digital forensic within enterprise risk management - Information Systems
After reading the required articles this week, please write a research paper that answers the following questions:
What are mobile forensics and do you believe that they are different from computer forensics?
What is the percentage of attacks on networks that come from mobile devices?
What are challenges to mobile forensics?
What are some mobile forensic tools?
Should the analysis be different on iOS vs Android?
Your paper should meet the following requirements:
Be approximately 4-6 pages in length, not including the required cover page and reference page.
Follow APA7 guidelines. Your paper should include an introduction, a body with fully developed content, and a conclusion.
Support your answers with the readings from the course and at least two scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. The UC Library is a great place to find resources.
Be clearly and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing.
reading airtical for this week
Montasari, R., & Hill, R. (2019). Next-Generation Digital Forensics: Challenges and Future Paradigms. 2019 IEEE 12th International Conference on Global Security, Safety and Sustainability (ICGS3), Global Security, Safety and Sustainability (ICGS3), 205. https://doi.org/10.1109/ICGS3.2019.8688020
Sahinoglu, M., Stockton, S., Barclay, R. M., & Morton, S. (2016). Metrics Based Risk Assessment and Management of Digital Forensics. Defense Acquisition Research Journal: A Publication of the Defense Acquisition University, 23(2), 152–177. https://doi.org/10.22594/dau.16-748.23.02
Nnoli, H. Lindskog, D, Zavarsky, P., Aghili, S., & Ruhl, R. (2012). The Governance of Corporate Forensics Using COBIT, NIST and Increased Automated Forensic Approaches, 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Conference on Social Computing, Amsterdam, 734-741.
The Governance of Corporate Forensics using
COBIT, NIST and Increased Automated Forensic
Approaches
Henry Nnoli1, Dale Lindskog2, Pavol Zavarsky2, Shaun Aghili2, Ron Ruhl2
1ATB Financial, Edmonton T5J 1P1, Canada
2Information Systems Security Management, Concordia University College of Alberta, Edmonton T5B 4E4, Canada
[email protected], {dale.lindskog, pavol.zavarsky, shaun.aghili, ron.ruhl}@concordia.ab.ca
Abstract—Today, the ability to investigate internal matters
such as policy violations, regulatory compliance, and employee
separation has become important in order for corporations to
manage risk. The degree of information security threats evolving
on a daily basis has increasingly raised concerns for enterprise
organizations. These threats include but are not limited to fraud,
insider threat and intellectual property (IP) theft. These have
increased the demand for organizations to implement corporate
forensics as a deterrent to illegitimate acts or for linking
perpetrators to their illegitimate acts. This explains why forensic
practices are expanding from the traditional role in law
enforcement and becoming an essential part of business
processes. However, most organizations may not be maximizing
the benefits of corporate forensic capabilities because of lack of
corporate forensic governance best practices, needed to ensure
organizations prepare their operating environment for digital
forensic investigation. Corporate forensic governance will help
ensure that digital evidence is obtained in an efficient and
effective way with minimal interruption to the business. This
paper presents a corporate forensic governance framework
intended to enhance forensic readiness, governance, and
management, and increase the use of automated forensic
techniques and in-house forensically sound practices in large
organizations that have a need for these practices.
Index Terms—corporate forensic governance; corporate
forensic readiness; increased automated forensic solutions;
digital forensic investigation; digital evidence
I. INTRODUCTION
Most organizations waste effort, time and resources in
carrying out forensic investigations due to lack of corporate
forensic preparedness [4]. Forensic readiness (preparedness)
can be defined as the process of being prepared (having the
right policies, procedures, people, techniques in place to
respond professionally and timely) before an incident occurs.
Rowlingson [4], in his paper, ‘A Ten Step Process for Forensic
Readiness’ described forensic readiness as the ability of an
organization to maximize its potential to use digital evidence
while minimizing the cost of an investigation. In his paper he
discussed practices that, when implemented before a digital
incident occurs, can help organizations to be ready to carry out
forensic investigations. However, forensic readiness is one part
of a comprehensive and well-structured corporate forensic
governance program.
