DFMF
A Digital Forensic Management Framework
Thesis
by
CORNELIA PETRONELLA GROBLER
Submitted in fulfilment of the requirements
for the degree
PHILOSOPHIAE DOCTOR
in
INFORMATICS
in the
Faculty of Science
at
UNIVERSITY OF JOHANNESBURG
Promoter: Prof SH von Solms
Co-promoter: Prof CP Louwrens
November 2011
ACKNOWLEDGEMENTS
Thank you ….
My promoter, Prof Basie von Solms for your guidance and support through all my post-graduate
studies
My co-promoter, Prof Buks Louwrens for your incredible patience, support, guidance, technical
expertise, and enthusiasm during my studies.
Prof Elize Ehlers for your interest, support, and understanding during my illness and studies.
My husband, Vernon and children Werner and Vernandi, for your understanding, support,
motivation and love throughout my studies
My parents for your unconditional support, motivation, and love in my life
My parents in law, sisters and their family for your continuous support
All colleagues and friends for your consistent motivation and interest
Mrs Strydom and van den Bergh at the Faculty of Science, and Tosca at the department for your
help and ensuring that all the administration is in place
Reviewers for your constructive comments to make the thesis more complete
AND to God for granting me the ability and life to complete this thesis.
TABLE OF CONTENTS
ACKNOWLEDGEMENTS 2
TABLE OF CONTENTS I
TABLE OF FIGURES IX
TABLE OF TABLES I
AFFIDAVIT: MASTER’S AND DOCTORAL STUDENTS I
GLOSSARY OF TERMS I
ABBREVIATIONS AND ACRONYMS USED IN THIS THESIS I
1 CHAPTER 1 OVERVIEW OF THESIS 1-1
1.1 Introduction 1-1
1.2 Background 1-2
1.3 Challenges to Digital Forensics 1-4
1.3.1 Challenge 1: Inadequate evidence 1-5
1.3.2 Challenge 2: Continuity strategies do not consider evidence or procedure requirements 1-5
1.3.3 Challenge 3: Need for live investigative frameworks 1-5
1.3.4 Challenge 4: Need for new DF tools and technologies 1-5
1.3.5 Challenge 5: Use of DF tools and technologies for non-investigative purposes 1-6
1.3.6 Challenge 6: Implementation of a DF capability 1-6
1.4 Problem statement 1-8
1.5 Objective of the thesis 1-8
1.5.1 Sub-objective 1: Provide background to DF 1-8
1.5.2 Sub-objective 2: Provide background to our CDF capability 1-9
1.5.3 Sub-objective 3: Formulate our CDF capability 1-9
1.5.4 Sub-objective 4: Construct our holistic, theoretical DF implementation and management framework (DFMF) 1-9
1.5.5 Sub-objective 5: Identify challenges to DFMF and further research 1-9
1.6 Approach to achieving the objectives 1-10
1.6.1 Part 1: Background 1-10
1.6.2 Part 2: Construction of our DFMF to implement our CDF capability 1-11
1.6.3 Part 3: Conclusion 1-13
1.7 The structure and overview of the thesis 1-13
1.8 Part 1: Background 1-14
1.8.1 Chapter 1: Overview of thesis 1-14
1.8.2 Chapter 2: Introduction to DF 1-14
1.8.3 Chapter 3: Conventional approach to DF 1-16
1.8.4 Chapter 4: Proactive DF (ProDF) 1-16
1.8.5 Chapter 5: Reactive DF (ReDF) 1-17
1.8.6 Chapter 6: Active DF (ActDF) 1-17
1.9 Part 2: Construction of our DFMF 1-18
1.9.1 Chapter 7: CDF capability 1-18
1.9.2 Chapter 8: Construction of the holistic CDF management framework (DFMF) 1-19
1.10 Part 3: Conclusion 1-19
1.10.1 Chapter 9: Conclusion 1-20
1.11 Research results from this thesis so far 1-20
1.11.1 Articles presented and published 1-20
1.11.2 Future articles 1-21
1.12 Summary 1-21
PART 1 BACKGROUND 22
2 CHAPTER 2 INTRODUCTION TO DIGITAL FORENSICS 2-23
2.1 Introduction 2-23
2.2 Aim and structure of this Chapter 2-25
2.3 Background 2-25
2.3.1 Case study 2-25
2.4 Digital Forensics 2-31
2.5 Driving factors for the use of DF in organisations 2-33
2.5.1 External factors 2-33
2.5.2 Internal factors 2-35
2.5.3 Common reasons (needs) for the application of DF in organisations 2-37
2.6 Cybercrime 2-37
2.6.1 Definition of cybercrime 2-37
2.6.2 Cybercriminals 2-39
2.6.3 Types of attacks 2-40
2.7 Digital evidence 2-40
2.7.1 Definition of digital evidence 2-41
2.7.2 Characteristics of ‘good’ evidence 2-43
2.8 Comprehensive Digital Forensic capability 2-44
2.8.1 Reactive DF (ReDF) component 2-45
2.8.2 Proactive DF (ProDF) component 2-46
2.8.3 Active DF (ActDF) component 2-48
2.8.4 Potential relationship between the components of a CDF capability 2-48
2.9 Summary 2-49
3 CHAPTER 3 CONVENTIONAL APPROACH TO DIGITAL FORENSICS 3-51
3.1 Introduction 3-51
3.2 Aim and structure of this Chapter 3-52
3.3 Process-oriented frameworks 3-53
3.3.1 FRAMEWORK 1: Ó Ciardhuáin (2004) 3-54
3.3.2 FRAMEWORK 2: Carrier and Spafford (2003) 3-56
3.3.3 FRAMEWORK 3: Baryamureeba and Tushabe (2004) 3-58
3.3.4 FRAMEWORK 4: Beebe and Clark (2005) 3-61
3.3.5 FRAMEWORK 5: Louwrens et al. (2006b) 3-65
3.3.6 FRAMEWORK 6: E Casey (2004) 3-68
3.3.7 FRAMEWORK 7: Forrester and Irwin (2007) 3-70
3.4 Comparison of process–oriented frameworks 3-72
3.5 Draft version of our CDF capability 3-79
3.5.1 ProDF component 3-79
3.5.2 ActDF component 3-81
3.5.3 ReDF component 3-82
3.6 Role based Framework: FORZA (Ieong, 2006) 3-86
3.7 Comparison of role-based and process frameworks 3-89
3.8 Summary 3-89
3.9 Fold-out for Chapter 3 3-91
4 CHAPTER 4 PROACTIVE DIGITAL FORENSICS (PRODF) 4-92
4.1 Introduction 4-92
4.2 Aim and structure of this Chapter 4-94
4.3 Background: Why ProDF? 4-95
4.3.1 ProDF needs 4-97
4.4 Relationship between DF Readiness views and ProDF 4-99
4.4.1 DF Readiness goals 4-100
4.4.2 DF Readiness elements 4-102
4.4.3 DF Readiness versus ProDF 4-106
4.5 Proposed ProDF plan for the ProDF component 4-109
4.5.1 ProDF definition 4-109
4.5.2 ProDF goals 4-109
4.6 Summary 4-114
4.7 Fold-out for Chapter 4 4-115
5 CHAPTER 5 REACTIVE DIGITAL FORENSICS (REDF) 5-116
5.1 Introduction 5-116
5.2 Aim and structure of this Chapter 5-117
5.3 Definition of ReDF 5-117
5.4 Goals of ReDF 5-118
5.5 ReDF protocol 5-118
5.5.1 PHASE 1: Incident response and confirmation phase 5-118
5.5.2 PHASE 2: Physical investigation phase (if relevant) 5-119
5.5.3 PHASE 3: Digital investigation phase 5-120
5.5.4 PHASE 4: Incident reconstruction phase 5-122
5.5.5 PHASE 5: Presentation of findings phase 5-122
5.5.6 PHASE 6: Incident closure phase 5-122
5.6 Evaluation of the six phases of the ReDF component 5-123
5.7 Summary 5-125
6 CHAPTER 6 ACTIVE DIGITAL FORENSICS (ACTDF) 6-126
6.1 Introduction 6-126
6.2 Aim and structure of this Chapter 6-127
6.3 Need for Active or live investigations 6-128
6.4 Incident response (IR), Intrusion detection system (IDS) and live investigations 6-130
6.5 Live investigation tools and techniques 6-133
6.6 Live investigation frameworks 6-136
6.6.1 FRAMEWORK 1: Payer (2004) 6-137
6.6.2 FRAMEWORK 2: Ren and Jin (2005) 6-138
6.6.3 FRAMEWORK 3: Foster and Wilson (2004) 6-140
6.6.4 FRAMEWORK 4: Grobler (2009) 6-141
6.6.5 FRAMEWORK 5: Ieong and Leung (2007) 6-145
6.7 ActDF component of our CDF capability 6-150
6.7.1 ActDF definition 6-151
6.7.2 Goals for ActDF 6-151
6.7.3 ActDF protocol 6-152
6.8 Summary 6-155
6.9 Fold-out for Chapter 6 6-157
PART 2 CONSTRUCTION OF OUR DFMF 6-158
7 CHAPTER 7 COMPREHENSIVE DF CAPABILITY 7-159
7.1 Introduction 7-159
7.2 Aim and structure of this Chapter 7-160
7.3 Proactive DF (ProDF) component 7-161
7.3.1 ProDF Goal 1: Become DF-ready. See on the ProDF fold-out 7-162
7.3.2 ProDF Goal 2: Implement and manage DF to improve governance programmes (two sub-goals). See on the ProDF fold-out. 7-175
7.4 Reactive DF (ReDF) component 7-178
7.4.1 ReDF Phase 1: Incident Response and confirmation phase. See on the ReDF fold-out. 7-180
7.4.2 ReDF Phase 2: Physical investigation phase (par.5.5.2). See on the ReDF fold-out. 7-182
7.4.3 ReDF Phase 3: Digital investigation phase (par. 5.5.3). See on the ReDF fold-out. 7-183
7.4.4 ReDF Phase 4: Incident reconstruction phase (par. 5.5.4) (three steps). See on the ReDF fold-out. 7-187
7.4.5 ReDF Phase 5: Presentation of findings phase (par. 5.5.5). See on the ReDF fold-out. 7-188
7.4.6 ReDF Phase 6: Incident closure phase (par. 5.5.6). See on the ReDF fold-out. 7-189
7.4.7 To-do list 7-190
7.5 Active DF (ActDF) component 7-190
7.5.1 ActDF Phase 1: Incident response and confirmation phase. See on the ActDF fold-out. 7-193
7.5.2 ActDF Phase 2: ActDF investigation phase (par. 6.7.3). See on the ActDF fold-out. 7-195
7.5.3 ActDF Phase 3: Limited incident reconstruction phase (par. 6.7.3.3) (two steps) (Figure 7-15 - below). See on the ActDF fold-out. 7-197
7.5.4 ActDF Phase 4: ActDF investigation closure phase (par. 6.7.3.4). See on the ActDF fold-out. 7-198
7.5.5 To-do list 7-198
7.6 Relationship between ProDF, ReDF and ActDF 7-198
7.7 Summary 7-199
7.8 FOLD-OUT FOR ProDF 7-204
7.9 FOLD-OUT FOR ReDF 7-205
7.10 FOLD-OUT FOR ActDF 7-206
8 CHAPTER 8 CONSTRUCTION OF OUR HOLISTIC DF MANAGEMENT FRAMEWORK (DFMF) 8-207
8.1 Introduction 8-207
8.2 Aim and structure of the chapter 8-208
8.3 Categorise the to-do list 8-209
8.4 Step-by-step construction of the DFMF 8-212
8.4.1 Legal and judicial dimension 8-213
8.4.2 Governance dimension 8-214
8.4.3 Policy dimension 8-216
8.4.4 Process dimension 8-220
8.4.5 People dimension 8-226
8.4.6 Technology dimension 8-228
8.5 Consolidated view of our DFMF 8-231
8.6 Summary 8-232
PART 3 CONCLUSION 8-233
9 CHAPTER 9 CONCLUSION 9-234
9.1 Introduction 9-234
9.2 Part 1 9-235
9.3 Part 2 9-237
9.3.1 ProDF component 9-237
9.3.2 ReDF component 9-239
9.3.3 ActDF component 9-240
9.3.4 Construction of our DFMF 9-241
9.4 Potential challenges to the application of our CDF capability and DFMF 9-242
9.5 Future research opportunities 9-243
9.6 Achievement of the objective of thesis 9-244
10 BIBLIOGRAPHY 246
TABLE OF FIGURES
FIGURE 1.1. COMPONENTS OF A DF CAPABILITY (GROBLER, LOUWRENS & VON SOLMS, 2010B) 1-10
FIGURE 1-2. DIMENSIONS OF DF (BY AUTHOR) 1-12
FIGURE 1-3. OUTLINE OF THE THESIS 1-13
FIGURE 2-1. ROLE OF THE CHAPTER IN THE THESIS 2-24
FIGURE 2-2. GRAPHICAL REPRESENTATION OF EVIDENCE (BY AUTHOR) 2-42
FIGURE 2-3. GRAPHICAL REPRESENTATION OF OUR COMPREHENSIVE DF CAPABILITY (BY AUTHOR) 2-45
FIGURE 2-4. RELATIONSHIP BETWEEN COMPONENTS OF CDF CAPABILITY (BY AUTHOR) 2-49
FIGURE 3-1. ROLE OF THE CHAPTER IN THE THESIS 3-52
FIGURE 3-2 TYPICAL PROCESS FRAMEWORK (BY AUTHOR) 3-53
FIGURE 3-3. COMPREHENSIVE DF CAPABILITY (ALSO FIGURE 2.3) (BY AUTHOR) 3-79
FIGURE 3-4 DIAGRAMMATIC REPRESENTATION OF THE PROPOSED PROCESS FLOWS BETWEEN ROLES (IEONG, 2006) 3-87
FIGURE 4-1 ROLE OF THE CHAPTER IN THE THESIS (BY AUTHOR) 4-94
FIGURE 4-2 ADAPTED DIAGRAMMATIC REPRESENTATION OF INTERNAL COMPUTER INVESTIGATIONS SOX REQUIREMENTS (PATZAKIS & LIMONGELLI, 2004) 4-96
FIGURE 4-3. GRAPHICAL REPRESENTATION OF THE PRODF COMPONENT (BY AUTHOR) 4-113
FIGURE 5-1. ROLE OF THE CHAPTER IN THE THESIS 5-116
FIGURE 5-2 GRAPHICAL REPRESENTATION OF THE SIX PHASES OF REDF COMPONENT (BY AUTHOR) 5-123
FIGURE 6-1 ROLE OF THE CHAPTER IN THE THESIS (BY AUTHOR) 6-127
FIGURE 6-2 MCDOUGAL MODEL OF VOLATILITY (IEONG & LEUNG, 2007) 6-135
FIGURE 6-3 ARCHITECTURE OF REN AND JIN (2005) 6-139
FIGURE 6-4 GRAPHICAL REPRESENTATION OF LIFORAC MODEL (GROBLER, 2009) 6-141
FIGURE 6-5. A REFERENCE ORDER OF DATA COLLECTION PROCESS IN LIVE FORENSIC INVESTIGATIONS (IEONG & LEUNG, 2007) 6-146
FIGURE 6-6. GRAPHICAL REPRESENTATION OF THE ACTDF COMPONENT (BY AUTHOR) 6-155
FIGURE 7-1 CDF CAPABILITY (ALSO FIGURE 2.3) (BY AUTHOR) 7-159
FIGURE 7-2 ROLE OF THE CHAPTER IN THE THESIS (BY AUTHOR) 7-160
FIGURE 7-3 PRODF COMPONENT OF CDF CAPABILITY (ALSO FIGURE 4.3) 7-162
FIGURE 7-4 ADAPTED UGRADER MATRIX (BY AUTHOR) 7-168
FIGURE 7-5 PROPOSED PHASES OF THE REDF PROTOCOL OF THE REDF COMPONENT (BY AUTHOR) – THIS IS A COPY OF FIGURE 5.2 7-180
FIGURE 7-6 PHASE 1 OF THE REDF PROTOCOL (BY AUTHOR) 7-180
FIGURE 7-7 PHASE 2 OF THE REDF PROTOCOL (BY AUTHOR) 7-182
FIGURE 7-8 PHASE 3 OF THE REDF PROTOCOL (BY AUTHOR) 7-184
FIGURE 7-9 PHASE 4 OF THE REDF PROTOCOL (BY AUTHOR) 7-188
FIGURE 7-10 PHASE 5 OF THE REDF PROTOCOL (BY AUTHOR) 7-188
FIGURE 7-11 PHASE 6 OF THE REDF PROTOCOL (BY AUTHOR) 7-189
FIGURE 7-12 GRAPHICAL REPRESENTATION OF THE ACTDF PROTOCOL (ADAPTED FROM FIGURE 6.6) (BY AUTHOR) 7-192
FIGURE 7-13 PHASE 1 OF THE ACTDF PROTOCOL (BY AUTHOR) 7-193
FIGURE 7-14 PHASE 2 OF THE ACTDF PROTOCOL (BY AUTHOR) 7-195
FIGURE 7-15 PHASE 3 OF THE ACTDF PROTOCOL (BY AUTHOR) 7-197
FIGURE 7-16 PHASE 4 OF THE ACTDF PROTOCOL (BY AUTHOR) 7-198
FIGURE 7-17 RELATIONSHIP BETWEEN COMPONENTS OF OUR CDF CAPABILITY (ALSO FIGURE 2.4) (BY AUTHOR) 7-199
FIGURE 8-1 ROLE OF THE CHAPTER IN THE THESIS (BY AUTHOR) 8-208
FIGURE 8-2 RELATIONSHIP BETWEEN THE DIMENSIONS (ALSO FIGURE 1.2) (BY AUTHOR) 8-209
FIGURE 8-3 GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE LEGAL AND JUDICIAL DELIVERABLES (BY AUTHOR) 8-214
FIGURE 8-4 LEGAL AND JUDICIAL DELIVERABLES AS STEP 1 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-214
FIGURE 8-5 FIRST TWO LEVELS OF THE GOVERNANCE DELIVERABLES (BY AUTHOR) 8-216
FIGURE 8-6 ADDITION OF THE GOVERNANCE DELIVERABLES AS STEP 2 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-216
FIGURE 8-7 GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE POLICY DELIVERABLES (BY AUTHOR) 8-220
FIGURE 8-8 ADDITION OF THE POLICY DELIVERABLES AS STEP 3 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-220
FIGURE 8-9 GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE PROCESS DELIVERABLES (BY AUTHOR) 8-225
FIGURE 8-10 ADDITION OF THE PROCESS DELIVERABLES AS STEP 4 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-225
FIGURE 8-11 GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE PEOPLE DELIVERABLES (BY AUTHOR) 8-227
FIGURE 8-12 ADDITION OF THE PEOPLE DELIVERABLES AS STEP 5 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-228
FIGURE 8-13 GRAPHICAL REPRESENTATION OF THE FIRST TWO LEVELS OF THE TECHNOLOGY DELIVERABLES (BY AUTHOR) 8-230
FIGURE 8-14 ADDITION OF THE TECHNOLOGY DELIVERABLES AS STEP 6 OF THE CONSTRUCTION OF OUR DFMF (BY AUTHOR) 8-230
FIGURE 8-15 HIGH LEVEL GRAPHICAL VIEW OF OUR DFMF (BY AUTHOR) 8-231
FIGURE 9-1 PRODF COMPONENT (ALSO FIGURE 7.3) 9-238
FIGURE 9-2 REDF PROTOCOL (ALSO FIGURE 7.5) 9-240
FIGURE 9-3 ACTDF PROTOCOL (ALSO FIGURE 7.12) 9-241
TABLE OF TABLES
TABLE 3.1. COMPARISON OF PROACTIVE (PRODF) ELEMENTS (BY AUTHOR) 3-73
TABLE 3.2. COMPARISON OF ACTIVE (ACTDF) PHASES AND STEPS (BY AUTHOR) 3-74
TABLE 3.3. COMPARISON OF REACTIVE (REDF) PHASES AND STEPS (BY AUTHOR) 3-75
TABLE 3.4. HIGH-LEVEL VIEW OF THE FORZA FRAMEWORK (IEONG, 2006) 3-88
TABLE 4.1. COMPARISONS OF GOALS FOR DF READINESS (BY AUTHOR) 4-101
TABLE 4.2. COMPARISON OF DF READINESS ELEMENTS (BY AUTHOR) 4-104
TABLE 4.3. RELATIONSHIP BETWEEN PRODF NEEDS AND DF READINESS (BY AUTHOR) 4-107
TABLE 4.4. COBIT CONTROLS TO INCLUDE DF REQUIREMENTS (BY AUTHOR) 4-112
TABLE 6.1. LIST OF SPECIFIC QUESTIONS FOR LIVE INVESTIGATIONS – BASED ON FORZA (IEONG & LEUNG, 2007) 6-147
TABLE 7.1 NEEDS ADDRESSED BY THE CDF CAPABILITY (PAR. 2.5.3) (BY AUTHOR) 7-200
TABLE 7.2 CONSOLIDATED TO-DO LIST TO IMPLEMENT THE CDF CAPABILITY (BY AUTHOR) 7-201
TABLE 8.1 CATEGORISED TO-DO LIST (BY AUTHOR) 8-210
TABLE 9.1 EVALUATION OF OUR CDF CAPABILITY AND DFMF (BY AUTHOR) 9-243
TABLE 9.2 SUMMARY OF THE ACHIEVEMENT OF THE SUB-OBJECTIVES OF THE THESIS 9-244
AFFIDAVIT: MASTER’S AND DOCTORAL STUDENTS
TO WHOM IT MAY CONCERN
This serves to confirm that I, Cornelia Petronella Grobler
ID Number 6206140172088
Student number 908115739 enrolled for the
Qualification PhD (Informatics)
Faculty of Science
Herewith declare that my academic work is in line with the Plagiarism Policy of the University of
Johannesburg, with which I am familiar.
I further declare that the work presented in the Thesis (minor dissertation/dissertation/thesis) is
authentic and original unless clearly indicated otherwise and in such instances full reference to the
source is acknowledged and I do not pretend to receive any credit for such acknowledged quotations,
and that there is no copyright infringement in my work. I declare that no unethical research practices were
used or material gained through dishonesty. I understand that plagiarism is a serious offence and that
should I contravene the Plagiarism Policy notwithstanding signing this affidavit, I may be found guilty of a
serious criminal offence (perjury) that would amongst other consequences compel the UJ to inform all
other tertiary institutions of the offence and to issue a corresponding certificate of reprehensible academic
conduct to whoever requests such a certificate from the institution.
Signed at Johannesburg________________ on this _______ of ____________________2012
Signature__________________________________ Print name Cornelia Petronella Grobler
STAMP COMMISSIONER OF OATHS
Affidavit certified by a Commissioner of Oaths
This affidavit conforms with the requirements of the JUSTICES OF THE PEACE AND COMMISSIONERS OF OATHS ACT 16 OF
1963 and the applicable Regulations published in the GG GNR 1258 of 21 July 1972; GN 903 of 10 July 1998; GN 109 of 2
February 2001 as amended.
GLOSSARY OF TERMS
Term / abbreviation: Description
Active DF: The ability of an organisation to gather (identify, collect and preserve) comprehensive digital evidence in a live environment to facilitate a successful investigation.
Chain of custody: A system of recording who is responsible for the evidence at any point in time, from the moment it was collected until it is used in the courtroom.
Chain of evidence: A series of events in which the evidence has not been altered at any stage.
Competent: Having suitable or sufficient skill, knowledge, experience, etc., for some purpose; properly qualified: He is perfectly competent to manage the bank branch.
Comprehensive DF capability: A capability consisting of the combination of reactive, active, and proactive DF components.
Comprehensive digital evidence: Digital evidence that will have evidentiary weight in a court of law and that contains all the evidence necessary (relevant and sufficient) to establish a fact or disprove a claim.
DF readiness: The ability of an organisation to maximise its potential to use comprehensive digital evidence whilst minimising the costs of an investigation.
Digital crime scene: The virtual environment created by hardware and software where evidence of a digital crime or incident exists.
Digital evidence: Any data stored or transmitted using a digital device that tends to establish a fact or disprove a claim.
Digital forensics: The scientific study of all the processes involved in the recovery, preservation and examination of digital evidence, including audio, imaging and communication devices (TC-11, 2006).
Forensically sound process: A process that maintains the integrity of evidence, ensuring that the chain of custody remains unbroken and that collected evidence will be admissible in a court of law.
Physical crime scene: The physical environment where physical evidence of a crime or incident exists.
Proactive DF: The forensic preparation of an organisation to ensure successful, cost-effective investigations, with minimal disruption to business activities, and the use of DF to establish and manage governance programmes.
Reactive DF: The application of analytical and investigative techniques for the preservation, identification, extraction, documentation, analysis, and interpretation of digital media, for evidentiary and/or root cause analysis, and the presentation of comprehensive digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of incidents.
Risk profile: Adapted threat profile.
Standard operating procedure: Documented quality control guidelines that are supported by proper case records and use broadly accepted procedures, equipment, and material.
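As an added illustration of the glossary entries for chain of custody, chain of evidence and a forensically sound process (this script is not part of the thesis and does not implement any procedure the thesis prescribes), the following Python keeps a tamper-evident custody ledger for one evidence item. Each entry records who held the item, what they did, the SHA-256 of the evidence as they received it and the hash of the previous entry, so that a check can show both that custody was recorded without gaps (chain of custody) and that nobody along the chain held altered bytes (chain of evidence). The case identifier, custodian names, timestamps, the ledger layout and the "disk image" bytes are all constructed for the demonstration.

```python
"""Tamper-evident chain-of-custody ledger for a single evidence item.

Added example, not from the thesis. Every ledger entry records the custodian,
the action, the SHA-256 of the evidence as that custodian received it, and the
hash of the previous entry, so both the custody record and the evidence itself
can be checked for alteration. All names, dates and bytes are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64  # previous-entry hash used by the first (acquisition) entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO 8601, UTC
    custodian: str        # person responsible for the item from this point on
    action: str           # 'acquired', 'transferred', 'examined', ...
    item_hash: str        # SHA-256 of the evidence as received by this custodian
    prev_entry_hash: str  # links this entry to the one before it
    entry_hash: str = ""  # SHA-256 over all the fields above

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLedger:
    def __init__(self, case_id: str, item_id: str) -> None:
        self.case_id = case_id
        self.item_id = item_id
        self.entries: list = []

    def record(self, custodian: str, action: str, evidence: bytes,
               when: Optional[datetime] = None) -> CustodyEntry:
        """Append a custody event, hashing the evidence as this custodian holds it."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(ts, custodian, action, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> tuple:
        """Return (ok, problems): checks the link between entries, each entry's
        own hash, and that every custodian received bytes identical to the
        acquisition image, which the bytes presented now must also match."""
        problems = []
        if not self.entries:
            return False, ["empty ledger"]
        acquisition_hash = self.entries[0].item_hash
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e.compute_hash() != e.entry_hash:
                problems.append(f"entry {i}: entry contents altered")
            if e.item_hash != acquisition_hash:
                problems.append(f"entry {i}: evidence held by {e.custodian} "
                                "differs from acquisition image")
            prev = e.entry_hash
        if sha256_hex(evidence) != acquisition_hash:
            problems.append("current evidence does not match acquisition hash")
        return not problems, problems


def build_demo_ledger() -> tuple:
    """Constructed scenario: one image acquired, handed to a lab, then examined."""
    image = b"\x55\xaa constructed disk image, not real evidence \x00" * 64
    ledger = CustodyLedger("CASE-DEMO-001", "HDD-01")  # hypothetical identifiers
    t0 = datetime(2011, 11, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record("Investigator A", "acquired", image, t0)
    ledger.record("Lab B", "transferred", image, t0 + timedelta(hours=2))
    ledger.record("Analyst C", "examined", image, t0 + timedelta(days=1))
    return ledger, image


if __name__ == "__main__":
    ledger, image = build_demo_ledger()
    print("intact:", ledger.verify(image))
    # One changed byte breaks the chain of evidence although custody is intact.
    print("altered:", ledger.verify(image[:-1] + b"\x01"))
```

The point the check makes is that the two chains are separate properties: a complete custody record with a hash mismatch means the evidence was altered while responsibility was documented, and a matching evidence hash with a broken or edited ledger entry means the evidence may be intact but its admissibility is in doubt.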
ABBREVIATIONS AND ACRONYMS USED IN THIS THESIS
Acronym /abbreviation Description
ActDF Active digital forensics
ActDFI Active digital forensic investigation
BCP Business continuity plan
BIA Business impact analysis
BOK Body of knowledge
CDE Comprehensive digital evidence
CDF Comprehensive digital forensics
CERT Computer Emergency Response Team
CPU Central processing unit
DF Digital forensics
DFI Digital forensic investigation
DFMF Digital forensic management framework
DRP Disaster recovery plan
ECT Act Electronic Communications and Transactions Act
EMP Evidence management plan
FBI Federal Bureau of Investigation
IDS Intrusion detection system
Info Sec Information security
IR Incident response
IRP Incident response plan
ITIL Information Technology Infrastructure Library
ITSM IT Service Management
LAN Local area network
PID Process identification number
PPID Parent process identification number
ProDF Proactive digital forensics
RAM Random access memory
ReDF Reactive digital forensics
SAQA South African Qualifications Authority
SOP Standard operating procedure
TCP Transmission control protocol
Note to reader:
The thesis uses the first person plural to facilitate a broader narrative delivery. We also
include notes to the reader to increase the readability and context.
Part 1: Background to Digital Forensics
1-1 | Page Chapter 1: Overview of thesis
1 CHAPTER 1
OVERVIEW OF THESIS
"The modern thief can steal more with a computer than with a gun.
Tomorrow's terrorist may be able to do more damage with a keyboard than
with a bomb." (National Research Council, Computers at Risk, 1991).
The “Stuxnet attack was more effective than bombs – using an anti-bunker
bomb to take out the Natanz facility could have delayed Iran’s efforts by
three years … Stuxnet and other non-military efforts have put Iran four
years behind.” (Lemos, 2011).
1.1 INTRODUCTION
We are living in an increasingly complex world in which much of society is dependent on technology
and its various offshoots and incarnations (Rogers & Siegfried, 2004). There is ample evidence of the
influence of technology on our daily lives. We communicate via e-mail, use chat groups to interact
and conduct business through e-commerce. People increasingly equate one another's existence with a
presence on Facebook.
The convergence of information technology products, systems and services is changing the way we
live. The latest smartphones and cell phones have cameras, applications, and access to social
networking sites. These phones contain sensitive information, for example photographs, e-mail,
spreadsheets, documents, and presentations. The loss of a cell phone may therefore pose a serious
problem to an individual or an organisation when privacy and intellectual property are considered
from an information security (Info Sec) perspective (Pieterse, 2006).
Organisations have accepted the protection of information and information assets as a fundamental
business requirement, and managers are therefore implementing an increasing number of security
countermeasures, such as security policies, intrusion detection systems, access control mechanisms,
and anti-virus products, to protect information and information assets from potential threats.
However, incidents still occur, as no system is 100% secure. Such incidents must be investigated to
determine their root cause and, where appropriate, to prosecute the perpetrators (Louwrens, von Solms,
Reeckie & Grobler, 2006b).
Humankind has long been interested in the connection between cause and effect, wishing to know
what happened, what went wrong and why it happened. The need for computer forensics emerged
when an increasing number of crimes were committed with the use of computers and the evidence
required was stored on the computer. In 1984, a Federal Bureau of Investigation (FBI) laboratory
began to examine computer evidence (Baryamureeba & Tushabe, 2004), and in 1991 the
International Association of Computer Investigative Specialists (IACIS) in Portland, Oregon coined the
term ‘computer forensics’ during a training session.
The environment in which digital crimes are committed has changed dramatically with the
emergence of personal computers, the Internet, cell phones, flash disks and wireless devices. It is no
longer sufficient to investigate only the hard drive of the victim’s personal computer, because that
alone may not yield sufficient evidence for a successful prosecution (Adelstein, 2006).
Digital evidence, static as well as ‘volatile’, is required to establish the root cause of incidents. In a
particular situation it may be necessary to consider network activity, Internet activity, e-mails sent
and received, and data on cell phones or other portable devices. Cyber-trained defence attorneys will
expect the investigator to link the attacker to the victim by analysing this additional information in
the chain of evidence (Stephenson, 2002).
1.2 BACKGROUND
Consider the following example:
“When a thief breaks into your home, you’re likely to feel victimized,
vulnerable, and confused. You may wonder: What was taken? Will the
house ever feel safe again? What can I do to protect myself from another
intrusion?
When a malcontent breaks into, or cracks, your computer, your reactions are
likely to be very much the same. What was taken? What was left behind? Is
the computer safe to use? How can I keep my computer safer in the future?
While the latter question is important, the former three questions weigh
more heavily immediately after a break-in. The suits and the geeks want an
assessment as soon as possible, especially if the compromised system held
critical information or served a critical purpose” (Frye, 2005).
As the example demonstrates, organisations and individuals are exposed to cybercrime, and the
resulting incidents must be investigated. According to the CSI 2008 computer crime and security
survey, the most costly type of incident was financial fraud, followed by dealing with ‘bot’ computers
on the network; the two data-loss categories (customer and proprietary information) taken together
were the second-largest source of losses (Richardson, 2008).
However, when a security incident has taken place, many organisations do not have proper
guidelines for conducting a forensic investigation and often fail to bring the investigation to a productive
conclusion (Sinangin, 2002). Many organisations do not regard forensic investigations as a priority.
The key role of computer forensics is the protection, adducing, and presentation of evidence.
The protection of evidence in all abuse cases is both critical and central to the organisation's ability
to investigate and take action against the abuser (Sheldon, 2004). It is essential to determine the
root cause of an incident and to link the attacker to it.
Computer forensics is well established in the military and aviation industries, for example the
retrieval and examination of flight information from the ‘black box’ of an aeroplane after an
accident. However, digital forensics (DF) is a wider discipline than computer forensics, as shown by
definitions of the two concepts:
Computer forensics is considered to be the use of analytical and investigative techniques
to identify, collect, examine and preserve evidence/information which is magnetically
stored or encoded (Louwrens & von_Solms, 2005).
Digital forensics (DF) is the scientific study of the processes involved in the recovery,
preservation and examination of digital evidence, including audio, imaging and
communication devices (TC-11, 2006).
DF includes the acquisition of all types of digital evidence, for example cell phone content, volatile
memory content, static hard disk and optical disk content, audio files and images. DF is an emerging
discipline in the private sector that is becoming increasingly important to organisations.
The use of computers and other digital devices generates a wealth of digital information in the form
of, for example, log files, passwords, and timestamps by the normal operating processes. There is a
growing need for good evidence in organisations. According to Sommer (2005), the need for good
evidence manifests itself, for example, as evidence needed for disputed transactions, to prove
allegations of employee misbehaviour, to demonstrate legal and regulatory compliance and to
provide supporting evidence for insurance claims.
The application of DF tools and techniques is becoming the vehicle for organisations to acquire
useful and admissible evidence, using the available operational or stored information. DF tools
consist of forensic software tools with very specific guidelines and procedures (Guidance_Software,
2005).
The forensic specialist must be able to guarantee the accuracy of the evidence and results, which can
be done by the use of “time tested evidence processing procedures and through the use of multiple
software tools”, developed by separate and independent developers (Computer evidence defined,
2008). We will refer to these ‘time tested procedures’ as ‘frameworks’.
The current application of DF tools and technologies is for digital investigations, or as part of the
information security tool suite to determine vulnerabilities in the Info Sec architecture (Richardson,
2008). However, organisations also apply the use of DF tools for other purposes in other areas, for
example to retrieve evidence to prove compliance with legislation and to improve the information
technology (IT) governance frameworks (Nikkel, 2006).
The identified DF frameworks (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Forrester &
Irwin, 2007; Louwrens et al., 2006b) concentrate mainly on ‘post-mortem’ investigation, with limited
reference to live evidence acquisition and DF readiness aspects. They provide clear guidelines on
‘must do’s’ and ‘must not do’s’ during a forensic investigation, but do not consider the management
or establishment of a DF capability in an organisation (Nikkel, 2006). The next section discusses the
challenges to the management and implementation of a DF capability in an organisation.
1.3 CHALLENGES TO DIGITAL FORENSICS
From the literature studied (as indicated in the following paragraphs), we have identified the
following six challenges:
1.3.1 Challenge 1: Inadequate evidence
Organisations do not consider the pro-active collection of adequate, admissible evidence prior
to an incident, as the perception exists that it is too expensive (Rowlingson, 2004). However, if
the evidence is in place and the processes are well-defined, the cost and impact of an
investigation will be minimised (Louwrens et al., 2006b).
1.3.2 Challenge 2: Continuity strategies do not consider evidence or procedure
requirements
The incident response plan (IRP) often does not consider the handling and preservation of
evidence or ensure that the process followed is forensically sound (Sommer, 1999). The lack of
evidence compromises investigations. Whenever an incident occurs, adequate relevant and
legally admissible evidence is not available to successfully conduct and conclude an
investigation (Thomas, 2005).
1.3.3 Challenge 3: Need for live investigative frameworks
Traditional DF frameworks are no longer sufficient to investigate incidents effectively as active
or ‘live’ attacks are increasing. These attacks necessitate immediate action not only to contain
the incident or to stop attacks but also to acquire relevant volatile and essential evidence in real
time. Volatile or live evidence is becoming an essential part of investigations as incidents are
becoming more sophisticated and targeted. Criminals are using a network or the Internet to
launch their attacks.
Ieong and Leung (2007) have noted the absence of a definition for live forensics, a lack of
standard procedures for live investigations and a problem with the certification and acceptance
of live evidence (Foster & Wilson, 2004; Grobler, 2009; Ieong & Leung, 2007; Payer, 2004; Ren &
Jin, 2005).
1.3.4 Challenge 4: Need for new DF tools and technologies
If one considers new technologies and software that are currently in use, traditional DF tools and
techniques are becoming inadequate. To demonstrate this: Windows® Vista Ultimate and
Enterprise editions have the BitLocker® drive encryption capability. This is a full disk encryption
feature that uses the AES (advanced encryption standard) encryption algorithm in CBC (cipher-block
chaining) mode with a 128- or 256-bit key, combined with the Elephant diffuser1 for
additional disk encryption specific security not provided by AES (TechNet, 2009). An additional
obstacle is that BitLocker® has no backdoor, which makes it very difficult for an investigator to get
access to an encrypted drive (Wikipedia, 2009). Investigators have to wait for an appropriate
moment to investigate a suspect machine in a ‘live’ state when the content is decrypted. It is
therefore essential that organisations are aware of new technologies to ensure that they plan
and prepare themselves for such investigations.
It is also essential to consider the emerging legal debate about enforced “decryption” between
the United Kingdom and the United States of America, as the investigator needs access to the
system in its decrypted (plaintext) state.
1.3.5 Challenge 5: Use of DF tools and technologies for non-investigative purposes
The cliché that ‘you can only manage if you can measure’ may be applicable to IT and corporate
governance. It is essential to measure the effectiveness of internal and technical controls.
Corporate governance legislation and reports, for example Sarbanes-Oxley (Sarbanes-Oxley Act of
2002, 2002) and King III (King, 2009), require that management be able to prove the efficiency
and effectiveness of controls. DF tools and technologies can be applied to provide documented
proof to demonstrate due diligence with respect to good governance as evidence will be available
to provide the proof.
1.3.6 Challenge 6: Implementation of a DF capability
Nikkel (2006) has identified the following challenges that organisations face when establishing a
forensic capability:
1 “The Enterprise and Ultimate editions of Windows Vista contain a new feature called BitLocker™ Drive Encryption which encrypts all the data on the system volume. BitLocker imposes some security requirements on the encryption algorithm that are not met by common encryption algorithms and modes. This creates a real problem: a new cipher cannot be trusted without many years of public review, and existing ciphers that satisfy the additional security requirements are either too slow or insufficiently analysed. We resolved this dilemma by combining a well-established cipher (AES in CBC mode) with a new component that we call the Elephant diffuser. The basic encryption security is provided by AES-CBC, which has been widely reviewed and is generally used in the industry for encryption. The diffuser layer adds some additional security properties that are desirable in the disk encryption setting but which are not provided by AES-CBC cipher methods. This combination gives us the best of both worlds. All the security properties traditionally provided by encryption algorithms are provided by AES-CBC, which is an accepted cipher. We only depend on the diffuser for the additional security properties not provided by AES-CBC. The AES-CBC + diffuser approach is also faster than any of the alternatives, which is important for our application” FERGUSON, N. (2006). AES-CBC + Elephant diffuser: A Disk Encryption Algorithm for Windows Vista. Available from: http://pdos.csail.mit.edu/6.858/2011/readings/bitlocker.pdf (Accessed 20 February 2012).
Where and to whom does the DF team report? It must be determined if it must report
to the IT, risk management (corporate, IT or Info Sec), legal, and compliance
departments, or whether the function should be outsourced. The different degrees of
involvement from a forensics team in the organisation must also be defined, for example
a lead, consulting or assisting role.
Typical DF readiness challenges are to establish forensic resources, e.g., trained staff,
relevant tools, and a well-equipped forensic laboratory. Specific policies must be
formulated to enable DF investigations, for example, investigative access policies and
data retention policies.
Obtain management support and awareness. Management must buy into the need for a
DF unit in the organisation. DF awareness should be included in the workflows and
processes of the organisation. All employees must be aware of their responsibility in
terms of incidents and existence of the DF capability.
Formal contact channels must be established to ensure efficient communication with
the forensic team, and other internal and external stakeholders.
The forensic team should be trained so that the required skills exist to facilitate
successful investigations. It is also important to acquire efficient and relevant forensic
tools to conduct investigations.
The discussion in pars. 1.2 and 1.3 centres on how organisations begin to engage in the use of DF
tools and technologies in various areas of the organisation. The main use of DF is currently to
acquire evidence for specific scenarios and purposes (Nikkel, 2006) and to investigate incidents.
The legal status of forensic investigators is highly relevant in ensuing court proceedings.
Investigators should be aware of the various privacy-related statutes when investigating a specific
incident. Should the investigator discover data (for example images, video, audio or text)
associated with a criminal activity that is not related to the incident under investigation, they must
be aware of their legal obligations and rights in that situation: such evidence cannot be acquired,
as they have no mandate to acquire it.
The value that evidence availability and forensically sound procedures and processes can add to an
organisation is not yet known to organisations, as the current DF frameworks concentrate on
investigating incidents and not on the use of DF to obtain good evidence for other
purposes, for example to measure compliance with legal or regulatory requirements. There is a
need for an implementation and management framework to enable organisations to implement
and apply a DF capability in all areas of business. The next section will present the problem
statement of the thesis.
1.4 PROBLEM STATEMENT
The challenges identified in par. 1.3 and literature studied demonstrate that no holistic DF
framework exists to manage and implement our Comprehensive DF (CDF) capability in an
organisation (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Casey, 2004; Forrester &
Irwin, 2007; Ieong, 2006; Louwrens et al., 2006b; Nikkel, 2006). The next section will discuss the
objective of the thesis.
1.5 OBJECTIVE OF THE THESIS
The objective of the thesis is to develop a holistic, theoretical DF
Management Framework (DFMF) to implement and manage an effective
CDF capability in an organisation.
Note to reader:
We use two abbreviations in the thesis: DF and DFMF
DF refers to digital forensics
DFMF refers to the holistic theoretical DF framework to manage and implement
DF in an organisation.
To achieve the above objective we have identified the following five supporting sub-objectives:
1.5.1 Sub-objective 1: Provide background to DF
Define DF
Discuss driving factors for DF
Discuss cybercrime and digital evidence
Propose our CDF capability.
1.5.2 Sub-objective 2: Provide background to our CDF capability
Identify, discuss and compare various DF frameworks
Use the comparison of the DF frameworks and views of DF readiness to propose the
formulation of a preparation (proactive) DF component (ProDF) with goals and steps
Use the comparison of the DF frameworks to propose the formulation of a post-incident
investigation (reactive) DF component (ReDF) with goals and steps
Use the comparison and investigate live and real-time investigative practices and
frameworks to formulate a live (active) DF component (ActDF) with DF goals and steps.
1.5.3 Sub-objective 3: Formulate our CDF capability
Expand on the identified phases and steps for each component to formulate our CDF
capability and identify to-do lists for the CDF capability
Discuss the relationship between the defined components of our CDF capability
Consolidate the to-do lists to assist management to implement the CDF capability.
1.5.4 Sub-objective 4: Construct our holistic, theoretical DF implementation and
management framework (DFMF)
The framework (DFMF) will assist organisations in managing and implementing our CDF
capability.
Use the consolidated to-do list as a basis for the formulation of the DFMF
Identify deliverables to implement and manage for each component of our CDF capability;
the deliverables will be used to formulate DFMF
Use the dimensions of DF to categorise the identified deliverables
Use the relationship between the dimensions of DF to construct the holistic, comprehensive
DF implementation and management framework (DFMF)
Ensure that our DFMF is easy to use as it should be able to provide management with a high-
level overview of ‘what to do, who should do it, how it should be done’.
1.5.5 Sub-objective 5: Identify challenges to DFMF and further research
Discuss potential challenges to the implementation of our DFMF and identify further
research opportunities.
The next section will discuss the approach to the thesis.
1.6 APPROACH TO ACHIEVING THE OBJECTIVES
We review the literature to provide a background to the thesis and ensure that all concepts are
clearly identified and defined. We will define DF, discuss the need for and application of DF in
organisations, discuss cybercrime, and define digital evidence. We will adopt the following approach
to develop the holistic DF framework for managing and implementing our CDF capability.
1.6.1 Part 1: Background
The aim of this part of the thesis is to research existing DF frameworks to formulate our CDF
capability. We will identify various DF and computer investigation frameworks and best practices
for DF from literature. The investigation frameworks can be classified as supporting process-
oriented frameworks (Carrier & Spafford, 2003; Kruse & Heiser, 2004; Lee, Palmbach & Miller,
2001), composite process oriented frameworks (Barayumureeba & Tushabe, 2004; Beebe & Clark,
2005; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006; O'Ciardhuain, 2004), and a
role-based framework (Ieong, 2006).
We will compare the various composite process-oriented DF frameworks and a role-based DF
framework to determine the comprehensiveness of the identified DF frameworks. We will use
the comparison to define and formulate an initial draft of our CDF capability.
It will turn out that our CDF capability will consist of three distinct components: Proactive DF
(ProDF) for the preparation of organisations for investigations; Active DF (ActDF) that will
consider the acquisition and analysis of live evidence; and Reactive DF (ReDF) as the actual ‘post-
mortem’ forensic investigation. The incident is the main catalyst that will distinguish the
components. Figure 1.1 (below) is a graphical representation of our CDF capability.
We will investigate component-specific literature, using the initial draft of the individual
component and adding additional content to present each, namely ProDF (Chapter 4), ReDF
(Chapter 5) and ActDF (Chapter 6). We will combine, expand and consolidate the findings of the
ProDF (Chapter 4), ReDF (Chapter 5) and ActDF (Chapter 6) to formulate our CDF capability
(Chapter 7) in the next section.
Figure 1.1. Components of a DF capability (Grobler, Louwrens & von Solms, 2010b)
1.6.2 Part 2: Construction of our DFMF to implement our CDF capability
The aim of this part of the thesis is to formulate our CDF capability and propose a holistic DF
management framework (DFMF) to manage and implement our CDF capability in an organisation.
It is essential to consider the legal, regulatory and governance requirements relevant to the
investigation and the investigative team. To formulate our CDF capability we will:
confirm a definition and goals for each component
use the findings of the previous chapters and expand the ProDF elements or ActDF and ReDF
phases with steps
identify to-do lists for the CDF capability to enable us to determine what to consider when
we formulate the DFMF
discuss the relationship between the three distinct components: ProDF, ReDF and ActDF of
our CDF capability.
The next challenge is to determine how to structure an implementation and management
framework for our CDF capability. The framework must be practical and easy to use, and should
provide clear guidelines on how to implement and manage our CDF capability. We should ensure
that it supports Casey’s principles for a DF framework: acceptance, reliability, repeatability,
integrity, cause and effect, and documentation (Casey, 2004). The principles require that the
framework use professional methods and steps from literature, while the processes should be
repeatable, produce trusted evidence, and adhere to the Daubert or Frye requirements. The
result of the investigation should provide a logical connection between the suspected individual
events and evidence. The framework must support the recording of all testamentary evidence
during the investigation.
Management must have something to manage or implement. We identify to-do lists for each
component (ProDF, ReDF and ActDF) of our CDF capability. The to-do lists or deliverables are
tangible items that can be implemented, assessed, and managed. It will be difficult to implement
the list of deliverables without a structured approach (framework) for the
implementation. To establish a framework we will group together similar deliverables, for
example, relate training and awareness to the ‘people’ area or dimension.
We will use the dimensions of DF (Grobler & Louwrens, 2006) as categories to formulate our
DFMF. The dimensions of DF were identified by comparing various views on management
and governance frameworks (Guldentops, Hardy, Heschl & Stroud, 2005; Institute, 2000; Rudd,
2004), the dimensions of Info Sec (Grobler & Louwrens, 2006), and the questions asked by Ieong
(Ieong, 2006). The six categories or dimensions are:
Category (dimension) 1: legal and judicial (answers the ‘why’ question, and deals with
compliance)
Category (dimension) 2: governance (answers the question ‘why’, considers facilities and
partners, and deals with risk management and operational risks)
Category (dimension) 3: people (answers the ‘who’ question, and deals with training and
awareness)
Category (dimension) 4: policy (answers the ‘what’, ‘when’ and ‘who’ questions)
Category (dimension) 5: process (answers the ‘what’, ‘when’, ‘how’, ‘where’ and ‘who’
questions). This dimension encapsulates all activities on an operational level.
Category (dimension) 6: technology (answers the ‘how’, ‘when’, and ‘where’ questions and
addresses which applications and technologies to use).
The dimensions cannot exist in isolation and must support each other to make a significant
contribution, for example, the legal and judicial dimension is the backdrop to all the other
dimensions as the legal framework provides the legal background against which an organisation
operates. The governance dimension is a subset of the legal dimension; the policy dimension is a
subset of the governance dimension. The process, people, and technology dimensions are
subsets of the policy dimension. Figure 1-2 (below) is a graphical representation of the
relationship between the dimensions of DF.
The next step will be to identify and categorise the consolidated list of our CDF capability from
Chapter 7, using the dimensions as categories. We will use the relationship between the
dimensions to construct our DFMF to manage and implement the DF capability effectively in an
organisation. The last chapter of this part will use the DFMF to demonstrate how the application
of our DFMF can add value to an organisation. We will explain how DFMF can be used to
implement and manage our CDF capability in an organisation.
Figure 1-2. Dimensions of DF (by author)
1.6.3 Part 3: Conclusion
The last part of the thesis will provide a summary of the results of the research to demonstrate
that we have met all its objectives. As our framework is a theoretical one, we will discuss
advantages of and challenges to DFMF, and identify potential future research.
1.7 THE STRUCTURE AND OVERVIEW OF THE THESIS
The thesis consists of three parts, graphically represented in Figure 1-3 (below).
The next section will provide a brief overview of the content of each part and related chapters of the
thesis.
[Figure 1-3 (outline of the thesis; the diagram itself is not reproduced here). Part 1: Background (Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF)). Part 2: Construction of DFMF (Chapter 7 Comprehensive DF capability, consisting of ProDF, ActDF and ReDF; Chapter 8 Construction of DFMF). Part 3: Conclusion (Chapter 9 Conclusion). DFMF deliverables as labelled in the figure by dimension: Legal and judiciary (evidence, process, infrastructure, other); Governance (DF strategy, infrastructure, risk management/contingency strategy); Policy (general DF policy; evidence management and handling, risk management/contingency, management, infrastructure, incident management, and education, training and awareness policies); Process (evidence management and handling, incident management, infrastructure, management, and risk management/contingency procedures); People (education and training programmes, awareness programmes, code of conduct); Technology (operational infrastructure, DFI infrastructure). Further strategy-level deliverables shown: management of DF capability, evidence management plan, DF education, training and awareness strategy.]
Figure 1-3. Outline of the thesis
1.8 PART 1: BACKGROUND
1.8.1 Chapter 1: Overview of thesis
The aim of the chapter will be to provide the reader with an overview of the thesis.
1.8.2 Chapter 2: Introduction to DF
The aim of this chapter is to provide a background to DF, with a definition and discussion as to
why it is becoming increasingly important for governments, organisations and individuals to
address cybercrime and new threats to security, and discuss the need for evidence in
organisations by considering factors that drive DF in organisations.
The chapter discusses the need to prepare organisations for DF investigations and to have the
ability to acquire volatile evidence during an on-going attack. The nature of contemporary
forensic evidence has changed from mostly paper-based evidence and physical evidence to digital
evidence. Digital evidence exists on computer hard drives, flash disks, cell phones, digital cameras
and audio devices. The chapter defines digital evidence, discusses types of digital evidence, and
refers briefly to admissibility requirements for digital evidence. It also coins a new term:
comprehensive digital evidence (CDE).
Part 1: Background
The aim of Part 1 of the thesis will be to address sub-objectives 1 and 2 (pars. 1.5.1 and 1.5.2):
Sub-objective 1: Provide background to DF (Chapter 2).
We will:
define DF
discuss driving factors for DF
discuss cybercrime and digital evidence
propose our CDF capability.
Sub-objective 2: Provide background to our CDF capability (Chapters 3 – 6).
We will:
identify, discuss, and compare various DF frameworks (Chapter 3)
use the comparison of the DF frameworks and views of DF readiness to propose the formulation
of a preparation (proactive) DF component with ProDF goals and steps (Chapter 4)
use the comparison of the DF frameworks to identify goals and steps for a post-incident
investigation (reactive) DF component (Chapter 5)
use the comparison and investigate live and real-time investigation practices and frameworks to
formulate a live (active) DF component with goals and steps (Chapter 6).
There is a need for a DF capability that will concentrate on ensuring digital evidence availability
and forensically sound processes in organisations, enable DF investigations, and cater for the
acquisition of live evidence. We propose the following definition for a CDF capability:
A comprehensive DF (CDF) capability consists of the combination of
reactive, active, and proactive DF components.
Our CDF capability will consider the:
Reactive DF (ReDF) component, which concentrates on the investigation process after an
incident has happened. Most traditional DF frameworks are process models that
concentrate on reactive DF, as demonstrated by a number of authors (Barayumureeba &
Tushabe, 2004; Beebe & Clark, 2005; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al.,
2006b). The role-based model FORZA of Ieong will be included in the discussion of ReDF, to
be discussed in more detail in Chapter 4 (Ieong, 2006).
Proactive DF (ProDF) component, which concentrates on the forensic preparation of the
organisation to enable successful investigations (Beebe & Clark, 2005; Carrier & Spafford,
2003; Louwrens et al., 2006b). Proactive DF (ProDF) comprises the measures that organisations
should take to ensure they are DF-ready (Louwrens et al., 2006b) and make responsible use
of DF to demonstrate that organisations practise good IT governance. It is also important to
ensure that standard operating procedures are forensically sound. ProDF will be discussed in
detail in Chapter 5.
Active DF (ActDF) component, which concentrates on the acquisition of live and volatile
evidence. For example, Random Access Memory (RAM) content, registry information and
other session information are becoming more important for investigating certain cases of
cybercrime (Shipley & Reeve, 2006). The active DF (ActDF) component concentrates on
gathering live evidence during real-time or on-going attacks to set the platform for a
successful DF investigation. ActDF will be discussed in detail in Chapter 6.
The chapter addresses sub-objective 1, par 1.5.1.
1.8.3 Chapter 3: Conventional approach to DF
The aim of this chapter is to identify various DF frameworks from literature to identify goals and
steps for the formulation of our CDF capability. As the traditional DF frameworks concentrate on
reactive investigations, the chapter will identify a comprehensive set of phases and steps for
ReDF.
Traditionally, DF frameworks are process models (Barayumureeba & Tushabe, 2004; Beebe &
Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al.,
2006b; O'Ciardhuain, 2004) but Ieong (2006) has proposed a role-based framework. The chapter
will discuss the identified composite process frameworks and comment on each. The next section
uses a comparison of them to compile a comprehensive list of phases and steps.
Some of the identified process models have references to DF readiness or a preparation phase
and limited reference to the acquiring of live evidence. The chapter will identify the steps to
include in the ReDF, ProDF, and ActDF components that will be discussed in the following three
chapters.
The last section will describe the role-based framework of Ieong (2006) and compare it with the
identified process frameworks to identify steps or concepts potentially missing from the
comprehensive list of steps for the proposed CDF capability. The chapter
addresses sub-objective 2: par. 1.5.2.
1.8.4 Chapter 4: Proactive DF (ProDF)
The aim of the chapter will be to formulate goals and steps for ProDF. The conventional DF
frameworks in Chapter 3 do not cover the ProDF comprehensively. The chapter will use the steps
identified for DF readiness or preparation phases in Chapter 3, and other identified proactive and
DF readiness views from literature (Bradford, Brown & Perdue, 2007; Garcia, 2005; Rowlingson,
2004), to propose a comprehensive ProDF component for our CDF. It will also include some of the
identified needs in Chapter 2 to ensure that the organisation will be fully prepared for DF
investigations and have evidence available for non-investigative purposes.
Generally, DF readiness concentrates on evidence availability and the preparation of the
organisation in terms of infrastructure, people, and processes to ensure a cost-effective,
successful investigation (Rowlingson, 2004). The chapter will demonstrate that ProDF is more
comprehensive than DF readiness, as it includes the responsible use of DF tools and techniques to
enhance governance structures and to improve the efficiency of the implementation of controls.
It can also be a valuable tool to determine the return on investment for controls implemented in
organisations.
The chapter will define ProDF and propose goals and provisional elements for the ProDF
component. It addresses sub-objective 2: par. 1.5.2.
1.8.5 Chapter 5: Reactive DF (ReDF)
The aim of the chapter is to use the comparison in Chapter 3 to consolidate the ReDF component
of our CDF capability. The ReDF component considers the traditional post-incident DF
investigation. It will propose goals for ReDF and a protocol with phases and related steps for the
ReDF component. It addresses sub-objective 2: par. 1.5.2. The ReDF goals will be to successfully
investigate an incident whilst minimising the impact of the incident. The proposed ReDF protocol
consists of six phases: Incident response and confirmation, physical investigation, digital
investigation, incident reconstruction and presentation of findings, and finally incident closure
phase.
1.8.6 Chapter 6: Active DF (ActDF)
There is an increasing need to investigate certain crimes as they occur. Volatile evidence is also
becoming increasingly important in investigations. From the literature studied there is a need for
a framework that will provide technology-independent guidelines on the gathering and
acquisition of forensically sound evidence, as most of the identified frameworks concentrate on
intrusion detection technology to collect the evidence, or use tool-specific methodology, for
example EnCase Enterprise® for remote logging (Guidance Software, 2005).
The evidence acquired by live evidence acquisition tools is not yet fully acceptable in courts as
there is no guarantee that it has not been altered. The chapter will discuss challenges to ActDF
(Adelstein, 2006; Ieong & Leung, 2007).
The DF frameworks discussed in Chapter 3 include some live evidence-handling processes. The
chapter investigates and compares live or real-time frameworks (Grobler, 2009; Ieong & Leung,
2007). We will use the comparison and the identified live evidence-handling processes (from
Chapter 3) to propose goals and phases with associated steps for the ActDF component. The
chapter addresses sub-objective 2, par. 1.5.2.
1.9 PART 2: CONSTRUCTION OF OUR DFMF
This part consists of Chapters 7 and 8.
1.9.1 Chapter 7: CDF capability
The aim of the chapter is to consolidate the three identified components of a DF capability:
ProDF, ReDF, and ActDF by referring to the identified goals, phases and steps from the previous
three chapters. We will identify potential problem areas in the components, as defined in
literature and propose enhancement to formulate our CDF capability. The components cannot
exist in isolation and we will discuss the relationship between them. We will propose and
consolidate to-do lists for the different components to enable us to formulate the DFMF in the
next part of the thesis. The chapter addresses sub-objective 3, par. 1.5.3.
Part 2: Construction of our DFMF
The aim of Part 2 of the thesis will be to address sub-objectives 3 (par. 1.5.3) and 4 (par. 1.5.4):
Sub-objective 3: Formulate our CDF capability (Chapter 7). We will:
Expand on the identified phases and steps for each component to formulate our CDF capability
(Chapter 7).
Identify to-do lists for the CDF capability (Chapter 7).
Discuss the relationship between the components of a DF capability (Chapter 7).
Consolidate the to-do lists to assist management to implement the CDF capability (Chapter 7).
Sub-objective 4: Construct our holistic theoretical DF implementation and management framework
(DFMF) (Chapter 8). We will:
use the consolidated to-do list as a basis for the formulation of the DFMF (Chapter 8).
identify deliverables to implement and manage for each component of our CDF capability; the
deliverables will be used to formulate DFMF (Chapter 8).
use the dimensions of DF to categorise the identified deliverables (Chapter 8).
use the relationship between the dimensions of DF to construct the holistic, comprehensive DF
implementation and management framework (DFMF) (Chapter 8).
ensure that our DFMF is easy to use as it should be able to provide management with a high-level
overview of ‘what to do, who should do it, how it should be done’ (Chapter 8).
1.9.2 Chapter 8: Construction of the holistic CDF management framework (DFMF)
It is essential to note that our CDF capability describes the whole spectrum of potential
applications of DF in an organisation. The capability does not provide sufficient management
and implementation guidelines. Management is not concerned with the detailed investigation
protocols as defined by the ReDF and ActDF components, but rather with how to establish a DF-
friendly environment to ensure successful investigations and the application of DF tools and
technologies to enhance governance structures. The DF-friendly environment will be guided by
a DF strategy, supporting governance structures and policies, with processes, competent
employees and adequate technologies.
The chapter will use our to-do lists identified for the CDF capability components (Chapter 7) to
identify typical deliverables that should be implemented and managed. The deliverables will
enable management to obtain a clear understanding of what to consider when establishing or
managing a DF capability, for example what should be formulated (e.g., policies, procedures or
strategies), who should be involved and trained, and what should be acquired (e.g., DF tools).
We will use the to-do list to categorise similar deliverables, for example policies, processes, or
people-related deliverables. We described DF as a multi-dimensional discipline (Grobler &
Louwrens, 2006). We will use the dimensions of DF: legal and judicial, governance, people,
policy, process, and technology to categorise deliverables for our CDF capability. The
dimensions are related and we will use the relationship between the dimensions to construct
the DF implementation and management framework (DFMF) to implement and manage our
CDF capability in an organisation. The chapter addresses sub-objective 4, par. 1.5.4.
1.10 PART 3: CONCLUSION
Part 3: Conclusion.
The aim of Part 3 of the thesis is to address sub-objective 5 (par. 1.5.5).
Sub-objective 5: Identify challenges to the DFMF and further research (Chapter 9). We will:
summarise the research conducted in the thesis (Chapter 9)
assess the CDF capability and DFMF using Casey’s criteria (Chapter 9).
identify the challenges to the implementation of our DFMF (Chapter 9).
Identify further research opportunities (Chapter 9).
1.10.1 Chapter 9: Conclusion
This chapter will summarise the research carried out in the thesis and identify possible areas for
further research.
1.11 RESEARCH RESULTS FROM THIS THESIS SO FAR
1.11.1 Articles presented and published
1.11.1.1 CDF Capability
“A multi-component view of Digital Forensics”, at the 3rd annual international Workshop for
Digital Forensics (15-18 February 2010), Krakow, Poland, published by IEEE Xplore
(Grobler, Louwrens & von_Solms, 2010b).
“High-level overview of Digital Forensics” at the 7th annual Information Security South Africa
conference, (July 2009), Johannesburg, South Africa, published by conference organisers
(Grobler & Louwrens, 2009).
1.11.1.2 ProDF component
“A framework to guide the implementation of Pro-active Digital Forensics in organisations”
at the 3rd annual Workshop for Digital Forensics (15-18 February 2010), Krakow, Poland,
published by IEEE Xplore (Grobler, Louwrens & von_Solms, 2010a).
1.11.1.3 Dimensions of DF
“Digital Forensics: a multi-dimensional discipline” at the Information Security South Africa
conference (5-7 July 2006), Sandton, South Africa, published by conference organisers
(Grobler & Louwrens, 2006).
1.11.1.4 Relationship between DF and Info Sec
“DF readiness, a component of Information Security best practice” at the IFIPSec conference
(May, 2007), Sandton, South Africa, published by Springer (Grobler & Louwrens, 2007).
1.11.1.5 Digital Evidence Plan
“Digital Evidence Management Plan” at the 8th annual Information Security South Africa
conference (August 2010), Sandton, South Africa, published by IEEE Xplore (Grobler &
Louwrens, 2010).
1.11.2 Future articles
We intend to publish the following articles:
A framework to successfully implement a CDF capability in an organisation
Digital Forensics and corporate governance – does it make sense?
How can a CDF capability ensure good governance?
Assessing the completeness of the evidence set of an organisation.
1.12 SUMMARY
The chapter has provided an overview of the thesis. Organisations need digital evidence for various
reasons as identified in literature, and DF tools and techniques can assist with its acquisition.
To establish an effective DF capability in an organisation, it is essential that organisations prepare
themselves by considering early evidence identification and the structuring of forensically sound
processes. The organisation must also have frameworks in place to acquire live and static evidence.
We propose that a DF capability consists of three components: ProDF, ReDF, and ActDF.
From the literature studied, most of the frameworks address the actual investigation with limited
references to forensic readiness and live evidence acquisition. Very little emphasis is placed on the
management of a DF capability in an organisation. We propose to develop a holistic CDF
management framework (DFMF) to manage and implement a CDF capability in an organisation. The
next chapter will provide a general background to DF.
PPAARRTT 11
BBAACCKKGGRROOUUNNDD
The aim of Part 1 of the thesis will be to address sub-objectives 1 and 2 (pars. 1.5.1 and 1.5.2):
Sub-objective 1: Provide background to DF (Chapter 2). We will:
define DF
discuss driving factors for DF
discuss cybercrime and digital evidence
propose our CDF capability.
Sub-objective 2: Provide background to our CDF capability. We will:
identify, discuss, and compare various DF frameworks (Chapter 3)
use the comparison of the DF frameworks and views of DF readiness to propose the formulation
of a preparation (proactive) DF component with ProDF goals and steps (Chapter 4)
use the comparison of the DF frameworks to identify goals and steps for a post-incident
investigation (reactive) DF component with steps (Chapter 5)
use the comparison and investigate live and real-time investigation practices and frameworks to
formulate a live (active) DF component goals and steps (Chapter 6).
2 CHAPTER 2
IINNTTRROODDUUCCTTIIOONN TTOO DDIIGGIITTAALL FFOORREENNSSIICCSS
2.1 INTRODUCTION
Organisations, individuals, and governments are operating in cyberspace, which can be defined as a
global community (the virtual shared universe of the world's computer networks) with no physical
boundaries or real law and order (Unesco, 1997). People normally communicate in cyberspace using
networks or the Internet, which also provide the speed, anonymity, and effectiveness which criminal
elements in society use as a unique platform for their operations.
The importance of information has given rise to an increase in criminal activities. Similarly, the
introduction of computers as a criminal tool has enhanced the criminal’s ability to perform, hide, or
otherwise aid unlawful or unethical activity. In particular, the surge of technical expertise by the
general population, coupled with anonymity, seems to encourage criminals to use computer
systems, since there is a small chance of being prosecuted, let alone being caught (Reith, Carr &
Gunsch, 2002). These “cybercrimes” are not always new crimes, but traditional ones translated into
a cyber-world by exploiting computing power and accessibility of information.
Criminals tend to target specific sectors of the community, with the 2010/2011 CSI survey indicating
that 22% of respondents had experienced a targeted attack, defined as a malware attack, aimed
exclusively at the respondent’s organisation or at organisations within a small subset of the general
business population. The survey also indicates an increase in malware attacks and bots / zombies
within the organisation. Organisations were reluctant to provide a monetary value for financial
losses, but it ranges from small losses to $25 million (Richardson, 2012).
It is essential to investigate the incident, determine its root cause, and link the perpetrator to it. In
the early 1900s, Edmond Locard’s finding that whenever two objects come into contact a transfer of
material occurs became known as Locard’s Exchange Principle (FBI, 1999). These traces left by
material will be the basic elements that forensic science will utilise, and a similar principle of
evidence traces is applicable to the digital world.
Among various definitions for forensics in literature are:
the application of science to legal problems (Louwrens & von_Solms, 2005)
the coherent application of methodical investigatory techniques to solve criminal cases
(Kruse & Heiser, 2004)
the science of finding out why something failed (Stephenson, 2003).
The process followed by the investigator is crucial, as it must be able to stand up to legal scrutiny.
The forensic sound process must maintain the chain of evidence and chain of custody at all times.
A forensically sound process will maintain the integrity of evidence, ensuring that the chain
of custody remains unbroken and that collected evidence will be admissible in a court of law
(Louwrens et al., 2006b).
The chain of evidence requires that the evidence has not been altered at any stage (the
detectives in the case study below photograph and bag evidence for this reason).
The chain of custody is a system of recording who is responsible for the evidence at any point
of time from the moment it was collected until it is used in the court room (Foster & Wilson,
2004).
The forensic tools used are also important as their admissibility and acceptability will determine the
quality and validity of the acquired evidence and documentation of the investigation in a court of
law. Not all forensic investigation tools are acceptable in courts.
The chapter provides a background for DF, with Figure 2-1 (below) depicting the role of this chapter
within the overall thesis.
Figure 2-1. Role of the Chapter in the thesis (Part 1: Background: Chapter 1 Introduction; Chapter 2
Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5
Reactive DF (ReDF); Chapter 6 Active DF (ActDF). Part 2: Construction of DFMF. Part 3: Conclusion.)
2.2 AIM AND STRUCTURE OF THIS CHAPTER
The aim of this chapter is to provide a background to DF. We will provide a brief case study and
correlate a typical physical investigation with a digital investigation. The chapter defines DF and
states why it is important to organisations. Cybercrime is a given in modern society. The Chapter will
define and briefly discuss cybercrime and digital evidence. We will also begin to explore what the
components of the eventual CDF capability will be. The chapter will:
provide a background by presenting a brief case study and general understanding of
differences between a traditional physical forensic investigation and a digital investigation
(par. 2.3)
define and discuss DF (par. 2.4)
discuss drivers for the use of DF tools in organisations (par. 2.5)
define and discuss cybercrime and new developments in security threats (par.2.6 )
define and discuss digital evidence (par. 2.7)
propose and describe our CDF capability (par. 2.8).
2.3 BACKGROUND
South Africa has a high crime rate, with incidents reported daily, so many citizens are familiar with
the investigative procedures of law enforcement agencies (SAPS, 2011). The following hypothetical
case is used to demonstrate similarities and differences between a normal forensic investigation and
a digital forensic investigation.
2.3.1 Case study
The police department receives a frantic call from a neighbour to report several gunshots. As the
officers arrive on the scene they find a body on the kitchen floor of a house in a residential area secured
by a private security company (security complex).
The victim is a 40-year-old male, with a bullet wound to the head and lying on his stomach. The lounge
is in a mess, tables and chairs are scattered and there are clear signs of a struggle. There is a cell
phone next to the body on the floor.
The officers secure the crime scene and wait for the forensic investigators and the detectives to arrive.
The detectives arrive, scan the crime scene and find that the patio door leading to the lounge is open
and muddy footprints lead into the house from the garden. There are distinct fingerprints on the window
of the patio door. The victim’s car is still in the garage and it is not clear if any items are missing from
the house. The detective will formulate an initial hypothesis for the incident.
The detectives continue with their investigation and start to identify evidence and potential leads to
determine the motive for the homicide. They will use ‘direct’ and ‘indirect’ evidence to establish a
motive. An example of ‘indirect’ evidence is the position of the body as it can tell a story of where the
suspect was when the shots were fired. The detectives photograph, bag, and document all potential
items of evidence, then take them to the forensic laboratory for analysis. These include fingerprints, hair
samples, blood samples, a cell phone, a laptop and the bullet casings found on the scene.
The security complex has installed several closed circuit television (CCTV) cameras in strategic points
of the complex to enable them to monitor the area. The footage of the camera and potential
eyewitnesses will be able to provide the detectives with valuable information of events prior to, during,
and after the incident.
It is essential that the detectives establish a motive for the incident. They will interview family,
neighbours, work colleagues, and friends to determine potential suspects and to establish a motive.
The neighbour identifies the body as John Smit, a single accountant who was living a flamboyant
lifestyle. He had regular visitors to his house and had a large Rottweiler in the back yard.
The lead detective will start to compile a case file, which can contain, for example the following:
Information, time, location of the incident
Detectives on the case
Who reported the incident (how and at what time)
First people on the scene
Preliminary hypothesis
Potential motives to support the hypothesis
List of forensic evidence from the crime scene with analysis reports
List of forensic evidence from the victim, e.g., time of death with analysis reports
Records of interviews with neighbours, family, work colleagues and friends
Record of interviews of potential suspects
Press releases if applicable
Authorisations to obtain additional evidence, for example, cell phone provider logs
Event reconstruction
Potential suspect list with profiles
Case conclusion document.
The lack of evidence on a crime scene can make the establishment of a motive very difficult. The more
the detectives can learn about the victim and his lifestyle, any valuables missing from the crime scene,
and potential problems in the victim’s life, the easier it becomes for the detective to establish a motive. A
timeline of events leading towards and during the incident should be constructed as it can narrow down
the search and enable detectives to focus on a specific area. It is also essential that the detectives
gather as much evidence as possible about the potential suspect. Typically, profiling can be used to
determine the most possible suspect in terms of gender and the height of the suspect. The detectives
must start to think like the suspect.
We will now attempt to provide a correlation between the physical investigation and a digital
investigation (indicated in italics). We will compare the two scenarios by looking at the tasks of
the detectives or investigator. We propose the following five steps:
Step 1: Incident alert and response (par. 2.3.1.1)
Step 2: Secure the crime scene (par. 2.3.1.2)
Step 3: Acquire the evidence (par. 2.3.1.3)
Step 4: Analyse the evidence and reconstruct the incident (par. 2.3.1.4)
Step 5: Present the findings (par. 2.3.1.5).
2.3.1.1 Step 1: Incident alert and response
Physical investigation: An incident alert will trigger an investigation. In the case study, the
neighbour called the police to report a crime. A similar action takes place after a cybercrime
has been discovered.
Digital investigation: There will be an incident alert, which may be from an IDS or an employee
who reports a suspicious activity to the help desk. Unlike the case study, where the authorities
handle the investigation, the IR team will handle and contain the incident internally, and they
seldom involve the authorities early in investigations. According to the CSI security report, only
27% of respondents reported security incidents to the authorities (Richardson, 2012).
2.3.1.2 Step 2: Secure the crime scene
Physical investigation: In the case study, the detectives secure the physical crime scene to
preserve all evidence. The physical crime scene is normally well-defined. The secured crime
scene in the case study is ‘shut down’ after the incident so no one can access it.
Digital investigation: The digital crime scene is not always well-defined as it may involve
various physical locations and virtual locations inaccessible to the investigator, and is easily
compromised. The digital crime scene may also be over various jurisdictions and countries,
which can complicate the investigation even further.
Organisations cannot always afford to shut down operations and will attempt to get
operations up and running as fast as possible to minimise the effect of the incident. However,
often very little thought is given to the preservation of evidence or how forensically sound the
process or procedures are following the incident, with the result that digital forensic
investigations are often compromised and evidence destroyed or contaminated by employees
(Sommer, 2005).
2.3.1.3 Step 3: Acquire the evidence
Physical investigation: The next step is to identify and acquire different types of evidence. The
detectives in the case study are competent and follow well-defined procedures to identify,
acquire, and preserve the evidence. The process followed will ensure that the evidence is
admissible in court.
The detectives in the case study gather different types of evidence, such as blood samples,
fingerprints and cell phone, each of which will be acquired in a different way and must be
handled differently.
The evidence gathered in the case study by the CCTV cameras and potential eyewitnesses,
even on the access records at the security gates of the security complex, can provide valuable
evidence for detectives before, during, and after the crime was committed.
The detectives in the case study will establish a motive as soon as possible, which will enable
them to profile the suspect and determine what evidence is required to prosecute him or her
successfully.
The way in which the investigator handles the evidence will have an influence on the
admissibility of the evidence. In the case study, detectives photographed and bagged all
evidence according to predefined criteria.
Digital investigation: Well-defined DF frameworks (Barayumureeba & Tushabe, 2004; Beebe &
Clark, 2005; Casey, 2004; Ieong, 2006; Louwrens et al., 2006b) exist with phases and steps to
guide investigators on how to identify, acquire, and analyse evidence. However, very few
organisations have the structures (management, infrastructure and procedures) in place to
enable them to carry out cost-effective, low-impact and efficient digital investigations
(Sommer, 2005). As organisations tend to handle incidents internally, employees are often not
trained in or aware of digital evidence requirements, and the evidence is often contaminated.
Investigators can also gather different types of digital evidence: static digital evidence,
e.g., log file content; live digital evidence, e.g., register content; legacy digital evidence; and
audio evidence. The cell phone seized in the case study may have held digital information that
can be used as evidence in the case. The different types of evidence may require different
DF tools and must each be acquired in a way that preserves the integrity of the evidence.
Gathering evidence before and during an incident can be seen as a proactive measure.
Organisations should consider how potential evidence could be gathered before and while an
incident is happening. The researched DF frameworks and DF readiness views include a
preparation phase that considers infrastructure and evidence availability. There is a need to
expand the research for live investigations (Ieong & Leung, 2007).
The investigators in a DF investigation will set a hypothesis as soon as possible. It is essential
that organisations become DF-ready. They should address the need to evaluate all business
scenarios to identify threats, vulnerabilities and potential evidence, should an incident arise.
However, some organisations are hesitant to include evidence requirements as it is seen to be
too expensive (Rowlingson, 2004).
The digital crime scene differs from the physical one in the case study, where cameras and
evidence bags are used for physical evidence. Which digital evidence is acquired is determined
either by a policy mandate or by the content of the investigation mandate. The acquisition of digital
evidence on the hard disk will be carried out with DF tools. The tools must be accredited, in the
sense that the evidence they acquire is admissible in court. Digital evidence is easily contaminated
or altered, therefore the investigator must ensure its integrity.
2.3.1.4 Step 4: Analyse the evidence and reconstruct the incident
Physical investigation: The investigators will analyse the evidence to determine a motive and
to identify the suspect. The evidence gathered is submitted to type-specific forensic
laboratories, e.g., DNA and fingerprints. The investigation team will determine if the evidence
supports the hypothesis or motive, or if additional evidence should be acquired. The
detectives in the case study will compile a case file.
Digital investigation: The digital evidence will be analysed and the incident reconstructed. The
investigator will analyse the evidence in a DF investigation laboratory. The investigation team
will determine if it supports the hypothesis or motive, or if additional evidence is required.
The DF investigator will compile a case file. The thesis will propose potential content for the
case file. The DF tool used for the analysis and acquisition of the digital evidence has a
documentation facility.
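As an added example (not from the thesis), the timeline reconstruction that the case study calls for is carried out below on constructed log evidence from three sources that record time differently: a firewall syslog in local South African time with no year, a web server log with an explicit UTC offset, and a Windows event export already in UTC. Normalising every timestamp to UTC before sorting is what makes the sequence of events defensible; read naively, the Windows logon appears to precede the firewall ACCEPT, but it does not. All host names, addresses, users and times are constructed.

```python
"""Added example: merging log evidence from several sources into one UTC timeline.

Not part of the thesis; every log line, host name, address, user and time
below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed firewall syslog lines: no year, local time (SAST, UTC+2).
FIREWALL = [
    "Nov  1 09:13:55 fw01 kernel: ACCEPT src=41.0.0.9 dst=10.0.0.7 dpt=22",
    "Nov  1 09:20:01 fw01 kernel: ACCEPT src=41.0.0.9 dst=10.0.0.7 dpt=22",
]
# Constructed web server line in combined log format, with its own UTC offset.
WEB = [
    '10.0.0.7 - jsmit [01/Nov/2011:09:15:40 +0200] "POST /transfer HTTP/1.1" 200 512',
]
# Constructed Windows security export, already in UTC (ISO 8601).
WINDOWS = [
    "2011-11-01T07:14:02Z SECURITY 4624 Logon user=jsmit src=10.0.0.7",
]

SAST = timezone(timedelta(hours=2))
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
WEB_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) \d+$')
WIN_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (.*)$")


def parse_syslog(line, year, local_tz):
    """Syslog omits year and zone; both must be supplied from the acquisition context."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host, msg = m.groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                     tzinfo=local_tz)
    return (local.astimezone(timezone.utc), host, msg)


def parse_web(line):
    """Combined log format carries its own UTC offset, so no context is needed."""
    m = WEB_RE.match(line)
    if not m:
        return None
    src, user, stamp, request, status = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return (ts, "web", f"{user}@{src} {request} -> {status}")


def parse_windows(line):
    """ISO 8601 with a trailing Z is already UTC."""
    m = WIN_RE.match(line)
    if not m:
        return None
    stamp, msg = m.groups()
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (ts, "win", msg)


def build_timeline(firewall=FIREWALL, web=WEB, windows=WINDOWS,
                   year=2011, local_tz=SAST):
    """Return (utc_time, source, message) tuples in chronological order."""
    events = []
    for line in firewall:
        e = parse_syslog(line, year, local_tz)
        if e:
            events.append(e)
    for line in web:
        e = parse_web(line)
        if e:
            events.append(e)
    for line in windows:
        e = parse_windows(line)
        if e:
            events.append(e)
    events.sort(key=lambda e: e[0])  # stable sort keeps source order on ties
    return events


def render(events):
    """One line per event, all in UTC, for the case file."""
    return [f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} [{src}] {msg}"
            for ts, src, msg in events]


if __name__ == "__main__":
    for row in render(build_timeline()):
        print(row)
```

The year and local zone for the syslog source are inputs the investigator must establish and document (for example from the device's configuration at seizure), since a wrong assumption silently reorders events.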
2.3.1.5 Step 5: Present the findings
Physical investigation: In both instances the investigation team will present its findings: in
the case study to the case leader or in court, and in a digital investigation to management or in court.
Digital investigation: Special precautions and preparation are required when presenting digital
evidence and cases in court, as one should prepare the documentation in a format that the
courts can understand.
The discussion above has provided a background to the similarities between a physical and digital
investigation and highlighted problem areas that exist, and actions followed when conducting a
digital investigation. The next section will discuss DF.
2.4 DIGITAL FORENSICS
We are living in a technology-driven society, and communicate using cell phones, e-mail, or social
networks. Organisations depend heavily on computer applications and networks for their daily
operations. Electronic chips control various everyday devices, for example dishwashers and
televisions.
Cybercriminals exploit vulnerabilities of people and technology to launch attacks on society.
Traditionally, investigators used computer forensics to investigate computer-related incidents.
Various definitions for computer forensics exist:
The preservation, identification, extraction, documentation, and interpretation of
computer media for evidentiary and/or root cause analysis (Kruse & Heiser, 2004).
The process of identifying, preserving, analysing and presenting the digital evidence in a
manner that is legally accepted (Leighland & Krings, 2004).
The use of analytical and investigative techniques to identify, collect, examine and
preserve evidence and information which is magnetically stored or encoded (Louwrens &
von_Solms, 2005).
However, the format and nature of digital evidence and technology have changed, and computer
forensics as defined above cannot always cope with the new needs. Digital forensics is more
comprehensive than computer forensics, as it is not confined to a single computer or device and
covers any evidence stored digitally (not only magnetically). Various definitions for DF exist in
the literature:
“the use of scientifically derived and proven methods toward the preservation, collection,
validation, identification, analysis, interpretation, documentation, and presentation of
computer evidence derived from digital sources for the purpose of facilitation or furthering
the reconstruction of events found to be criminal, or helping to anticipate unauthorized
actions shown to be disruptive to planned operations” (Reith et al., 2002).
“The scientific study of the processes involved in the recovery, preservation and
examination of digital evidence, including audio, imaging and communication devices”
(TC-11, 2006).
Many investigators believe that digital forensics is about acquiring the evidence to identify the
perpetrator of a digital crime by putting together a case for prosecution. Stephenson suggests that
digital forensics takes up one of two directions, namely to determine the root cause of the incident;
or to focus upon legal and law enforcement aspects of an incident (Stephenson, 2002).
We will use the definition of TC-11 as it provides a clear scope for DF:
DF is the scientific study of all the processes involved in the recovery, preservation and
examination of digital evidence, including audio, imaging and communication devices
(TC-11, 2006).
A discipline should be supported by fundamental characteristics. It is well accepted that
confidentiality, integrity, and availability are fundamental characteristics of Information Security
(Info Sec). Ieong (2006) has identified the following DF fundamentals:
Reconnaissance: The DF investigator should use all tools and processes available to
recover all relevant evidence.
Reliability: Maintain the chain of evidence during extraction, analysis, storage, and
transportation of data. In general, the chain of evidence, time, integrity of evidence and
the person's relationship with the evidence should be considered, together with the
non-repudiation feature of DF.
Relevancy: Usefulness and the weight of the evidence are linked to the relevancy of all
evidence related to the case.
These fundamental characteristics support all DF activities in organisations.
Traditionally, an organisation will conduct a DF investigation once a security breach has been
encountered, but it is essential that organisations consider the early identification of potential
evidence (proactive), and the acquisition of live evidence. To demonstrate, the investigators in the
case study conducted a reactive investigation (par. 2.3.1) as it happened after the incident. However,
some preparation took place to have evidence in place before an incident occurred, for example the
CCTV camera images and potential gate access records. This can be viewed as a proactive
component that ensures that evidence is in place if required. The live CCTV camera images and
eyewitnesses can provide some ‘live’ evidence.
Often, when asked for specific digital evidence, most organisations do not have all the evidence
available (Clark, 2006). According to the Guide to Investigations and Evidence (Sommer, 2005), most
organisations underestimate the demand for evidence. To understand how organisations should
prepare themselves we will identify and discuss driving factors behind the use of DF and evidential
needs in organisations.
2.5 DRIVING FACTORS FOR THE USE OF DF IN ORGANISATIONS
Nikkel (2006) has classified the driving factors behind digital evidence and the use of DF tools and
technologies as either external (par. 2.5.1) or internal (par. 2.5.2).
2.5.1 External factors
Nikkel (2006) has identified legal and regulatory requirements (par. 2.5.1.1) and industry best
practices (par.2.5.1.2) as two external factors that drive the need for DF in an organisation.
2.5.1.1 Factor 1: Legal and regulatory requirements
Different countries have different laws and regulations. Corporate governance reports and
legislation, for example: Sarbanes-Oxley (Sarbanes-Oxley Act of 2002, 2002), King II and King III
(King, 2003; 2009) demand that management be responsible and accountable for the IT
infrastructure, applications and information of the organisation. Management should provide
reasonable assurance to assess the efficiency of controls and compliance by having available
documented evidence of assessments and ‘good’ evidence (Parkinson & Baker, 2005).
Organisations should assess all relevant business processes, policies and procedures, for example change management in the organisation, to determine whether they are reliable, effective, and efficient. The Sarbanes-Oxley Act also specifies explicit penalties for the deliberate destruction of essential files (Sarbanes-Oxley Act of 2002, 2002).
IT systems are the foundation of the accurate information that managers use to substantiate their everyday decisions. The proactive application of DF tools and techniques is currently used to support management by providing the required information (Nikkel, 2006).
Evidence is required to demonstrate good governance, as it can assist management to
measure performance or compliance. The King II and III reports on corporate governance
require that management pay special attention to risk management (King, 2003; 2009) by
ensuring that “a systematic, documented assessment of the processes and outcomes
surrounding key risks is undertaken”. It also states that the “board and executive management
must provide strategic direction, ensuring that risks are managed appropriately and verifying
that the enterprise’s resources are used responsibly”. The King II report states that:
a) “The board should make use of generally recognised risk management and internal control
models and frameworks in order to maintain a sound system of risk management and internal
control to provide reasonable assurance regarding the achievement of organisational objectives
with respect to:
effectiveness and efficiency of operations
safeguarding of the company’s assets (including information)
compliance with applicable laws, regulations and supervisory requirements
supporting business sustainability under normal as well as adverse operating conditions
reliability of reporting
behaving responsibly towards all stakeholders.
b) The board is responsible for ensuring that a systematic, documented assessment of the processes
and outcomes surrounding key risks is undertaken, at least annually, for making its public
statement on risk management. It should, at appropriately considered intervals, receive and
review reports on the risk management process in the company. This risk assessment should
address the company’s exposure to at least the following:
physical and operational risks
human resource risks
technology risks
business continuity and disaster recovery
credit and market risks
compliance risks. (von Solms & von Solms, 2009)”.
A DF capability can provide organisations with a mechanism to focus upon the legal and law enforcement aspects of an incident (Stephenson, 2002), and to give reasonable assurance of the assessment of the efficiency of controls, compliance, and responsible behaviour, as required by point ‘a’ of King II (discussed above). DF tools and techniques can assist management with the evidence of the assessments, to prove that the assessment of the processes and outcomes surrounding key risk areas has been undertaken, as required by point ‘b’ of King II (discussed above).
Different regulated industries, e.g., finance, healthcare, telecommunications and insurance,
have industry-specific requirements, for example Swiss ISP log retention (Nikkel, 2006). The
other external factor is industry best practices.
2.5.1.2 Factor 2: Industry best practices
Several guidelines or best practices exist for IT governance, one of the most commonly used
‘best practices’ being CobiT (Control Objectives for Information and related Technology).
CobiT is a set of documents made available by ISACA, the Information Systems Audit and
Control Association (ITGI, 2000). The USA uses the Statement on Auditing Standards No. 70 (SAS 70) to formulate the parameters for security audits (Wikipedia, 2012b).
Various industry best practices, e.g., ISO/IEC 27001 and ISO/IEC 27002 for Info Sec governance
(ISO/IEC17799, 2005) and the IAAC’s (Information Assurance Advisory Council) guidelines for
ensuring DF readiness (Sommer, 2005), require that corporations look at procedures to collect
evidence and to analyse incidents. It is essential to consider risk management and determine
the evidence requirements for identified risks. Best practices, for example the ISO/IEC 27001,
recognise that Info Sec architectures must look at digital evidence and digital evidence
preservation (ISO/IEC17799, 2005). There is a need for organisations to plan for DF
investigations and evidence availability.
IT Service Management (ITSM) refers to the management and provision of IT services in and to
an organisation. IT management hinges on the efficient use of four Ps: people, processes,
products (tools and technology) and partners (suppliers, vendors, and outsourcing
organisations) (Rudd, 2004). We will consider the Information Technology Infrastructure
Library (ITIL) as best practice when developing policies and processes for ITSM. It is essential
to consider potential needs for, and application of DF requirements, for example to ensure
that processes and standard operating procedures are DF sound and friendly.
The industry best practices consider the implementation of policies, controls, and procedures.
Sound management and good governance require organisations to be able to evaluate the
controls. DF can enable an organisation to acquire digital evidence that can demonstrate the
effectiveness of implemented controls or procedures. The next section will discuss the internal factors that drive the use of DF.
2.5.2 Internal factors
There is a growing need for digital evidence and sound processes in organisations. Nikkel (2006) has identified the following six functional areas in an organisation that need a forensic capability (pars. 2.5.2.1 - 2.5.2.6):
2.5.2.1 Factor 1 / functional area 1: Legal
The internal legal department in an organisation will need assistance with the
acquisition of evidence after an incident. It is also important to ensure compliance with
local laws and regulations.
2.5.2.2 Factor 2 / functional area 2: Internal audit
The internal audit department is required to use forensic tools, as reflected in the ISACA G28 guideline on forensics (ISACA, 2004), to advise on fraud and irregular use of IT infrastructure. A DF capability can assist organisations to prove compliance with corporate policies and procedures. Audit requirements and recommendations will also benefit from DF, as it will be possible to obtain more, and more relevant, evidence when required.
2.5.2.3 Factor 3 / functional area 3: Human resources
Human resources would use DF as a tool to recover evidence for internal hearings that
can result in the termination of service, to prove employee misconduct, and even in
extreme cases with evidence related to suicide or kidnapping.
2.5.2.4 Factor 4 / functional area 4: Other units, e.g. risk management
Other corporate units or bodies that can benefit are risk management and risk control to
investigate incidents.
2.5.2.5 Factor 5 / functional area 5: Intellectual property
The Intellectual Property (IP) in organisations is very important. DF will be able to assist
in investigating IP abuse or infringement. It will also be used when investigating
fraudulent websites and phishing attacks that pose a risk to the reputation of the
organisation.
2.5.2.6 Factor 6 / functional area 6: IT department
The IT department can use DF extensively to:
assess the security posture, for example, to assist with intrusion analysis
(Richardson, 2008)
investigate security breaches, IT policy violations, and IT infrastructure abuse or
misuse
use forensic tools and skills for legitimate but non-forensic purposes, for example, to
verify corporate disk-wiping procedures; verify disk or network encryption
implementation; data recovery from a crashed disk or from old and obsolete media;
legitimate password recovery requests; assistance with obscure troubleshooting;
and to improve the IT architecture of the organisation.
The need for solid ‘good’ evidence and the application of DF tools is evident in most of the driving
factors as discussed. It is summarised by the common reasons listed in the next paragraph.
2.5.3 Common reasons (needs) for the application of DF in organisations
We analysed the needs and drivers as discussed in the previous section, and have identified the following reasons to have evidence available and forensically sound processes in place:
2.5.3.1 Investigate incidents, fraud or employee behaviour (pars. 2.5.2.1 - 2.5.2.5)
2.5.3.2 Ensure the availability of good, admissible digital evidence (par. 2.5.2)
2.5.3.3 Assess effectiveness and efficiency of controls or procedures (par. 2.5.1.1)
2.5.3.4 Measure legal or regulatory compliance (pars. 2.5.1.1; 2.5.1.2)
2.5.3.5 Use DF tools for non-investigative purposes to improve IT and Info Sec governance
structures and performance (par. 2.5.2.6).
The identified reasons highlight the need to prepare organisations to identify evidence
proactively, before an incident; ensure that relevant processes and procedures exist, for example
a DF investigation protocol; and formulate clear policies and procedures for the use of DF tools.
DF readiness as defined in literature (Louwrens et al., 2006b; Rowlingson, 2004) will address
some of the purposes, as it concentrates on evidence availability, training of employees and
ensuring that the infrastructure and tools are available for investigating incidents. It does not
consider the use of DF tools for non-investigative purposes or the measuring of compliance.
From the discussion and identified purposes, it is clear that DF is no longer only an investigative
tool that organisations use after an incident has occurred. DF investigations will be carried out to
investigate incidents caused by cybercrime and cyber-criminals. The next section will provide a
short discussion of cybercrime to provide context for the thesis, as most investigations are
necessitated by a cybercrime incident.
2.6 CYBERCRIME
2.6.1 Definition of cybercrime
There are various descriptions of cybercrime, including:
‘Cybercrime contains all criminal offences which are committed with the aid of
communication devices in a network. This can be for example the Internet, the
telephone line or the mobile network’ (Wikipedia, 2008).
‘Cybercrime is criminal activity done using computers and the Internet and can be
divided into 3 major categories:
Cybercrimes against persons
Cybercrimes against property
Cybercrimes against government’ (Babu & Parishat, 2004).
The 10th UN Congress on the Prevention of crime and the treatment of offenders (Commission on
Crime Prevention and Criminal Justice, 2001) has categorised cybercrimes into three categories:
Category 1: Crimes committed against the technologies and their users:
Unauthorised access to computers and computer systems
Unauthorised use of computer systems
Reading, copying or taking data without authorisation
Creating or propagating hostile programs
Computer espionage.
Category 2: Conventional crimes committed using computer or communications
technologies:
Offences involving offensive content
Internet-related abduction
Fraud
Commercial or industrial espionage
Intellectual property crimes
Gambling
Money laundering.
Category 3: Use of the technologies to support other criminal activities.
According to the South African Electronic Communications and Transactions Act (25 of 2002), cybercrimes can be defined as:
intentional and unauthorised access to / or interception of data (S86.1)
intentional and unauthorised interference with data (S86.2)
possession of a device to unlawfully overcome security measures (S86.3)
using a device to unlawfully overcome security measures (S86.4)
denial of service (S86.5)
extortion (S87.1)
fraud and forgery (S87.2)
attempting, aiding or abetting the above (S88).
(The S number indicates the corresponding section in the ECT act).
From the definitions of cybercrime, it is clear that most attacks focus on gaining unauthorised
access to commit the crime. Typical examples of attacks are system penetrations for theft of
proprietary information, malicious code (virus or worms), web page defacements, domain name
hijacking, transmission of child-pornography, denial of service attacks and financial fraud, cyber-
squatting, cyber-stalking, cyber-terrorism, information warfare, discrimination and harassment,
insider trading and copyright violations (Casey, 2011). Cyberwarfare occurs when a state or nation is responsible for an attack on any business, governmental or public sector enterprise, for example the Stuxnet attack. Cybercrimes are not necessarily new crimes but are very similar to regular crimes committed outside the cyber arena, the main difference being that the criminal uses a computer or digital device to commit the crime or to launch an attack on another digital device.
2.6.2 Cybercriminals
Typical cybercriminals can be anyone, for example a disgruntled employee, intentional insider,
temporary employee, vendor, partner, intentional outsider, hacker, cracker, malicious code
writer, fraudster, unscrupulous competitor, terrorist, organised crime syndicate, disgruntled
customer, bored teenager or person engaged in industrial espionage.
The cybercriminal normally utilises attack tools to conduct attacks, examples of which are:
war diallers (software to dial all possible numbers to gain access to remote access
servers)
war driving (physically driving around looking for non-secure wireless networks)
password crackers (software to crack passwords), sniffing tools (software to find specific
data patterns)
key-loggers (technology to record all keystrokes), e-mail capture, Trojan horses (hidden
malicious code)
dumpster diving (physical examination of dustbins)
social engineering techniques (luring people to leak relevant information) and software
tools.
The next section will discuss types of attack used by cybercriminals.
2.6.3 Types of attacks
The 2006 CSI/FBI survey (Gordon, Loeb, Lucyshyn & Richardson, 2006), the 2007 CSI survey (Richardson, 2007), and the 2008 - 2011 CSI surveys (Richardson, 2008; Richardson, 2012) indicate that cybercrime is increasing and costs organisations vast sums of money. The average loss per respondent rose from $168 000 in 2006 to $350 000 in 2007, and was $288 618 in 2008 (Richardson, 2008). Types of attack reported included viruses; laptop or mobile theft; insider abuse of Internet access; unauthorised access to information; theft of proprietary information; financial fraud; telecommunication fraud; and phishing.
Cybercrime is a definite threat to the so-called ‘Information Society’, with various new types
having surfaced as the need for information is increasing with the development of the Internet
and associated applications. New risks are typically spam, spoofing, phishing, adware, spyware
and misleading applications (Pieterse, 2006; Turner, Entwisle & Denesiuk, 2007).
Whenever a cybercrime is committed or a threat has been manifested as an attack, it will be
declared as an incident. Organisations must have a formal investigation protocol in place to
ensure that the incident can be contained and successfully investigated. The forensic
investigation should have a seamless interaction with the IR, business continuity, disaster
recovery plans, audit, and legal divisions of the organisation.
Courts and internal investigations now require not only document-based evidence but also digital
or electronic-based evidence. Criminal investigations require solid, well-documented, acceptable
procedures and relevant, admissible evidence. DF tools and procedures should be able to
identify, extract, process and document accurate digital evidence. The next section will define
and briefly discuss digital evidence to provide a context for the thesis.
2.7 DIGITAL EVIDENCE
Good evidence is a business enabler, which organisations require to prove due diligence with respect
to corporate governance and to investigate and manage internal and external incidents (ISACA,
2004). Internal and external forensic investigations hinge on it. Evidence in itself is not absolute but
is only valuable when it is used to establish the truth about a particular incident. The next section
uses the literature studied to propose a definition for digital evidence, types of digital evidence, and
characteristics of good evidence, and then proposes a new definition for comprehensive digital
evidence.
2.7.1 Definition of digital evidence
Chawki (2004) defines evidence as ‘something that tends to establish or disprove a fact. It can
include documents, testimony, and other objects’.
There are various types of evidence. The Scientific Working Group on Digital Evidence
(SWGDE/IOCE) standards classify evidence into three main categories: digital evidence, physical
evidence and data objects (SWGDE & IOCE, 2000):
Category 1: Digital evidence, e.g., e-mail messages, logging data, backups, forensically
recovered data and eavesdropped data (traffic and content) where the data is stored or
transmitted in electronic or magnetic form. Subtypes are:
Original digital evidence, for example files stored on a CD: physical items and the
data objects associated with such items at the time of acquisition or seizure (SWGDE
& IOCE, 2000).
Duplicate digital evidence, e.g., scanned document or backup copy of a file: an
accurate digital reproduction of all data objects contained on an original physical
item (SWGDE & IOCE, 2000).
Copy, for example of an encrypted MS Word® document: an accurate reproduction
of information contained on an original physical item, independent of the original
physical item (SWGDE & IOCE, 2000).
Live evidence, e.g., register content, swap files or RAM content of a specific target
machine (SWGDE & IOCE, 2000).
Category 2: Physical evidence, for example flash drives, where the digital information is
stored, or transmitted through a physical media (SWGDE & IOCE, 2000).
Category 3: Data objects, e.g., metadata, directory data, and configuration data where
the information is linked to physical items or digital evidence (SWGDE & IOCE, 2000).
From a legal perspective, various types of evidence exist. Chawki (2004) has identified three
categories:
Category 1: Real or physical evidence, which consists of tangible objects.
Category 2: Testimonial evidence, where the testimony of a witness can be given during
a trial, based on a personal observation or experience.
Category 3: Circumstantial evidence, which is based on a remark, or observation of
realities that tends to support a conclusion, but not to prove it.
Casey (2004; 2011) adds the following legal category:
Category 4: Hearsay evidence, in which a statement in court repeats a statement made out of court in order to prove the truth of the content of the out-of-court statement. Similarly, evidence in a document is hearsay if the document is produced in court to prove the statements it contains.
Other categories of evidence are:
Technical evidence: In which a forensic technician has carried out some procedures on
original or real evidence and has produced results. This evidence is not expert evidence
but can be viewed as opinion evidence (Sommer, 2005).
Expert evidence: The opinion of someone who is an expert in the particular field or
conclusions of the expert after an investigation (Sommer, 2005).
Derived evidence: For example, a chart or video, created from primary evidence to
illustrate how conclusions were drawn.
During the analysis phase of an investigation, digital evidence is categorised as:
Inculpatory evidence: Evidence that supports the theory.
Exculpatory evidence: Evidence that contradicts the theory.
Evidence of tampering: Evidence not related to the theory but indicating that the system
has been tampered with to avoid identification (Carrier, 2003b; Rowlingson, 2004).
For the purpose of this thesis, we will consider evidence to be digital evidence (includes static,
legacy and live digital evidence; and data objects) and physical evidence. Figure 2-2 (below) is a
graphical representation of evidence as used in the thesis.
Figure 2-2. Graphical representation of evidence (by author)
Various definitions of digital evidence exist in the literature:
digital evidence of an incident ‘as digital data that contain reliable information that
support or refute a hypothesis about the incident being investigated’ (Carrier & Spafford,
2005).
digital evidence ‘as any information of probative value that is either stored or transmitted
in a binary form’. This field includes not only computers in the traditional sense but also
digital audio and video (SWGDE & IOCE, 2000).
digital evidence ‘as evidence that encompasses any and all digital data that can establish
that a crime has been committed, or can provide a link between a crime and its
perpetrator’ (Casey, 2004).
After considering the above-mentioned definitions, we propose the following definition:
Digital evidence is any data stored or transmitted using a digital device that tends to establish or disprove a fact (Chawki, 2004). The data stored or transmitted:
should be reliable information that supports or refutes a hypothesis and
can establish that a crime has been committed (Casey, 2004) or
can provide a link between a crime and its perpetrator (Casey, 2004).
The proposed definition requires that evidence must be ‘good’ and reliable. The next section discusses characteristics for reliable or good digital evidence.
2.7.2 Characteristics of ‘good’ evidence
Various factors can determine the value, applicability, admissibility, and trustworthiness of evidence. Digital evidence can easily be contaminated or compromised when handled incorrectly. Failure to produce relevant and admissible evidence very often leads to financial losses and failed investigations (Sommer, 2005).
There are specific requirements for digital evidence to be admissible in a court of law. Various countries and judiciaries have different requirements. The Electronic Communications and Transactions Act of South Africa (ECT) (2002) prescribes the following requirements for determining the admissibility of a digital document or evidence in a court of law:
the reliability of the manner in which the record was communicated and stored
how the integrity of the data was maintained
the manner in which the originator / author of the record is identified
determination of whether the evidence was legally obtained.
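The reliability fundamental of par. 2.4 (chain of evidence, integrity, the handler's relationship with the evidence, non-repudiation), the SWGDE notion of an accurate duplicate (par. 2.7.1) and the ECT Act's integrity and originator requirements above can be made concrete in code. The following is an added example and not part of the thesis: a hash-chained chain-of-custody ledger in Python, using constructed sample data and hypothetical handler keys (an HMAC stands in for each handler's digital signature).

```python
import hashlib
import hmac
import json

# Constructed sample data standing in for a forensic disk image and two copies;
# none of these bytes or names come from the thesis.
ORIGINAL_IMAGE = b"\x00" * 512 + b"CONSTRUCTED-SAMPLE-IMAGE" + b"\xff" * 512
ACCURATE_DUPLICATE = bytes(ORIGINAL_IMAGE)        # bit-for-bit reproduction
FLAWED_DUPLICATE = ORIGINAL_IMAGE[:-1] + b"\xfe"   # a single byte differs

# Hypothetical per-handler secrets. A production ledger would use each
# handler's private signing key; a shared-secret HMAC keeps the example short.
HANDLER_KEYS = {
    "investigator": b"constructed-key-investigator",
    "courier": b"constructed-key-courier",
    "analyst": b"constructed-key-analyst",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_accurate_duplicate(original: bytes, duplicate: bytes) -> bool:
    """SWGDE 'duplicate digital evidence' check: the copy is an accurate
    reproduction only if its digest equals the original's digest."""
    return hmac.compare_digest(sha256_hex(original), sha256_hex(duplicate))

class CustodyLedger:
    """Hash-chained chain-of-custody log. Every entry commits to the evidence
    digest, the action, the handler, the time and the previous entry, and
    carries the handler's MAC so that the person/evidence relationship
    cannot later be denied (the non-repudiation feature)."""

    def __init__(self, evidence_id: str, evidence_hash: str):
        self.evidence_id = evidence_id
        self.evidence_hash = evidence_hash
        self.entries = []

    @staticmethod
    def _canonical(body: dict) -> bytes:
        # Deterministic serialisation so digests and MACs are reproducible.
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def record(self, action: str, handler: str, timestamp: str) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        body = {
            "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash,
            "action": action,
            "handler": handler,
            "timestamp": timestamp,  # fixed ISO-8601 strings keep the run deterministic
            "prev_hash": prev_hash,
        }
        canonical = self._canonical(body)
        entry = dict(body)
        entry["entry_hash"] = sha256_hex(canonical)
        entry["handler_mac"] = hmac.new(HANDLER_KEYS[handler], canonical,
                                        hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence: bytes) -> list:
        """Return the list of problems found; an empty list means the evidence
        digest, the entry linkage and every handler's MAC all check out."""
        problems = []
        if sha256_hex(current_evidence) != self.evidence_hash:
            problems.append("evidence digest no longer matches the acquisition digest")
        expected_prev = self.evidence_hash
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items()
                    if k not in ("entry_hash", "handler_mac")}
            canonical = self._canonical(body)
            if entry["prev_hash"] != expected_prev:
                problems.append(f"entry {i}: broken link to the previous entry")
            if entry["entry_hash"] != sha256_hex(canonical):
                problems.append(f"entry {i}: contents altered after recording")
            key = HANDLER_KEYS.get(entry["handler"])
            expected_mac = (hmac.new(key, canonical, hashlib.sha256).hexdigest()
                            if key else "")
            if not hmac.compare_digest(entry["handler_mac"], expected_mac):
                problems.append(f"entry {i}: handler '{entry['handler']}' cannot be confirmed")
            expected_prev = entry["entry_hash"]
        return problems

def build_sample_ledger() -> CustodyLedger:
    """Constructed custody trail: acquisition, transport, analysis."""
    ledger = CustodyLedger("EV-0001", sha256_hex(ORIGINAL_IMAGE))
    ledger.record("acquired", "investigator", "2011-11-01T08:00:00Z")
    ledger.record("transported", "courier", "2011-11-01T10:30:00Z")
    ledger.record("analysed", "analyst", "2011-11-02T09:15:00Z")
    return ledger

def tampered_ledger() -> CustodyLedger:
    """Same trail, but the transport entry is later edited to name another handler."""
    ledger = build_sample_ledger()
    ledger.entries[1]["handler"] = "investigator"
    return ledger
```

Editing a single field of a recorded entry breaks both that entry's digest and its handler MAC, so the ledger reports exactly who and what can no longer be confirmed, which is the property the ECT integrity and originator requirements ask for.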
Not all the information stored is necessarily useful evidence. DF tools can retrieve the evidence required in a legally acceptable format, admissible in a court of law, and provide a chain of evidence and custody. We propose a new term to encapsulate the requirements of ‘good’ evidence:
Comprehensive digital evidence (CDE) is digital evidence that will have evidentiary weight in a court of law and that contains all the evidence necessary (relevant and sufficient) to establish a fact or disprove a claim (by author).
Investigators will use CDE to determine the root cause of the incident, link the attacker to the incident and lead to a successful prosecution of the perpetrator in an investigation.
An increasing number of commercial organisations, law enforcement agencies, military and government agencies and data recovery teams have a need for DF tools and technology. Each of the mentioned entities has a different purpose for the application of DF. DF tools and technology are normally used to acquire evidence. Evidence is becoming a business enabler.
DF investigators normally compile an investigation framework to conduct an investigation or to acquire relevant evidence by using published best practices. The success of an investigation can be determined by the use of acceptable DF tools and procedures. It may be necessary to use multiple tools to ensure the accuracy of the result of the application of the relevant tools. The next section will discuss the concept of our CDF capability.
2.8 COMPREHENSIVE DIGITAL FORENSIC CAPABILITY
Most of the researched DF frameworks consider three areas or components (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004):
Component 1: Preparation to ensure DF readiness
Component 2: Live evidence acquisition
Component 3: Reactive forensic investigation
We have identified three areas in the case study as discussed in par. 2.3.1:
The CCTV camera and gate access records are examples of proactive collection of
evidence and structuring of procedures (access control at gate) - PROACTIVE
Eyewitnesses and CCTV footage are examples of live evidence gathering - ACTIVE.
The actual investigation of the incident followed, using the evidence that is in place from
the proactive gathering and live sources - REACTIVE.
Note to reader:
We propose that our comprehensive DF (CDF) capability consists of three components:
Proactive DF (ProDF) component prepares organisations for DF investigations and
ensures digital evidence availability and forensic sound processes exist before an
incident.
Reactive DF (ReDF) component investigates the incident after an incident has
occurred.
Active DF (ActDF) component gathers live or additional evidence during an on-going
incident.
Figure 2-3 (below) is a graphical representation of our CDF capability.
Figure 2-3. Graphical representation of our comprehensive DF capability (by author)
The identification and definition of the individual components is essential for the formulation of our CDF capability. The next section discusses each component of our CDF capability and provides an initial definition for each component.
2.8.1 Reactive DF (ReDF) component
Most of the researched DF frameworks are reactive and focus on the DF investigation after an incident has occurred. The frameworks involve the use of specified analytical and investigative techniques to acquire evidence, analyse the evidence, establish the root cause of an incident, and to present the evidence in court. ReDF investigations are often referred to as ‘dead’ forensics or conducting a ‘post-mortem’ (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004).
We used the definitions of the DF research workshop, Kruse & Heiser (2004), Reith et al. (2002), Palmer (2001) and Rowlingson (2004) to compile the following definition for Reactive DF (ReDF):
ReDF is an application of analytical and investigative tools and techniques for the preservation, identification, extraction, documentation, analysis and interpretation of digital media for evidentiary and/or root-cause analysis and the presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of incidents.
ReDF will be discussed in more detail in Chapters 3 and 5 of the thesis.
2.8.2 Proactive DF (ProDF) component
ProDF will prepare organisations for investigations or make them DF-ready. It is essential to determine the evidence required before an incident occurs and to have the evidence available in an acceptable and admissible format. For example, applicable transaction and network logs should be available when investigating a fraudulent transaction or to prove compliance.
DF readiness as discussed in literature ensures that organisations have the ability to maximise their potential to use digital evidence whilst minimising the costs of an investigation (Rowlingson, 2004). DF readiness concentrates on readiness for post-incident investigations. However, the driving factors (par. 2.5) demonstrate the reasons organisations need to ensure evidence availability and forensically sound processes (par. 2.5.3) to:
investigate incidents, fraud or employee behaviour
assess effectiveness and efficiency of controls or procedures
measure compliance
use DF tools for non-investigative purposes to improve IT governance structures
assess the security posture of the organisation.
DF readiness as discussed in literature partially addresses the first point above. The proposed ProDF component will enable an organisation to become DF-ready and use DF tools and technologies to acquire evidence to demonstrate good Corporate and IT Governance.
Note to reader:
In this thesis, we claim that Pro-active DF is more complete than DF readiness. In general,
DF readiness concentrates on preparation of infrastructure, people, technology, and the
availability of digital evidence. The frameworks and viewpoints researched do not consider
the application of DF tools for non-investigative purposes, for example to enhance
governance structures (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Bradford
et al., 2007; Carrier & Spafford, 2003; Casey, 2004; Ieong, 2006; Louwrens et al., 2006b;
O'Ciardhuain, 2004; Rowlingson, 2004).
We propose the following initial definition for Proactive DF (ProDF):
ProDF is the forensic preparation of an organisation to ensure successful, cost-effective investigations, with minimal disruption to business activities, and the use of DF to establish and manage governance programmes.
Note to reader:
It is clear that ProDF will require that sufficient forensically sound processes, procedures, technologies and operational infrastructure, trained staff and relevant admissible digital evidence be in place to enable a successful investigation, with minimal disruption to business activities, and the use of DF technology to enhance the security posture of the organisation and ensure good corporate governance.
ProDF will require that the legal authority be determined to clearly define the role and responsibility of an expert witness. Wikipedia (2012a) defines “An expert witness, professional witness or judicial expert [as] a witness, who by virtue of education, training, skill, or experience, is believed to have expertise and specialised knowledge in a particular subject beyond that of the average person, sufficient that others may officially and legally rely upon the witness's specialized (scientific, technical or other) opinion about an evidence or fact issue within the scope of his expertise, referred to as the expert opinion, as an assistance to the fact-finder. Expert witnesses may also deliver expert evidence about facts from the domain of their expertise. At times, their testimony may be rebutted with a learned treatise, sometimes to the detriment of their reputations”. ProDF will be discussed in more detail in Chapter 4 of the thesis.
2.8.3 Active DF (ActDF) component
It is not possible to be 100% prepared for all incidents, and there is a need to be able to
investigate a new or on-going incident. An on-going incident is one that is in progress or is
happening in real time, a typical example being a phishing attack on an organisation or a person
accessing unauthorised information on a company network. The incident detection component of
the IRP will play its role. The need to acquire live evidence will activate the ActDF component to
gather live evidence and compile a solid evidence base or platform for a ReDF investigation to
continue. A new, unknown, or specific incident can trigger the ActDF component, which must
integrate seamlessly with the IRP of the organisation. We propose the following initial definition
for Active DF (ActDF):
ActDF is the ability of an organisation to gather relevant digital evidence
whilst minimising the effect of the incident during an on-going incident to
facilitate a successful investigation.
We will discuss ActDF in detail in Chapter 6. The three components of our CDF capability cannot
exist in isolation, as there is a relationship between them. The next section discusses the
relationship.
2.8.4 Potential relationship between the components of a CDF capability
An incident alert will activate a forensic investigation, and will be the catalyst between the
components of our CDF capability:
ProDF will be concentrating on pre-incident activities, for example evidence
identification, process structuring, employee education and assessment of controls
ActDF will deal with the gathering of ‘live’ digital evidence during on-going incidents
ReDF will deal with the actual post-incident investigations.
There is an interaction between ActDF and ReDF as live evidence gathering is part of the ReDF
evidence acquisition protocol. Once the ActDF component has acquired the ‘live’ digital
evidence, the ReDF component will continue with the investigation. Figure 2-4 (below) is a
graphical representation of the expected relationship. We will investigate this relationship in the
next three chapters.
The ProDF component adds a different slant towards the application of DF in an organisation as it
looks at the structuring of processes, internal systems and potentially the evaluation of controls
to prove due diligence and demonstrate good corporate governance.
The discussion above and the drivers for DF as identified in par. 2.5 demonstrate the shift in
application of DF tools and technologies. Stephenson has identified the following two directions.
DF can:
be used to determine the root cause that permitted the incident (Stephenson, 2002)
focus upon legal and law enforcement aspects of an incident (Stephenson, 2002).
We add the following two additional directions to DF:
ensure that relevant, adequate evidence, processes and procedures exist that are legally
admissible and acceptable to ensure cost-effective investigations (Rowlingson, 2004;
Sommer, 2005).
enable an organisation to demonstrate due diligence with respect to good corporate (IT)
governance by ensuring the availability of ‘good’ evidence to assess the effectiveness and
efficiency of controls (Hilley, 2006).
Figure 2-4. Relationship between components of CDF capability (by author)
2.9 SUMMARY
This Chapter has provided a background to DF by defining it and briefly discussing the difference
between computer forensics and DF. By referring to cybercrime and new developments in security
threats, the chapter showed that DF is becoming increasingly important for governments,
organisations and individuals, as the evidence needed for compliance, investigations and assessment
is increasing. To provide definitions for the remainder of the thesis, the chapter briefly discussed
cybercrime, digital evidence and digital evidence requirements. Due to the importance of the
admissibility and quality of digital evidence, we proposed a new definition for CDE (comprehensive
digital evidence). DF is no longer a reactive discipline and the last section proposed the concept of
our CDF capability that consists of ProDF, ActDF and ReDF. The next chapter will investigate
conventional DF frameworks.
Part 1: Background to Digital Forensic
3-51 | P a g e Chapter 3: Conventional DF frameworks
3 CHAPTER 3
CONVENTIONAL APPROACH TO DIGITAL FORENSICS
3.1 INTRODUCTION
The way that digital forensic investigations and incident responses are handled is very important, as
it will determine the success of an investigation. Various frameworks exist to guide investigators to
solve cybercrime cases where computers and digital media have been involved. From the literature
studied, most of the traditional frameworks concentrate on the investigation after an incident has
occurred (ReDF) with limited reference to ‘live investigations’ (ActDF) and the preparation of
organisations for DF (ProDF).
From the literature studied, we have identified two types of framework:
Process frameworks: (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier &
Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain,
2004)
A role-based framework (Ieong, 2006).
The process frameworks follow a ‘waterfall approach’ with typical phases of preparation, acquisition,
analysis, reconstruction, and presentation of the findings. There may be iterations between the
phases to gather more evidence to support the hypothesis. Ieong (2006) has proposed a holistic
role-based legal framework that concentrates on the legal environment and the different people
who should perform certain tasks.
This chapter discusses and compares various process frameworks, using the comparison to identify a
comprehensive set of phases with associated steps needed to formulate our CDF capability. During
the discussion and comparison of the various frameworks, the chapter will identify the phases and
steps in terms of the proposed components of our CDF capability: ReDF, ActDF, and ProDF. The last
section discusses the role-based framework of Ieong (2006) and compares it to the process framework
to identify potential gaps and essential aspects that should be included in the formulation of our CDF
capability, or other aspects to consider in the formulation of the implementation and management
DF framework (DFMF). This chapter is the cornerstone of the thesis as it provides a comprehensive
literature review of selected DF frameworks. The first version of our CDF capability derived from the
comparisons to be made in the chapter becomes the starting point for formulating each component
of the CDF capability. Figure 3-1 (below) depicts the role of this chapter within the overall thesis.
3.2 AIM AND STRUCTURE OF THIS CHAPTER
The aim of the chapter is to investigate current DF frameworks by:
discussing the identified process frameworks and identifying phases and steps inherent in
ProDF, ActDF and ReDF (par. 3.3) for the formulation of our CDF capability.
comparing the various composite process frameworks (par. 3.4) to establish the phases and
steps of our CDF capability.
proposing an initial draft of our CDF capability (par. 3.5).
discussing a role-based framework (par. 3.6).
comparing the role-based framework with the comprehensive process framework (par. 3.7).
The comparison will identify potential gaps in the phases and steps of our CDF capability.
Note to reader:
We have included a fold-out at the end of the chapter - par. 3.9, p. 3-91 to use as a map to
guide the reader. We suggest that this page be folded out at this stage to provide
context. It is also advised that it be referred to continuously to ensure that the context is
preserved.
Figure 3-1. Role of the chapter in the thesis
[Figure: Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF;
Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF); grouped
under Part 1: Background, Part 2: Construction of DFMF, and Part 3: Conclusion]
The next section will discuss process-oriented frameworks.
3.3 PROCESS-ORIENTED FRAMEWORKS
When an incident occurs, there are various courses of action that can be taken. The type of
organisation will determine the response to the incident:
Law enforcement will secure the crime scene as soon as possible and acquire potential
evidence.
Military operations and critical infrastructures will perform a risk identification and
elimination exercise as soon as possible, to enable speedy recovery and possible offensive
measures.
Business will try to contain the incident to minimise financial losses, restore systems as soon
as possible, and perform root cause analysis to determine the cause of the incident.
Most of the conventional process-oriented DF frameworks follow a linear (waterfall) approach
consisting of consecutive steps. The result of one step normally serves as the input to the next step.
Iteration structures exist between steps to enable the investigator to review and gather more
evidence that is relevant from a previous step, if required. Typical process framework steps are to
detect the incident, identify and acquire the evidence, analyse the acquired evidence, reconstruct
the incident and present the findings (Figure 3-2, below).
Figure 3-2 Typical process framework (by author): Detect incident → Identify and acquire evidence →
Analyse acquired evidence → Reconstruct the incident → Present the findings
A general trend in the development of DF frameworks is to use phases and steps of existing
frameworks to propose a new improved composite framework, for example the framework of
Séamuas Ó Ciardhuáin (2004), who has used those of Lee (2001), Palmer (2001) and Reith et al.
(2002) to propose his.
The next section provides a brief overview of the following seven composite frameworks:
Ó Ciardhuáin (2004), par. 3.3.1
Carrier and Spafford (2003), par. 3.3.2
Baryamureeba and Tushabe (2004), par. 3.3.3
Beebe and Clark (2005), par. 3.3.4
Louwrens et al (2006b), par. 3.3.5
Casey (2004), par. 3.3.6
Forrester and Irwin (2007), par. 3.3.7.
Note to reader:
We will apply the various definitions of ProDF, ActDF and ReDF as defined in Chapter 2 (par. 2.8.1 -
2.8.3) to identify phases and steps for the formulation of each component of our CDF. The proposed
components are ProDF, to prepare organisations for the use of DF tools and technologies to ensure
evidence availability and DF-sound processes; ReDF, the traditional DF investigation after an
incident; and ActDF, which focuses on live evidence acquisition and analysis.
We will use tags to identify the phase or step that inherently belongs to a component. We will use
(REACTIVE) as a ReDF tag, and / or (PROACTIVE) as a ProDF tag and / or (ACTIVE) as an ActDF tag
when discussing the various frameworks.
3.3.1 FRAMEWORK 1: Ó Ciardhuáin (2004)
Séamuas Ó Ciardhuáin has proposed an extended framework for cybercrime investigations,
which provides a reference framework to support the development of tools, techniques, and
training. The framework concentrates on information flow during an investigation. Ó Ciardhuáin
has compared the frameworks of Lee (2001), Palmer (2001) and Reith et al. (2002) to propose his
framework. Most of these frameworks concentrate on the investigation and not on information
flows through an investigation. The framework concentrates on the post-incident investigation,
and proposed the following 13 steps:
3.3.1.1 Step 1: Awareness - Create awareness that an investigation is needed. (REACTIVE)
3.3.1.2 Step 2: Authorisation - Obtain authorisation from internal and external parties to
conduct the investigation. (REACTIVE)
3.3.1.3 Step 3: Planning – Determine the internal and external requirements (e.g., regulatory or
legal). (REACTIVE)
3.3.1.4 Step 4: Notification - Notify concerned parties that an investigation is taking place. This
activity may not be appropriate if the possibility of destruction of evidence exists.
(REACTIVE)
3.3.1.5 Step 5: Search for and identification of evidence - Locate the source of evidence internally
and externally. (REACTIVE)
3.3.1.6 Step 6: Collection of evidence - Collection and preservation of evidence is a systematic
and legally acceptable process. (REACTIVE)
3.3.1.7 Step 7: Transport of evidence - Ensure that the way that evidence is transported will not
compromise its integrity. (REACTIVE)
3.3.1.8 Step 8: Storage of evidence - Preserve the integrity of the evidence. (REACTIVE)
3.3.1.9 Step 9: Examination of evidence - Use of acceptable tools and techniques to examine the
evidence. (REACTIVE)
3.3.1.10 Step 10: Formulate a hypothesis - Investigators formulate a hypothesis based on
evidence gathered. (REACTIVE)
3.3.1.11 Step 11: Presentation of hypothesis - Presentation of the hypothesis to relevant internal
and/or external parties will determine the cause of action to be taken. (REACTIVE)
3.3.1.12 Step 12: Proof / defence of hypothesis - Investigator needs to prove the hypothesis.
(REACTIVE)
3.3.1.13 Step 13: Dissemination of information - Disseminate the report / result of the
investigation to the relevant parties. (REACTIVE)
This framework proposes that an investigation will proceed in a waterfall fashion. There may be
situations in which feedback loops exist between various steps of an investigation. The
framework concentrates on information flow from one step to the next.
The framework also identifies the information flows to and from other parts of the organisation
that can have an impact on the investigation. This framework identifies the need to revise
organisational policies and consider the regulatory and legal requirements.
Note to reader:
The framework of Ó Ciardhuáin includes extra activities that were not included in the
supporting models, as well as the concept of information flows. The framework is still on an
abstract level and will have to be applied in the context of the organisation. The
framework identifies the need to revise organisational policies and the influence of legal
and regulatory requirements.
3.3.2 FRAMEWORK 2: Carrier and Spafford (2003)
The framework of Carrier and Spafford used the following frameworks as a starting point: IR
process framework, DOJ crime scene investigation guide (Nolan, O'Sullivan, Branson & Waits,
2001), US Air Force framework and physical crime scene investigation (Carrier & Spafford, 2003).
This framework treats the physical computer as the primary crime scene and applies the physical
crime scene investigation techniques first. The digital crime scene is secondary to the physical
scene which will allow one to link the person to the digital crime. Carrier et al. (2003) introduced
the following terms:
Physical evidence is evidence that can establish that a crime has been committed, provide
a link between the crime and the victim, or provide a link between the crime and the
perpetrator, for example, hard disk, PDA, flash drive or cell phone.
Digital evidence is digital data that can establish that a crime has been committed or can
provide a link between a crime and the perpetrator, for example data in memory, on a
hard disk or in a cell phone linked to the suspect or crime.
Physical crime scene is the physical environment in which the physical evidence of a crime
or incident exists. The environment in which the crime or incident has originated will be
the primary crime scene and all the subsequent scenes will be secondary (Carrier &
Spafford, 2003; Lee et al., 2001). The size of this scene is determined by natural
boundaries.
Digital crime scene is the virtual environment created by hardware and software where
digital evidence of a crime exists.
The environment where the first criminal act occurs is the primary scene and all
subsequent scenes will be secondary.
The integrated digital investigation framework of Carrier and Spafford (2003) organises the
process into five groups:
3.3.2.1 GROUP 1: Readiness (Entire group is PROACTIVE)
3.3.2.1.1 Operational readiness refers to a fully trained human capacity.
3.3.2.1.2 Infrastructure readiness will ensure that evidence is available by employing the
relevant hardware and software to capture the data.
3.3.2.2 GROUP 2: Deployment
3.3.2.2.1 Detection and notification phase will detect the incident and notify the relevant
party. (REACTIVE)
3.3.2.2.2 Confirmation and authorisation phase will confirm the incident and obtain the
required legal authorisation to continue with the investigation. (REACTIVE)
3.3.2.2.3 Sometimes it will be necessary to analyse the live system and to verify that an
incident has occurred. It is then essential to acquire the relevant evidence, e.g., root
kits or suspicious network activities. (ACTIVE)
3.3.2.2.4 It is essential to contain the incident and minimise its impact on the system.
(REACTIVE)
3.3.2.3 GROUP 3: Physical crime scene investigation
3.3.2.3.1 Preservation phase - Preserve the physical crime scene. (REACTIVE)
3.3.2.3.2 Survey phase - The investigator walks through the crime scene and identifies potential
evidence. (REACTIVE)
3.3.2.3.3 Documentation phase - Taking of photographs, sketches, videos of crime scene and
physical evidence. (REACTIVE)
3.3.2.3.4 Search and collection phase - An in-depth search of the scene and collection of
evidence to obtain as much as possible prior to the digital investigation. This can
include the collection of live evidence. (REACTIVE), (ACTIVE)
3.3.2.3.5 Reconstruction phase - Organising the results from the analysis conducted so far and
developing a theory for the incident. (REACTIVE)
3.3.2.3.6 Presentation phase - Present the physical and digital evidence in a court of law or to
corporate management. (REACTIVE)
3.3.2.4 GROUP 4: Digital crime scene investigation (Entire group is REACTIVE)
3.3.2.4.1 Preservation phase - Preserves the digital crime scene so that evidence will be
preserved.
3.3.2.4.2 Survey phase - Investigator transfers all relevant data from the controlled venue to a
controlled location for investigations.
3.3.2.4.3 Documentation phase - Documents the evidence as it is found.
3.3.2.4.4 Search and collection phase - In-depth analysis of evidence by the use of software
tools. The investigator should reveal hidden, deleted, swapped and corrupted files
that were used, including the meta-data. Low-level time-lining can be performed to
trace the user activity.
3.3.2.4.5 Reconstruction phase - Uses all the evidence to develop an investigative hypothesis.
3.3.2.4.6 Presentation phase - Presents the digital evidence found to the investigative team.
3.3.2.5 GROUP 5: Review – The investigator should review results to identify areas of
improvement. The result could, for example, be new policies and procedures or
additional training. (REACTIVE)
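The search and collection phase of the digital crime scene investigation above mentions low-level time-lining to trace user activity. As an added example (written for this page in Python; it is not code from Carrier and Spafford or from the thesis), the script below builds a mactime-style timeline from a few constructed file-system metadata records. The records are laid out in the pipe-separated body format that The Sleuth Kit tools emit (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, timestamps in epoch seconds); that layout, the file names and every timestamp are assumptions made for the example. Each timestamp of a file becomes one event, events at the same time for the same file merge into a single line with MACB flags, and a helper narrows the timeline to the window around an alert.

```python
"""Low-level time-lining of file-system metadata (mactime-style).

Added example, not code from the thesis or the frameworks it reviews. The
input layout (Sleuth Kit 'body' format, epoch seconds) and every record value
are constructed assumptions for this example.
"""
from datetime import datetime, timezone

# Constructed sample records: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY_RECORDS = """\
0|/home/user/.bash_history|1001|r/rrw-------|1000|1000|512|1700000400|1700000400|1700000400|1699990000
0|/tmp/.hidden/unknown.bin|2002|r/rrwxr-xr-x|1000|1000|8192|1700000300|1700000300|1700000300|1700000300
0|/var/log/auth.log|3003|r/rrw-r-----|0|4|40960|1700000100|1700000500|1700000500|1699980000
0|/home/user/Documents/report.docx|4004|r/rrw-r--r--|1000|1000|20480|1700000200|1699999000|1699999000|1699999000
"""

# Field index of each timestamp and the letter mactime prints for it.
TIME_FIELDS = (("atime", 7, "a"), ("mtime", 8, "m"), ("ctime", 9, "c"), ("crtime", 10, "b"))


def parse_body(text):
    """Parse body-format lines into dicts; blank lines are skipped, bad lines rejected."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed body record: {line!r}")
        row = {"name": f[1], "inode": f[2], "mode": f[3], "uid": f[4], "size": int(f[6])}
        for name, idx, _ in TIME_FIELDS:
            row[name] = int(f[idx])
        rows.append(row)
    return rows


def build_timeline(rows):
    """One event per (timestamp, file); coinciding timestamps merge into MACB flags.

    A timestamp of 0 means 'unknown' and produces no event, as mactime does.
    """
    events = {}
    for row in rows:
        for name, _, flag in TIME_FIELDS:
            ts = row[name]
            if ts == 0:
                continue
            ev = events.setdefault((ts, row["name"]), {
                "ts": ts, "name": row["name"], "size": row["size"],
                "uid": row["uid"], "flags": set()})
            ev["flags"].add(flag)
    timeline = []
    for key in sorted(events):
        ev = events[key]
        macb = "".join(c if c in ev["flags"] else "." for c in "macb")
        timeline.append({
            "time": datetime.fromtimestamp(ev["ts"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "macb": macb, "uid": ev["uid"], "size": ev["size"], "name": ev["name"],
        })
    return timeline


def events_between(timeline, start, end):
    """Narrow the timeline to [start, end] ('YYYY-MM-DD HH:MM:SS', UTC)."""
    return [e for e in timeline if start <= e["time"] <= end]


if __name__ == "__main__":
    for e in build_timeline(parse_body(BODY_RECORDS)):
        print(f"{e['time']} {e['macb']} uid={e['uid']:<5} {e['size']:>7} {e['name']}")
```

Reading the merged output in time order is what lets an examiner relate a file creation to the shell history and log modifications around it; the MACB column says which of the four timestamps produced each line, which matters because a file with only its access time in the window was read, not written.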
Note to reader:
This framework illustrates that DF is broader than evidence collection as it deals with
event reconstruction. It also describes the interaction between the physical and digital
investigations should an incident occur. The framework allows for the collection of data
from a ‘live’ system, but considers it as physical evidence.
The physical scene of the incident or crime acts as the central focus of the investigation.
The digital investigation results feed into the physical investigation results. This is a
potential problem as not all physical crime scenes are accessible, for example, if a crime
was committed over the Internet and therefore potentially no real physical crime scene
exists.
The framework includes readiness that is part of ProDF. The collection of ‘live evidence’
can be included in the ActDF component. These will be taken into consideration in Chapter
6.
3.3.3 FRAMEWORK 3: Baryamureeba and Tushabe (2004)
This framework is known as the ‘Enhanced Digital Investigation’ process framework. The authors
have considered the following frameworks: Electronic crime scene investigation - A guide to first
responders of the National Institute of Justice (Nolan et al., 2001), the framework of Reith et al.
(2002) and Carrier and Spafford (2003).
It is essential to define a physical crime scene and a digital crime scene investigation:
The physical crime scene is defined as the physical environment where physical evidence of a
crime or incident exists.
A digital crime scene is defined as the virtual environment created by hardware and
software where evidence of a digital crime or incident exists.
Baryamureeba and Tushabe (2004) distinguish between physical and digital crime scene
investigations. The framework that Baryamureeba proposes has five phases:
3.3.3.1 PHASE 1: Readiness phase (two steps) (Entire phase is PROACTIVE)
3.3.3.1.1 Step 1: Operations readiness - ensure that human capacity is fully trained and
equipped to deal with an incident.
3.3.3.1.2 Step 2: Infrastructure readiness - ensure that infrastructure is adequate and
sufficient to deal with incidents to come.
3.3.3.2 PHASE 2: Deployment phase (five steps) (Entire phase is REACTIVE)
Provide a mechanism for an incident to be detected and confirmed. This can be done at the
place where the crime was committed:
3.3.3.2.1 Step 1: Detection and notification.
3.3.3.2.2 Step 2: Physical crime scene investigation and identification of potential digital
evidence. The physical crime scene investigation has five sub-steps.
Preservation - preservation of physical scene so that evidence can be later identified
and collected by trained personnel. It will also involve identifying, removing and
separating witnesses from the crime scene.
Survey - investigator walks through the crime scene, identifies potential pieces of
physical and potential evidence, determines the extent of the search, develops a
preliminary theory and documents a narrative.
Documentation - capture as much information as possible by using, for example,
videos and photographs so that the details of the crime scene are preserved.
Search and collect - in-depth search of the scene to identify additional evidence and
allow the digital investigation to begin.
Presentation - all identified digital evidence is transported and delivered to the
digital investigation team.
3.3.3.2.3 Step 3: Digital crime scene investigation - an electronic examination of the scene is
performed and digital evidence is obtained, together with the possible extent of the damage. A
digital crime scene investigation has four sub-steps:
Preservation - preserve the digital crime scene so that evidence can be
synchronised. Make forensic copies of the evidence.
Survey - identify potential evidence from the imaged data set.
Search and collection - an in-depth analysis of digital evidence using software tools,
fusion, correlation, graphing, mapping and time-lining data to develop various
investigative hypotheses.
Documentation - document the digital evidence as it is found.
3.3.3.2.4 Step 4: Confirmation - the incident is confirmed and authorisation has been obtained
from regulatory and legal authorities.
3.3.3.2.5 Step 5: Submission - presenting physical and digital evidence to legal entities or
corporate management.
3.3.3.3 PHASE 3: Trace-back phase (two steps) (Entire phase is REACTIVE)
During this phase, the perpetrator’s physical crime scene of operations is tracked down,
leading to the identification of the devices used to perform the act.
3.3.3.3.1 Step 1: Digital crime scene investigation – use clues from the previous phases to
identify the primary crime scene.
3.3.3.3.2 Step 2: Authorisation phase - obtain authorisation from local authorities to permit
further investigations.
3.3.3.4 PHASE 4: Dynamite phase (four steps) (Entire phase is REACTIVE)
The aim of this phase is to investigate the primary crime scene, as well as to collect and
analyse items found at the primary crime scene to obtain further evidence that the crime
originated there. It will help to identify potential perpetrators.
3.3.3.4.1 Step 1: Physical crime scene investigation
3.3.3.4.2 Step 2: Digital crime scene investigation
3.3.3.4.3 Step 3: Reconstruction
3.3.3.4.4 Step 4: Communication - present to a court of law or corporate management the
final interpretations and conclusions about physical and digital evidence that have
been investigated.
3.3.3.5 PHASE 5: Review phase (REACTIVE)
The aim of this phase is to review the result of the investigation and apply lessons learned.
This framework proposes an iterative process that will consider the primary and secondary crime
scenes.
Note to reader:
This framework makes a clear distinction between the physical and digital crime scenes,
but provides clear guidelines to merge the digital and physical investigation. This will
ensure that all aspects of the investigation are covered.
A problem within the framework is that there must be a physical crime scene before a
digital investigation can be concluded (see Trace-back phase). A further constraint is that
all digital evidence must be collected from the physical crime scene and transported to the
DF investigation laboratory to be investigated, however this is not always feasible or
possible.
The definition of the physical crime scene can pose a problem when an attack is launched
from a remote location, for example over the Internet. Legislative requirements of the
particular countries involved must be abided by.
The framework includes readiness as a component of ProDF. These will be taken into
consideration in Chapter 6. ActDF is not considered as it concentrates mainly on post-
incident investigations.
3.3.4 FRAMEWORK 4: Beebe and Clark (2005)
Beebe and Clark propose a hierarchical objectives-based framework for the digital investigative
process. They have used the frameworks of Palmer (2001), DOJ (Nolan et al., 2001), Reith et al.
(2002), Carrier and Spafford (2003), Beebe and Clark (2005). This hierarchical framework consists
of six high-level phases with sub-phases, each of which has principles and objectives. The phases
and sub-phases are distinct, discrete steps in the process that are normally performed
sequentially. The framework considers the following six first-tier phases:
3.3.4.1 PHASE 1: Preparation phase (Entire phase is PROACTIVE)
Keep in mind steps to maximise digital evidence availability in support for deterrence,
detection, investigation, and prosecution related to security incidents:
3.3.4.1.1 Assess the risk by considering vulnerabilities, threats, loss and exposure
3.3.4.1.2 Develop an information retention plan (pre- and post-event)
3.3.4.1.3 Develop or augment an IRP (including policies, procedures, staff assignments,
technical requirements)
3.3.4.1.4 Develop technical capabilities
3.3.4.1.5 Train staff
3.3.4.1.6 Prepare host and network devices
3.3.4.1.7 Develop evidence preservation and handling procedures
3.3.4.1.8 Document the result of activities
3.3.4.1.9 Develop a legal activity coordination plan.
3.3.4.2 PHASE 2: Incident response phase (Entire phase is REACTIVE)
3.3.4.2.1 Detect a suspicious activity
3.3.4.2.2 Report the suspicious activity to the relevant authority
3.3.4.2.3 Validate as an incident
3.3.4.2.4 Assess the damage to or impact on the organisation
3.3.4.2.5 Develop a strategy regarding containment, eradication, recovery, and investigation
considering business, legal, technical and political factors and goals
3.3.4.2.6 Coordinate all the resources by including managerial, human, and legal resources
3.3.4.2.7 Formulate an initial investigative plan for data collection and analysis.
3.3.4.3 PHASE 3: Data collection phase
3.3.4.3.1 Collect evidence to support response strategy and investigative plan (REACTIVE)
(ACTIVE)
3.3.4.3.2 Complete the ‘live response’ data collection (ACTIVE)
3.3.4.3.3 Obtain network-based evidence (REACTIVE) (ACTIVE)
3.3.4.3.4 Obtain host-based evidence (REACTIVE)
3.3.4.3.5 Obtain removable media (REACTIVE)
3.3.4.3.6 Install an active monitoring capability (PROACTIVE)
3.3.4.3.7 Ensure high integrity and authenticity of evidence (REACTIVE) (ACTIVE)
3.3.4.3.8 Package, transport, and store digital evidence. (REACTIVE) (ACTIVE)
3.3.4.4 PHASE 4: Data analysis phase (Entire phase is REACTIVE)
The purpose is to confirm suspicion and/or to reconstruct the incident
3.3.4.4.1 Transform large volumes of data into manageable size
3.3.4.4.2 Conduct initial data survey to determine skill level of suspect
3.3.4.4.3 Employ data extraction techniques
3.3.4.4.4 Examine, analyse and reconstruct the incident.
3.3.4.5 PHASE 5: Presentation of findings phase
Communicate findings to different audiences, e.g., management, legal authorities and technical
staff. (REACTIVE)
3.3.4.6 PHASE 6: Incident closure phase (Entire phase is REACTIVE)
3.3.4.6.1 Conduct a critical review of the entire process to identify and apply lessons learned
3.3.4.6.2 Make and act upon decisions
3.3.4.6.3 Dispose of evidence, if legally permissible
3.3.4.6.4 Collect and preserve all information related to incident.
Beebe and Clark define the digital investigative principles. The principles are overarching
procedures, guidelines and methodological steps that represent goals and objectives throughout
the process. The principles are applicable to all digital investigations and should be included in
the formulation of our CDF capability and the DF implementation and management framework
(DFMF).
3.3.4.7 Digital investigation principles
The two principles are evidence preservation and documentation. These principles apply to all
the phases of the investigation process and cannot be linked to certain phases only.
3.3.4.7.1 Principle 1: Evidence preservation is to:
maximise the availability and quality, and maintain the integrity of the evidence.
ensure that adequate, relevant evidence is gathered during the preparation phase
so that it is available should it be needed.
preserve live evidence during the acquisition process.
collect the evidence in a forensically sound way; for example, calculate checksums
and hashes during the data analysis phase and use environmental protections.
During the data analysis phase, the investigator should create forensic copies of the
evidence.
provide evidence that the chain of evidence and chain of custody have been
maintained during the presentation phase by the investigator and process.
employ evidence disposition measures during the incident closure phase.
3.3.4.7.2 Principle 2: Documentation
The principle of documentation is to capture enough evidence during the investigation
process to maintain the chain of evidence and chain of custody throughout the process.
The validity of the procedure followed can determine the legal acceptability of the
investigation.
The framework also considers various levels of abstraction (Beebe & Clark, 2005; Carrier,
2003a). The layers considered are, for example, physical media, the media management system,
the file system, applications, and the network.
Each of the above phases will have a second tier or sub-layer with specific objectives linked to
it. The data analysis phase can have, for example, the following sub-layers:
Survey sub-phase: facilitate data extraction
Extract sub-phase: keyword searches, mining for hidden data
Examine sub-phase: answers to who, what, when, where, why and how.
Note to reader:
This framework does not specifically incorporate the physical investigation leg of an
investigation as Carrier has suggested. A complete framework includes a detailed proactive
part with a preparation and a pre-incident detection phase. We will use these
aspects as part of the ProDF component of our CDF capability. The framework includes a
more comprehensive list of ProDF activities. These will be taken into consideration in
Chapter 4. It has also identified explicit components of ActDF, which will be used in
Chapter 6.
The ‘Examine’ sub-phase provides a hint as to who should do what and when. We will include it
when we discuss the dimensions of DF in Part 2.
3.3.5 FRAMEWORK 5: Louwrens et al. (2006b)
Louwrens et al. propose a reference framework similar to the CobiT framework (2000): it
defines control objectives as a basis that enables users to employ a structured process for the
investigation of an incident. The framework proposes four phases of the DF process, each of
which has DF control objectives (DFCO) and detailed DF control objectives (DDFCO).
3.3.5.1 PHASE 1: Planning and preparation phase (Entire phase is PROACTIVE)
3.3.5.1.1 Group 1: DF Readiness (4 DFCOs and 21 DDFCOs) (Entire group is PROACTIVE)
a. DFCO 1: Retain information
Define business scenarios that require digital evidence
Identify available sources and types of evidence
Determine evidence collection requirement
Establish policy for secure storage and handling of evidence
Establish a capability of securely gathering legally admissible evidence
Time synchronization of all relevant devices and systems
Systematically gather potential evidence
Prevent anonymous activities.
b. DFCO 2: Plan the response
Ensure monitoring is targeted to deter and detect incidents
Implement an IDS
Specify circumstances when to escalate to a full investigation
Establish a Computer Emergency Response Team (CERT)
Establish capabilities and response times for external DF investigation professionals.
c. DFCO 3: DF Training
Train staff for incident awareness
Develop in-house DF capabilities
Enhance capability of evidence retrieval.
d. DFCO 4: Accelerate the investigation
Document and validate DF protocol against best practices
Acquire appropriate DF tools
Ensure legal review to facilitate further action
Clear definition of CERT and DF investigation teams
Define circumstances when to engage professional external digital forensic
investigation (DFI) services.
3.3.5.2 PHASE 2: Incident response phase
3.3.5.2.1 Group 2: Evidence preservation (4 DFCOs and 13 DDFCOs)
a. DFCO 1: Incident response (REACTIVE)
Initiate IRP (REACTIVE)
Activate CERT (REACTIVE)
Secure Evidence. (REACTIVE) (ACTIVE)
b. DFCO 2: Secure physical environment of the crime scene
Secure all relevant logs and data (REACTIVE)
Secure volatile evidence (ACTIVE)
Secure hardware (REACTIVE) (ACTIVE)
Label and seal all exhibits (REACTIVE)
Preserve chain of evidence. (REACTIVE) (ACTIVE)
c. DFCO 3: Transport evidence (Entire step is REACTIVE)
Securely transport evidence
Preserve chain of custody in transport.
d. DFCO 4: Store evidence
Store evidence in a safe custody room (REACTIVE)
Control access to evidence (PROACTIVE)
Preserve chain of custody in storage. (REACTIVE)
3.3.5.3 PHASE 3: Investigation phase
3.3.5.3.1 Group 3: Forensic acquisition (5 DFCOs and 8 DDFCOs)
a. DFCO 1: Ensure integrity of evidence
Follow established DF investigation protocols (REACTIVE) (ACTIVE)
Write protect all media. (REACTIVE)
b. DFCO 2: Acquire evidence
Acquire evidence in order of volatility (ACTIVE)
Acquire non-volatile evidence. (REACTIVE)
c. DFCO 3: Make a forensic copy of all evidence (REACTIVE) (ACTIVE)
d. DFCO 4: Authenticate evidence
Authenticate all evidence to be identified as original (REACTIVE) (ACTIVE)
Timestamp all copies of authenticated evidence. (REACTIVE) (ACTIVE)
e. DFCO 5: Document acquisition process (consider the chain of custody) (REACTIVE)
(ACTIVE)
3.3.5.3.2 Group 4: Forensic analysis (6 DFCOs and 14 DDFCOs)
a. DFCO 1: Plan investigation (REACTIVE)
Review all available information regarding the incident
Identify expertise required
Identify suitable DF tools to be utilised.
b. DFCO 2: Develop hypothesis (REACTIVE)
Develop hypothesis to cover most likely scenarios
Define criteria to prove / disprove the hypothesis.
c. DFCO 3: Acquire the evidence (REACTIVE) (ACTIVE)
Acquire evidence by using the most suitable DF tool
Analyse evidence by means of most suitable tool
Conform to the requirements of best evidence rule.
d. DFCO 4: Test hypothesis (REACTIVE)
Reconstruct sequences of events
Compare evidence to known facts.
e. DFCO 5: Make findings that are consistent with all evidence (REACTIVE)
Reconstruct sequences of events
Compare evidence to known facts.
f. DFCO 6: Document finding (REACTIVE)
Document the case
Document all aspects of the case
Enter documentation in safe custody.
3.3.5.4 PHASE 4: Juridical / evidentiary phase (REACTIVE)
3.3.5.4.1 Group 5: Evidence presentation (3 DFCOs and 10 DDFCOs)
a. DFCO 1: Prepare case (REACTIVE)
Determine the target audience
Assemble all evidence required for presentation
Prepare expert witnesses
Prepare exhibits
Prepare presentation aids
Preserve chain of custody.
b. DFCO 2: Present case (REACTIVE)
Present the evidence in a logical, understandable way to indicate the relevance of
the evidence to the case
Use graphical / physical examples to demonstrate difficult concepts
Ensure a DF expert is available to assist in provision of expert evidence.
c. DFCO 3: Preserve all the evidence after the case has been presented. (REACTIVE)
Note to reader:
The framework is a high-level comprehensive conceptual one that provides control
objectives with sub-objectives. These objectives can be used to guide the DF
implementation in an organisation. The framework refers to the physical crime scene, but
concentrates on the digital investigation process. The framework includes aspects of
ProDF. We will use these aspects in Chapter 6 to define the ProDF component of our CDF
capability.
3.3.6 FRAMEWORK 6: E Casey (2004)
The framework that Casey proposed encourages a complete, rigorous investigation, ensures proper
evidence handling, and reduces potential mistakes. The framework proposes the following twelve
steps:
3.3.6.1 STEP 1: Incident alert or accusation – determine crime or policy violation. (REACTIVE)
3.3.6.2 STEP 2: Determine the assessment of worth.
One needs to prioritise and to determine whether it is a real incident. This results in
one of two outcomes: no further activity, or continuation of the investigation.
(REACTIVE)
3.3.6.3 STEP 3: Incident / crime scene protocols - actions at scene including real and virtual
actions. (REACTIVE) (ACTIVE)
3.3.6.4 STEP 4: Identification and seizure of evidence - recognition and proper packaging.
(REACTIVE) (ACTIVE)
3.3.6.5 STEP 5: Preservation - ensure the integrity of evidence – ensure that modification is not
possible (REACTIVE) (ACTIVE)
3.3.6.6 STEP 6: Recovery - collect all evidence by including hidden and deleted evidence or
evidence not available (REACTIVE) (ACTIVE)
3.3.6.7 STEP 7: Harvesting - gather all data and metadata about the incident (REACTIVE)
3.3.6.8 STEP 8: Reduction - analyse the evidence and eliminate the evidence that is not relevant
to the case (REACTIVE)
3.3.6.9 STEP 9: Organisation and search - prepare relevant evidence to focus the analysis of the
incident (REACTIVE)
3.3.6.10 STEP 10: Analysis (REACTIVE)
The analysis phase is a detailed scrutiny of the data or evidence identified in the previous
step. The step includes the following four sub-steps:
Assess the content and context of the evidence. The evidence must be human readable.
Use the evidence to determine means, motivation and opportunity. (REACTIVE)
Experiment by using different tools and techniques while analysing the evidence.
(REACTIVE)
Often evidence alone will not provide the lead to the incident, and data from different
sources should be combined to provide positive leads (apply fusion and correlation
techniques). It is essential to determine the chronological order of events and indicate
how the data from the different sources is related. (REACTIVE)
Validate the result of the analysis done so that it will be admissible and acceptable in a
court. (REACTIVE)
Casey stresses that the investigator must adhere to principles for handling of
digital evidence:
Do not change any data that might be used as evidence
Only competent people should handle data to ensure that it can be used in
court
Create a verifiable audit trail to record all processes applied to digital
evidence
Ensure that no law or any of the above principles is violated.
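Casey's fusion-and-correlation sub-step and the 'reconstruct sequences of events' objective of Louwrens et al. (DFCO 4, par. 3.3.5.3.2 d) both come down to placing records from different sources on one clock before reading them as a sequence. The Python script below is an added example written for this section; it is not code from the thesis or from any of the cited authors. It parses three constructed record formats (a firewall log already in UTC, a workstation event log carrying a local offset, and file-system modification times exported as epoch seconds), applies an assumed, documented clock skew per source, sorts the merged timeline, and groups events that fall within a short window across sources. All hostnames, addresses, skew values and record layouts are constructed for the illustration.

```python
"""Timeline fusion across evidence sources (added example, not from the thesis).

Constructed sample records from three sources. Each source keeps its own
time format and clock reference, which is exactly what fusion must reconcile.
"""
import re
from datetime import datetime, timedelta, timezone

FIREWALL_LOG = [  # constructed syslog-style lines, already in UTC
    "2011-11-03T09:14:02Z fw01 ALLOW 10.0.0.5:52144 -> 203.0.113.9:443",
    "2011-11-03T09:14:40Z fw01 ALLOW 10.0.0.5:52150 -> 203.0.113.9:443",
]
HOST_EVENTS = [  # constructed workstation events, local time with explicit offset
    "2011-11-03 11:13:55 +02:00 ws-17 user=jdoe process=outlook.exe action=start",
    "2011-11-03 11:15:10 +02:00 ws-17 user=jdoe process=cmd.exe action=start",
]
FS_TIMES = [  # constructed file-system mtimes: (host, path, epoch seconds UTC)
    ("ws-17", "C:/Users/jdoe/Downloads/invoice.exe", 1320311660),
]

# Assumed, documented clock skew per source: seconds to ADD to a source's
# timestamp to reach true time. A ProDF time-synchronisation element
# (Louwrens DFCO 1) aims to make every entry here zero.
CLOCK_SKEW = {"fw01": 0, "ws-17": -35}


def parse_firewall(line):
    ts, host, rest = line.split(" ", 2)
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": t, "source": host, "event": rest}


def parse_host_event(line):
    m = re.match(r"(\S+ \S+) ([+-]\d{2}:\d{2}) (\S+) (.*)", line)
    if m is None:
        raise ValueError(f"unrecognised host event: {line!r}")
    date, offset, host, rest = m.groups()
    t = datetime.strptime(f"{date} {offset}", "%Y-%m-%d %H:%M:%S %z")
    return {"time": t.astimezone(timezone.utc), "source": host, "event": rest}


def parse_fs(entry):
    host, path, epoch = entry
    t = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return {"time": t, "source": host, "event": f"mtime {path}"}


def build_timeline():
    """Normalise every record to UTC, correct known skew, and sort by time."""
    events = [parse_firewall(l) for l in FIREWALL_LOG]
    events += [parse_host_event(l) for l in HOST_EVENTS]
    events += [parse_fs(e) for e in FS_TIMES]
    for e in events:
        e["time"] += timedelta(seconds=CLOCK_SKEW.get(e["source"], 0))
    return sorted(events, key=lambda e: e["time"])


def correlate(timeline, window_seconds=60):
    """Chain consecutive events that are no more than window_seconds apart."""
    clusters = []
    for e in timeline:
        if clusters and (e["time"] - clusters[-1][-1]["time"]).total_seconds() <= window_seconds:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def multi_source_clusters(timeline, window_seconds=60):
    """Keep only clusters that tie together records from more than one source."""
    return [c for c in correlate(timeline, window_seconds)
            if len({e["source"] for e in c}) > 1]


def render(timeline):
    return [f'{e["time"]:%Y-%m-%d %H:%M:%S}Z {e["source"]:6} {e["event"]}' for e in timeline]


if __name__ == "__main__":
    tl = build_timeline()
    print("\n".join(render(tl)))
    for c in multi_source_clusters(tl, window_seconds=20):
        print("correlated:", [f'{e["source"]}: {e["event"]}' for e in c])
```

With a 20-second window the merged timeline yields two multi-source clusters (the file write followed by the first outbound connection, and the shell start followed by the second), which is the kind of lead the text says a single source rarely provides on its own; widening the window to 60 seconds collapses everything into one cluster, so the window is an analyst's choice that must be documented with the result.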
3.3.6.11 STEP 11: Reporting of the findings of the incident
Provide a transparent view of the investigative process and reports. Include all steps,
methods used to seize, document, collect, preserve, recover, reconstruct, organise and
search for key evidence. (REACTIVE)
3.3.6.12 STEP 12: Persuasion and testimony - translate the result of the investigation into an
understandable narrative for discussion with the decision-makers. (REACTIVE)
It is important to manage each case and its activities in a proper way. The framework can be perceived
as a linear progression of events, but there will be a need to revisit some previous steps to arrive at a
more complete investigation result. Nevertheless, the output of one step will be used as input into
the next step.
Note to reader:
The framework concentrates on the investigation of an incident. No reference is made to
preparation for the investigation as part of the framework and no distinction is made
between physical or digital crime scenes.
3.3.7 FRAMEWORK 7: Forrester and Irwin (2007)
The framework presented by Forrester and Irwin focuses on providing an investigative
framework for business organisations. They used the frameworks of Carrier and Spafford
(2003), Palmer (2001) and the electronic crime scene investigation first responders guide (Nolan et al.,
2001) as supporting frameworks to construct their own. The framework proposes the
following eight steps:
3.3.7.1 STEP 1: Readiness (PROACTIVE)
Preparation of organisation for investigation in terms of:
training of the people
formulating relevant policies and procedures
having the technical infrastructure available.
3.3.7.2 STEP 2: Deployment (REACTIVE)
Identify and assess the incident to determine the scope of the incident.
3.3.7.3 STEP 3: Incident evaluation (REACTIVE)
Evaluate the incident to gain an understanding of who is affected by the incident, e.g.,
systems, users and data. The result of the evaluation will determine:
the course of action (REACTIVE)
which live system analysis tools can be used to analyse the affected systems (ACTIVE)
if it will be a formal or informal investigation. (REACTIVE) (ACTIVE)
3.3.7.4 STEP 4: Scene preservation (REACTIVE)
Secure and search the physical area around the digital crime scene
Secure the sources of evidence of digital crime scene.
3.3.7.5 STEP 5: Interaction of investigation and service restoration (REACTIVE)
The investigator will try to determine the sequence of events but at the same time will
interact with the systems restoration phase to minimise downtime of the systems.
3.3.7.6 STEP 6: Reporting (REACTIVE)
The findings of the investigation are properly documented and presented.
3.3.7.7 STEP 7: Decision on what course of action to be taken
3.3.7.8 STEP 8: Incident review to identify possible areas of improvement to prevent future
incidents.
Note to reader:
This framework is a very high-level overview with little detail of the processes involved.
The notion of interaction between investigation and service restoration has not been
covered by any of the other frameworks and we will consider the inclusion of this
interaction in the formulation of our CDF. The framework acknowledges the need to
prepare an organisation and live investigations, and we will include the aspects in the
components for ProDF (Chapter 4) and ActDF (Chapter 6).
The next section will compare the discussed frameworks to identify common elements (phases with
steps) to formulate each component of our CDF capability.
3.4 COMPARISON OF PROCESS–ORIENTED FRAMEWORKS
During the discussion of the various DF frameworks in the previous paragraph we have tagged the
phases and steps as being (REACTIVE), and / or (PROACTIVE) and / or (ACTIVE). We will organise the
overlapping and missing elements (phases and steps) of the various DF frameworks in terms of the
three proposed DF components: ProDF, ActDF and ReDF of our CDF capability.
Table 3.1 (below) is a comparison of the ProDF elements
Table 3.2 (below) is a comparison of the ActDF elements
Table 3.3 (below) is a comparison of the ReDF elements as identified in the previous
paragraph (par. 3.3).
We have included the paragraph number of the various DF frameworks as reference to substantiate
the existence of the component.
Note to reader:
The different authors of the discussed frameworks have used the terms Groups, Phases,
and Steps as synonyms. We will use the term 'Phases with related Steps' for the
ReDF and ActDF components. The ReDF and ActDF components follow a typical process
model where the result of one phase leads to the next phase. The ProDF component
however concentrates on 'elements' that must be implemented to prepare organisations for
the application of DF. We will refer to the different elements when describing the ProDF
component.
Table 3.1. Comparison of Proactive (ProDF) elements (by author)
Columns: Element; Description of seven elements; paragraph references per framework
(Carrier, Barayumureeba, Beebe, Louwrens, Casey, Forrester). A paragraph number 3.3.N refers
to the framework discussed under par. 3.3.N.
Element 1: Infrastructure: Forrester 3.3.7.1
    Operational: Barayumureeba 3.3.3.1.2; Beebe 3.3.4.1.6; Louwrens 3.3.5.1.1 a
    Investigative: Barayumureeba 3.3.3.1.2; Beebe 3.3.4.1.4; Louwrens 3.3.5.1.1 d
Element 2: Assess risks for business scenarios: Beebe 3.3.4.1.1; Louwrens 3.3.5.1.1 a
Element 3: Information retention plan: Beebe 3.3.4.1.2
    evidence identification: Louwrens 3.3.5.1.1 a
    evidence collection requirements (legal and regulatory requirements; technical
    requirements): Louwrens 3.3.5.1.1 a
    evidence handling: Louwrens 3.3.5.1.1 a
    systematic gathering of evidence: Beebe 3.3.4.3.6; Louwrens 3.3.5.1.1 a
Element 4: Develop policies / procedures for: Louwrens 3.3.5.1.1; Casey 3.3.6.3; Forrester 3.3.7.1
    evidence handling: Beebe 3.3.4.1.7; Louwrens 3.3.5.1.1 a
    evidence preservation: Beebe 3.3.4.1.7
    incident response: Beebe 3.3.4.1.3
    prevention of anonymous activities: Louwrens 3.3.5.1.1 a
    secure storage: Louwrens 3.3.5.1.1 a
Element 5: IR preparation:
    IRP (plan response): Beebe 3.3.4.1.3; Louwrens 3.3.5.1.1 b
    staff assignment (establish CERT): Beebe 3.3.4.1.3; Louwrens 3.3.5.1.1 b; Casey 3.3.6.3
    implementation of IDS: Louwrens 3.3.5.1.1 b
    incident / crime scene protocols: Louwrens 3.3.5.1.1 d
    determination of when to accelerate investigation: Louwrens 3.3.5.1.1 b
Element 6: DF training and awareness: Carrier 3.3.3.1.1; Barayumureeba 3.3.3.1.1;
    Beebe 3.3.4.1.5, 3.3.4.1.4; Louwrens 3.3.5.1.1 c; Forrester 3.3.7.1
Element 7: Develop legal coordination action plan: Beebe 3.3.4.1.9; Louwrens 3.3.5.1.1 d
Table 3.2. Comparison of Active (ActDF) phases and steps (by author)
Columns: Phase; Description of four phases; paragraph references per framework
(Carrier, Barayumureeba, Beebe, Louwrens, Casey, Forrester).
Phase 1: Acquire relevant live evidence: Carrier 3.3.2.2.3; Beebe 3.3.4.3.2, 3.3.4.3.3, 3.3.4.3.4;
    Louwrens 3.3.5.3.1 b, 3.3.5.3.2 c; Casey 3.3.6.4; Forrester 3.3.7.3
    Secure live evidence: Louwrens 3.3.5.2.1 b
    Consider the order of volatility: Louwrens 3.3.5.3.1 a; Casey 3.3.6.4
    Use acceptable live evidence acquisition protocol: Louwrens 3.3.5.3.1 a
    Ensure integrity: Beebe 3.3.4.3.7; Louwrens 3.3.5.3.1
Phase 2: Preserve acquired evidence / forensic copy: Louwrens 3.3.5.3.1 c; Casey 3.3.6.5
    Ensure that competent people use reliable tools: Louwrens 3.3.5.3.2 a, c
    Secure evidence: Beebe 3.3.4.3.8
    Authenticate (timestamp the evidence): Beebe 3.3.4.3.7; Louwrens 3.3.5.3.1 c, d
Phase 3: Document live acquisition process: Louwrens 3.3.5.3.1 e
Phase 4: Analyse live evidence: Louwrens 3.3.5.3.2 c
Table 3.3. Comparison of Reactive (ReDF) phases and steps (by author)
Columns: Phase; Phases and steps descriptions; paragraph references per framework
(O'Ciardhuain, Carrier & Spafford, Barayumureeba, Beebe and Clark, Louwrens et al., Casey,
Forrester).
Phase 1: Incident Response and confirmation
    Initiate IRP from Info Sec: Louwrens 3.3.5.2.1 a; Casey 3.3.6.1
    Detect activity: O'Ciardhuain 3.3.1.1; Carrier 3.3.2.2.1; Barayumureeba 3.3.3.2.1;
    Beebe 3.3.4.2.1; Forrester 3.3.7.2
    Report incident: Carrier 3.3.2.2.1; Beebe 3.3.4.2.2
    Determine assessment of worth (validate incident relevance; assess damage and impact of
    the incident; confirm the incident; determine the nature of investigation, formal / informal):
    Carrier 3.3.2.2.2; Barayumureeba 3.3.3.2.4; Beebe 3.3.4.2.3, 3.3.4.2.4; Casey 3.3.6.2;
    Forrester 3.3.7.3
    Obtain authorisation, internal and external: O'Ciardhuain 3.3.1.2; Carrier 3.3.2.2.2
    Determine incident containment strategy: Carrier 3.3.2.2.4; Beebe 3.3.4.2.5
    Coordinate resources: O'Ciardhuain 3.3.1.3; Beebe 3.3.4.2.6
    Formulate investigation plan: Beebe 3.3.4.2.7
    Accelerate investigation: (no reference)
    Notification of investigation: O'Ciardhuain 3.3.1.4; Barayumureeba 3.3.3.2.5
Phase 2: Physical Investigation (if relevant)
    Preserve physical crime scene: Carrier 3.3.2.3.1; Barayumureeba 3.3.3.2.2; Forrester 3.3.7.4
    Survey crime scene for potential evidence: Carrier 3.3.2.3.2; Barayumureeba 3.3.3.2.2;
    Louwrens 3.3.5.2.1 b; Forrester 3.3.7.4
    Document (capture enough information to preserve details of the crime scene):
    Carrier 3.3.2.3.2; Barayumureeba 3.3.3.2.2
    Acquire all evidence: Barayumureeba 3.3.3.2.2
    Search, collect and secure potential physical evidence: Carrier 3.3.2.3.4;
    Barayumureeba 3.3.3.2.2, 3.3.3.2.3; Louwrens 3.3.5.2.1 b; Forrester 3.3.7.4
    Identify and secure possible digital evidence, including live evidence and static evidence,
    to be sent to the digital investigation team: O'Ciardhuain 3.3.1.5; Carrier 3.3.2.3.4;
    Barayumureeba 3.3.3.2.2; Beebe 3.3.4.2.1; Casey 3.3.6.4
    Label and seal all evidence: Louwrens 3.3.5.2.1 b
    Reconstruction of the incident: Carrier 3.3.2.3.5
    Transport evidence: Barayumureeba 3.3.3.2.2; Louwrens 3.3.5.2.1 c
    Storage of evidence (determine the storage requirements: safe custody room, access
    control, chain of custody): Barayumureeba 3.3.3.4; Louwrens 3.3.5.2.1 d
Phase 3: Digital Investigation: Barayumureeba 3.3.3.3
  Sub-phase 3.1: Secure the Digital Evidence
    Preserve digital crime scene: Carrier 3.3.2.4.1, 3.3.2.4.2
    Ensure integrity: Beebe 3.3.4.3.7; Louwrens 3.3.5.3.1 a; Casey 3.3.6.5
    Follow established DF investigation protocols: Louwrens 3.3.5.3.1 a; Casey 3.3.6.3
    Write protect all media: Louwrens 3.3.5.3.1 a
  Sub-phase 3.2: Acquire the Evidence
    Acquire or recover relevant evidence: O'Ciardhuain 3.3.1.6; Carrier 3.3.2.4.4;
    Barayumureeba 3.3.3.2.3; Beebe 3.3.4.3; Louwrens 3.3.5.3.1 b
    Collect all evidence (volatile and non-volatile, hidden and deleted evidence or evidence
    not available): Carrier 3.3.2.4.4; Barayumureeba 3.3.3.2.3; Beebe 3.3.4.3.1, 3.3.4.3.3,
    3.3.4.3.4, 3.3.4.3.5; Louwrens 3.3.5.3.1 b; Casey 3.3.6.6
    Harvesting (gather all data and metadata about the incident): Carrier 3.3.2.4.4; Casey 3.3.6.7
    Preservation of evidence by making a forensic copy: O'Ciardhuain 3.3.1.6; Carrier 3.3.2.4.1;
    Barayumureeba 3.3.3.2.3; Beebe 3.3.4.3.7, 3.3.4.3.8; Louwrens 3.3.5.3.1 c
    Authenticate the evidence as original by applying a timestamp: Carrier 3.3.2.4.2;
    Beebe 3.3.4.3.7; Louwrens 3.3.5.3.1 d
    Transport the evidence: O'Ciardhuain 3.3.1.7; Carrier 3.3.2.4.2; Beebe 3.3.4.3.8
    Store the evidence: O'Ciardhuain 3.3.1.8; Beebe 3.3.4.3.8
    Document acquisition process: Carrier 3.3.2.4.3; Barayumureeba 3.3.3.2.3; Louwrens 3.3.5.3.1 e
  Sub-phase 3.3: Analysis
    Revisit investigation plan (consider available information, look at tools and expertise,
    and ensure evidence is human readable): Carrier 3.3.2.4.4; Louwrens 3.3.5.3.2 a
    Develop a hypothesis (define hypothesis and criteria to prove hypothesis):
    O'Ciardhuain 3.3.1.10; Louwrens 3.3.5.3.1 b
    Prepare evidence (segment large volumes of data to manageable size): Beebe 3.3.4.4.1;
    Casey 3.3.6.9, 3.3.6.10
    Analyse evidence: Beebe 3.3.4.4; Louwrens 3.3.5.3.2 c
    Examine evidence (best evidence): O'Ciardhuain 3.3.1.11; Casey 3.3.6.10
    Reduction (analyse the evidence and eliminate the evidence that is not relevant to the
    case): Carrier 3.3.2.4.4; Casey 3.3.6.8, 3.3.6.9
    Assessment (determine means, motivation, opportunity and skill level of suspect): Casey 3.3.6.10
    Experimentation (use different tools): Casey 3.3.6.10
    Reconstruct event (fusion and correlation): Carrier 3.3.2.4.5; Barayumureeba 3.3.3.2.3;
    Beebe 3.3.4.4.4; Casey 3.3.6.10
    Test hypothesis: Beebe 3.3.4.4.3; Louwrens 3.3.5.3.2 d
    Validate the results of analysis: Louwrens 3.3.5.3.2 e; Casey 3.3.6.10
    Document findings: Louwrens 3.3.5.3.2 f
    Secure documentation: Louwrens 3.3.5.3.2 f
  Sub-phase 3.4: Service Restoration
    Interaction with IS BCP team to restore services: Forrester 3.3.7.5
Phase 4: Incident Reconstruction: Carrier 3.3.2.4.6
    Consolidate physical investigation and digital investigation findings: Carrier 3.3.2.4.5
Phase 5: Present Findings to Management / Authorities: O'Ciardhuain 3.3.1.11, 3.3.1.12;
    Barayumureeba 3.3.3.4.4; Beebe 3.3.4.5; Louwrens 3.3.5.4.1; Casey 3.3.6.11; Forrester 3.3.7.6
    Prepare case: Louwrens 3.3.5.4.1 a
    Determine target audience: Louwrens 3.3.5.4.1 a
    Assemble all evidence required for presentation: Louwrens 3.3.5.4.1 a
    Prepare expert witness: Louwrens 3.3.5.4.1 a
    Prepare exhibits: Louwrens 3.3.5.4.1 a
    Use appropriate presentation aids: Louwrens 3.3.5.4.1 a
    Preserve chain of custody: Louwrens 3.3.5.4.1 a
    Present case: Louwrens 3.3.5.4.1 b; Casey 3.3.6.12
    Preserve evidence: Beebe 3.3.4.6.4; Louwrens 3.3.5.4.1 c
Phase 6: Dissemination of Result of Investigation or Incident Closure: O'Ciardhuain 3.3.1.13
    Review to identify and apply lessons learned: Carrier 3.3.2.5; Beebe 3.3.4.6.1, 3.3.4.6.2;
    Forrester 3.3.7.8
    Dispose / return / preserve evidence: Beebe 3.3.4.6.3, 3.3.4.6.4
The comparison in Tables 3.1, 3.2 and 3.3 demonstrates that not one of the identified DF
frameworks includes all elements of ProDF or all phases with associated steps for the ReDF and ActDF
components. Most of the identified frameworks:
concentrate on the actual post-incident investigation (ReDF component) by referring to
the identification, collection, analysis, and presentation of evidence
include some aspects of readiness (ProDF component) by considering awareness,
training, preparation of operations and infrastructure
include some aspects of live evidence gathering (ActDF component).
We used the comparison of the identified DF frameworks to identify common elements, re-
organised similar phases or steps, and included missing phases or steps to propose the three
components for our CDF capability, as demonstrated by Figure 3-3 (below):
Figure 3-3. Comprehensive DF capability (also Figure 2-3) (by author)
Based on the comprehensive analysis in the previous paragraphs we will formulate a draft version of
our CDF capability.
3.5 DRAFT VERSION OF OUR CDF CAPABILITY
Our CDF capability has three potential components.
Note to reader:
The ProDF component will consist of a set of elements and the ReDF and ActDF
components will have phases with related steps.
3.5.1 ProDF component
From the comparison in Table 3.1 we have proposed the following list of seven elements:
3.5.1.1 ELEMENT 1: Ensure DF-ready infrastructure
The operational infrastructure must be prepared (Beebe & Clark, 2005; Forrester & Irwin,
2007; Louwrens et al., 2006b). Organisations must ensure that an investigation
infrastructure is in place if they want to investigate incidents internally (Barayumureeba &
Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007;
Louwrens et al., 2006b). Configure the infrastructure to prevent anonymous activities and
anti-forensic activities (Louwrens et al., 2006b).
3.5.1.2 ELEMENT 2: Assess risks for all business scenarios (Beebe & Clark, 2005; Louwrens et al.,
2006b)
It is essential to consider all business scenarios to identify potential risks, to enable the
proactive identification of potential evidence.
3.5.1.3 ELEMENT 3: Develop an information retention plan (Beebe & Clark, 2005)
The plan should consider evidence identification (Louwrens et al., 2006b), legal, judicial,
regulatory and technical evidence collection and handling requirements, and ensure the
systematic gathering of evidence (Beebe & Clark, 2005; Louwrens et al., 2006b).
3.5.1.4 ELEMENT 4: Develop DF policies and procedures (Casey, 2004; Forrester & Irwin, 2007;
Louwrens et al., 2006b)
Typical policies and procedures to develop are: evidence handling (Beebe & Clark, 2005;
Casey, 2004; Louwrens et al., 2006b), evidence preservation (Beebe & Clark, 2005), IR
(Beebe & Clark, 2005), prevention of anonymous activities (Louwrens et al., 2006b), and
prevention of anti-forensic activities (Louwrens et al., 2006b).
3.5.1.5 ELEMENT 5: Prepare for incident response
Organisations have IRPs as part of their contingency plans. It is essential to consider DF
requirements when planning the response to ensure that evidence is not destroyed. (Beebe
& Clark, 2005; Louwrens et al., 2006b). The IRP should prescribe the establishment of a CERT
by assigning specific employees to the team (Beebe & Clark, 2005; Louwrens et al., 2006b).
Louwrens recommends the implementation of an IDS and the formulation or augmenting of
existing incident or crime scene protocols (Louwrens et al., 2006b). After incident evaluation,
it is essential to activate the incident containment strategy and to determine when to
accelerate the investigation (Beebe & Clark, 2005; Louwrens et al., 2006b). It is also essential
to establish when to engage with external DF investigation (DFI) services (Louwrens et al.,
2006b).
3.5.1.6 ELEMENT 6: Establish DF training and awareness programmes (Barayumureeba &
Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007;
Louwrens et al., 2006b)
3.5.1.7 ELEMENT 7: Document and validate a DF protocol against best practice (Louwrens et
al., 2006b).
3.5.2 ActDF component
We have identified the following four phases using Table 3.2:
3.5.2.1 PHASE 1: Acquire relevant live evidence (Beebe & Clark, 2005; Carrier & Spafford, 2003;
Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b)
To acquire live evidence it is essential to use an acceptable live evidence acquisition protocol
and to consider the order of volatility (Beebe & Clark, 2005; Louwrens et al., 2006b).
3.5.2.2 PHASE 2: Ensure integrity (Beebe & Clark, 2005; Louwrens et al., 2006b)
To establish integrity means that the investigator must ensure that the evidence acquired
does not change in any way, and preserve the acquired evidence by making a forensic copy
of the evidence (Casey, 2004; Louwrens et al., 2006b). It is also essential to ensure that
competent people use reliable tools (Forrester & Irwin, 2007; Louwrens et al., 2006b). The
evidence and forensic copies must be secured, authenticated and time-stamped to
guarantee the integrity (Beebe & Clark, 2005; Louwrens et al., 2006b).
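Phases 1 and 2 of the ActDF component, together with Beebe and Clark's evidence-preservation principle (par. 3.3.4.7.1) and the Louwrens et al. objectives to acquire in order of volatility, make a forensic copy, authenticate and timestamp it (par. 3.3.5.3.1), describe a small procedure that is easy to get wrong in practice. The Python script below is an added example written for this section, not code from the thesis or from any cited author. It orders constructed evidence items most-volatile-first, hashes each original with SHA-256, makes a working copy and refuses to continue if the copy does not match, opens a UTC-timestamped chain-of-custody record per item, and re-verifies a copy against the recorded hash. The volatility ranking, the handler names, the sample byte strings and the record layout are all assumptions made for the illustration.

```python
"""Live acquisition with integrity and custody records (added example).

The volatility ranks below are an assumption for this illustration: lower
rank means more volatile, so it is acquired first.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

VOLATILITY = {"memory": 0, "network": 1, "process": 2, "disk": 3, "removable": 4}


@dataclass
class EvidenceItem:
    label: str
    source_kind: str
    data: bytes  # constructed sample bytes standing in for an acquired image


@dataclass
class CustodyRecord:
    label: str
    sha256: str        # hash of the original at acquisition time
    acquired_at: str   # ISO 8601 UTC timestamp
    handler: str
    actions: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquisition_order(items):
    """Sort items most-volatile-first; sorted() is stable for equal ranks."""
    return sorted(items, key=lambda i: VOLATILITY[i.source_kind])


def acquire(item, handler, now=None):
    """Hash the original, make a forensic copy, verify the copy against the
    original hash, and open a custody record for the item."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    original_hash = sha256_hex(item.data)
    forensic_copy = bytes(item.data)  # the working copy analysts examine
    if sha256_hex(forensic_copy) != original_hash:
        raise RuntimeError(f"forensic copy of {item.label} does not match original")
    rec = CustodyRecord(item.label, original_hash, ts, handler)
    rec.actions.append({"at": ts, "by": handler, "action": "acquired and copied"})
    return forensic_copy, rec


def log_action(rec, handler, action, now=None):
    """Append a custody event (transfer, examination, storage) to the record."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    rec.actions.append({"at": ts, "by": handler, "action": action})


def verify(rec, data) -> bool:
    """Re-hash data and compare with the hash recorded at acquisition."""
    return sha256_hex(data) == rec.sha256


def run_live_acquisition(items, handler="examiner-1"):
    """Acquire every item in order of volatility; return copies and records
    keyed by label, in acquisition order."""
    copies, records = {}, {}
    for item in acquisition_order(items):
        copy, rec = acquire(item, handler)
        copies[item.label] = copy
        records[item.label] = rec
    return copies, records


def custody_report(records) -> str:
    return json.dumps([r.__dict__ for r in records.values()], indent=2)


SAMPLE_ITEMS = [  # constructed evidence, not real captures
    EvidenceItem("hdd-image", "disk", b"NTFS partition image bytes ..."),
    EvidenceItem("ram-dump", "memory", b"physical memory capture ..."),
    EvidenceItem("netstat", "network", b"tcp 10.0.0.5:443 ESTABLISHED\n"),
]

if __name__ == "__main__":
    copies, records = run_live_acquisition(SAMPLE_ITEMS)
    log_action(records["ram-dump"], "examiner-2", "transferred to custody room")
    print([r.label for r in records.values()])
    print(custody_report(records))
```

The two checks worth keeping from this sketch are the refusal to proceed when the copy's hash differs from the original's, and the fact that `verify` compares against the hash stored at acquisition rather than recomputing both sides, so a later modification of the working copy is detected against a value fixed at the time the custody record was opened.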
3.5.2.3 PHASE 3: Document the live acquisition process (CP Louwrens et al., 2006a)
Documentation is essential during the entire live evidence acquisition process to maintain
the chain of custody and evidence.
3.5.2.4 PHASE 4: Analyse the live data (CP Louwrens et al., 2006a)
The acquired evidence is analysed to determine if the required evidence has been acquired
to either enable the investigator to determine the root-cause of the incident or to start a
meaningful investigation.
3.5.3 ReDF component
From the comparison in Table 3.3 we have identified the following six phases:
3.5.3.1 PHASE 1: Incident response and confirmation phase (ten steps)
3.5.3.1.1 Step 1: Initiate the IRP from Info Sec or the corporate contingency plan (Casey, 2004;
Louwrens et al., 2006b).
3.5.3.1.2 Step 2: Detect an activity (Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester &
Irwin, 2007; O'Ciardhuain, 2004).
3.5.3.1.3 Step 3: Report the incident (CP Louwrens et al., 2006a).
3.5.3.1.4 Step 4: Determine the assessment of worth of the incident (Beebe & Clark, 2005;
Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007).
The incident must be evaluated to determine if it is a valid incident; the incident
responder must assess the damage that the incident can cause or impact of the
incident on the organisation. The next step will be to confirm the incident or to
declare it as ‘no incident’. It is essential to determine relevance and nature of
investigation. This will determine if it will be a formal or informal investigation.
3.5.3.1.5 Step 5: Obtain the relevant internal and external authorisation (Carrier & Spafford,
2003; O'Ciardhuain, 2004).
3.5.3.1.6 Step 6: Activate the incident containment strategy (Beebe & Clark, 2005; Carrier &
Spafford, 2003).
3.5.3.1.7 Step 7: Coordinate all the resources (Beebe & Clark, 2005; Louwrens et al., 2006b).
3.5.3.1.8 Step 8: Formulate an investigation plan (Beebe & Clark, 2005).
3.5.3.1.9 Step 9: Depending on condition set out by policy, accelerate the investigation
(Louwrens et al., 2006b).
3.5.3.1.10 Step 10: Notify the relevant parties of the investigation (Forrester & Irwin, 2007;
O'Ciardhuain, 2004).
3.5.3.2 PHASE 2: Physical investigation phase (if relevant) (six steps)
3.5.3.2.1 Step 1: Secure the physical crime scene (Barayumureeba & Tushabe, 2004; Carrier &
Spafford, 2003; Forrester & Irwin, 2007).
3.5.3.2.2 Step 2: Survey the crime scene for potential evidence (Barayumureeba & Tushabe,
2004; Carrier & Spafford, 2003; Louwrens et al., 2006b).
3.5.3.2.3 Step 3: Acquire physical evidence (Barayumureeba & Tushabe, 2004).
The investigator must survey the crime scene, search for and collect potential
evidence, using an acceptable procedure, for example, photograph, bag, label, and
document the individual evidential items. The investigator must identify different
Part 1: Background to Digital Forensic
3-83 | P a g e Chapter 3: Conventional DF frameworks
types of evidence, e.g., fingerprint or digital to ensure that it will be analysed by the
relevant forensic laboratory (Barayumureeba & Tushabe, 2004; Carrier & Spafford,
2003; Forrester & Irwin, 2007; Louwrens et al., 2006b).
3.5.3.2.4 Step 4: Reconstruct the incident (Barayumureeba & Tushabe, 2004).
3.5.3.2.5 Step 5: Transport the evidence to a relevant investigation laboratory whilst ensuring
the chain of custody (Barayumureeba & Tushabe, 2004; Louwrens et al., 2006b).
3.5.3.2.6 Step 6: Store the evidence in a secure facility.
Determine the storage requirements by considering a safe custody room, access
control, and requirements to maintain the chain of custody (Barayumureeba &
Tushabe, 2004; Louwrens et al., 2006b).
3.5.3.3 PHASE 3: Digital investigation phase
This phase consists of four sub-phases:
3.5.3.3.1 Sub-phase 1: Secure the digital evidence (three steps) (Carrier & Spafford, 2003)
Step 1: Preserve the digital crime scene (O'Ciardhuain, 2004).
Step 2: Ensure the integrity of the evidence (Beebe & Clark, 2005; Casey, 2004;
Louwrens et al., 2006b). The investigators must follow established DFI protocol
(Casey, 2004; Louwrens et al., 2006b) and write protect all media (Louwrens et al.,
2006b).
Step 3: Preserve and make a forensic copy of the potential evidence
(Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Louwrens et al., 2006b).
3.5.3.3.2 Sub-phase 2: Acquire the evidence (five steps)
Step 1: Acquire the relevant evidence (Barayumureeba & Tushabe, 2004; Beebe &
Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Louwrens et al., 2006b). To do so
it is essential to recover or collect static, live, hidden, and deleted evidence. Harvest
all data and metadata relevant to the incident.
Step 2: Authenticate the evidence by applying verification algorithms (e.g. hashing)
to ensure originality. Investigators should timestamp all evidence to enable time
lining (Carrier & Spafford, 2003; Louwrens et al., 2006b).
Step 3: Transport the evidence to the relevant laboratory whilst ensuring the chain
of custody (Carrier & Spafford, 2003; O'Ciardhuain, 2004).
Step 4: Store the evidence in a secure facility (Beebe & Clark, 2005; O'Ciardhuain,
2004).
Step 5: Consolidate the documentation of the acquisition process (Barayumureeba &
Tushabe, 2004; Carrier & Spafford, 2003; Louwrens et al., 2006b).
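As an added illustration of Steps 2 to 5 of this sub-phase (not code from the thesis or from any of the cited frameworks), the following Python hashes and timestamps a forensic copy, links the later transport and storage events into a hash-chained custody log, and verifies both the copy and the log; the record layout, field names and sample image bytes are constructed assumptions.

```python
"""Added illustration of acquisition Steps 2 to 5: hash and timestamp the
forensic copy, then record transport and storage in a tamper-evident
chain-of-custody log. Not code from the thesis or any cited framework;
the record layout, field names and sample image bytes are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for a forensic copy (bit-for-bit image) of a seized medium.
EVIDENCE_IMAGE = b"\x00" * 16 + b"constructed sample image" + b"\xff" * 16


def sha256_hex(data: bytes) -> str:
    """Digest of the forensic copy; later comparisons are made against it
    (Step 2: authenticate by applying a verification algorithm)."""
    return hashlib.sha256(data).hexdigest()


def utc_stamp(when=None) -> str:
    """ISO 8601 UTC timestamp so records from different sources line up on
    one time line (Step 2: timestamp all evidence)."""
    when = when or datetime.now(timezone.utc)
    return when.isoformat(timespec="seconds")


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so that a record always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def acquisition_record(item_id: str, image: bytes, actor: str, when=None) -> dict:
    """First custody entry: who acquired which item, when, and its digest."""
    return {"item": item_id, "event": "acquired", "actor": actor,
            "time": utc_stamp(when), "sha256": sha256_hex(image)}


def add_custody_event(log: list, item_id: str, event: str, actor: str, when=None) -> dict:
    """Steps 3 and 4 (transport, storage): each new entry carries the digest
    of the previous one, so an edited or removed entry breaks the chain."""
    entry = {"item": item_id, "event": event, "actor": actor,
             "time": utc_stamp(when), "prev_hash": sha256_hex(canonical(log[-1]))}
    log.append(entry)
    return entry


def verify_evidence(log: list, image: bytes) -> bool:
    """Recompute the digest of the copy and compare with the acquisition record."""
    return hmac.compare_digest(log[0]["sha256"], sha256_hex(image))


def verify_chain(log: list) -> bool:
    """Step 5 (consolidated documentation): check every back-link in the log."""
    return all(log[i]["prev_hash"] == sha256_hex(canonical(log[i - 1]))
               for i in range(1, len(log)))


def build_sample_log() -> list:
    """Constructed custody history for one item (times are sample values)."""
    t0 = datetime(2011, 11, 1, 9, 0, tzinfo=timezone.utc)
    log = [acquisition_record("ITEM-001", EVIDENCE_IMAGE, "investigator A", t0)]
    add_custody_event(log, "ITEM-001", "transported to laboratory", "investigator A",
                      t0.replace(hour=11))
    add_custody_event(log, "ITEM-001", "stored in evidence safe", "custodian B",
                      t0.replace(hour=12))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("copy matches acquisition digest:", verify_evidence(log, EVIDENCE_IMAGE))
    print("custody chain intact:           ", verify_chain(log))
    # A single altered byte in the copy is detected ...
    print("altered copy detected:", not verify_evidence(log, EVIDENCE_IMAGE[:-1] + b"\x00"))
    # ... and so is an after-the-fact edit to an earlier log entry.
    log[1]["actor"] = "unknown"
    print("edited log detected:  ", not verify_chain(log))
```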
3.5.3.3.3 Sub-phase 3: Analyse the evidence (nine steps)
Step 1: Revisit the initial investigation plan. Consider the available information,
consider the tools and expertise allocated to the team and ensure that the evidence
is human readable (Carrier & Spafford, 2003; Casey, 2004; Louwrens et al., 2006b;
O'Ciardhuain, 2004).
Step 2: Develop a hypothesis and criteria to prove it (Louwrens et al., 2006b;
O'Ciardhuain, 2004).
Step 3: Prepare the evidence for analysis. It may be necessary to convert large
volumes of data to a manageable size (Beebe & Clark, 2005; Casey, 2004; Louwrens
et al., 2006b).
Step 4: Analyse the available evidence (Beebe & Clark, 2005; Louwrens et al.,
2006b).
Examine evidence to establish the best evidence (Casey, 2004; Louwrens et al.,
2006b; O'Ciardhuain, 2004). The investigator must apply reduction techniques to
eliminate the evidence that is not relevant to the case (Carrier & Spafford, 2003;
Casey, 2004). It will be useful to assess the results to determine means, motivation,
and opportunity, as well as the skill level of the suspect. The investigator should use
more than one DF tool to analyse the evidence.
Step 5: Reconstruct the incident (Barayumureeba & Tushabe, 2004; Beebe & Clark,
2005; Carrier & Spafford, 2003; Casey, 2004).
Step 6: Test the hypothesis by applying fusion and correlation techniques (Beebe &
Clark, 2005; Casey, 2004; Louwrens et al., 2006b). Test the hypothesis by using the
criteria set.
Step 7: Validate the analysis results (Louwrens et al., 2006b).
Step 8: Document the findings (Casey, 2004; Louwrens et al., 2006b).
Step 9: Secure the documentation (Louwrens et al., 2006b).
3.5.3.3.4 Sub-phase 4: Restore the services
Interact with the organisational (Info Sec) BCP team to restore services as soon as possible
to minimise the interruption to business activities (Forrester & Irwin, 2007).
3.5.3.4 PHASE 4: Incident reconstruction
Consolidate physical investigation and digital investigation findings and determine if the
consolidated evidence acquired supports the hypothesis (Carrier & Spafford, 2003).
3.5.3.5 PHASE 5: Presentation of findings (three steps)
Present findings to management and/or authorities (Barayumureeba & Tushabe, 2004;
Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007;
Louwrens et al., 2006b; O'Ciardhuain, 2004).
3.5.3.5.1 Step 1: Prepare case
To present a case successfully, it is essential to prepare properly. The investigator should
determine who the target audience is, use appropriate presentation aids, assemble all
evidence required, and prepare exhibits. If one needs to use an expert witness2 during
the presentation, prepare the witness. When preparing the evidence and exhibits the
chain of custody should be preserved at all times (Louwrens et al., 2006b).
3.5.3.5.2 Step 2: Present the case (Casey, 2004; Louwrens et al., 2006b)
3.5.3.5.3 Step 3: Preserve the evidence (Louwrens et al., 2006b)
3.5.3.6 PHASE 6: Incident closure (two steps)
Disseminate the result of the investigation and incident closure (Beebe & Clark, 2005; Carrier
& Spafford, 2003; O'Ciardhuain, 2004).
3.5.3.6.1 Step 1: Review the result to identify and apply lessons learned (Beebe & Clark, 2005;
Forrester & Irwin, 2007).
3.5.3.6.2 Step 2: Dispose / return / preserve applicable post-investigation evidence (Beebe &
Clark, 2005).
Note to reader:
We have identified overlapping and unique elements from the comparison to formulate a
draft version of the three components of our CDF capability: ProDF, ActDF, and ReDF. We
will use the draft version as a foundation to refine each component in more detail in
Chapters 4, 5, and 6. We will add component-specific viewpoints, for example Rowlingson’s
viewpoint on DF readiness, to expand on the content of the ProDF component (Rowlingson,
2004) in Chapter 4. We have not included the component-specific viewpoints in the
comparisons in this Chapter, as we have only considered frameworks that cover the entire
DF investigation process.
2 The investigator can be the expert witness. An expert witness may also be a subject matter expert, for
example a Microsoft Windows 7 operating system expert as an adjunct expert depending on the case requirements.
As indicated in par. 1.8.3, we have identified two types of DF frameworks: Process and Role-
based DF frameworks. The next section discusses a role-based framework by Ieong (2006).
3.6 ROLE BASED FRAMEWORK: FORZA (IEONG, 2006)
The FORZA (FORensic framework based on ZAchman framework) framework is a technical
independent framework that aims to break the barrier between technologists, legal practitioners
and investigators. It has been developed using the Zachman framework to include legal advisors and
prosecutors in the wider perspective. The Zachman framework for enterprise architecture proposes
the following roles: a Planner, Owner, Designer, Builder, and Subcontractor. The FORZA framework
proposes the following roles:
Case leader: planner and orchestrator of the entire digital investigation process. He / she should
lead the case and determine whether the investigation should continue or not.
System / business owner: owner of system to be inspected. He / she can be the victim /
suspect or the sponsor of the case.
Legal advisor: the first legal advisor that the case leader will contact for legal advice.
Security / system architecture / auditor: these people understand the controls and security
architecture and can provide the case leader with an estimate of the scope of the event and
the security controls implemented.
DF specialist: plans the entire DF investigation process. This is not a static process, but will
provide a strategy for the investigation.
DF investigator / system administrator / operator: the person who will carry out the actual
investigation – data collection, extraction, preservation and storage of evidence.
DF analyst: analyses the evidence, proves the hypothesis.
Legal prosecutor.
Figure 3-4 (below) is a diagrammatic representation of the proposed process flows between the
roles.
Figure 3-4 Diagrammatic representation of the proposed process flows between roles (Ieong, 2006). The figure maps each role to its layer: Case leader: Contextual investigation layer; System owner: Contextual layer; Legal advisor: Legal advisory layer; Security architect: Conceptual security architecture layer; DF specialists: Technical presentation layer; DF investigators: Data acquisition layer; DF analysts: Data analysis layer; Legal prosecutor: Legal presentation layer.
These layers are interrelated through a set of six questions: what? (data attributes), why?
(motivation), how? (procedure), who? (people), where? (location) and when? (time). Table 3.4
(above) is a high level view of the FORZA framework (Ieong, 2006).
Note to reader:
This framework is a role-based framework that includes a process component (how?). The
process component correlates with the phases and steps (process view) of the various
components of our CDF capability as identified in par. 3.4. The framework adds value by
answering the questions of why? who? where? when? how? and what? The process
framework covers the questions implicitly, but we want to use it to formulate our
framework to implement and manage DF in an organisation: DFMF. There is an intuitive
overlap between the FORZA framework’s Why, How, Where, When, What and Who
questions, and the identified dimensions that we intend to use in the formulation of the
management component of the proposed DFMF.
The next section will compare the process- and role-based frameworks.
Table 3.4. High-level view of the FORZA framework (Ieong, 2006)
Role (layer) | Why (Motivation) | What (Data) | How (Function) | Where (Network) | Who (People) | When (Time)
Case leader (Contextual investigation layer) | Investigation objectives | Event nature | Request initial investigation | Investigation geography | Initial participant | Investigation timeline
System owner (Contextual layer) | Business objectives | Business and event nature | Business and system process framework | Business geography | Organisation and participants relationship | Business and incident timeline
Legal advisor (Legal advisory layer) | Legal objectives | Legal background and preliminary issues | Legal procedure for further investigations | Legal geography | Legal entities and participants | Legal timeframe
Security architect (Conceptual security layer) | Security controls objectives | Security information and security control framework | Security mechanisms | Security domain and network infrastructure | Users and security entity framework | Security timing and sequencing
DF specialist (Technical presentation layer) | DF investigation strategic objectives | Forensic data framework | Forensic strategy design | Forensic data geography | Forensic entity framework | Hypothetical forensic event timeline
DF investigator (Data acquisition layer) | Forensic acquisition objectives | On-site forensic data observation | Forensic acquisition / seizure procedures | Site network forensic data acquisition | Participants interviewing and hearing | Forensic acquisition timeline
DF analyst (Data analysis layer) | Forensic examination objectives | Event data reconstruction | Forensic analysis procedures | Network address extraction and analysis | Entity and evidence relationship analysis | Event timeline reconstruction
Legal prosecutor (Legal presentation layer) | Legal presentation objectives | Legal presentation attributes | Legal presentation procedures | Legal jurisdiction location | Entities in litigation process | Timeline for entire event presentation
3.7 COMPARISON OF ROLE-BASED AND PROCESS FRAMEWORKS
A comparison of the process and role-based frameworks as discussed in this chapter reveals that the
process frameworks:
concentrate on the how (function).
make limited references to the who, when, where and what aspect of the FORZA
framework. Beebe and Clark refer to an examination sub-phase that refers to answers to
‘who’, ‘what’, ‘when’, ‘where’, ‘why’ and ‘how’ (see par. 3.3.4) (Beebe & Clark, 2005).
follow a step-by-step waterfall approach with some iteration between steps and phases,
whereas the role-based framework provides a high-level plan based on who should do what,
when, where, how and at which level.
do not prescribe the roles or level of performance.
do not include comprehensive legal requirements as indicated by the role of the legal
prosecutor.
The FORZA model does not add value in the sense of adding steps to the content of the
components of our CDF capability. However, the roles and the questions asked (who, when, where,
how, what and why) in Ieong’s framework will be included in the formulation of our DF
management framework in Part 2 to implement and manage our CDF capability. It will provide us
with aspects to consider, for example, on who must do what, why, when and how, if an incident
arises or we need evidence. We will map the questions of the FORZA framework to the identified
dimensions of DF: governance, people, process, policy, and technology (par. 3.6) when formulating
our DFMF in Chapter 8.
3.8 SUMMARY
We have researched and discussed the identified conventional composite process DF frameworks
and a role-based framework. The discussed frameworks have been compared and we have used the
comparison to identify elements for the ProDF and phases with steps for the ReDF, and ActDF
components of our CDF capability. We have used tags (PROACTIVE, ACTIVE and REACTIVE) to classify
the different phases and steps during the discussion of each framework. The comparisons made in
paragraph 3.4 indicate that not one of the discussed DF frameworks is comprehensive as no
framework includes all three components with the identified phases with steps. We have identified a
draft version of our CDF capability in par. 3.4. This will be the starting point for formulating more
comprehensive components of our CDF capability.
The next three chapters (4, 5, and 6) will formulate each component of the comprehensive
capability. The DF frameworks researched in this chapter focus on the preparation for investigations,
however, as indicated in Chapter 2, evidence is also required in organisations for non-investigation
purposes, for example to prove compliance (paragraph 1.3.5). In the next chapter, we will evaluate
other views on DF readiness and ProDF to obtain a comprehensive view of the ProDF component.
The ReDF component of our CDF capability has been well researched and we will consolidate the
views of the various authors and the role-based DF framework to propose a single comprehensive
view of this component in Chapter 5. The ActDF component will be formulated in Chapter 6.
3.9 FOLD-OUT FOR CHAPTER 3
Chapter 3: Conventional DF frameworks (fold-out diagram; its content is recovered here as a list)
Par. 3.2 Process oriented frameworks:
Framework 1: O'Ciardhuain (par. 3.3.1)
Framework 2: Carrier and Spafford (par. 3.3.2)
Framework 3: Baryamureeba and Tushabe (par. 3.3.3)
Framework 4: Beebe and Clark (par. 3.3.4)
Framework 5: Louwrens et al. (par. 3.3.5)
Framework 6: Casey (par. 3.3.6)
Framework 7: Forrester and Irwin (par. 3.3.7)
Par. 3.6 Role-based framework: Ieong
Par. 3.4 Comparison of process frameworks
Par. 3.5 First draft of comprehensive DF capability:
Par. 3.5.1 ProDF: 3.5.1.1 Element 1: Ensure DF ready infrastructure; 3.5.1.2 Element 2: Assess risks for all business scenarios; 3.5.1.3 Element 3: Develop information retention plan; 3.5.1.4 Element 4: Develop DF policies and procedures; 3.5.1.5 Element 5: Prepare for incident response; 3.5.1.6 Element 6: Establish DF training and awareness programmes; 3.5.1.7 Element 7: Document and validate a DF protocol against best practice
Par. 3.5.2 ActDF: 3.5.2.1 Phase 1: Acquire relevant live evidence; 3.5.2.2 Phase 2: Ensure integrity; 3.5.2.3 Phase 3: Document live acquisition process; 3.5.2.4 Phase 4: Analyse the live data
Par. 3.5.3 ReDF: 3.5.3.1 Phase 1: Incident response and confirmation; 3.5.3.2 Phase 2: Physical investigation; 3.5.3.3 Phase 3: Digital investigation; 3.5.3.4 Phase 4: Incident reconstruction; 3.5.3.5 Phase 5: Presentation of findings; 3.5.3.6 Phase 6: Incident closure
Part 1: Background to Digital Forensics
4-92 | P a g e Chapter 4: Proactive Digital Forensics (ProDF)
4 CHAPTER 4
PPRROOAACCTTIIVVEE DDIIGGIITTAALL FFOORREENNSSIICCSS ((PPrrooDDFF))
4.1 INTRODUCTION
“Whoever quipped, ‘An ounce of prevention is worth a pound of cure’ must
have been a system administrator. Many system problems can best be
solved by preventing them from occurring. However, because not all
problems can be prevented, the next best practice is preparation. Indeed,
The Coroner’s Toolkit (TCT) documentation says, ‘TCT probably won’t help
you out unless you’ve already looked at it, played with it, and know what
tools do, as well as what to expect from them’” (Frye, 2005).
Info Sec aims to protect the organisation against attacks and misuse. Controls are designed to deter
and prevent attacks but do not consider evidence and process requirements for admissible and
suitable evidence and processes. Traditionally DF is applied as a reactive discipline that concentrates
on the investigation of an incident. However, the application of DF in organisations is changing as DF
is changing from an investigation and response mechanism to a powerful pro-active measure.
DF tools are used by organisations to:
collect digital evidence in a legally acceptable format
audit an organisation’s networks and structure
validate policies and procedures
assist in identifying and prioritising major risks
provide access to an organisation’s most valuable data during an investigation
provide training in first response to avoid the contamination of evidence (Nikkel, 2006).
The CSI 2010/2011 computer crime and security survey (Richardson, 2012) has revealed that 43.2%
of respondents are using forensic tools as part of their security technology suite. DF examinations
and tools are becoming indispensable for law enforcement, corporate security and intelligence
gathering (Allen, 2005).
In Chapter 2 (par. 2.8.2) and Chapter 3 (par. 3.5.1) we identified that our CDF capability has a
proactive component. Being proactive is defined as ‘creating or controlling a situation rather than just
responding to it’ (Soanes & Hawker, 2005).
The researched literature on DF readiness concentrates on evidence identification, handling and
storage, first line incident response, DF investigation infrastructure and tool availability and training
requirements (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003; Garcia, 2005; Louwrens
et al., 2006b; Rowlingson, 2004). It does not consider the proactive inclusion of DF requirements to
enhance corporate governance structures and specifically IT governance structures, for example to
acquire digital evidence to assess and validate controls, procedures, and policies, as discussed in par.
2.5.
The chapter will use the elements of the ProDF component identified in Chapter 3 par. 3.5.1 and
examine other specific views on proactive forensics (Bradford et al., 2007) and DF readiness (Garcia,
2005; Rowlingson, 2004) to determine the relationship between ProDF and DF readiness. We will
establish that DF readiness is a subset of ProDF.
We will propose a comprehensive ProDF component for our CDF capability. The ProDF component
will enable an organisation to take the initiative by implementing adequate measures to become DF-
ready, demonstrate due diligence for good corporate governance and specifically IT governance, and
provide a mechanism to assess IT Governance frameworks and therefore improve the frameworks
(Chapter 2, par. 2.8.2). Figure 4-1 (below) depicts the role of this chapter within the overall thesis.
Figure 4-1 Role of the Chapter in the thesis (by author): Part 1: Background (Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF)); Part 2: Construction of DFMF; Part 3: Conclusion.
4.2 AIM AND STRUCTURE OF THIS CHAPTER
The aim of the chapter is to discuss and refine the ProDF component (as identified in Chapter 3, par.
3.5.1) of our CDF capability. The chapter will:
provide a brief background to ProDF (par. 4.3)
define and discuss DF readiness (par. 4.4)
compare the elements of the ProDF component (Chapter 3, par. 3.5.1) and DF readiness
viewpoints of Garcia (2005) and Rowlingson (Rowlingson, 2004) (par. 4.4)
illustrate inadequacies in current DF readiness frameworks to meet the need for a ProDF
component (Table 4.3)
demonstrate that DF readiness is a subset of ProDF (Table 4.3)
formulate the ProDF component by defining the component, propose, and briefly discuss
proposed goals and supporting elements for ProDF (par. 4.5).
Note to reader:
We have included a fold-out in par. 4.7, p. 4-115. We suggest that this page be folded out
at this stage to provide context. It is also advised that the fold-out be referred to
continuously, as it ensures that the context of reading is preserved.
4.3 BACKGROUND: WHY PRODF?
We are living in the knowledge age where information and knowledge are the most sought after
commodities. Criminals, competitors, and even employees exploit loopholes in current security
architectures, use anti-forensic techniques and tools to hide their traces and apply forensic tools and
techniques to obtain the required information to commit cybercrimes.
Organisations spend much time, money, and effort in planning for incidents, natural disasters, or
security breaches. They draft incident response, disaster recovery and business continuity plans.
These plans identify potential threats or incidents and prescribe the best way to recover and to
continue with the business as quickly as possible, as Info Sec and contingency plans focus on the
prevention, detection and containment of, and recovery from, security breaches or attacks. Very
little thought is given to the identification and preservation of evidence or the correct structuring of
processes for possible prosecution. The result is that investigations fail due to the lack of ‘good
evidence’ or inadequate procedures being followed.
Various driving factors for the use of DF in organisations have been discussed in Chapter 2, par. 2.5.
Organisations need CDE (comprehensive digital evidence) as defined in par. 2.7.2. Organisations use
DF to:
investigate incidents, fraud or employee behaviour (pars. 2.5.2.1; 2.5.2.2; 2.5.2.3; 2.5.2.4;
2.5.2.5)
assess effectiveness and efficiency of controls or procedures (par. 2.5.1.1)
assess legal, regulatory and best practice compliance (pars. 2.5.1.1; 2.5.1.2)
use DF tools for non-investigative purposes, for example to improve IT and Info Sec
governance structures and performance (par. 2.5.2.6).
Evidence is not only information stored but can also be logs generated by business processes,
snapshots of systems, cell phone records, and access control records. Different business units or
areas will have different evidence requirements. It will be necessary for organisations proactively to
determine what evidence the different business units may require.
Corporate Governance reports and legislation, for example Sarbanes-Oxley (Sarbanes-Oxley Act of
2002, 2002), King II and King III (King, 2003; 2009), demand that management be responsible and
accountable for the IT infrastructure, applications and information of the organisation, provide
reasonable assurance to assess the efficiency of controls and prove compliance by having
documented evidence of assessments and ‘good’ evidence available.
Sarbanes-Oxley requires that companies review their policies and
procedures closely regarding internal investigations, and implement the
necessary processes and tools to react quickly and effectively to reports of
fraudulent activities (Patzakis, 2003).
The application of DF tools and techniques can enable management to retrieve evidence, if the
organisation has planned their evidence requirements properly. Sarbanes-Oxley (SOX) requires an
internal computer investigation after an incident has been confirmed. The development of a whistle-blowing policy to report any fraudulent activities is essential (Patzakis & Limongelli, 2004). Figure
4-2 (below) is an adapted diagrammatic representation of internal computer investigation
requirements (required by SOX) as presented by Patzakis and Limongelli (2004).
Figure 4-2 Adapted diagrammatic representation of internal computer investigations SOX requirements (Patzakis &
Limongelli, 2004)
Organisations are aware of the corporate governance requirements, but few realise the value that
the application of DF can add. The DF protocols and tools can be used to acquire evidence to assess
the effectiveness of controls. The tools can provide documented proof of the assessment to
demonstrate due diligence with respect to good governance. It is therefore essential that
organisations prepare themselves for the use and application of DF.
The frameworks discussed and compared in Chapter 3 (par. 3.5.1) identified the need to prepare for
investigations or to become DF-ready. We have identified seven elements for a ProDF component in
Chapter 3. We will use the identified elements and existing views on DF readiness to determine if the
proposed ProDF component is the same as DF readiness. The next section will identify and
consolidate needs for ProDF.
Figure 4-2 contents (SOX sections shown in the diagram): Section 301 Complaints and allegations of fraud; Section 302 CEOs evaluate internal controls and disclose internal fraud; Section 404 Effective internal controls required; Section 409 Timely reporting; Section 802 Evidence preservation duty (severe penalties for destruction); Sections 806 and 1107 Protection and encouragement; all feeding an internal investigation infrastructure based on enterprise computer forensic best practice.
4.3.1 ProDF needs
We have identified and compiled the following list of eleven needs using the discussion in
Chapter 2, par. 2.5 and the ProDF elements identified in Chapter 3 (par. 3.5.1):
1. Identify, gather and manage potential evidence with minimal business interruption
(Beebe & Clark, 2005; Louwrens et al., 2006b; Nikkel, 2006; Rowlingson, 2004).
2. Minimise the cost and impact of an investigation (Louwrens et al., 2006b).
3. Establish training and awareness programmes (Barayumureeba & Tushabe, 2004; Beebe
& Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007; Louwrens et al., 2006b).
4. Demonstrate that organisations practice good corporate governance by demonstrating
due diligence through the application of DF tools, techniques and processes (par.
2.5.1.1).
5. Assess compliance to legal, regulatory and best practice requirements (Nikkel, 2006).
6. Assess effectiveness and efficiency of controls to enhance the IT governance and Info
Sec governance frameworks of the organisation (Louwrens & von Solms, 2005; Nikkel,
2006).
7. Incorporate DF evidence and process requirements in the contingency plans, policies
and procedures. The IRP should include criteria to prescribe when to activate trigger
events for predetermined incidents to gather live evidence (Louwrens et al., 2006b).
8. Apply DF tools using an acceptable protocol or process to ensure admissible evidence,
and a successful investigation (Louwrens et al., 2006b).
9. Ensure that the operational and investigation infrastructure can support the application
of DF tools and technologies.
10. Enable forensic activities by designing DF-friendly systems and processes. Organisations
should structure the relevant processes as forensically sound and design software
systems in such a way that makes future DF investigations easier (Bradford et al., 2007).
11. Disable anti-forensic activities (Louwrens et al., 2006b).
The list of needs may be incomplete, but we will use the above-mentioned eleven needs to
determine if ProDF is more comprehensive than DF readiness. We have identified the following
definitions for proactive forensics from literature:
Proactive computer systems forensics is the design, construction and configuration of
systems to make them most amenable to DF analysis in the future (Bradford et al.,
2007).
Proactive forensics is the ability to ‘catch’ or detect a crime as it occurs (Orebaugh,
2006).
The proactive mode of DF ensures that all necessary processes, procedures and
technologies are in place to enable action when required (Louwrens, von Solms &
Kannelis, 2006a).
The current views and definitions of ProDF refer to DF readiness and include some aspects of
structuring of systems to enable DF investigations (Bradford et al., 2007).
Note to reader:
The definitions above do not meet the expectations of the industry and governance
reports, such as Sarbanes-Oxley (Sarbanes-Oxley Act of 2002, 2002) and King II and III
(King, 2003; 2009), as they do not cover:
any assessment of controls or make provision for the documented proof of
assessment
assessment of controls for the enhancement of Governance (IT and Info Sec)
frameworks
the prevention of anti-forensic activities (Louwrens et al., 2006b).
We have proposed the following definition for ProDF in Chapter 2 (par. 2.8.2):
ProDF is the forensic preparation of an organisation to ensure successful,
cost-effective investigations, with minimal disruption to business activities,
and the use of DF to establish and manage governance programmes.
The next section will investigate DF readiness as discussed in the literature. We will compare
elements of the identified ProDF component from Chapter 3 (par. 3.5.1) with other specific
views on DF readiness. The purpose of the comparison is to determine if ProDF is already
contained in the current views on DF readiness, or if DF readiness is a subset of ProDF.
4.4 RELATIONSHIP BETWEEN DF READINESS VIEWS AND PRODF
We have compared various DF frameworks (Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey,
2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004) in Chapter 3. Most of the
mentioned frameworks included a ‘preparation’ or ‘DF readiness’ component and have proposed
different elements to implement DF readiness in organisations.
We have identified the following definitions for DF readiness from literature:
Rowlingson defines DF readiness as the ability of an organisation to maximise its potential to
use digital evidence whilst minimising the costs of an investigation (Rowlingson, 2004).
Garcia defines DF readiness as the ‘art of maximising the environment’s ability to collect
credible evidence’ (Garcia, 2005).
We propose the following definition for DF readiness, adapted from Rowlingson (2004):
DF readiness is the ability of an organisation to maximise its potential
to use comprehensive digital evidence whilst minimising the costs of
an investigation.
Note to reader:
We have identified different goals for DF readiness from the literature and will compare
them to propose goals for DF readiness. We will then identify and compare elements
(phases and/or steps) of DF readiness from the literature to propose a comprehensive list of
elements for DF readiness. We identify the goals and elements to determine whether DF
readiness as defined in the literature addresses the ProDF needs (par. 4.3.1).
We have not referred to any goals for the various elements of the frameworks discussed in
Chapter 3. We will now identify the goals for DF readiness of the frameworks discussed in
Chapter 3 (Beebe and Clark; Louwrens et al.; Barayumureeba and Tushabe) as well as the goals
for DF readiness identified by Garcia and Rowlingson.
We have not included Rowlingson (2004) and Garcia (2005) in Chapter 3 as their views
concentrate on DF readiness and not on the entire investigation process for incidents.
4.4.1 DF Readiness goals
4.4.1.1 DF readiness (preparation) goals as identified by the frameworks discussed in Chapter 3
The various authors (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier &
Spafford, 2003; Louwrens et al., 2006b) have formulated different goals for their preparation
or readiness phases. We have identified three goals:
4.4.1.1.1 Goal 1: The goal of the readiness or preparation phase is to ensure that operations
and infrastructure fully support an investigation (Barayumureeba & Tushabe, 2004;
Carrier & Spafford, 2003).
4.4.1.1.2 Goal 2: The goal of the preparation phase is to maximise the availability of
digital evidence in support of the deterrence, detection, investigation, and
prosecution of security incidents (Beebe & Clark, 2005).
4.4.1.1.3 Goal 3: The goal of the planning and preparation phase is to provide guidance on
planning and preparation of DF by referring to information retention, response
planning, DF training, cost-effective investigations, and how to accelerate an
investigation (Louwrens et al., 2006b).
Garcia and Rowlingson proposed the following goals for DF readiness:
4.4.1.2 DF Readiness goals of Garcia (2005)
Garcia has proposed a DF readiness framework that concentrates on continuity (incident
response) readiness with four goals.
4.4.1.2.1 Goal 1: Prepare the incident response capabilities.
4.4.1.2.2 Goal 2: Prepare an incident response team by defining proper processes and training
programmes.
4.4.1.2.3 Goal 3: Prepare systems and networks.
4.4.1.2.4 Goal 4: Prepare for containments.
4.4.1.3 DF Readiness goals of Rowlingson (Rowlingson, 2004)
Rowlingson proposes five goals:
4.4.1.3.1 Goal 1: Gather admissible evidence legally and without interfering with business
processes.
4.4.1.3.2 Goal 2: Gather evidence by targeting the potential crimes and disputes that may
have an adverse impact on an organisation.
4.4.1.3.3 Goal 3: Allow an investigation to proceed at a cost in proportion to the incident.
4.4.1.3.4 Goal 4: Minimise interruption to the business from any investigation.
4.4.1.3.5 Goal 5: Ensure that evidence makes a positive impact on the outcome of any legal
action.
4.4.1.4 Our proposed DF readiness goals (four goals)
We have compared, re-organised and consolidated the various goals identified above to propose four
goals for DF readiness in Table 4.1 (below) (Barayumureeba & Tushabe, 2004; Beebe & Clark,
2005; Carrier & Spafford, 2003; Garcia, 2005; Louwrens et al., 2006b; Rowlingson, 2004). Each
entry in the table refers to the paragraph number in which the corresponding author's goal is listed.
Table 4.1. Comparison of goals for DF readiness (by author)
Goal 1: Ensure that operations and infrastructure fully support an investigation
  Barayumureeba & Tushabe / Carrier & Spafford: 4.4.1.1.1; Louwrens et al.: 4.4.1.1.3; Garcia: 4.4.1.2.1, 4.4.1.2.3, 4.4.1.2.4
Goal 2: Maximise CDE availability
  Beebe & Clark: 4.4.1.1.2; Louwrens et al.: 4.4.1.1.3; Rowlingson: 4.4.1.3.1, 4.4.1.3.2, 4.4.1.3.5
Goal 3: Prepare a responsible, competent human resource capability
  Barayumureeba & Tushabe / Carrier & Spafford: 4.4.1.1.1; Louwrens et al.: 4.4.1.1.3; Garcia: 4.4.1.2.2
Goal 4: Ensure cost-effective investigations
  Louwrens et al.: 4.4.1.1.3; Rowlingson: 4.4.1.3.3, 4.4.1.3.4
We summarise the four DF readiness goals from Table 4.1 as:
Goal 1: Ensure that operations and infrastructure fully support an investigation
(Barayumureeba & Tushabe, 2004; Garcia, 2005; Louwrens et al., 2006b).
Goal 2: Maximise CDE availability (Beebe & Clark, 2005; Louwrens et al., 2006b;
Rowlingson, 2004).
Goal 3: Prepare responsible and competent employees (Barayumureeba & Tushabe,
2004; Garcia, 2005; Louwrens et al., 2006b).
Goal 4: Ensure a cost-effective investigation (Louwrens et al., 2006b; Rowlingson,
2004).
Note to reader:
The various authors who we reference in this section use ‘steps’ or ‘phases with related
steps’ to discuss what is covered by their DF readiness or preparation component. The
authors did not discriminate between the terms ‘phases’ and ‘steps’.
We will now compare phases and/or steps of the identified authors to identify elements of
DF readiness. The elements should support the identified goals of DF readiness. There is
no explicit correlation between individual goals and the supporting phases and/or steps
(elements).
4.4.2 DF Readiness elements
We will compare the identified elements of ProDF from Chapter 3 (par. 3.5.1) and phases or
steps proposed by Garcia (2005) and Rowlingson (2004) to propose a set of elements for DF
readiness.
4.4.2.1 Garcia (2005)
Garcia has suggested the following four phases:
4.4.2.1.1 Phase 1: Prepare the incident response capabilities
Laboratory: ensure that there is an isolated network, forensic servers, short- and long-
term servers, isolated systems and disk servers
Availability of a jump bag: blank media, disk duplicators and networking gear
Availability of relevant forensic tools.
4.4.2.1.2 Phase 2: Prepare an incident response team
Define forensically sound processes: consider crime scene procedures, how to maintain the
chain of custody, and legal requirements
Provide forensic tool training: these tools can include commercial or free tools,
operating systems, applications, hardware and physical devices
Include real life case training in the training programmes.
4.4.2.1.3 Phase 3: Prepare systems and networks
Utilise and maximise logging capabilities
Use profiling
Use periodical auditing
Analyse forensic data
Use forensic friendly file systems
Use good practices for file system separation
Enable remote logging.
4.4.2.1.4 Phase 4: Prepare for containments
Consider the network by using good practices for network design and choke points
Set up host-based firewalls
Have a restricted investigative team.
4.4.2.2 Rowlingson (2004)
Rowlingson proposed ten steps:
4.4.2.2.1 Step 1: Define the business scenarios that will require digital evidence
4.4.2.2.2 Step 2: Identify available sources and different types of potential evidence
4.4.2.2.3 Step 3: Determine the evidence collection requirements
4.4.2.2.4 Step 4: Establish a capability to securely gather legally admissible evidence
4.4.2.2.5 Step 5: Establish a policy for secure storage and handling of evidence and write up a
secure evidence policy
4.4.2.2.6 Step 6: Ensure that monitoring and auditing is targeted to detect and deter major
incidents
4.4.2.2.7 Step 7: Specify the circumstances of when to escalate to a full formal investigation
4.4.2.2.8 Step 8: Train staff in incident awareness, including their role in the investigation
process and the legal requirements of evidence
4.4.2.2.9 Step 9: Document an evidence-based case describing the incident and its impact
4.4.2.2.10 Step 10: Ensure legal review to facilitate action in response to the incident.
4.4.2.3 Proposed DF readiness elements
We have consolidated, re-organised, and compared the preliminary elements of the
proposed ProDF component as identified in Chapter 3 (par. 3.5.1), phases of Garcia (par.
4.4.2.1), and the steps by Rowlingson (par. 4.4.2.2) for DF readiness in Table 4.2 (below) to
propose five elements for DF readiness.
Table 4.2. Comparison of DF readiness elements (by author)
Element 1: Develop an information retention plan
  Chapter 3: 3.5.1.2, 3.5.1.3, 3.5.1.4; Garcia: (none); Rowlingson: 4.4.2.2.1, 4.4.2.2.2, 4.4.2.2.3, 4.4.2.2.5
Element 2: Prepare the infrastructure (operational infrastructure, including incident response capabilities; DF investigation infrastructure)
  Chapter 3: 3.5.1.1, 3.5.1.5; Garcia: 4.4.2.1.1, 4.4.2.1.2, 4.4.2.1.3, 4.4.2.1.4; Rowlingson: 4.4.2.2.4, 4.4.2.2.6, 4.4.2.2.7
Element 3: Develop a DF training and awareness programme
  Chapter 3: 3.5.1.6; Garcia: (none); Rowlingson: 4.4.2.2.8
Element 4: Establish a DF management capability
  Chapter 3: 3.5.1.5, 3.5.1.7; Garcia: (none); Rowlingson: 4.4.2.2.10
Element 5: Document and validate a DFI protocol against best practice (documented evidence-based cases describing the incident and its impact are available)
  Chapter 3: 3.5.1.4, 3.5.1.5; Garcia: (none); Rowlingson: 4.4.2.2.9
We propose the following five DF readiness elements from Table 4.2:
4.4.2.3.1 Element 1: Develop an information retention plan (pars. 3.5.1.2 - 3.5.1.4; 4.4.2.2.2;
4.4.2.2.3; 4.4.2.2.5)
Define the business scenarios that will require digital evidence during risk assessment
(pars. 3.5.1.2; 4.4.2.2.1).
Identify available sources and different types of potential evidence (pars. 3.5.1.2,
3.5.1.3; 4.4.2.2.2).
Determine the evidence collection requirement; include legal, regulatory, and technical
requirements (pars. 3.5.1.3; 4.4.2.2.3; 4.4.2.2.4).
Establish relevant policies and procedures; for example, secure storage, handling of
evidence, evidence preservation policy to preserve the chain of custody (pars. 4.4.2.2.5;
3.5.1.4)
Establish a capability to gather evidence systematically (par.3.5.1.3).
Ensure monitoring and auditing is targeted to detect and deter major incidents (par.
4.4.2.2.6).
This element supports DF readiness goal 2: maximise CDE availability.
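As an added worked example (not part of the thesis or of any of the frameworks it cites), the following Python script shows one way to implement the evidence preservation and chain-of-custody requirement of element 1, and the same mechanism serves the later point (par. 4.5.2.2.2) that DF procedures must make it possible to prove that information is original and has not been altered. Every handling step records the SHA-256 of the evidence together with a hash of the previous custody entry, so that alteration of the evidence and alteration of the custody record itself are both detectable. The sample log fragment, the actor names and the timestamps are constructed for the illustration.

```python
"""Evidence intake with a hash-chained chain-of-custody record (illustrative)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence (not from the thesis): one acquired log fragment.
SAMPLE_EVIDENCE = (
    b"Nov  1 09:14:02 fileserver sshd[4011]: Accepted publickey for jdoe from 10.0.5.23 port 51822\n"
    b"Nov  1 09:14:40 fileserver sudo: jdoe : COMMAND=/bin/rm -rf /srv/finance/2011Q3\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Hash every field except entry_hash itself, using a canonical serialisation
    # (sorted keys, no whitespace) so the hash is reproducible on verification.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    """Append-only chain-of-custody record; each entry commits to the previous one."""

    GENESIS = "0" * 64  # prev_entry_hash of the first (acquisition) entry

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, evidence: bytes, when: str = None) -> dict:
        """Append a custody event; `when` is an ISO-8601 string, defaulting to now (UTC)."""
        ts = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": ts,
            "actor": actor,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if no entry was edited, removed, reordered or inserted."""
        expected_prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_entry_hash"] != expected_prev:
                return False
            if _entry_hash(entry) != entry["entry_hash"]:
                return False
            expected_prev = entry["entry_hash"]
        return True

    def verify_evidence(self, evidence: bytes) -> bool:
        """True if the chain is intact and every step saw the evidence as acquired."""
        if not self.entries or not self.verify_chain():
            return False
        acquired = self.entries[0]["evidence_sha256"]
        return (all(e["evidence_sha256"] == acquired for e in self.entries)
                and sha256_hex(evidence) == acquired)


def build_demo_log() -> CustodyLog:
    """Three constructed hand-overs of the same evidence (names and times are assumptions)."""
    log = CustodyLog()
    log.record("first-responder", "acquired", SAMPLE_EVIDENCE, "2011-11-01T09:30:00+00:00")
    log.record("first-responder", "transferred to DF lab", SAMPLE_EVIDENCE, "2011-11-01T11:05:00+00:00")
    log.record("analyst", "analysed (read-only)", SAMPLE_EVIDENCE, "2011-11-02T08:12:00+00:00")
    return log


def tampered_evidence() -> bytes:
    # Anti-forensic manipulation: the incriminating command is edited out of the copy.
    return SAMPLE_EVIDENCE.replace(b"rm -rf", b"ls -la")


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify_chain())
    print("evidence original:", log.verify_evidence(SAMPLE_EVIDENCE))
    print("tampered copy original:", log.verify_evidence(tampered_evidence()))
    # Editing a past entry (for example re-attributing an action) breaks the chain.
    log.entries[1]["actor"] = "someone-else"
    print("chain intact after edit:", log.verify_chain())
```

Run stand-alone, the script prints the four checks; the first two succeed and the last two fail. The chain only proves internal consistency: a party who can rewrite every entry can rebuild a consistent chain, so in practice the latest entry hash is anchored outside the record (for example signed by the custodian or written to a write-once store) at each hand-over.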
4.4.2.3.2 Element 2: Prepare the infrastructure (pars. 3.5.1.1; 4.4.2.1.3)
We discriminate between the operational and investigation infrastructure:
Prepare the operational Infrastructure by preparing systems and networks (pars. 3.5.1.1;
4.4.2.1.3). Organisations should:
establish a capability to systematically gather legally admissible evidence, for
example, turn on and maximise logging capabilities and periodical auditing (par.
4.4.2.1.3). Implement an IDS to ensure the early detection of incidents (par. 3.5.1.5)
by using, for example, profiling (par. 4.4.2.1.3).
enable remote logging (par. 4.4.2.1.3) for live evidence acquisition.
configure relevant devices, for example time synchronization of all relevant devices
and systems, to prevent anonymous activities and the use of anti-forensic strategies,
for example, data destruction, manipulation, or data hiding (pars. 3.5.1.1; 3.5.1.4).
design systems to enable forensic activities, for example, use forensic friendly file
systems and use good practices for file system separation (pars. 4.3 (10); 4.4.2.1.3).
augment the IRP (including policies, staff assignments, and technical responsibilities)
(par. 3.5.1.5). Specify the circumstances when to escalate to a full formal investigation
(pars. 3.5.1.5; 4.4.2.2.7) and augment or develop incident response policies and
procedures (pars. 3.5.1.5; 4.4.2.1.1). It is essential to develop strategies to contain
incidents (par. 4.4.2.1.4).
Create and prepare a DF investigation infrastructure.
Ensure the availability of a fully equipped DF investigation laboratory to ensure there is
available an isolated network, forensic servers, short- and long-term servers, and
isolated systems (pars. 3.5.1.1; 4.4.2.1.1).
The laboratory must have available blank media, disk duplicators, networking gear and
appropriate forensic tools (par. 4.4.2.1.1). Ensure there are the relevant tools and
technologies available to acquire and analyse live, static, and legacy evidence (par.
4.4.2.1.1).
This element supports DF readiness goal 1: Ensure that operations and infrastructure fully
support an investigation.
4.4.2.3.3 Element 3: Develop DF education, training and awareness programmes to prepare
responsible and competent employees
It will be essential to establish different education, training and awareness programmes
(pars. 3.5.1.6; 4.4.2.1.2), for example, forensic tool training or first-responder’s training and
awareness programmes for the employees.
This element supports DF Readiness goal 3: Prepare a responsible competent human
resource capability.
4.4.2.3.4 Element 4: Establish a DF management capability
To manage the application of DF in an organisation, it is essential to define roles,
responsibilities, and a clear strategy on how to apply DF in the organisation. We have
identified the following:
Establish a CERT (pars. 3.5.1.5; 3.5.1.7; 4.4.2.1.2; 4.4.2.1.4)
Clearly define responsibilities and authority for the CERT and DFI teams (par. 3.5.1.5)
Define circumstances when it would be necessary to engage professional DFI services
(par. 3.5.1.5)
Establish capabilities and response times for external digital forensic investigation (DFI)
professionals (pars. 3.5.1.5; 4.4.2.1.2)
Ensure legal review to facilitate action in response to the incident (par. 4.4.2.2.10).
This element supports DF readiness goal 1: Ensure that operations and infrastructure fully
support an investigation and goal 4: Ensure cost-effective investigation.
4.4.2.3.5 Element 5: Document and validate a DFI protocol against best practice (pars.
3.5.1.4; 3.5.1.5; 4.4.2.2.10)
With a documented and validated protocol, organisations will be able to conduct successful
investigations, and documented evidence-based cases describing the incident and its impact on
the organisation (par. 4.4.2.2.9) will be available.
This element supports DF readiness goal 1: ensure that operations and infrastructure fully
support an investigation, and goal 4: ensure cost-effective investigation.
4.4.3 DF Readiness versus ProDF
The above five elements of DF readiness concentrate on proactive identification, handling,
preservation and acquisition evidence, an acceptable protocol for the handling of incidents,
training, some aspects of the management of DF in organisations, and infrastructure readiness.
We have indicated that the five elements fully support the four goals of DF readiness as
identified in par. 4.4.1.4.
To determine if DF readiness is the same as the proposed ProDF component, we will now
compare the identified needs for ProDF as identified in par.4.3.1 and the five elements of DF
readiness.
We have identified a list of reasons why organisations should prepare themselves (needs for ProDF,
par. 4.3.1) to ensure evidence availability and DF sound processes. Table 4.3 (below) maps the
needs with the identified elements of DF readiness to determine if ProDF is more comprehensive
than DF readiness.
Table 4.3. Relationship between ProDF needs and DF readiness (by author)
ProDF need (par. 4.3.1) / Status of ProDF need / DF readiness element
1. Identify, gather and manage potential evidence with minimal business interruption (Beebe & Clark, 2005; Louwrens et al., 2006b; Rowlingson, 2004) / Fully met / Element 1
2. Minimise the cost and impact of an investigation (Louwrens et al., 2006b; Rowlingson, 2004) / Partially met / Element 4
3. Establish a DF training and awareness programme (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester & Irwin, 2007; Louwrens et al., 2006b) / Fully met / Element 3
4. Demonstrate that organisations practise good corporate governance through due diligence with the use of DF tools, techniques and processes (Rowlingson, 2004) / Not met / -
5. Assess compliance with legal and regulatory requirements (Nikkel, 2006) / Not met / -
6. Assess the effectiveness and efficiency of controls and processes to enhance the IT governance and Info Sec governance frameworks of the organisation (Louwrens & von Solms, 2005; Nikkel, 2006) / Not met / -
7. Incorporate DF evidence and process requirements in the contingency plans, policies and procedures. The IRP should include criteria prescribing when to activate trigger events for predetermined incidents to gather live evidence (Louwrens et al., 2006b) / Partially met / Elements 2, 4
8. Application of DF tools using an acceptable protocol or process to ensure admissible evidence and a successful investigation (Louwrens et al., 2006b) / Fully met / Elements 1, 4, 5
9. Ensure that the operational and investigation infrastructure can support the application of DF tools and technologies / Fully met / Element 2
10. Enable forensic activities by designing DF-friendly systems and processes. Organisations should structure the relevant processes to be forensically sound and design software systems in such a way as to facilitate future DF investigations (Bradford et al., 2007) / Partially met / Element 2
11. Disable anti-forensic activities (Louwrens et al., 2006b) / Fully met / Element 2
The elements for DF readiness fully address needs 1, 3, 8, 9 and 11, and partially address needs 2, 7
and 10. Needs 4, 5 and 6 have not been addressed.
We propose including the partially covered need 7 (criteria to activate an ActDF investigation) in DF
readiness element 2: Prepare the infrastructure. Organisations can configure the infrastructure and
incident response procedures to incorporate criteria as to when to start an ActDF investigation.
The needs not fully addressed by the DF readiness elements (Table 4.3 above) are:
Minimise the cost and impact of an investigation (need 2)
Use DF to demonstrate good corporate and / or IT governance (need 4)
Demonstrate compliance (need 5)
Enhance the security posture and IT governance frameworks (need 6)
Incorporate DF evidence and process requirements in the contingency plans, policies
and procedures. The IRP should include criteria to prescribe when to activate trigger
events for predetermined incidents to gather live evidence (need 7)
Enable forensic activities in organisations (need 10).
Note to reader:
DF readiness as discussed in the researched literature in this chapter is therefore a
subset of ProDF.
Now that we have determined that DF readiness is a subset of our intended ProDF component, we
can proceed to define and propose goals with supporting elements for the ProDF component of our
CDF capability. The next section proposes a ProDF plan for our ProDF component.
4.5 PROPOSED PRODF PLAN FOR THE PRODF COMPONENT
Sommer (2005) suggests that organisations should have a DF readiness plan, however, we are
convinced that organisations need more than this as DF readiness is a subset of ProDF. We propose
extending the DF readiness plan to a ProDF plan with GOALS and associated elements for the ProDF
component of our CDF capability. The next section provides a definition for ProDF, and proposes
goals for the ProDF component.
4.5.1 ProDF definition
We have compared different definitions for ProDF in par. 4.3.1 and will use the proposed
provisional definition for ProDF from Chapter 2 (par. 2.8.2):
ProDF is the forensic preparation of an organisation to ensure successful, cost-
effective investigations, with minimal disruption to business activities, and the
use of DF to establish and manage governance programmes.
Note to reader:
It is our opinion that the focus of ProDF is on having DF sound processes, prepared
employees and infrastructure, well-defined policies, the use of trusted DF tools, and
acceptable and trustworthy evidence available.
4.5.2 ProDF goals
We use the identified needs for ProDF (par. 4.3.1 and Table 4.3) to identify two goals for ProDF:
ProDF Goal 1: Become DF-ready (needs 1, 2, 3, 7, 8, 9, 10, 11)
ProDF Goal 2: Implement and manage DF to improve governance programmes (IT and
Info Sec) (needs 4, 5, and 6).
The nature of ProDF goal 2 necessitates moving element 4: Establish a DF management
capability (par. 4.4.2.3.4) of DF readiness to ProDF goal 2. The next section will briefly discuss
each of the two goals identified above to provide an overview of the ProDF component.
4.5.2.1 ProDF Goal 1: Become DF-ready
We use the four DF readiness goals proposed in par. 4.4.1.4 as the sub-goals of ProDF goal 1:
4.5.2.1.1 Sub-goal 1: Prepare the infrastructure
Prepare the operational and DF investigation infrastructure (element 2 of DF readiness).
4.5.2.1.2 Sub-goal 2: Maximise CDE availability
Develop an information retention plan (element 1 of DF readiness).
4.5.2.1.3 Sub-goal 3: Prepare responsible, competent employees
Develop relevant DF education, training and awareness programmes (element 3 of DF
readiness).
4.5.2.1.4 Sub-goal 4: Ensure a cost-effective investigation
To ensure a cost-effective investigation it is essential to determine the impact of the incident
on the organisation (partially element 4 of DF readiness), document and validate a DFI
protocol against best practice (element 5 of DF readiness).
4.5.2.2 ProDF Goal 2: Implement and manage DF to improve governance programmes
Organisations have in place governance programmes to enable them to achieve organisational
objectives. The governance programmes (including IT and Info Sec) of the organisation can be
improved by the implementation of our CDF capability to ensure CDE availability. It will ensure
that management can demonstrate due diligence with respect to good governance as
documented assessments can be available to prove the effectiveness of controls measured
against business objectives (IT and Info Sec objectives).
Governance programmes generally must be established, implemented, managed and reviewed.
The managing and review processes will be recursive. We will discuss how the incorporation of
DF can improve governance programmes.
We have identified two sub-goals:
4.5.2.2.1 Sub-goal 1: Establish a DF management capability
The first step that organisations should consider is to augment the organisational structure
to include DF (with roles and responsibilities to deal with DF in the organisation) (Nikkel,
2006).
There should be a clear segregation of duties between the DF, Risk management, CERT, and
Info Sec teams. Investigations are often compromised when these roles and responsibilities
are not clearly defined or segregated (par. 4.4.2.3.4).
The decision when to engage with professional DFI services (outsource) should be clearly
defined; and legal services should be available to facilitate action in response to the incident
(par. 4.4.2.3.4).
4.5.2.2.2 Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of
organisational objectives
DF requirements for evidence and processes should be included in the accepted risk
management and control frameworks to provide reasonable assurance regarding the
achievement of organisational objectives to:
safeguard the organisation’s assets (including information).
It is essential that the board of directors guarantee the integrity of all documents (Hilley,
2006). Section 802 of Sarbanes-Oxley indicates that there are criminal penalties if
documents are altered. DF procedures must adhere to legal requirements for evidence;
therefore, it will be possible to prove that the information is original and has not been
altered.
DF tools and techniques can be applied to acquire evidence to investigate the misuse of
equipment. It is also essential to develop a whistle-blowing policy (Patzakis & Limongelli,
2004). The Info Sec team should incorporate DF techniques in the IT auditing
procedures, as this will enable a more accurate audit trail so that the evidence acquired
can stand up to legal scrutiny.
assess compliance with applicable laws, regulations, industry and supervisory
requirements.
DF readiness can assist organisations by the proactive identification of information as
potential evidence on the corporate network. The evidence can be used to prove
compliance.
support business sustainability under normal as well as adverse operating conditions.
Under normal operating conditions, DF can be applied to assess key risk areas. The risk
assessment should address the company’s exposure to, at least: physical and
operational risks; human resource risks; technology risks; business continuity and
disaster recovery; credit and market risks; and compliance risks.
IT and Info Sec governance frameworks in organisations will have weak points.
Organisations apply DF tools for penetration tests to determine the vulnerabilities
(Richardson, 2008). Organisations should evaluate all emerging technologies to
determine the risks involved and whether the current DF tools will be adequate to
investigate an incident.
The responsible use of DF tools can improve the effectiveness and efficiency of the
application of technology in an organisation. DF tools and techniques can be applied to
assist in data recovery (crashed hard disk), wiping of hard disk before the disposal of
equipment and retrieval of lost passwords. Operations can resume after the application
of the tools and interruption to business operations can be minimised.
It is necessary to consider DF requirements when formulating the IT governance
controls, policies, and processes. We researched the literature and propose that the
following CobiT (ITGI, 2000) controls should be covered (Guldentops et al., 2005;
Louwrens & von Solms, 2005). All the controls in Table 4.4 (below) should consider
DF requirements.
Table 4.4. CobiT controls to include DF requirements (by author)
PO: Planning and organisation
  PO1, Define strategic plan
  PO2, Define the information architecture
  PO3, Determine technological direction
  PO4, Define IT processes, organisation and relationships
  PO6, Communicate management aims and direction
  PO8, Manage quality
  PO9, Assess risks and manage IT risks
AI: Acquisition and implementation
  AI1, Identify automated resources
  AI2, Acquire and maintain application software
  AI3, Acquire and maintain technology / infrastructure
  AI4, Enable operations and use
  AI5, Procure IT resources
  AI6, Manage changes
  AI7, Install and accredit solutions and changes
DS: Delivery and support
  DS1, Define and manage service levels
  DS2, Manage third party services
  DS3, Manage performance and capacity
  DS4, Ensure continuous service
  DS5, Ensure system security
  DS6, Identify and allocate cost
  DS7, Educate and train users
  DS8, Manage service desk and incidents
  DS9, Manage configuration
  DS10, Manage problems
  DS11, Manage data
  DS12, Manage physical environment
  DS13, Manage operations
M: Monitor and evaluate
  M1, Monitor and evaluate IT performance
  M2, Monitor and evaluate internal control
  M3, Ensure regulatory compliance
  M4, Provide IT governance
In adverse conditions, it is essential to consider the revision or augmentation of
contingency plans, policies and procedures (incident response, disaster recovery and
business continuity) to ensure minimum business interruption and impact on the
operations of the organisation (some aspects have been covered by DF readiness sub-
goal 1).
ensure reliability of reporting
The application of DF tools, techniques and frameworks can enable the board to meet
the King II requirement (von Solms & von Solms, 2009) that stipulates that
‘the board is responsible for ensuring that a systematic, documented assessment of
the processes and outcomes surrounding key risks is undertaken annually, for the
purpose of making a public statement on risk management. Should an incident arise
and an investigation is completed the organisation should provide a report
describing the incident; its impact and review report should be available’.
The incorporation of DF techniques in auditing procedures will ensure more credible
audit results. Management should receive regular reports on the risk management
process in the organisation as well as regular updates on an investigation progress.
encourage responsible behaviour towards all stakeholders. (King, 2003)
Management will be able to use the documented assessments to prove that regular
checks have been performed. It is essential to demonstrate transparency and
responsibility towards the stakeholders to communicate impact of the incident on the
organisation, the root cause of the incident and the result of an investigation.
Figure 4-3 (below) is a graphical representation of the ProDF component.
Figure 4-3. Graphical representation of the ProDF component (by author)
ProDF
  ProDF goal 1: Become DF-ready
    Sub-goal 1: Prepared infrastructure
    Sub-goal 2: Maximise CDE availability
    Sub-goal 3: Prepare responsible, competent employees
    Sub-goal 4: Ensure a cost-effective investigation
  ProDF goal 2: Implement and manage DF to improve governance programmes
    Sub-goal 1: Establish a DF management capability
    Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of organisational objectives
The chapter has discussed the need for a ProDF component, and compared current DF readiness
frameworks and ProDF viewpoints. We have formulated a ProDF framework with two goals and
associated sub-goals. We will use the ProDF framework for the ProDF component of our CDF
capability in Chapter 7.
4.6 SUMMARY
DF is no longer a reactive discipline, but plays a distinct proactive role in organisations. In the
chapter, we have argued and demonstrated that ProDF is more than readiness. DF readiness
concentrates on evidence identification and management, training of staff, incident response and
infrastructure readiness.
The ProDF component concentrates on the wider application of DF requirements for digital
evidence availability and process formulation to meet the requirements set out by corporate
governance reports. The evidence can be used to enhance governance frameworks by assessing the
effectiveness and efficiency of controls and to prove compliance.
ProDF also considers other factors that can influence DF investigations, for example, prevention of
anti-forensic strategies and tools that can contaminate or delete potential evidence. It is essential
when preparing organisations for digital investigations to design and implement systems that will
enable forensic activities.
The chapter proposed a ProDF plan (par. 4.5) with goals and steps that will be used in the
consolidation of the ProDF component of our CDF capability in Chapter 7. The next chapter will
consolidate the ReDF component of our CDF capability.
4.7 FOLD-OUT FOR CHAPTER 4
Fold-out diagram for Chapter 4: Proactive DF (ProDF). The diagram maps the chapter's paragraphs as follows:
Par. 4.3 Background: why ProDF? (Par. 4.3.1 ProDF definition)
Par. 4.4 Relationship between DF-readiness and ProDF
Par. 4.4.1 Goals of DF-readiness: 4.4.1.1 DF-readiness goals from Chapter 3; 4.4.1.2 DF-readiness goals of Garcia; 4.4.1.3 DF-readiness goals of Rowlingson; 4.4.1.4 Our proposed DF-readiness goals (Goal 1: Ensure that operations and infrastructure fully support an investigation; Goal 2: Maximise CDE availability; Goal 3: Prepare a responsible, competent human resource capability; Goal 4: Ensure a cost-effective investigation)
Par. 4.4.2 ProDF needs DF-readiness elements: 4.4.2.1 Garcia; 4.4.2.2 Rowlingson; 4.4.2.3 Our proposed 7 DF-readiness elements (4.4.2.3.1 Element 1: Develop information retention plan; 4.4.2.3.2 Element 2: Prepare the infrastructure; 4.4.2.3.3 Element 3: Develop a training and awareness strategy; 4.4.2.3.4 Element 4: Establish a DF management capability; 4.4.2.3.5 Element 5: Document and validate DFI protocol)
Par. 4.5 Proposed ProDF plan for the ProDF component (Par. 4.5.1; Par. 4.5.2 ProDF goals)
4.5.2.1 ProDF goal 1: Become DF-ready (4.5.2.1.1 Sub-goal 1: Prepare infrastructure; 4.5.2.1.2 Sub-goal 2: Maximise CDE availability; 4.5.2.1.3 Sub-goal 3: Prepare a responsible, competent HR capability; 4.5.2.1.4 Sub-goal 4: Ensure cost-effective investigation)
4.5.2.2 ProDF goal 2: Implement DF to enhance governance programmes (4.5.2.2.1 Sub-goal 1: Establish DF management capability; 4.5.2.2.2 Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of organisational objectives)
Part 1: Background to Digital Forensics
5-116 | P a g e Chapter 5: Reactive Digital Forensics (ReDF)
5 CHAPTER 5
REACTIVE DIGITAL FORENSICS (ReDF)
5.1 INTRODUCTION
In a perfect world there would be no need for forensic investigations, but incidents happen, cyber-
attacks are launched and disgruntled employees can destroy data. Organisations must determine
how the incident happened, who was responsible, and what damage was caused.
Comprehensive digital evidence (CDE) will be required to provide management with the answers.
However, forensics is a very specific discipline, operating in a well-defined legal and regulatory
environment. Rules and requirements for admissible evidence exist, and procedures must be
designed to be DF sound (Louwrens et al., 2006a). Most DF investigation frameworks are very
specific and prescribe systematically what should be done and how.
The ReDF component is well researched and we have compared various frameworks in Chapter 3.
We used the comparison to identify a comprehensive list of six phases with associated steps for the
ReDF component as none of the frameworks contained all the phases and steps, as indicated in
Table 3.3. The purpose of this chapter is to consolidate the ReDF component as identified in Chapter
3. Figure 5-1 (below) depicts the role of this chapter within the overall thesis.
Figure 5-1. Role of the chapter in the thesis. The figure shows the thesis structure: Part 1: Background (Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF)), Part 2: Construction of DFMF, and Part 3: Conclusion.
5.2 AIM AND STRUCTURE OF THIS CHAPTER
The aim of the chapter is to consolidate the ReDF component of our CDF capability as identified in
Chapter 3. It will:
confirm the definition of ReDF (par.5.3)
propose goals for the ReDF component as the identified frameworks discussed in
Chapter 3 did not include explicit goals for ReDF (par. 5.4)
consolidate an ReDF protocol with a comprehensive list of phases with related steps for
the ReDF component as proposed in Chapter 3 (par. 5.5)
evaluate the phases and steps of the ReDF component (par. 5.6).
Note to reader:
There is a large amount of repetition in this chapter from Chapter 3, in which the ReDF
phases and steps were proposed. However, we have included them to provide a clear
overview of the content of the ReDF component.
The next section will confirm the definition of ReDF.
5.3 DEFINITION OF REDF
No organisation is fully prepared for all incidents. ReDF as defined by us concentrates on the
traditional DF investigation (dead forensics) that will take place after an incident is detected and
confirmed. It is essential that organisations, specifically first responders and DF investigators, should
use an acceptable and proven DF investigation protocol to conduct the investigation (Louwrens et
al., 2006b). We have proposed a provisional definition for ReDF in par. 2.8.1 as:
An ReDF component is the application of analytical and investigative techniques for the
preservation, identification, extraction, documentation, analysis, and interpretation of
digital media, for evidentiary and/or root cause analysis, and the presentation of
comprehensive digital evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of incidents (Kruse & Heiser, 2004; Palmer,
2001; Reith et al., 2002; Rowlingson, 2004).
The identified DF frameworks in Chapter 3 did not explicitly state goals for ReDF investigations. The
next section will propose goals of ReDF.
5.4 GOALS OF REDF
The ReDF component will be activated after an incident has been detected. We have used the
definitions for DF and the frameworks discussed in Chapter 3 to propose the following two goals of
ReDF (investigations) (Kruse & Heiser, 2004; Palmer, 2001; Reith et al., 2002; Rowlingson, 2004):
ReDF Goal 1: Successfully investigate an incident
To achieve this goal it is essential to acquire the relevant CDE and to determine the root
cause of the incident, link the perpetrator to the incident, and present the case successfully.
ReDF Goal 2: Minimise the impact of an incident.
The ReDF protocol will support the above-mentioned goals. The protocol has a list of phases
with related steps. The next section consolidates the protocol with six phases and associated
steps as identified in par. 3.5.3, p. 3-82 for the ReDF component.
5.5 REDF PROTOCOL
We have already proposed the following phases with steps in Chapter 3, par. 3.5.3:
5.5.1 PHASE 1: Incident response and confirmation phase
This phase consists of ten steps:
5.5.1.1 Step 1: Initiate the IRP from Info Sec or the corporate contingency plan (Casey, 2004;
Louwrens et al., 2006b)
5.5.1.2 Step 2: Detect an activity (Beebe & Clark, 2005; Carrier & Spafford, 2003; Forrester &
Irwin, 2007; O'Ciardhuain, 2004)
5.5.1.3 Step 3: Report the incident (Louwrens et al., 2006b)
5.5.1.4 Step 4: Conduct an assessment of worth of the incident (Beebe & Clark, 2005; Carrier
& Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007)
The incident must be evaluated to determine if it is valid. The first responder must
assess the damage that the incident can cause or its impact on the organisation. The
next step will be to confirm the incident or to declare it as ‘no incident’. It is essential to
determine the relevance and nature of the investigation, and whether it will be a formal
or informal investigation.
5.5.1.5 Step 5: Obtain the relevant internal and external authorisation (Carrier & Spafford, 2003;
O'Ciardhuain, 2004)
5.5.1.6 Step 6: Activate the incident containment strategy (Beebe & Clark, 2005; Carrier &
Spafford, 2003)
5.5.1.7 Step 7: Coordinate all the resources (Beebe & Clark, 2005; Louwrens et al., 2006b)
5.5.1.8 Step 8: Formulate an investigation plan (Beebe & Clark, 2005)
5.5.1.9 Step 9: Depending on the conditions set out in policy, accelerate the investigation (Louwrens
et al., 2006b)
5.5.1.10 Step 10: Notify the relevant parties of the investigation (Forrester & Irwin, 2007;
O'Ciardhuain, 2004).
5.5.2 PHASE 2: Physical investigation phase (if relevant)
This phase consists of seven steps:
5.5.2.1 Step 1: Secure the physical crime scene (Barayumureeba & Tushabe, 2004; Carrier &
Spafford, 2003; Forrester & Irwin, 2007)
5.5.2.2 Step 2: Survey the crime scene for potential evidence (Barayumureeba & Tushabe, 2004;
Carrier & Spafford, 2003; Louwrens et al., 2006b)
5.5.2.3 Step 3: Search for and collect potential evidence.
5.5.2.4 Step 4: Acquire the physical evidence
The investigator should use an acceptable procedure, for example, photograph, bag,
label, and document the individual evidence items. The investigator must identify the
different types of evidence, e.g., fingerprint or digital, to ensure that each item is
analysed by the relevant forensic laboratory (Barayumureeba & Tushabe, 2004; Carrier
& Spafford, 2003; Forrester & Irwin, 2007; Louwrens et al., 2006b).
5.5.2.5 Step 5: Reconstruct the incident (Barayumureeba & Tushabe, 2004)
5.5.2.6 Step 6: Transport the evidence to a relevant investigation laboratory whilst ensuring the
chain of custody is maintained (Barayumureeba & Tushabe, 2004; Louwrens et al.,
2006b)
5.5.2.7 Step 7: Store the evidence in a secure facility
Determine the storage requirements by considering a safe custody room, access
control, and requirements to maintain the chain of custody (Barayumureeba &
Tushabe, 2004; Louwrens et al., 2006b).
5.5.3 PHASE 3: Digital investigation phase
This phase consists of four sub-phases:
5.5.3.1 Sub-phase 1: Securing the digital evidence (four steps) (Carrier & Spafford, 2003)
5.5.3.1.1 Step 1: Preserve the digital crime scene (O'Ciardhuain, 2004)
5.5.3.1.2 Step 2: Ensure the integrity of the evidence (Beebe & Clark, 2005; Casey, 2004;
Louwrens et al., 2006b):
The investigators must follow established DFI protocol (Casey, 2004; Louwrens et al.,
2006b) and write-protect all media (Louwrens et al., 2006b)
5.5.3.1.3 Step 3: Preserve the evidence by making a forensic copy of the potential evidence
(Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Louwrens et al., 2006b)
5.5.3.1.4 Step 4: Document all activities to ensure the chain of evidence and chain of custody.
5.5.3.2 Sub-phase 2: Evidence acquisition (five steps)
5.5.3.2.1 Step 1: Acquire the relevant evidence (Barayumureeba & Tushabe, 2004; Beebe &
Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Louwrens et al., 2006b):
To acquire the relevant evidence, it is essential to recover or collect static, live,
hidden, and deleted evidence. Harvest all data and metadata relevant to the
incident.
5.5.3.2.2 Step 2: Authenticate the evidence by applying verification algorithms (for example,
cryptographic hash values computed at acquisition and re-checked later) to ensure originality:
Investigators should timestamp all evidence to enable time-lining (Carrier &
Spafford, 2003; Louwrens et al., 2006b).
5.5.3.2.3 Step 3: Transport the evidence to the relevant laboratory whilst ensuring the chain
of custody is maintained (Carrier & Spafford, 2003; O'Ciardhuain, 2004)
5.5.3.2.4 Step 4: Store the evidence in a secure facility (Beebe & Clark, 2005; O'Ciardhuain,
2004)
5.5.3.2.5 Step 5: Document the acquisition process (Barayumureeba & Tushabe, 2004; Carrier
& Spafford, 2003; Louwrens et al., 2006b).
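The following added example (not code from the thesis) shows Steps 2 to 4 of Sub-phase 1 and Steps 1, 2 and 5 of Sub-phase 2 in working form: a source is hashed, imaged and re-hashed, the two digests are compared, and every action is recorded in a chain-of-custody log whose entries are hash-linked, so that later editing of the log is as detectable as later editing of the image. The source 'device' and its contents are constructed, shutil.copyfile stands in for a bit-for-bit imaging tool run against a write-blocked device, and the actor name is an assumption.

```python
"""Forensic copy, integrity verification and chain-of-custody log.

Added example for securing and acquiring digital evidence; not code from the
thesis. The 'source device' is a constructed byte string written to a
temporary file, standing in for a write-blocked disk or a memory dump, and
shutil.copyfile stands in for a bit-for-bit imaging tool.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # hash in 1 MiB chunks so a large image never has to fit in RAM
GENESIS = "0" * 64


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Every entry carries a UTC timestamp and the hash of the previous entry,
    so editing or removing an entry after the fact breaks the chain.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, detail):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "detail": detail, "prev_hash": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Recompute every link; False if any entry was altered or removed."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or not hmac.compare_digest(self._digest(e), e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True


def acquire(source, image, log, actor="examiner"):
    """Hash the source, copy it, hash the image and log both digests.

    Fails closed: a mismatch means the image is not a faithful copy.
    """
    before = sha256_file(source)
    log.record(actor, "hash-source", {"path": source, "sha256": before})
    shutil.copyfile(source, image)
    after = sha256_file(image)
    log.record(actor, "image", {"src": source, "dst": image, "sha256": after})
    if not hmac.compare_digest(before, after):
        raise RuntimeError("acquisition hash mismatch: image is not a faithful copy")
    return before, after


def verify_image(image, expected_sha256):
    """Re-verify an image later in the chain, e.g. on arrival at the laboratory."""
    return hmac.compare_digest(sha256_file(image), expected_sha256)


def demo():
    """Constructed run: acquire, verify, then show both kinds of tamper detection."""
    work = tempfile.mkdtemp()
    src, img = os.path.join(work, "sdb.raw"), os.path.join(work, "sdb.img")
    with open(src, "wb") as f:
        f.write(b"MBR" + bytes(range(256)) * 16 + b"secret.docx")  # constructed disk contents
    log = CustodyLog()
    before, _after = acquire(src, img, log)
    ok_before = verify_image(img, before) and log.verify()
    with open(img, "r+b") as f:        # simulate the stored image being modified
        f.seek(10)
        f.write(b"X")
    ok_after = verify_image(img, before)
    log.entries[0]["actor"] = "someone else"   # simulate the log being edited
    chain_ok = log.verify()
    shutil.rmtree(work)
    return ok_before, ok_after, chain_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The digest recorded at acquisition is the reference for every later verification (transport, storage, analysis), and the hash-linked log turns "document all activities" into something a reviewer can check mechanically rather than take on trust.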
5.5.3.3 Sub-phase 3: Analysis (nine steps)
5.5.3.3.1 Step 1: Revisit the initial investigation plan:
Consider the available information, consider the tools and expertise allocated to the
team and ensure that the evidence is human readable (Carrier & Spafford, 2003;
Casey, 2004; Louwrens et al., 2006b; O'Ciardhuain, 2004).
5.5.3.3.2 Step 2: Develop a hypothesis and criteria to prove the hypothesis (Louwrens et al.,
2006b; O'Ciardhuain, 2004)
5.5.3.3.3 Step 3: Prepare the evidence for analysis:
It may be necessary to convert large volumes of data to a manageable size whilst
protecting the evidential integrity (Beebe & Clark, 2005; Casey, 2004; Louwrens et
al., 2006b)
5.5.3.3.4 Step 4: Analyse the available evidence (Beebe & Clark, 2005; Louwrens et al.,
2006b):
Examine evidence to establish the best evidence (Casey, 2004; Louwrens et al.,
2006b; O'Ciardhuain, 2004). The investigator must apply reduction techniques to
eliminate the evidence that is not relevant to the case (Carrier & Spafford, 2003;
Casey, 2004).
It will be useful to assess the results to determine means, motivation, and
opportunity, as well as the skill level of the suspect. The investigator should use different
DF tools to analyse the evidence.
5.5.3.3.5 Step 5: Reconstruct the incident (Barayumureeba & Tushabe, 2004; Beebe & Clark,
2005; Carrier & Spafford, 2003; Casey, 2004)
5.5.3.3.6 Step 6: Test the hypothesis by applying fusion and correlation techniques (Beebe &
Clark, 2005; Casey, 2004; Louwrens et al., 2006b):
Test the hypothesis by using the criteria set.
5.5.3.3.7 Step 7: Validate the analysis results (Louwrens et al., 2006b)
5.5.3.3.8 Step 8: Document the findings (Casey, 2004; Louwrens et al., 2006b)
5.5.3.3.9 Step 9: Secure the documentation (Louwrens et al., 2006b).
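As an added example for Steps 3 to 6 of the analysis sub-phase (not code from the thesis), the following Python reduces a constructed file listing by eliminating files whose hashes appear in a known-good reference set, fuses the remaining file-system events with constructed authentication log lines into one timeline, and tests the hypothesis that a named account's session produced the suspicious files. The file paths, hashes, log lines and the 15-minute correlation window are all assumptions.

```python
"""Evidence reduction and timeline correlation for the analysis sub-phase.

Added example; not code from the thesis. All inputs are constructed: a file
listing taken from an acquired image (path, sha256, modification time), a
known-good hash set standing in for a reference set such as the NSRL, and a
few syslog-style authentication lines. The hashes are made up.
"""
from datetime import datetime, timedelta

# Constructed file listing from the image: (path, sha256, mtime in UTC)
FILES = [
    ("/usr/bin/ls",          "a1" * 32, "2023-01-10T08:00:00+00:00"),
    ("/usr/bin/bash",        "b2" * 32, "2023-01-10T08:00:00+00:00"),
    ("/home/alice/.bashrc",  "c3" * 32, "2023-03-02T09:15:00+00:00"),
    ("/tmp/.x/dump.bin",     "d4" * 32, "2023-03-02T23:41:10+00:00"),
    ("/tmp/.x/exfil.tar.gz", "e5" * 32, "2023-03-02T23:47:32+00:00"),
]

# Constructed known-good set: hashes of untouched OS binaries.
KNOWN_GOOD = {"a1" * 32, "b2" * 32}

# Constructed authentication log.
AUTH_LOG = """\
2023-03-02T23:39:55+00:00 srv1 sshd[2211]: Accepted password for bob from 203.0.113.7 port 51022 ssh2
2023-03-02T23:40:30+00:00 srv1 sudo: bob : TTY=pts/1 ; COMMAND=/bin/bash
2023-03-03T07:02:11+00:00 srv1 sshd[2390]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2
"""


def reduce_known(files, known_good):
    """Data reduction: drop every file whose hash matches a known-good entry."""
    return [f for f in files if f[1] not in known_good]


def parse_auth(log_text):
    """Turn auth log lines into (time, actor, event) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, _host, rest = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        if " Accepted " in rest:
            events.append((when, rest.split(" for ")[1].split(" ")[0], "login"))
        elif rest.startswith("sudo:"):
            events.append((when, rest.split(":")[1].strip().split(" ")[0], "sudo"))
    return events


def build_timeline(files, events):
    """Fuse file-system and log events into one time-ordered list."""
    timeline = [(datetime.fromisoformat(m), "fs", path, "modified") for path, _h, m in files]
    timeline += [(t, "auth", actor, ev) for t, actor, ev in events]
    return sorted(timeline, key=lambda e: e[0])


def correlate(timeline, actor, window):
    """Test the hypothesis 'this actor's session produced these files'.

    Returns paths of files modified within `window` after any login or sudo
    event of the actor: the candidate evidence linking the actor to the incident.
    """
    sessions = [t for t, src, who, _ev in timeline if src == "auth" and who == actor]
    return [path for t, src, path, _ev in timeline
            if src == "fs" and any(s <= t <= s + window for s in sessions)]


def run(actor="bob", window=timedelta(minutes=15)):
    reduced = reduce_known(FILES, KNOWN_GOOD)
    timeline = build_timeline(reduced, parse_auth(AUTH_LOG))
    return reduced, correlate(timeline, actor, window)


if __name__ == "__main__":
    reduced, hits = run()
    print(f"{len(FILES) - len(reduced)} known-good files eliminated; linked to bob: {hits}")
```

The reduction step removes the two untouched binaries before any analyst looks at them; the correlation step returns the two files under /tmp/.x that were written minutes after bob's login and sudo, and nothing for alice, whose session starts hours later. A real case would widen the window and the event sources, but the hypothesis test itself stays this shape.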
5.5.3.4 Sub-phase 4: Service restoration
Interact with the organisational (Info Sec) business continuity team to restore services as
soon as possible, and thus minimise the interruption to business activities (Forrester &
Irwin, 2007).
5.5.4 PHASE 4: Incident reconstruction phase
Consolidate physical investigation and digital investigation findings and determine if the
consolidated evidence acquired supports the hypothesis (Carrier & Spafford, 2003).
5.5.5 PHASE 5: Presentation of findings phase
Present findings to management or the authorities (Barayumureeba & Tushabe, 2004; Beebe &
Clark, 2005; Carrier & Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al.,
2006b; O'Ciardhuain, 2004) (three steps):
5.5.5.1 Step 1: Prepare case
To present a case successfully, it is essential to prepare the presentation of it properly. The
investigator should determine the target audience, use appropriate presentation aids, assemble
all evidence required, and prepare exhibits for the presentation. If you need to use an expert
witness during the presentation, prepare him or her. When preparing the evidence and exhibits
ensure that you preserve the chain of custody at all times (Louwrens et al., 2006b).
5.5.5.2 Step 2: Present the case (Casey, 2004; Louwrens et al., 2006b)
5.5.5.3 Step 3: Preserve the evidence (Louwrens et al., 2006b).
5.5.6 PHASE 6: Incident closure phase
Disseminate the result of the investigation or incident closure (Beebe & Clark, 2005; Carrier &
Spafford, 2003; O'Ciardhuain, 2004) (two steps):
5.5.6.1 Step 1: Review the result to identify and apply lessons learned (Beebe & Clark, 2005;
Forrester & Irwin, 2007)
5.5.6.2 Step 2: Dispose of / return / preserve applicable post-investigation evidence (Beebe &
Clark, 2005).
Figure 5-2 (below) is a graphical representation of the six ReDF phases.
5.6 EVALUATION OF THE SIX PHASES OF THE REDF COMPONENT
The six phases with related steps of the ReDF protocol of the ReDF component follow a waterfall
approach with some iteration between the phases and steps. To demonstrate, the investigator can
start with an investigation by entering a physical crime scene then formulate an initial hypothesis.
Evidence will be acquired and potential digital evidence identified. The evidence gathered during the
physical investigation will be documented and analysed, then used to provide a motive for the
incident, determine its cause and identify the perpetrator. The investigator will forward the different
types of evidence to different specialised forensic investigation units, for example, bullet shells to
ballistics, fingerprints to the fingerprint unit, blood to the forensic pathology laboratory and digital
evidence to the DF investigators.
The DF investigation team will acquire the evidence, analyse it, reconstruct the incident, and
determine its root cause. It may be necessary to combine the physical evidence recovered from the
crime scene to reconstruct the incident and to link the perpetrator to it. If evidence is lacking the
investigators will repeat the evidence identification, acquisition, and analysis steps until they can
reconstruct the incident and have the evidence in place to support the hypothesis. The result of the
investigation will be a case file with supporting evidence. The case will be prepared and presented to
the relevant authorities. Once the investigation is complete, the case file and supporting evidence
must be preserved.
Figure 5-2 Graphical representation of the six phases of ReDF component (by author). The figure shows Phase 1: Incident response and confirmation; Phase 2: Physical investigation; Phase 3: Digital investigation (Sub-phase 1: Securing the evidence; Sub-phase 2: Evidence acquisition; Sub-phase 3: Analysis; Sub-phase 4: Service restoration); Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure; the ActDF component is also shown.
The outcome of an investigation should be communicated back to the risk management and Info Sec
departments of the organisation to ensure that the incident cannot happen again, as controls can be
adapted or new ones implemented.
The ReDF component and traditional contingency plans of an organisation should integrate
seamlessly. Normally, the IDS or an employee will alert the authorities to a suspicious activity. The
incident response team will react to assess the suspicious activity and determine whether or not it is
an incident. The ReDF component is activated after an incident has been detected.
The actions of the incident response team and first responders are important, as they need to
incorporate DF process requirements for DF sound processes and the identification and preservation
of evidence requirements. There is an overlap of activities of incident response in DF and Info Sec as
both handle the response to an incident. We propose that organisations should augment current
contingency plans with associated policies and procedures to ensure that the relevant procedures
are DF sound and that evidence is preserved.
The incorporation of DF requirements in the incident response, disaster recovery and business
continuity plans of organisations is not always well accepted. The reason is that organisations want
to resume business as quickly as possible and to remedy the security breach or incident,
and evidence identification can cause delays. The 2010/2011 CSI Computer Crime and Security Survey states that 23.9%
of respondents attempted to identify the perpetrator with their own resources, while 62.3%
attempted to patch the security holes as soon as possible (Richardson, 2012). Organisations
therefore need to balance the need to identify the perpetrator against the need to patch the
security breach.
The ReDF component needs a well-accepted DF investigation protocol, policies and procedures,
trained competent staff, relevant DF tools and technologies, and a prepared operational and
investigation infrastructure. The ProDF component should define these requirements.
Should live evidence be required for an investigation, the ReDF component will not acquire the live
or volatile evidence; instead, the ActDF component will be activated. We have proposed a separate
component for the acquisition of live evidence in par. 2.8.3, as the live DF investigation protocols,
evidence acquisition and handling, and tools and technologies are different. Once the live evidence
has been gathered, the ReDF component will receive the acquired evidence and continue with the
ReDF investigation, as discussed in par. 2.8.4.
5.7 SUMMARY
Once an incident has been detected, it is essential that organisations decide whether or not they
want to investigate. If they do, an ReDF investigation protocol should be in place. We have identified
goals and consolidated a comprehensive list of phases with associated steps for the ReDF
component of our CDF capability.
Because DF incident detection is closely related to the incident detection and response phase of
the traditional contingency plan, organisations must include DF evidence and process requirements
in the relevant contingency plans (risk assessment, incident response, business impact analysis,
business continuity, and disaster recovery plans) and augment the relevant policies and procedures.
The next chapter will discuss the ActDF component of the capability. The ActDF component is
essential due to the change in the nature of evidence.
Part 1: Background to Digital Forensic
6-126 | P a g e Chapter 6: Active Digital Forensics (ActDF)
6 CHAPTER 6
ACTIVE DIGITAL FORENSICS (ActDF)
6.1 INTRODUCTION
During the discussion of conventional DF frameworks in Chapter 3, we identified a need for 'live
evidence' acquisition and handling. Investigations require relevant live evidence, for example
volatile evidence (memory (RAM) content), swap files and network processes, to determine the root
cause of an incident and successfully prosecute the perpetrator. A well-known example is the Code
Red worm, which can only be investigated 'live', as the worm is memory-resident and never writes
to disk. Many real-time systems cannot be powered down, and investigations must be conducted on
the live systems (Adelstein, 2006; Sremack, 2005).
The intrusion detection system (IDS) of an organisation will detect an incident and activate the
incident response (IR) protocol of the organisation. It is however becoming essential to integrate live
forensic investigation protocols with the IR protocol to ensure that relevant and admissible live CDE
is available if required for investigatory purposes. IR protocols do not consider the importance of
evidence identification, gathering and preservation of live data (Sommer, 1999).
According to Ieong and Leung (2007), live forensic investigations are hampered by the following
factors:
missing definitions of live forensics
absence of standard procedures in live investigations
certification of live evidence.
Various tools and frameworks exist to conduct live investigations, but as it is a new field it faces
numerous challenges, for example, to prove the trustworthiness of the tools and therefore the
admissibility of the gathered evidence. The tools must also demonstrate that they do not have an
unacceptable impact on the system performance (Garfinkel, 2010). Traditional ReDF investigation
frameworks ensure that no changes are made to the evidence and the seized content. When live
investigation software tools are used, changes to data are unavoidable; therefore, the live
investigative process must be documented in a forensically sound manner to maintain the chain of
custody and the chain of evidence.
The purpose of this chapter is to use the phases identified in Chapter 3 (par. 3.5.2) to formulate the
ActDF protocol for the ActDF component of our CDF capability. The chapter identifies live and
real-time investigation tools, techniques, and frameworks and proposes phases and steps that
can be included in an ActDF component, to assist us in formulating the comprehensive view of our CDF
capability. Figure 6-1 (below) depicts the role of this chapter within the overall thesis.
6.2 AIM AND STRUCTURE OF THIS CHAPTER
The aim of the chapter is to discuss and define the ActDF component of our CDF capability. The
chapter will:
discuss the need for an ActDF component (par.6.3)
discuss the relationship between IDS, incident response, and live DF (par.6.4)
discuss live investigation tools and techniques (par. 6.5)
evaluate existing ‘live’ DF frameworks (par.6.6)
use the phases identified in Chapter 3 (par. 3.5.2) to compare the phases or steps of the
identified ‘live’ DF frameworks to formulate the ActDF component (par. 6.7)
consolidate phases with related steps for the ActDF component (par.6.7.3).
Note to reader:
We have included a fold-out page at the end of the chapter (par. 6.9, p. 6-157). We suggest
that this page be folded out at this stage to provide context. It is also advised that the
fold-out be referenced when every paragraph is read, as it ensures that the context of
reading is preserved.
Figure 6-1 Role of the Chapter in the thesis (by author). The figure shows the thesis structure: Part 1: Background (Chapter 1 Introduction; Chapter 2 Introduction to DF; Chapter 3 Conventional approach to DF; Chapter 4 Proactive DF (ProDF); Chapter 5 Reactive DF (ReDF); Chapter 6 Active DF (ActDF)), Part 2: Construction of DFMF, and Part 3: Conclusion.
The next section will discuss the need for active or live investigations.
6.3 NEED FOR ACTIVE OR LIVE INVESTIGATIONS
At the 2006 Digital Forensic Research Workshop, the FBI advocated that live forensic investigations
become one of the standard steps in performing DF investigations (Ieong & Leung, 2007). Some of
the motivating factors were:
that the systems may not be powered down due to the nature of the system or the cost
of shutting down and therefore need real-time investigations
the increased need for obtaining live evidence, for example volatile data, by the
investigator due to the nature of incidents
the need to detect a crime as it occurs (Orebaugh, 2006)
the need to investigate or monitor a suspect but without him or her being aware of the
investigation.
According to Carrier (2006), the only difference between using live analysis tools and dead analysis
(ReDF) tools and techniques is the reliability of the results. The reason is that live analysis tools
rely on applications on the target system that can modify evidence. The most common source of false
data is rootkits, also described as "Trojan horse backdoor tools", which modify existing operating
system software so that the attacker can hide on a machine.
A rootkit inserts a filter into the data flow of the normal processing of an application, which then
hides the file or process from the investigator so that the intruder can continue with his or her
activities. There are counter-measures to deal with rootkits, for example, the use of trusted tools on
a CD that cannot be modified, or statically built tools that do not use the trojaned system libraries.
During the development of live forensic applications it is therefore important to avoid dependence on
the standard system libraries and calls, and to avoid writes to the target system (Campia, 2012;
Wikipedia, 2009).
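The cross-view technique behind those counter-measures, as an added example that is not part of the thesis: the process list as reported through the (possibly hooked) API is compared with an independent view that does not pass through the hook, and anything present only in the independent view is a candidate hidden process. The process dictionaries and the rootkit filter below are constructed; live_views() gathers the two views on a real Linux host by listing /proc and by probing every PID with a null signal, and is an assumption about the host rather than something the text prescribes.

```python
"""Cross-view detection of processes hidden by a rootkit.

Added example; not code from the thesis. A rootkit that filters the process
list only affects the view obtained through the hooked API; an independent
view that does not go through that path still contains the hidden entries.
The dictionaries below are constructed; live_views() gathers real views on a
Linux host (process listing via /proc versus direct PID probing) and is only
called when the script is run by hand.
"""
import os
import sys


def rootkit_filter(procs, hide_prefix):
    """Simulated rootkit hook: drop every process whose command starts with hide_prefix."""
    return {pid: cmd for pid, cmd in procs.items() if not cmd.startswith(hide_prefix)}


def hidden_pids(api_view, raw_view):
    """PIDs present in the independent raw view but absent from the API view."""
    return sorted(set(raw_view) - set(api_view))


def live_views(max_pid=32768):
    """Linux only: what `ps` would see (readdir on /proc) versus probing every PID."""
    api = {int(p) for p in os.listdir("/proc") if p.isdigit()}
    raw = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0 delivers nothing; it only tests existence
            raw.add(pid)
        except PermissionError:      # exists, but owned by another user
            raw.add(pid)
        except ProcessLookupError:
            pass
    # Processes that start between the /proc pass and the probe would appear as
    # false positives; a second /proc pass after the probe removes them.
    api |= {int(p) for p in os.listdir("/proc") if p.isdigit()}
    return api, raw


def demo():
    """Constructed views: the raw view is what memory or PID probing reports, the API view is hooked."""
    raw = {1: "/sbin/init", 742: "/usr/sbin/sshd", 4242: "/tmp/.x/miner", 4250: "/tmp/.x/dump"}
    api = rootkit_filter(raw, "/tmp/.x/")
    return hidden_pids(api, raw)


if __name__ == "__main__":
    print("constructed:", demo())  # [4242, 4250]
    if sys.platform.startswith("linux"):
        api, raw = live_views()
        print("live host:", hidden_pids(api, raw))
```

The value of the check lies in the independence of the second view: a memory image parsed offline, or a probe that bypasses the library the rootkit has hooked, gives the investigator something the compromised host cannot filter.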
It is neither practical nor feasible to acquire all live data (e.g., memory dumps and network logs) due
to the volume of the data. It is important to acquire only relevant data when it is needed as evidence for
a live investigation of a potential incident. The result is that the evidence is normally a snapshot
of the current state of a machine or protocol stack.
It is also important to note that the evidence gathered from using live investigation tools will not
necessarily meet the evidence requirement of reproduction or repeatability. However, as standards
are developed, the courts are beginning to accept evidence generated by live analysis tools.
There is also a need to develop tools and techniques to deal with real-time systems, which include
all systems in which time constraints exist for the completion of events that must be satisfied with
acceptable predictability (Sremack, 2005). These systems require fast, deterministic execution of
instructions to ensure that they perform their tasks properly. Examples are power-grid monitoring
systems, enterprise routers, life-sustaining medical devices and emergency call centres (Sremack,
2005). These systems are very structured and operate to very rigid timelines. In the past, they
operated in an isolated environment, reliability being the most important criterion, while security and
investigation of incidents did not receive much attention.
However, industry has started to consolidate real-time systems with other devices and users. This
poses a huge threat, as current investigation techniques are unsuitable for real-time investigations.
New techniques will have to be developed to deal with the challenge posed by real-time systems, as
data is stored in a unique way on these devices. It is very difficult to access and retrieve volatile data
and there is a lack of system logs. There is a need to adapt current real-time systems to include
security measures and proactively consider potential evidence sources.
Organisations must identify, assess, and contain an incident as soon as possible to prevent further
damage. It is not enough that tools and techniques for active investigations exist in the organisation,
but a proper framework should exist to guide the use of tools and behaviour of investigators or first
responders. The IT and Info Sec governance processes, policies and procedures, for example Incident
Response, must be developed in such a way that clear guidance exists on what to do should an
incident occur, when to continue with a live investigation, and when to terminate the live
investigation and start with a formal reactive investigation.
There is an intuitive overlap between Incident Response and live investigations. The next section will
discuss the relationship between IR, IDS, and the live investigations.
6.4 INCIDENT RESPONSE (IR), INTRUSION DETECTION SYSTEM (IDS) AND LIVE
INVESTIGATIONS
Incident detection normally relies on either humans or automated systems. It can be an alert from an
employee, a customer or even an outsider about a system malfunction or an incorrect transaction. The
network administrator can detect a malfunction on the network, for example slow network
performance.
The help desk normally identifies an unusual event and then classifies it as an incident. Mechanisms
that can detect potential incidents are IDS (host-based and network-based), firewalls and virus
detection software (Whitman & Mattord, 2009). The aim of an IDS is to detect incidents. Typical
outcomes are:
timely reaction to prevent substantive damage by manual or automatic intervention
timely reaction to mitigate substantive damage
identification of whether activity is a precursor of a more serious event
identification of the perpetrator
discovery of new attack patterns
provision of additional protection to systems
collection of evidence.
Various automated IDSs exist. An IDS can have some or all of the proactive methods or tools built
into it. Various proactive methods and techniques are available to detect an incident as it occurs
(Orebaugh, 2006):
Active monitoring systems, which can be human or automated.
Design, construction, and configuration of systems to facilitate future forensic
investigations. This concept will span all activities in the organisation.
Use of digital fingerprinting for proprietary information. A digital fingerprint is a unique
label, assigned to an individual, which is inserted into a document or content before
distribution. The document can be traced and the fingerprint can identify users who
want to use the data for unauthorised use.
Employment of process forensics. This is a merger between intrusion detection and
checkpoint technologies. These checkpoints are periodic snapshots of running programs
or processes and can be used for investigations.
The IDS that is in use will have a direct impact on the strategy and methodology employed by the
organisation for a live DF investigation.
Most IDSs can be categorised as either misuse-detection or anomaly-detection systems. ‘Misuse’ usually
refers to systems that utilise some form of fingerprinting to determine whether a process is part of an
intrusion. ‘Anomaly’ refers to systems that attempt to define ‘normal’ behaviour in order to classify a
process as normal or intrusive. The main challenge is to define ‘normal’. Foster and Wilson (2004)
propose that the system use incremental check-pointing to build a profile of normal behaviour.
Profiling is important for the detection of incidents in an organisation.
As soon as the incident has been evaluated and confirmed, the current IRP will dictate whether it
should be investigated. Factors that should be considered are the severity of the incident, its impact,
type (intentional or criminal), reliability of the alert and the profile of the attacker. However, the cost
of powering systems down can also play a major role. There is an increasing need to be able to
investigate live systems. The organisation can decide on different plans of action.
The organisational risk policy and IR programme will determine whether or not to investigate, allow
an incident to continue or to terminate all incidents, and when to terminate an investigation. A
specific incident detection or investigation policy will be required so that it can prescribe a desired
action.
Some organisations will only investigate if there is a potential significant monetary or financial loss,
loss of intellectual property or a potential loss of public profile, whilst other organisations will
investigate all incidents, as small incidents can be a ‘smoke signal’ of a larger problem.
IDSs collect data to assist with incident detection; however, it is important to note that they are
not designed to collect data, or to protect its integrity, as valid, admissible evidence (Sommer, 1999).
Typical evidence comprises system logs, audit logs, application logs, network management logs,
network traffic captures, and manual entries.
The logs can lack sufficient detail, be incomplete for a specific period, and may not be able to
distinguish between legitimate and unwanted access or to identify the perpetrator in a useful way.
The logs must be tamperproof, so that it can be shown that they were not compromised prior to, during
or even after the collection phase. It is sometimes necessary to process this primary data into derived
data to make it easier to analyse and understand. However, this poses a problem, as the evidence can be
compromised in the process.
Sommer has proposed the following points to enable IDS to be a source of evidence (Sommer,
1999):
The value of an IDS depends on the extent to which timely and accurate information can
be supplied regarding the likelihood of an incident so that evasive action can be taken
Evidence acquisition should be a separate, but related process
Single streams of evidence may not be enough, and multiple independent streams
should be able to corroborate each other
The multiple evidence streams should be synchronised
Logging information should be done by a trusted tool
Logging evidence must adhere to the rules of admissibility of evidence
It must be ensured that evidence collection during logging cannot be compromised
It must be ensured that raw logs are always available
There should be maintenance of the chain of custody or continuity of evidence from
source to court
Any additional procedures or products should concentrate on evidence collection
and preservation.
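The following Python example, added here as an illustration and not part of Sommer's work or of this thesis, shows two of the points above in working code: a hash chain that makes a log stream tamper-evident (any retrospective edit or deletion breaks verification), and corroboration of two independent streams by lining them up on a shared clock. The host log, the firewall log, the field names and the five-second matching window are all constructed assumptions.

```python
"""Tamper-evident log streams and cross-stream corroboration (added example)."""
from __future__ import annotations

import copy
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # fixed starting value for every chain


def _link_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def chain_stream(records: list[dict]) -> list[dict]:
    """Wrap each record with the previous hash and its own hash (a hash chain)."""
    chained, prev = [], GENESIS
    for record in records:
        digest = _link_hash(prev, record)
        chained.append({"record": record, "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained: list[dict]) -> bool:
    """True only if every link still matches its predecessor and its content."""
    prev = GENESIS
    for link in chained:
        if link["prev"] != prev or _link_hash(prev, link["record"]) != link["hash"]:
            return False
        prev = link["hash"]
    return True


def corroborate(stream_a: list[dict], stream_b: list[dict],
                key_a: str, key_b: str, window_s: float = 5.0) -> list[tuple[dict, dict]]:
    """Pair records from two independent streams that agree on a correlation
    key and whose (synchronised) timestamps fall within window_s seconds."""
    pairs = []
    for a in stream_a:
        t_a = datetime.fromisoformat(a["ts"])
        for b in stream_b:
            t_b = datetime.fromisoformat(b["ts"])
            if a[key_a] == b[key_b] and abs((t_a - t_b).total_seconds()) <= window_s:
                pairs.append((a, b))
    return pairs


# Constructed sample streams (assumption: both clocks are synchronised to UTC).
HOST_LOG = [
    {"ts": "2011-11-01T10:00:03+00:00", "event": "ssh_login_failed", "src": "198.51.100.7"},
    {"ts": "2011-11-01T10:00:04+00:00", "event": "ssh_login_failed", "src": "198.51.100.7"},
    {"ts": "2011-11-01T10:02:00+00:00", "event": "cron_run", "src": "127.0.0.1"},
]
FW_LOG = [
    {"ts": "2011-11-01T10:00:02+00:00", "action": "ACCEPT", "src_ip": "198.51.100.7", "dport": 22},
    {"ts": "2011-11-01T10:01:30+00:00", "action": "DROP", "src_ip": "203.0.113.9", "dport": 445},
]


def tamper_demo() -> tuple[bool, bool]:
    """Verification result before and after a retrospective edit of one record."""
    chained = chain_stream(copy.deepcopy(HOST_LOG))
    before = verify_chain(chained)
    chained[0]["record"]["event"] = "ssh_login_ok"  # someone rewrites history
    return before, verify_chain(chained)


if __name__ == "__main__":
    print("chain intact:", verify_chain(chain_stream(HOST_LOG)))
    print("before/after tamper:", tamper_demo())
    for a, b in corroborate(HOST_LOG, FW_LOG, "src", "src_ip"):
        print("corroborated:", a["event"], "<->", b["action"], b["dport"])
```

The chain only proves that the stored sequence has not been altered since it was written; the trusted-tool and raw-log points above still apply, since a logger that is itself compromised can write a perfectly valid chain of false records.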
Note to reader:
We accept that an IDS is in place that will be able to detect a potential incident when
formulating our CDF capability as well as the proposed DFMF.
However, a ‘NEW’ (zero day) incident may bypass all the security barriers and manifest itself in a
specific way. When the new incident is detected, the organisation may suddenly realise that it is not
prepared for the incident. The next section will briefly discuss current live investigation tools and
techniques.
6.5 LIVE INVESTIGATION TOOLS AND TECHNIQUES
ReDF investigations involve ‘dead’ analysis techniques, which use no software that existed on the
system during the timeframe of the investigation (Carrier, 2006). Proactive tools and techniques do
not include investigation techniques; rather, they prepare all systems, processes and procedures to
capture CDE by having appropriate tools, processes and procedures in place.
Live analysis is often associated with IR and IDSs but is auxiliary to the Info Sec programme. Virus
detection software is an example of a live analysis tool. Most live investigation tools and techniques
are software-based; however, current research is considering the use of hardware devices to acquire
evidence.
Live forensic investigations are currently carried out by using remote forensic preservation and
acquisition tools, e.g., EnCase® Enterprise edition and ProDiscover® (Casey & Stanley, 2004). These
tools use live analysis techniques, which rely on software that pre-exists on the system during the
timeframe being investigated (Carrier, 2006). The target machine is monitored from a remote site,
and evidence can be acquired in a forensically sound way with the aid of the tool. Typical activities
include keyword searches, and the copying and extraction of files and records from the live remote
system. The user is not aware of the process, so an investigation can continue without alerting
him/her. The investigator can acquire evidence in a live production environment. Remote forensic
investigations focus more on transforming ReDF examination procedures into live, production
environments.
Other software techniques of gathering live evidence identified by Carrier and Grand (2004) include:
Physical memory devices: some operating systems, for example Unix®, provide access to physical
memory through a device file such as /dev/mem. The disadvantages are that attackers can abuse
the device and that it is difficult to analyse the resulting image of physical memory.
Sparc OpenBoot® firmware on Sun® systems uses the Sparc architecture to dump physical
memory to a storage device. The first responder suspends the running system with the
L1-A (STOP-A) key sequence and, by typing the sync command, causes the system to copy
memory and registers to a preconfigured device (possibly the swap area on the hard disk). The
disadvantage of this technique is that it destroys the content of the swap area, as it
uses that area to dump the physical memory.
The process pseudo-file system in UNIX® systems allows one to identify a suspect process
and obtain the physical memory content related to that specific process. By reading the
relevant entries under /proc/ one can acquire the process’s memory, but doing so will
overwrite swap files and therefore potential evidence. Similar tools, e.g., the pcat tool of
The Coroner’s Toolkit®, use the ptrace() system call to save process memory.
A virtual machine, e.g., VMware®, is an application that emulates a computer
environment in which, for example, multiple servers, operating systems, and applications
can execute. The operating system and applications of a virtual machine are not
aware that they operate in a virtual environment. If a virtual machine is compromised,
the content of the machine can be copied seamlessly to another machine to enable the
investigator to acquire evidence.
Hibernation, where servers are equipped with standby power management features
that save the memory content to the hard drive before finally powering down. This
feature is not readily available.
All of the above techniques are software-based and rely on the operating system, specifically the
operating system kernel, which is not a trusted resource, as the kernel itself may be malicious. This
poses a threat to the reliability of the evidence. A second problem is that the operating system must
execute a command and therefore has to write to memory; it will therefore also destroy evidence in
the process.
Carrier and Grand (2004) have proposed a hardware-based memory acquisition procedure, that is, a
hardware expansion card pre-installed in a PCI bus that gathers volatile evidence and writes it to an
external storage device. As soon as the card is activated, CPU execution is halted and the card
uses direct memory access (DMA) to copy the content of physical memory to an external
non-volatile storage device, for example a memory card or an IEEE 1394 (FireWire) hard disk. Once the
memory has been successfully copied, the CPU resumes and the operating system continues with
execution. This procedure has been tested and a patent is pending.
The investigator can also use network forensics to identify sources of live network evidence. It is not
possible to log all activities on a network, but it is essential during a live investigation to identify
potential sources, for example DNS and ‘whois’ servers, websites, FTP servers, local Ethernet servers,
Bluetooth piconets, database servers, chat servers, network routing tables or the reply messages of
SOAP servlets (Nikkel, 2005). Evidence that can be gathered includes, for example, slanderous web
pages, illegal files, traffic from port scans, routing tables, and wireless signal strength and direction.
The rationale of the various techniques differs as remote online forensic investigations capture data
disregarding the order of volatility (Ieong & Leung, 2007). The other live investigation techniques will
consider the order of volatility of the evidence.
Volatile forensic investigations concentrate on the collection of volatile evidence and should
consider the order of volatility of the evidence. The more volatile evidence must be collected first,
followed by the non-volatile evidence by using traditional reactive DF tools and techniques.
McDougal has discussed the volatility of the evidence in terms of a volatility model, of which Figure
6-2 (below) is a graphical representation (Ieong & Leung, 2007).
From this model and work carried out by Ieong and Leung (2007), the following categories of
volatility emerged:
Highly volatile: physical memory and virtual memory
Medium volatility: network connection, current processes and open files and systems
databases
Low volatility: network status and current user information
Not volatile: system configuration, user account information, pre-set list of processes
and services, event logs and files and directories.
Figure 6-2 McDougal model of volatility (Ieong & Leung, 2007): a scale from most volatile to not volatile, listing physical memory and virtual memory; network connections, current processes, open files and systems database; network status and current user information; and system configuration, user account information, event logs, preset list of processes and services, and files and directories.
The argument for splitting network connections from network status is that the former will change, as
will current processes, open files, and systems databases, since there is normally a direct interaction
between these three groups. Network status and user account information are volatile but less likely to
change during an acquisition process. System configuration, user account information, and pre-set
lists of processes and services are not volatile, and traditional ReDF tools and techniques can acquire
that evidence. Although event logs, files, and directories are indicated as ‘not volatile’, it is important
to note that they can be changed if live forensic investigation tools are executed.
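As an added example (not from Ieong and Leung or from this thesis), the following Python code turns the volatility categories above into an acquisition plan: each artifact is ranked, the collectors run most-volatile first, and each capture is hashed and time-stamped so the sequence can be demonstrated afterwards. The collector functions return constructed sample bytes and the artifact names are assumptions; on a real system they would be replaced by the acquisition tools discussed in section 6.5.

```python
"""Volatility-ordered acquisition with per-artifact custody records (added example)."""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone
from typing import Callable

# Volatility rank per category of the McDougal model; lower collects earlier.
VOLATILITY: dict[str, int] = {
    "physical memory": 0, "virtual memory": 0,
    "network connections": 1, "current processes": 1,
    "open files": 1, "systems database": 1,
    "network status": 2, "current user information": 2,
    "system configuration": 3, "user account information": 3,
    "preset processes and services": 3, "event logs": 3, "files and directories": 3,
}
NOT_VOLATILE = 99  # rank for anything not in the model: collect it last

# Constructed stand-ins for real collectors. Assumption: a collector is any
# zero-argument callable returning the raw bytes of the artifact.
SAMPLE_COLLECTORS: dict[str, Callable[[], bytes]] = {
    "event logs": lambda: b"Nov  1 10:00:03 host sshd[412]: Failed password for root\n",
    "physical memory": lambda: b"\x00" * 64,
    "network connections": lambda: b"tcp 10.0.0.5:51234 198.51.100.7:22 ESTABLISHED\n",
    "system configuration": lambda: b"hostname=fileserver01\n",
    "current user information": lambda: b"alice pts/0 2011-11-01 09:55\n",
}


def plan(collectors: dict[str, Callable[[], bytes]]) -> list[str]:
    """Artifact names ordered most volatile first (ties broken by name)."""
    return sorted(collectors, key=lambda name: (VOLATILITY.get(name, NOT_VOLATILE), name))


def acquire(collectors: dict[str, Callable[[], bytes]]) -> list[dict]:
    """Run the collectors in volatility order, hashing and time-stamping each
    artifact as it is captured; the returned list is the custody record."""
    custody = []
    for name in plan(collectors):
        data = collectors[name]()
        custody.append({
            "artifact": name,
            "rank": VOLATILITY.get(name, NOT_VOLATILE),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return custody


def order_respected(custody: list[dict]) -> bool:
    """True if no artifact was collected before a more volatile one."""
    ranks = [entry["rank"] for entry in custody]
    return ranks == sorted(ranks)


if __name__ == "__main__":
    for entry in acquire(SAMPLE_COLLECTORS):
        print(f'{entry["rank"]} {entry["artifact"]:28s} {entry["size"]:5d} {entry["sha256"][:16]}')
```

Note that the custody record is produced by the same host that is being acquired; as the paragraph above states, running collectors on the live system can itself change event logs and files, so the record documents the order and the digests but does not, by itself, make the acquisition trustworthy.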
One of the goals of proactive DF as defined by Taylor (Orebaugh, 2006) is to: ‘Detect (catch) a crime
as it occurs’. The objective is to use human and system behavioural patterns to detect an incident as
it occurs and to be able to support the investigation as it is happening.
Bradford has developed a model to automatically detect certain events (Bradford et al., 2007). This
is not an IDS, but rather a model that will make it possible to generate appropriate data to provide
good investigation leads and focus search activities by concentrating on trends. There is a great need
to automate the IDS process, but the expert systems must be extended or improved. The expert
system must not only detect the incident but also determine if it is necessary to collect additional
evidence. This expectation has been highlighted by the proposed model of Taylor (Orebaugh, 2006).
The chapter will bear in mind the differences of the tools and techniques when defining the ActDF
component. The next section will evaluate some identified live investigation frameworks as
discussed in the literature.
6.6 LIVE INVESTIGATION FRAMEWORKS
We have identified the following five live or “Active” investigation frameworks. We have not
included the following frameworks in the discussion in Chapter 3, as they concentrate on live
investigations and evidence acquisition and not on the entire DF investigation:
Framework 1: Payer (2004) (par. 6.6.1)
Framework 2: Ren and Jin (2005) (par. 6.6.2)
Framework 3: Foster and Wilson (2004) (par. 6.6.3)
Framework 4: Grobler (2009) (par. 6.6.4)
Framework 5: Ieong and Leung (2007) (par. 6.6.5).
The next section will provide a brief overview of the mentioned frameworks and compare them to
enable us to formulate the ActDF component of our CDF capability.
6.6.1 FRAMEWORK 1: Payer (2004)
Payer (2004) proposed a framework based on stack-based network IDS (NIDS). The prototypes
developed include the integration of IDS mechanisms into the network stack using existing state
transitions, memory content, header information, and packet payload.
Traditional approaches to NIDS include signature-based detection and anomaly detection, based
on heuristic rules. A stack-based stateful mechanism is used to introduce intelligent decisions by
looking for conspicuous patterns. Real-time behaviour requires strict timing constraints and must
therefore use small signatures and fast scanning mechanisms.
The model uses the state, rather than the transition between states, as the indicator of an intrusion.
Unique state transitions can then be stored as a sequence in a database as a state-based
signature. The goal is to analyse state transition behaviour and not content. The scanner can then
scan all states for a defined signature associated with a specific intrusion.
This framework integrates state-based detection mechanisms into the network stack. All
protocols up to the application layer are viewed as application protocol machines, with state
transitions driven by application events.
The framework uses the state-driven layered NIDS approach to find signatures and collect the
required forensic evidence. The IDS is used by Payer to collect the evidence for an active attack,
despite the conflicting views of Sommer (1999). The framework proposes that the operating
system, rather than humans, should react in appropriate time and preserve the evidence
methodically, carefully, and deliberately.
It is proposed that the set of detection mechanisms deal with IP spoofing, operating system
detection, blinding of the network stack, and shellcode and polymorphic shellcode detection.
Note to reader:
This framework views a network intrusion detection system (NIDS) as an additional
mechanism to secure the organisation. It will gather vast amounts of evidence and must
specify a way to maintain the chain of custody when transferring the evidence to remote
servers. Although not yet tested or implemented, this framework uses a type of checkpoint
technology and can be very useful in capturing additional information not normally captured
by the log files of an IDS.
This framework is useful as it provides guidance on the configuration of the operational
infrastructure to acquire live evidence. There are no guidelines on how to conduct an active
investigation that will support the overall investigation as a forensically sound process in a
court of law.
6.6.2 FRAMEWORK 2: Ren and Jin (2005)
Ren and Jin (2005) have proposed a Honeynet®-based adaptive forensic and real-time
investigation. Honeynet® systems lure attackers into providing information about themselves and
their computer misuse. A network forensic system is used to analyse and reconstruct attack
behaviour.
During an active attack, the purpose of the framework is to capture network and log data
effectively and efficiently and to analyse the traffic and log data according to user needs. A
forensic system includes:
A network forensic server that integrates forensic evidence and analyses it, captures
behaviour on the network monitor, and launches the investigation program as a
response to attacks.
A network forensic agent, which is a program to gather evidence, ensures secure
transportation of the evidence, and provides a digital signature to the evidence. It is
employed on the network and monitors hosts and networks, and includes a packet
capture machine that will capture network traffic.
A network investigator, which is a survey machine that provides the mapping topology
and actively investigates the target when the server requests.
The architecture is represented in Figure 6-3 (below). It has two LANs: a monitored Honeynet®
LAN and a secure high-speed forensic LAN.
There are four methods of Honeynet® employment: deception services, weakened
systems, hardened systems (operating systems secured by applying patches), and user mode
servers (functional servers nested within the application space of the host operating system).
In a hardened system, user mode servers, the IDS and the firewall are integrated.
The network forensic server will, inter alia, integrate the log and audit data and IDS alerts into a
database. Data mining techniques are applied to analyse the data. The server will need a large
amount of storage space, therefore the data to be stored must be carefully selected, e.g., the
source / origin, destination, serviced port, duration, and bytes transferred for every TCP
connection. One can eliminate unnecessary traffic by applying a filter. The server has the ability
to adapt the collection policy, depending on the network traffic. The result of the analysis will be
used to build a profile of the attacker. This framework mainly uses deception technology.
Note to reader:
The framework and architecture require a separate secure network with the complete
installation of the various specialised servers; however, it does allow the investigator to
conduct the investigation on CDE.
Figure 6-3 Architecture of Ren and Jin (2005): a WAN, a firewall, a monitored Honeynet® LAN and a forensic LAN (SSL), with an agent and a console; A: network monitor, B: network investigator, C: host to be monitored, D: network forensic server.
The application of a filter can create ‘completeness issues’ in a court of law so it is
essential to document the filter criteria, rationale and process to ensure that the
completeness of the evidence set can be proved.
This framework is useful as it provides guidance on the infrastructure required to acquire
live evidence. There are no guidelines on how to conduct an active investigation, which will
support the investigation as a forensically sound process in a court of law.
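As an added example, not part of Ren and Jin's system, the following Python code summarises constructed packet records into per-connection records of the kind the text lists (source, destination, port, duration, bytes transferred), applies a filter, and records the filter criterion together with the counts and a digest of the unfiltered set, which is the documentation the note above calls for to show completeness. The packet records, the 10.0.0.0/8 ‘internal’ rule and the field names are assumptions.

```python
"""Flow summarisation with a documented filter for completeness (added example)."""
from __future__ import annotations

import hashlib
import json

# Constructed packet records (assumption): timestamp in seconds, addresses,
# destination port and payload size. A real system would derive these from
# the packet capture machine's traffic.
PACKETS = [
    {"ts": 100.0, "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 22, "bytes": 60},
    {"ts": 100.4, "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 22, "bytes": 1200},
    {"ts": 103.2, "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 22, "bytes": 300},
    {"ts": 101.0, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445, "bytes": 500},
    {"ts": 102.0, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445, "bytes": 500},
    {"ts": 110.0, "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 80, "bytes": 80},
]

# The filter criterion is written down once, here, and copied into every
# reduction record so the rationale travels with the evidence.
FILTER_DESCRIPTION = "keep connections with at least one endpoint outside 10.0.0.0/8"


def summarise(packets: list[dict]) -> list[dict]:
    """Reduce packets to one record per (src, dst, dport) connection."""
    flows: dict[tuple, dict] = {}
    for p in packets:
        key = (p["src"], p["dst"], p["dport"])
        flow = flows.setdefault(key, {"src": p["src"], "dst": p["dst"], "dport": p["dport"],
                                      "first": p["ts"], "last": p["ts"], "bytes": 0, "packets": 0})
        flow["first"] = min(flow["first"], p["ts"])
        flow["last"] = max(flow["last"], p["ts"])
        flow["bytes"] += p["bytes"]
        flow["packets"] += 1
    for flow in flows.values():
        flow["duration"] = round(flow["last"] - flow["first"], 3)
    return list(flows.values())


def is_internal(ip: str) -> bool:
    # Assumption for the example: 10.0.0.0/8 is the monitored site's own range.
    return ip.startswith("10.")


def apply_filter(flows: list[dict]) -> tuple[list[dict], dict]:
    """Drop internal-to-internal connections and return the kept flows plus a
    reduction record (criterion, counts, digest of the unfiltered set)."""
    kept = [f for f in flows if not (is_internal(f["src"]) and is_internal(f["dst"]))]
    unfiltered = json.dumps(flows, sort_keys=True).encode()
    record = {
        "filter": FILTER_DESCRIPTION,
        "total_flows": len(flows),
        "kept": len(kept),
        "dropped": len(flows) - len(kept),
        "unfiltered_sha256": hashlib.sha256(unfiltered).hexdigest(),
    }
    return kept, record


if __name__ == "__main__":
    kept, record = apply_filter(summarise(PACKETS))
    for f in kept:
        print(f'{f["src"]:>14} -> {f["dst"]:>10}:{f["dport"]:<4} {f["duration"]:5.1f}s {f["bytes"]:6d} B')
    print(json.dumps(record, indent=2))
```

The digest of the unfiltered flow set is what lets the investigator later show that the filtered set was derived from a known whole; the raw packets themselves would still be retained separately, in line with the point above that raw logs must always be available.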
6.6.3 FRAMEWORK 3: Foster and Wilson (2004)
Foster and Wilson introduced process forensics to enable the capturing of volatile evidence for
digital investigations to supplement reactive investigations, as well as real-time or active
investigations. Process forensics utilise check-point technology. Check-pointing is a technique of
storing a running process’s state in such a way that a process can be restarted from the point
when it was created (Foster & Wilson, 2004).
A check-point is created by stopping the execution of a process, capturing the process
address space and kernel space to a file, and then continuing with the execution of the process.
The creation of a check-point does not alter the running process, but only requires
additional secure storage space. There are two types of check-pointing: incremental and
terminal. The former creates check-points at regular intervals during the execution of the
process; the latter is created just before the termination of the process and other related
processes.
All programs and actions running on a digital device constitute a process. Processes contain vital
information on the current activities. Every process has a process identification (PID) number,
linked to a workstation. The PID has a parent PID (PPID) and can have ‘children’ or ‘sibling’
processes. The relationship between PIDs and PPIDs is not captured in log files. The process
address space also contains information about the process peripherals, which contain, for
example, opened files, pipes, socket connections, or indications of the intruder’s objective and/or
attempts to cover tracks and/or to isolate the damage done.
The most important aspect of creating the checkpoint is timing. When an alert is issued by the
IDS, the first action of a systems administrator can be to kill all the related processes, but this will
result in the loss of all volatile evidence, vital for the success of the investigation. It will also alert
the attacker that the attack has been discovered. The immediate action must include the
collection of evidence, specifically process forensic data, by using incremental check-points.
General aspects of the check-point files are that they should maintain the chain of evidence and
custody, by, for example, storage as encrypted files in a secure location and in a standardised
format.
Foster and Wilson (2004) also suggest that the IDS must alert the administrator to an incident,
but at the same time activate the check-pointing application. This allows the IDS to focus on
detection rather than evidence collection.
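The following Python example is an added illustration of process forensics and is not Foster and Wilson's own implementation. It rebuilds the PID/PPID relationships, which the text notes are not captured in log files, from a constructed process snapshot, selects a suspect process together with its descendants, and seals an incremental check-point of their state with a SHA-256 digest so that the stored file can later be verified. The snapshot, the process names and the use of a digest in place of encrypted storage are assumptions.

```python
"""Process-forensic check-points over a constructed process snapshot (added example)."""
from __future__ import annotations

import copy
import hashlib
import json

# Constructed snapshot (assumption). "mem" stands in for the process address
# space that real check-pointing tools would capture.
SNAPSHOT = [
    {"pid": 1, "ppid": 0, "name": "init", "files": [], "mem": b"init"},
    {"pid": 412, "ppid": 1, "name": "sshd", "files": ["/var/log/auth.log"], "mem": b"sshd-state"},
    {"pid": 987, "ppid": 412, "name": "bash", "files": ["/dev/pts/0"], "mem": b"bash-history"},
    {"pid": 1001, "ppid": 987, "name": "nc", "files": ["socket:[tcp 203.0.113.9:4444]"], "mem": b"nc-buffer"},
    {"pid": 600, "ppid": 1, "name": "cron", "files": [], "mem": b"cron"},
]


def build_tree(snapshot: list[dict]) -> dict[int, list[int]]:
    """Map each PPID to its child PIDs; this is the relationship logs lack."""
    children: dict[int, list[int]] = {}
    for proc in snapshot:
        children.setdefault(proc["ppid"], []).append(proc["pid"])
    return children


def descendants(children: dict[int, list[int]], pid: int) -> list[int]:
    """pid followed by every descendant, depth-first (children before siblings)."""
    found = [pid]
    for child in children.get(pid, []):
        found.extend(descendants(children, child))
    return found


def _seal(body: dict) -> str:
    # Canonical JSON so the same body always produces the same seal.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def checkpoint(snapshot: list[dict], root_pid: int, seq: int,
               kind: str = "incremental") -> dict:
    """Capture the state of root_pid and its descendants into a sealed record.
    kind is 'incremental' (periodic) or 'terminal' (just before termination)."""
    by_pid = {proc["pid"]: proc for proc in snapshot}
    captured = []
    for pid in descendants(build_tree(snapshot), root_pid):
        proc = by_pid[pid]
        captured.append({
            "pid": pid, "ppid": proc["ppid"], "name": proc["name"],
            "files": proc["files"],
            # digest of the address-space capture; the bytes themselves would
            # go to secure storage alongside this record
            "mem_sha256": hashlib.sha256(proc["mem"]).hexdigest(),
        })
    body = {"seq": seq, "kind": kind, "root": root_pid, "processes": captured}
    return {"body": body, "seal": _seal(body)}


def verify_checkpoint(cp: dict) -> bool:
    """True only if the stored body still matches its seal."""
    return _seal(cp["body"]) == cp["seal"]


def tamper_demo() -> tuple[bool, bool]:
    """Seal check before and after an edit to a stored check-point."""
    cp = checkpoint(SNAPSHOT, 412, seq=1)
    before = verify_checkpoint(cp)
    edited = copy.deepcopy(cp)
    edited["body"]["processes"][2]["name"] = "sleep"  # disguise the nc process
    return before, verify_checkpoint(edited)


if __name__ == "__main__":
    cp = checkpoint(SNAPSHOT, 412, seq=1)
    print(json.dumps(cp["body"], indent=2))
    print("seal valid:", verify_checkpoint(cp), "| tamper demo:", tamper_demo())
```

Taking the check-point from the sshd process downwards, rather than killing the tree as the text warns against, preserves the bash history and the open socket of the child process as evidence while the processes keep running.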
Note to reader:
Process forensics can be a very valuable tool for active and reactive attacks and should be
included as a component in the formulation of our CDF capability.
This framework is useful as it provides guidance on the configuration of the operational
infrastructure to acquire live evidence. Foster includes no guidelines on how to conduct a
live investigation that would support the investigation as a forensically sound process in a
court of law.
6.6.4 FRAMEWORK 4: Grobler (2009)
Grobler proposed a model for live forensic acquisition - the Liforac model, which is multi-
dimensional with related sub-dimensions and components. The dimensions are the legal and
regulatory, scope, timeline and knowledge (Figure 6-4, below).
Figure 6-4 Graphical representation of Liforac model (Grobler, 2009): the four dimensions Knowledge, Scope, Timeline, and Legal and regulatory.
6.6.4.1 Dimension 1: Legal and regulatory
The legal and regulatory dimension is the foundation of the model, as forensic investigations
have to consider the legal and judicial environment of the incident and the investigation. The
dimension has the following four sub-dimensions:
6.6.4.1.1 Sub-dimension 1: Common crime laws applicable to cybercrime
6.6.4.1.2 Sub-dimension 2: Specific cyber laws
6.6.4.1.3 Sub-dimension 3: Court cases and precedents
6.6.4.1.4 Sub-dimension 4: Definition of court admissibility.
6.6.4.2 Dimension 2: Timeline
The timeline view is the process view of the model, indicating the sequence of actions
(steps) that should be performed by the investigator. Grobler (2009) has adapted and used
O’Ciardhuain’s (2004) process framework. The Liforac model proposed the following
components for the timeline dimension:
6.6.4.2.1 Component 1: Implied processes
Typical implied processes are specific processes, for example, how to ensure integrity of
evidence. These processes will not have a direct positive impact on a successful timeline.
6.6.4.2.2 Component 2: Explicit processes
The explicit processes are processes that will have a direct impact on a successful
completion of this dimension, for example, awareness, authorisation, planning,
notification, search for and identification of evidence, examination, hypothesis and the
dissemination of information (based on O’ Ciardhuain’s framework).
6.6.4.2.3 Component 3: Before an investigation
This component considers the identification of all possible activities before the
acquisition starts, typically, awareness, authorisation and planning. The sub-components
include determining the power status of the target machine (on or off); selecting an
investigation mode (overt or covert); deciding whether to isolate the target machine or
to secure it; and lastly, acquiring the evidence locally or remotely.
6.6.4.2.4 Component 4: During the investigation
All possible activities during the acquisition process should be determined. Typically,
notification, search and identify, and examination activities should be considered.
6.6.4.2.5 Component 5: After the investigation
Provide full coverage of all possible activities after the acquisition, for example,
hypothesis, information dissemination, and controls. The activities include updating the
chain of custody, securing all evidence, transporting and storing the evidence, analysing
the evidence with forensically sound tools (software), and producing a written report.
6.6.4.3 Dimension 3: Knowledge
The knowledge dimension indicates different stages of awareness and understanding of
investigators. This dimension incorporates the requirements that investigators must meet:
who must be involved, and what skills will be required. If they lack the required skills, they
should receive applicable training. The seven identified components are:
6.6.4.3.1 Component 1: Computer science
The investigators need a sound IT knowledge base to be able to understand the context,
implication and extent of a specific incident.
6.6.4.3.2 Component 2: World trends and events
Awareness of current trends in cybercrime and how to combat the latest crimes will
ensure that the investigator is up to date.
6.6.4.3.3 Component 3: Information systems
Information systems are collections of practices, algorithms, and methodologies that
transform data into useful information. An understanding of information systems will be
useful for the investigator in determining the location of information or data as potential
evidence.
6.6.4.3.4 Component 4: Social sciences
Knowledge of social science can assist the investigator in building a profile of the cyber-
criminal.
6.6.4.3.5 Component 5: Forensic science
Forensic science is a well-defined discipline with solid principles. It is necessary for the
investigator to relate the fundamental forensic principles to DF.
6.6.4.3.6 Component 6: Law
DF and the law are two intertwined disciplines. The investigators need legal and
regulatory knowledge.
6.6.4.3.7 Component 7: New technology
New technologies will have an influence on DF investigations. The investigators must
ensure that they keep up to date with new software and hardware.
6.6.4.4 Dimension 4: Scope
The scope dimension addresses typical problems that investigators will face related to live
investigations. The five components are:
6.6.4.4.1 Component 1: Access to the machine
The investigator should determine the legal requirements to gain access to the targeted
machine. It may require, for example, a search warrant or cooperation from a suspect to
obtain a password or encryption keys.
6.6.4.4.2 Component 2: Dependency on operating system
Each operating system and forensic practice interacts differently.
6.6.4.4.3 Component 3: Data modification
Processes modify data during acquisition with the result that the live evidence acquired
is inadmissible according to legal requirements.
6.6.4.4.4 Component 4: Demonstrate authenticity of evidence
Evidence must be authenticated, it being essential to prove that the evidence presented
in a court is the actual evidence acquired.
6.6.4.4.5 Component 5: Court acceptance
Determine what is required to ensure that the evidence acquired meets the legal
requirements.
Note to reader:
This framework is the only one discussed that provides guidance on the actual live evidence
acquisition. We will use it to propose the ActDF component’s phases.
Dimension 1: Legal and regulatory dimension corresponds to the legal and judicial
dimension that will be used to formulate the holistic DF framework DFMF to
implement and manage our CDF capability in an organisation. The content should
be included in the ProDF component.
Dimension 2: Timeline components will be incorporated in the ProDF, ActDF, and
ReDF components of our CDF capability.
Dimension 3: Knowledge. This dimension adds value in the identification of
potential awareness and training requirements in the ProDF component that
should be considered when we formulate the holistic implementation and
management framework DFMF.
Dimension 4: Scope. We will include aspects of this dimension when formulating
the ActDF component.
6.6.5 FRAMEWORK 5: Ieong and Leung (2007)
Ieong and Leung (2007) have extended the role-based FORZA model (Ieong, 2006), as discussed in
Chapter 3 (par. 3.6), to propose a conceptual framework for live investigations. We have not
included this extension in Chapter 3, as it concentrates on live investigations and is more
suitable for inclusion in this chapter. It proposes different roles and layers, namely contextual
investigation, contextual, technical preparation, compliance, conceptual security, collection,
analysis, and presentation. The layers and roles are linked to answers to the questions what?
(the data attributes), why? (motivation), how? (procedure), who? (people), where? (location) and
when? (time). Ieong has demonstrated the model by asking these questions at each layer to identify
how a live investigation should be carried out (Ieong & Leung, 2007).
The evidence acquired during live investigations must adhere to the following criteria:
completeness, time required to acquire it successfully, importance, case dependency,
reasonableness, verifiability, integrity, accuracy, repeatability and order of volatility (Ieong &
Leung, 2007). One should consider completeness, time required, importance, and case
dependency when selecting data. It is important to determine the likelihood that the
evidence will be applicable, and it should be gathered in order of volatility. A reference order
for the data collection process is represented in Figure 6-5 (below).
Ieong and Leung (2007) provide a conceptual framework for live investigations that is not linked
to specific live evidence investigative tools or techniques. It does not provide any links with
ProDF, but indicates some links to ReDF investigations as identified in Table 6.1 (below) by layers
1 and 2. We will utilise the questions who, what, where, why, when and how to link to the different
dimensions of DF: legal and judicial, governance, process, policy, people, and technology.
Note to reader:
Table 6.1 (below) is a comparison of the frameworks of Ieong and Leung (2007) and Grobler
(2009). We have correlated similar areas and have added an additional one to identify
overlapping areas with the ReDF component and potential content for the ActDF
component.
Figure 6-5 (content): the reference order runs from start to completion as follows: start acquisition; network information from the machine; physical and virtual memory collection; open files and registry; current process information; system configuration information; use information; current user information; network information from the network; event log; file and directory information; preset services list; preset process list; completion.
Figure 6-5. A reference order of data collection process in live forensic investigations (Ieong & Leung, 2007)
Table 6.1. List of specific questions for live investigations – based on FORZA (Ieong & Leung, 2007)
Columns: Ieong and Leung (role; layer; concept and questions) | Grobler (relation to ReDF component) | Author comment. Questions are lettered within each layer (e.g. 2c) so that the references to them elsewhere in this chapter can be followed.

Layer 1: Contextual investigation (Role: Case leader or investigator)
1a What is the rationale of the operation? (Why?)
1b What is the nature of the case? What information is of interest? (What?)
1c How urgent is the operation? When did it happen? (When?)
1d What preliminary actions were performed for collecting the current state of the target machine? (What?)
1e Determine if it is a local or remote case (Where?)
1f Who is involved? Who can permit actions to be performed? (Who?)
Relation to ReDF component: 6.6.4.2.3; 6.6.4.4.1; 6.6.4.2.3
Author comment: Most of the questions are addressed during the incident and confirmation step of the ReDF component. Include the location of evidence in the evidence collection procedure.

Layer 2: Contextual (Role: System or business owner)
2a Why do we need to investigate? Type of case: internal, civil, or criminal? (Why?)
2b What type of data? Sensitivity of the data? (What?)
2c Extent of the disruption to business? (When?)
2d Can you minimise the effect on the current infrastructure? (How?)
Relation to ReDF component: –
Author comment: All of the questions are covered in the ReDF framework.

Layer 3: Technical preparation (Role: Digital Forensics specialists)
3a Based on the type of incident, what information must you collect? (What?)
3b What information is required: volatile, non-volatile, network process, or file access? (What?)
3c Is memory critical? (What?)
3d Determine the limitation of the proposed live procedure (How?)
3e Based on a hypothesis, determine who is involved (Whom?)
3f Determine where the target machine is and which other remote machines will be affected (Where?)
3g Propose the time required for the operation (When?)
3h Derive or reorder the information collection procedure (How?)
Relation to ReDF component: 6.6.4.2.4; 6.6.4.4.1; 6.6.4.4.2
Author comment: All the questions should be included in the ActDF framework.

Layer 4: Compliance advisory level (Role: Legal advisor)
4a Confirm with case legal which legal strategy (civil, internal, or criminal) must apply (Why?)
4b What is the necessary and sufficient information to meet the objective? (What?)
4c Determine the admissibility of evidence acquired (How?)
4d Determine the limitation of live investigation tools to guarantee the admissibility of evidence (How?)
4e Determine if the investigative procedure is forensically sound (How?)
Relation to ReDF component: 6.6.4.4.5
Author comment: The how questions should be included, for example, admissibility of live evidence, limitation of live investigative tools and a forensically sound live investigative process as defined by the ProDF component.

Layer 5: Conceptual security level (Role: Security auditor / Systems architect)
5a Any other system-specific volatile evidence? (What?)
5b Any specific induced volatile information? (What?)
5c Any time limitation induced to non-volatile information? (What?)
Relation to ReDF component: –
Author comment: All the questions should be included in the ActDF framework.

Layer 6: Collection (Role: Digital forensic investigator)
6a Determine what tools to use (What?)
6b Determine live or remote investigation (What?)
6c Implement automatic live investigation with procedure? (How?)
6d Any urgent requirement list confirmed? (What?)
6e Confirm and collect all volatile data? Determine missing external storage
6f Any network, router, or firewall information? (What?)
6g Any specific information search? (What?)
Relation to ReDF component: 6.6.4.2.4; 6.6.4.4.1; 6.6.4.4.2; 6.6.4.4.3; 6.6.4.4.4
Author comment: All the questions should be included in the ActDF framework.

Layer 7: Analysis (Role: DF investigator / Forensic analyst)
7a Determine if the live investigation interrupts or affects evidence collection (How?)
7b Extract and consolidate forensic evidence for analysis (What?)
Relation to ReDF component: 6.6.4.2.4
Author comment: All the questions should be included in the ActDF framework.

Layer 8: Presentation (Role: Legal prosecutor)
8a Determine if the live investigation is forensically sound (How?)
8b Determine if the collectable evidence is admissible and if any evidence has been altered (What?)
Relation to ReDF component: –
Author comment: All the questions should be included in the ActDF framework.
The next section will use the ActDF phases identified in Chapter 3 and elements of the frameworks
discussed in pars. 6.6.1 to 6.6.4 to formulate the ActDF component by proposing goals and phases
with associated steps.
Note to reader:
The first three frameworks use automated IDS to identify and acquire evidence. Ren and
Jin (2005) use the data to predict the behaviour of the perpetrator. Profiling techniques
can be included in the proposed framework to assist with the compilation of behaviour
patterns. Foster indicates the need to have a separate checkpoint application that will
enable the capturing of checkpoint data as the purpose of the IDS is to detect the
incident, not to capture the CDE.
Forensic sound tools and technology should be employed to guarantee CDE. The discussed
frameworks focus on a tool or technology and do not consider a forensic sound process to
follow, should one engage in a live forensic investigation.
Grobler (2009) and Ieong and Leung (2007) provide tool- and technology-independent, forensically sound
frameworks. We will use aspects of both frameworks and an analogy with the phases of the ReDF
component to propose the ActDF component. We will also demonstrate the relationship between
the ActDF and ReDF components of our CDF capability.
6.7 ACTDF COMPONENT OF OUR CDF CAPABILITY
From the discussion in the previous section, and the identified phases for the ActDF protocol in
Chapter 3 (par. 3.5.2), we have shown that there is a need for live investigations. However, the
current perceptions and rationale of ‘live’ investigations differ and there is therefore a need to
formalise them (Ieong & Leung, 2007).
Note to reader:
We propose that ActDF include current live forensic tools and techniques, real-time
investigations as well as remote investigations. We do not include the ability to fix the
problem or to facilitate a full-blown investigation, but to provide a platform to gather
required live evidence required by the ReDF component.
6.7.1 ActDF definition
We accept the proposed definition for the ActDF component in Chapter 2 (par. 2.8.3) as:
Active DF is the ability of an organisation to gather (identify, collect and
preserve) Comprehensive Digital Evidence in a live environment to facilitate a
successful investigation.
6.7.2 Goals for ActDF
To provide a high-level context for the ActDF component we will propose goals. We have used
the identified phases for ActDF in Chapter 3 (par. 3.5.2) and the layers and types of questions asked
in Table 6.1 to propose the following three goals for ActDF:
Goal 1: Acquire and analyse relevant live CDE in a live system or production
environment by using appropriate tools and technologies (Table 6.1, layers 2 – 7;
3.5.2.1 - 3.5.2.4).
Goal 2: Minimise the effect and impact of an on-going incident (Table 6.1, layers 2c,
2d).
Goal 3: Provide a meaningful starting point for a reactive investigation within the
parameters of the risk control framework of the organisation (Table 6.1, layers 7b, 8).
There is a need for a framework to guide investigators conducting live investigations (Ieong &
Leung, 2007). The framework must provide clear guidelines to gather additional required CDE
during an on-going incident and must consider all the legal requirements in terms of processes
followed during the investigation as set out by the ReDF framework (Grobler & von Solms, 2009).
This framework must be included in the ActDF component of our CDF capability of the
organisation.
The ActDF framework must contain policies and procedures to guide behaviour and decision-
making after the need to gather live evidence has been detected. The framework must interlink
with the IDS, traditional IRP, business continuity plan (BCP), and disaster recovery plan (DRP) of
the organisation. The IDS can play a major role in the evidence collection and assistance with
profiling the attacker. The IRP and BCP of the organisation must provide guidelines on the
containment of the incident, preservation of evidence and, if, when and how to proceed with an
investigation.
The decision whether to stop the incident and affected systems or allow them to continue in a
contained environment will be the responsibility of the risk manager of the organisation. This
decision can be influenced by various factors, for example cost of investigation, severity of
incident, and ‘loss of public profile’. It is advisable that Info Sec and DF experts participate in the
decision-making to allow the manager to make an informed decision on the IR.
It is essential that this framework consider the chain of evidence and chain of custody
requirements at all times, to ensure that no one tampers with the evidence. It is therefore
essential to create a culture of documenting all activities during the entire active investigation.
Active investigations will normally be conducted over a network. Various frameworks exist to
conduct real-time investigations, but all of them concentrate on utilising the network traffic logs
as captured by the network operating system and the IDS.
Note to reader:
We combine the dimensions of Grobler and Louwrens (2006), and layers with associated
questions of Ieong and Leung (2007) (Table 6.1) and phases identified in Chapter 3 (par.
3.5.2) to propose phases with associated steps for the ActDF protocol of the ActDF
component independent of any tools and technologies.
We propose the following ActDF framework or protocol for the ActDF component. The protocol
consists of phases and associated steps. Investigators can apply the protocol to acquire live
evidence.
6.7.3 ActDF protocol
We propose the following four phases with associated steps:
6.7.3.1 PHASE 1: Incident response and confirmation phase
Augment the ReDF component as formulated in par. 5.5.1 to include the following ActDF
requirements:
6.7.3.1.1 Step 1: Incident detection and confirmation (par. 3.5.3.3.2; 6.6.4.2.2)
Determine the rationale of the operation. The nature of the case will determine the
urgency of the operation as it must establish when the incident started.
Investigators must also determine the power status of the target machine (on or off),
selecting an investigation mode (overt or covert), whether to isolate the target machine
or to secure it, and lastly to acquire the evidence locally or remotely.
6.7.3.1.2 Step 2: Minimise the impact of the incident (par. 6.6.4.2.3)
Allow the incident to continue in a controlled environment while activating the containment
strategy of the organisation. The aim is to minimise the impact of the incident on the
current infrastructure.
6.7.3.2 PHASE 2: ActDF investigation phase
6.7.3.2.1 Sub-phase 1: Acquire the live evidence (pars. 3.5.2.1; 6.6.4.2.2; 6.6.4.2.3; 6.6.4.2.4)
Step 1: Evidence identification
Determine which live evidence must be acquired to successfully investigate the incident.
Based on the type of incident, determine what evidence to collect. Consider the
sensitivity and volatility of the evidence. Include other system-specific volatile evidence,
specific induced volatile information, and time limitation induced to non-volatile
information.
The type of operating system will influence the identification of the evidence (par.
6.6.4.4.2). Determine the limitations of the proposed live acquisition procedure, the
proposed time required for the operation, where the target machine is and which other
remote machines will be affected (par. 6.6.4.2.3).
Step 2: Acquire live evidence
Acquire the additional evidence that is lacking, using the appropriate tools, technologies or
applications required to profile the attacker and acquire the evidence (par. 3.5.2.1 and
Table 6.1: layers 4d, 6a – 6e).
It is important to automate the appropriate evidence collection tools, technology or
applications and to activate them as soon as possible (this can be immediately after an
incident alert has been issued, initiated by a trigger event).
Use an acceptable live evidence acquisition protocol (par. 3.5.2.1) (Table 6.1: layer 4e).
Apply the following data acquisition baseline (Ieong & Leung, 2007):
Impose minimal user intervention
All actions performed should be necessary and minimally intrusive
Minimal modification of static digital evidence
Data acquisition should follow the order of volatility and priority of digital evidence
collection (par. 3.5.2.1) (Table 6.1: layers 5a – 5c)
Acquire non-priority or volatile evidence through traditional evidence collection
Copying or extraction of data should only be performed when the original data and
timestamps are unaffected (pars. 3.5.2.2, 6.6.4.4.4).
To ensure the integrity of the acquired live evidence (pars. 3.5.2.2; 6.6.4.4.3; 6.6.4.4.4),
hash all the extracted data and the record of actions immediately after the collection
process, and duplicate the evidence before analysis to preserve it (par. 3.5.2.2) (Table 6.1:
layer 8a). It is essential to document all activities at all times to ensure the integrity of the
live evidence and processes. The reliability of the results must be ensured at all times and
false data eliminated (par. 3.5.2.3).
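The following script is an added illustration of the acquisition baseline above and of the reference collection order in Figure 6-5 (par. 6.6.5); it is not code from the thesis or from any tool it discusses. It models an acquisition run: sources are taken in order of volatility, every item is hashed the moment it is collected, every action is written to a custody log, the evidence is duplicated and verified before analysis, and the log itself is sealed with a hash. The source names, volatility ranks, sample contents and collector callables are constructed stand-ins for real acquisition tools.

```python
"""Live evidence acquisition run: order of volatility, immediate hashing,
a custody log of every action, and verified duplication before analysis.
Added example (not from the thesis); all sources and contents are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Volatility rank: lower number = more volatile = collect first. The ranks
# follow the reference order of Figure 6-5 (constructed labels).
VOLATILITY_ORDER = {
    "network_from_machine": 0,
    "physical_memory": 1,
    "open_files_registry": 2,
    "process_list": 3,
    "system_config": 4,
    "current_user": 5,
    "network_from_network": 6,
    "event_log": 7,
    "file_listing": 8,
}

# Constructed sample sources: what a collector would return for each one.
SAMPLE_SOURCES = {
    "event_log": b"2011-11-01T09:00:00Z login user=alice\n",
    "physical_memory": b"\x00\x01MEMDUMP-SAMPLE\xff",
    "file_listing": b"/etc/passwd 1024 2011-10-30\n",
    "process_list": b"pid=100 cmd=sshd\npid=212 cmd=bash\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of every action taken during the acquisition."""

    def __init__(self):
        self.entries = []

    def record(self, action, source, **details):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "source": source,
            **details,
        })


def order_by_volatility(sources):
    """Source names sorted most-volatile first; unknown sources go last."""
    return sorted(sources, key=lambda s: VOLATILITY_ORDER.get(s, len(VOLATILITY_ORDER)))


def acquire(sources, collectors, log):
    """Collect each source in order of volatility, hash it immediately and
    log the action. Returns {name: (data, sha256)}."""
    acquired = {}
    for name in order_by_volatility(sources):
        data = collectors[name]()
        digest = sha256_hex(data)
        acquired[name] = (data, digest)
        log.record("collected", name, sha256=digest, size=len(data))
    return acquired


def duplicate_for_analysis(acquired, log):
    """Make a working copy of each item and verify it against the hash taken
    at collection; analysis then runs on the copy, the original is preserved."""
    copies = {}
    for name, (data, digest) in acquired.items():
        copy = bytes(data)
        verified = sha256_hex(copy) == digest
        log.record("duplicated", name, verified=verified)
        if not verified:
            raise ValueError(f"duplicate of {name} does not match original hash")
        copies[name] = copy
    return copies


def verify_integrity(acquired, data_now):
    """Re-hash the current data and list every source whose hash changed."""
    return [name for name, (_, digest) in acquired.items()
            if sha256_hex(data_now[name]) != digest]


def seal(log):
    """Hash the record of actions itself so later edits to the log are detectable."""
    return sha256_hex(json.dumps(log.entries, sort_keys=True).encode())


def run_sample():
    """Run the whole sequence over the constructed sources."""
    log = CustodyLog()
    collectors = {n: (lambda d=d: d) for n, d in SAMPLE_SOURCES.items()}
    acquired = acquire(list(SAMPLE_SOURCES), collectors, log)
    copies = duplicate_for_analysis(acquired, log)
    return log, acquired, copies


if __name__ == "__main__":
    log, acquired, _ = run_sample()
    print(json.dumps(log.entries, indent=1))
    print("log seal:", seal(log))
```

Two details matter for admissibility. The hash is taken before anything else touches the item, so a later discrepancy between original and copy is detectable; and the custody log records the hash and timestamp of each step, then is sealed, so the record of actions can be verified as well as the evidence.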
6.7.3.2.2 Sub-phase 2: Analyse evidence (pars.3.5.2.4; 6.6.4.2.5)
Analyse the preliminary evidence to determine whether sufficient evidence has been gathered
(Table 6.1: layers 7a, 7b) and whether it supports the hypothesis.
6.7.3.3 PHASE 3: Limited incident reconstruction phase (par. 3.5.2.4)
Use the results of the ActDF investigation phase to determine if the required live evidence has
been acquired. If more live evidence is required, it will be necessary to repeat the ActDF
investigation phase to acquire more live evidence. Various factors can determine if the
investigation can continue, for example, the risk management framework of the organisation
can prescribe that the impact on the business operations or the cost is too high.
6.7.3.4 PHASE 4: ActDF investigation closure (par. 6.6.4.2.5)
Prepare case files for reactive investigation team to complete the investigation.
Phase 1 supports goal 2, to minimise the effect and impact of an on-going incident; phases 2 and 3
support goal 1, to acquire and analyse relevant live CDE in a live system or production
environment by using appropriate tools and technologies; and phase 4 supports goal 3, to provide
a meaningful starting point for a reactive investigation within the parameters of the risk control
framework of the organisation.
The ActDF component will be activated by the ReDF component or when live evidence is needed
to investigate the incident (par. 5.5.3.2.1). Once the required evidence has been acquired, control
will be returned to the ReDF team to continue with the investigation (par. 6.7.3.4). Figure 6-6
(below) is a graphical representation of the phases of the ActDF component of our CDF capability.
Figure 6-6. Graphical representation of the ActDF component (by author)
The ActDF framework will do very limited incident reconstruction, as the purpose of this phase is to
determine if the live evidence required for a successful investigation has been captured. The reactive
component will continue to analyse and reconstruct the incident to conclude the investigation.
6.8 SUMMARY
The chapter has discussed the need for an ActDF capability. There are various definitions and
perceptions of live, remote and real-time investigations. It has defined ActDF to include all types of
‘live’ investigations.
There is a close relationship between the IDS, IRP, and active investigations. The chapter has
provided a brief overview of IDS and the shortcomings to provide an explanation of why the data
gathered by IDS is insufficient to support a successful investigation.
Figure 6-6 (content): the ReDF component as proposed in Chapter 5 (Figure 5-2) and the ActDF component share Phase 1: Incident response and confirmation as a common phase. ReDF then proceeds through Phase 2: Physical investigation; Phase 3: Digital investigation; Phase 4: Incident reconstruction; Phase 5: Presentation of findings; and Phase 6: Incident closure. ActDF proceeds through Phase 2: ActDF digital investigation (Sub-phase 1: Evidence acquisition; Sub-phase 2: Analysis); Phase 3: Incident reconstruction; and Phase 4: Incident closure.
There is a definite need for a framework to assist with active DF investigations. Various tools and
techniques exist, but no common procedure to guide organisations. IDS can provide some data, but
investigators cannot always use it as evidence. The chapter has highlighted the need to change IDS
so that data collected can also be used as admissible, relevant evidence.
The identified frameworks in par 6.6 are slanted towards IDS and concentrate on the collection and
analysis of the live evidence using specific technology, but do not provide any guidance on the
forensic process that must be followed. Ieong and Leung’s framework (2007) provides a role-based
overview but not a forensic sound process to follow. Grobler (2009) provides some guidance on the
forensic process, but also additional aspects, for example laws and regulatory knowledge scope to
consider when formulating our CDF capability.
The next chapter will consolidate the various components identified for ProDF (Chapter 4), ReDF
(Chapter 5) and ActDF (Chapter 6) of the thesis.
6.9 FOLD-OUT FOR CHAPTER 6
Chapter 6: Active Digital Forensics (ActDF)
Need for ActDF (par. 6.3)
Relationship between IDS and live investigations (par. 6.4)
Live investigation tools and techniques (par. 6.5)
Live investigation frameworks (par. 6.6):
Framework 1: Payer (par. 6.6.1)
Framework 2: Ren and Jin (par. 6.6.2)
Framework 3: Foster and Wilson (par. 6.6.3)
Framework 4: Grobler and von Solms (par. 6.6.4)
Framework 5: Ieong and Leung (par. 6.6.5)
ActDF component (par. 6.7):
ActDF definition (par. 6.7.1)
Goals for ActDF (par. 6.7.2)
ActDF protocol (par. 6.7.3):
Phase 1: Incident response and confirmation (par. 3.5.2.1)
Phase 2: ActDF investigation (par. 3.5.2.2)
Phase 3: Limited incident reconstruction (par. 3.5.2.3)
Phase 4: Investigation closure (par. 3.5.2.4)
Part 2: Construction of our DFMF
6-158 | P a g e
PART 2
CONSTRUCTION OF OUR DFMF
The aim of Part 2 of the thesis will be to address sub-objectives 3 (par. 1.5.3) and 4 (par. 1.5.4):
Sub-objective 3: Formulate our CDF capability (Chapter 7).
We will:
expand on the identified phases and steps for each component to formulate our CDF
capability
identify to-do lists for the CDF capability
discuss the relationship between the components of a DF capability
consolidate the to-do lists to assist management to implement the CDF capability.
Sub-objective 4: Construct our holistic theoretical DF implementation and management
framework (DFMF) (Chapter 8).
We will:
use the consolidated to-do list as a basis for the formulation of the DFMF
identify deliverables to implement and manage for each component of our CDF capability;
the deliverables will be used to formulate DFMF
use the dimensions of DF to categorise the identified deliverables
use the relationship between the dimensions of DF to construct the holistic, comprehensive
DF implementation and management framework (DFMF)
ensure that our DFMF is easy to use as it should be able to provide management with a high-
level overview of ‘what to do, who should do it, how it should be done’.
7 CHAPTER 7
COMPREHENSIVE DF CAPABILITY
7.1 INTRODUCTION
We have identified the need for our CDF capability that will cover the preparation for the use of DF
tools and technologies, live evidence acquisition, and the actual reactive investigation with post-
investigation activities (par. 2.8). We have investigated and compared various DF frameworks and
viewpoints in the previous chapters (3, 4, 5 and 6) to define three components of our CDF capability,
as shown in Figure 7-1 (below):
The aim of this Chapter is to consolidate the findings of Chapters 4, 5, and 6, to suggest
improvements to the consolidated findings and to provide a high-level view of our CDF capability.
The DF frameworks discussed in the previous chapters provide guidelines for the actions to be taken
to conduct a DF investigation. There are very few explicit references to the strategies, policies and
procedures that must be formulated to support the investigations. To address the shortcomings, we
identify typical actions in the form of a to-do list for each component of the CDF capability, thus
providing an idea of what should be done by the organisation when implementing or using the CDF
capability.
The to-do lists contain typical actions that must be performed, for example, to establish legal and
regulatory requirements, and to formulate strategies, investigation protocols, policies and
procedures, and to determine education, training, infrastructure and technology requirements. It is
also essential to manage the CDF capability. We include typical management duties in the to-do lists.
The chapter will also provide a discussion of the relationship between the components. Figure 7-2
(below) depicts the role of this chapter within the overall thesis.
Figure 7-1 CDF capability (also Figure 2-3) (by author)
7.2 AIM AND STRUCTURE OF THIS CHAPTER
The aim of this chapter is to consolidate the views of ProDF, ActDF, and ReDF, as discussed in the
previous chapters. We will include improvements to specific stages or steps when we:
consolidate the ProDF component (par. 4.5); confirm the definition, goals, sub-goals and
elements (par. 7.3); and identify to-do lists (pars. 7.3.1.2; 7.3.1.4; 7.3.1.6; 7.3.1.8,
7.3.2.3)
consolidate the ReDF component (pars. 5.3 - 5.5); confirm the definition, goals, phases
and steps (par. 7.4); and identify a to-do list (par. 7.4.7)
consolidate the ActDF component (par. 6.7); confirm the definition, goals, phases and
steps (par.7.5); and identify a to-do list (par. 7.5.5)
discuss the relationship between the ProDF, ActDF and ReDF components (par. 7.6)
consolidate the to-do lists to be used in the next chapter to construct the DFMF (par.
7.7).
Note to reader:
There is a substantial amount of repetition in this chapter, however, we are not merely
repeating content but rather adding additional content to the different components to
ensure the comprehensiveness of our CDF capability.
We have included a fold-out for ProDF, ReDF and ActDF at the end of the chapter (par.
7.8, p. 7-204, par. 7.9 p. 7-205, and par. 7.10 p. 7-206) respectively, for use as a map.
Figure 7-2 (content): Part 1: Background; Part 2: Construction of DFMF, consisting of Chapter 7: Comprehensive DF capability and Chapter 8: Construction of DFMF; Part 3: Conclusion.
Figure 7-2 Role of the chapter in the thesis (by author)
We suggest that the ProDF page (par. 7.8, p. 7-204) be folded out at this stage to provide
context. It is also advised that the fold-out be referenced when every paragraph is read,
as this ensures that the context of reading is preserved. We label the various paragraphs
with a corresponding number, e.g., on the fold-out.
The next section will suggest improvements and consolidate the ProDF component as discussed in
Chapter 4.
7.3 PROACTIVE DF (PRODF) COMPONENT
The saying ‘prevention is better than cure’ is applicable to organisations, whose digital evidence
requirements are increasing. A ProDF capability, as discussed, refers to the forensic
preparation of an organisation to ensure successful, cost-effective digital investigations with minimal
disruption of business activities, and to ensure that comprehensive digital evidence (CDE) and
forensically sound processes are in place and available. The evidence may be needed for an investigation or
during the normal flow of business to demonstrate due diligence with respect to good governance.
From the literature studied, most of the current DF models include a ‘preparation’ or a ‘DF
readiness’ step (Beebe & Clark, 2005; Casey, 2004; Louwrens et al., 2006b; Rowlingson, 2004). We
have provided the following definition (par. 4.4):
DF readiness is the ability of an organisation to maximise its potential
to use comprehensive digital evidence whilst minimising the costs of an
investigation.
We proposed a definition for ProDF in Chapter 4 (par. 4.5.1) but wish to refine it as:
ProDF is the forensic preparation of an organisation to ensure
successful, cost-effective investigations, with minimal disruption to
business activities, and the use of DF to establish and manage
governance programmes.
We proposed two goals for ProDF in Chapter 4:
ProDF Goal 1: Become DF-ready (par. 4.5.2.1)
ProDF Goal 2: Implement and manage DF to improve governance programmes (par.
4.5.2.2).
Figure 7-3 (below) is a graphical representation of the ProDF component:
Figure 7-3 (content): ProDF. ProDF goal 1: Become DF-ready, with Sub-goal 1: Prepared infrastructure; Sub-goal 2: Maximise CDE availability; Sub-goal 3: Prepare responsible, competent employees; and Sub-goal 4: Ensure a cost-effective investigation. ProDF goal 2: Implement and manage DF to improve governance programmes, with Sub-goal 1: Establish a DF management capability; and Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of organisational objectives.
The next section consolidates each ProDF goal with the associated elements. Having discussed the
goals in Chapter 4 (par. 4.5.2) to gather live evidence, we will rearrange steps to propose
improvements to certain elements of the ProDF component.
7.3.1 ProDF Goal 1: Become DF-ready. See on the ProDF fold-out
DF readiness is the ability of an organisation to maximise its ability to use CDE whilst minimising
the costs of an investigation (par. 4.4). DF readiness is supported by four sub-goals (par. 4.5.2.1,
p. 4-110):
Sub-goal 1: Ensure a prepared infrastructure (par. 7.3.1.1)
Sub-goal 2: Maximise CDE availability (par. 7.3.1.3)
Sub-goal 3: Prepare a responsible, competent human resource capability by the
development of a DF education, training and awareness strategy with supporting
programmes (par. 7.3.1.5)
Sub-goal 4: Ensure a cost-effective investigation (par. 7.3.1.7).
The next section will expand and clarify the four sub-goals of DF readiness.
Figure 7-3 ProDF component of CDF capability (also Figure 4-3)
7.3.1.1 DF readiness sub-goal 1: Ensure a prepared infrastructure (two elements) (par. 4.5.2.1.1,
p. 4-110). See on the ProDF fold-out.
The prepared infrastructure includes operational and DF investigation infrastructure (par.
4.4.2.3.2). It is essential to determine the legal and judicial requirements regarding acquisition,
configuration and management of the infrastructure. These requirements include the
configuration of hardware or software to ensure the admissibility of evidence produced by the
infrastructure. It is also essential to acquire investigation tools and techniques that will be
acceptable to the legal and judicial community. The infrastructure should be managed and
organisations should have the management structures necessary to ensure the availability of a
prepared infrastructure. We will now consider what should be done to prepare the operational
infrastructure.
7.3.1.1.1 Element 1: Prepare operational infrastructure (par. 4.4.2.3.2)
The entire operational infrastructure of an organisation should be evaluated to
determine where changes might be necessary to enable DF in an organisation.
Organisations should identify business processes, applications, and infrastructure to
become DF-ready. It is essential to design, construct, and configure relevant systems to
enable future forensic investigations. This concept can span all the activities in the
organisation and is not limited to Info Sec and IT systems. To demonstrate:
Include digital evidence and forensic process requirements during the systems
development life cycle when designing new applications or systems
Design, configure, implement and manage the operational infrastructure (with
relevant policies and procedures) to:
prevent anti-forensic activities
prevent anonymous activities
include a capability to ensure the systematic gathering of potential evidence
by enabling logging capabilities
apply good practices to ensure forensic friendly file systems, for example,
file system separation
use profiling techniques to identify attacks or perpetrators; apply periodical
auditing; use digital fingerprinting to ensure the integrity of proprietary
information
include the capability to collect live / volatile evidence, for example, enable
remote logging
time-synchronise all relevant devices and systems for the time-lining of
events during an investigation
implement and configure an IDS to ensure that incidents are detected as
early as possible.
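The list above asks for time-synchronised devices so that events can be time-lined during an investigation. The script below is an added illustration of what that requirement buys (it is not code from the thesis or from any product it mentions): log lines from three devices are converted to a corrected UTC timeline using each device's time zone and the clock skew measured against a reference clock at collection time, and the result is compared with the order the raw local timestamps suggest. Host names, log lines, time zones and skews are all constructed sample data.

```python
"""Time-lining events from several devices whose clocks are not identical.
Added example (not from the thesis); hosts, logs and skews are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Per-host clock facts established during preparation (constructed):
#   tz   - the UTC offset the host uses in its log timestamps
#   skew - how far the host clock ran ahead of the reference clock when the
#          logs were collected (negative = behind)
HOSTS = {
    "web01": {"tz": timezone.utc, "skew": timedelta(0)},
    "db01": {"tz": timezone(timedelta(hours=2)), "skew": timedelta(seconds=45)},
    "fw01": {"tz": timezone.utc, "skew": timedelta(seconds=90)},
}

# Constructed log lines, each in its host's own local time.
SAMPLE_LOGS = [
    ("web01", "2011-11-01 09:15:02 GET /admin from 10.0.0.5"),
    ("db01", "2011-11-01 11:15:50 SELECT * FROM accounts (client webapp)"),
    ("fw01", "2011-11-01 09:16:31 ACCEPT 10.0.0.5 -> 10.0.1.20:443"),
]

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")


def normalise(host, line):
    """Parse one log line and convert its timestamp to corrected UTC:
    apply the host's time zone, then subtract the host's measured skew."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line from {host}: {line!r}")
    clock = HOSTS[host]
    local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=clock["tz"])
    corrected = local.astimezone(timezone.utc) - clock["skew"]
    return {"utc": corrected, "host": host, "local": m.group(1), "message": m.group(2)}


def build_timeline(logs):
    """Events ordered by corrected UTC time."""
    return sorted((normalise(h, l) for h, l in logs), key=lambda e: e["utc"])


def naive_order(logs):
    """Hosts in the order the raw local timestamps suggest, i.e. what an
    analyst sees when clocks are neither synchronised nor corrected."""
    return [h for h, l in sorted(logs, key=lambda hl: hl[1][:19])]


def unsynchronised_hosts(tolerance=timedelta(seconds=5)):
    """Hosts whose measured skew exceeds the tolerance accepted for
    time-lining; these need their clocks corrected before the next incident."""
    return sorted(h for h, c in HOSTS.items() if abs(c["skew"]) > tolerance)


if __name__ == "__main__":
    print("raw order:", naive_order(SAMPLE_LOGS))
    for e in build_timeline(SAMPLE_LOGS):
        print(e["utc"].strftime("%H:%M:%S"), e["host"], e["message"])
    print("clocks outside tolerance:", unsynchronised_hosts())
```

With the constructed data the raw timestamps place the firewall accept after the web request, which is impossible for this traffic; only after the zone and skew corrections does the firewall event precede the request and the database query follow it. The corrections can be applied after the fact only if the skew of every source was recorded, which is why synchronising the devices up front (and recording residual skew at collection) belongs in the prepared infrastructure.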
7.3.1.1.2 Element 2: Establish, manage and equip a DF investigation (DFI) infrastructure (par.
4.4.2.3.2)
Management should identify and allocate a dedicated secure venue (DFI laboratory) with
a secure storage area in which to store all case documentation and evidence.
Organisations must ensure the availability of an investigation infrastructure, for example
an isolated network; forensic servers, short- and long-term servers, and other
equipment, for example, disk duplicators, digital cameras, jump bags, and networking
gear. The DFI laboratory must be equipped with appropriate, admissible forensic tools to
acquire, analyse, evaluate, and present legally admissible digital evidence (static, live,
legacy and post-investigation). The laboratory should have the necessary stationery
available during an investigation, for example, blank media, gloves and physical evidence
bags.
To manage the DFI laboratory, it is necessary to formulate a policy and procedure to
control the use of the laboratory, use of tools and access to the laboratory (this can
include logbooks for access control).
Note to reader:
We add backup policies and procedures for the DFI laboratory, which must include
the backup of tools, case files, and evidence to ensure that all versions of tools are
available if one needs to re-open a case (by author).
7.3.1.2 To-do list
Organisations must:
determine the legal and regulatory requirements applicable to the operational and
investigation infrastructure. Consider requirements related to evidence, processes,
admissibility of investigation tools, and the configuration of the operational and
investigation infrastructure (par. 7.3.1.1)
establish the relevant management structures to ensure the availability of facilities
(DFI laboratory, and operational infrastructure), hardware, software and equipment
to ensure a successful investigation (par. 7.3.1.1)
formulate policies and procedures to manage the preparation, use and maintenance
of the operational and investigation infrastructure (pars. 7.3.1.1.1; 7.3.1.1.2)
only consider the acquisition and application of acceptable and admissible forensic
tools, technologies and equipment (par. 7.3.1.1.2).
7.3.1.3 DF readiness sub-goal 2: Maximise CDE availability (par. 4.5.2.1.2, p. 4-110). See on
the ProDF fold-out.
It is essential that organisations put in place measures and controls to identify and manage the
identified digital evidence. Beebe and Clark (2005) recommend the establishment of an
information retention plan.
Note to reader:
We are convinced that organisations need more than an information retention plan, notably
an evidence management plan (EMP) to maximise CDE availability. The information retention
plan as identified in Chapter 4 (par. 4.4.2.3.1) requires the identification of potential CDE
and the development of evidence management policies and procedures.
The EMP should concentrate on the management of required CDE in an organisation. This
includes the identification, legal gathering, preservation, handling, retrieval, retention, and
archiving of CDE. Managing evidence requires the ability of managers to measure the
completeness of the evidence set related to the risks to the organisation.
We therefore include an EMP in the ProDF component, and propose four steps to establish and
manage the EMP:
EMP Step 1: Identify potential CDE proactively for specific risk or scenario (par.
4.4.2.3.1)
EMP Step 2: Organise the CDE by compiling an evidence index, adapted from Casey’s
evidence map (Casey, 2007), and establishing a network evidence map (NEW by
author)
EMP Step 3: Evaluate the evidence status of known assessed risks or scenarios in
terms of the comprehensiveness of the CDE set of the risk or scenario (NEW by
author)
EMP Step 4: Develop and augment evidence-related policies and procedures to
ensure that evidence sets have the highest CDE rating (par. 4.4.2.3.1). The CDE
rating will be an indication of the comprehensiveness of an evidence set associated
with a specific risk or scenario.
We will now discuss each step to explain the content of the EMP.
7.3.1.3.1 EMP Step 1: Identify potential CDE
It is essential to identify all potential business scenarios that will require digital evidence.
Several authors suggest identifying potential evidence during the risk assessment
process (Beebe & Clark, 2005; Louwrens et al., 2006b; Rowlingson, 2004).
During the business impact analysis (BIA), organisations normally compile a threat or
attack profile. The threat profile includes general information about the identified risk,
for example, the risk description or indications, controls applied and policies linked to
the risk (Whitman & Mattord, 2009).
Note to reader:
We suggest expanding the threat profile by adding two columns, one for required evidence
elements for the identified risk or scenario, the other a CDE rating column to indicate the
comprehensiveness of the evidence set related to the risk or scenario. We, therefore,
propose renaming the adapted threat profile as a ‘risk profile’.
To compile the risk profile the organisation must consider the following four sub-steps:
Sub-step 1: Determine all risks or scenarios during BIA that may need evidence
Sub-step 2: Complete the risk profile
Sub-step 3: Identify the evidence elements that will be required to investigate the
risk or scenario. This will address Louwrens et al.’s requirement that monitoring and
auditing be targeted to detect and deter major incidents (Louwrens et al., 2006b)
Sub-step 4: Complete the last field of the risk profile, the CDE rating field. This field
indicates the completeness and potential admissibility of the evidence set related to the
potential risk or scenario. We cannot calculate the CDE rating for a specific evidence set
before we have assigned a certainty rating to each of its individual evidence elements.
The next step is to organise the identified evidence elements in the risk profile.
7.3.1.3.2 EMP Step 2: Organise the evidence
It is inevitable that the same evidence elements are required for different scenarios or
risks. Casey proposes the construction of a digital evidence map that will contain all the
information about the evidence, i.e., category, location, retention time, and reference
procedures to collect and retrieve evidence (Casey, 2007).
Note to reader:
We suggest expanding Casey’s map by adding certainty ratings and special requirements to
the evidence map. This expanded map will be referred to as a ‘digital evidence index’.
We propose the following seven sub-steps to organise the CDE into a digital evidence
index:
Sub-step 1: Classify or categorise the evidence element as being physical or digital
(static, live, legacy) evidence
Sub-step 2: Determine the technical requirements to acquire the evidence element
Sub-step 3: Determine the legal and regulatory requirements to ensure that the
identified evidence elements will be admissible in court and have evidentiary weight
Sub-step 4: Assign a certainty rating to each evidence element. We propose using
Casey’s certainty scale (C0 - incorrect; C1 - highly uncertain; C2 - somewhat uncertain;
C3 - possible; C4 - probable; C5 - almost certain; C6 - certain) to evaluate the evidence
(Casey, 2004)
Sub-step 5: Include any special requirements
Sub-step 6: Indicate the location of the evidence element in the information
architecture of the organisation
Sub-step 7: Compile the digital evidence index.
Once all the potential evidence elements have been identified and organised, we need
to augment the information architecture of the organisation and determine the
potential impact of the additional evidence elements on the architecture.
It will be useful to provide a visual representation of the location of the evidence
elements. We propose that the organisation map the evidence elements to its network
diagram. The next step will be to complete the risk profile by evaluating the CDE rating
for each risk or scenario.
7.3.1.3.3 EMP step 3: Evaluate the evidence status and complete the risk profile
We propose using the Upgrader matrix as defined by Arthur, Olivier and Venter (2007)
to calculate the CDE rating and CDE flag colour for the evidence set [E1; E2; …; En]
associated with risk_i or scenario_i. The risk management department should determine
the specific certainty combinations of an evidence set that will be acceptable for the
organisation. We propose to colour code the Upgrader matrix by using three colours
(Figure 7-4 below).
                   Cmax
Cmin   C0  C1  C2  C3  C4  C5  C6
C0     C0  C0  C0  C0  C0  C1  C1
C1         C1  C1  C1  C1  C2  C2
C2             C2  C2  C2  C3  C3
C3                 C3  C3  C4  C4
C4                     C4  C5  C5
C5                         C5  C6
C6                             C6
Key: C0; C1 = R (red); C2; C3; C4 = O (orange); C5; C6 = G (green)
Figure 7-4 Adapted upgrader matrix (by author)
To interpret the matrix:
G Green (C5; C6): excellent CDE; can result in a successful investigation
O Orange (C2; C3; C4): average CDE
R Red (C0; C1): insufficient or bad CDE.
Organisations need to determine whether the orange (O) rating is to be treated as red (R) or
green (G). If evidence is required for an internal hearing the orange rating may be reclassified
as green, but if it is for external investigation purposes the orange rating may be red.
This means that orange is equivalent to either R or G, depending on the organisational criteria.
The definition of CDE requires that the evidence have evidentiary weight and be complete
and relevant (par. 2.7.2). Linking an evidence element to the scenario or risk addresses
the relevance requirement; determining the evidence elements associated with each risk
or scenario in the risk profile addresses completeness. We accept that the evidence
acquired will be in an admissible format within the legal operating environment of the
organisation. We will use completeness and Casey’s certainty rating (for admissibility)
to determine the CDE rating for an identified risk_i or scenario_i.
The combination of the certainty ratings (C_i) of the individual evidence elements (E_i)
of the evidence set related to a risk or scenario influences the CDE rating of that
evidence set. We use C_min (the lowest certainty rating in the set), C_max (the highest
certainty rating in the set) and the adapted upgrader matrix to determine the CDE rating
of the evidence set related to a specific risk_i or scenario_i. The algorithm has been
discussed in the paper presented: Evidence Management Plan (Grobler & Louwrens, 2010).
The last step is to update the CDE rating field in the risk profile.
The risk profile is now complete and organisations can obtain a high-level view of their
evidence status.
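As an added worked example (not the thesis author’s code, and not the algorithm of Grobler & Louwrens, 2010, which is only referenced above), the following Python models EMP Steps 1 to 3 end to end: a risk profile with the two proposed columns, a digital evidence index whose entries carry Casey certainty ratings, and the CDE rating and flag colour of each risk’s evidence set derived from C_min, C_max and the adapted upgrader matrix of Figure 7-4, with the orange rating resolved by the organisational criterion of par. 7.3.1.3.3. All risk, evidence and location names are constructed sample data, and the class and function names are the example’s own.

```python
"""Evidence management plan (EMP) model: risk profile, digital evidence index
and CDE rating via the adapted upgrader matrix (pars. 7.3.1.3.1 - 7.3.1.3.3).
Added illustration, not the thesis author's code; every risk, evidence and
location name below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Casey's certainty scale (Casey, 2004); the list index is the C level.
CERTAINTY_SCALE = ["incorrect", "highly uncertain", "somewhat uncertain",
                   "possible", "probable", "almost certain", "certain"]

# Adapted upgrader matrix of Figure 7-4, transcribed as UPGRADER[cmin][cmax].
# Only cells with cmin <= cmax are defined; the remaining cells are None.
UPGRADER = [
    [0, 0, 0, 0, 0, 1, 1],
    [None, 1, 1, 1, 1, 2, 2],
    [None, None, 2, 2, 2, 3, 3],
    [None, None, None, 3, 3, 4, 4],
    [None, None, None, None, 4, 5, 5],
    [None, None, None, None, None, 5, 6],
    [None, None, None, None, None, None, 6],
]


@dataclass
class EvidenceElement:
    """One entry of the digital evidence index (EMP Step 2)."""
    name: str
    category: str              # physical, static, live or legacy
    location: str              # place in the information architecture
    certainty: int             # Casey rating C0..C6
    special_requirements: str = ""

    def __post_init__(self) -> None:
        if not 0 <= self.certainty <= 6:
            raise ValueError(f"certainty must be C0..C6, got {self.certainty}")


@dataclass
class RiskProfile:
    """Threat profile extended with the two proposed columns (EMP Step 1)."""
    risk: str
    evidence: List[str]            # names of index entries this risk requires
    cde_rating: Optional[int] = None
    cde_flag: Optional[str] = None


def cde_rating(certainties: List[int]) -> int:
    """Look up the evidence set's CDE rating from C_min and C_max."""
    if not certainties:
        raise ValueError("an evidence set needs at least one element")
    return UPGRADER[min(certainties)][max(certainties)]


def flag_colour(rating: int) -> str:
    """Key of Figure 7-4: C0/C1 red, C2-C4 orange, C5/C6 green."""
    return "R" if rating <= 1 else "O" if rating <= 4 else "G"


def evaluate_profile(profile: RiskProfile, index: Dict[str, EvidenceElement],
                     orange_resolves_to: str = "R") -> RiskProfile:
    """EMP Step 3: complete the CDE rating and flag columns of a risk profile.

    orange_resolves_to is the organisational criterion of par. 7.3.1.3.3:
    'G' when the evidence is for an internal hearing, 'R' for external use.
    """
    ratings = [index[name].certainty for name in profile.evidence]
    profile.cde_rating = cde_rating(ratings)
    colour = flag_colour(profile.cde_rating)
    profile.cde_flag = orange_resolves_to if colour == "O" else colour
    return profile


def network_evidence_map(index: Dict[str, EvidenceElement]) -> Dict[str, List[str]]:
    """Group index entries by their location (EMP Step 2, sub-step 6)."""
    by_location: Dict[str, List[str]] = {}
    for element in index.values():
        by_location.setdefault(element.location, []).append(element.name)
    return by_location


def sample_emp(orange_resolves_to: str = "R") -> List[RiskProfile]:
    """Constructed sample data: one evidence index shared by two risk profiles."""
    index = {
        "firewall logs": EvidenceElement("firewall logs", "static", "DMZ firewall", 5),
        "proxy logs": EvidenceElement("proxy logs", "static", "web proxy", 3),
        "memory image": EvidenceElement("memory image", "live", "workstation",
                                        2, "acquire before power-off"),
        "access logbook": EvidenceElement("access logbook", "physical",
                                          "server room", 6),
    }
    profiles = [
        RiskProfile("data exfiltration via web",
                    ["firewall logs", "proxy logs", "memory image"]),
        RiskProfile("unauthorised server-room entry",
                    ["access logbook", "firewall logs"]),
    ]
    return [evaluate_profile(p, index, orange_resolves_to) for p in profiles]


if __name__ == "__main__":
    for p in sample_emp():
        print(f"{p.risk}: C{p.cde_rating} ({CERTAINTY_SCALE[p.cde_rating]}) "
              f"flag {p.cde_flag}")
```

The evidence index is keyed by element name so that one element, such as the firewall logs above, can be shared by several risk profiles without duplication, which is the situation EMP Step 2 sets out to handle; the first sample risk lands on C3 (orange) and so its flag depends on whether the organisation treats orange as red or green.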
Note to reader:
The organisation can have a very good idea of their evidence status when they view the
risk profile. There is scope for further research to expand this assessment to include
more parameters to compute the CDE rating, for example, the number of evidence items,
admissibility rating (including relevance, legality, integrity, whether producible)
requirements and certainty.
The last step to complete the EMP is to create, update, or augment policies and procedures
related to evidence.
7.3.1.3.4 EMP step 4: Develop and augment evidence management policies and procedures
Policies and procedures guide behaviour and actions in the organisation. Typical policies
and procedures to consider are:
Evidence handling (evidence identification, acquisition, handling, preservation,
authentication, transport, and storage) for static, live and legacy digital evidence.
Post-investigation evidence handling (retention, returning or archiving).
Augmentation of the traditional risk management strategy and contingency plans,
policies and procedures. The IRP, business continuity (BCP) and disaster recovery
(DRP) plans contain policies and procedures, for example, incident detection,
confirmation, containment, escalation, and recovery. The policies must recognise
the importance of CDE identification; preservation and all the relevant procedures
must be forensically sound. All the policies and procedures must ensure the
preservation of the chain of evidence and chain of custody. There should be
development of a containment strategy (including live systems) with supporting
policies and procedures. This may not be a complete list of policies, but serves as an
example of typical policies and procedures to consider.
7.3.1.4 To-do list
Organisations must establish an EMP to manage the evidence, and:
identify evidence for potential risks or scenarios (par. 7.3.1.3.1)
identify the technical, legal and regulatory requirements applicable to digital and
physical evidence (par. 7.3.1.3.2)
determine the completeness of an evidence set associated with a risk or scenario
(par. 7.3.1.3.3)
formulate policies and procedures to manage digital and physical evidence (par.
7.3.1.3.4)
augment the risk management strategy and contingency plans (IRP, BCP and DRP) of
the organisation with supporting policies and procedures to include evidence and
process requirements (par. 7.3.1.3.4).
7.3.1.5 DF readiness sub-goal 3: Prepare responsible and competent employees by the
development of a DF education, training and awareness strategy with supporting
programmes (par. 4.5.2.1.3, p. 4-110). See on the ProDF fold-out.
The aim of this strategy is to develop a preservation culture in the organisation to preserve all
evidence (digital and non-digital). The strategy should also support the importance of doing the
right thing in a correct way.
The DF training and awareness strategy should cover education, training, and awareness
programmes for the organisation and must include technical, legal, judicial, and regulatory
requirements in all programmes. It is necessary to create a DF awareness programme to ensure
that employees are aware of DF requirements and the importance of evidence in the
organisation. The strategy will be supported by a DF education, training and awareness policy and
procedure to guide the establishment, implementation, and management of education, training
and awareness programmes.
A successful awareness programme will ensure that employees are aware of the importance of
evidence and following the correct procedures as stipulated by policies and standard operational
procedures. It is important to note that awareness programmes should target specific users, as
different roles require different levels of awareness, for example, a normal data-capturer versus a
network administrator. The goal is to develop a culture of preserving evidence.
Qualification authorities, for example the South African Qualifications Authority (SAQA) or other
certification bodies or authorities should accredit the training programmes. Accredited training
and education programmes can provide assurance on the standard of content. It is advisable to
enable employees to obtain industry certification. The admissibility of evidence acquired during
an investigation by a qualified investigator would thus not easily be questioned, as the courts
could expect that the correct procedures were being followed.
Note to reader:
We have identified two elements in pars. 4.5.2.1.3 and 4.4.2.3.3, but add a third to
encompass the issue of responsible and ethical behaviour.
7.3.1.5.1 Element 1: Create or source different education and training programmes to address
different needs in the organisation. These will provide the following:
Technical training. Develop an in-house DFI capability (if required) by providing
training in the use of forensic tools. These would include training on commercial or
freeware tools for digital (static, live and legacy) and physical evidence acquisition
and analysis. The training must include the preservation and effective retrieval of
evidence from legacy software applications or hardware that uses proprietary
formats, incompatible disk drives, or obsolete operating systems. The training
programmes should include real-life cases to ensure a practical component that
assesses competence.
Training for first responders. This should establish a capability for securely gathering,
preserving, handling, and effectively retrieving CDE. Clear policies and procedures
must exist to guide staff on what to do, and when and how to do it, whenever an incident
alert is issued.
General user training. Apart from the general awareness programme, users (general
and managerial) must be trained, on a need-to-know basis, about the importance of
evidence, processes, and legal implications of specific actions on different levels of
the organisation. These programmes will address the DF requirements for different
roles and positions.
Expert witness training. This would ensure that testimony is admissible.
7.3.1.5.2 Element 2: Establish an awareness programme
Similar to the DF education and training programmes, organisations will be required to use
current issues to design awareness programmes. These will ensure that employees are
aware of important issues and know what is expected from them in certain situations.
Typically, it is issues related to evidence preservation during incident response.
7.3.1.5.3 Element 3: Formulate a code of conduct for the use of DF tools and techniques
Due to the nature of DF tools and technologies, it is essential to create a code of conduct
for various roles, to ensure that the tools and technologies will be used for ethical
purposes.
7.3.1.6 To-do list
Organisations must:
formulate a DF education, training and awareness strategy to ensure that the people
in the organisation will be prepared and competent (par. 7.3.1.5)
establish a policy and procedure to guide the establishment, implementation and
management of education, training and awareness programmes (par. 7.3.1.5)
determine the technical, legal, judicial and regulatory requirements to accredit
education and training programmes and certify staff as competent (par. 7.3.1.5)
develop selective education, training and awareness programmes (par. 7.3.1.5.1,
7.3.1.5.2)
establish a policy to prescribe the training requirements associated with specific
roles in the organisation to ensure the admissibility of evidence in court (pars.
7.3.1.5; 7.3.1.5.1)
formulate a code of conduct for the use and application of DF in the organisation
(par. 7.3.1.5.3).
The last sub-goal for DF readiness will now be discussed.
7.3.1.7 DF Readiness sub-goal 4: Ensure a cost-effective investigation (three elements) (par.
4.5.2.1.4, p. 4-110). See on the ProDF fold-out.
The researched DF frameworks fail to specify how to ensure a cost-effective investigation
(Beebe & Clark, 2005; Garcia, 2005; Louwrens et al., 2006b; Rowlingson, 2004). We have
combined the following elements to rectify this omission (pars. 4.4.2.3.5; 4.5.2.1.4).
7.3.1.7.1 Element 1: Ensure that a well-documented and validated DF investigation protocol is
in place
Document and validate a DF investigation (DFI) protocol (active as well as reactive)
against best practice (par. 4.4.2.3.5). The protocol is accompanied by supporting policies
and processes to ensure that all employees are aware of why, what, when, where and
how they need to act.
7.3.1.7.2 Element 2: Establish a procedure to ensure that an investigation proceeds at a cost
in proportion to the incident (par. 4.5.2.1.4)
The procedure must include relevant factors for the calculation of the cost of an
investigation (Whitman & Mattord, 2008). The factors are the estimated personnel
hours spent; the loss of revenue due to service interruption; and value of any trade
secrets (CERT Coordination Center, 2004). There is a need to develop an algorithm for
cost of incident versus cost of investigation, to justify the cost of preparation for an
investigation.
Note to reader:
The cost of an incident can be a vital tool when one has to present a request for new
Info Sec controls or other relevant controls to improve governance.
One of the goals of ProDF is to minimise the cost of an incident. If one takes the cost
of the incident before the ProDF implementation and can demonstrate the cost saving
after the implementation of ProDF, it will make business sense to consider the
implementation of ProDF for the organisation and will address the business objective
of minimising the (financial) impact of an incident on services.
7.3.1.7.3 Element 3: Minimise interruption to the business from any investigation (pars.
4.4.2.3.4; 4.4.2.3.5)
If the infrastructure is ready, evidence and processes are in place when they are required
for an investigation or to prove compliance; the evidence will be available and can be
acquired with minimal interruption to the daily operations of the organisation. It is
essential to augment and integrate the risk management strategy, business continuity
strategy and supporting plans, policies and procedures to ensure that DF evidence and
process requirements are in place. A clearly defined containment strategy must be
formulated to minimise the impact of the incident.
7.3.1.8 To-do list
Organisations must:
Document and validate a DFI protocol that includes reactive and active
investigations to ensure that investigations are conducted in an organised way (par.
7.3.1.7.1)
Ensure that all the policies and procedures required by the ReDF and ActDF
protocols exist for a successful investigation (par. 7.3.1.7.1)
Create or augment the risk management and business continuity strategy, plans (IR,
BCP and DRP), policies and procedures of the organisation to include DF evidence
and process requirements, and follow a DF-friendly containment strategy and plan
to minimise the impact of an incident whilst maximising the availability of the
evidence (par. 7.3.1.7.3)
Ensure that policies and procedures exist to manage the cost of the investigation
and incident (par. 7.3.1.7.3).
The next section will discuss ProDF Goal 2.
7.3.2 ProDF Goal 2: Implement and manage DF to improve governance programmes (two
sub-goals). See on the ProDF fold-out.
We have identified two sub-goals for this goal (par. 4.5.2.2, p. 4-110):
Sub-goal 1: Establish a DF management capability to support the DF strategy (par.
4.5.2.2.1)
Sub-goal 2: Provide reasonable assurance regarding the achievement of the
organisation’s objectives (par. 4.5.2.2.2).
The effective utilization of DF tools and techniques can enable management to enhance the
governance structures of the organisation by proving (assessing) the effectiveness of controls,
measured against IT and Info Sec objectives (related to business objectives).
Note to reader:
We propose that organisations define a formal DF strategy that will prescribe where
and how DF tools and technologies may be applied. The strategy may specify, for
example, that DF tools and technologies only be used for the investigation of fraud
and security incidents.
7.3.2.1 Sub-goal 1: Establish a DF management capability to support the DF strategy (par.
4.5.2.2.1, p. 4-110). See on the ProDF fold-out.
This strategy will prescribe where and when DF tools and technologies may be applied in the
organisation (four elements):
7.3.2.1.1 Element 1: Management must augment the organisational structure to include DF
(with roles and responsibilities to deal with DF in the organisation).
7.3.2.1.2 Element 2: There should be a clear segregation of duties between the DF, risk
management, CERT, and Info Sec teams. Investigations are often compromised when
these roles and responsibilities are not clearly defined or segregated.
7.3.2.1.3 Element 3: The outsourcing of a DF investigation must also be outlined by a well-
defined outsourcing policy and procedures. It is essential to consider the evidence
and process requirements when formulating the Service Level Agreements.
7.3.2.1.4 Element 4: Ensure that a legal review exists to facilitate action in response to the
incident.
7.3.2.2 Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of
organisational objectives (par. 4.5.2.2.2, p. 4-111). See on the ProDF fold-out.
Policies and procedures should be formulated to guide the application of DF tools and
technologies to provide reasonable assurance regarding the achievement of organisational
objectives with respect to the following five elements:
7.3.2.2.1 Element 1: Safeguarding of the company’s assets (including information)
Organisations must ensure that the integrity of information is maintained. Section 802 of
Sarbanes-Oxley indicates that there are criminal penalties for altering documents. The
board of directors should guarantee the integrity of all documents. DF tools and
techniques can be applied to prove that the information is in its original form.
DF tools and techniques can be applied to acquire evidence to investigate the misuse of
equipment and organisational resources. It is also essential to develop a whistle-blowing
policy (Patzakis & Limongelli, 2004). The Info Sec team should incorporate DF techniques
in the IT auditing procedures, thus enabling more accurate audit trails.
7.3.2.2.2 Element 2: Assessing compliance with applicable laws, regulations, industry and
supervisory requirements.
7.3.2.2.3 Element 3: Supporting business sustainability under normal as well as adverse
operating conditions.
Under normal operating conditions, DF can be applied to assess key risk areas. The risk
assessment should address the company’s exposure to at least: physical and operational
risks; human resource risks; technology risks; business continuity and disaster recovery;
credit and market risks; and compliance risks.
Organisations apply DF tools for penetration tests to determine the vulnerabilities
(Richardson, 2008). They should evaluate all emerging technologies to determine the
risks involved and whether the current DF tools will be adequate to investigate an
incident. There must be monitoring and control of the use of removable or portable
devices to minimise or prevent cybercrimes. Typically, new technologies, e.g., smart
phones, can be used to acquire company-specific information, for example intellectual
property.
The responsible use of DF tools can improve the effectiveness and efficiency of the
application of technology in an organisation. DF tools and techniques can be applied to
assist in data recovery (crashed hard disk), wiping of hard disk before the disposal of
equipment and retrieval of lost passwords. Operations can resume after the application
of the tools and interruption to business operations can be minimised.
It is necessary to consider DF requirements when formulating the IT governance
controls, policies, and processes. We researched the literature and propose a list of
CobiT (Institute, 2000) controls to be covered (Guldentops et al., 2005; Louwrens &
von Solms, 2005) (see Table 4.4).
In adverse conditions, it is essential to augment the contingency plans, policies and
procedures (IR, disaster recovery and business continuity) to minimise the impact on the
operations of the organisation (DF readiness sub-goal 1 has included some aspects).
7.3.2.2.4 Element 4: Reliability of reporting
It is necessary to make reliable reports, based on CDE, available to enable management
to meet the King II requirement (von Solms & von Solms, 2009) stipulating that “the board
is responsible for ensuring that a systematic, documented assessment of the processes
and outcomes surrounding key risks is undertaken annually”, and to make a public
statement on risk management.
Should an incident arise and an investigation be completed, the organisation should provide
a report describing the incident and its impact, and a review report should be available. The
incorporation of CDE in audit trails can result in more continuous and accurate audit results
and compliance tests. The incorporation of DF techniques in auditing procedures will lead to
more credible audit results.
Management should receive regular reports on the risk management process in the
organisation and regular updates on investigations in progress.
7.3.2.2.5 Element 5: Behaving responsibly towards all stakeholders (King, 2003)
Organisations must demonstrate due diligence with respect to good governance.
Management will be able to provide documented assessments to prove that regular checks
have been performed. It is essential to demonstrate transparency and responsibility towards
the stakeholders to communicate the impact of the incident on the organisation, its root-
cause, and the result of an investigation.
ProDF addresses the need to prepare organisations for DF investigations and to have relevant
digital evidence available by being DF-ready, and the responsible application of DF tools and
techniques to establish and manage governance frameworks in organisations.
7.3.2.3 To-do list
Organisations must:
Formulate a DF strategy to manage the application of DF in an organisation (par.
7.3.2.1)
Formulate policies and procedures to support the DF strategy to ensure that clear
directives exist to manage DF for investigative and non-investigative purposes in the
organisation. Policies to establish a DF capability in the organisation (pars 7.3.2.1.1 -
7.3.2.2.5) must be included.
Incidents will happen and should be investigated. The next section consolidates the ReDF
component.
Note to reader:
We suggest that the ReDF page (par. 7.9 p. 7-205) be folded out at this stage to
provide context. It is also advised that the fold-out is referenced when every
paragraph is read, as it ensures that the context of reading is preserved. We label
the various paragraphs with a corresponding number, e.g. on the fold-out.
7.4 REACTIVE DF (REDF) COMPONENT
No organisation is fully prepared for all possible incidents. ReDF, as defined by this thesis,
concentrates on the traditional DF investigation (dead forensics) that will take place after an incident
has been detected and confirmed. In anticipation of an incident occurring, there should be an
acceptable proven DF investigation protocol in place as specified by ProDF on how to conduct the
investigation (Louwrens et al., 2006b).
We proposed a definition for ReDF in Chapter 5 (par. 5.3, p. 5-117) and will use it as our formal
ReDF definition:
A ReDF component is the application of analytical and investigative techniques for
the preservation, identification, extraction, documentation, analysis, and
interpretation of digital media, for evidentiary and/or root cause analysis and
the presentation of comprehensive digital evidence derived from digital sources
for the purpose of facilitating or furthering the reconstruction of incidents
(Kruse & Heiser, 2004; Palmer, 2001; Reith, Carr & Gunsch, 2002; Rowlingson,
2004).
We have identified two goals for ReDF in Chapter 5 (par. 5.4):
ReDF Goal 1: Successfully investigate an incident
To achieve this goal it is essential to acquire the relevant CDE to determine the root
cause of the incident, link the perpetrator to the incident, and present the case
successfully.
ReDF Goal 2: Minimise the impact of an incident.
We have proposed a ReDF component with phases and related steps in Chapter 5 (par. 5.5, p. 5-
118), which distinguishes between a physical and a digital investigation. It is therefore essential
that we define a physical and a digital crime scene, and accept the following definitions from
Chapter 3 (par. 3.3.2, 3.3.3) (Barayumureeba & Tushabe, 2004; Carrier & Spafford, 2003):
A physical crime scene is the physical environment in which physical evidence of
a crime or incident exists.
A digital crime scene is the virtual environment created by hardware and
software in which evidence of a digital crime or incident exists.
The ReDF protocol of the ReDF component, as proposed in Chapter 5 (par. 5.5, p. 5-118), has six
phases and related steps, listed below with the related paragraph number from Chapter 5 in
parentheses:
Phase 1: Incident response and confirmation phase (par. 5.5.1)
Phase 2: Physical investigation phase (par. 5.5.2)
Phase 3: Digital investigation phase (par. 5.5.3)
Phase 4: Incident reconstruction phase (par. 5.5.4)
Phase 5: Presentation of findings phase (par. 5.5.5)
Phase 6: Incident closure phase (par. 5.5.6).
Figure 7-5 (below) is a graphical representation of the proposed phases of the ReDF protocol.
The next section will consider the consolidation and streamlining of the steps within each phase of
the ReDF protocol.
7.4.1 ReDF Phase 1: Incident response and confirmation phase. See on the ReDF fold-out.
We have identified ten steps in Chapter 5 par. 5.5.1, p. 5-118 for phase 1. We have combined some
steps and included additional steps that support the forensic principles of evidence preservation and
documentation (par. 3.3.4.7) to consolidate phase 1 into eight steps. Figure 7-6 (below) indicates
Phase 1: Incident response and confirmation in the ReDF component (eight steps).
Figure 7-5 Proposed phases of the ReDF protocol of the ReDF component (by author) – this is a copy of Figure 5-2
(Figure 7-5 panels: Phase 1: Incident response and confirmation; Phase 2: Physical investigation; Phase 3: Digital investigation; Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure; ActDF sub-phase 1: Securing the evidence; sub-phase 2: Evidence acquisition; sub-phase 3: Analysis; sub-phase 4: Service restoration.)
Phase 1: Incident response and confirmation phase
Step 1: Detect the incident
Step 2: Initiate incident response plan
Step 3: Confirm the incident
Step 4: Formulate initial DFI plan
Step 5: Obtain authorisation
Step 6: Evaluate incident to determine whether to accelerate investigation
Step 7: Notify relevant parties
Step 8: Document all activities
Figure 7-6 Phase 1 of the ReDF protocol (by author)
7.4.1.1 Step 1: Detect the incident (combined step 2 and 3 of par. 5.5.1)
The IDS will detect suspicious activity (par. 5.5.1.2) and notify the relevant party (par.
5.5.1.3) of the potential incident. Some incident alerts will fire a trigger event to
activate the ActDF component as soon as the incident has been detected, to gather
required live evidence (by author).
7.4.1.2 Step 2: Initiate IRP (steps 1 and 6 of par. 5.5.1)
Activate the CERT, the IRP and a containment strategy for the specific incident to minimise
its impact. The IRP and containment strategy must consider business, legal, technical
and political factors and goals (par. 5.5.1.6). Investigators must ensure that forensically
sound procedures are followed and that the evidence is preserved at all times.
7.4.1.3 Step 3: Confirm the incident (step 4 of par. 5.5.1)
Once the incident has been detected, we must determine the assessment of worth (par.
5.5.1.4). Organisations must validate the incident, assess the potential damage or
impact of the incident, and confirm the incident.
The decision whether to investigate must be made. It is necessary to determine the relevance
and nature of the investigation, for example, whether it will be a formal or informal
investigation. The result falls into one of two categories: NO incident (no further
activities) or CONFIRMED incident (continue with the investigation, or do not
investigate at all if the incident is pre-defined as one that is not investigated).
7.4.1.4 Step 4: Formulate initial DF investigation plan (DFI plan) for data collection and analysis
(step 7, 8 of par. 5.5.1)
The formulation of the DFI plan (par. 5.5.1.8) will coordinate all the resources to
conduct the investigation (par. 5.5.1.7) and indicate whether the investigation or partial
investigation must be outsourced if the organisation does not have adequate internal
resources available.
Note to reader:
We propose to formulate an initial hypothesis when evaluating the initial indicators of
the incident.
The DFI plan must include an initial hypothesis, which should cover the most likely
scenarios. It is essential to define criteria to prove or disprove the hypothesis and to
determine which evidence must be acquired to investigate the incident successfully by
consulting the risk profile and digital evidence index.
7.4.1.5 Step 5: Obtain the legal internal and/or external authorisation (par. 5.5.1.5) to continue
with the investigation (step 5 of par. 5.5.1)
7.4.1.6 Step 6: Evaluate the incident to determine if the investigation must be accelerated (par.
5.5.1.9) (step 9 of par. 5.5.1)
7.4.1.7 Step 7: Notify relevant parties of the investigation (par. 5.5.1.10) (step 10 of par. 5.5.1)
7.4.1.8 Step 8: Document all activities of IR and confirmation phase (by author – apply the
principle of Beebe – documentation) (Beebe & Clark, 2005).
7.4.2 ReDF Phase 2: Physical investigation phase (par. 5.5.2). See on the ReDF fold-out.
If no physical crime scene is available, this phase is skipped. We have identified seven
steps in Chapter 5 (par. 5.5.2, p. 5-118), have combined some of them and have included
additional steps that support the forensic principles of evidence preservation and documentation
(par. 3.3.4.7). Figure 7-7 (below) indicates this phase in the ReDF component (eight steps).
7.4.2.1 Step 1: Secure and preserve the physical crime scene (par. 5.5.2.1) (step 1 of par. 5.5.2)
7.4.2.2 Step 2: Survey and search the crime scene to identify potential evidence (par. 5.5.2.2,
5.5.2.3) (combined step 2 and 3 of par. 5.5.2)
The investigator walks through the crime scene to survey it and identify potential
evidence; this involves taking photographs, sketches, and videos of the crime scene
and identifying potential physical and digital evidence.
Phase 2: Physical investigation phase
Step 1: Secure and preserve the physical crime scene
Step 2: Survey the crime scene
Step 3: Acquire the evidence
Step 4: Analyse evidence
Step 5: Reconstruct incident
Step 6: Make a finding and compile investigation report
Step 7: Transport the evidence
Step 8: Store the evidence
Figure 7-7 Phase 2 of the ReDF protocol (by author)
7.4.2.3 Step 3: Acquire evidence (par. 5.5.2.4) (step 4 of par. 5.5.2)
Use an acceptable procedure to acquire the potential evidence. Typical actions are to
photograph, bag, label, and document the individual evidence items. Be sure to
document all actions to maintain the chain of custody.
7.4.2.4 Step 4: Analyse the evidence (by author)
The investigator must identify the different types of evidence, e.g., fingerprints or digital
media, to ensure that each item is analysed by the relevant forensic laboratory.
7.4.2.5 Step 5: Reconstruct the incident (par. 5.5.2.5) (step 5 of par. 5.5.2)
The investigator will use the physical evidence available to make a limited
reconstruction of the incident to determine if the evidence supports the initial
hypothesis.
7.4.2.6 Step 6: Make a finding and compile a physical investigation report with supporting case
file documentation (by author)
The investigator will use the available evidence to make a preliminary finding and
compile an investigation case file with all supporting documentation. The
documentation will supply the chain of evidence and custody for the case.
7.4.2.7 Step 7: Transport the evidence to a relevant investigation laboratory (par. 5.5.2.6) (step 6
of par. 5.5.2)
It is important to preserve the chain of custody during transportation of the evidence.
7.4.2.8 Step 8: Store the evidence in a secure facility (par. 5.5.2.7) (step 7 of par. 5.5.2)
Store the physical evidence in a safe custody room and ensure that there is adequate
access control to the evidence and custody room. It is essential to preserve chain of
custody in storage.
7.4.3 ReDF Phase 3: Digital investigation phase (par. 5.5.3). See on the ReDF fold-out.
Figure 7-8 (below) depicts phase 3 in the ReDF component.
This phase has four sub-phases as identified in pars. 3.5.3.3 and 5.5.3:
Sub-phase 1: Secure the digital evidence
Sub-phase 2: Acquire the evidence
Sub-phase 3: Analyse the evidence
Sub-phase 4: Restore the service.
We have identified four steps for sub-phase 1 in par. 5.5.3.1, p. 5-120, and have consolidated
them into three to provide focus to the steps.
7.4.3.1 Sub-phase 1: Secure the digital evidence sub-phase (par. 5.5.3.1) (three steps). See on
the ReDF fold-out.
7.4.3.1.1 Step 1: Preserve the digital crime scene (par. 5.5.3.1.1) (step 1 of par. 5.5.3.1)
Preserve the digital crime scene so that the evidence it contains is not altered. When preserving the
crime scene, adhere to evidence-handling principles (par. 3.3.4.7.1).
7.4.3.1.2 Step 2: Identify and preserve potential digital evidence (pars. 5.5.3.1.2, 5.5.3.1.3)
(steps 2 and 3 of par. 5.5.3.1)
Consult the risk profile and CDE index to determine what evidence is needed to
investigate the incident. Activate the ActDF component to acquire live evidence.
Figure 7-8 Phase 3 of the ReDF protocol (by author)
Phase 3: Digital investigation phase
Sub-phase 1: Secure the digital evidence – Step 1: Preserve the digital crime scene; Step 2: Identify and ensure integrity of potential evidence; Step 3: Preserve the evidence
Sub-phase 2: Acquire the evidence – Step 1: Acquire digital evidence; Step 2: Authenticate evidence; Step 3: Transport evidence; Step 4: Store evidence; Step 5: Document the acquisition process
Sub-phase 3: Analyse the evidence – Step 1: Revisit investigation plan; Step 2: Examine and prepare the evidence; Step 3: Analyse the evidence; Step 4: Reconstruct incident; Step 5: Document the analysis process; Step 6: Secure documentation and CDE
Sub-phase 4: Restore the service – Step 1: Restore activities
The investigator must follow established DF investigation protocols. To ensure the
integrity of the evidence, write-protect all the media, and isolate or power down the
relevant systems. Preserve the potential evidence by making a forensic copy.
If you have to handle physical evidence to acquire digital evidence, for example a hard
drive, document the entire procedure to preserve the chain of evidence before and after
making a forensic copy of the relevant digital evidence. Document all activities to
maintain the chain of custody.
7.4.3.1.3 Step 3: Document all activities (par. 5.5.3.1.4) (step 4 of par. 5.5.3.1)
It is important that only competent people work with the media, to create a verifiable
audit trail by documenting all processes applied to digital evidence to ensure that the
evidence can be used in court.
7.4.3.2 Sub-phase 2: Acquire the evidence sub-phase (par. 5.5.3.2). See on the ReDF fold-out.
7.4.3.2.1 Step 1: Acquire digital evidence (par. 5.5.3.2.1)
To acquire the evidence, apply the recovery, harvesting and reduction principles. Recovery will
ensure that the investigator collects all evidence, including hidden and deleted
evidence. Harvesting will gather all data and metadata about the incident. This step will
use the evidence to determine whether it supports the hypothesis. Reduction will
analyse the evidence and eliminate evidence that is not relevant to the case.
Use different and relevant DF tools to reveal hidden, deleted, swapped, and corrupted
files that were used, as well as the related meta-data. Obtain evidence from removable
media as well as network-based evidence and host-based evidence. Use digital evidence
bags (DEB) to store evidence (Turner, 2007). A DEB storage format is a universal
container for digital evidence from any source.
7.4.3.2.2 Step 2: Authenticate all evidence (par. 5.5.3.2.2)
The investigator will authenticate the forensic copy of the acquired evidence by applying
a hashing algorithm. Finally, timestamp all copies of authenticated evidence.
7.4.3.2.3 Step 3: Transport of evidence (par. 5.5.3.2.3)
If the evidence was acquired outside the DFI laboratory, be sure to preserve the chain of
custody during transport to the DF investigation laboratory.
7.4.3.2.4 Step 4: Storage of evidence (par. 5.5.3.2.4)
Store the acquired evidence in the safe custody room. Access to the safe custody room
must be controlled, and controls must be applied to preserve the chain of custody in storage.
7.4.3.2.5 Step 5: Document the acquisition process (par. 5.5.3.2.5)
Document the evidence as found and all actions to maintain the chain of custody.
We have identified nine steps for sub-phase 3 in par. 5.5.3.1, and converted them to six:
7.4.3.3 Sub-phase 3: Analyse the evidence sub-phase (the purpose is to confirm suspicion
and/or to reconstruct the incident) (six steps). See on the ReDF fold-out.
7.4.3.3.1 Step 1: Revise the investigation plan (par. 5.5.3.3.1) (step 1, 2 of par. 5.5.3.3)
Before you start with the analysis of the evidence, it is necessary to revise the initial
investigation plan. You should review all available information regarding the incident;
determine whether you have the required expertise and suitable DF analysis tools
available; and revisit the hypothesis to determine whether it is still applicable (par. 5.5.3.3.2).
7.4.3.3.2 Step 2: Examine and prepare the evidence (step 3 of par. 5.5.3.3)
Conduct an initial data survey to determine the skill level of the suspect. Prepare the evidence,
for example, by transforming large volumes of data into units of manageable size (par. 5.5.3.3.3),
or by ensuring that the evidence is human readable. This step ensures that encrypted data can be
analysed.
7.4.3.3.3 Step 3: Analyse the evidence (par. 5.5.3.3.4) (step 4 of par. 5.5.3.3)
The analysis step is a detailed scrutiny of the evidence identified in the previous
sub-phase. Apply data extraction techniques to examine the evidence. The investigator
will perform time-lining to trace user activity. The analysis should include the following
sub-categories:
Assessment (content and context): the evidence must be human readable. Assessment is also used to
determine means, motivation and opportunity, as well as the skill level of the
suspect.
Experimentation: use different tools and techniques in the analysis.
Fusion and correlation: often a single piece of evidence will not provide the lead to the
incident, and data from different sources should be combined to provide positive
leads. It is essential to determine the chronological order of events and to indicate how
the data from the different sources is related.
Validation: it is essential to validate the result of the analysis so that it will be
admissible and acceptable in a court.
Conform to the requirements of the best evidence rule.
Document the analysis process.
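The fusion and correlation sub-category above, worked as an added Python example that is not part of the thesis: events from three constructed sources (a host log recorded in local time, an IDS alert in UTC and a file-system mtime in epoch seconds) are normalised to UTC, fused into one timeline and correlated around the alert that mentions a pivot address. The host timezone, hostnames, addresses and log lines are all constructed assumptions.

```python
"""Fusion and correlation of evidence from several sources into one timeline.
Added example (not the thesis's own code); all records below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample evidence. Each source records time differently, which is
# exactly what the fusion step has to reconcile before events can be ordered.
HOST_LOG = [  # local time on the host (assumption: host clock is UTC+02:00)
    "2011-11-03 10:15:02 srv01 sshd[4121]: Accepted password for admin from 10.0.0.23",
    "2011-11-03 10:16:40 srv01 sudo: admin : COMMAND=/bin/cp /etc/shadow /tmp/s",
]
IDS_ALERTS = [  # UTC, ISO 8601
    "2011-11-03T08:14:55Z ALERT 10.0.0.23 -> 10.0.0.5:22 ssh brute force",
]
FS_TIMESTAMPS = [  # (path, mtime as epoch seconds)
    ("/tmp/s", 1320308200),
]
HOST_TZ = timezone(timedelta(hours=2))


@dataclass(order=True)
class Event:
    when: datetime      # always timezone-aware UTC after parsing
    source: str
    detail: str


def parse_host_log(lines):
    """Host log lines carry local time; convert them to UTC."""
    out = []
    for ln in lines:
        m = re.match(r"(\S+ \S+) (\S+) (.*)", ln)
        local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=HOST_TZ)
        out.append(Event(local.astimezone(timezone.utc), "host:" + m.group(2), m.group(3)))
    return out


def parse_ids(lines):
    out = []
    for ln in lines:
        ts, detail = ln.split(" ", 1)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(Event(when, "ids", detail))
    return out


def parse_fs(entries):
    return [Event(datetime.fromtimestamp(t, tz=timezone.utc), "fs", f"mtime {path}")
            for path, t in entries]


def build_timeline(*sources):
    """Fuse all sources and order them chronologically (the time-lining step)."""
    return sorted(ev for src in sources for ev in src)


def correlate(timeline, pivot_ip, window_seconds=300):
    """Events within window_seconds after the first IDS alert naming pivot_ip:
    the lead that links the external alert to host and file-system activity."""
    anchor = next((e for e in timeline if e.source == "ids" and pivot_ip in e.detail), None)
    if anchor is None:
        return []
    end = anchor.when + timedelta(seconds=window_seconds)
    return [e for e in timeline if anchor.when <= e.when <= end]


if __name__ == "__main__":
    tl = build_timeline(parse_host_log(HOST_LOG), parse_ids(IDS_ALERTS), parse_fs(FS_TIMESTAMPS))
    for e in correlate(tl, "10.0.0.23"):
        print(e.when.isoformat(), e.source, e.detail)
```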
7.4.3.3.4 Step 4: Reconstruct the incident (par. 5.5.3.3.5) (steps 5, 6 and 7 of par. 5.5.3.3)
Reconstruct the sequence of events and test the hypothesis (par. 5.5.3.3.6) by
comparing the evidence to known facts and the criteria set. Validate the analysis results
(par. 5.5.3.3.7).
7.4.3.3.5 Step 5: Document all actions during the analysis process (par. 5.5.3.3.8) (step 8 of
par. 5.5.3.3)
Document findings and consolidate the evidence of the analysis sub-phase to ensure
chain of evidence and custody.
7.4.3.3.6 Step 6: Secure the documentation and CDE (par. 5.5.3.3.9) (step 9 of par. 5.5.3.3)
The case file generated by the analysis tool will contain the case details, log file of all
analysis activities, and CDE relevant to the case. The case file with associated CDE and
analysis tools used must be backed up and stored in a secure area.
7.4.3.4 Sub-phase 4: Restore the service sub-phase (par. 5.5.3.4) (one step). See on the ReDF
fold-out.
7.4.3.4.1 Step 1: Restore activities
Interact with business continuity team to restore services as soon as possible to
minimise the interruption to business.
7.4.4 ReDF Phase 4: Incident reconstruction phase (par. 5.5.4) (three steps). See on
the ReDF fold-out.
Figure 7-9 (below) illustrates the phase in the ReDF component. This phase has three steps:
7.4.4.1 Step 1: Consolidate the physical investigation and digital investigation findings.
7.4.4.2 Step 2: Validate the consolidated findings by determining if they support the hypothesis.
7.4.4.3 Step 3: Compile an incident or investigation report.
Include all findings and supporting CDE that will provide a transparent view of the
investigative process and reports. Include documentation of all steps, methods used to
seize, collect, preserve, recover, reconstruct, organise, and search for key evidence.
7.4.5 ReDF Phase 5: Presentation of findings phase (par. 5.5.5). See on the ReDF fold-out.
This phase has four steps. To the steps identified in par. 5.5.5 we have added an additional step 3
to enable an appeal process. Figure 7-10 (below) illustrates phase 5 of the ReDF protocol.
7.4.5.1 Step 1: Prepare to present the case (par. 5.5.5.1) (step 1 of par. 5.5.5)
To prepare a solid presentation, determine who the target audience is. The presentation
aids and software must be applied to build a relevant presentation for the specific audience.
Assemble all evidence required for the presentation and prepare all the exhibits. If an expert
witness must testify, prepare the expert witness. Ensure that you preserve chain of custody
during this step.
Figure 7-9 Phase 4 of the ReDF protocol (by author)
Phase 4: Incident reconstruction
Step 1: Consolidate the physical and digital investigation
Step 2: Validate the consolidated findings
Step 3: Compile the report
Figure 7-10 Phase 5 of the ReDF protocol (by author)
Phase 5: Presentation of findings
Step 1: Prepare case
Step 2: Present case
Step 3: Enable the appeal process
Step 4: Preserve and store the CDE
7.4.5.2 Step 2: Present the case (par. 5.5.5.2) (step 2 of par. 5.5.5)
Use the relevant presentation to communicate the findings to different audiences, e.g.,
management, legal authorities, risk management, Info Sec, and technical staff.
Present the evidence in a logical, understandable way to indicate its relevance to the case.
Use graphical / physical examples to demonstrate difficult concepts and ensure a DF expert
is available to assist in the provision of expert evidence.
Note to reader:
We propose including an appeal procedure to enable a person to exercise his or her
rights to contest a result of an investigation.
7.4.5.3 Step 3: Enable an appeal procedure (by author)
7.4.5.4 Step 4: Preserve and store CDE (par. 5.5.5.3) and case documentation (step 3 of par.
5.5.5).
7.4.6 ReDF Phase 6: Incident closure phase (par. 5.5.6). See on the ReDF fold-out.
Figure 7-11 (below) indicates the incident closure phase in the ReDF component. This phase has
two steps:
7.4.6.1 Step 1: Review result to identify and apply lessons learned (par. 5.5.6.1)
Review results to identify areas of improvement. The result could be new or augmented
policies or procedures, and additional training.
7.4.6.2 Step 2: Dispose or return or preserve evidence and the case file (par. 5.5.6.2)
The case file and evidence supporting the investigation should be handled and preserved for
later purposes. It is essential to consider legal requirements, for example, evidence retention
time when formulating the post-investigation evidence handling policy.
Figure 7-11 Phase 6 of the ReDF protocol (by author)
Phase 6: Incident closure
Step 1: Review the result
Step 2: Dispose or return or preserve evidence and the case file
The phases and steps discussed above can be perceived as a linear progression of events, but there may be
a need to revisit some previous steps to gather more evidence or to analyse the evidence further, to
arrive at a more complete investigation result. In general, however, the output of one step is used as
input to the next step.
7.4.7 To-do list
Organisations must do the following:
Manage and conduct the reactive DF investigation by using the predefined ReDF
protocol. Apply all the policies and procedures required by the ReDF protocol to ensure
a successful investigation.
Identify the legal and judicial requirements for the specific incident.
The next section will consolidate the definition, goals, and steps of the ActDF component as
identified in Chapter 6, par. 6.7.
Note to reader:
We suggest that the ActDF page (par. 7.10 p. 7-206) be folded out at this stage to
provide context. It is also advised that the fold-out is referenced when every
paragraph is read, as it ensures that the context of reading is preserved. We label
the various paragraphs with a corresponding number, e.g., on the fold-out.
7.5 ACTIVE DF (ACTDF) COMPONENT
The need for live evidence is increasing. Traditional DF investigation protocols, tools, and techniques
cannot handle the acquisition of live evidence due to the volatile nature of the evidence.
When an incident occurs, the IDS of an organisation will detect it and the IR protocol of the
organisation will be activated. It is however becoming essential to integrate live forensic
investigation protocols with the IR protocol to ensure that relevant and admissible live CDE is
available, if required for investigatory purposes. IR protocols do not consider the importance of
evidence identification, gathering and preservation of live data (Sommer, 1999).
Traditional ReDF investigation methodologies will ensure that no changes are made to the evidence
and the seized content. Live investigators use software tools that make unavoidable changes to data
acquired. The live investigative process must be documented in a forensically sound manner to
maintain the chain of custody, so that the evidence gathered will be admissible in a court of law.
Live forensic investigations are currently being made by using remote forensic preservation and
acquisition tools, for example EnCase® Enterprise edition and ProDiscover® (Casey, 2011; Casey &
Stanley, 2004). These tools use live analysis techniques and software that pre-exist on the system
during the timeframe being investigated (Carrier, 2006). The target machine is monitored from a
remote site and data can be acquired in a forensically sound way with the aid of a tool. Remote forensic
investigations focus more on transferring ReDF examination procedures onto live, production
environments.
We have researched current live, remote and real-time methodologies that will consolidate the
methodologies in the ActDF component (Foster & Wilson, 2004; Ieong & Leung, 2007; Payer, 2004;
Ren & Jin, 2005). We have proposed the ActDF component in Chapter 6. We proposed the following
definition for ActDF (par. 6.7.1, p. 6-151):
Active DF is the ability of an organisation to gather (identify, collect and
preserve) Comprehensive Digital Evidence in a live environment to facilitate a
successful investigation.
We have identified and proposed three goals for the ActDF component in Chapter 6 (par. 6.7.2, p. 6-
152):
ActDF Goal 1: Collect relevant live CDE (including volatile evidence) in a live system or
production environment by using appropriate tools and technologies
ActDF Goal 2: Minimise the effect and impact of an on-going incident
ActDF Goal 3: Provide a meaningful starting point for a reactive investigation within the
parameters of the risk management framework of the organisation.
The goals will support the efficient acquisition of live evidence. The ActDF protocol will support the
ActDF goals. We have proposed four phases with associated steps in Chapter 6 (par. 6.7.3, p. 6-152)
for the ActDF protocol:
Phase 1: Incident response and confirmation phase (par. 6.7.3.1)
Phase 2: ActDF investigation phase (par. 6.7.3.2)
Phase 3: Limited incident reconstruction phase (par. 6.7.3.3)
Phase 4: ActDF investigation closure phase (par. 6.7.3.4).
Note to reader:
The ReDF component can activate the ActDF component in two ways. We have identified in
par. 7.4.1.1 that the ActDF component can be activated during the ReDF phase 1: Incident
response and confirmation phase when a trigger event is fired. The in Figure 7-12
(below) indicates this activation. The second activation is during ReDF phase 3 (sub-phase
2), evidence acquisition, when live evidence is required for the investigation (par. 7.4.3.1).
We indicate the live evidence acquisition request by in Figure 7-12.
We have proposed four phases with supporting steps that are independent of any tool or technology
(par. 6.7.3). Phase 1: Incident response and confirmation is a common phase between the ReDF
and ActDF protocols. Phase 1 of the ReDF component must be augmented to include the ActDF
incident response criteria. We have indicated the overlap and relationship between the two
protocols. Figure 7-12 (below) is an adapted graphical representation of the proposed phases for
ActDF as presented in Chapter 6 (Figure 6-6).
Figure 7-12 Graphical representation of the ActDF protocol (adapted from Figure 6-6) (by author)
(Figure 7-12 panels – ReDF: Phase 2: Physical investigation; Phase 3: Digital investigation; Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure. ActDF: Phase 1: Incident response and confirmation; Phase 2: ActDF digital investigation, with Sub-phase 1: Evidence acquisition and Sub-phase 2: Analysis; Phase 3: Incident reconstruction; Phase 4: Incident closure. Activation markers 1 and 2.
Please note: Phase 1: Incident response and confirmation is a common phase between ReDF and ActDF.)
The next section will combine and summarise the phases with related steps identified in Chapter 6
(par. 6.7.3).
7.5.1 ActDF Phase 1: Incident response and confirmation phase. See on the ActDF
fold-out.
We have identified two steps in Chapter 6 par. 6.7.3.1. The incident response and confirmation
phases of the ReDF and ActDF protocols are the same. It is however essential to include ActDF-
specific requirements in the individual steps. We have used the same eight steps as for phase 1
of the ReDF protocol (pars. 6.7.3.1, 7.4.1 and Figure 7-13).
Phase 1: Incident response and confirmation phase
Step 1: Detect the incident
Step 2: Initiate incident response plan
Step 3: Confirm the incident
Step 4: Formulate initial DFI plan
Step 5: Obtain authorisation
Step 6: Evaluate incident to determine whether to accelerate investigation
Step 7: Notify relevant parties
Step 8: Document all activities
7.5.1.1 Step 1: Detect the Incident (par. 7.4.1.1) (step 1 of par. 6.7.3.1)
The IDS will detect suspicious activity (par. 6.7.3.1) and notify the relevant party (par.
5.5.1.3) of the potential incident. Some incident alerts will fire a trigger event (indicated by
in Figure 7-12) to activate the ActDF component as soon as the incident has been
detected, to gather required live evidence (by author).
7.5.1.2 Step 2: Initiate IRP (pars. 7.4.1.2, 6.7.3.1.2)
Notify the CERT and obtain the legal internal and / or external authorisation (par. 5.5.1.5) to
continue with the investigation. Activate the IRP and a containment strategy for the specific
incident to respond and contain it and so minimise its impact. Depending on the policy,
allow the incident to continue, but contain it in a controlled environment, to minimise its
impact. The aim is to minimise the effect of the incident on the current infrastructure and
operations.
The IRP and containment strategy must consider business, legal, technical and political
factors and goals (par. 5.5.1.6). Investigators must ensure that forensically sound procedures are
followed and that the chain of evidence and custody is preserved at all times.
Figure 7-13 Phase 1 of the ActDF protocol (by author)
7.5.1.3 Step 3: Incident confirmation (par. 6.7.3.1.1)
Once the incident has been detected, we must determine the assessment of worth.
Organisations must validate the incident, assess its potential damage or impact, and confirm
it. The decision whether to investigate must be made. It is necessary to determine the
relevance and nature of the investigation.
7.5.1.4 Step 4: Formulate an ActDF investigation plan (identified by author)
Investigators will formulate an investigation plan at this stage of the ActDF component. We
propose to formulate an ActDF investigation (ActDFI) plan to coordinate all the resources to
conduct the live investigation (par. 5.5.1.7) and to indicate whether the investigation or partial
investigation must be outsourced if the organisation does not have adequate internal
resources available.
The ActDFI plan must include an initial hypothesis, which should cover the most likely
scenarios. It is essential to define criteria to prove or disprove the hypothesis and to
determine which evidence must be acquired to investigate the incident successfully. This is
done by consulting the risk profile and digital evidence index.
Investigators must also determine the power status of the target machine (on or off),
select an investigation mode (overt or covert), decide whether to isolate the target machine or
to secure it, and, lastly, decide whether to acquire the evidence locally or remotely.
7.5.1.5 Step 5: Obtain the legal internal and/or external authorisation (par. 7.4.1.5)
7.5.1.6 Step 6: Evaluate the incident to accelerate the investigation (par. 7.4.1.6)
7.5.1.7 Step 7: Notify relevant parties of the investigation (par. 7.4.1.7)
7.5.1.8 Step 8: Document all activities of incident response and confirmation phase (pars.
7.4.1.8, 3.3.4.7 – apply the principle of Beebe – documentation) (Beebe & Clark, 2005).
Note to reader:
The reason for the inclusion of the incident response and confirmation phase is that
different policies, procedures, and activities for the acquisition of live evidence are
applicable.
7.5.2 ActDF Phase 2: ActDF investigation phase (par. 6.7.3). See on the ActDF fold-out.
The phase has two sub-phases with related steps. Figure 7-14 illustrates phase 2 of the ActDF
protocol:
7.5.2.1 Sub-phase 1: Acquire relevant live evidence sub-phase (par. 6.7.3.2.1) (four steps). See
on the ActDF fold-out.
We have expanded the two steps in par. 6.7.3.2.1, and have included typical steps that will be
part of this sub-phase from the ReDF component.
7.5.2.1.1 Step 1: Identify live evidence
Determine which live evidence must be acquired to investigate the incident by
consulting the risk profile and digital evidence index. The type of incident will determine
what evidence to collect. Consider the sensitivity and volatility of the evidence. Include
other system-specific volatile evidence, specifically induced volatile information, and
non-volatile information that is subject to a time limitation.
The type of operating system will influence the identification of the evidence (par.
6.6.4.4.2). Determine the limitations of the proposed live acquisition procedure, the
proposed time required for the operation, where the target machine is and which other
remote machines will be affected.
Figure 7-14 Phase 2 of the ActDF protocol (by author)
Phase 2: ActDF investigation phase
Sub-phase 1: Acquire the live evidence – Step 1: Identify live evidence; Step 2: Acquire relevant live evidence; Step 3: Authenticate evidence; Step 4: Document the acquisition process; Step 5: Transport and store the evidence
Sub-phase 2: Analyse the evidence – Step 1: Revisit investigation plan; Step 2: Analyse the evidence; Step 3: Document the analysis process
7.5.2.1.2 Step 2: Acquire relevant live evidence (pars. 3.5.2.1, 6.7.3.2.1)
Acquire live evidence using appropriate tools, technologies, or applications that will be
required to profile the attacker and acquire the evidence. It is important to automate
the appropriate evidence collection tools, technology or applications and activate them
as soon as possible (this can be immediately after an incident alert has been issued or
initiated by a trigger event).
Use an acceptable live evidence acquisition protocol. Apply the following data acquisition
baseline (Ieong & Leung, 2007):
Impose minimal user intervention
All actions performed should be necessary and as least intrusive as possible
Modification of static digital evidence should be minimal
Data acquisition should follow the order of volatility and priority of digital
evidence collection
Acquire non-priority or volatile evidence through traditional evidence collection
Copying or extraction of data should only be performed when original data and
timestamp is not affected.
7.5.2.1.3 Step 3: Authenticate evidence (par. 6.7.3.2.1)
Due to the nature of live evidence, it is essential to secure and authenticate all the
extracted data by applying a hashing function immediately after the collection process.
The next step is to make a forensic copy of the acquired evidence before analysis starts.
7.5.2.1.4 Step 4: Document all activities to ensure the integrity of all evidence and processes
at all times while acquiring live evidence (par. 3.3.4.7)
It is essential to record all actions during the acquisition process to prove the
authenticity of the evidence and process. The documentation will provide the chain of
evidence and chain of custody.
7.5.2.1.5 Step 5: Transport the acquired evidence and store in a secured area if necessary
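The acquisition baseline described in Steps 2 to 4 (follow the order of volatility, hash immediately after collection, make a forensic copy before analysis, and log every action for the chain of custody) as an added Python illustration; this is not code from the thesis or from Ieong & Leung. The evidence sources, volatility ranks and custody-log layout are assumptions constructed for the example.

```python
"""Volatility-ordered live acquisition with immediate hashing and a chain-of-custody
log. Added example, not code from the thesis or from Ieong & Leung; the evidence
sources, volatility ranks and log layout are assumptions constructed for it."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Order of volatility, most volatile first (rank 0 is acquired first). Assumed ranks.
VOLATILITY_RANK = {"memory": 0, "network_state": 1, "running_processes": 2,
                   "temp_files": 3, "disk": 4}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _custody_entry(item, action, digest, actor):
    """One chain-of-custody record: who did what to which item, when, and its hash."""
    return {"item": item, "action": action, "sha256": digest, "actor": actor,
            "utc": datetime.now(timezone.utc).isoformat()}

def acquire_live_evidence(sources, out_dir, actor="investigator"):
    """`sources` maps an evidence name to a zero-argument callable that returns the
    collected bytes. Items are collected in order of volatility, hashed immediately
    after collection, stored under out_dir, and every action is logged."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    unknown = [n for n in sources if n not in VOLATILITY_RANK]
    if unknown:
        raise ValueError(f"no volatility rank defined for: {unknown}")
    log = []
    for name in sorted(sources, key=lambda n: VOLATILITY_RANK[n]):
        data = sources[name]()
        digest = sha256_hex(data)  # authenticate first, then preserve
        (out_dir / f"{name}.bin").write_bytes(data)
        log.append(_custody_entry(name, "acquired", digest, actor))
    (out_dir / "custody_log.json").write_text(json.dumps(log, indent=2))
    return log

def make_forensic_copy(original, copy, expected_sha256, log, actor="investigator"):
    """Copy an acquired item for analysis and verify the copy against the hash
    recorded at acquisition, so analysis never runs on the only instance."""
    shutil.copyfile(original, copy)
    actual = sha256_hex(Path(copy).read_bytes())
    if actual != expected_sha256:
        log.append(_custody_entry(Path(original).stem, "copy_failed", actual, actor))
        raise ValueError("forensic copy does not match the acquisition hash")
    log.append(_custody_entry(Path(original).stem, "copied_for_analysis", actual, actor))
    return actual

def check_acquisition_order(log):
    """True when the logged 'acquired' actions respect the order of volatility."""
    ranks = [VOLATILITY_RANK[e["item"]] for e in log if e["action"] == "acquired"]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))

def verify_stored_items(out_dir, log):
    """Re-hash each stored item against its acquisition hash and return the items
    whose stored bytes no longer match (a break in the chain of evidence)."""
    out_dir = Path(out_dir)
    return [e["item"] for e in log if e["action"] == "acquired"
            and sha256_hex((out_dir / f"{e['item']}.bin").read_bytes()) != e["sha256"]]

# Constructed sample sources, deliberately listed out of volatility order.
SAMPLE_SOURCES = {
    "disk": lambda: b"constructed disk image fragment",
    "memory": lambda: b"constructed RAM capture",
    "running_processes": lambda: b"pid 101 sshd\npid 233 nginx\n",
    "network_state": lambda: b"tcp 10.0.0.5:443 ESTABLISHED\n",
}

def run_demo():
    """Run the whole flow in a temporary directory and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        log = acquire_live_evidence(SAMPLE_SOURCES, tmp)
        results["order"] = [e["item"] for e in log]
        results["order_ok"] = check_acquisition_order(log)
        mem = next(e for e in log if e["item"] == "memory")
        results["copy_hash"] = make_forensic_copy(
            tmp / "memory.bin", tmp / "memory_copy.bin", mem["sha256"], log)
        results["clean_mismatches"] = verify_stored_items(tmp, log)
        # Simulate a stored item being altered after acquisition.
        (tmp / "memory.bin").write_bytes(b"altered")
        results["tampered_mismatches"] = verify_stored_items(tmp, log)
        try:
            make_forensic_copy(tmp / "memory.bin", tmp / "bad_copy.bin", mem["sha256"], log)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True
        results["actions"] = [e["action"] for e in log]
    return results

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The custody log written beside the items is what later lets an analyst show that every stored item still matches the hash taken at the moment of collection, and that collection followed the prescribed order.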
7.5.2.2 Sub-phase 2: Analyse evidence sub-phase (par. 6.7.3.2.2) (three steps). See the
ActDF fold-out.
We have formulated three steps for this sub-phase:
7.5.2.2.1 Step 1: Review ActDF investigation plan (by author)
The investigator must review requirements from the ReDF component and ActDF
investigation plan to identify expertise required, and identify suitable analysis tools.
7.5.2.2.2 Step 2: Analyse the live evidence to determine if sufficient evidence has been
gathered (par. 6.7.3.2.2)
Analyse preliminary evidence to determine if sufficient evidence has been gathered to
support the hypothesis. The reliability of the results must be ensured and false data
eliminated.
7.5.2.2.3 Step 3: Document the analysis process
Due to the lack of acceptance of live evidence acquisition tools and procedures by courts
(Ieong & Leung, 2007), it is essential to document all actions to maintain the chains of
evidence and custody, and ensure the validity of processes followed when analysing the
live data (par. 3.3.4.7).
7.5.3 ActDF Phase 3: Limited incident reconstruction phase (par. 6.7.3.3) (two steps)
(Figure 7-15 - below). See the ActDF fold-out.
Figure 7-15 shows Phase 3, the incident reconstruction phase, with its two steps: Step 1, use the results to do a limited reconstruction; Step 2, ActDF termination.
7.5.3.1 Step 1: Use the results from the analysis step to make a limited reconstruction of the
incident
The aim is to determine whether the missing or required live evidence has been acquired. It is
essential to determine whether the requirements from ReDF have been met. If more live
evidence is required, it will be necessary to repeat the ActDF investigation phase to
acquire more live evidence.
Various factors can determine if the investigation can continue, for example, the risk
management framework of the organisation can indicate whether the impact on the
business operations or the cost is too high.
7.5.3.2 Step 2: ActDF termination
Determine whether the ActDF protocol should be terminated. The termination conditions will
be prescribed by the Risk Management Framework, for example: the cost is too high; enough
CDE has been acquired; the impact of continued acquisition has been reassessed. Repeat
phase 2 if live evidence is still lacking.
Figure 7-15 Phase 3 of the ActDF protocol (by author)
7.5.4 ActDF Phase 4: ActDF investigation closure phase (par. 6.7.3.4). See the ActDF
fold-out.
This phase has two steps. Figure 7-16 (below) illustrates phase 4 of the ActDF protocol, the ActDF investigation closure phase: Step 1, prepare documented case files; Step 2, return control to the ReDF component.
7.5.4.1 Step 1: Prepare documented case files with CDE for reactive investigation team to
complete investigation
It is essential to compile an investigation report that includes all relevant documentation
that will be required by the ReDF investigation team.
7.5.4.2 Step 2: Return control to the ReDF component to continue with the investigation
Control will be returned to Phase 3, the digital investigation phase, of the ReDF component.
7.5.5 To-do list
Organisations must do the following:
Manage and conduct the active or live DF investigation by using the predefined ActDF
protocol. Apply all the policies and procedures required by the ActDF protocol to ensure
a successful investigation.
Identify the legal and judicial requirements for the specific incident.
The discussion above has indicated some interaction between the three components of our CDF
capability. The next section will briefly discuss the relationship between the components.
7.6 RELATIONSHIP BETWEEN PRODF, REDF AND ACTDF
Using the definitions and goals of ProDF, ReDF, and ActDF it is clear that the different components of
DF are dependent on each other. The ProDF component will prepare the organisation for the
application of DF tools and technologies. Both ActDF and ReDF depend on the quality and availability
of CDE; the soundness of operational processes; well-defined DF investigation protocols (active and
reactive) with associated policies and procedures; competency of investigators and employees; and
the availability of acceptable tools, technologies, and infrastructure, which is determined by the
ProDF component.
Figure 7-16 Phase 4 of the ActDF protocol (by author)
The need for live evidence will be established during the incident response and confirmation phase
and digital investigation phase (evidence acquisition) (pars. 7.4.1.1; 7.4.3.1) of the ReDF component.
The ActDF component will identify, acquire, analyse, and prepare the live evidence so that the ReDF
component can use it to complete the investigation. The findings as discussed confirm the
anticipated relationship between the components of our CDF capability. Figure 7-17 (below) is a
high-level graphical representation of the relationship between the three components (presented as
Figure 2-4).
Our CDF capability ensures that organisations are prepared, and the protocols for active and reactive
investigations defined by the ReDF and ActDF components provide clear directives on the phases
and steps that organisations must perform when an incident is detected and needs to be
investigated.
7.7 SUMMARY
The chapter has consolidated the definition, goals, sub-goals and elements for the ProDF component
(using Chapters 3, 4), definitions, goals and a protocol with phases and related steps for the ReDF
component (using Chapters 3, 5) and ActDF component (using Chapters 3, 6) of the thesis to propose
our CDF capability.
Our CDF capability will address the reasons (needs) for the application of DF in organisations as
identified in Chapter 2 (par. 2.5.3, p. 2-37). Table 7.1 (below) provides a summary of the needs and
an explanation of how we have addressed them:
Figure 7-17 Relationship between components of our CDF capability (also Figure 2-4) (by author)
Table 7.1 Needs addressed by the CDF capability (par. 2.5.3) (by author)

| Need | How can we address the need |
| --- | --- |
| Investigate incidents, fraud or employee behaviour (par. 2.5.3.1) | Apply the ActDF and ReDF protocols with supporting policies and procedures to acquire the evidence and link the perpetrator to the incident (pars. 7.4, 7.5). Ensure the availability of adequate resources in terms of competent staff, prepared infrastructure and availability of tools and technologies (par. 7.3.1). Establish a DF management capability in the organisation (par. 7.3.2). Ensure the inclusion of legal and regulatory requirements in the applicable structures of the organisation (par. 7.3.1). |
| Ensure the availability of CDE (par. 2.5.3.2) | Establish an EMP (par. 7.3.1.3). |
| Assess effectiveness and efficiency of controls or procedures (par. 2.5.3.3) | DF strategy (par. 7.3.2); acquire the required CDE using the ReDF or ActDF protocols (pars. 7.4, 7.5). |
| Measure legal or regulatory compliance (par. 2.5.3.4) | DF strategy (par. 7.3.2); acquire the required CDE using the ReDF or ActDF protocols (pars. 7.4, 7.5). |
| Use of DF tools for non-investigative purposes to improve IT and Info Sec governance structures and performance (par. 2.5.3.5) | DF strategy (par. 7.3.2); acquire the required CDE using the ReDF or ActDF protocols (pars. 7.4, 7.5). |
The ReDF and ActDF components are well defined with clear definitions, goals and investigation
protocols. Investigators can use the protocols for investigations. The ProDF component should
ensure that the organisation is DF-ready and can apply DF to establish and manage governance
frameworks. However, there is no explicit implementation guideline on what should be developed in
terms of policies, strategies or processes. It is therefore necessary to re-structure the ProDF
component to provide clear guidelines on what must be considered in terms of legal, judicial and
regulatory requirements, strategies, plans, policies and processes, training of employees, technology
and infrastructure requirements.
To implement the CDF capability we have consolidated the to-do lists identified in the Chapter in
Table 7.2 (below).
Table 7.2 Consolidated to-do list to implement the CDF capability (by author)

| No. | To-do list – actions | CDF component reference |
| --- | --- | --- |
| 1 | Determine the legal and regulatory requirements applicable to the operational and investigation infrastructure. Consider requirements related to evidence, processes, admissibility of investigation tools, and the configuration of the operational and investigation infrastructure (par. 7.3.1.1). | ProDF par. 7.3.1.2 |
| 2 | Establish the relevant management structures to ensure the availability of facilities (DFI laboratory, and operational infrastructure), hardware, software and equipment to ensure a successful investigation (par. 7.3.1.1). | ProDF par. 7.3.1.2 |
| 3 | Formulate policies and procedures to manage the preparation, use and maintenance of the operational and investigation infrastructure (pars. 7.3.1.1.1, 7.3.1.1.2). | ProDF par. 7.3.1.2 |
| 4 | Only consider the application and use of acceptable and admissible forensic tools and technologies (par. 7.3.1.1.2). | ProDF par. 7.3.1.2 |
| 5 | Identify the technical, legal and regulatory requirements applicable to digital and physical evidence (par. 7.3.1.3.2). | ProDF par. 7.3.1.4 |
| 6 | Establish an EMP to manage the evidence: identify potential evidence for a risk or scenario (par. 7.3.1.3.1) and set up a risk profile; organise the evidence into a digital evidence index (par. 7.3.1.3.2); determine the comprehensiveness of a specific evidence set for a risk or scenario (par. 7.3.1.3.3). | ProDF par. 7.3.1.4 |
| 7 | Formulate policies and procedures to manage digital and physical evidence (par. 7.3.1.3.4). | ProDF par. 7.3.1.4 |
| 8 | Augment the risk management strategy and contingency plans (IRP, BCP and DRP) of the organisation with supporting policies and procedures to include evidence and process requirements (par. 7.3.1.3.4). | ProDF par. 7.3.1.4 |
| 9 | Formulate a DF education, training and awareness strategy to ensure that the people in the organisation will be prepared and competent (par. 7.3.1.5). | ProDF par. 7.3.1.6 |
| 10 | Establish a policy and procedure to guide the establishment, implementation and management of education, training and awareness programmes (par. 7.3.1.5). | ProDF par. 7.3.1.6 |
| 11 | Determine the technical, legal, judicial and regulatory requirements to accredit education and training programmes and certify staff as competent (par. 7.3.1.5). | ProDF par. 7.3.1.6 |
| 12 | Develop selective education, training and awareness programmes (pars. 7.3.1.5.1, 7.3.1.5.2). | ProDF par. 7.3.1.6 |
| 13 | Establish a policy to prescribe the training requirements associated with specific roles in the organisation to ensure the admissibility of evidence in court (par. 7.3.1.5.1). | ProDF par. 7.3.1.6 |
| 14 | Create a code of conduct for the use and application of DF in the organisation (par. 7.3.1.5.3). | ProDF par. 7.3.1.6 |
| 15 | Document and validate a DFI protocol that includes reactive and active investigations to ensure that investigations are conducted in an organised way (par. 7.3.1.7.1). | ProDF par. 7.3.1.8 |
| 16 | Ensure that all the policies and procedures required by the ReDF and ActDF protocols exist to ensure a successful investigation (par. 7.3.1.7.1). | ProDF par. 7.3.1.8 |
| 17 | Ensure that policies and procedures exist to manage the cost of the investigation and incident (pars. 7.3.1.7.2; 7.3.1.7.3). | ProDF par. 7.3.1.8 |
| 18 | Create or augment the risk management and business continuity strategy, plans, policies and procedures of the organisation to include DF evidence and process requirements, and ensure that a DF-friendly containment strategy and plan exists to minimise the impact of an incident whilst maximising the availability of the evidence (par. 7.3.1.7.3). | ProDF par. 7.3.1.4; ProDF par. 7.3.1.8 |
| 19 | Formulate a DF strategy to manage the application of DF in an organisation (par. 7.3.2). | ProDF par. 7.3.2.3 |
| 20 | Formulate policies and procedures to support the DF strategy to ensure that clear directives exist to manage DF for investigative and non-investigative purposes in the organisation. Be sure to include policies to establish a DF capability in the organisation (pars. 7.3.2.1 - 7.3.2.2.5). | ProDF par. 7.3.2.3 |
| 21 | Manage and conduct the reactive DF investigation by using the predefined ReDF protocol. Apply all the policies and procedures required by the ReDF protocol to ensure a successful investigation (par. 7.4). | ReDF par. 7.4.7; ProDF par. 7.3.1.8 |
| 22 | Manage and conduct the active or live DF investigation by using the predefined ActDF protocol. Apply all the policies and procedures required by the ActDF protocol to ensure a successful investigation (par. 7.5). | ActDF par. 7.5.5; ProDF par. 7.3.1.8 |
| 23 | Identify the legal and judicial requirements for the specific incident (pars. 7.4; 7.5). | ReDF par. 7.4.7; ActDF par. 7.5.5 |
We will use the to-do list in the next chapter to propose a DF framework to implement and manage
the CDF capability.
Note to reader:
Management is not interested in the detail of investigation protocols, but in
successful investigations. It is their responsibility to be concerned with what they
need to have in place to ensure successful investigations or to apply DF to establish
and manage more effective governance frameworks.
Our CDF capability does not provide an explicit framework on the formulation of
strategies, policies, procedures, and training programmes or the infrastructure that
should be in place.
We will use the to-do lists of our CDF capability to formulate a DF implementation
and management framework (DFMF). This is not another investigation framework, but a
holistic framework that concentrates on the implementation of a CDF capability in an
organisation.
We will use the consolidated to-do list to formulate the DFMF in the next chapter.
7.8 FOLD-OUT FOR ProDF
ProDF component (par. 7.3)
ProDF goal 1: Become DF-ready (par. 7.3.1)
DF-readiness sub-goal 1: Prepared infrastructure (par. 7.3.1.1)
7.3.1.1.1 Element 1: Prepare operational infrastructure
7.3.1.1.2 Element 2: Establish and manage DF investigation infrastructure
DF-readiness sub-goal 2: Maximise CDE availability; establish an EMP (par. 7.3.1.2)
7.3.1.2.1 EMP step 1: Evidence identification – compile risk profile
7.3.1.2.2 EMP step 2: Organise the evidence: evidence index
7.3.1.2.3 EMP step 3: Evaluate evidence status
7.3.1.2.4 EMP step 4: Establish and augment evidence policies and procedures
DF-readiness sub-goal 3: Prepare responsible, competent employees (par. 7.3.1.3)
7.3.1.3.1 Element 1: Create education and training programmes
7.3.1.3.2 Element 2: Establish awareness programme
7.3.1.3.3 Element 3: Formulate a code of conduct
DF-readiness sub-goal 4: Ensure cost-effective investigations (par. 7.3.1.4)
7.3.1.4.1 Element 1: Ensure well documented DFI protocols exist
7.3.1.4.2 Element 2: Establish procedure to calculate cost of investigation
7.3.1.4.3 Element 3: Minimise interruption to business
ProDF goal 2: Implement and manage DF to improve governance programs (par. 7.3.2)
Sub-goal 1: Establish a DF management capability to support the DF strategy (par. 7.3.2.1)
7.3.2.1.1 Element 1: Augment organisational structure
7.3.2.1.2 Element 2: Clear segregation of duties
7.3.2.1.3 Element 3: Outsourcing
7.3.2.1.4 Element 4: Ensure legal review
Sub-goal 2: Apply DF to provide reasonable assurance regarding achieving organisational objectives (par. 7.3.2.2)
7.3.2.2.1 Element 1: Safeguard company's assets
7.3.2.2.2 Element 2: Compliance
7.3.2.2.3 Element 3: Support business sustainability
7.3.2.2.4 Element 4: Reliability of reporting
7.3.2.2.5 Element 5: Behave responsibly towards stakeholders
7.9 FOLD-OUT FOR ReDF
ReDF component (par. 7.4): ReDF protocol
Phase 1: Incident response and confirmation (par. 7.4.1)
7.4.1.1 Step 1: Incident detection
7.4.1.2 Step 2: Initiate incident response plan
7.4.1.3 Step 3: Incident confirmation
7.4.1.4 Step 4: Formulate initial investigation plan
7.4.1.5 Step 5: Obtain authorisation
7.4.1.6 Step 6: Evaluate the incident to accelerate the investigation
7.4.1.7 Step 7: Notify relevant parties
7.4.1.8 Step 8: Document all activities
Phase 2: Physical investigation (par. 7.4.2)
7.4.2.1 Step 1: Secure and preserve physical crime scene
7.4.2.2 Step 2: Survey and search the crime scene
7.4.2.3 Step 3: Acquire evidence
7.4.2.4 Step 4: Analyse the evidence
7.4.2.5 Step 5: Reconstruct the incident
7.4.2.6 Step 6: Make a finding and compile an investigation report
7.4.2.7 Step 7: Transport the evidence
7.4.2.8 Step 8: Store the evidence
Phase 3: Digital investigation (par. 7.4.3)
Sub-phase 1: Secure digital evidence (par. 7.4.3.1)
7.4.3.1.1 Step 1: Preserve the digital crime scene
7.4.3.1.2 Step 2: Preserve digital evidence
7.4.3.1.3 Step 3: Document all activities
Sub-phase 2: Evidence acquisition (par. 7.4.3.2)
7.4.3.2.4 Step 1: Acquire relevant evidence
7.4.3.2.5 Step 2: Authenticate all evidence
7.4.3.2.6 Step 3: Transport the evidence
7.4.3.2.7 Step 4: Storage of evidence
7.4.3.2.8 Step 5: Document the acquisition process
Sub-phase 3: Analysis (par. 7.4.3.3)
7.4.3.3.1 Step 1: Revise investigation plan
7.4.3.3.2 Step 2: Examine and prepare evidence
7.4.3.3.3 Step 3: Analyse evidence
7.4.3.3.4 Step 4: Reconstruct the incident
7.4.3.3.5 Step 5: Document analysis process
7.4.3.3.6 Step 6: Secure documentation
Sub-phase 4: Service restoration (par. 7.4.3.4)
7.4.3.4.1 Step 1: Restore activities
Phase 4: Incident reconstruction (par. 7.4.4)
7.4.4.1 Step 1: Consolidate the findings
7.4.4.2 Step 2: Validate the finding
7.4.4.3 Step 3: Compile incident or investigation report
Phase 5: Present case (presentation of findings) (par. 7.4.5)
7.4.5.1 Step 1: Prepare the case
7.4.5.2 Step 2: Present the case
7.4.5.3 Step 3: Enable an appeal procedure
7.4.5.4 Step 4: Preserve and store CDE
Phase 6: Incident closure (par. 7.4.6)
7.4.6.1 Step 1: Review result to identify lessons learned
7.4.6.2 Step 2: Dispose / return / preserve evidence and case files
Overview diagram: the six ReDF phases in sequence, with the ActDF component linked to Phase 3 (digital investigation) through its sub-phases (Sub-phase 1: secure the evidence; Sub-phase 2: acquire the evidence; Sub-phase 3: analyse the evidence; Sub-phase 4: restore the service).
7.10 FOLD-OUT FOR ActDF
ActDF component (par. 7.5)
Phase 1: Incident response and confirmation (par. 7.5.1)
7.5.1.1 Step 1: Incident detection
7.5.1.2 Step 2: Initiate IRP
7.5.1.3 Step 3: Incident confirmation
7.5.1.4 Step 4: Formulate ActDF investigation plan
7.5.1.5 Step 5: Obtain authorisation
7.5.1.6 Step 6: Evaluate incident to accelerate investigation
7.5.1.7 Step 7: Notify relevant parties
7.5.1.8 Step 8: Document all activities
Phase 2: ActDF investigation (par. 7.5.2)
Sub-phase 1: Acquire live evidence (par. 7.5.2.1)
7.5.2.1.1 Step 1: Evidence identification
7.5.2.1.2 Step 2: Acquire live evidence
7.5.2.1.3 Step 3: Authenticate evidence
7.5.2.1.4 Step 4: Document all activities
7.5.2.1.5 Step 5: Transport the evidence and store in secure area
Sub-phase 2: Analysis (par. 7.5.2.2)
7.5.2.2.1 Step 1: Review ActDF investigation plan
7.5.2.2.2 Step 2: Analyse live evidence
7.5.2.2.3 Step 3: Document the analysis process
Phase 3: Limited incident reconstruction (par. 7.5.3)
7.5.3.1 Step 1: Use results to do reconstruction
7.5.3.2 Step 2: ActDF termination
Phase 4: ActDF investigation closure (par. 7.5.4)
7.5.4.1 Step 1: Prepare documented case files
7.5.4.2 Step 2: Return control to ReDF component
Relationship diagram: ReDF Phases 2 to 6 (physical investigation, digital investigation, incident reconstruction, presentation of findings, incident closure) shown alongside ActDF Phase 2 (ActDF digital investigation: Sub-phase 1 evidence acquisition, Sub-phase 2 analysis), Phase 3 (incident reconstruction) and Phase 4 (incident closure).
Please note: Phase 1: Incident response and confirmation is a common phase between ReDF and ActDF.
8 CHAPTER 8
CONSTRUCTION OF OUR HOLISTIC DF MANAGEMENT FRAMEWORK (DFMF)
8.1 INTRODUCTION
The previous chapter formulated our CDF capability, the components of which are distinct but
dependent on each other. If an organisation wishes to implement our CDF capability, it must do so
in a structured way.
The ReDF and ActDF components are the investigation components. Investigators can apply the
proposed protocols when investigating incidents; however, it is essential that organisations prepare
for the application of the protocols: formulate policies and procedures, train staff, and ensure
that the appropriate tools, technologies and infrastructure are in place to facilitate the
investigations.
The ProDF component provides guidance for organisations to establish management structures,
formulate policies and processes, configure infrastructure and apply tools and technology while
considering the legal and regulatory requirements of the organisation. We have identified typical
to-do lists (Table 7.2, p. 7-201) to assist organisations with the implementation of the CDF capability.
However, it is necessary to structure the to-do list, as different activities are dependent on each
other. A structured to-do list will ease the identification, formulation and implementation of the
activities. For example, organisations must determine the legal and judicial requirements of
evidence handling before they establish the EMP and the related evidence
handling policies and procedures, as well as the training and awareness programmes and technology
needed.
The legal and judicial environment of the organisation is the backdrop of all the activities in an
organisation. The governance or management frameworks (corporate and IT) will dictate the
development of policies needed, which will drive the relevant processes, guidelines and procedures.
The implementation and use of DF tools and technologies must be managed in any organisation. The
success of evidence availability and successful investigations hinges on knowledgeable and
competent individuals who can apply admissible DF tools and technologies.
The to-do list does not provide a detailed list of legal and judicial requirements to identify, nor
exactly which strategies, policies and procedures to formulate. None of the DF frameworks as
discussed in Chapters 3, 4, 5, and 6 prescribes exactly what must be in place to implement a CDF
capability. We will use the to-do list actions (Table 7.2, p. 7-201) to identify specific deliverables that
must be implemented. A deliverable is a tangible output that organisations can implement. A policy,
procedure and training programme are examples of typical deliverables. We will use the dimensions
of DF (par. 1.9.2) to categorise the deliverables in the consolidated to-do list (Table 7.2, p. 7-201).
The categorised to-do list and the relationship between the dimensions are the foundation of our
high-level DF implementation and management framework, DFMF. Figure 8-1 (below) depicts the
role of this chapter within the overall thesis:
8.2 AIM AND STRUCTURE OF THE CHAPTER
The aim of the chapter is to propose a holistic DF implementation and management framework
(DFMF) to implement and manage our CDF capability. This chapter will:
identify and categorise the deliverables of the to-do list (par. 8.3);
construct the DFMF step by step and provide a graphical representation for each category
with its supporting groups of deliverables (par. 8.4);
consolidate the deliverable categories using the first-level deliverables to demonstrate a
high-level view of our DFMF (par. 8.5).
Figure 8-1 Role of the Chapter in the thesis (by author): Part 1: Background; Part 2: Construction of DFMF (Chapter 7: Comprehensive DF capability; Chapter 8: Construction of DFMF); Part 3: Conclusion.
The next section will use the consolidated to-do list as a starting point to construct the concept
DFMF and categorise the to-do list. We will use the categorised list for the formulation of the DFMF.
8.3 CATEGORISE THE TO-DO LIST
We will use the dimensions of DF (legal and judicial; management or governance; policy; process;
people; and technology) (Grobler & Louwrens, 2006) to categorise the individual actions as
activities or deliverables.
The dimensions cannot exist in isolation but are interdependent. The legal and judicial dimension is the
backdrop to all the other dimensions. The legal, regulatory and judicial requirements of the country
or operating environment will influence all activities of the organisation. The governance dimension
is a subset of the legal and judicial dimension. The policy dimension is a subset of the governance
dimension, and the people, process and technology dimensions are subsets of the policy dimension.
There is continuous interaction between people, process, and technology during the implementation
of DF in an organisation. We will use the relationship between the dimensions as a basis for the
relationship between the deliverable categories. Figure 8-2 (below) is a graphical representation of
the relationship:
We have categorised and re-organised the individual actions in the to-do list in par. 7.7 (Table 7.2),
by using the six identified dimensions in Table 8.1 (below). We will use abbreviations to reference
the individual activities when constructing the DFMF in the next section by referring to dimension
numbers, for example, Gi for different Governance, Li for Legal and Judicial, PPi for Policy and
Process, Ti for Technology and Pi for People activities; the i refers to the number of the action.
Potential deliverables are highlighted (printed bold) in the table below.
Figure 8-2 Relationship between the dimensions (also Figure 1-2) (by author)
Table 8.1 Categorised TO-DO list (by author)

| Dimension number | Dimension | To-do list – actions or deliverables | Table 7.2, p. 7-201 number | CDF component reference |
| --- | --- | --- | --- | --- |
| G1 | Governance | Establish the relevant management structures to ensure the availability of facilities (DFI laboratory, and operational infrastructure), hardware, software and equipment to ensure a successful investigation (par. 7.3.1.1). | 2 | ProDF par. 7.3.1.2 |
| G2 | Governance | Establish an EMP to manage the evidence: identify potential evidence for a risk or scenario (par. 7.3.1.3.1) and set up a risk profile; organise the evidence into a digital evidence index (par. 7.3.1.3.2); determine the comprehensiveness of a specific evidence set for a risk or scenario (par. 7.3.1.3.3). | 6 | ProDF par. 7.3.1.4 |
| G3 | Governance | Augment the risk management strategy and contingency plans (IRP, BCP and DRP) of the organisation with supporting policies and procedures to include evidence and process requirements (par. 7.3.1.3.4). | 8 | ProDF par. 7.3.1.4 |
| G4 | Governance | Formulate a DF education, training and awareness strategy to ensure that the people in the organisation will be prepared and competent (par. 7.3.1.5). | 9 | ProDF par. 7.3.1.6 |
| G5 | Governance | Document and validate a DFI protocol that includes reactive and active investigations to ensure that investigations are conducted in an organised way (par. 7.3.1.7.1). | 15 | ProDF par. 7.3.1.8 |
| G6 | Governance | Create or augment the risk management and business continuity strategy and plans of the organisation to include DF evidence and process requirements, and ensure that a DF-friendly containment strategy and plan exists to minimise the impact of an incident whilst maximising the availability of the evidence (par. 7.3.1.7.3). | 18 | ProDF par. 7.3.1.4; ProDF par. 7.3.1.8 |
| G7 | Governance | Formulate a DF strategy to manage the application of DF in an organisation (par. 7.3.2). | 19 | ProDF par. 7.3.2.3 |
| L1 | Legal and Judicial | Determine the legal and regulatory requirements applicable to the operational and investigation infrastructure. Consider requirements related to evidence, processes, admissibility of investigation tools, and the configuration of the operational and investigation infrastructure (par. 7.3.1.1). | 1 | ProDF par. 7.3.1.2 |
| L2 | Legal and Judicial | Identify the legal and regulatory requirements applicable to digital and physical evidence (par. 7.3.1.3.2). | 5 | ProDF par. 7.3.1.4 |
| L3 | Legal and Judicial | Determine the technical, legal, judicial and regulatory requirements to accredit education and training programmes and certify staff to be competent (par. 7.3.1.5). | 11 | ProDF par. 7.3.1.6 |
| L4 | Legal and Judicial | Identify the legal and judicial requirements for the specific incident (pars. 7.4, 7.5). | 23 | ReDF par. 7.4.7; ActDF par. 7.5.5 |
| P1 | People | Develop selective education, training and awareness programmes (pars. 7.3.1.5.1, 7.3.1.5.2). | 12 | ProDF par. 7.3.1.6 |
| P2 | People | Create a code of conduct for the use and application of DF in the organisation (par. 7.3.1.5.3). | 14 | ProDF par. 7.3.1.6 |
| PP1 | Policy and Procedure | Formulate policies and procedures to manage the preparation, use and maintenance of the operational and investigation infrastructure (pars. 7.3.1.1.1, 7.3.1.1.2). | 3 | ProDF par. 7.3.1.2 |
| PP2 | Policy and Procedure | Formulate policies and procedures to manage digital and physical evidence (par. 7.3.1.3.4). | 7 | ProDF par. 7.3.1.4 |
| PP3 | Policy and Procedure | Establish a policy and procedure to guide the establishment, implementation and management of education, training and awareness programmes (par. 7.3.1.5). | 10 | ProDF par. 7.3.1.6 |
| PP4 | Policy and Procedure | Establish a policy to prescribe the training requirements associated with specific roles in the organisation to ensure the admissibility of evidence in court (pars. 7.3.1.5, 7.3.1.5.1). | 13 | ProDF par. 7.3.1.6 |
| PP5 | Policy and Procedure | Ensure that all the policies and procedures required by the ReDF and ActDF protocols exist to ensure a successful investigation (par. 7.3.1.7.1). | 16 | ProDF par. 7.3.1.8 |
| PP6 | Policy and Procedure | Ensure that policies and procedures exist to manage the cost of the investigation and incident (par. 7.3.1.7.3). | 17 | ProDF par. 7.3.1.8 |
| PP7 | Policy and Procedure | Create or augment the risk management and business continuity (IR, BCP and DRP) policies and procedures of the organisation to include DF evidence and process requirements and ensure that DF-friendly containment policies and procedures exist to minimise the impact of an incident whilst maximising the availability of the evidence (par. 7.3.1.7.3). | 18 | ProDF par. 7.3.1.4; ProDF par. 7.3.1.8 |
| PP8 | Policy and Procedure | Formulate policies and procedures to support the DF strategy to ensure that clear directives exist to manage DF for investigative and non-investigative purposes in the organisation. Be sure to include policies to establish a DF capability in the organisation (pars. 7.3.2.1 - 7.3.2.2.5). | 20 | ProDF par. 7.3.2.3 |
| PP9 | Policy and Procedure | Manage and conduct the reactive DF investigation by using the predefined ReDF protocol. Apply all the policies and procedures required by the ReDF protocol to ensure a successful investigation (par. 7.4). | 21 | ReDF par. 7.4.7; ProDF par. 7.3.1.8 |
| PP10 | Policy and Procedure | Manage and conduct the active or live DF investigation by using the predefined ActDF protocol. Apply all the policies and procedures required by the ActDF protocol to ensure a successful investigation (par. 7.5). | 22 | ActDF par. 7.5.5; ProDF par. 7.3.1.8 |
| T1 | Technology | Only consider the application and use of acceptable and admissible forensic tools and technologies (par. 7.3.1.1.2). | 4 | ProDF par. 7.3.1.2 |
| T2 | Technology | Identify the technical requirements applicable to digital and physical evidence (par. 7.3.1.3.2). | 5 | ProDF par. 7.3.1.4 |
We will use the to-do list actions to identify specific deliverables to implement our CDF capability.
However, the actions can also be part of a hierarchy; for example, the general DF policy is supported
by a set of sub-policies, such as evidence management and handling, incident management and
handling and education and training policies. We will refer to the general DF policy as a first level
action and the supporting sub-policies as second level activities.
The next section will use the dimensions and relationship between the dimensions of DF to propose
a concept framework of our DFMF in a graphical format. The development of a fully functional DFMF
is not part of this thesis, but will be researched and developed in future.
8.4 STEP-BY-STEP CONSTRUCTION OF THE DFMF
We will now consider the to-do list actions to identify specific deliverables (using the CDF capability
in Chapter 7) to construct our DFMF. The construction will be step by step, starting from the legal
and judicial dimension, moving to the governance, then policy followed by process, people and
technology. The next section will consider the legal and judicial dimension.
8.4.1 Legal and judicial dimension
The legal and judicial dimension will ensure that organisations identify applicable legal,
regulatory and judicial requirements for their organisation. The legal and judicial deliverables as
identified by the to-do list in Table 8.1 (above) are:
8.4.1.1 Table 8.1 L2: Evidence handling and management requirements (par. 7.3.1.4)
This group will consider digital (static, live, legacy), physical and post-investigation evidence
requirements.
8.4.1.2 Table 8.1 L1, L4: Process requirements (pars. 7.3.1.4, 7.3.1.7.1, 7.3.1.8, 7.3.2.3)
The investigation process (incident handling) and the correct formulation of SOP in
organisations are essential. Organisations must consider the ReDF, ActDF and SOP process
requirements in terms of admissibility in a court of law.
8.4.1.3 Table 8.1 L1: Infrastructure requirements (par. 7.3.1.2)
The legal and judicial requirements of a prepared operational and investigation
infrastructure, as well as the validity of DF tools and technology, must be considered to
ensure the admissibility of evidence acquired in court.
8.4.1.4 Table 8.1 L3: Other legal, regulatory and judicial requirements.
These requirements can be, for example, SAQA requirements to accredit training
programmes and to certify staff (par. 7.3.1.6). The technical competence of the investigator
will influence the admissibility of evidence in a court of law.
Figure 8-3 (below) is a graphical representation of the first two levels of the legal and judicial
deliverables:
The requirements will be found in relevant laws, treaties, regulations, best practices, judicial
requirements and the requirements of other regulatory bodies, for example, a qualification
authority. Organisations must identify all relevant laws, treaties, regulations, best practices, and
judicial requirements applicable to the organisation. If the organisation operates internationally,
the legal and judicial requirements of each country in which it operates must be met. We use the
first level legal and judicial deliverables to construct the DFMF in Figure 8-4 (below).
The second step will be to consolidate the governance dimension.
8.4.2 Governance dimension
The governance dimension deals with management issues, and will ensure that organisations
consider the strategic importance and the management of the application and implementation
of DF in an organisation. We have identified three groups of governance deliverables using the
to-do list in Table 8.1 (above).
8.4.2.1 Table 8.1 G7: Group 1: Formulate the DF strategy (par. 7.3.2.3)
The DF strategy should provide direction for the use and application of DF in an organisation. We
propose that the DF strategy should address the following three groups of activities:
[Figure 8-3 Graphical representation of the first two levels of the legal and judicial deliverables (by author): Evidence requirements (Digital, Physical, Post incident; par. 8.4.1.1), Process requirements (ActDF, SOP, ReDF; par. 8.4.1.2), Infrastructure requirements (Investigation, Tools, Operational; par. 8.4.1.3), Other requirements (Programme accreditation, Certification; par. 8.4.1.4)]
[Figure 8-4 Legal and judicial deliverables as step 1 of the construction of our DFMF (by author): LEGAL AND JUDICIAL layer with Evidence requirements, Process requirements, Infrastructure requirements and Other requirements]
8.4.2.1.1 Table 8.1 G1, G5, G6, and G7: Manage the CDF capability (par. 7.3.2) (by author)
• General management of the CDF capability
• Manage DF investigations (case management)
• Manage the use of DF for non-investigative purposes in the organisation
8.4.2.1.2 Table 8.1 G2: Establish an evidence management plan (par. 7.3.1.4)
8.4.2.1.3 Table 8.1 G4: Formulate a DF education, training and awareness strategy with
supporting policies and programmes (par. 7.3.1.6)
8.4.2.2 Table 8.1 G3, G6: Group 2: Augment the risk management / contingency strategy and
plans
The governance category must integrate DF requirements in the risk management and
contingency strategy and plans of the organisation. It is essential to establish or augment the
organisational risk management and contingency plans to include evidence and process
requirements (consider staff assignments and technical responsibilities) (par. 7.3.1.7.3). Plans to
augment are as follows:
• Business impact analysis, to include evidence elements for specific risks (from the evidence
management plan, par. 7.3.1.3.1).
• Formulate or augment the contingency plans (pars. 7.3.1.3.4; 7.3.1.4; 7.3.1.7.3; 7.3.1.8),
and be sure to include the following:
  - IRP and the incident containment strategy, by considering business, legal, technical,
    and political factors and goals. It is also essential to specify incident acceleration
    criteria in the IRP.
  - Disaster recovery plan.
  - Business continuity plan.
• Include the assessment of new technologies in the risk assessment to determine the impact
of the new technologies on forensic investigations (par. 7.3.2.2.3).
8.4.2.3 Table 8.1 G1: Group 3: Manage infrastructure
Organisations must manage the physical infrastructure, which includes the physical investigation
laboratory, operational infrastructure (including all hardware and software) (pars. 7.3.1.1,
7.3.1.2).
Figure 8-5 (below) is a graphical representation of the first two levels of typical deliverables of
the governance category. We used the deliverable groups with sub-deliverables from par. 8.4.2.
The governance dimension is a subset of the legal and judicial dimension. We will add the first level
governance deliverable groups to the current version of DFMF in Figure 8-6 (below):
[Figure 8-6 (caption below): the DFMF after step 2, with the LEGAL AND JUDICIAL layer (Evidence, Process, Infrastructure, Other) above the GOVERNANCE layer (Formulate DF strategy: Management of DF capability, Evidence management plan, DF education, training and awareness strategy; Manage infrastructure; Risk management/Contingency strategy)]
The third step will be to consolidate the policy dimension.
8.4.3 Policy dimension
Organisations must formulate a general DF policy to support the DF strategy. We have identified
and re-organised the following policies and propose the following six groups of related policies
with supporting policies that support the general DF policy using the to-do list in Table 8.1
(above). The policy deliverable groups are:
[Figure 8-5 First two levels of the governance deliverables (by author): Formulate DF strategy (Evidence management plan; Education, training and awareness strategy; Manage DF capability; par. 8.4.2.1), Augment risk management / contingency strategy (IRP, DRP, BIA, BCP, Evaluate new technology; par. 8.4.2.2), Manage infrastructure (Operational, Investigation; par. 8.4.2.3)]
Figure 8-6 Addition of the governance deliverables as step 2 of the construction of our DFMF (by author)
8.4.3.1 Table 8.1 PP2: Group 1: Evidence management and handling policies
8.4.3.1.1 Evidence management policies (par. 7.3.1.4)
8.4.3.1.2 Digital evidence handling policies (par. 7.3.1.3.4)
Include static, live, legacy and archived digital evidence handling policies.
8.4.3.1.3 Physical evidence handling policies (par. 7.4.2)
8.4.3.1.4 Post-investigation case documentation and evidence handling policy (par. 7.3.1.4)
8.4.3.2 Table 8.1 PP5, PP6, PP9, PP10: Group 2: Incident management policies (par. 7.4.1)
8.4.3.2.1 Incident handling policy (by author)
Provide directives on the types of incident and criteria of when to investigate and the level
(internal or formal investigation). Include the management of the cost of an incident and
investigation.
8.4.3.2.2 ReDF investigation policy with supporting policies (par. 7.4)
• IR policy. Include the ActDF activation criteria in the IR policy of the organisation
• physical investigation policy
• digital investigation policy
• incident reconstruction policy
• case presentation policy to provide guidelines for the presentation of the case
• incident closure policy to provide guidelines for the closure of the case and the
dissemination of the result of the investigation.
8.4.3.2.3 ActDF investigation policy to include (par. 7.5):
• IR policy. Include the ActDF activation criteria in the IR policy of the organisation – this
policy is from the contingency policies of the organisation
• live evidence acquisition, analysis, limited reconstruction and ActDF termination criteria
• ActDF termination policy.
8.4.3.3 Table 8.1 PP7: Group 3: Augment the organisational risk management and contingency
policies
Augment the organisational risk management and contingency policies to include DF
requirements. Typical policies are:
8.4.3.3.1 business impact analysis policy – change the threat profile into a risk profile, as
suggested in par. 7.3.1.3.1
8.4.3.3.2 IR policies (pars. 7.4.1, 7.5.1)
The ActDF and ReDF IR policies should be the same as this policy. The containment
policy is pertinent and must be in place to contain incidents to minimise the impact of
the incident on the organisation. Include incident acceleration criteria in the policy.
8.4.3.3.3 disaster recovery policies (pars. 7.4.1, 7.3.1.7.3)
8.4.3.3.4 business continuity policies (par. 7.3.1.7.3).
Note to reader:
This is not necessarily a complete list of policies, but an example of typical risk
management or contingency policies that should be augmented to include evidence
requirements and sound DF procedure structuring.
8.4.3.4 Table 8.1 PP3, PP4: Group 4: Education, training, and awareness policy (par. 7.3.1.6)
8.4.3.4.1 Include the curriculation requirements to offer accredited education and training
courses
8.4.3.4.2 Specify the minimum qualifications and requirements for DF investigators and first
responders in terms of training and certification.
8.4.3.5 Table 8.1 PP8: Group 5: DF Management policies
8.4.3.5.1 General DF management policies (par. 7.3.2.1)
• Policy to describe the establishment of CERT
• Policy to prescribe the segregation of duties of CERT, internal DF team, external DF
team, auditing, risk management, and Info Sec departments
• Outsourcing policy
• Whistle-blowing policy
• An appeal policy
• Policy for the use and application of DF tools and technologies
• Policy to ensure cost-effective investigations and evidence acquisition.
8.4.3.5.2 Management and use of DF for non-forensic investigation purposes policies
(par. 7.3.2.2)
• Policy for the use of DF tools and technologies for non-investigation purposes, for
example, policies that guide the use of DF tools for data recovery, password recovery,
and disk wiping
• Policy to apply DF tools and techniques to safeguard the company’s assets
• Policy to apply DF to acquire evidence for continuous audits, quality assurance, and
compliance testing
• Policy to apply DF tools and techniques to assess the effectiveness and efficiency of
operations and controls of the governance frameworks (pars. 7.3.2.2; 7.3.2.2.3).
8.4.3.6 Table 8.1 PP1: Group 6: Infrastructure policies (par. 7.3.1.1)
8.4.3.6.1 Operational infrastructure policies (par. 7.3.1.1.1)
• Configuration of networks, IDS and other infrastructure (hardware and software)
• A monitoring policy that provides clear directives on the systematic gathering of
evidence and targeted monitoring
• Policy to ensure the inclusion of DF principles in design, implementation, and
development (SDLC) for applications and systems to ensure DF-friendly systems
• Policy to prevent anti-forensic activities
• Policy to prevent anonymous activities
• Policy to evaluate new technologies and techniques.
8.4.3.6.2 DF laboratory policies (par. 7.3.1.1.2)
• Policy for the acquisition and maintenance of DF tools and technologies
• Policy for version control of DF tools to ensure the handling of legacy evidence (by
author)
• Laboratory access control policy
• Use of DF laboratory policy
• Secure storage area policy
• Backup policy. Ensure that a well-defined backup and recovery plan with policies exists
for the DF laboratory. It is essential to consider not only the evidence, which includes
data and metadata, but also the tools and versions of tools.
Figure 8-7 (below) is a graphical representation of some of the first two level policy deliverables.
The policy dimension is a subset of the governance dimension. We will add the first level policy
deliverable to the current version of DFMF. Due to the importance of policies, we also include
the second level policy deliverable groups in Figure 8-8 (below):
The fourth step will be to consolidate the process deliverables.
8.4.4 Process dimension
To manage DF in an organisation, policies must be supported by well-defined forensically sound
procedures and guidelines. The process category is prominent in DF, as the procedure followed
during an investigation or assessment will determine the admissibility of the evidence gathered and
ultimately the success of an investigation. We propose the following six groups of process
deliverables to support the corresponding policy deliverable groups:
[Figure 8-7 Graphical representation of the first two levels of the policy deliverables (by author): General DF policy (par. 8.4.3) supported by Evidence management and handling policies (par. 8.4.3.1), Incident management policies (par. 8.4.3.2), Risk management / Contingency policies (par. 8.4.3.3), Education, training, awareness policies (par. 8.4.3.4), Management policies (par. 8.4.3.5), Infrastructure policies (par. 8.4.3.6)]
[Figure 8-8 Addition of the policy deliverables as step 3 of the construction of our DFMF (by author): LEGAL AND JUDICIAL (Evidence, Process, Infrastructure, Other requirements); GOVERNANCE (Formulate DF strategy; Manage Infrastructure; Augment the risk management / contingency strategy); POLICY (General DF Policy with Evidence management and handling policies, Risk management / contingency policies, DF Management policies, Infrastructure policies, Incident management policies, Education, training and awareness policy)]
8.4.4.1 Table 8.1 PP2: Group 1: Evidence management and handling procedures (pars. 7.3.1.3 -
7.3.1.4)
8.4.4.1.1 Evidence management procedures (par. 7.3.1.3.1)
Procedure to provide directives on the creation and management of the risk profile, the
calculation of the CDE rating of an evidence set associated with a risk, and the compilation of
the evidence index.
8.4.4.1.2 Digital evidence handling procedures (par. 7.3.1.3.4)
• Static digital evidence handling procedures (par. 7.4.3)
The static evidence handling procedures should include identification; collection;
acquisition; ensuring integrity; authentication; preservation; storage and transportation
of digital evidence.
• Live evidence handling procedures (par. 7.5.2)
The live evidence handling procedures are identification; collection (to be done by
considering the order of volatility); maintenance of the integrity of the evidence; live
evidence acquisition; live evidence authentication; live evidence transportation (same as
static evidence); and live evidence storage (same as static evidence).
• Legacy evidence handling procedure (par. 7.3.1.3.4).
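The static and live evidence handling steps listed above (collection in order of volatility, integrity hashing at acquisition, authentication, and re-verification at every storage or transport handover) can be carried into a small chain-of-custody helper. This is an added example, not code from the thesis; the volatility ranking, the sample evidence items, the handler names and the laboratory key are constructed assumptions.

```python
"""Chain-of-custody helper for the digital evidence handling procedures.
Added example for this page; not part of the thesis.  The volatility
ranking, the sample items and the laboratory key are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed order-of-volatility ranking: lower rank is collected first,
# because that evidence disappears soonest once the system changes state.
VOLATILITY_RANK = {
    "registers_cache": 0,
    "memory": 1,
    "network_state": 2,
    "running_processes": 3,
    "disk": 4,
    "removable_media": 5,
    "archival_backup": 6,
}


@dataclass
class EvidenceItem:
    item_id: str
    source: str                 # identification: where the item was found
    kind: str                   # key into VOLATILITY_RANK
    live: bool                  # True for ActDF live evidence, False for static
    payload: bytes              # the acquired bytes (constructed samples below)
    sha256: str = ""            # integrity hash recorded at acquisition
    custody_log: list = field(default_factory=list)


def _log(item, action, handler):
    item.custody_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "handler": handler,
    })


def collection_order(items):
    """Collection: live items first, most volatile first; static items
    follow, since their order is not volatility-driven."""
    return sorted(items, key=lambda i: (0 if i.live else 1,
                                        VOLATILITY_RANK[i.kind]))


def acquire(item, handler):
    """Acquisition and ensuring integrity: hash the bytes as acquired and
    open the custody log.  Returns the recorded hash."""
    item.sha256 = hashlib.sha256(item.payload).hexdigest()
    _log(item, "acquired", handler)
    return item.sha256


def verify(item):
    """Integrity check against the hash recorded at acquisition."""
    current = hashlib.sha256(item.payload).hexdigest()
    return hmac.compare_digest(current, item.sha256)


def authenticate(item, lab_key):
    """Authentication: a keyed tag over the item identity and its hash, so
    an evidence index entry can be shown to originate from the laboratory."""
    msg = f"{item.item_id}|{item.source}|{item.sha256}".encode()
    return hmac.new(lab_key, msg, hashlib.sha256).hexdigest()


def transfer(item, from_handler, to_handler):
    """Transportation/storage: every handover re-verifies integrity before
    it is recorded, so a modified item cannot be passed on silently."""
    if not verify(item):
        _log(item, "integrity-failure", from_handler)
        raise ValueError(f"{item.item_id}: hash mismatch, transfer refused")
    _log(item, f"transferred {from_handler} -> {to_handler}", to_handler)


def evidence_index(items, lab_key):
    """Compile the evidence index: one authenticated entry per item."""
    return [{"item_id": i.item_id, "source": i.source, "kind": i.kind,
             "live": i.live, "sha256": i.sha256,
             "tag": authenticate(i, lab_key),
             "custody_entries": len(i.custody_log)} for i in items]


def build_sample_items():
    """Constructed sample: one static disk image and two live artefacts."""
    return [
        EvidenceItem("E1", "host-a", "disk", False, b"constructed disk image"),
        EvidenceItem("E2", "host-a", "memory", True, b"constructed memory dump"),
        EvidenceItem("E3", "host-a", "network_state", True, b"constructed netstat"),
    ]


if __name__ == "__main__":
    key = b"constructed-lab-key"
    items = build_sample_items()
    for it in collection_order(items):
        acquire(it, "first responder")
        transfer(it, "first responder", "DF laboratory")
    for entry in evidence_index(items, key):
        print(entry["item_id"], entry["sha256"][:12], entry["custody_entries"])
```

A real laboratory would persist the custody log and index outside the evidence store and sign them with a key that first responders do not hold.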
8.4.4.1.3 Physical evidence handling procedures (par. 7.4.2)
Physical evidence handling procedures, for example, identification, collection (search
and collect), documentation, storage, and transportation procedures.
8.4.4.1.4 Post-investigation case documentation and evidence management and handling
procedures (par. 7.4.6.2)
The procedures should consider the disposal, return and archiving of all evidence.
Include the presentation, storage, and transportation of the case file and evidence.
Consider the legal aspects of evidence retention.
8.4.4.2 Table 8.1 PP5, PP6, PP9, PP10: Group 2: Incident-management procedures (par.
7.3.1.7.1)
Organisations must have detailed DFI protocols for ActDF and ReDF (par. 7.4), which must
adhere to accepted investigation best practices with documentation and reporting
specifications. The detailed protocols of the ReDF and ActDF have been discussed in Chapter
7. The protocols will be supported by procedures and guidelines. We have identified the
following process deliverables in Chapter 8:
8.4.4.2.1 ReDF processes or procedure
We have proposed a ReDF investigation protocol with phases and steps in par. 7.4. Typical
ReDF processes and procedures that would support the ReDF investigation protocol are:
• incident detection and confirmation procedures (from contingency planning – IRP)
(par. 7.4.1)
This procedure or set of procedures should include incident detection, activation of the
ActDF component to acquire live evidence, notification of incident, incident validation
and confirmation, internal and external authorisation, containment, acceleration of an
investigation and notification of investigation procedure.
• physical investigation procedure with supporting procedures. Typical procedures include
securing the physical crime scene, and acquisition and analysis of physical evidence.
• digital investigation procedure with supporting procedures. Include digital crime scene
preservation, evidence acquisition, analysis procedures and service restoration
procedure.
• incident reconstruction procedure.
• presentation procedure.
• appeal procedure.
• incident closure procedure.
8.4.4.2.2 ActDF processes or procedures
We have proposed an ActDF investigation protocol with phases and related steps in par. 7.5.
Typical deliverables that will support the protocol are:
• incident detection and confirmation procedure (from the ReDF phase 3 or the trigger
event during phase 1)
• securing the live investigation crime scene and containment procedure
• ActDF investigation procedures
• inclusion of live evidence acquisition and analysis procedures
• limited incident reconstruction procedure
• termination of the ActDF investigation procedure.
8.4.4.3 Table 8.1 PP7: Group 3: Augment the risk management and contingency procedures
It is essential that the current contingency procedures, for example, risk management and
Info Sec, are augmented and changed to deal with the forensic evidence and procedural
requirements of the organisation. Typical procedures or guidelines to consider are:
8.4.4.3.1 business impact analysis procedures, which should change the threat profile into a
risk profile as suggested in par. 7.3.1.3.1
8.4.4.3.2 IR procedures (pars. 7.4.1, 7.5.1) – the ActDF and ReDF incident detection and
confirmation procedures should be the same as these procedures
8.4.4.3.3 disaster recovery procedures (pars. 7.3.1.7.3; 7.4.3.4)
8.4.4.3.4 business continuity procedure (pars. 7.3.1.7.3; 7.4.3.4)
8.4.4.3.5 include a procedure to evaluate new technologies during the risk assessment of risk
management, to determine their risk factor in terms of forensic investigations
(par. 7.3.2.2.3).
8.4.4.4 Table 8.1 PP8: Group 4: DF Management procedures
8.4.4.4.1 General DF management procedures (par. 7.3.2)
The general management policies should be supported by procedures and guidelines, for
example:
• when and how to outsource DF functions
• whistle-blowing procedure to report violations
• apply DF tools to safeguard the organisation’s assets
• calculate the cost of an investigation, ensuring that the cost is in proportion to the
investigation.
8.4.4.4.2 Procedures for the management of the use of DF for non-forensic purposes (par. 7.3.2.2)
are:
• procedure and guidelines to enable DF in systems and processes
Include other areas of the organisation by including DF process and evidence
requirements in the formulation of business processes. Adapt the SOP of relevant
business processes for quality audits, compliance reports or, for example, change
management, and ensure the existence of a procedure to measure or assess the
effectiveness and efficiency of controls within frameworks.
• procedure for the use of DF tools and technologies for non-investigative purposes
Include, for example, procedures that guide the use of DF tools for data recovery,
password recovery, and disk wiping.
• procedure to apply DF tools and techniques to safeguard the company’s assets
• procedure to apply DF to acquire evidence for continuous audits, quality assurance, and
compliance testing
• procedure to apply DF tools and techniques to acquire evidence to assess the
effectiveness and efficiency of operations and controls of the governance frameworks
(pars. 7.3.2.2; 7.3.2.2.3).
8.4.4.5 Table 8.1 PP1: Group 5: Infrastructure procedures
DF tools and technologies can be very dangerous if used by the wrong people for the wrong
purposes; it is therefore essential to formulate procedures and guidelines for their use (pars.
7.3.2.2.1; 7.3.1.1).
The organisation should have a DF laboratory if they have an internal DF team. Clear
procedures must be in place to regulate access to the laboratory and actions in it, as well as
backup and recovery of the evidence and related tools in the laboratory.
The evidence produced by DF tools and techniques must be acceptable in a court of law. It is
therefore essential to ensure, when acquiring DF tools, that the courts and the judicial system
recognise the tool as forensically sound. A well-defined guideline should exist for
acquiring DF tools and techniques. Investigators must ensure that they use ActDF tools and
technologies that are acceptable in courts. The physical investigation will require specific
items, for example, evidence bags, cameras, and registers.
8.4.4.5.1 Operational infrastructure procedures (par. 7.3.1.1.1)
Management must ensure that procedures exist to configure:
• the networks and operational infrastructure (hardware and software)
• a systematic targeted monitoring or evidence collection capability
• the IDS – set criteria, for example, the trigger event
• clear procedures to prevent anti-forensic activities and anonymous activities.
The infrastructure development procedures should be augmented to include DF
requirements when designing new systems, to ensure DF-friendly infrastructure
(par. 7.3.1.1.1).
8.4.4.5.2 DF investigation laboratory procedure (par. 7.3.1.1.2)
The physical laboratory procedure to include:
• procedures to set up and manage the physical investigation infrastructure (DFI
laboratory)
• access control procedure for the DFI laboratory and strong room
• the use of the DFI laboratory procedure
• a well-defined backup and recovery procedure for the DFI laboratory. The backup
procedure should include evidence (data and metadata), tools and case evidence
• a procedure for DF tool acquisition, availability, version control, and maintenance.
Figure 8-9 (below) is a graphic representation of the first two levels of the process deliverables.
[Figure 8-9 Graphical representation of the first two levels of the process deliverables (by author): Evidence management and handling procedures (Evidence management; Digital evidence; Physical evidence; Post incident evidence; par. 8.4.4.1), Incident management procedures (Incident handling; Investigation procedures; par. 8.4.4.2), Risk management and contingency procedures (BIA, IRP, DRP, BCP, New technologies; par. 8.4.4.3), DF Management procedures (General management; Use of DF for non-DFI purposes; par. 8.4.4.4), Infrastructure procedures (Operational infrastructure; DFI infrastructure; par. 8.4.4.5)]
The process dimension is a subset of the policy dimension. We have added the process deliverables
to the current version of DFMF to Figure 8-10 (below):
[Figure 8-10 Addition of the process deliverables as step 4 of the construction of our DFMF (by author): LEGAL AND JUDICIAL (Evidence, Process, Infrastructure, Other); GOVERNANCE (DF strategy: Management of DF capability, Evidence management plan, DF Education, training and awareness strategy; Infrastructure; Risk management/Contingency strategy); POLICY (General DF Policy: Evidence management and handling policies, Risk management / Contingency policies, Management policies, Infrastructure policies, Incident management policies, Education, training and awareness policy); PROCESS (Evidence handling procedures; Incident management procedures; Infrastructure procedures; Management procedures; Risk management / Contingency procedures)]
The fifth step will be to consolidate the people deliverables.
8.4.5 People dimension
People are the most uncertain and risky category, and it is very difficult to manage them in an
organisation. Effective training and awareness programmes can influence the behaviour of
employees. Everybody in the organisation must be aware of the role and application of DF in it
but it is essential to note that not all the employees will need the same training. One of the
governance deliverables is a DF education, training and awareness strategy (par.7.3.1.6). We
have identified three groups of people deliverables:
8.4.5.1 Table 8.1 P1: Group 1: DF education and training programmes (par. 7.3.1.5.1)
Organisations must curriculate education, training and awareness programmes. It will be
necessary to develop different education, training and awareness programmes to address
the different roles in the organisation. Typical education and training programmes include
those for first responders, general users, management, investigators, and the preparation of
expert witnesses.
It is essential to accredit internal training programmes with a qualification authority, for
example SAQA, or another certification authority, e.g., EnCase® certified investigator. This
will ensure that training is at an acceptable level for the DF community and the courts.
Courts will rather accept evidence acquired by a competent investigator (certified) as it will
be assumed that the person possesses the skills to perform the investigation properly.
Employees can be certified at certain levels to ensure the successful prosecution of
perpetrators and positive investigation results.
The success of an investigation can be determined by the competence of an expert witness.
It is essential to prepare expert witnesses. Figure 8-12 (below) is a graphical representation
of the people deliverables. We have given examples of some technical training programmes.
8.4.5.2 Table 8.1 P1: Group 2: DF Awareness programmes (par. 7.3.1.5.2)
The awareness programmes should be integrated in the Info Sec or risk management
awareness programmes to alert employees and other stakeholders of the importance of
evidence and following the correct procedures.
8.4.5.3 Table 8.1 P2: Group 3: Code of conduct (par. 7.3.1.5.3)
It is important that the training and awareness strategy embrace the ethical values of the
organisation so that it supports the organisation’s ethical culture. Due to the nature of DF
tools and technologies, the ethical use of DF is essential for the organisation. Organisations
must have a code of conduct for the use of DF tools and techniques in the organisation.
Figure 8-11 (below) is a graphical representation of the first two levels of the people deliverables:
The people dimension is a subset of the policy dimension. We will now add the people deliverables
to the current version of DFMF in Figure 8-12 (below):
[Figure 8-11 Graphical representation of the first two levels of the people deliverables (by author): DF education and training programmes (General user; Management; First responders; Investigator; Technical education and training; Expert witness; par. 8.4.5.1), DF awareness programmes (par. 8.4.5.2), Code of conduct (par. 8.4.5.3)]
[Figure 8-12 (caption below): the DFMF after step 5, with the LEGAL AND JUDICIAL, GOVERNANCE, POLICY and PROCESS layers of Figure 8-10 and a new PEOPLE layer (Education and training programmes; Awareness programmes; Code of Conduct)]
The last step will be to consolidate the technology deliverables.
8.4.6 Technology dimension
The technology dimension will consider all technology requirements for the operational
infrastructure and DFI infrastructure (par. 7.3.1.1).
The acquisition and management DFI tools and techniques are essential, as not all tools are
admissible in a court of law. The investigation must be managed to ensure that systematic
documentation exists to provide the chain of evidence and chain of custody required by courts,
therefore organisations should invest in case-management software (par. 7.4.7). The
investigator will also need presentation software to present the case. We have identified three
groups of technology deliverables:
Figure 8-12 Addition of the people deliverables as step 5 of the construction of our DFMF (by author)
Part 2: Construction of our DFMF
8-229 | P a g e Chapter 8: Construction of our holistic DFMF
8.4.6.1 Table 8.1 T1, T2: Group 1: Operational infrastructure (pars. 7.3.1.1; 7.3.1.1.2)
Install an IDS
Establish a capability to systematically gather evidence
Establish a capability to monitor activities.
8.4.6.2 Table 8.1 T1, T2: Group 2: Physical DF investigation (DFI) infrastructure (par. 7.3.1.1)
8.4.6.2.1 Hardware
It is essential to ensure the availability of DFI specific infrastructure, for example, an
isolated network, forensic servers, and short- and long-term servers
DFI hardware tools and technologies, for example, disk duplicators and write blockers
General equipment, for example, digital cameras, jump bags, networking gear, and a
backup facility.
8.4.6.2.2 Software
Static ReDF investigation toolkits, for example EnCase® or Forensic Toolkit®
Live evidence ActDF investigation toolkits for example: EnCase® Enterprise
Legacy or older versions of toolkits (by author)
Case management software (by author)
Presentation software
Backup software.
8.4.6.2.3 Miscellaneous items
The facility will also need general items required for investigations, for example, evidence
bags, gloves and blank media.
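The chain-of-custody documentation that the technology dimension expects case-management software to keep can be prototyped in a few lines. The following is an added example written for this section; it is not code from the thesis or from any product named above. It assumes a hash-chained ledger in which every custody event records the handler, the action and the SHA-256 of the evidence as observed at hand-over, and each record also commits to the previous record's hash; the item identifier, handler names and evidence bytes are constructed sample values.

```python
"""Chain-of-custody ledger for one evidence item (added example, not thesis code).

Each custody event records who handled the item, what was done and the
SHA-256 of the evidence bytes as observed at that moment. Every record also
commits to the hash of the previous record, so a later edit to the log, or a
change to the evidence itself, is detectable by verify().
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    seq: int                # position in the ledger, starting at 0
    timestamp: str          # ISO-8601 UTC string supplied by the caller (keeps the ledger deterministic)
    handler: str            # person taking or releasing custody
    action: str             # e.g. "acquired", "transferred", "examined"
    evidence_hash: str      # SHA-256 of the evidence bytes at this event
    prev_record_hash: str   # record_hash of the previous record, or GENESIS for the first
    record_hash: str = ""   # SHA-256 over all fields above, filled in on append

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "record_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLedger:
    GENESIS = "0" * 64

    def __init__(self, item_id: str) -> None:
        self.item_id = item_id
        self.records: List[CustodyRecord] = []

    def add_event(self, timestamp: str, handler: str, action: str,
                  evidence: bytes) -> CustodyRecord:
        """Append a custody event, hashing the evidence as it is at hand-over."""
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        rec = CustodyRecord(len(self.records), timestamp, handler, action,
                            sha256_hex(evidence), prev)
        rec.record_hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self, evidence: Optional[bytes] = None) -> List[str]:
        """Return the list of problems found; an empty list means the chain is intact."""
        problems: List[str] = []
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i:
                problems.append(f"record {i}: sequence number mismatch")
            if rec.prev_record_hash != prev:
                problems.append(f"record {i}: broken link to previous record")
            if rec.record_hash != rec.compute_hash():
                problems.append(f"record {i}: record altered after it was written")
            prev = rec.record_hash
        if len({r.evidence_hash for r in self.records}) > 1:
            problems.append("evidence hash changed between custody events")
        if evidence is not None and self.records:
            if sha256_hex(evidence) != self.records[0].evidence_hash:
                problems.append("evidence bytes differ from the acquisition hash")
        return problems


def demo() -> List[str]:
    """Constructed walk-through: acquisition, hand-over, then verification of the intact chain."""
    image = b"CONSTRUCTED stand-in for an acquired disk image"   # constructed sample, not real evidence
    ledger = CustodyLedger("ITEM-0001")                           # constructed item identifier
    ledger.add_event("2011-11-01T08:00:00Z", "first responder A", "acquired", image)
    ledger.add_event("2011-11-01T09:30:00Z", "investigator B", "transferred", image)
    return ledger.verify(image)   # [] when the chain and the evidence are intact


if __name__ == "__main__":
    print("problems:", demo())
```

The point of the backward link is that a record cannot be quietly edited: changing a field invalidates its own hash, and re-hashing it breaks the link held by the next record, so the ledger would have to be rewritten from that point onward. A real case-management system would also sign each record and keep the hashes of acquisition images in write-once storage; the ledger here only shows the integrity structure.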
Figure 8-13 (below) is a graphical representation of the first two levels of the technology
deliverables or requirements:
[Figure 8-13: Technology deliverables. Operational infrastructure (par. 8.4.6.1): IDS; Monitoring; Networks; Systematic gathering; Time-synchronize. DFI infrastructure (par. 8.4.6.2): Hardware; Software; Miscellaneous.]
Figure 8-13 Graphical representation of the first two levels of the technology deliverables (by author)
The technology dimension is a subset of the policy dimension. We will add the technology
deliverables to the current version of DFMF in Figure 8-14 (below):
[Figure 8-14: DFMF after step 6, nested dimensions from the outside in. LEGAL AND JUDICIAL: Evidence; Process; Infrastructure; Other. GOVERNANCE: DF strategy; Infrastructure; Risk management / Contingency strategy; Management of DF capability; Evidence management plan; DF education, training and awareness strategy. POLICY: General DF policy; Evidence management and handling policies; Risk management / Contingency policies; Management policies; Infrastructure policies; Incident management policies; Education, training and awareness policy. PROCESS: Evidence handling procedures; Incident management procedures; Infrastructure procedures; Management procedures; Risk management / Contingency procedures. PEOPLE: Education and training programmes; Awareness programmes; Code of conduct. TECHNOLOGY: Operational infrastructure; DFI infrastructure.]
Figure 8-14 Addition of the technology deliverables as step 6 of the construction of our DFMF (by author)
The next section will provide a high-level view of our DFMF.
8.5 CONSOLIDATED VIEW OF OUR DFMF
We have constructed the DF implementation and management framework DFMF step by step in the
previous part of the chapter. The current version of our DFMF consists of nested deliverable
categories. There are some important relationships between deliverables within the policy and
governance dimensions. The general DF policy will provide the strategic directives for all the
supporting policies in the organisation. The DF strategy will provide guidance for the application of
DF in the organisation and will be supported by the management of the DF capability, evidence
management plan and the DF education, training and awareness strategy (Figure 8-5). We have
reorganised some of the deliverable groups to propose our DFMF in Figure 8-15 (below):
Figure 8-15 High level graphical view of our DFMF (by author)
[Figure 8-15: DFMF, nested dimensions from the outside in. LEGAL AND JUDICIAL: Evidence; Process; Infrastructure; Other. GOVERNANCE: DF strategy; Infrastructure; Risk management / Contingency strategy; Management of DF capability; Evidence management plan; DF education, training and awareness strategy. POLICY: General DF policy; Evidence management and handling policies; Risk management / Contingency policies; Management policies; Infrastructure policies; Incident management policies; Education, training and awareness policy. PROCESS: Evidence management and handling procedures; Incident management procedures; Infrastructure procedures; Management procedures; Risk management / Contingency procedures. PEOPLE: Education and training programmes; Awareness programmes; Code of conduct. TECHNOLOGY: Operational infrastructure; DFI infrastructure.]
Management can use the framework to implement a CDF capability. The implementation of the CDF
capability using the DFMF can be done by starting from the outer legal and judicial dimension, then
working systematically towards the inner dimensions. The framework encapsulates the relationship
between the deliverables that is essential for the successful implementation of the CDF.
8.6 SUMMARY
We have used the to-do list actions of Chapter 7 and have categorised the actions by using the
dimensions of DF as categories (legal and judicial, governance, policy, process, people and
technology). The dimensions of DF are related and we have used the relationship between the DF
dimensions to construct our concept DFMF. The legal and judicial dimension provides the
background to the governance dimension. The policy dimension is a subset of the governance
deliverables. The policy dimension encapsulates the process, people and technology dimensions.
The chapter has proposed a holistic DF management framework (DFMF) to implement and manage
our CDF capability in an organisation. The framework is comprehensive as it contains all three
components of our CDF capability (Chapter 7) by covering the to-do lists of all the components
(Table 7.2). The framework is holistic in that it provides management with a high-level concept guide
when considering the implementation of the CDF capability in an organisation. Although the
framework is on a high level, it is possible to drill down in a specific deliverable group. The DFMF will
be refined in further research.
PART 3
CONCLUSION
The aim of this part of the thesis will be to determine if the problem statement and objectives of the
thesis have been addressed in accord with sub-objective 5 (par. 1.5.5).
Sub-objective 5: Discuss potential challenges to the implementation of our DFMF and identify
further research opportunities.
Part 3: Conclusion
9-234 | P a g e Chapter 9: Conclusion
9 CHAPTER 9
CONCLUSION
9.1 INTRODUCTION
The prevalence of cybercrime and fraud and demands from corporate governance reports to
demonstrate due diligence with respect to good IT and Info Sec governance create the demand for
‘good’ evidence (CDE) in organisations. The need for evidence is increased by a requirement to prove
legal and regulatory compliance, and to assess the effectiveness of controls so as to improve the
governance frameworks. DF is becoming a survival tool for organisations to acquire evidence;
however, it is essential to prepare the organisation for the application of DF tools and technologies
to ensure that good evidence is available when needed. We have identified some challenges that
organisations face in preparing for DF that will prevent the realisation of the full benefit of its
application.
DF is traditionally a reactive investigation discipline. We have defined DF as the scientific study of all
the processes involved in the recovery, preservation and examination of digital evidence, including
audio, imaging and communication devices (TC-11, 2006) (par. 2.4). The conventional DF frameworks
researched in this thesis (Chapter 3) confirm this view (Barayumureeba & Tushabe, 2004; Carrier &
Spafford, 2003; Casey, 2004; Forrester & Irwin, 2007; Louwrens et al., 2006b). Most of the
frameworks recognise the need to become DF-ready, but concentrate on the preparation for
investigations (Chapter 4). Live evidence is becoming increasingly important for investigations and
various acquisition tools exist to acquire it during an investigation. Some of the conventional DF
frameworks refer to its acquisition but do not provide any specific guidelines on the process. Very
few technology-independent live DF investigation frameworks exist (Chapter 6) (Grobler, 2009;
Ieong & Leung, 2007). None of the frameworks discussed in this thesis contains all three components
(preparation, live evidence acquisition and actual reactive investigation); therefore, the first
challenge is to establish a CDF capability.
Other challenges that organisations face are that they are not prepared for the application of DF
tools and technologies. This manifests itself in failed investigations due to a lack of good evidence or
spoiled evidence owing to poorly formulated policies and procedures, or incompetent staff. The
infrastructure should be configured to enable the application of DF.
We are therefore convinced that no holistic DF framework exists to manage and implement a
DF capability in an organisation (Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Casey,
2004; Forrester & Irwin, 2007; Ieong, 2006; Louwrens et al., 2006b; Nikkel, 2006). The objective of
the thesis has been to develop a holistic, theoretical DF Management Framework (DFMF) to
implement and manage an effective DF capability in an organisation.
The thesis has consisted of three main parts, as represented in Figure 1-3 p. 1-13:
Part 1: Background to DF
Part 2: Construction of the DFMF
Part 3: Conclusion.
We have made our own contribution to the body of knowledge (BOK) for Digital Forensics in the
thesis.
9.2 PART 1
The first part of the thesis provided a background to DF, with definitions and discussion of its
internal and external drivers to identify common reasons for its application in an organisation (par.
2.5.3). Organisations apply DF tools and technologies for investigative and non-investigative
purposes; for instance, they investigate cybercrimes to acquire digital evidence. We have discussed
both cybercrime and digital evidence. Not all evidence is good evidence, so it was essential to determine its characteristics.
Digital evidence must adhere to legal and judicial criteria if it is to be admissible in a court of law. We
have proposed a comprehensive DF (CDF) capability that includes preparation (Proactive DF - ProDF),
live evidence (Active DF - ActDF) and reactive investigation (Reactive DF - ReDF) components (par.
2.8), as well as a definition of digital evidence. We coined a term: comprehensive digital evidence
(CDE).
DF frameworks can be classified as process- or role-based frameworks (par. 3.1). In Chapter 3
we identified, discussed, and compared various process-based DF frameworks (Carrier and Spafford,
O'Ciardhuain, Barayumureeba, Beebe and Clark, Louwrens et al., Casey, and Forrester) and a
role-based framework (Ieong). Most of the researched DF frameworks consider three areas or
components:
Component 1: Preparation to ensure DF readiness
Component 2: Live evidence acquisition
Component 3: Reactive forensic investigation
(Barayumureeba & Tushabe, 2004; Beebe & Clark, 2005; Carrier & Spafford, 2003; Casey,
2004; Forrester & Irwin, 2007; Louwrens et al., 2006b; O'Ciardhuain, 2004).
None of the DF frameworks addressed all three components comprehensively. We used the
comparison of the different frameworks and viewpoints to formulate a draft version of our CDF
capability in par. 3.5. Our CDF capability consists of three distinct, but related components, namely
ProDF, ActDF and ReDF. We coined another term: comprehensive DF (CDF) capability.
The ProDF component deals with the preparation of organisations for the application and use of DF
tools and technologies. The ReDF and ActDF components concentrate on the actual investigation of
incidents; with ReDF, handling the traditional investigations after an incident has been detected,
whereas the ActDF component focuses on the acquisition of live evidence during an incident.
We have used the ProDF component identified in the first draft of our CDF capability (par. 3.5.1) and
the DF readiness views of Rowlingson and Garcia to identify goals and elements for DF readiness
(par. 4.4.2.3). We have compared DF readiness as proposed in Chapter 4 with the common list of
reasons why organisations should prepare themselves for the application of DF (par. 2.5.3). The
comparison clearly demonstrated that DF readiness is a subset of ProDF (par. 4.4; Table 4.3). We
have formulated a ProDF component by confirming the definition of ProDF and identifying goals (par.
4.5), sub-goals and related elements for the component. This component will enable organisations
to become DF-ready, and to implement and manage DF to improve governance programmes in the
organisation. ProDF is a new concept that we have added to the BOK for DF, as it refers to more than
DF readiness.
We have consolidated the ReDF component in Chapter 5, confirmed the definition for ReDF,
identified goals, and provided a comprehensive ReDF investigation protocol. Our protocol has six
phases with related sub-phases and/or steps (par. 5.5).
To formulate a comprehensive ActDF component, we have identified, discussed and compared
different live investigation frameworks (Payer, Ren, Foster, Grobler & Ieong) and the ActDF
component (as identified in Chapter 3, par. 3.5.1) to define ActDF, identify goals for ActDF and
formulate our ActDF protocol with four phases and related sub-phases and/or steps to acquire live
evidence during an on-going incident (par. 6.7). There is a need for an ActDF protocol (par. 1.3.3).
Contribution to BOK:
Digital evidence is any data stored or transmitted using a digital device that tends to
establish or disprove a fact (Chawki, 2004). The data stored or transmitted should be reliable
information that supports or refutes a hypothesis and can establish that a crime has been
committed, or can provide a link between a crime and its perpetrator (Casey, 2004) (par. 2.7.1).
Comprehensive Digital Evidence (CDE) is digital evidence that will have evidentiary weight in
a court of law and that contains all the evidence necessary (relevant and sufficient) to
establish or disprove a fact (par. 2.7.2).
A Comprehensive DF (CDF) capability includes a preparation (Proactive DF - ProDF), live
evidence acquisition (Active DF - ActDF) and reactive investigation (Reactive DF - ReDF)
component (par. 2.8).
The second part of the thesis began in Chapter 7, in which we proposed the CDF capability.
9.3 PART 2
This part of the thesis used the results of Chapters 3, 4, 5, and 6 of Part 1 as a starting point to
formulate our CDF capability in Chapter 7. The CDF capability is our main contribution to the BOK for
DF. Chapter 7 formulated our CDF capability by considering the ProDF, ReDF and ActDF components
individually and discussed the relationship between the components.
9.3.1 ProDF component
The ProDF component as proposed in this thesis has not been defined in the literature. We consider
the preparation of the organisation for the application of DF for investigative and non-investigative
purposes. We have formulated our ProDF component by defining ProDF and formulating goals, sub-goals
and related elements.
We are convinced that the successful implementation of the ProDF component will enable
organisations to realise the full potential of the implementation of DF tools in the organisation.
Contribution to BOK:
9.3.1.1 General ProDF
ProDF definition (par. 7.3)
The ProDF component with its goals, related sub-goals and elements (Figure 7-3).
[Figure 9-1: ProDF component. ProDF goal 1: Become DF-ready, with Sub-goal 1: Prepared infrastructure; Sub-goal 2: Maximise CDE availability; Sub-goal 3: Prepare responsible, competent employees; Sub-goal 4: Ensure a cost-effective investigation. ProDF goal 2: Implement and manage DF to improve governance programmes, with Sub-goal 1: Establish a DF management capability; Sub-goal 2: Apply DF to provide reasonable assurance regarding the achievement of organisational objectives.]
Figure 9-1 ProDF component (also Figure 7-3)
9.3.1.2 ProDF goal 1: Become DF-ready
The prepared infrastructure includes operational and investigation infrastructure (par.
7.3.1.1).
The operational infrastructure preparation includes the formulation of DF-sound SOPs,
configuration of infrastructure to enable the productive application of DF, and the
inclusion of DF requirements in the development of new systems and applications. The
digital forensic infrastructure should include the laboratory, admissible tools and
technologies, software and hardware. A backup policy and procedure for the DFI
laboratory is essential.
To maximise the CDE availability and to ensure the proactive identification of evidence
for specific risks or scenarios (par. 7.3.1.3) we have proposed an Evidence Management
Plan (EMP).
We proposed the construction of a risk profile that will expand the typical attack profile
by adding evidence elements and a rating for the completeness of the evidence set for
the specific risk or scenario (par. 7.3.1.3.3). We have organised the identified evidence
into an evidence index (par. 7.3.1.3.2). The EMP recommends the formulation of all
evidence-related policies and procedures and includes the legal, regulatory, judicial and
technical requirements of the identified evidence (par. 7.3.1.3.4).
The EMP is a completely new concept as it enables an organisation to determine the
comprehensiveness and availability of the evidential status of known risks or scenarios.
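The completeness rating that the EMP attaches to a risk profile can be computed from the evidence index once each required evidence element is listed with its legal and technical requirements. The following is an added example for this section, not code from the thesis. The thesis does not specify the rating algorithm, so the rule used here (the weighted share of required elements that are both available in the index and meet every stated requirement) is an assumption, as are the scenario, the element names, the weights and the requirement labels, which are all constructed sample values.

```python
"""Evidence-set completeness rating for an EMP risk profile (added example, not thesis code).

The thesis proposes a risk profile that extends the attack profile with the
evidence elements needed for a scenario and a rating for how complete that
evidence set is. The rating rule used here, the weighted share of required
elements that are both available in the evidence index and meet every
stated legal/technical requirement, is an assumption for illustration; the
thesis does not specify the algorithm.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Tuple


@dataclass(frozen=True)
class EvidenceElement:
    name: str
    weight: int                       # relative importance for proving the scenario (assumed 1..5 scale)
    requirements: Tuple[str, ...]     # requirements the source must meet to be admissible and useful


@dataclass(frozen=True)
class IndexEntry:
    available: bool                   # does the organisation actually collect and retain this source?
    satisfied: Tuple[str, ...]        # requirements the source currently satisfies


@dataclass(frozen=True)
class RiskProfile:
    scenario: str
    elements: Tuple[EvidenceElement, ...]


def element_status(elem: EvidenceElement, index: Mapping[str, IndexEntry]) -> str:
    """'complete', 'deficient' (present but a requirement is unmet) or 'missing'."""
    entry = index.get(elem.name)
    if entry is None or not entry.available:
        return "missing"
    unmet = [r for r in elem.requirements if r not in entry.satisfied]
    return "complete" if not unmet else "deficient"


def rate_profile(profile: RiskProfile, index: Mapping[str, IndexEntry]) -> Dict[str, object]:
    """Weighted completeness rating (0-100) plus the gaps that keep it below 100."""
    total = sum(e.weight for e in profile.elements)
    earned = 0
    gaps: List[Tuple[str, str]] = []
    for elem in profile.elements:
        status = element_status(elem, index)
        if status == "complete":
            earned += elem.weight
        else:
            gaps.append((elem.name, status))
    rating = round(100 * earned / total) if total else 0
    return {"scenario": profile.scenario, "rating_pct": rating, "gaps": gaps}


# Constructed sample: one scenario and the evidence index of a hypothetical organisation.
SAMPLE_PROFILE = RiskProfile(
    scenario="data exfiltration by e-mail (constructed)",
    elements=(
        EvidenceElement("mail server logs", 3, ("time-synchronised", "retained 12 months", "access-controlled")),
        EvidenceElement("web proxy logs", 2, ("time-synchronised", "retained 12 months")),
        EvidenceElement("workstation image", 3, ("write-blocked acquisition", "hashed on acquisition")),
        EvidenceElement("badge access records", 1, ("access-controlled",)),
    ),
)

SAMPLE_INDEX: Dict[str, IndexEntry] = {
    "mail server logs": IndexEntry(True, ("time-synchronised", "retained 12 months")),   # access control not yet in place
    "web proxy logs": IndexEntry(True, ("time-synchronised", "retained 12 months")),
    "workstation image": IndexEntry(True, ("write-blocked acquisition", "hashed on acquisition")),
    # badge access records are not in the index at all
}


def sample_assessment() -> Dict[str, object]:
    """Rate the constructed scenario against the constructed index."""
    return rate_profile(SAMPLE_PROFILE, SAMPLE_INDEX)


if __name__ == "__main__":
    result = sample_assessment()
    print(f"{result['scenario']}: {result['rating_pct']}% complete; gaps: {result['gaps']}")
```

The gap list is the useful output for the EMP: each "deficient" entry names a source the organisation already has but which would not carry evidentiary weight as collected, and each "missing" entry is a source the evidence-related policies and procedures still have to provide for.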
To prepare responsible and competent employees, we have proposed the formulation
of a DF education, training and awareness strategy with supporting accredited
programmes.
We highlight the importance of accrediting training programmes and the certification of
employees to improve the credibility of the investigator and evidence. We recommend
the formulation of a code of conduct for the application and use of DF tools and
technologies (par. 7.3.1.5).
To ensure a cost-effective investigation we recommended well-defined acceptable
investigation protocols, and the balancing of the cost of an investigation and the cost of
the incident.
DF requirements must be incorporated in the risk management and contingency
strategies, plans and policies of the organisation (par. 7.3.1.7).
9.3.1.3 ProDF goal 2: Implement and manage DF to improve governance programmes is a
unique contribution to the BOK for DF (par. 7.3.2).
ProDF goal 2 considers the application of DF tools and technologies for non-investigative
purposes. A successful implementation and management approach will be to:
formulate a DF strategy
establish a DF management capability by providing clear guidelines on how to include DF
in the organisational structures
specify how to include DF requirements in the contingency and risk management
strategy, plans, policies and procedures of the organisation, to ensure the admissibility
and availability of evidence, should an investigation be required
provide clear guidelines for the use of DF tools and techniques to provide reasonable
assurance for the achievement of organisational objectives – we focus on the application
of DF for non-investigation purposes.
9.3.2 ReDF component
The ReDF component is well defined and researched in the literature. We have identified
process- and role-based DF frameworks. We have formulated our ReDF component by defining
ReDF, formulated goals, and a ReDF protocol with six phases and related sub-goals and/or
steps. Our ReDF protocol is a process framework by which the result of a phase serves as input
to the next phase; however, it is possible to revert to a previous phase if it is required.
We are convinced that our ReDF protocol is more comprehensive than the DF frameworks
reviewed in Chapter 3, as we have included all possible activities from the various frameworks as
well as unique steps in our protocol.
Contribution to BOK:
ReDF definition and goals (par. 7.4).
We proposed the following ReDF protocol (Figure 9-2 – below) with six phases and related
steps:
Phase 1: Incident response and confirmation is part of the incident response plan of the organisation
and organisations should augment their plans to include the specified DF activities, policies and
procedures.
The protocol clearly indicates the activation of the ActDF component to acquire live evidence.
Include an appeal procedure in phase 5 (par. 7.4.5.3, p. 7-189).
9.3.3 ActDF component
We have identified the need for a technology independent ActDF framework in par. 6.3. We
have used the format of our ReDF protocol to propose the ActDF protocol. We have formulated
our ActDF component by defining ActDF, formulated goals and an ActDF protocol with four
Figure 9-2 ReDF protocol (also Figure 7-5)
[Figure 9-2: ReDF protocol. Phase 1: Incident response and confirmation; Phase 2: Physical investigation; Phase 3: Digital investigation (Sub-phase 1: Securing the evidence; Sub-phase 2: Evidence acquisition; Sub-phase 3: Analysis; Sub-phase 4: Service restoration); Phase 4: Incident reconstruction; Phase 5: Presentation of findings; Phase 6: Incident closure. ActDF is shown as activated from the protocol.]
phases and related sub-goals and /or steps (par. 6.7). Phase 1 of the ReDF and ActDF protocols is
a shared phase. The ActDF protocol will be activated if live evidence is required.
Contribution to BOK:
ActDF definition and goals
A unique ActDF protocol with four phases and related steps (Figure 9-3, below; also Figure 7-12):
The ActDF protocol is activated by specific pre-determined incidents or by the ReDF protocol
if live evidence is required.
Phase 4 is unique as the Incident closure phase is the consolidation of the live evidence
acquired and control is passed to the ReDF component to continue with the investigation.
9.3.4 Construction of our DFMF
To implement the CDF capability in an organisation, it will be necessary to determine exactly what to
do. To assist organisations with the formulation of strategies, plans, policies and procedures, the
preparation of the operational and investigation infrastructure and a competent HR capacity, we
have identified typical to-do activities after each component of the CDF capability in Chapter 7. None
of the researched DF frameworks provides this level of guidance or detail to assist with the
implementation or management of DF in an organisation.
Figure 9-3 ActDF protocol (also Figure 7-12)
[Figure 9-3: ActDF protocol. Phase 1: Incident response and confirmation (1); Phase 2: ActDF digital investigation (Sub-phase 1: Evidence acquisition; Sub-phase 2: Analysis); Phase 3: Incident reconstruction; Phase 4: Incident closure (2), from which control passes to ReDF Phase 2: Physical investigation, ReDF Phase 3: Digital investigation, ReDF Phase 4: Incident reconstruction, ReDF Phase 5: Presentation of findings and ReDF Phase 6: Incident closure. Please note: Phase 1: Incident response and confirmation is a common phase between ReDF and ActDF.]
In Chapter 8, we categorised the consolidated to-do list from Chapter 7, using the dimensions of DF
(legal and judicial, governance, policy, process, people and technology). We used the relationship
between the dimensions of DF to propose a concept DF implementation and management
framework (DFMF). There is no DF framework available in the literature that provides the level of
detail of precisely what to formulate to establish and manage a CDF capability in an organisation.
Our CDF capability and associated DFMF provide organisations with a complete guide to prepare
organisations successfully and to manage and apply DF in an organisation for investigative and non-
investigative purposes. The result will be that organisations will be able to apply DF tools and
techniques to (par. 2.5.3):
investigate incidents, fraud or employee behaviour
ensure the availability of good, admissible digital evidence
assess effectiveness and efficiency of controls or procedures
measure legal or regulatory compliance
use DF tools for non-investigative purposes to improve IT and Info Sec governance structures
and performance.
Contribution to BOK:
A concept DFMF that provides a structured approach to implementing and managing our
CDF capability.
Detailed deliverable lists in terms of legal and judicial, governance, policy, procedure, people
and technology perspectives.
The DFMF encapsulates the relationship between the deliverables.
9.4 POTENTIAL CHALLENGES TO THE APPLICATION OF OUR CDF CAPABILITY AND
DFMF
Our CDF capability and DFMF are theoretical frameworks and have not been tested in a real life
environment. To evaluate the CDF capability and DFMF we use Casey’s criteria for a DF
framework in Table 9.1 (below):
Table 9.1 Evaluation of our CDF capability and DFMF (by author)
Columns: Requirement by Casey (Casey, 2004) / Evaluation / Result
Requirement: Accepted - determine if professional steps and methods from the literature have been used for the formulation of the framework.
Evaluation: We have applied steps and methods from the literature to formulate the CDF capability and the DFMF.
Result: Meets requirement
Requirement: Reliable - determine if the framework recommends the use of proven methods.
Evaluation: The DFMF recommends the use of proven methods, admissible tools and competent investigators.
Result: Meets requirement
Requirement: Repeatable - determine if the process can be repeated to provide the same result.
Evaluation: Any process is repeatable, as the framework will prescribe the same deliverable for a specific need.
Result: Meets requirement
Requirement: Ensure integrity - provide evidence that can be trusted.
Evaluation: All evidence requirements have top priority in the CDF capability and the DFMF. The EMP will ensure the availability and integrity of all digital evidence.
Result: Meets requirement
Requirement: Can determine cause and effect - determine if there is a logical connection between the suspected individual, events and evidence.
Evaluation: The ReDF component goal 1 is to investigate an incident successfully. To achieve this goal it is essential to acquire the relevant CDE to determine the root cause of the incident, link the perpetrator to the incident, and present the case successfully.
Result: Meets requirement
Requirement: Ensure that documentation exists - including the recording of all testamentary evidence.
Evaluation: The CDF capability explicitly includes the documentation for all phases of the investigation protocols.
Result: Meets requirement
9.5 FUTURE RESEARCH OPPORTUNITIES
We have identified the following future research opportunities:
Use our CDF capability and determine the DF readiness of organisations in South Africa.
Determine how well organisations are prepared for DF (evaluate the ProDF component).
Expand on the evidence management plan to assess the comprehensiveness of an evidence
set to incorporate more attributes in the algorithm.
Determine the relationship between e-discovery and the application of DF tools and
technologies.
Incorporate measurable attributes to the deliverables to enable management of our CDF
capability.
Refine and conduct further research on the DFMF to provide a comprehensive framework
for implementation and management of our CDF capability.
Develop a user-friendly application for DFMF (dashboard) that management can use.
9.6 ACHIEVEMENT OF THE OBJECTIVE OF THESIS
In this thesis, we have developed a holistic, theoretical DF Management Framework (DFMF) to
implement and manage an effective CDF capability in an organisation and have therefore achieved
the objective (par. 1.5). Table 9.2 (below) provides a summary with references to the chapters of the
achievement of the sub-objectives as stated in Chapter 1.
Table 9.2 Summary of the achievement of the sub-objectives of the thesis
Columns: Sub-objective / Chapter / Status of the sub-objective
Sub-objective: Provide background to DF (par. 1.5.1)
    Define DF
    Discuss driving factors for DF
    Discuss cybercrime and digital evidence
    Propose our Comprehensive DF (CDF) capability
Chapter: Chapter 2
Status: Fully addressed
Sub-objective: Provide background to our CDF capability (par. 1.5.2)
    Identify, discuss and compare various DF frameworks
    Use the comparison of the DF frameworks and views of DF readiness to propose the formulation of a preparation (proactive) DF component (ProDF) with goals and steps
    Use the comparison of the DF frameworks to propose the formulation of a post-incident investigation (reactive) DF component (ReDF) with goals and steps
    Use the comparison and investigate live and real-time investigation practices and frameworks to formulate a live (active) DF component (ActDF) with DF goals and steps
Chapter: Chapters 3, 4, 5, 6
Status: Fully addressed
Sub-objective: Formulate our CDF capability (par. 1.5.3)
    Expand on the identified phases and steps for each component to formulate our CDF capability and identify to-do lists for the CDF capability
    Discuss the relationship between the defined components of our CDF capability
    Consolidate the to-do lists to assist management to implement the CDF capability
Chapter: Chapter 7
Status: Fully addressed
Sub-objective: Construct our holistic, theoretical implementation and management DF framework (DFMF) (par. 1.5.4)
    Use the consolidated to-do list as a basis for the formulation of the DFMF
    Identify deliverables to implement and manage for each component of our CDF capability. The deliverables will be used to formulate the DFMF
    Use the dimensions of DF to categorise the identified deliverables
    Use the relationship between the dimensions of DF to construct the holistic, comprehensive DF implementation and management framework (DFMF)
    Ensure that our DFMF is easy to use, as it should be able to provide management with a high-level overview of ‘what to do, who should do it, how to do it’
Chapter: Chapter 8
Status: Fully addressed
Sub-objective: Identify challenges to the implementation of our DFMF and further research opportunities (par. 1.5.5)
Chapter: Chapter 9
Status: Fully addressed
In summary, the thesis has addressed the problem statement that no holistic DF framework exists
to manage and implement a DF capability in an organisation by the proposal of the CDF capability
and the DFMF. We have assessed all the sub-objectives of the thesis and have determined that we
have addressed them all. We have therefore met the objective of the thesis as we have developed a
holistic, theoretical DF Management Framework (DFMF) to implement and manage an effective CDF
capability in an organisation.
We are confident that we have made a substantial contribution to the BOK for DF. If organisations
implement our CDF capability they will be able to realise the full value of DF, as evidence will be
available, processes sound and the evidence acquired can enable organisations to conduct effective
investigations successfully, and demonstrate due diligence with respect to good governance and
improving governance frameworks of the organisation.
DF will become the lifeline (survival tool) for organisations to ensure the availability
of CDE in a competitive world where good governance is a priority and cybercriminals
will exploit all vulnerabilities to launch cyberattacks (by author).
246 | P a g e Bibliography