2018 International Conference on Computational Science and Computational Intelligence (CSCI)

Digital Forensic Process Model for Information System and Network Security Management

Ifeoma U. Ohaeri (1), Bukohwo M. Esiefarienhe (2)
Computer Science Department, North-West University Mafikeng, North-West Province, South Africa
*Contact author: oh.ifeoma@yahoo.com; Michael.Esiefarienrhe@nwu.ac.za

Abstract— The huge dependence on systems and networks for effective operation at all levels has heightened the rate of systems and networks attacks. Attackers launch attacks without the fear of their actions being traceable. This has made safety and security a global concern. There is a need to revolutionize security measures consistently in order to effectively combat cyber-attacks and crimes by designing a Digital Forensic process model with the various relevant phases that can be used to extract digital evidence by investigating digital information produced, stored, or transmitted by computers or electronic devices for legal proceedings. This measure will greatly improve cyber security and combat cybercrimes.

Keywords—system; network; digital forensic; cyber-security; cybercrime.

I. INTRODUCTION

Forensic science applies the full range of science to questions of interest in the legal system, usually relating to criminal and civil action cases. It is necessary for the smooth processing of the criminal justice system, especially for combating crime and terrorism.

The Digital Forensics Research Workshop (DFRWS) defined Digital Forensics as the use of methods derived and proven scientifically towards the preserving, collecting, validating, identifying, analyzing, interpreting, documenting, and presenting of digital evidence obtained from digital sources of incidents discovered to be criminal or that disrupted operations as planned. This definition embraces the wide aspects of digital forensics, beginning from data acquisition to the stage of legal actions. The process begins by acquiring and collecting data and information from the suspect system or crime scene. It basically involves critical examination of the acquired data in order to identify evidence. Therefore, the digital forensic process can be referred to as a measure of identifying digital evidence which is scientifically obtained using proven procedures and can be used in facilitating or reconstructing events during an investigation period [1].

Obviously, like any other investigation of events, to find the truth data must be identified in order to either verify existing data and theories or to contradict them. Before evidence can be extracted from collected data, the data must be thoroughly analyzed and identified. The task or challenge of digital forensic analysis is to identify the necessary evidence for legal proceedings in court [2].

Therefore, digital forensics specifies how results can be gathered from an investigation or examination and critically analyzed in order to derive useful responses and conclusions to the issues or questions reported from previous stages. Digital forensic analysis indicates the stages involved in the analysis of the product of an investigation/examination. It provides probative and significant value to a case. Typically, this is where cases are resolved. The product of this phase can result in more examination/investigation or draw a conclusion.

Nowadays, computers and other digital devices are everywhere. They have also become quite vulnerable in our modern society as they become heavily involved in crime. Beginning from the late 1970s the rate of crime that involves computers has grown rapidly. This creates a need for consistency in the analysis of digital forensic processes and practices in order to keep abreast of the needs of the field and acknowledge new innovations in the field. The digital forensics field has grown rapidly in popularity and support due to the rate at which it is being recognized and accepted in courts. There is a need for consistent ongoing analysis of the forensic process and procedure so as to maintain its effectiveness in security measurement [3].

Hence, in this paper we designed a digital forensic model as an analysis platform in digital forensic technology. The components of the DF model are discussed extensively and methodically. Its various stages can be applied and implemented as an accepted security mechanism in digital forensic technology.

II. DIGITAL FORENSIC PROCESS ANALYSIS MODEL

In 2001, the Digital Forensics Research Workshop [DFRW] [4] proposed a process for digital investigations that involves the following six stages, as shown in the figure below.

The forensic process basically involves four stages: collection, examination, analysis and reporting, as earlier specified. Although identification and preservation are included in the process diagram, they are not part of the basic phases involved in the forensic process.

978-1-7281-1360-9/18/$31.00 ©2018 IEEE 65


DOI 10.1109/CSCI46756.2018.00020

Authorized licensed use limited to: University of Canberra. Downloaded on July 26,2020 at 19:18:27 UTC from IEEE Xplore. Restrictions apply.
I. Identification is the process of recognizing an incident from indicators and determining its type. It is not explicitly within the field of forensics, but it is included because it impacts other steps. In some digital forensic processes and models it is not included.

II. Preservation is the process of isolating, securing, and preserving the state of physical and digital evidence. This involves preventing people from further use of the digital or electronic devices which are connected to an affected device or network.

III. Collection is the process of identifying, isolating, labelling, recording and collecting data and other physical evidence relating to the incident under investigation, while establishing and maintaining the integrity of the evidence through the chain of custody.

IV. Examination is the process of identification and extraction of relevant information from the collected data using appropriate forensic tools and techniques while continuing to maintain the integrity of the evidence.

V. Analysis is the process of deriving useful/appropriate answers to questions that were presented from the previous phases of the forensic process. This is the main focus of this paper.

VI. Reporting is the process of reporting the results of the analysis phase, which includes the following: findings which are relevant to the case; actions that were performed; actions that were left to be performed; and recommendations of improvements to procedures and tools.

This section on the analysis of the digital forensic process reports the design of a digital forensic process framework as a platform to analyze the digital forensic process. The components of the Digital Forensic (DF) process model are discussed extensively and methodically, as the various stages applied in digital forensic technology enable its implementation as a widely accepted security mechanism. This analysis emphasizes that digital forensic technology is an effective tool to enhance information security and network management.

The digital forensic process transforms systems and networks into digital evidence whenever information is required by law enforcement agents or by organizations for internal use. There can be several forensic processes depending on the kind of investigation that is to be performed. The entire purpose of the Digital Forensic Process Analysis Framework (DFPAF) is to follow a process which extracts systems' or networks' information and transforms it into an understandable and useful form, using a forensic tool, for the law enforcement agencies, organizations or institutions that requested it [5].

The digital forensic analysis framework designed and shown in Figure 1 provides a simple and coherent manner of discussing the stages of the digital forensic process in this paper. It reflects the overall principles of the forensic methodology. Several forensic frameworks exist but primarily differ based on the type of investigation and analysis to be performed. For example, the Digital Forensics Research Workshop in 2001 presented a proposal on the process for digital investigations that included six steps, as shown in the figure below: Identification, Preservation, Collection, Examination, Analysis, and Reporting. Basically, their forensic process involved four stages, collection, examination, analysis and reporting, as earlier specified; they included identification and preservation in their process diagram but, according to them, these are not part of the basic stages involved in the process [6].

However, in order to discuss the analysis of digital forensic technology in this paper, we mainly utilize the DF process framework shown in Figure 1 below. The significance of this is that every institution and organization is expected to specify the framework that is most appropriate for the particular need they intend to address. The figure depicts the several phases involved in the process framework designed for the digital forensic process analysis section of this paper.

Fig. 1: Digital Forensic Process Model

The process/methodology as shown in our framework entails that the forensic examiner should obtain and image forensic data, obtain a forensic request, prepare and extract forensic data, identify relevant data, conduct analysis on the data collected, provide a forensic report and lastly perform case level analysis. The three major components highlighted in the diagram, preparation and extraction, examination and analysis, are core responsibilities of the forensic examiners and must be carried out solely by them. Consequently, all the various components, including the Obtaining and Imaging Forensic Data stage, the Preparation and Extraction stage, the Examination phase, the Analysis phase, the Documentation phase, the Reporting phase and Case Level Analysis, are described in detail using their respective diagrams shown below.

Typically, the central reason for digital forensic process analysis is to determine who may have done what to a system or a network, and for prosecution in court. Similarly, the focus of biometric analysis is also to identify who the impostor, intruder, or attacker is, but not necessarily for court presentation; rather, it is to ensure that they are warded off and restricted from accessing the computer or network resources. Hence, it is complemented with digital forensics because its main target is discovering the culprit and handing him/her over to the court.
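To make the stage flow above concrete, the following Python sketch is an added example (not code from the paper or from the forensic tool it used) of the Preparation and Extraction stage that the overview lists and that Section C below describes: it gates on a sufficient forensic request, validates the tool set-up, verifies the duplicate image against the original before anything is extracted, records each step in a chain-of-custody log, and informs the requester when the process cannot be concluded. The request fields, SHA-256 as the integrity check, the 'name=value' image format and the sample bytes are assumptions.

```python
"""Preparation and Extraction stage of the DFPAF as a small decision procedure.
Added example: the request fields, the SHA-256 check, the image format and the
sample bytes are assumptions, not the paper's own tool or data."""
import hashlib
from dataclasses import dataclass, field

# Stage outcomes, one per exit of the decision flow described in Section C.
RESTART_IMAGING = "request insufficient: restart by obtaining and imaging forensic data"
INFORM_REQUESTER = "process cannot be concluded: inform the requester"
PROCEED_TO_EXAMINATION = "extraction complete: proceed to the examination stage"


@dataclass
class ForensicRequest:
    case_id: str
    requester: str
    authority: str          # warrant or internal approval reference (assumed field)
    items_requested: list   # names of the data the requester wants extracted


@dataclass
class StageResult:
    outcome: str
    extracted_data_list: list = field(default_factory=list)  # the paper's Extracted Data List
    custody_log: list = field(default_factory=list)          # (examiner, action, detail) records


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def request_is_sufficient(req: ForensicRequest) -> bool:
    """A request can initiate extraction only if it names the case, the
    requester, an authority reference and at least one item to extract."""
    return bool(req.case_id and req.requester and req.authority and req.items_requested)


def validate_tool_setup(tools: dict) -> bool:
    """Set-up validation: every prescribed tool must be present and have
    passed its check (mapping tool name -> check passed)."""
    return bool(tools) and all(tools.values())


def parse_image(image: bytes) -> dict:
    """Constructed image format for the example: one 'name=value' record per line."""
    records = {}
    for line in image.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            records[name.strip()] = value.strip()
    return records


def run_preparation_and_extraction(req, source_bytes, duplicate_bytes, tools, examiner):
    """Request check -> tool set-up -> duplicate integrity -> extraction of the
    requested items from the verified duplicate only."""
    result = StageResult(outcome=PROCEED_TO_EXAMINATION)
    log = result.custody_log
    if not request_is_sufficient(req):
        log.append((examiner, "request insufficient", req.case_id))
        result.outcome = RESTART_IMAGING
        return result
    if not validate_tool_setup(tools):
        log.append((examiner, "tool set-up validation failed", req.case_id))
        result.outcome = INFORM_REQUESTER
        return result
    # The duplicate is trusted only if its hash matches the original source.
    original_hash = sha256_hex(source_bytes)
    duplicate_hash = sha256_hex(duplicate_bytes)
    log.append((examiner, "hashed original", original_hash))
    if duplicate_hash != original_hash:
        log.append((examiner, "integrity check failed", duplicate_hash))
        result.outcome = INFORM_REQUESTER
        return result
    log.append((examiner, "integrity confirmed", duplicate_hash))
    records = parse_image(duplicate_bytes)
    for name in req.items_requested:
        if name in records:
            result.extracted_data_list.append((name, records[name]))
            log.append((examiner, "extracted", name))
        else:
            log.append((examiner, "not present in image", name))
    return result


# Constructed sample source (stands in for a disk or log image) and tool check table.
SAMPLE_SOURCE = (
    b"auth.log=2018-03-01T08:12:00 accepted login for alice from 10.0.0.5\n"
    b"syslog=2018-03-01T08:13:10 service restarted\n"
)
SAMPLE_TOOLS = {"imager": True, "hash_tool": True}
```

A bit-for-bit duplicate is passed as `bytes(SAMPLE_SOURCE)`; passing a corrupted copy exercises the "inform the requester" exit.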

Categorically, the exact details can vary depending on the respective organization's policies, guidelines, and procedures. Most times they tend to include certain variations from the normal standard procedures or regulations [7].

The identification process determines who the actual impostor is. In every investigation, the analysis phase mostly relies on the investigator's skills and is influenced by experience. However, Figure 1 presents the forensic analysis methodology designed and discussed in this research in order to present its significance and attributes as an identification system.

Digital forensic process analysis emphasizes that for any data collected from a case or an incident to be relevant it must be successfully analyzed. Therefore, the forensic examiner or analyst is responsible for performing the analysis, either automatically or manually, and gathering information from the extracted data. Also, digital forensic processes can be significant in extracting biometric (fingerprint) features for more detailed examination and identification of a suspect where a biometric authentication system is deployed [8].

The main idea reported in this paper is to provide detailed knowledge of the practices of digital forensic technology, such that every institution, company or organization can see the potential of the security mechanism and what it offers. Any system or network can deploy it for a more reliable, efficient and effective security structure that ensures quality of service. It provides exact discovery and identification of subjects under investigation. This study is relevant because digital forensic technology is gaining wider acceptance and deployment on a daily basis.

A. Obtaining and Imaging Forensic Data Stage

Obtaining and imaging forensic data is the first component of the framework, which entails the ability to get an exact copy of the image of interest. For instance, if a violation or intrusion is suspected in a biometric authentication system or any network, it is advised that the investigator or analyst perform network traffic analysis and port scanning using network forensic tools like EnCase to explore, obtain and document what the perpetrator did or tried to do. If it is identified as a serious issue that requires legal procedures, then the next step should be to obtain a forensic request.

B. Obtaining the Forensic Request Stage

The forensic examiner should adopt the existing procedures that are followed in securing the rights and warrants from the relevant bodies in order to commence the digital forensic methodology as approved.

C. Preparation and Extraction Stage

The main steps in the Preparation and Extraction stage are shown in Figure 2 below. From the figure, once the process begins the first step is to determine if the forensic request contains sufficient information to initiate the extraction phase. If not, then the forensic expert should consider restarting by obtaining and imaging forensic data in order to ensure that all possible sources are explored and all potentially relevant data is collected to enable onward progression in the methodology. If the request contains sufficient information to start the process, then the process continues to the set-up validation of all hardware and software tools used in the process. It involves making a duplicate in order to verify its integrity. If integrity is confirmed, then the requested data should be extracted using the prescribed tools and the data added to the specified list for the phase. If there is no other data to be extracted, then the next stage should be embarked on. If the process cannot be concluded, then the requester of the forensic process should be informed.

The purpose is to describe the various data sources that are available, and to discuss possible actions which the organization and law enforcement can undertake in supporting the collection of data for forensic purposes. Also, the Preparation and Extraction stage makes recommendations on the subsequent actions that the relevant bodies can undertake to support proper forensic processes that align with both legal and internal proceedings [9]. In addition, this phase labels, records, collects, and extracts relevant data or data of interest while preserving its integrity. Preparation and extraction involves preservation and extraction of useful data from the collected data using suitable forensic tools while ensuring that the evidence integrity is consistently maintained.

Fig. 2: Preparation and Extraction Phase

The providers of internet service for any organization have the network logs; therefore, forensic examiners must give high consideration to the owners of the network and the possible effects of the data collection on the system or network. They should also be able to obtain relevant documents for a search warrant, taking into consideration the organization's and company's policies that must not be violated unnecessarily, like court orders where necessary. Forensic examiners should utilize attainable possible sources of data instead of unattainable ones which may not be practical. However, once all the relevant data are processed, then the examination process should be commenced. Consequently, the steps in the examination stage specified in the figure below are followed to ensure that useful data and information are obtained to enable the proper flow in the identification phase [9].

D. Examination Stage

This is the next stage after conducting the Preparation and Extraction stage. At this level, the examiners/analysts will conduct the examination process on each and every item on the Extracted Data List. This phase is diagrammatically explained in Figure 3 below.

Fig. 3: Examination Phase

In this stage the forensic expert examines all the collected data in the Extracted Data List to determine the type of data and its relevance to the forensic request specified. Following the components of the figure, all the unprocessed data in the Extracted Data List is identified and the relevant documents are documented and recorded in the Relevant Data List. If other suspicious documents are discovered, the forensic expert is expected to stop and notify the appropriate authorities and the forensic requester while the entire process is on hold. If not, then the process should be continued, with all the discovered Data Search Lead Lists and New Sources of Data documented. After this, the preparation and extraction phase can be commenced. The forensic requesters and the relevant bodies should be notified. When all the extracted data have been properly examined, then the Analysis phase may commence [9].

During this stage, it is recommended that examiners inform the forensic requesters of the first and previous findings in the process. Both the requester and the examiners will be able to decide together on what they envisage should be the effect and impact of continuing with the new leads on the investment. The examination phase involves close identification of collected data in order to identify relevant pieces of information and in turn extract them. Additionally, those data files that are of high interest can contain a lot of information which may be irrelevant and unrelated, so the files need to be filtered to get hold of useful information. Several tools exist which can be used to filter and sieve the collected data files to identify information of interest.

E. Analysis Stage

The next stage after the examination phase is the analysis; this involves evaluating the results obtained from the Preparation and Extraction stage and the identification phases.

Fig. 4: Analysis Phase

Analysis involves examination of the obtained relevant and useful data that properly addresses the reasons for performing the preparation and extraction phase (collection and examination). Through careful analysis, the information is transformed into evidence, and the data obtained from the analysis phase is transferred into actions by the use of the information obtained during the process during reporting. For example, the information can be useful in prosecuting some persons involved, it can also be helpful in ameliorating certain activities, or it can provide the supporting knowledge required to generate new leads in a specified case [10].

In the analysis phase, the examiner or analyst ensures that a complete picture is provided for the requester. He/she also ensures that every extracted item on the Relevant Data List is examined and all the questions such as who, what, when, where and how are addressed. Analysis is the final stage involving the documentation of the results or findings, which may involve a detailed description of the actions carried out, specifying other possible actions that should be performed, providing recommendations on how the guidelines, policies, tools and procedures may be improved, including some support on other forensic process aspects. It is one of the main aspects of this study. Once there is no more unprocessed data in the 'prepared/extracted list', the questions such as who and what should be addressed. The process of analysis tends to provide answers to the questions who, what, where, when, and how. Once it is concluded that there is unprocessed data in the prepared and extracted data list, then the forensic analysis process can commence. However, the analysis phase must provide answers to the specific questions, which include:

i. Who/What?

In the process of analysis of the identified relevant data, it provides answers to the questions: what application created, edited, modified, sent, received, or caused the file to be, and who is the file linked to and identified with?

ii. Where?

More so, the analysis process tends to provide answers to questions such as: where was the data found? Where did it come from? Does the data show where relevant events took place?

iii. When?

The next questions it tries to answer are when the data was created and when it was accessed. When was the data modified, received, sent, viewed, deleted, or launched?

iv. How?

In addition, the analysis phase provides answers to the question of how the data originated on the system or network. How was it made (created), transmitted, modified, and used? Also, does it show how the relevant events or incidents occurred?

Categorically, among other responsibilities of the analyst at this summative and critical stage is to provide answers to these principal questions: who/what, where, when, and how. Furthermore, the analyst or forensic expert also analyses the registry entries and the application/system logs, as earlier stated. He or she also checks other connections for other suggested useful links, correlating information with what the system or network user did with the data. If any other data of interest are identified, then the analyst may use a timeline or any other documentation method to document the findings in the analysis results list, including all the steps taken to reach a conclusion. Figure 3.4 above shows that analysis is a continuous process because whenever any new source of data list is identified it restarts the obtaining and imaging forensic data phase [9].

Generally, having extracted the relevant information, the forensic expert should immediately examine the data so as to obtain reasonable conclusions on the case for documentation and reporting. This phase of the methodology helps the examiner in identifying persons, locations, items, and incidents, as well as determining how those elements are related to each other so as to arrive at the appropriate conclusion. At this stage, documentation is required for presentation to any court of law or for the organization's or company's internal actions [15].

F. Documentation Phase

The next stage after the analysis is documentation. Documentation is used to keep a comprehensive log of each and every step taken in the data collection and detailed information on all the tools involved in the process. The essence of this is to enable other examiners and analysts to repeat or review the entire process if need be. All evidence that was photographed during the process is also provided here. All the outcomes of the analysis phase are detailed here in the analysis results list. All the information that provided any answer to the analysis-specified questions is also provided here. This is the end of the forensic process before the law enforcement agencies are acquainted with the results. Therefore, it is expected that all newly generated data search leads are collected and processed up to the examination stage, and then all the information obtained is documented properly before it is reported [9].

G. Reporting Stage

The final phase involved in the process, the preparation and presentation of the information acquired/obtained from the analysis phase, is the reporting stage.

Finally, after examiners/analysts go through the various phases a number of times and have been able to gather enough information, they can adequately respond to all the forensic requests. This leads to the Forensic Reporting phase. At this Reporting stage the examiners/analysts document their findings in such a format that it is understandable to those who requested it and they can apply it depending on the case. Forensic reporting is too important to be side-lined, because this is where the examiners/analysts communicate their final findings to the body who requested the forensic investigation. The significance of the concluded forensic process dwells in the capabilities of the examiners/analysts to communicate the result to those who requested the forensic investigation [9].

H. Case Level Analysis

The significance of case level analysis is to identify any problem that requires a remedy during the reporting process. At the end of the reporting phase, the requester performs a case level analysis in which he or she, together with the examiners, will interpret the findings within the context of the entire case. Several factors can affect a reporting process. Those factors include alternative explanations or more plausible explanations. Both must be given consideration. All explanations must be supported using a systematic approach.

1) Recommendations

Furthermore, in response to case level analysis, the key recommendations should be pointed out and presented after the analysis in the forensic process.

However, our designed framework and its corresponding diagrams provide the various steps that should be strictly followed in a real-time forensic investigation process. But due to the constraints encountered in the demo version of the forensic tool deployed in this research study, some of the phases were not practically reported.

IV. CONCLUSION

Crime is both a local and a global phenomenon; criminal activities are increasing rapidly, so the science to tackle them should be growing globally at the same rate in order to sustain the forever advancing technology and its consumer community.

This paper presented a detailed review of Digital Forensic Technology beginning from its invention to its methodology as implemented in the literature. We designed a process analysis model and described the phases specified in the model, which include the Preparation and Extraction Phase, Examination Phase, Analysis Phase, Documentation Phase, Reporting Phase, Case Level Analysis, and Recommendations phases.

The study on the digital forensic process reported in this paper was conducted in order to ascertain its uniqueness and effectiveness in providing adequate, reliable, and effective security. Analytically, the essence of the architectural design of the system development was to systematically analyse the various phases, stages, and sections involved in digital forensic process analysis in practice. These phases were discussed structurally in order to ease the system in real time.

The digital forensic process is very necessary at this time because most impostors are becoming knowledgeable about steganography and encryption methods that are used for hiding data and digital evidence beyond the capability of the traditional searching methods. Indeed, there is much more to forensic processes than what we can literally imagine. Not only do they offer detective and discovery techniques, they also involve various activities that assure the security and proper handling of fragile information, such that it does not get damaged or corrupted along the process of investigation, because the data integrity must be justified while keeping to the rules and laws of digital evidence that guarantee admissibility in court. Hence, this paper reported a model for digital forensic process analysis. We achieved this from the already existing knowledge in the literature, and the model was presented in a methodological manner which we intend to further implement in real time.

REFERENCES

[1] G. Pangalos, C. Ilioudis, and I. Pagkalos, "The Importance of Corporate Forensic Readiness in the Information Security Framework," in Proceedings of the IEEE Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2010, pp. 12-18; K. Hafner and J. Markoff, Cyberpunk: Outlaws and Hackers on the Computer Frontier. Touchstone, New York, pp. 1-136, 1991.

[2] S. Al-Fedaghi and B. Al-Babtain, "Modeling the Forensics Process," International Journal of Security and Its Applications, vol. 6, no. 4, pp. 97-108, October 2012.

[3] M. Pollitt, "A History of Digital Forensics," International Journal of Advances in Information and Communication Technology, vol. 337, pp. 3-15, 2010.

[4] B. J. Rothstein, R. J. Hedges, E. C. Wiggins, and F. J. Center, Managing Discovery of Electronic Information: A Pocket Guide for Judges. Washington, D.C.: CQ Press, 2011, pp. 225-250.

[5] J., M., "Computer Forensics in a Global Company," in Proceedings of the 16th International Conference on Computer Security Incident Handling & Response, Budapest, 2004, pp. 109-117.

[6] R. Lee, "Forensic and Investigative Essentials," in SANS Institute Forensics 508: Advanced Computer Forensic Analysis and Incident Response Training, Washington, DC, 2010, pp. 1-35.

[7] I. O. Ademu and C. O. Imafidon, "Applying Security Mechanism to Digital Forensic Investigation Process," International Journal of Emerging Trends in Engineering and Development, vol. 7, issue 2, pp. 128-132, 2012.

[8] L. C. Ovie, K. B. Stephen, and S. Thomas, "Computer Forensics: Digital Forensic Analysis Methodology," Computer Forensics Journal, vol. 56, no. 1, January 2008.

[9] D. Mellado and E. Fernández Medina, "A Common Criteria Based Security Requirements Engineering Process for the Development of Secure Information Systems," International Journal of Computer Standards and Interfaces, vol. 29, no. 2, pp. 244-253, 2007.

[10] K. M. Enos and H. S. Venter, "State of the Art of Digital Forensic Techniques," in Proceedings of the ISSA Conference, 2011, pp. 1-7.