Governance is the process of establishing and maintaining a
framework and supporting management structure and processes
to provide assurance that applicable strategies are aligned with
and support business objectives, and are consistent with
applicable laws and regulations through adherence to policies
and internal controls, and assignment of responsibility, all in
the effort to manage risk [22]. In most organizations when
incidents occur, the incident response team’s major concern is
to contain the incident and restore operations, paying less
attention to potential evidence. In most cases digital evidence is
contaminated, incomplete and untrustworthy, all of which
inhibits linking perpetrators to their illegitimate acts if a crime
is committed [2]. This is simply because of the lack of forensic
readiness which is part of a good corporate forensic governance
program. Grobler et al [5] stated, “all disciplines need some
form of policy, procedures, standards and guidelines hence
necessitating the proper facilitation of governance”. In their
paper, entitled ‘Managing digital evidence - The governance of
digital forensics’, they introduced a preliminary framework for
the governance of digital forensics.
According to COBIT [10], the principles of governance
best practices include strategic alignment, risk management,
value delivery, resource optimization, and continuous
performance evaluation. Board briefings on IT governance [22]
stated that, governance practices have been confirmed to yield
huge benefits in the field of information technology (IT) and
information security (IS) due to the establishment and adoption
of applicable frameworks like COBIT. “In other words, top
management of various organizations are realizing the
significant impact information technology and information
security can have on the success of their enterprise because of
governance of these fields” [22]. Such governance practices are
lacking in the field of digital forensics [5]. For various reasons
which will be highlighted later in this paper, there is a need for
effective and efficient governance practices for corporate
forensic programs to ensure that value, risk and resources are
optimized during forensic investigations. Most organizations
are still biased about in-house forensic readiness and capability
because they feel that it involves complex processes but with
proper best practice framework for corporate forensic
governance and readiness they will observe that in-house
forensic readiness can be conducted in an efficient and
effective way. In addition, the use of innovative, user friendly
and increased corporate forensic automated solutions (like
2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security,
Risk and Trust
978-0-7695-4848-7/12 $26.00 © 2012 IEEE
DOI 10.1109/SocialCom-PASSAT.2012.109
734
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:23:00 UTC from IEEE Xplore. Restrictions apply.
Encase Enterprise) reduces the amount of resources (time,
effort and personnel) used for such practices. With the
existence of COBIT [10][11] and other IT and IS governance
frameworks, including research work like [1][2][3][4][5][8] it
is obvious that there is a governance gap in the field of
corporate forensics.
In this paper, a governance framework is presented, one
that will guide those large organizations who are in need of a
corporate forensic program on how best governance practices
can enhance corporate forensic readiness and in-house
forensically sound practices in an efficient and effective way.
This paper is organized into the following sections: Section II
argues the need for corporate forensic readiness and
governance; Section III explains best practice governance
principles; Section IV is a brief discussion of related work;
Section V is a description of the proposed framework; finally,
in Section VI we conclude and recommend future work.
II. CORPORATE FORENSIC READINESS AND GOVERNANCE
According to [8], litigation is a last option for most
organizations, because of concerns like negative publicity and
its negative impact to the business. Therefore, corporate
forensic readiness, governance and in-house forensic capability
will help organizations to be prepared to gather and use digital
evidence as a deterrent and for making firm conclusions during
internal investigations of non-criminal violations. The objective
of corporate forensic readiness is to ensure that digital evidence
is collected using sound forensic processes and in an effective
way with minimal interruption to the business. This evidence
can also be used for the organizations interest and defense.
Although many organizations outsource forensic activities, it is
likely that most will prefer to perform them internally. The
reasons for this include privacy, confidentiality of
organizational and customer data, legal risk, delayed forensic
results from consultants and compliance with regulations like
Sarbanes Oxley, King 3 Report, the Basel Committee report on
banking supervision, and FIPS PUB 200. In addition, it is
costly to outsource forensic activities in those large
organizations that experience recurring digital incidents.
