Importance of Digital Forensics Process Models: Some Examples

By David Begg on May 3, 2024

Introduction

The field of digital forensics faces many challenges. One of the most important is the lack of widely accepted standards, both for the procedures of an investigation and for assessing an organization's capability to support one. This lack of standardization costs efficiency and time in conducting investigations, and it also risks losing critical evidence and knowledge that could be applied to future investigations and to the development of the field as a whole. The field needs both general models that cover the broad process of an investigation and specific models that guide how investigators should handle particular kinds of technologies and devices. This report covers some recent models that have been proposed and developed to address these needs.

The Need for Digital Forensics Models

As computing and networking technologies advance and proliferate, the field of digital forensics must grow with them if it is to keep up with the increasing volume and sophistication of cyber-focused or cyber-assisted threats. One of the biggest challenges facing digital forensics is the lack of standards, both for determining an organization's security stance and capability and for the handling of digital evidence, generally and for specific types of evidence, especially in newer and emerging technologies (e.g., mobile devices, smart/Internet of Things (IoT) devices, cloud services) [3, 4]. Research in the field has tended to focus on issues within specific topics rather than issues that cut across multiple areas, which suggests low collaboration and potentially missed knowledge and courses of action that could be generalized across those areas [3]. In turn, organizations generally lack the capacity to prepare for or handle situations that require digital forensic procedures, which can result in the loss of evidence and of knowledge about an incident, including through anti-forensic measures the perpetrators may have implemented [2, 4, 6]. As such, there is a need both for general models of procedure that govern broad aspects of how digital forensics should be conducted and for technology-specific models that guide how evidence is collected from particular types of technology, taking into account the unique complexities and challenges associated with them.

General Models

General models of digital forensic investigation exist either to guide the common procedures undertaken during most if not all investigations, regardless of the technology involved in an incident, or to evaluate the security stance of an organization with regard to how it would handle a situation that demands a digital forensic investigation. In the former case, they govern what courses of action investigators, first responders, and organizations should take when encountering and handling potential sources of digital evidence, with the primary goal of preserving the evidence and maintaining its validity as far as possible so that it can be analyzed, interpreted, and used properly [4, 6].

Models in the procedure category focus on creating a standardized procedural framework for the digital forensic investigation as a whole. To this end, Thakar et al. propose the Next Generation Digital Forensic Investigation Model (NGDFIM) [7]. They posit that this model, once fully developed and realized, will not only provide a standardized evidence collection and analysis process but also streamline evidence collection, making it faster and more efficient than typical current investigative processes. It does so by setting out a three-phase investigative process, 1) on-site triage, 2) analysis, and 3) presentation, where each phase has a decision flowchart that dictates the actions responders and investigators should take when confronted with a source of digital evidence, depending on the circumstances [7]. For example, in the triage phase, if a powered-on and active portable device is found, personnel should determine whether live acquisition is possible; if it is, they capture the physical memory and record its hash value, and if not, the device is shut down. All branches end at the same final step: collecting the device as evidence for further analysis [7].
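The triage branch above can be written down as a small state machine, which makes the decision path and the acquisition hash part of the same record. The following is an added example, not code from Thakar et al. or the NGDFIM paper: it encodes the powered-on / live-acquisition-possible branches, hashes the acquired image chunk by chunk as it is captured, and re-verifies a copy of the image against that hash later. The `DeviceState` fields, the `acquire_memory` callable standing in for the responder's acquisition tool, and the sample "memory image" bytes are all constructed assumptions for illustration.

```python
"""Added example (not from Thakar et al. / NGDFIM): on-site triage decision
flow for a portable device plus hash-at-acquisition and later verification.
Device identifiers, the acquisition callable and the sample image are
constructed for illustration only."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass
class DeviceState:
    identifier: str                   # evidence tag; constructed, not a real case number
    powered_on: bool
    live_acquisition_possible: bool   # determined by the responder on site


@dataclass
class AcquisitionRecord:
    identifier: str
    actions: List[str] = field(default_factory=list)
    image_sha256: Optional[str] = None
    image_bytes: int = 0
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def sha256_stream(chunks: Iterable[bytes]) -> Tuple[str, int]:
    """Hash an image chunk by chunk, as a capture tool would while writing it,
    rather than re-reading the whole image afterwards. Returns (hexdigest, size)."""
    h = hashlib.sha256()
    total = 0
    for chunk in chunks:
        h.update(chunk)
        total += len(chunk)
    return h.hexdigest(), total


def triage(device: DeviceState,
           acquire_memory: Callable[[], Iterable[bytes]]) -> AcquisitionRecord:
    """Triage branch from the text: powered on and live acquisition possible ->
    capture physical memory and record its hash; powered on but not possible ->
    power down; every branch ends with collecting the device.
    `acquire_memory` (assumed) returns the captured image as byte chunks."""
    rec = AcquisitionRecord(identifier=device.identifier)
    if device.powered_on and device.live_acquisition_possible:
        rec.actions.append("live acquisition: capture physical memory")
        rec.image_sha256, rec.image_bytes = sha256_stream(acquire_memory())
        rec.actions.append(f"record hash sha256={rec.image_sha256}")
    elif device.powered_on:
        rec.actions.append("live acquisition not possible: power device down")
    else:
        rec.actions.append("device found powered off: leave it off")
    rec.actions.append("collect device for laboratory analysis")
    return rec


def verify_image(record: AcquisitionRecord, chunks: Iterable[bytes]) -> bool:
    """Re-hash a copy of the image later (e.g. in the lab) and compare it with the
    hash and size taken at acquisition; a mismatch means the copy is not the evidence."""
    if record.image_sha256 is None:
        return False
    digest, size = sha256_stream(chunks)
    return digest == record.image_sha256 and size == record.image_bytes


# Constructed sample "memory image": three 4 KiB chunks of a byte ramp.
SAMPLE_IMAGE = [bytes(i % 256 for i in range(4096)) for _ in range(3)]


if __name__ == "__main__":
    dev = DeviceState("EX-001", powered_on=True, live_acquisition_possible=True)
    record = triage(dev, lambda: iter(SAMPLE_IMAGE))
    print(json.dumps(asdict(record), indent=2))
    print("copy verifies:", verify_image(record, iter(SAMPLE_IMAGE)))
    print("truncated copy verifies:", verify_image(record, iter(SAMPLE_IMAGE[:2])))
```

The size is recorded alongside the digest so that a truncated or padded copy fails verification even before anyone inspects it; in practice the record would be written to the chain-of-custody log at the moment of acquisition, not reconstructed later.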

In the organizational evaluation category, a set of models focuses on the concept of digital forensic readiness. This concept overlaps with the overall readiness of an organization to identify and respond to cyber incidents, and a lack of digital forensic readiness means not only an inability to detect incidents but also a potential loss of knowledge associated with such incidents, and thus an overall decrease in future incident handling capability [2, 4]. Proposed digital forensic readiness models take a proactive stance, with a focus on enabling organizations to gather digital evidence in a cost-effective manner and produce actionable threat intelligence that security personnel can use [2, 4]. Bankole et al. and Englbrecht et al. propose maturity models; models of this kind examine organizational processes and resources in order to measure digital forensic readiness so that the organization can adjust accordingly [2, 4]. Englbrecht et al. in particular endorse the concept of the capability maturity model, which measures both the organization's overall level of digital forensic readiness (maturity) and the status of the objectives and activities required to reach that maturity level (capability) [4].

Technology-Specific Models

While generalized models and standards are needed, so too are models for dealing with specific types of technology, as the intricacies of particular devices and types of evidence inevitably call for specialized handling techniques. Mobile devices, smartphones, IoT devices, and drones are examples of devices that serve as sources of digital evidence but also pose unique problems to investigators; if responders and investigators are not prepared to deal with them, the evidence on them can be compromised or lost. Two specific technologies, drones and IoT devices, are used as examples here.

Alotaibi et al. propose a model specifically for dealing with Unmanned Aerial Vehicles (UAVs), commonly known as drones, when they are involved in an incident [1]. The proposed drone forensics (DRF) model outlines the process of dealing with drones in four stages: 1) preparation, 2) collection, 3) analysis, and 4) documentation [1]. Each stage details specific steps and procedures that must be undertaken in order to successfully capture a drone and analyze it for evidence. For example, in the preparation stage, the drone is at risk of being intercepted by bystanders or perpetrators, so it is necessary to secure the area where the drone is suspected to be in order to minimize this possibility; it is also important to visually monitor and record both the area and the drone itself, as the location the drone has operated in can provide contextual information that may affect how evidence is analyzed [1]. It is also important to capture all the hardware associated with the drone so that it can be properly identified and the appropriate data extraction tools used; some drones rely on cellular towers, Wi-Fi access points, or other external communication equipment for control and data collection, which makes identification critical to isolating what the drone has interacted with [1].

The increasing ubiquity and diversity of IoT devices means not only that such devices will be more and more commonly involved in cyber incidents, but also that how they are handled must be continuously reassessed. Fagbola and Venter propose a digital forensic readiness model, Shadow Internet of Things Digital Forensic Readiness (SIoTDFR), specifically for dealing with shadow IoT devices [5]. Shadow IoT devices are IoT devices that connect to a network without the knowledge of the network owner or security team, and they can then be used to facilitate attacks on that network through exploitation of the device itself [5]. Typical digital forensics procedures may not be capable of effectively collecting evidence from IoT devices, often because of the large amount of resources required to collect data from an IoT network and the short lifespan, and therefore short collection window, of evidence stored on the devices [5]. SIoTDFR is a multistage model with the following stages: A) device connection, B) device identification, C) shadow device monitoring, D) digital evidence gathering, E) digital evidence preservation, and F) digital evidence storage [5]. The critical stages in this model are C and D, where a shadow device has been positively identified and must be observed with regard to how it interacts with the network and the other devices on it; special procedures take place at this point to determine in-depth characteristics of the device, and to capture and log data where possible and necessary [5].
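A concrete version of the device connection, device identification, and monitoring stages is a detection pass over the network's own lease records: every new DHCP lease is a "device connection", and a lease for a hardware address missing from the asset inventory is a candidate shadow device. The following is an added example, not code from Fagbola and Venter or the SIoTDFR paper. It runs over constructed DHCP lease log lines in a dnsmasq-like layout, flags the MACs absent from a constructed inventory, uses a constructed OUI-to-vendor table as a lead for identification, and opens a monitoring plan for each flagged device that starts with traffic capture, since evidence on the device itself may be short-lived. The log format, inventory, OUI table and hostnames are all assumptions for illustration.

```python
"""Added example (not from Fagbola & Venter / SIoTDFR): identify shadow IoT
devices from DHCP lease lines and open a monitoring record for each.
The log lines, inventory and OUI table are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed DHCP lease lines (dnsmasq-like layout, assumed; not a real capture).
SAMPLE_LOG = """\
Mar 03 09:12:01 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.20.14 3c:22:fb:aa:01:10 laptop-sec01
Mar 03 09:12:44 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.20.77 b8:27:eb:12:34:56 raspberrypi
Mar 03 09:13:02 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.20.78 ec:fa:bc:77:88:99 ESP_778899
Mar 03 09:15:10 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.20.77 b8:27:eb:12:34:56 raspberrypi
Mar 03 09:16:30 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.20.15 3c:22:fb:aa:01:11 printer-3f
"""

# Known-asset inventory (constructed): MAC -> owner / description.
INVENTORY = {
    "3c:22:fb:aa:01:10": "corporate laptop, IT",
    "3c:22:fb:aa:01:11": "floor 3 printer, Facilities",
}

# OUI prefix -> vendor hint (constructed subset; a real deployment would
# load the IEEE OUI registry instead).
OUI_HINTS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "ec:fa:bc": "Espressif (ESP32/ESP8266 modules)",
}

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*DHCPACK\((?P<iface>[\w.-]+)\) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?$"
)


@dataclass
class ShadowDevice:
    mac: str
    first_seen: str
    vendor_hint: str
    hostnames: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)
    leases: int = 0


def parse_lease(line: str) -> Optional[dict]:
    """Stage A (device connection): one DHCPACK line -> lease fields, or None."""
    m = LEASE_RE.match(line.strip())
    return m.groupdict() if m else None


def identify_shadow_devices(log_text: str,
                            inventory: Dict[str, str]) -> Dict[str, ShadowDevice]:
    """Stage B (device identification): a MAC that is not in the inventory is a
    shadow device. The OUI vendor hint is only a lead; deeper identification
    happens during monitoring. Repeated leases for one MAC are merged."""
    shadows: Dict[str, ShadowDevice] = {}
    for line in log_text.splitlines():
        lease = parse_lease(line)
        if lease is None or lease["mac"] in inventory:
            continue
        mac = lease["mac"]
        dev = shadows.get(mac)
        if dev is None:
            dev = ShadowDevice(mac=mac, first_seen=lease["ts"],
                               vendor_hint=OUI_HINTS.get(mac[:8], "unknown OUI"))
            shadows[mac] = dev
        dev.leases += 1
        if lease["ip"] not in dev.ips:
            dev.ips.append(lease["ip"])
        if lease["host"] and lease["host"] not in dev.hostnames:
            dev.hostnames.append(lease["host"])
    return shadows


def monitoring_plan(dev: ShadowDevice) -> List[str]:
    """Stage C (shadow device monitoring): what to capture for a flagged device.
    Traffic capture comes first because on-device evidence may be short-lived."""
    return [
        f"start packet capture for host {dev.ips[-1]} (mac {dev.mac})",
        f"record switch port / AP association for {dev.mac}",
        f"fingerprint services on {dev.ips[-1]} (vendor lead: {dev.vendor_hint})",
        "hash and archive capture files as they roll over",
    ]


if __name__ == "__main__":
    for mac, dev in identify_shadow_devices(SAMPLE_LOG, INVENTORY).items():
        print(mac, dev.vendor_hint, dev.hostnames, dev.ips, f"leases={dev.leases}")
        for step in monitoring_plan(dev):
            print("   -", step)
```

On the constructed input this flags two devices, the Raspberry Pi (seen twice, merged into one record) and the Espressif module, and leaves the two inventoried assets alone. The inventory lookup is by MAC only; a device that spoofs a known MAC would evade this pass, which is one reason the monitoring stage also records the switch port or access point the device is associated with.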

Conclusion

In the field of digital forensics there is a strong need for standardized general models governing how investigations should be carried out and how the overall security stance of an organization should be judged, as well as for procedures for handling special kinds of devices that may be involved in a cyber incident. Implementation of these models will lead to increased efficiency, less time spent on investigations, more potential for evidence to be found and used, and a lower likelihood of evidence being lost or compromised. The models examined here are only a few examples, and further development of these and other models will be necessary for the field of digital forensics to resolve future incidents effectively.

References

[1] Alotaibi, F., Al-Dhaqm, A., & Al-Otaibi, Y. D., "A Conceptual Digital Forensic Investigation Model Applicable to the Drone Forensics Field," 2023. https://etasr.com/index.php/ETASR/article/view/6195

[2] Bankole, F., Taiwo, A., & Claims, I., "An extended digital forensic readiness and maturity model," 2022. https://www.sciencedirect.com/science/article/abs/pii/S2666281722000178

[3] Casino, F., Dasaklis, T. K., Spathoulas, G. P., Anagnostopoulos, M., Ghosal, A., Borocz, I., Solanas, A., Conti, M., & Patsakis, C., "Research Trends, Challenges, and Emerging Topics in Digital Forensics: A Review of Reviews," 2022. https://ieeexplore.ieee.org/document/9720948

[4] Englbrecht, L., Meier, S., & Pernul, G., "Towards a capability maturity model for digital forensic readiness," 2020. https://www.proquest.com/docview/2162261436?sourcetype=Scholarly%20Journals

[5] Fagbola, F. I., & Venter, H. S., "Smart Digital Forensic Readiness Model for Shadow IoT Devices," 2022. https://www.mdpi.com/2076-3417/12/2/730

[6] Mothi, D., Janicke, H., & Wagner, I., "A novel principle to validate digital forensic models," 2020. https://dora.dmu.ac.uk/server/api/core/bitstreams/9d95f5dc-96e0-4bc8-b463-2d39812b0471/content

[7] Thakar, A. A., Kumar, K., & Patel, B., "Next Generation Digital Forensic Investigation Model (NGDFIM) – Enhanced, Time Reducing and Comprehensive Framework," 2021. https://iopscience.iop.org/article/10.1088/1742-6596/1767/1/012054