(IJCSIS) International Journal of Computer Science and Information Security, Vol. XXX, No. XXX, 2011

Chain of Digital Evidence Based Model of Digital Forensic Investigation Process

Jasmin Ćosić (Author)
IT Section of Police Administration, Ministry of Interior of Una-Sana Canton, Bihać, Bosnia and Herzegovina
jascosic@bih.net.ba

Miroslav Bača (Author)
Faculty of Organization and Informatics, University of Zagreb, Varaždin, Croatia
miroslav.baca@foi.hr

Zoran Ćosić (Author)
Director, Statheros d.o.o., Kaštel Stari, Croatia
zoran.cosic@statheros.hr
Abstract- Computer forensics is essential for the successful prosecution of criminals in computer (cyber) crime. The digital investigation process must be conducted in a lawful way, and certain prescribed steps must be followed in order for evidence to be accepted by a court of law. The digital forensic investigation process will be successful if we follow simple rules. The aim of this paper is to compare different existing models and frameworks developed in recent years and to propose a new framework based on the chain of digital evidence. This framework will be modeled using UML Use Case and Activity diagrams. The authors also warn of certain shortcomings and suggest some recommendations for further research.

Keywords- digital forensic; computer forensic; models of digital forensic; cyber crime investigation; digital forensic framework

I. INTRODUCTION

Computer crime, also called cyber or internet crime, is escalating and the race against cyber criminals is never ending. The field of digital forensics has become a critical part of the legal system throughout the world. In 2002 the FBI stated that fifty percent of the cases the FBI now opens involve a computer [1]. Therefore, it is very important to have good models and frameworks for computer (cyber) crime investigation. With a model we can generalize a process and create a framework for understanding all the techniques and technology that support the work of investigators or other personnel in the digital investigation process. In many situations investigations do not lead to a successful prosecution. In most cases the reason is a lack of preparation and non-compliance with defined procedures. Investigators often do not have the tools, skills and other required staff to work successfully with digital evidence. Very often the problem is the collection and gathering of evidence. In digital forensic practice there are hundreds of digital forensic investigation procedures, recommendations and documents, developed all over the world. In this paper the authors discuss models and frameworks of forensic investigation and propose a new framework based on the weaknesses and failures that commonly occur in the forensic process.

II. EXISTING MODELS AND FRAMEWORKS OF DIGITAL INVESTIGATION PROCESS

There are lots of forensic models and frameworks in the literature. Some authors propose a model and some a framework. What is the difference and where is the border? According to the Oxford dictionary, a framework is a supporting or underlying structure [2]. Another dictionary defines a framework as a skeletal structure designed to support or enclose something [3]. It can be said that a framework is a structure designed to support some action; in forensic investigation that action includes forensic stages, steps or levels. On the other side, the same source defines a model as a standard or example for imitation or comparison, and a representation, generally in miniature, to show the construction or appearance of something. In the computer world it can be said that a model represents an abstraction of something, containing sufficient detail to be useful as a formula. As we can see, there is a difference between a model and a framework: a model is something that we apply to a situation, and a framework is something we use to place aspects in. Models generalize a process to provide a framework that enables people to understand what that process does, and does not, do [4]. A brief description of the most important models used in computer (digital) investigation is given below.

A. Lee's model

Lee's model (2001) is based on the Scientific Crime Scene Investigation process [5]. This model identifies 4 steps: recognition, identification, individualization and reconstruction. Fig. 1 shows Lee's Scientific Crime Scene Investigation Model. This model is focused on a systematic and methodical way of investigating any digital crime case; the barrier of the model is that it analyzes only a part of the digital forensic process, which has made a limitation in the digital forensic investigation, as it focuses neither on data acquisition nor on preparation and presentation [8].


Figure 1. Lee's SCSI model (2001)

B. Casey model

Casey (2004) proposes a model which is focused on processing and examining digital evidence [6] (Fig. 2). The model is similar to Lee's model: the first and last stages, recognition and reconstruction, are the same as in Lee's model. This model also focuses only on a part of the digital forensic investigation process.

Figure 2. Casey model (2004)

C. DFRWS framework

The Digital Forensic Research Working Group (DFRWS, 2001) developed a framework that consists of 7 classes (Fig. 3). The classes defined by the framework serve to categorize the activities of an investigation into groups. The specifics of the framework must be largely redefined for each particular investigation [7]. This framework is not intended as a final comprehensive one, but rather as a basis for future work which will define a full model and framework for future research. The model is presented as linear [8].

Figure 3. DFRWS framework (2001)

D. Reith, Carr and Gunsch model

This model (2002) came up and included some of the missing components from the previous models, which had all the while been suggested. The model focuses in depth on investigation procedures and has 9 stages [9]. This model is similar to the DFRWS framework and is presented in Fig. 4.

Figure 4. Reith, Carr and Gunsch model (2002)

E. Kruse and Heiser model

According to Kruse and Heiser (2001), the computer forensic investigation process has 3 basic components: acquiring the evidence, authenticating it and analyzing the data [Kohn]. These components are presented in Figure 5.

Figure 5. Kruse and Heiser model (2001)

F. USDOJ model

The United States Department of Justice proposed a process model for forensics. This model has 4 phases: collection, examination, reporting and analysis (Fig. 6), and is abstracted from technology [10]. It does significantly better at identifying the core aspects of the forensic process and then building steps to support them, rather than becoming entangled in the details of a particular technology or methodology. This is commendable because it allows traditional physical forensic knowledge to be applied to electronic evidence.


Figure 6. USDOJ model

Figure 7. Ciardhuain model (2004)

G. Ciardhuain extended model

The model proposed by Ciardhuain (2004) is the most complete model. Its phases (stages) are also called activities; there are 13 activities (Fig. 7). Unlike previous models, Ciardhuain's model explicitly represents the information flows in an investigation and captures the full scope of an investigation, rather than only the processing of evidence. The inclusion of information flows, as well as the investigative activities, makes this model more comprehensive than other models. It provides a basis for the development of techniques, and especially tools, to support the work of investigators [8].

H. A few newest models

In 2006, the forensic process proposed by [11] consisted of 4 phases: collection, examination, analysis and reporting. This model is very similar to the early model proposed by [Pollitt, 1995]. Kohn, Eloff and Olivier (2006) proposed a framework which is based on the experience of other authors [9]. According to [12], a process framework to investigate incidents includes and combines Incident Response and Computer Forensics to improve the overall process of computer investigation. All frameworks are useful and have their own strengths. It is very hard to develop one framework to be used in all investigation processes. Some researchers propose a mapping between the processes/activities of digital investigation and offer a simplified Digital Forensic Investigation Framework to establish a clear guideline on the steps that should be followed in the forensic process [13].

III. PROPOSED FRAMEWORK BASED ON CHAIN OF DIGITAL EVIDENCE

In the previous section, 10 models and frameworks were presented. In their earlier work, the authors encountered in the literature several new models, which are mostly interpretations of the commonly used models and frameworks described in this paper. In this situation, the central question is why develop a new model which does not offer anything new. Some of the previously presented models are based on only a few stages of the investigation process, but Ciardhuain's model is the most complete; he based his model on all stages of the digital forensic process. The problem can be the fact that the procedures for initiating a forensic process are not the same in every country, and not every model can be applied in every country. In some European countries (Croatia, for example) there are not enough forensic experts to handle digital evidence in every stage/phase; police officers (crime investigators), for example, will be the first responders and collecting personnel. The second problem is that most of the presented models do not emphasize the process of documentation and the chain of evidence, respectively the chain of custody of digital evidence. What does this actually mean? The phrase chain of custody or chain of evidence refers to the accurate auditing control of original evidence material that could potentially be used for legal purposes [14]. Some authors use the term chain of evidence instead of chain of custody. The purpose of testimony concerning the chain of custody is to prove that the evidence has not been altered or changed through all phases, and it must include documentation on how the evidence was gathered, transported, analyzed and presented. Access to the evidence must be controlled and audited [14].

IV. PROPOSED FRAMEWORK BASED ON CHAIN OF EVIDENCE


Figure 8. Proposed framework based on chain of evidence

Chain of custody and integrity of digital evidence play a very important role in the digital forensic investigation process, due to the fact that in every phase forensic investigators must know where, when and how the digital evidence was discovered, collected and handled, and when and who came into contact with the evidence, etc. A proper chain of custody must include documentation with answers to all these questions. If one of these questions remains unanswered, the chain of custody is compromised and disrupted [15]. The essentiality of documentation and the chain of evidence (chain of custody) is the central point of the proposed framework. The major stages are:

- Allowance
- Planning and preparation
- Chain of custody stages
  o Identification
  o Collection
  o Examination
  o Transport and storage
- Reconstruction (Hypothesis)
- Publishing (Proof/Defense)
- Closing case

Fig. 8 shows the complete flow diagram of the proposed framework. Every process is discussed below.

1) Allowance

It is not allowed to start a digital investigation process or computer forensic process without permission or allowance. The process of collecting digital evidence must begin in a lawful way. In other words, if there is a forensic investigation, the competent prosecution or court must issue the order to initiate an investigation, or, if there is a corporate internal investigation, the management or supervisory board must agree with the investigation. In both cases, the approval must be in a written document [14].

2) Planning and Preparation

In these two phases (stages) the investigators (or other persons who investigate) still have not come into contact with digital evidence. This process involves making a plan for the investigation process and obtaining authorization from the local police institution. This authorization is not the same as the allowance (permission) that is required for the process to even begin. This authorization is required for getting a search warrant for the use of any items that are found during the investigation process. That means that if we do not have authorization, the evidence that we have found cannot be accepted by the court. Because of that this phase is very important and must be applied. This must also be done lawfully and must be documented.

3) Chain of Evidence Phases


a) Identification

The identification phase in the proposed framework deals with locating and identifying the equipment where evidence is stored: computers, external devices, networks, embedded devices, etc. The environment can be simple (a computer), which can be investigated very simply, or very complex, where we must include ISPs, other agencies or corporations. In both cases we must identify the evidence from a heap of usual files. In this phase we need to remember Locard's exchange principle, according to which anyone or anything present at the site of an offense brought something with it to the offense and left traces of its presence at the place where the offense was committed [16]. It is very important to have in mind that evidence can be in a temporary state (in Random Access Memory or a swap file, for example), and live acquisition must then be applied. With the live acquisition process we retrieve file time stamps, registry keys, swap files and memory details [9].

b) Collection

The process of collecting digital evidence is the most sensitive phase, because in most cases this is the first contact with the evidence. In this phase personnel must be very careful, because the evidence is in digital format and can easily be changed or even destroyed. All equipment is seized and data are prepared in the acquisition process for later analysis. This phase is the focus of much scientific research because every mistake or error in this phase can make further investigation futile. The authors [14,15,16] in their earlier research also warn of the risks of the collection process.

c) Examination

Everything that is said for the collection phase is valid for the examination process. Examination of digital evidence requires a lot of knowledge, skills and mastery of forensic tools and techniques. In this phase it is very important to have control over the integrity of digital evidence [14]. Everything we do must be documented, and the chain of custody must be applied at this stage as at no other so far. The examination process is usually performed by a computer forensic expert, but in some cases, in some countries, the court may require expert witness testimony. This expertise must be independent and must rely on scientific methods. Depending on the amount of input data, which today can be several terabytes, the output can be a very large volume of data to be examined.

d) Storage and Transport of digital evidence

Storage and transport of digital evidence are phases that are periodically repeated. In these phases digital evidence is particularly vulnerable, because it is influenced by various factors (personnel, etc.).
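As an added illustration (not part of the original paper), the following Python sketch records one custody entry per chain-of-custody stage with the answers the framework requires (who, when, where, how) together with the evidence hash, and then checks the record for unanswered questions, entries altered after recording, and an evidence hash that no longer matches acquisition. The field names, stage names and all sample data are constructed for this example.

```python
"""Chain-of-custody record for one item of digital evidence (added example).
Each entry answers who / when / where / how for one framework stage and stores
the SHA-256 of the evidence at that moment; entries are hash-linked, so an
unanswered question, an edited entry or a changed evidence image is detectable.
Field names, stage names and all sample data are constructed for this example."""
import hashlib
import json

REQUIRED = ("stage", "who", "when", "where", "how")  # questions a proper chain must answer
GENESIS = "0" * 64                                    # link value used by the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Digest over an entry's content, excluding its own stored digest."""
    body = {k: v for k, v in entry.items() if k != "entry_digest"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log: list, evidence: bytes, **fields) -> dict:
    """Append one custody entry and link it to the previous entry."""
    entry = dict(fields)
    entry["evidence_sha256"] = sha256_hex(evidence)
    entry["prev_digest"] = log[-1]["entry_digest"] if log else GENESIS
    entry["entry_digest"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_chain(log: list, acquisition_sha256: str) -> list:
    """Return a list of problems; an empty list means the chain is intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        missing = [f for f in REQUIRED if not e.get(f)]
        if missing:
            problems.append(f"entry {i}: unanswered {missing}")
        if e.get("prev_digest") != prev:
            problems.append(f"entry {i}: link to previous entry broken")
        if entry_digest(e) != e.get("entry_digest"):
            problems.append(f"entry {i}: entry altered after it was recorded")
        if e.get("evidence_sha256") != acquisition_sha256:
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
        prev = e.get("entry_digest", "")
    return problems

def demo():
    """Intact record through the chain-of-custody stages, then two disruptions."""
    image = b"constructed stand-in for an acquired disk image"
    acquisition_hash = sha256_hex(image)
    log = []
    add_entry(log, image, stage="collection", who="first responder A",
              when="2011-03-01T09:12Z", where="suspect office, workstation 1",
              how="write-blocked imaging")
    add_entry(log, image, stage="transport_storage", who="investigator B",
              when="2011-03-01T11:40Z", where="evidence locker 4",
              how="sealed evidence bag EB-001 (constructed id)")
    add_entry(log, image, stage="examination", who="forensic examiner C",
              when="2011-03-02T08:00Z", where="lab workstation",
              how="read-only mount of the image copy")
    intact = verify_chain(log, acquisition_hash)   # expected: []
    log[1]["how"] = ""                             # answer removed after the fact
    add_entry(log, image + b"x", stage="examination", who="examiner D",
              when="2011-03-03T10:00Z", where="lab workstation", how="mounted image")
    return intact, verify_chain(log, acquisition_hash)   # three problems expected

if __name__ == "__main__":
    for problem in demo()[1]:
        print(problem)
```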

4) Reconstruction

During and after the examination of evidence, the personnel who investigate digital evidence must have a hypothesis: usually one main hypothesis, but in some more complex cases a few hypotheses. In this way one tries to prove what really occurred. The reconstruction process must also be documented.

5) Publishing results

The process of publishing the results of a digital investigation means the presentation of results before the court or, in the case of an internal investigation in a corporation, before the management board; the proof and defense process; and, at the end, later dissemination of the knowledge through a knowledge database. Every corporation, firm or enterprise, and even the court, has its own knowledge base system that stores all knowledge from the past for the future.

6) Closing Case

The last phase in the forensic investigation process is not the presentation of evidence before the court. In some cases there is a need to deal with the original evidence before the court, and in this phase too we are in contact with the evidence. This can be sensitive, and in this case the chain of evidence must be applied. Digital evidence passes through the life cycle phases and, at the end of the trial, can be stored and archived (closing the case).

Figure 9. Use-case diagram of the presented framework

Figure 9 presents a UML use-case diagram of the proposed framework based on chain of evidence. This framework involves a few actors: law enforcement personnel (first responders, forensic investigators, etc.), court expert witnesses, defense, prosecution and the court. Every actor interacts with some of the use cases (Fig. 9).


V. COMPARISON OF EXISTING MODELS


Table 1 gives a comparison of the stages/phases of all the models previously described. There are a number of activities (phases) in this table which are not the same in the other models; the authors used all activities from all models, where the names differ but the process is similar. As we can see in the table, some models are incomplete and focus on just a few phases, while Ciardhuain's model is the most complete and includes all phases of the digital investigation process. The proposed model is also complete and consists of all forensic investigation phases.




Table 1: Comparison of most used models

VI. CONCLUSION AND FURTHER RESEARCH

The aim of this paper is to make a review of all essential models and frameworks of the digital forensic investigation process and to propose a new model which can be applied under some specific conditions. There are lots of models, which are different: some are focused on the process of collection and examination, and some are complete and can be used to make a clear guideline on the steps to be followed in a forensic process. The framework that the authors have proposed is based on documentation and the chain of custody of digital evidence, and consists of all forensic investigation phases. Any of the above-mentioned processes can be chosen and used in the digital investigation process, but there are certain specifics in each country that we should not forget when choosing it.

ACKNOWLEDGMENT

The presented research and results came out of the research supported by the Center for Biometrics, Faculty of Organization and Informatics, Varaždin, University of Zagreb, Croatia.

REFERENCES

[1] Peisert S., Bishop M., Marzullo K., Operating Systems Review (OSR), Special Issue on Computer Forensics, 42(3), pp. 112-122, April 2008
[2] Oxford Dictionaries, available at: http://www.askoxford.com/concise_oed/framework?view=uk, Accessed: 24.12.2009.
[3] Dictionary services, available at: http://dictionary.reference.com/browse/framework, Accessed: 24.12.2009.
[4] Peisert S., Bishop M., Marzullo K., Computer Forensics in Forensis, ACM Operating Systems Review (OSR), Special Issue on Computer Forensics, 2008
[5] Lee H.C., Palmbach T.M., Miller M.T., Henry Lee's Crime Scene Handbook, San Diego: Academic Press, 2001
[6] Casey E., Digital Evidence and Computer Crime, San Diego: Academic Press, 2004
[7] Ray A.D., Bradford P.G., Models of Models: Digital Forensics and Domain-Specific Languages
[8] Ciardhuain S., An Extended Model of Cybercrime Investigation, International Journal of Digital Evidence, Summer 2004, Volume 3, Issue 1
[9] Perumal S., Digital Forensic Model Based On Malaysian Investigation Process, International Journal of Computer Science and Network Security, Vol. 9, No. 8, August 2009
[10] Kohn M., Eloff J.H.P., Olivier M.S., Framework for a Digital Forensic Investigation, Proceedings of the ISSA 2006 from Insight to Foresight Conference, South Africa, July 2006
[11] Kent K., Chevalier S., Grance T., Dang H., Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication 800-86, Gaithersburg, 2006
[12] Freiling F.C., Schwittay B., A Common Process Model for Incident Response and Computer Forensics, Proceedings of the Conference on IT Incident Management and IT Forensics, Germany
[13] Selamat S.R., Yusof R., Sahib S., Mapping Process of Digital Forensic Investigation Framework, IJCSNS, Vol. 8, No. 10, 2008
[14] Ćosić J., Bača M., Do We Have Full Control Over Integrity in Digital Evidence Life Cycle?, ITI 2010 - 32nd International Conference on Information Technology Interfaces, Cavtat/Dubrovnik, Croatia, 2010
[15] Ćosić J., Bača M., (Im)Proving Chain of Custody and Digital Evidence Integrity with Time Stamp, MIPRO 2010 - 33rd International Convention on Information and Communication Technology, Electronics and Microelectronics, Opatija, Croatia, 2010
[16] Bača M., Introduction in Computer Security (in Croatian), Zagreb: NN, 2004

AUTHORS PROFILE

Jasmin Ćosić received his BE (Economics) degree from the University of Bihać (B&H) in 1997. He completed his study in the Information Technology field (dipl.ing. Information Technology) in Mostar, at the University Džemal Bijedić, B&H. Currently he is a PhD candidate at the Faculty of Organization and Informatics in Varaždin, University of Zagreb, Croatia. He is working in the Ministry of the Interior of Una-Sana Canton, B&H. He is an ICT Expert Witness, a member of the Association of Informatics of B&H, and a member of IEEE and ACM. His areas of interest are Digital Forensics, Computer Crime, Information Security, Information Society and DBM Systems. He is author or coauthor of more than 25 scientific and professional papers and one book.

Zoran Ćosić is CEO at Statheros ltd and a business consultant in the field of business process standardization. He received his BEng degree at the Faculty of Nautical Science, Split (HR) in 1990 and his MSc degree at the Faculty of Nautical Science, Split (HR) in 2007; currently he is a PhD candidate at the Faculty of Organization and Informatics, Varaždin, Croatia. He is a member of various professional societies and program committees. He is author or coauthor of more than 20 scientific and professional papers. His main fields of interest are: information security, biometrics and privacy, business process reengineering,

Miroslav Bača is currently a Full Professor at the University of Zagreb, Faculty of Organization and Informatics. He is a member of various professional societies and program committees, and he is a reviewer for several international journals and conferences. He is also the head of the Biometrics Centre in Varaždin, Croatia. He is author or coauthor of more than 70 scientific and professional papers and two books. His main research fields are computer forensics, biometrics and privacy.