Regulations like FIPS PUB 200 (2002) mandated all federal
agencies in the United States to comply with the standard’s
Audit and Accountability section, which states that
“Organizations must:
1. Create, protect, and retain information system audit
records to the extent needed to enable the monitoring,
analysis, investigation, and reporting of unlawful,
unauthorized, or inappropriate information system
activity.
2. Ensure that the actions of individual information
system users can be uniquely traced to those users so
they can be held accountable for their actions” [12].
These considerations show that, in a great many cases,
there is a clear need for corporate forensic readiness
and in-house forensic capability.
Rowlingson [4] articulates ten steps toward corporate
forensic readiness:
1. “Define the business scenarios that require digital
evidence.
2. Identify available sources and different types of
potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability of securely gathering admissible
evidence to meet the requirement.
5. Establish a policy for secure storage and handling of
potential evidence.
6. Ensure monitoring is targeted to detect and deter major
incidents.
7. Specify circumstances when escalation to a full formal
investigation should be launched.
8. Train staff in incident awareness so that all those
involved understand their role in the digital process and
the legal sensitivities of evidence.
9. Document an evidence-based case describing the
incident and its impact.
10. Ensure legal review to facilitate action in response to the
incident”.
A good governance framework consists of both governance
and management processes [11]. Rowlingson’s work should be
incorporated into management processes and we therefore
refined and used it in the development of the management
processes (CFM domain) of our proposed corporate forensic
governance framework. More elaboration on the need for
corporate forensics can be found in [8].
A. The Relationship between IT Governance, IS Governance
and Corporate Forensics
It could be argued that corporate forensics falls, in some
respects, under IT governance and IS governance. However,
some important aspects of corporate forensics, like
jurisprudence (legal) and forensically sound processes are not
fully part of IT and IS governance [3]. According to ACPO
[30], forensically sound processes mean performing forensic
practices (collection, examination, analysis, documentation,
preservation of evidence and chain of custody) according to
applicable jurisdiction. It also means that forensic practices
should be conducted in such a way that if necessary an
independent third party is able to repeat the same processes and
obtain the same result. This shows that the preservation of the
integrity of evidence is very important during forensic
investigations. Corporate forensics (CF) and digital forensics
(DF) will be used interchangeably in this paper. Researchers
like Von Solms [3] and Grobler [5] explains the relationship
between Digital Forensic (DF), IS Governance, IT Governance
and Corporate Governance. Von Solms et al states “that the
proactive mode of information security ensures all policies,
procedures, and technical mechanisms are in place to prevent
harm to the organization’s information; the reactive mode
ensures that if harm occur, it will be repaired (Business
continuity planning, Good backup and Disaster recovery
techniques are part of the reactive mode)” [3] . “The proactive
mode of digital forensics ensures all policies, procedure,
technical and automated mechanisms are in place to be able to
act when required; the reactive mode ensures that the necessary
actions can be performed to support specified analytical and
investigative techniques required by digital forensics”[3]. This
shows that some components of Digital forensic, IS and IT
governance overlap and are related. Therefore, the best practice
735
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:23:00 UTC from IEEE Xplore. Restrictions apply.
governance principles used for effective IT and IS governance
can also be used for corporate forensic governance.
Fig. 1. Relationship between Corporate governance, IT governance, IS
governance and Digital forensic [3]
Figure 1 shows a holistic view of DF and its relationship
with corporate governance, IS governance and IT governance.
III. BEST PRACTICE GOVERNANCE PRINCIPLES
According to best practices [10][11][22] governance
principles include strategic alignment with business objectives,
value delivery to the business, risk management, resource
optimization of available resources and continuous
performance evaluation.
A. Strategic Alignment
Good governance of corporate forensics (CF) will ensure
that the objectives of CF practices are aligned to the
organization’s goals. According to Board briefing on IT
governance [22], the cost effectiveness of a security program is
determined by how well it supports the organization’s
objective. Corporate forensic governance will also ensure that
corporate forensic objectives are defined in business terms and
all CF controls tracked to a specific business requirement. The
following will indicate alignment: a corporate forensic program
that enhances business activities; a corporate forensic program
that is responsive to defined business needs; corporate forensic
program and organization objectives that are defined and
clearly understood by relevant stakeholders; corporate forensic
program that is mapped to organizational goals and is validated
by senior management; a corporate forensic strategy and
steering committee made up of key executives to ensure
continuous alignment of corporate forensic objectives and
business goals.
