Forensic Focus
The Enhanced Digital Investigation Process Model

Page: 1/4
Venansius Baryamureeba and Florence Tushabe
barya@ics.mak.ac.ug, tushabe@ics.mak.ac.ug

Institute of Computer Science, Makerere University
P.O.Box 7062, Kampala Uganda
www.makerere.ac.ug/ics

May 27, 2004

Abstract

Computer crimes are on the rise and, unfortunately, less than two percent of the reported cases result in conviction. The process (methodology and approach) one adopts in conducting a digital forensics investigation is crucial to the outcome of that investigation. Overlooking one step or interchanging any of the steps may lead to incomplete or inconclusive results, and hence to wrong interpretations and conclusions. A computer crime culprit may walk scot-free, or an innocent suspect may suffer negative consequences (monetary and otherwise), simply on account of a forensics investigation that was inadequate or improperly conducted. In this paper, we present a brief overview of forensic models and propose a new model based on the Integrated Digital Investigation Model.

Keywords: Computer Forensics, Crime Scene Investigation, Forensic Process Model, Abstract Digital Forensic Model, Integrated Digital Investigation Model.

1 Introduction

Computer forensics emerged in response to the escalation of crimes committed by the use of computer systems, either as the object of a crime, as an instrument used to commit a crime, or as a repository of evidence related to a crime. Computer forensics can be traced back to as early as 1984, when the FBI laboratory and other law enforcement agencies began developing programs to examine computer evidence. Research groups such as the Computer Analysis and Response Team (CART), the Scientific Working Group on Digital Evidence (SWGDE), the Technical Working Group on Digital Evidence (TWGDE) and the National Institute of Justice (NIJ) have since been formed to discuss computer forensic science as a discipline, including the need for a standardized approach to examinations [2].

Digital forensics has been defined as the use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or of helping to anticipate unauthorized actions shown to be disruptive to planned operations [3]. One important element of digital forensics is the credibility of the digital evidence. Digital evidence includes computer evidence, digital audio, digital video, cell phones, digital fax machines, etc. Legal settings require evidence to have integrity, authenticity, reproducibility, non-interference and minimization.

Since computer forensics is a relatively new field compared to other forensic disciplines, which can be traced back to the early 1920s, there are ongoing efforts to develop examination standards and to provide structure to computer forensic examinations. This paper attempts to address the methodology of a computer forensic investigation.

2 Previous work

Computer and network forensics methodologies consist of three basic components that Kruse and Heiser [4] refer to as the three A's of computer forensics investigations: acquiring the evidence while ensuring that its integrity is preserved; authenticating the validity of the extracted data, which involves making sure that it is as valid as the original; and analyzing the data while keeping its integrity. Process models that take these three factors into consideration include the Forensics Process Model [5], the Abstract Digital Forensics Model [6] and the Integrated Digital Investigation Model [7].
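As an added illustration of the three A's (example code, not part of the paper): a minimal Python acquire-authenticate-analyze flow over a constructed sample medium, which records hashes at acquisition, refuses to analyze an image that no longer authenticates, and re-checks the image after the search so that analysis never silently works on altered data.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample medium standing in for a seized drive (not real evidence).
SAMPLE_SOURCE = b"bootsector|user note: wire 5000 to acct|deleted: wire sent"


def digest(data: bytes) -> str:
    """SHA-256 hex digest, used as the integrity reference for a piece of evidence."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Acquisition:
    """Recorded at acquisition time: original's hash, the image, the image's hash."""
    source_hash: str
    image: bytes
    image_hash: str


def acquire(source: bytes) -> Acquisition:
    """Acquire: hash the original first, duplicate it, then hash the duplicate."""
    source_hash = digest(source)
    image = bytes(source)  # duplicate; bytes are immutable, so the original is never written to
    return Acquisition(source_hash, image, digest(image))


def authenticate(acq: Acquisition) -> bool:
    """Authenticate: usable only if the recomputed hash still matches the recorded
    image hash and the recorded hash of the original (i.e. as valid as the original)."""
    return digest(acq.image) == acq.image_hash == acq.source_hash


def analyze(acq: Acquisition, pattern: bytes) -> list[int]:
    """Analyze: search a working copy so the authenticated image stays intact, and
    refuse to report results if authentication fails before or after the search."""
    if not authenticate(acq):
        raise ValueError("image failed authentication; analysis would be inconclusive")
    working = bytearray(acq.image)
    hits, start = [], 0
    while (idx := working.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    if not authenticate(acq):
        raise ValueError("image changed during analysis; results cannot be trusted")
    return hits  # byte offsets of every occurrence of the pattern


def tampered(acq: Acquisition, offset: int, new_byte: int) -> Acquisition:
    """Constructed failure case: one image byte altered after acquisition, hashes unchanged."""
    image = bytearray(acq.image)
    image[offset] = new_byte
    return Acquisition(acq.source_hash, bytes(image), acq.image_hash)
```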

2.1 The Forensics Process Model

The U.S. Department of Justice published a process model in Electronic Crime Scene Investigation: A Guide for First Responders [5] that consists of four phases:

1. Collection, which involves evidence search, evidence recognition, evidence collection and documentation.
2. Examination, which is designed to make evidence visible while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation.
3. Analysis, which looks at the product of the examination for its significance and probative value to the case.
4. Reporting, which entails writing a report outlining the examination process and the pertinent data recovered from the overall investigation.

The analysis phase of this model is poorly defined and ambiguous. For instance, it emerges as an interpretation of the results from the examination phase, and in doing so confuses analysis with interpretation, despite these being two distinct processes.

2.2 The Abstract Digital Forensics Model

The Abstract Digital Forensics model [6] proposes a standardized digital forensics process that consists of nine components:

1. Identification, which recognizes an incident from indicators and determines its type.
2. Preparation, which entails preparing tools, techniques, search warrants, monitoring authorizations and management support.
3. Approach strategy, which develops a procedure to maximize the collection of untainted evidence while minimizing the impact on the victim.
4. Preservation, which involves isolating, securing and preserving the state of physical and digital evidence.
5. Collection, which entails recording the physical scene and duplicating digital evidence using standardized and accepted procedures.
6. Examination, which involves an in-depth systematic search for evidence relating to the suspected crime.
7. Analysis, which involves determining the significance of the evidence, reconstructing fragments of data and drawing conclusions based on the evidence found.
8. Presentation, which involves summarizing and explaining the conclusions.
9. Returning evidence, which ensures that physical and digital property is returned to its proper owner.

Although this model is generally a good reflection of the forensic process, it is open to at least one criticism. Its third phase (the approach strategy) is to an extent a duplication of its second phase (preparation), because at the time of responding to a notification of the incident, identifying the appropriate procedure will likely entail determining the techniques to be used.