in Figure 8-8 (below).

The fourth step will be to consolidate the process deliverables.

8.4.4 Process dimension

To manage DF in an organisation, policies must be supported by well-defined, forensically sound procedures and guidelines. The process category is prominent in DF, as the procedure followed during an investigation or assessment will determine the admissibility of the evidence gathered and ultimately the success of an investigation. We propose the following six groups of process deliverables to support the corresponding policy deliverable groups:

[Figure 8-7 (graphic not reproduced): General DF policy (Par. 8.4.3) with six policy groups: Evidence management and handling policies (Par. 8.4.3.1); Incident management policies (Par. 8.4.3.2); Risk management / Contingency policies (Par. 8.4.3.3); Education, training and awareness policies (Par. 8.4.3.4); Management policies (Par. 8.4.3.5); Infrastructure policies (Par. 8.4.3.6)]

Figure 8-7 Graphical representation of the first two levels of the policy deliverables (by author)

Figure 8-8 Addition of the policy deliverables as step 3 of the construction of our DFMF (by author)

[Figure 8-8 (graphic not reproduced): LEGAL AND JUDICIAL (Evidence requirements; Process requirements; Infrastructure requirements; Other requirements) > GOVERNANCE (Formulate DF strategy; Manage infrastructure; Augment the risk management / contingency strategy) > POLICY (General DF Policy; Evidence management and handling policies; Risk management / contingency policies; DF Management policies; Infrastructure policies; Incident management policies; Education, training and awareness policy)]


8.4.4.1 Table 8.1 PP2: Group 1: Evidence management and handling procedures (pars. 7.3.1.3 - 7.3.1.4)

8.4.4.1.1 Evidence management procedures (par. 7.3.1.3.1)

Procedure to provide directives on the creation and management of the risk profile, the calculation of the CDE rating or of an evidence set associated with a risk, and the compilation of the evidence index.

8.4.4.1.2 Digital evidence handling procedures (par. 7.3.1.3.4)

Static digital evidence handling procedures (par. 7.4.3)

The static evidence handling procedures should include identification; collection; acquisition; ensuring integrity; authentication; preservation; and storage and transportation of digital evidence.

Live evidence handling procedures (par. 7.5.2)

The live evidence handling procedures are identification; collection (to be done by considering the order of volatility); maintenance of the integrity of the evidence; live evidence acquisition; live evidence authentication; live evidence transportation (same as for static evidence); and live evidence storage (same as for static evidence).

Legacy evidence handling procedure (par. 7.3.1.3.4).
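The static and live handling steps just listed, as an added example that is not from the thesis: a small Python evidence record that collects identified artefacts in order of volatility, hashes each at acquisition, re-verifies on every hand-over, and keeps a chain-of-custody log. The volatility ranking, the handler names and the sample artefacts are constructed assumptions, not values from the thesis.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed order of volatility, most volatile first (constructed for this example;
# an organisation's own procedure would define the ranking).
VOLATILITY_ORDER = ("memory", "network_state", "process_list", "temp_files", "disk_image")


@dataclass
class EvidenceItem:
    item_id: str
    source: str          # system or location where the item was identified
    kind: str            # one of VOLATILITY_ORDER
    data: bytes          # the acquired content (constructed bytes in the demo)
    sha256: str = ""     # integrity hash taken at acquisition
    custody: list = field(default_factory=list)   # chain-of-custody entries


def log_custody(item: EvidenceItem, handler: str, action: str) -> None:
    """Append a chain-of-custody entry (when, who, what) to the item."""
    item.custody.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": handler,
        "action": action,
    })


def acquire(item: EvidenceItem, handler: str) -> EvidenceItem:
    """Acquisition with integrity: hash the content at the moment it is taken."""
    item.sha256 = hashlib.sha256(item.data).hexdigest()
    log_custody(item, handler, f"acquired; sha256={item.sha256}")
    return item


def collect_in_volatility_order(identified: list, handler: str) -> list:
    """Live collection: acquire identified items most volatile first.

    Items with an unknown kind are rejected rather than silently placed last,
    because an unranked artefact would otherwise be collected out of order.
    """
    rank = {kind: i for i, kind in enumerate(VOLATILITY_ORDER)}
    unknown = [it.kind for it in identified if it.kind not in rank]
    if unknown:
        raise ValueError(f"no volatility rank for: {unknown}")
    ordered = sorted(identified, key=lambda it: rank[it.kind])
    return [acquire(it, handler) for it in ordered]


def authenticate(item: EvidenceItem, handler: str) -> bool:
    """Authentication: re-hash the content and compare with the acquisition hash."""
    ok = hashlib.sha256(item.data).hexdigest() == item.sha256
    log_custody(item, handler, "verified" if ok else "INTEGRITY FAILURE")
    return ok


def transfer(item: EvidenceItem, from_handler: str, to_handler: str) -> bool:
    """Transportation or storage hand-over: verify first, then log both sides."""
    if not authenticate(item, from_handler):
        return False
    log_custody(item, from_handler, f"released to {to_handler}")
    log_custody(item, to_handler, f"received from {from_handler}")
    return True


def sample_items() -> list:
    """Constructed artefacts from one host, deliberately listed out of volatility order."""
    return [
        EvidenceItem("E-003", "host-17", "disk_image", b"constructed disk image bytes"),
        EvidenceItem("E-001", "host-17", "memory", b"constructed memory dump bytes"),
        EvidenceItem("E-002", "host-17", "process_list", b"constructed process list"),
    ]


def run_demo() -> list:
    """Collect, hand over to the laboratory, then tamper with one item in storage."""
    items = collect_in_volatility_order(sample_items(), handler="first-responder-A")
    for it in items:
        transfer(it, "first-responder-A", "lab-custodian-B")
    items[2].data = b"altered in storage"   # simulated tampering; must be detected
    return items


if __name__ == "__main__":
    for it in run_demo():
        print(it.item_id, it.kind, "intact" if authenticate(it, "investigator-C") else "TAMPERED")
        for entry in it.custody:
            print("   ", entry["when"], entry["who"], entry["action"])
```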

8.4.4.1.3 Physical evidence handling procedures (par. 7.4.2)

Physical evidence handling procedures, for example, identification, collection (search and collect), documentation, storage, and transportation procedures.

8.4.4.1.4 Post-investigation case documentation and evidence management and handling procedures (par. 7.4.6.2)

The procedures should consider the disposal, return and archiving of all evidence. Include the presentation, storage, and transportation of the case file and evidence. Consider the legal aspects of evidence retention.

8.4.4.2 Table 8.1 PP5, PP6, PP9, PP10: Group 2: Incident-management procedures (par. 7.3.1.7.1)

Organisations must have detailed DFI protocols for ActDF and ReDF (par. 7.4), which must adhere to accepted investigation best practices with documentation and reporting specifications. The detailed protocols of the ReDF and ActDF have been discussed in Chapter 7. The protocols will be supported by procedures and guidelines. We have identified the following process deliverables in Chapter 8:


8.4.4.2.1 ReDF processes or procedures

We have proposed a ReDF investigation protocol with phases and steps in par. 7.4. Typical ReDF processes and procedures that would support the ReDF investigation protocol are:

Incident detection and confirmation procedures (from contingency planning, the IRP) (par. 7.4.1). This procedure or set of procedures should include incident detection, activation of the ActDF component to acquire live evidence, notification of the incident, incident validation and confirmation, internal and external authorisation, containment, acceleration of an investigation, and notification of the investigation procedure.

Physical investigation procedure with supporting procedures. Typical procedures include securing the physical crime scene, and acquisition and analysis of physical evidence.

Digital investigation procedure with supporting procedures. Include digital crime scene preservation, evidence acquisition, analysis procedures and the service restoration procedure.

Incident reconstruction procedure.

Presentation procedure.

Appeal procedure.

Incident closure procedure.

8.4.4.2.2 ActDF processes or procedures

We have proposed an ActDF investigation protocol with phases and related steps in par. 7.5. Typical deliverables that will support the protocol are:

Incident detection and confirmation procedure (from ReDF phase 3 or the trigger event during phase 1)

Securing the live investigation crime scene and containment procedure

ActDF investigation procedures

Inclusion of live evidence acquisition and analysis procedures

Limited incident reconstruction procedure

Termination of the ActDF investigation procedure.

8.4.4.3 Table 8.1 PP7: Group 3: Augment the risk management and contingency procedures

It is essential that the current contingency procedures, for example, those of risk management and Info Sec, are augmented and changed to deal with the forensic evidence and procedural requirements of the organisation. Typical procedures or guidelines to consider are:


8.4.4.3.1 Business impact analysis procedures, which should change the threat profile to a risk profile as suggested in par. 7.3.1.3.1

8.4.4.3.2 IR procedures (pars. 7.4.1, 7.5.1); the ActDF and ReDF incident detection and confirmation procedures should be the same as these procedures

8.4.4.3.3 Disaster recovery procedures (pars. 7.3.1.7.3; 7.4.3.4)

8.4.4.3.4 Business continuity procedure (pars. 7.3.1.7.3; 7.4.3.4)

8.4.4.3.5 Include a procedure to evaluate new technologies to determine their risk factor in terms of forensic investigations (par. 7.3.2.2.3) during the risk assessment of risk management.

8.4.4.4 Table 8.1 PP8: Group 4: DF Management procedures

8.4.4.4.1 General DF management procedures (par. 7.3.2)

The general management policies should be supported by procedures and guidelines, for example:

when and how to outsource DF functions

whistle-blowing procedure to report violations

apply DF tools to safeguard the organisation’s assets

calculate the cost of an investigation, ensuring that the cost is in proportion to the investigation.

8.4.4.4.2 The management of the use of DF for non-forensic purpose procedures (par. 7.3.2.2) are:

Procedure and guidelines to enable DF in systems and processes. Include other areas of the organisation by including DF process and evidence requirements in the formulation of business processes. Adapt the SOP of relevant business processes for quality audits, compliance reports or, for example, change management, and ensure the existence of a procedure to measure or assess the effectiveness and efficiency of controls within frameworks.

Procedure for the use of DF tools and technologies for non-investigative purposes. Include, for example, procedures that guide the use of DF tools for data recovery, password recovery, and disk wiping.

Procedure to apply DF tools and techniques to safeguard the company’s assets

Procedure to apply DF to acquire evidence for continuous audits, quality assurance, and compliance testing


Procedure to apply DF tools and techniques to acquire evidence to assess the effectiveness and efficiency of operations and controls of the governance frameworks (pars. 7.3.2.2; 7.3.2.2.3).

8.4.4.5 Table 8.1 PP1: Group 5: Infrastructure procedures

DF tools and technologies can be very dangerous if used by the wrong people for the wrong purposes; it is therefore essential to formulate procedures and guidelines for their use (pars. 7.3.2.2.1; 7.3.1.1).

The organisation should have a DF laboratory if it has an internal DF team. Clear procedures must be in place to regulate access to the laboratory and actions in it, as well as the backup and recovery of the evidence and related tools in the laboratory.

The evidence produced by DF tools and techniques must be acceptable in a court of law. It is therefore essential to ensure, when acquiring DF tools, that the courts and the judicial system recognise the tool as a forensically sound tool. A well-defined guideline should exist for acquiring DF tools and techniques. Investigators must ensure that they use ActDF tools and technologies that are acceptable in courts. The physical investigation will require specific items, for example, evidence bags, cameras, and registers.

8.4.4.5.1 Operational infrastructure procedures (par. 7.3.1.1.1)

Management must ensure that procedures exist to configure:

the networks and operational infrastructure (hardware and software)

a systematic targeted monitoring or evidence collection capability

the IDS (set criteria, for example, the trigger event)

Define clear procedures to prevent anti-forensic activities and anonymous activities.

The infrastructure development procedures should be augmented to include DF requirements when designing new systems, to ensure DF-friendly infrastructure (par. 7.3.1.1.1).

8.4.4.5.2 DF investigation laboratory procedure (par. 7.3.1.1.2)

The physical laboratory procedure should include:

procedures to set up and manage the physical investigation infrastructure (DFI laboratory)

access control procedure for the DFI laboratory and strong room


the use of the DFI laboratory procedure

a well-defined backup and recovery procedure for the DFI laboratory. The backup procedure should include evidence (data and metadata), tools and case evidence

a procedure for DF tool acquisition, availability, version control, and maintenance.

Figure 8-9 (below) is a graphic representation of the first two levels of the process deliverables.

[Figure 8-9 (graphic not reproduced): Evidence management and handling procedures (Par. 8.4.4.1): Evidence management; Digital evidence; Physical evidence; Post incident evidence. Incident management procedures (Par. 8.4.4.2): Incident handling; Investigation procedures. Risk management and contingency procedures (Par. 8.4.4.3): BIA; IRP; DRP; BCP; New technologies. DF Management procedures (Par. 8.4.4.4): General management; Use of DF for non-DFI purposes. Infrastructure procedures (Par. 8.4.4.5): Operational infrastructure; DFI infrastructure]

Figure 8-9 Graphical representation of the first two levels of the process deliverables (by author)

The process dimension is a subset of the policy dimension. We have added the process deliverables to the current version of DFMF in Figure 8-10 (below):

Figure 8-10 Addition of the process deliverables as step 4 of the construction of our DFMF (by author)

[Figure 8-10 (graphic not reproduced): LEGAL AND JUDICIAL (Evidence; Process; Infrastructure; Other) > GOVERNANCE (DF strategy; Infrastructure; Risk management/Contingency strategy; Management of DF capability; Evidence management plan; DF Education, training and awareness strategy) > POLICY (General DF Policy; Evidence management and handling policies; Risk management / Contingency policies; Management policies; Infrastructure policies; Incident management policies; Education, training and awareness policy) > PROCESS (Evidence handling procedures; Incident management procedures; Infrastructure procedures; Management procedures; Risk management / Contingency procedures) > DFMF]


The fifth step will be to consolidate the people deliverables.

8.4.5 People dimension

People are the most uncertain and risky category, and it is very difficult to manage them in an organisation. Effective training and awareness programmes can influence the behaviour of employees. Everybody in the organisation must be aware of the role and application of DF in it, but it is essential to note that not all the employees will need the same training. One of the governance deliverables is a DF education, training and awareness strategy (par. 7.3.1.6). We have identified three groups of people deliverables:

8.4.5.1 Table 8.1 P1: Group 1: DF education and training programmes (par. 7.3.1.5.1)

Organisations must curriculate education, training and awareness programmes. It will be necessary to develop different education, training and awareness programmes to address the different roles in the organisation. Typical education and training programmes include those for first responders, general users, management, investigators, and the preparation of expert witnesses.

It is essential to accredit internal training programmes with a qualification authority, for example SAQA, or another certification authority, e.g. EnCase® certified investigator. This will ensure that training is at an acceptable level for the DF community and the courts. Courts will more readily accept evidence acquired by a competent (certified) investigator, as it will be assumed that the person possesses the skills to perform the investigation properly. Employees can be certified at certain levels to ensure the successful prosecution of perpetrators and positive investigation results.

The success of an investigation can be determined by the competence of an expert witness. It is essential to prepare expert witnesses. Figure 8-12 (below) is a graphical representation of the people deliverables. We have given examples of some technical training programmes.

8.4.5.2 Table 8.1 P1: Group 2: DF Awareness programmes (par. 7.3.1.5.2)

The awareness programmes should be integrated in the Info Sec or risk management awareness programmes to alert employees and other stakeholders to the importance of evidence and of following the correct procedures.


8.4.5.3 Table 8.1 P2: Group 3: Code of conduct (par. 7.3.1.5.3)

It is important that the training and awareness strategy embraces the ethical values of the organisation so that it supports the organisation’s ethical culture. Due to the nature of DF tools and technologies, the ethical use of DF is essential for the organisation. Organisations must have a code of conduct for the use of DF tools and techniques in the organisation.

Figure 8-11 (below) is a graphical representation of the first two levels of the people deliverables:

The people dimension is a subset of the policy dimension. We will now add the people deliverables to the current version of DFMF in Figure 8-12 (below):

[Figure 8-11 (graphic not reproduced): DF education and training programmes (Par. 8.4.5.1): General user; Management; First responders; Investigator; Technical education and training; Expert witness. DF awareness programmes (Par. 8.4.5.2). Code of conduct (Par. 8.4.5.3)]

Figure 8-11 Graphical representation of the first two levels of the people deliverables (by author)


[Figure 8-12 (graphic not reproduced; caption below): LEGAL AND JUDICIAL (Evidence; Process; Infrastructure; Other) > GOVERNANCE (DF strategy; Infrastructure; Risk management/Contingency strategy; Management of DF capability; Evidence management plan; DF Education, training and awareness strategy) > POLICY (General DF Policy; Evidence management and handling policies; Risk management / Contingency policies; Management policies; Infrastructure policies; Incident management policies; Education, training and awareness policy) > PROCESS (Evidence handling procedures; Incident management procedures; Infrastructure procedures; Management procedures; Risk management / Contingency procedures) > PEOPLE (Education and training programmes; Awareness programmes; Code of Conduct) > DFMF]

The last step will be to consolidate the technology deliverables.

8.4.6 Technology dimension

The technology dimension will consider all technology requirements for the operational infrastructure and the DFI infrastructure (par. 7.3.1.1).

The acquisition and management of DFI tools and techniques are essential, as not all tools are admissible in a court of law. The investigation must be managed to ensure that systematic documentation exists to provide the chain of evidence and chain of custody required by courts; therefore organisations should invest in case-management software (par. 7.4.7). The investigator will also need presentation software to present the case. We have identified three groups of technology deliverables:

Figure 8-12 Addition of the people deliverables as step 5 of the construction of our DFMF (by author)


8.4.6.1 Table 8.1 T1, T2: Group 1: Operational infrastructure (pars. 7.3.1.1; 7.3.1.1.2)

Install an IDS

Establish a capability to systematically gather evidence

Establish a capability to monitor activities.

8.4.6.2 Table 8.1 T1, T2: Group 2: Physical DF investigation (DFI) infrastructure (par. 7.3.1.1)

8.4.6.2.1 Hardware

It is essential to ensure the availability of DFI-specific infrastructure, for example, an isolated network, forensic servers, and short- and long-term servers

DFI hardware tools and technologies, for example, disk duplicators and write blockers

General equipment, for example, digital cameras, jump bags, networking gear, and a backup facility.

8.4.6.2.2 Software

Static ReDF investigation toolkits, for example EnCase® or Forensic Toolkit®

Live evidence ActDF investigation toolkits, for example EnCase® Enterprise

Legacy or older versions of toolkits (by author)

Case management software (by author)

Presentation software

Backup software.

8.4.6.2.3 Miscellaneous items

The facility will also need general items required for investigations, for example, evidence bags, gloves and blank media.

Figure 8-13 (below) is a graphical representation of the first two levels of the technology deliverables or requirements:


[Figure 8-13 (graphic not reproduced): Operational infrastructure (Par. 8.4.6.1): IDS; Monitoring; Networks; Systematic gathering; Time-synchronize. DFI infrastructure (Par. 8.4.6.2): Hardware; Software; Miscellaneous]

The technology dimension is a subset of the policy dimension. We will add the technology deliverables to the current version of DFMF in Figure 8-14 (below):

Figure 8-13 Graphical representation of the first two levels of the technology deliverables (by author)

Figure 8-14 Addition of the technology deliverables as step 6 of the construction of our DFMF (by author)

[Figure 8-14 (graphic not reproduced): LEGAL AND JUDICIAL (Evidence; Process; Infrastructure; Other) > GOVERNANCE (DF strategy; Infrastructure; Risk management/Contingency strategy; Management of DF capability; Evidence management plan; DF Education, training and awareness strategy) > POLICY (General DF Policy; Evidence management and handling policies; Risk management / Contingency policies; Management policies; Infrastructure policies; Incident management policies; Education, training and awareness policy) > PROCESS (Evidence handling procedures; Incident management procedures; Infrastructure procedures; Management procedures; Risk management / Contingency procedures) > PEOPLE (Education and training programmes; Awareness programmes; Code of Conduct) > TECHNOLOGY (Operational infrastructure; DFI infrastructure) > DFMF]


The next section will provide a high-level view of our DFMF.

8.5 CONSOLIDATED VIEW OF OUR DFMF

We have constructed the DF implementation and management framework, DFMF, step by step in the previous part of the chapter. The current version of our DFMF consists of nested deliverable categories. There are some important relationships between deliverables within the policy and governance dimensions. The general DF policy will provide the strategic directives for all the supporting policies in the organisation. The DF strategy will provide guidance for the application of DF in the organisation and will be supported by the management of the DF capability, the evidence management plan and the DF education, training and awareness strategy (Figure 8-5). We have reorganised some of the deliverable groups to propose our DFMF in Figure 8-15 (below):

Figure 8-15 High level graphical view of our DFMF (by author)

[Figure 8-15 (graphic not reproduced): LEGAL AND JUDICIAL (Evidence; Process; Infrastructure; Other) > GOVERNANCE (DF strategy; Infrastructure; Risk management/Contingency strategy) > POLICY (General DF Policy; Evidence management and handling policies; Risk management / Contingency policies; Management policies; Infrastructure policies; Incident management policies; Education, training and awareness policy) > PROCESS (Evidence management and handling procedures; Incident management procedures; Infrastructure procedures; Management procedures; Risk management / Contingency procedures) > PEOPLE (Education and training programmes; Awareness programmes; Code of Conduct) > TECHNOLOGY (Operational infrastructure; DFI infrastructure); governance-level supports: Management of DF capability; Evidence management plan; DF Education, training and awareness strategy > DFMF]


Management can use the framework to implement a CDF capability. The implementation of the CDF

capability using the DFMF can be done by starting from the outer legal and judicial dimension, then

working systematically towards the inner dimensions. The framework encapsulates the relationship

between the deliverables that is essential for the successful implementation of the CDF.

8.6 SUMMARY

We have used the to-do list actions of Chapter 7 and have categorised the actions by using the

dimensions of DF as categories (legal and judicial, governance, policy, process, people and

technology). The dimensions of DF are related and we have used the relationship between the DF

dimensions to construct our concept DFMF. The legal and judicial dimension provides the

background to the governance dimension. The policy dimension is a subset of the governance

deliverables. The policy dimension encapsulates the process, people and technology dimensions.

The chapter has proposed a holistic DF management framework (DFMF) to implement and manage our CDF capability in an organisation. The framework is comprehensive as it contains all three components of our CDF capability (Chapter 7) by covering the to-do lists of all the components (Table 7.2). The framework is holistic in that it provides management with a high-level concept guide when considering the implementation of the CDF capability in an organisation. Although the framework is on a high level, it is possible to drill down into a specific deliverable group. The DFMF will be refined in further research.


PART 3

CONCLUSION

The aim of this part of the thesis will be to determine if the problem statement and objectives of the

thesis have been addressed in accord with sub-objective 5 (par. 1.5.5).

Sub-objective 5: Discuss potential challenges to the implementation of our DFMF and identify

further research opportunities.


Part 3: Conclusion

9-234 | P a g e Chapter 9: Conclusion

9 CHAPTER 9

CONCLUSION

9.1 INTRODUCTION

The prevalence of cybercrime and fraud and demands from corporate governance reports to

demonstrate due diligence with respect to good IT and Info Sec governance create the demand for

‘good’ evidence (CDE) in organisations. The need for evidence is increased by a requirement to prove

legal and regulatory compliance, and to assess the effectiveness of controls so as to improve the

governance frameworks. DF is becoming a survival tool for organisations to acquire evidence;

however, it is essential to prepare the organisation for the application of DF tools and technologies

to ensure that good evidence is available when needed. We have identified some challenges that

organisations face in preparing for DF that will prevent the realisation of the full benefit of its

application.

DF is traditionally a reactive investigation discipline. We have defined DF as the scientific study of all

the processes involved in the recovery, preservation and examination of digital evidence, including

audio, imaging and communication devices (TC-11, 2006) (par. 2.4). The conventional DF frameworks

researched in this thesis (Chapter 3) confirm this view (Barayumureeba & Tushabe, 2004; Carrier &

Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b). Most of the

frameworks recognise the need to become DF-ready, but concentrate on the preparation for

investigations (Chapter 4). Live evidence is becoming increasingly important for investigations and

various acquisition tools exist to acquire it during an investigation. Some of the conventional DF

frameworks refer to its acquisition but do not provide any specific guidelines on the process. Very

few technology-independent live DF investigation frameworks exist (Chapter 6) (Grobler, 2009;

Ieong & Leung, 2007). None of the frameworks discussed in this thesis contains all three components

(preparation, live evidence acquisition and actual reactive investigation); therefore, the first

challenge is to establish a CDF capability.

Other challenges that organisations face arise because they are not prepared for the application of DF tools and technologies. This manifests itself in failed investigations due to a lack of good evidence, or spoiled evidence owing to poorly formulated policies and procedures, or incompetent staff. The infrastructure should be configured to enable the application of DF.

We are therefore convinced that no holistic DF framework exists to manage and implement a

DF capability in an organisation (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Casey,

2004; Forrester & Irwin, 2007; Ieong, 2006; Louwrens et al., 2006b; Nikkel, 2006). The objective of

the thesis has been to develop a holistic, theoretical DF Management Framework (DFMF) to

implement and manage an effective DF capability in an organisation.

The thesis has consisted of three main parts, as represented in Figure 1-3 p. 1-13:

Part 1: Background to DF

Part 2: Construction of the DFMF

Part 3: Conclusion.

We have made our own contribution to the body of knowledge (BOK) for Digital Forensics in the

thesis.

9.2 PART 1

The first part of the thesis provided a background to DF, with definitions and a discussion of its internal and external drivers to identify common reasons for its application in an organisation (par. 2.5.3). Organisations apply DF tools and technologies for investigative and non-investigative purposes; for instance, they investigate cybercrimes to acquire digital evidence, and we have discussed both cybercrime and digital evidence. Not all evidence is good evidence, so it was essential to determine its characteristics. Digital evidence must adhere to legal and judicial criteria if it is to be admissible in a court of law. We have proposed a comprehensive DF (CDF) capability that includes preparation (Proactive DF - ProDF), live evidence (Active DF - ActDF) and reactive investigation (Reactive DF - ReDF) components (par. 2.8), as well as a definition of digital evidence. We coined a term: comprehensive digital evidence (CDE).

DF frameworks can be classified as process- or role-based frameworks (par. 3.1), and in Chapter 3 we identified, discussed, and compared various process DF frameworks, i.e., Carrier and Spafford, O'Ciardhuain, Barayumureeba, Beebe and Clark, Louwrens et al., Casey and Forrester, and a role-based framework (Ieong). Most of the researched DF frameworks consider three areas or components:


Component 1: Preparation to ensure DF readiness

Component 2: Live evidence acquisition

Component 3: Reactive forensic investigation

(Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey,

2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004).

None of the DF frameworks addressed all three components comprehensively. We used the

comparison of the different frameworks and viewpoints to formulate a draft version of our CDF

capability in par. 3.5. Our CDF capability consists of three distinct, but related components, namely

ProDF, ActDF and ReDF. We coined another term: comprehensive DF (CDF) capability.

The ProDF component deals with the preparation of organisations for the application and use of DF tools and technologies. The ReDF and ActDF components concentrate on the actual investigation of incidents: ReDF handles the traditional investigation after an incident has been detected, whereas the ActDF component focuses on the acquisition of live evidence during an incident.

We have used the identified ProDF component of the first draft of our CDF capability (par. 3.5.1) and the DF readiness views of Rowlingson and Garcia to identify goals and elements for DF readiness (par. 4.4.2.3). We have compared DF readiness as proposed in Chapter 4 with the common list of reasons why organisations should prepare themselves for the application of DF (par. 2.5.3). The comparison clearly demonstrated that DF readiness is a subset of ProDF (par. 4.4; Table 4.3). We have formulated a ProDF component by confirming the definition of ProDF and identifying goals (par. 4.5), sub-goals and related elements for the component. This component will enable organisations to become DF-ready, and to implement and manage DF to improve governance programmes in the organisation. ProDF is a new concept that we have added to the BOK for DF, as it refers to more than DF readiness.

We have consolidated the ReDF component in Chapter 5, confirmed the definition for ReDF,

identified goals, and provided a comprehensive ReDF investigation protocol. Our protocol has six

phases with related sub-phases and/or steps (par. 5.5).

To formulate a comprehensive ActDF component, we have identified, discussed and compared different live investigation frameworks (Payer, Ren, Foster, Grobler & Ieong) and the ActDF component (as identified in Chapter 3, par. 3.5.1) to define ActDF, identify goals for ActDF and formulate our ActDF protocol with four phases and related sub-phases and/or steps to acquire live evidence during an ongoing incident (par. 6.7). There is a need for an ActDF protocol (par. 1.3.3).

Contribution to BOK:

Digital evidence is any data stored or transmitted using a digital device that tends to establish or disprove a fact (Chawki, 2004). The data stored or transmitted should be reliable information that supports or refutes a hypothesis and can establish that a crime has been committed (Casey, 2004), or can provide a link between a crime and its perpetrator (Casey, 2004) (par. 2.7.1).

Comprehensive Digital Evidence (CDE) is digital evidence that will have evidentiary weight in

a court of law and that contains all the evidence necessary (relevant and sufficient) to

establish or disprove a fact (par. 2.7.2).

A Comprehensive DF (CDF) capability includes a preparation (Proactive DF - ProDF), live

evidence acquisition (Active DF - ActDF) and reactive investigation (Reactive DF - ReDF)

component (par. 2.8).

The second part of the thesis began in Chapter 7, in which we proposed the CDF capability.

9.3 PART 2

This part of the thesis used the results of Chapters 3, 4, 5, and 6 of Part 1 as a starting point to

formulate our CDF capability in Chapter 7. The CDF capability is our main contribution to the BOK for

DF. Chapter 7 formulated our CDF capability by considering the ProDF, ReDF and ActDF components

individually and discussed the relationship between the components.

9.3.1 ProDF component

The ProDF component as proposed in this thesis has not been defined in the literature. We consider the preparation of the organisation for the application of DF for investigative and non-investigative purposes. We have formulated our ProDF component by defining ProDF and formulating goals, sub-goals and related elements.

We are convinced that the successful implementation of the ProDF component will enable

organisations to realise the full potential of the implementation of DF tools in the organisation.


Contribution to BOK:

9.3.1.1 General ProDF

ProDF definition (par. 7.3)

The ProDF component with its goals, related sub-goals and elements (Figure 7-3).

Figure 9-1 ProDF component (also Figure 7-3)

[Figure: ProDF with its two goals and their sub-goals]
ProDF goal 1: Become DF-ready
  Sub-goal 1: Prepared infrastructure
  Sub-goal 2: Maximise CDE availability
  Sub-goal 3: Prepare responsible, competent employees
  Sub-goal 4: Ensure a cost-effective investigation
ProDF goal 2: Implement and manage DF to improve governance programmes
  Sub-goal 1: Establish a DF management capability
  Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of organisational objectives

9.3.1.2 ProDF goal 1: Become DF-ready

The prepared infrastructure includes operational and investigation infrastructure (par.

7.3.1.1).

The operational infrastructure preparation includes the formulation of DF-sound SOPs, configuration of the infrastructure to enable the productive application of DF, and the inclusion of DF requirements in the development of new systems and applications. The digital forensic infrastructure should include the laboratory, admissible tools and technologies, software and hardware. A backup policy and procedure for the DFI laboratory is essential.

To maximise the CDE availability and to ensure the proactive identification of evidence

for specific risks or scenarios (par. 7.3.1.3) we have proposed an Evidence Management

Plan (EMP).

We proposed the construction of a risk profile that will expand the typical attack profile

by adding evidence elements and a rating for the completeness of the evidence set for

the specific risk or scenario (par. 7.3.1.3.3). We have organised the identified evidence

into an evidence index (par. 7.3.1.3.2). The EMP recommends the formulation of all

evidence-related policies and procedures and includes the legal, regulatory, judicial and

technical requirements of the identified evidence (par. 7.3.1.3.4).
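To make the risk-profile and evidence-index idea concrete, here is an added example (not code from the thesis) that models a risk profile as an attack profile extended with evidence elements, rates the completeness of the evidence set, and builds the evidence index over several scenarios. The rating formula (the share of required elements that are collected, retained for the required period and integrity-protected) and the sample scenarios are assumptions of this example, not the thesis's own algorithm.

```python
"""Illustrative Evidence Management Plan (EMP) risk profile and evidence index.

Added example, not code from the thesis. The completeness metric below is an
assumption chosen for illustration; the thesis leaves the rating algorithm
for further research.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class EvidenceElement:
    """One evidence element of a risk profile with its readiness attributes."""
    name: str
    source: str                  # system or team that produces the evidence
    required: bool               # needed to establish or disprove the fact
    available: bool              # actually collected today
    retention_days: int          # how long it is currently kept
    needed_days: int             # retention demanded by legal/regulatory rules
    integrity_protected: bool    # hashed, signed or write-once (admissibility)

    def gaps(self) -> list[str]:
        """Reasons why this element does not yet count as comprehensive evidence."""
        found: list[str] = []
        if not self.available:
            found.append("not collected")
            return found
        if self.retention_days < self.needed_days:
            found.append(f"retention {self.retention_days}d < required {self.needed_days}d")
        if not self.integrity_protected:
            found.append("no integrity protection")
        return found

    def is_complete(self) -> bool:
        return not self.gaps()


@dataclass
class RiskProfile:
    """Attack profile extended with the evidence needed to investigate it."""
    scenario: str
    attack_steps: list[str]
    evidence: list[EvidenceElement] = field(default_factory=list)

    def completeness_rating(self) -> float:
        """Assumed metric: fraction of required evidence elements that are complete."""
        required = [e for e in self.evidence if e.required]
        if not required:
            return 1.0
        return sum(e.is_complete() for e in required) / len(required)

    def gap_report(self) -> dict[str, list[str]]:
        """Required elements that still have gaps, with the reasons."""
        return {e.name: e.gaps() for e in self.evidence if e.required and e.gaps()}


def build_evidence_index(profiles: list[RiskProfile]) -> dict[str, list[str]]:
    """Evidence index: map each evidence source to the scenarios that rely on it."""
    index: dict[str, list[str]] = {}
    for profile in profiles:
        for element in profile.evidence:
            scenarios = index.setdefault(element.source, [])
            if profile.scenario not in scenarios:
                scenarios.append(profile.scenario)
    return index


# Constructed sample scenarios (hypothetical, not from the thesis)
EXFIL = RiskProfile(
    scenario="insider exfiltration of customer records",
    attack_steps=["authenticate to CRM", "bulk export", "upload via web mail"],
    evidence=[
        EvidenceElement("CRM application audit trail", "crm-app", True, False, 0, 365, False),
        EvidenceElement("web server access log", "web-01", True, True, 90, 180, False),
        EvidenceElement("proxy log", "proxy-01", True, True, 365, 180, True),
        EvidenceElement("badge access records", "physec", True, True, 730, 180, True),
        EvidenceElement("CCTV footage", "physec", False, True, 30, 30, True),
    ],
)

DEFACE = RiskProfile(
    scenario="web site defacement",
    attack_steps=["exploit CMS", "modify pages"],
    evidence=[
        EvidenceElement("web server access log", "web-01", True, True, 90, 180, False),
        EvidenceElement("CMS change history", "cms", True, True, 365, 180, True),
    ],
)

if __name__ == "__main__":
    for profile in (EXFIL, DEFACE):
        print(f"{profile.scenario}: completeness {profile.completeness_rating():.2f}")
        for name, reasons in profile.gap_report().items():
            print(f"  {name}: {', '.join(reasons)}")
    print(build_evidence_index([EXFIL, DEFACE]))
```

The index shows that one shared source (the web server log) serves two scenarios, so closing its retention and integrity gaps raises the rating of both.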


The EMP is a completely new concept as it enables an organisation to determine the

comprehensiveness and availability of the evidential status of known risks or scenarios.

To prepare responsible and competent employees, we have proposed the formulation

of a DF education, training and awareness strategy with supporting accredited

programmes.

We highlight the importance of accrediting training programmes and the certification of

employees to improve the credibility of the investigator and evidence. We recommend

the formulation of a code of conduct for the application and use of DF tools and

technologies (par. 7.3.1.5).

To ensure a cost-effective investigation we recommended well-defined acceptable

investigation protocols, and the balancing of the cost of an investigation and the cost of

the incident.

DF requirements must be incorporated in the risk management and contingency

strategies, plans and policies of the organisation (par. 7.3.1.7).

9.3.1.3 ProDF goal 2: Implement and manage DF to improve governance programmes

This goal is a unique contribution to the BOK for DF (par. 7.3.2).

ProDF goal 2 considers the application of DF tools and technologies for non-investigative

purposes. A successful implementation and management approach will be to:

formulate a DF strategy

establish a DF management capability by providing clear guidelines on how to include DF

in the organisational structures

specify how to include DF requirements in the contingency and risk management

strategy, plans, policies and procedures of the organisation, to ensure the admissibility

and availability of evidence, should an investigation be required

provide clear guidelines for the use of DF tools and techniques to provide reasonable

assurance for the achievement of organisational objectives – we focus on the application

of DF for non-investigation purposes.

9.3.2 ReDF component

The ReDF component is well defined and researched in the literature. We have identified process- and role-based DF frameworks. We have formulated our ReDF component by defining ReDF and formulating goals and a ReDF protocol with six phases and related sub-phases and/or steps. Our ReDF protocol is a process framework in which the result of a phase serves as input to the next phase; however, it is possible to revert to a previous phase if required.

We are convinced that our ReDF protocol is more comprehensive than the DF frameworks

reviewed in Chapter 3, as we have included all possible activities from the various frameworks as

well as unique steps in our protocol.

Contribution to BOK:

ReDF definition and goals (par. 7.4).

We proposed the following ReDF protocol (Figure 9-2 – below) with six phases and related

steps:

Phase 1: Incident response and confirmation is part of the incident response plan of the organisation

and organisations should augment their plans to include the specified DF activities, policies and

procedures.

The protocol clearly indicates the activation of the ActDF component to acquire live evidence.

Include an appeal procedure in phase 5 (par. 7.4.5.3, p. 7-189).

Figure 9-2 ReDF protocol (also Figure 7-5)

[Figure: the six ReDF phases in sequence]
Phase 1: Incident response and confirmation
Phase 2: Physical investigation
Phase 3: Digital investigation
Phase 4: Incident reconstruction
Phase 5: Presentation of findings
Phase 6: Incident closure
Sub-phases shown in the figure: Sub-phase 1: Securing the evidence; Sub-phase 2: Evidence acquisition; Sub-phase 3: Analysis; Sub-phase 4: Service restoration. The figure also shows the activation of the ActDF component.

9.3.3 ActDF component

We have identified the need for a technology-independent ActDF framework in par. 6.3. We have used the format of our ReDF protocol to propose the ActDF protocol. We have formulated our ActDF component by defining ActDF and formulating goals and an ActDF protocol with four phases and related sub-phases and/or steps (par. 6.7). Phase 1 of the ReDF and ActDF protocols is a shared phase. The ActDF protocol will be activated if live evidence is required.

a shared phase. The ActDF protocol will be activated if live evidence is required.

Contribution to BOK:

ActDF definition and goals

A unique ActDF protocol with four phases and related steps (Figure 9-3, below):

The ActDF protocol is activated by specific pre-determined incidents or by the ReDF protocol

if live evidence is required.

Phase 4 is unique as the Incident closure phase is the consolidation of the live evidence

acquired and control is passed to the ReDF component to continue with the investigation.

Figure 9-3 ActDF protocol (also Figure 7-12)

[Figure: the ActDF protocol beside the ReDF protocol]
ActDF: Phase 1: Incident response and confirmation; Phase 2: ActDF digital investigation (Sub-phase 1: Evidence acquisition; Sub-phase 2: Analysis); Phase 3: Incident reconstruction; Phase 4: Incident closure
ReDF: Phase 2: Physical investigation; Phase 3: Digital investigation; Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure
Please note: Phase 1: Incident response and confirmation is a common phase between ReDF and ActDF.

9.3.4 Construction of our DFMF

To implement the CDF capability in an organisation, it will be necessary to determine exactly what to do. To assist organisations with the formulation of strategies, plans, policies and procedures, the preparation of the operational and investigation infrastructure and a competent HR capacity, we have identified typical to-do activities after each component of the CDF capability in Chapter 7. None of the researched DF frameworks provides this level of guidance or detail to assist with the implementation or management of DF in an organisation.

In Chapter 8, we categorised the consolidated to-do list from Chapter 7, using the dimensions of DF

(legal and judicial, governance, policy, process, people and technology). We used the relationship

between the dimensions of DF to propose a concept DF implementation and management

framework (DFMF). There is no DF framework available in the literature that provides the level of

detail of precisely what to formulate to establish and manage a CDF capability in an organisation.

Our CDF capability and associated DFMF provide organisations with a complete guide to prepare themselves successfully and to manage and apply DF for investigative and non-investigative purposes. The result will be that organisations will be able to apply DF tools and techniques to (par. 2.5.3):

investigate incidents, fraud or employee behaviour

ensure the availability of good, admissible digital evidence

assess effectiveness and efficiency of controls or procedures

measure legal or regulatory compliance

use DF tools for non-investigative purposes to improve IT and Info Sec governance structures

and performance.

Contribution to BOK:

A concept DFMF that provides a structured approach to implementing and managing our

CDF capability.

Detailed deliverable lists in terms of legal and judicial, governance, policy, procedure, people

and technology perspectives.

The DFMF encapsulates the relationship between the deliverables.

9.4 POTENTIAL CHALLENGES TO THE APPLICATION OF OUR CDF CAPABILITY AND

DFMF

Our CDF capability and DFMF are theoretical frameworks and have not been tested in a real-life environment. To evaluate the CDF capability and DFMF we use Casey’s criteria for a DF framework in Table 9.1 (below):


Table 9.1 Evaluation of our CDF capability and DFMF (by author)

Requirement (Casey, 2004): Accepted - determine if professional steps and methods from the literature have been used for the formulation of the framework.
Evaluation: We have applied steps and methods from the literature to formulate the CDF capability and the DFMF.
Result: Meets requirement

Requirement (Casey, 2004): Reliable - determine if the framework recommends the use of proven methods.
Evaluation: The DFMF recommends the use of proven methods, admissible tools and competent investigators.
Result: Meets requirement

Requirement (Casey, 2004): Repeatable - determine if the process can be repeated to provide the same result.
Evaluation: Any process is repeatable, as the framework will prescribe the same deliverable for a specific need.
Result: Meets requirement

Requirement (Casey, 2004): Ensure integrity - provide evidence that can be trusted.
Evaluation: All evidence requirements have top priority in the CDF capability and the DFMF. The EMP will ensure the availability and integrity of all digital evidence.
Result: Meets requirement

Requirement (Casey, 2004): Can determine cause and effect - determine if there is a logical connection between the suspected individual, events and evidence.
Evaluation: Goal 1 of the ReDF component is to investigate an incident successfully. To achieve this goal it is essential to acquire the relevant CDE to determine the root cause of the incident, link the perpetrator to the incident, and present the case successfully.
Result: Meets requirement

Requirement (Casey, 2004): Ensure that documentation exists - including the recording of all testamentary evidence.
Evaluation: The CDF capability explicitly includes the documentation for all phases of the investigation protocols.
Result: Meets requirement

9.5 FUTURE RESEARCH OPPORTUNITIES

We have identified the following future research opportunities:

Use our CDF capability and determine the DF readiness of organisations in South Africa.

Determine how well organisations are prepared for DF (evaluate the ProDF component).

Expand on the evidence management plan to assess the comprehensiveness of an evidence

set to incorporate more attributes in the algorithm.

Determine the relationship between e-discovery and the application of DF tools and

technologies.

Incorporate measurable attributes into the deliverables to enable management of our CDF capability.

Refine and conduct further research on the DFMF to provide a comprehensive framework

for implementation and management of our CDF capability.

Develop a user-friendly application for DFMF (dashboard) that management can use.


9.6 ACHIEVEMENT OF THE OBJECTIVE OF THESIS

In this thesis, we have developed a holistic, theoretical DF Management Framework (DFMF) to

implement and manage an effective CDF capability in an organisation and have therefore achieved

the objective (par. 1.5). Table 9.2 (below) provides a summary with references to the chapters of the

achievement of the sub-objectives as stated in Chapter 1.

Table 9.2 Summary of the achievement of the sub-objectives of the thesis

Sub-objective: Provide background to DF (par. 1.5.1)
  Define DF
  Discuss driving factors for DF
  Discuss cybercrime and digital evidence
  Propose our Comprehensive DF (CDF) capability
Chapter: Chapter 2
Status of the sub-objective: Fully addressed

Sub-objective: Provide background to our CDF capability (par. 1.5.2)
  Identify, discuss and compare various DF frameworks
  Use the comparison of the DF frameworks and views of DF readiness to propose the formulation of a preparation (proactive) DF component (ProDF) with goals and steps
  Use the comparison of the DF frameworks to propose the formulation of a post-incident investigation (reactive) DF component (ReDF) with goals and steps
  Use the comparison and investigate live and real-time investigation practices and frameworks to formulate a live (active) DF component (ActDF) with DF goals and steps
Chapter: Chapters 3, 4, 5, 6
Status of the sub-objective: Fully addressed

Sub-objective: Formulate our CDF capability (par. 1.5.3)
  Expand on the identified phases and steps for each component to formulate our CDF capability and identify to-do lists for the CDF capability
  Discuss the relationship between the defined components of our CDF capability
  Consolidate the to-do lists to assist management to implement the CDF capability
Chapter: Chapter 7
Status of the sub-objective: Fully addressed

Sub-objective: Construct our holistic, theoretical implementation and management DF framework (DFMF) (par. 1.5.4)
  Use the consolidated to-do list as a basis for the formulation of the DFMF
  Identify deliverables to implement and manage for each component of our CDF capability. The deliverables will be used to formulate the DFMF
  Use the dimensions of DF to categorise the identified deliverables
  Use the relationship between the dimensions of DF to construct the holistic, comprehensive DF implementation and management framework (DFMF)
  Ensure that our DFMF is easy to use as it should be able to provide management with a high-level overview of ‘what to do, who should do it, how to do it’
Chapter: Chapter 8
Status of the sub-objective: Fully addressed

Sub-objective: Identify challenges to the implementation of our DFMF and further research opportunities (par. 1.5.5)
Chapter: Chapter 9
Status of the sub-objective: Fully addressed

In summary, the thesis has addressed the problem statement that no holistic DF framework exists

to manage and implement a DF capability in an organisation by the proposal of the CDF capability

and the DFMF. We have assessed all the sub-objectives of the thesis and have determined that we

have addressed them all. We have therefore met the objective of the thesis as we have developed a

holistic, theoretical DF Management Framework (DFMF) to implement and manage an effective CDF

capability in an organisation.

We are confident that we have made a substantial contribution to the BOK for DF. If organisations

implement our CDF capability they will be able to realise the full value of DF, as evidence will be

available, processes sound and the evidence acquired can enable organisations to conduct effective

investigations successfully, and demonstrate due diligence with respect to good governance and

improving governance frameworks of the organisation.

DF will become the lifeline (survival tool) for organisations to ensure the availability

of CDE in a competitive world where good governance is a priority and cybercriminals

will exploit all vulnerabilities to launch cyberattacks (by author).


246 | P a g e Bibliography

10 BIBLIOGRAPHY

ADELSTEIN, F. (2006). Live Forensics: Diagnosing your system without killing it first. Communications of the ACM, 49(2) 63-6. (Accessed May 5, 2008).

ALLEN, W. (2005). Computer Forensics. IEEE Security and Privacy, 3(4) 59-62. Available from: http://0-ieeexplore.ieee.org.raulib.rau.ac.za/iel5/8013/32072/01492345.pdf?tp=&arnumber=1492345&isnumber=32072 (Accessed August 6, 2009).

ARTHUR, K., VENTER, H. & OLIVIER, M. (2007). Applying the BIBA integrity model within a forensic evidence management system. In: IFIP International Federation for Information Processing. Advances in Digital Forensics III. Edited by CRAIZER, P. & SHENOI, S.: Springer.

BABU, M. & PARISHAT, M. (2004). What is cybercrime? , Star Of Mysore Online. Available from: http://www.crime-research.org/analytics/702/ (Accessed 1 September 2010).

BARAYUMUREEBA, V. & TUSHABE, F. (2004). The enhanced digital investigation process model. Conference proceedings of the Fourth Annual Digital Forensics Research Workshop held in Baltimore, Maryland. 11- 13 August 2004. Available from: http://www.dfrws.org/2004/bios/day1/Tushabe_EIDIP.pdf (Accessed 5 March 2005).

BEEBE, N. & CLARK, J. (2005). A hierarchical, objectives-based framework for the digital investigations process. Digital Investigation Journal, Elsevier, 2 147-67.

BRADFORD, P., BROWN, M. & PERDUE, J. (2007). Towards Proactive Computer-Systems Forensics. Available from: www.cs.ua.edu/~pgb/papers/proactiveForensics.pdf (Accessed February 2, 2007).

CAMPIA, M. (2012). Security+ Guide to networking security fundamentals. Course Technology. CARRIER, B. (2003a). Defining digital forensic examination and analysis tools using abstraction

layers. International Journal of Digital Evidence, 1(4). CARRIER, B. (2003b). Open Source Digital Forensics Tools, The Legal Argument, @stake Research

Report. Available from: www.digital-evidence.org/papers/opensrc_legal.pdf (Accessed 26 June 2007).

CARRIER, B. (2006). Risks of live Digital Forensic analysis. Communications of the ACM, 49(2) 56 - 61.

CARRIER, B. & SPAFFORD, E. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2).

CARRIER, B. D. & GRAND, J. (2004). A Hardware-Based Memory Acquisition Procedure for Digital Investigations. Digital Investigation Journal, 1(1). Available from: http://www.digital-evidence.org/papers/tribble-preprint.pdf (Accessed 6 April 2006).

CARRIER, B. D. & SPAFFORD, E. H. (2005). Automated digital evidence target definition using outlier analysis and existing evidence. Conference proceedings of the 2005 Digital Forensic Research Workshop (DFRWS) held in New Orleans. Available from: www.dfrws.org/2005/proceedings/carrier_targetdefn.pdf (Accessed 17 April 2006).

CASEY, E. (2004). Digital evidence and computer crime. Elsevier Academic Press.

CASEY, E. (2007). Digital evidence maps - A sign of the times. Digital Investigation, Elsevier, 4 1-2.

CASEY, E. (2011). Digital evidence and computer crime, forensic science, computers and the Internet. Elsevier.

CASEY, E. & STANLEY, A. (2004). Tool review - remote forensic preservation and examination tools. Digital Investigation Journal, Elsevier, 1 284-97.


CERT®_COORDINATION_CENTER. (2004). How the FBI investigates computer crime. Available from: www.cert.org/tech_tips/FBI_investigates_crime.html (Accessed Aug 9, 2009).

CHAWKI, M. (2004). The Digital Evidence in the Information Era Computer Crime Research Center. Available from: http://www.crime-research.org/articles/chawki1/2 (Accessed October 6, 2008).

CLARK, A. (2006). Are you ready for Forensics? Available from: http://www.inforenz.com/press/20060223 (Accessed October 6, 2008).

COMMISSION ON CRIME PREVENTION AND CRIMINAL JUSTICE, T. S. (2001). Conclusions of the Study on effective measures to prevent and control high-technology and computer-related crime. No:E/CN.15/2001/4.

Computer evidence defined [Online]. (2008). Available from: http://www.forensics-intl/def4.html (Accessed July 1, 2011).

FBI, U. D. O. J. (1999). Trace evidence recovery guidelines. Forensic science communications, 1 (3). Available from: http://www.fbi.gov/hq/lab/fsc/backissu/oct1999/trace.htm (Accessed February 5, 2009).

FERGUSON, N. (2006). AES-CBC + Elephant diffuser: A Disk Encryption Algorithm for Windows Vista. Available from: http://pdos.csail.mit.edu/6.858/2011/readings/bitlocker.pdf (Accessed 20 February 2012).

FORRESTER, J. & IRWIN, B. (2007). A Digital Forensic investigative model for business organisations. Conference proceedings of the IFIPSec 2007 held in Sandton, South Africa. 14-16 May 2007

FOSTER, M. & WILSON, J. (2004). Process Forensics: A pilot study on the use of checkpointing technology in computer forensics. International Journal of Digital Evidence, 3(1).

FRYE, M. (2005). The Coroner's Toolkit. Linux Magazine, Tuesday, 15 March 2005.

GARCIA, J. (2005). Proactive and Reactive Forensics. Available from: http://rediris.es/cert/doc/reuniones/af05/proactive_n_reactive_forensics.pdf (Accessed 5 September 2005).

GARFINKEL, S. (2010). Digital forensic research: The next 10 years. Digital Investigation, Elsevier, 7 64-78.

GORDON, L., LOEB, M., LUCYSHYN, W. & RICHARDSON, R. (2006). CSI/FBI Computer Crime and Security Survey.

GROBLER, C. & LOUWRENS, C. (2006). Digital Forensics: a multi dimensional discipline. Conference proceedings of the 4th annual Information Security South Africa conference held in Sandton, South Africa. 5 - 7 July 2006.

GROBLER, C. & LOUWRENS, C. (2007). DF readiness a component of Information Security best practise. Conference proceedings of the IFIPSec 2007 held in Sandton, South Africa. 14-16 May 2007. Springer.

GROBLER, C. & LOUWRENS, C. (2009). High-level integrated overview of DF. Conference proceedings of the Information Security of South Africa held in Johannesburg.

GROBLER, C. & LOUWRENS, C. (2010). Evidence Management Plan. Conference proceedings of the Information Security South Africa held in Sandton South Africa. IEEE Express.

GROBLER, C., LOUWRENS, C. & VON_SOLMS, S. (2010a). A framework to guide the implementation of Proactive Digital Forensics in organizations. Conference proceedings of the Workshop for Digital Forensics 2010 held in Krakow, Poland. IEEE Xplore.

GROBLER, C., LOUWRENS, C. & VON_SOLMS, S. (2010b). A multi-component view of Digital Forensics. Conference proceedings of the Workshop for Digital Forensics held in Krakow, Poland. 15-18 February 2010. IEEE Xplore.

GROBLER, M. (2009). Liforac, a model for live forensic acquisition. PhD Computer Science, University of Johannesburg.

GUIDANCE_SOFTWARE. (2005). EnCase Enterprise detailed product description. Available from: http://www.encaseenterprise.com/support/resources.aspx (Accessed 8/8/2009).


GULDENTOPS, E., HARDY, G., HESCHL, J. & STROUD, R. (2005). Aligning COBIT, ITIL and ISO 17799 for Business Benefit.

HILLEY, S. (2006). The Corporation: the non-policed state. Available from: http://www.infosecurity-magazine.com/features/novdec04/corp_novdec.html.

IEONG, R. (2006). FORZA - Digital forensics investigation framework that incorporate legal issues. Digital Investigation, 3 29-36.

IEONG, R. & LEUNG, H. (2007). Deriving Case-specific Live Forensics Investigation Procedures from FORZA. Conference proceedings of the 2007 ACM Symposium on Applied Computing held in Seoul, Korea. 2007. ACM Press, New York, NY, USA. Available from: http://portal.acm.org/citation.cfm?id=1244049 (Accessed 11 Oct 2007).

INSTITUTE, I. G. (2000). Control Objectives for Information and related Technologies.

ISACA. (2004). IS Auditing guideline Computer forensics Document G28. Available from: http://www.isaca.org/AMTemplate.cfm?Section=Standards,_Guidelines,_Procedures_for_IS_Auditing&Template=/ContentManagement/ContentDisplay.cfm&ContentID=18642.

ISO/IEC17799. (2005).

ITGI. (2000). Control Objectives for Information and related Technologies. Available from: www.isaca.org/cobit (Accessed 20 February 2007).

KING. (2003). King II Report on Corporate Governance. Available from: http://iodsa.co.za/lod%20draft%20king%20report.pdf (Accessed January 2006).

KING. (2009). King III Report on Corporate Governance. Available from: http://www.iodsa.co.za/downloads/documents/King_Code_of_Governance_for_SA_2009.pdf (Accessed 13 October 2009).

KRUSE, W. & HEISER, J. (2004). Computer Forensics, Incident Response Essentials. Addison-Wesley.

LEE, H., PALMBACH, T. & MILLER, M. (ed.). 2001. Henry Lee's crime scene handbook. San Diego: Academic Press.

LEIGLAND, R. & KRINGS, A. (2004). A Formalization of Digital Evidence. International Journal of Digital Evidence, 3(2).

LEMOS, R. (2011). Stuxnet more effective than bombs. InfoWorld Tech Watch, 19 January 2011.

LOUWRENS, C. & VON_SOLMS, S. (2005). Relationship between Digital Forensics, Corporate Governance, Information Technology and Information Security Governance. In: Digital Crime and Forensic Science in Cyberspace. Edited by KANELLIS, P., KIOUNTOUZIS, E., KOLOKOTRONIS, N. & MARTAKOS, D.: National and Kapodistrian University of Athens, Greece.

LOUWRENS, C., VON_SOLMS, S. & KANELLIS, P. (ed.). 2006a. Digital Crime and Forensic Science in Cyberspace: The relationship between Digital Forensics, Corporate Governance, IT Governance and IS Governance. Idea Group Publishing, Hershey.

LOUWRENS, C., VON_SOLMS, S., REECKIE, C. & GROBLER, T. (2006b). A control Framework for Digital Forensics. Conference proceedings of the IFIP 11.9 International Conference on Digital Forensics held in Orlando, Florida. Springer.

NIKKEL, B. (2006). The role of Digital Forensics within a corporate organization. Conference proceedings of the IBSA Conference held in Vienna. May 2006. Available from: http://digitalforensics.ch/nikkel06a.pdf#search=%22digital%20Forensic%20readiness%22 (Accessed November 2007).

NIKKEL, B. J. (2005). Generalizing sources of live network evidence. Digital Investigation Journal, 2(3) 193-200.

NOLAN, R., O'SULLIVAN, C., BRANSON, J. & WAITS, C. (2001). Electronic Crime Scene Investigation: A Guide for first responders. No:NIJ#: 187736. Available from: http://www.ncjrs.org (Accessed June 2007).


O'CIARDHUAIN, S. (2004). An extended model of cybercrime investigations. International journal of Digital Evidence, 3(1).

OREBAUGH, A. (2006). Proactive Forensics. Journal of Digital Forensic Practice, 1 37-41.

PALMER, G. (2001). A Roadmap for Digital Forensics Research. Conference proceedings of the Digital Forensic Research Workshop held in Utica, New York. 7-8 August 2001. Available from: http://www.dfrws.org/2001/dfrws-rm-final.pdf (Accessed 2 February 2006).

PARKINSON, M. & BAKER, N. (2005). IT and Enterprise Governance. Journal of Information Systems Control, 3 17-21.

PATZAKIS, J. (2003). Computer Forensics as an Integral component of the Information Security Enterprise. Available from: http://www.guidancesoftware.com/downloads/ getpdf.aspx?fl=.pdf (Accessed 10 May 2009).

PATZAKIS, J. & LIMONGELLI, V. (2004). Internal computer investigations as a critical control activity under Sarbanes-Oxley. Available from: http://www.guidancesoftware.com/ downloads/getpdf.aspx?fl=.pdf (Accessed 10 May 2009).

PAYER, U. (2004). Realtime intrusion forensics: A first prototype implementation (based on a stack-based NDIS). Conference proceedings of the Terena networking conference held in University of Aegean, Rhodes, Greece. 7-10 June. Terena publishing.

PIETERSE, I. (2006). E-mail risk not managed. ITWeb, 11 July 2006.

REITH, M., CARR, C. & GUNSCH, G. (2002). An examination of Forensic models. International Journal of Digital Evidence, 1(3).

REN, W. & JIN, H. (2005). Honeynet based distributed adaptive network forensics and active real-time investigation. Conference proceedings of the ACM Symposium on Applied Computing held in Santa Fe, New Mexico, USA. 13-17 March 2005.

RICHARDSON, R. (2007). The 12th Annual Computer Crime and Security Survey. Available from: http://www.gocsi.com/forms/csi_survey_thanks.jhtml?_DARGS=/forms/csi_survey.jhtml.2 (Accessed 29 February 2008).

RICHARDSON, R. (2008). The 13th CSI/FBI Computer Crime & Security Survey.

RICHARDSON, R. (2012). 15th Annual 2010/2011 Computer Crime and Security Survey. Available from: www.GoCSI.com (Accessed February 25, 2012).

ROGERS, M. & SIEGFRIED, K. (2004). The future of computer forensics: a needs analysis survey. Computers and Security, 23(1) 12-6.

ROWLINGSON, R. (2004). A ten step process for forensic readiness. International Journal of Digital Evidence, 2(3). Available from: www.ijde.org (Accessed June 2006).

RUDD, C. (ed.). 2004. An Introductory Overview of ITIL® Version 1.0a: ITSMF Ltd.

SAPS. (2011). Crime Situation in South Africa. Available from: http://www.saps.gov.za/statistics/reports/crimestats/2011/crime_stats.htm (Accessed 28 February 2012).

Sarbanes-Oxley Act of 2002. (2002). USA. Available from: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf. (Accessed 10 November 2008).

SHELDON, A. (2004). Forensic Auditing, The role of computer forensics in the corporate toolbox. Available from: http://www.itsecurity.com/papers/p11.htm (Accessed 25/3/2004).

SHIPLEY, T. G. & REEVE, H. R. (2006). Collecting evidence from a running computer: A technical and legal primer for the justice community. Available from: http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf (Accessed Aug 8, 2009).

SINANGIN, D. (2002). Computer forensics investigations in a corporate environment. Computer Fraud and Security Bulletin, 8(June) 11-4.

SOANES, C. & HAWKER, S. (2005). Oxford Dictionary. Oxford University Press. Available from: http://www.askoxford.com/dictionaries/?view=uk.


SOMMER, P. (1999). Intrusion Detection Systems as Evidence. Computer Networks: The International Journal of Computer and Telecommunications Networking, 31(23-24) (December 1999) 2477-87. Available from: http://www.raid-symposium.org/raid98/Prog_RAID98/Full_Papers/Sommer_text.pdf.

SOMMER, P. (2005). Directors and Corporate Advisors' Guide to Digital Investigations and Evidence, Information Assurance Advisory Council. Available from: http://www.iaac.org.uk/Portals/0/Evidence%20of%20Cyber-Crime%20v12-rev.pdf (Accessed June 3, 2007).

SREMACK, J. (2005). Investigating real-time systems forensics. Conference proceedings of the Workshop of the 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks, SecureComm 2005 held in Athens, Greece. 5-9 Sept 2005. IEEE Xplore.

STEPHENSON, P. (2002). End to End Forensics. Computer Fraud and Security Bulletin, 2002(9) 17-9.

STEPHENSON, P. (2003). Conducting incident post mortems. Computer Fraud and Security. Available from: www.emich.edu/cerns/downloads/pstephen/Conducting-Incident-Post-Mortems.pdf (Accessed January 2006).

SWGDE & IOCE (2000). Digital Evidence: Standards and Principles. Forensic Science Communications, April 2000 Volume 2 (2). Available from: http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm (Accessed June 2008).

TC-11, I. (2006). Digital Forensics - Fact sheet. Available from: http://www.tc11.uni-frankfurt.de/WG/Factsheet_WG_11-9.pdf (Accessed February 3, 2007).

TECHNET. (2009). Windows BitLocker Drive Encryption Frequently Asked Questions. Available from: http://technet.microsoft.com/en-us/library/cc766200(WS.10).aspx#BKMK_WhatIsBitLocker (Accessed August 6, 2009).

THOMAS, D. (2005). Organisations need a digital evidence plan. Computing, 21 Sep 2005.

TURNER, D., ENTWISLE, S. & DENESIUK, M. (2007). Symantec Internet Security Threat Report, Trends for July-December 06, Volume XI. Available from: http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xi_keyfindings_03_2007.en-us.pdf (Accessed January 2008).

TURNER, P. (2007). Applying a forensic approach to incident response, network investigation and system administration using Digital Evidence Bags. Digital Investigation, (4) 30-5.

UNESCO. (1997). Definitions, Technology and Learning portfolio. Available from: http://www.unesco.org/education/educprog/lwf/doc/portfolio/definitions.htm (Accessed 8 August 2008).

VON_SOLMS, S. & VON_SOLMS, R. (2009). Information Security Governance. Springer.

WHITMAN, M. & MATTORD, H. (2008). Management of Information Security. Course Technology, Cengage Learning.

WHITMAN, M. E. & MATTORD, H. J. (2009). Principles of Information Security. Thomson Course Technology.

WIKIPEDIA. (2008). Cybercrime. Available from: http://en.wikipedia.org/wiki/Cyber_Crime (Accessed July 19, 2008).

WIKIPEDIA. (2009). BitLocker Drive Encryption. Available from: http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption#Security_concerns (Accessed January 2010).

WIKIPEDIA. (2012a). Expert witness. Available from: http://en.wikipedia.org/wiki/Expert_witness (Accessed 20 February 2012).

WIKIPEDIA. (2012b). Statement on auditing standards. Available from: http://en.wikipedia.org/wiki/SAS_70 (Accessed February 28, 2012).