B. Value Delivery
Good governance of corporate forensic practices will also
ensure that corporate forensic investments are optimized in
support of enterprise objectives. It also ensures that the
organization gets benefits from their corporate forensic
investments. Governance will ensure corporate forensic
investments are supporting business needs and adding expected
value. For instance, in a scenario where there is no governance,
there won’t be monitoring and evaluation to ensure that
corporate forensic investment is continuously supporting the
business in achieving some of its strategic needs. Therefore,
forensic investments may not add expected value to the
business, since there are no metrics to measure if value is
optimized. Corporate forensic governance increases the
likelihood of corporate forensic program’s success considering
the significant cost associated with corporate forensic practices.
Figure 2 shows some of the questions governance will ask to
ensure value is optimized.
Fig. 2. Val IT Framework 2.0, Value according to the Four ‘Are’s as
described in the information paradox [34]
C. Risk Management
For applicable IT related business risk to be mitigated using
corporate forensic practices, CF governance would help ensure
that corporate forensic practices are an integral part of
enterprise risk management program. CF governance will also
ensure that corporate forensic strategy and program will help
organizations achieve acceptable level of applicable IT related
business risk. A structure for risk assessment as defined by
NIST 800-30 is shown in figure 3 below. If corporate forensic
practices are part of enterprise risk management program,
potential evidence sources will be identified in a proactive
manner. Also, CF governance will ensure legal risk involved
during corporate forensic practices are fully identified,
communicated, mitigated and managed.
Fig. 3. NIST 800-30 Risk Assessment Methodology [32]
Furthermore, from the risk assessment methodology shown
in Figure 3, step 4 requires control analysis and selection. This
736
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:23:00 UTC from IEEE Xplore. Restrictions apply.
is where different controls are selected for all identified risks.
Different controls are weighed and analyzed based on their
strength and weaknesses and the best control to mitigate each
risk effectively is selected. All risks that could be best
mitigated with corporate forensic practices should be identified,
documented in a risk profile chart and rated to show their
potential value impact to the business. This is one of the
principles of good CF governance which will ensure that all
risk that could be mitigated with corporate forensic practices
are mitigated and optimized.
D. Resource Optimization
This principle of good corporate forensic governance deals
with planning, allocation and control of corporate forensic
resources which include people, processes and technologies
(increased automated forensic suites) towards adding value to
the business. CF resources need to be managed properly for its
effectiveness. Proper CF resource management will ensure that
corporate forensic practices are efficient, cost effective and
most importantly ensure corporate forensic is effectively
addressing applicable business needs.
E. Performance Evaluation
Since there is a clear saying that “you cannot manage what
you cannot measure,” the governance of corporate forensic
practices will ensure measures are in place to monitor corporate
forensic processes and measure its performance. This will help
management to make informed decisions about the state of
corporate forensic program and ascertain if it is effective or
not. Methods like Maturity model, checklist and other tools
could be used. Some of the indicators of effective corporate
forensic program as observed from performance measurement
include: the time it takes to detect and uncover potential
security threats to the business; number of threats effectively
traced to their sources within minimal time interval without
interruption to the business; number of security breaches
reported (lesser number of reported breaches means
effectiveness of the control in terms of deterrent). The
performance measurement module of the governance
framework is represented in the corporate forensic evaluation
(CFE) domain of the proposed framework.
IV. RELATED WORK
Researchers like [4][6][7][8] have looked into some form of
forensic readiness while [2][8][9][21] have looked into some
form of proactive digital forensics which are considered part
but not a comprehensive representation of good governance
practices. They did not comprehensively address the
establishment of a good governance framework and major
governance processes for corporate forensics practices which
will obviously make their work more effective. In other words,
they did not address in details how corporate forensic practices
could be enhanced using governance best practices. Lack of CF
governance practices might explain why management see
digital forensic as an abstract and highly technical field and
have very little interest in leveraging on its benefits to achieve
some of their corporate goals. Good governance referred to in
the beginning of this section means getting senior management
involved in an interactive manner by using globally adopted
common business languages in a governance framework for
forensic practices; management taking ownership of forensic
program by assuming responsibility and accountability (RACI
Chart) of forensic processes; use of increased automated
forensic suites with generation of user friendly executive
reports, remote forensics and automated processes; use of
forensic practices to minimize high IT related business risk. All
these enhancements are expected to help organizations
maximize the benefits of forensic practices in an efficient and
effective way. Discussing proactive or corporate forensic
readiness by [2][4][6][7][8][9][21] without the establishment of
a governance structure, framework and obtaining management
support will result in the corporate forensic readiness program
not being fully effective and efficient.
Furthermore, at the time this paper was written, only one
researcher, Grobler et al [5], to the best of our knowledge, had
researched on the governance of digital forensics. Their paper
was a preliminary framework in the form of an outline for the
governance of digital forensics. The scope of the paper did not
comprehensively address how globally accepted governance
best practices [10][11][22] can be used to enhance a corporate
forensic program in enterprise organizations.
V. DESCRIPTION OF THE PROPOSED FRAMEWORK
According to best practice [11] a governance framework
should consist of two major processes: the governance and
management processes. The governance processes involve
direction in strategic alignment, risk management, resource
optimization, value delivery and performance evaluation. The
governance field directs the management field and ensures
management processes are achieving their goals. The
management field is responsible for executing and
implementing directions from the governance field. The
management processes involved specialized and operational
processes which governance uses to achieve its tactical and
operational goals. The management section performs more
hands-on tasks than the governance section. The proposed
framework was developed with this principle. The framework
was categorized into three domains namely Corporate Forensic
Governance ((CFG) governance processes), Corporate Forensic
Management ((CFM) management processes) and Corporate
Forensic Evaluation (CFE). The third domain CFE maintains a
life cycle model for the framework by evaluating, monitoring
and continually improving forensic processes through lesson
learned and evaluation using maturity model. Figure 4 shows
the corporate forensic governance framework lifecycle.
Fig. 4. The three major domains of the proposed corporate forensic
governance framework lifecycle
The proposed corporate forensic governance framework
was developed with the common languages and best practices
used in related governance models.
737
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:23:00 UTC from IEEE Xplore. Restrictions apply.
A. Corporate Forensic Governance (CFG)
Corporate Forensic Governance was developed with the
major principles of best governance practices as recommended
by COBIT [10][11] and Board briefing on IT governance [22],
which includes strategic alignment, risk management, resource
optimization, and value delivery. These principles represent
control objectives CFG 1 to CFG 4 of the corporate forensic
governance domain. Detailed control practices were developed
under each of these control objectives.
B. Corporate Forensic Management (CFM)
The second domain Corporate Forensic Management
(CFM) contains functions classified as management functions
in the framework. This domain was developed from best
practices, Rowlingson’s work [4] and all other literatures
reviewed in the reference section. The control objectives in
these domain (CFM 1 to CFM 10) include: manage legal and
ethical requirements; define policies; define procedures;
manage education, training and awareness; perform pro-active
evidence identification; collect evidence; examine and analyze
evidence; manage evidence; manage third party; document,
report and present evidence. Detailed control practices were
developed under each of these control objectives.
C. Corporate Forensic Evaluation (CFE)
The third domain Corporate Forensic Evaluation (CFE)
contains processes to evaluate (maturity model), monitor,
assess and improve (with lesson learned and feedback) forensic
practices to ensure the objective of the framework is
continuously achieved. The objective of the framework
includes performing corporate forensic activities in an efficient
and effective way, with minimal disruption to the business;
collecting evidence in a forensically sound way and reduction
of applicable potential IT related risk to the business. This
domain was developed from process assessment best practices
from all the literatures reviewed. Detailed control practices
were developed under each of the control objectives (CFE 1 to
CFE 3) for this domain.
D. Corporate Forensic Governance Structure
Figure 5 shows a high level hypothetical corporate forensic
governance structure. Other Assurance functions like HR,
Internal Audit, Privacy, Value Management office, Legal etc
are part of the corporate forensic strategy and steering
committee. To establish effective CF governance program, the
first step is to establish a governance structure that will oversee
the governance of corporate forensics program. This is one of
the requirements of good governance. According to several
regulations and best practices [11][22], senior management is
ultimately responsible for good governance and to exercise due
care in performing task involving all specialized disciplines.
Corporate forensics, Information technology and Information
Security are examples of those specialized disciplines in a
corporate environment. Therefore the overall accountability of
good governance is the responsibility of the board of directors.
The Board or the CEO should set up a steering and strategy
committee to oversee its corporate forensic responsibilities and
report back to them since they have many commitments. This
responsibility could also be taken by the CIO depending on
how large the organization is or the business environment of
the organization. Therefore, this is just a hypothetical structure;
organizations can set up their governance structure as it suits
their business environment. For instance, if an organization is
experiencing various insider frauds and other negative publicity
due to security breaches, the Board of directors will be
interested in knowing the most effective mitigation strategy to
mitigate that risk. This will increase the organization’s interest
in implementing a corporate forensic program which the CEO
or board might want to oversee.
Fig. 5. A hypothetical corporate forensic governance structure
Each member of the governance and management teams in
the proposed framework has assigned roles and responsibilities
similar to those seen in [22]. They are either responsible,
accountable, consulted and/or informed on each of the
governance, management and evaluation processes of the
corporate forensic governance framework. This is achieved
using the RACI chart which means who is Responsible,
Accountable, Consulted and/or Informed. Table I briefly
explains the RACI chart.
E. Corporate Forensic Governance Framework
The framework consists of 3 domains (CFG, CFM & CFE),
17 high level control objectives (CFG1-CFG4, CFM1-CFM10,
CFE1-CFE3) and 119 detailed control practices. The control
practices and RACI assignment of roles and responsibilities
can be adjusted to suit each organization’s needs and business
environment. In other words some of the control practices
might not be applicable in some organizations depending on
how they are structured and what their business environment is
like.
TABLE I. THE RACI CHART
RACI Task
R means Responsible Those responsible for performing the task or ensuring the task is done
A means Accountable The person who must approve or sign off before the process is effective or person accountable for the success of the process.
738
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:23:00 UTC from IEEE Xplore. Restrictions apply.
C means Consulted Those who provide input needed to complete the task
I means Informed Those who are regularly updated on the outcome of decisions, processes and actions taken
In addition, some of these controls have already been
implemented in some organizations (maybe for information
security) enhancement is needed in such scenario to
accommodate forensic practices. During implementation of the
framework CFG1 – CFG4 will be implemented first before
CFM1 – CFM10 and then CFE1 – CFE3. RACI chart was used
in assigning roles and responsibilities to the governance and
management team according to best practices [10][22]. Refer to
Section V. for more explanation on the structure of the
proposed framework. Brief explanation of the scope and
control objectives of the proposed framework is shown in
Table II.
The scope of the proposed corporate forensic governance
framework is based on the use of increased automated forensic
suites like Encase Enterprise for forensic practices. These
increased automated suites are known for increased automation
and provision of ease of use approach towards performing
forensic practices. However, a forensic expert is needed in the
forensic team for effective and efficient use of these automated
suites to achieve applicable organizational goals. The
framework was designed for global use and in a high level
format with general requirements for …
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
Next-Generation Digital Forensics: Challenges and
Future Paradigms
Reza Montasari
Department of Computing and Engineering
The University of Huddersfield
Huddersfield, U.K.
[email protected]
Richard Hill
Department of Computing and Engineering
The University of Huddersfield
Huddersfield, U.K.
[email protected]
Abstract— In recent years, Information and Communications
Technology (ICT) has rapidly advanced, bringing numerous benefits
to the lives of many individuals and organisations. Technologies such
as Internet of Things (IoT) solutions, Cloud-Based Services (CBSs),
Cyber-Physical Systems (CPSs) and mobile devices have brought
many benefits to technologically-advanced societies. As a result,
commercial transactions and governmental services have rapidly
grown, revolutionising the life styles of many individuals living in
these societies. While technological advancements undoubtedly
present many advantages, at the same time they pose new security
threats. As a result, the number of cases that necessitate Digital
Forensic Investigations (DFIs) are on the rise, culminating in the
creation of a backlog of cases for law enforcement agencies (LEAs)
worldwide. Therefore, it is of paramount importance that new research
approaches be adopted to deal with these security threats. To this end,
this paper evaluates the existing set of circumstances surrounding the
field of Digital Forensics (DF). Our research study makes two
important contributions to the field of DF. First, it analyses the most
difficult technical challenges that need to be considered by both LEAs
and Digital Forensic Experts (DFEs). Second, it proposes important
specific future research directions, the undertaking of which can assist
both LEAs and DFEs in adopting a new approach to combating cyber-
attacks.
Keywords—digital forensics, IoT forensics, cloud forensics,
cybersecurity, digital investigation, encryption, anti-forensics
I. INTRODUCTION
In recent years, we have witnessed rapid advancements in
Information and Communication Technology (ICT) features.
Technologies such as communication networks, mobile devices,
Internet of Things (IoT) solutions, Cloud-Based Services
(CBSs), Cyber-Physical Systems (CPSs) have brought many
benefits to technologically-advanced societies [1, 2, 3]. As a
result, commercial transactions and governmental services have
rapidly grown, revolutionising the life styles of many
individuals living in these societies. While technological
advancements undoubtedly present many advantages, at the
same time they pose new cybersecurity threats which have
significant impacts on a variety of domains such as government
systems, enterprises, ecommerce, online banking, and critical
infrastructure. According to an official survey conducted by The
Office for National Statistics [4], there were an estimated 3.6
million cases of fraud and two million computer misuse offences
in a year. Although there is a variety of reasons for conducting
cybercrimes, the motivation is often for financial gain. The
fundamental issue associated with cybercrime consists of
damage to reputation, monetary loss, in addition to impacts on
the confidentiality, integrity and availability of data.
By exploiting technology, cybercriminals, for instance, will
be able to turn IoT nodes into zombies (using malicious
software), carry out distributed denial of service (DDoS) attacks
(engineered through botnets), and create and distribute malware
aimed at specific appliances (such as those affecting VoIP
devices and smart vehicles) [1, 2], [5, 6, 7, 8, 9]. Other
challenges resulting from such technological advancements
include, but are not limited to: high volume of data,
heterogeneous nature of digital devices, advanced hardware and
software technologies, anti-forensic techniques, video and rich
media, whole drive encryption, wireless, virtualisation, live
response, distributed evidence, borderless cybercrime and dark
web tools, lack of standardised tools and methods, usability and
visualisation. The deployment of IP anonymity and the ease with
which individuals can sign up for a cloud service with minimum
information can also pose significant challenges in relation to
identifying a perpetrator [2], [5], [8], [9, 10].
As a result, the number of cases that necessitate DFIs are on
the rise, culminating in the creation of a backlog of cases for
LEAs worldwide [11, 12]. Therefore, given the discussion
above, it is of paramount importance that new research
approaches be created to deal with the aforementioned security
challenges. To this end, we evaluate the existing set of
circumstances surrounding the field of DF. Our research study
makes two important contributions to the field of DF. First, it
analyses the most difficult mid and long-term challenges that
need to be considered by both LEAs and DFEs. Second, it
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:15:22 UTC from IEEE Xplore. Restrictions apply.
proposes important specific future research directions, the
undertaking of which can assist both LEAs and DFEs in
adopting a new approach to combating cyber-attacks.
II. CHALLENEGES
As the field of DF continues to evolve, its development is
severely challenged by the growing popularity of digital devices
and the heterogeneous hardware and software platforms being
utilised [2], [13, 14]. For instance, the increasing variety of file
formats and OSs hampers the development of standardised DF
tools and processes [15]. Furthermore, the emergence of
smartphones that increasingly utilise encryption renders the
acquisition of digital evidence an intricate task. Additionally,
advancements in cybercrime have culminated in the substantial
challenge of business models, such as Crime as a Service
(CaaS), which provides the attackers with easy access to the
tools, programming frameworks, and services needed to conduct
cyberattacks [2]. The following sub-sections analyse the key
issues that pose significant challenges to the field of DF.
A. Cloud Forensics
The cloud computing paradigm presents many benefits both
to the organisations and individuals. One of such advantages
relates to the manner in which data is managed by the cloud
infrastructure. For instance, data is spread between various data
centres to improve performance and facilitate load-balancing,
scalability, and deduplication features. Because of this, data
requires an efficient indexing so that retrieval and optimisation
performance can take place to evade duplication that often
contributes to the expansion of storage needs. As a result,
evidence left by adversaries is more difficult to eliminate since
it can be copied in various locations, rendering the acquisition
of evidence and its examination easier to perform.
However, despite its many benefits, cloud computing poses
significant challenges to the LEAs and DFEs from a forensic
perspective. These include, but are not limited to, problems
associated with the absence of standardisation amongst different
CSPs, varying levels of data security and their Service Level
Agreements [5], [16, 17], multiple ownerships, tenancies, and
jurisdictions. Moreover, the distributed nature of cloud
computing services presents a variety of challenges to LEAs as
data often resides in a number of different jurisdictions. In
contrast with traditional DF in which data is held on a single
device, within cloud environments data is often spread over
multiple different nodes. As a result, LEAs need to rely on local
laws to be able to conduct digital evidence acquisition [1], [7],
[18]. Therefore, the discrepancy in the legal systems of different
jurisdictions combined with the lack of cooperation between
CSPs also poses significant challenges from a DF perspective.
In addition, existing DF models, frameworks, methodologies
and tools are mainly intended for off-line investigations,
designed on the premise that data storage under investigation is
within the LEAs’ control [19]. However, performing DFIs
within a cloud environment is increasingly challenging as digital
evidence is often short-lived and stored on media beyond the
control of DFEs [1]. Anonymising tools and distributed data
storage in cloud services also enable criminals to cover their
malicious activities more easily. Furthermore, the use of features
such as IP anonymity and the ease with which one can sign up
for a cloud service with minimal information make it almost
impossible to identify criminals in cloud environments [1], [7,
8]. Another challenge for DF is the availability of different
models for delivering cloud services (CSs). Specifically,
investigating the data of an infrastructure-as-a-service (IaaS)
user can be done without too many restrictions, but in the case
of customers using software-as-a-service (SaaS) resources,
access to information might be minimal or entirely absent.
Last, but not least, accessing a software application through
a cloud computing system often leaves traces of evidence in
various places on the OS, such as registry entries or temporary
Internet files. However, evidence is lost once the user has exited
the virtual environment as virtualisation sanitises traces of
leftover artefacts. As a result, virtualisation limits the traditional
examination of the leftover artefacts, rendering digital evidence
traditionally stored on hard drives potentially unrecoverable [20,
21]. Therefore, cloud-based forensic investigations pose
significant challenges related to the identification and extraction
of evidential artefacts.
B. Network Forensics
A Network Forensic Investigation (NFI) pertains to the
acquisition, storage and examination of network traffic
(encapsulated in network packets) generated by a host, an
intermediate node, or the whole portion of a network in order to
establish the source of a security attack. Network traffic objects
that require analysis consist of protocols used, IP addresses, port
numbers, timestamps, malicious packets, transferred files, user-
agents, application server versions, and operating system
versions, etc. This data can be acquired from different types of
traffic.
Similar to any other sub-fields of DF, NF poses various
challenges to DFEs and LEAs. One of the challenges concerns
traffic data sniffing. Contingent on the network set up and
security measures where the sniffer is installed, the tool is likely
not to capture all intended traffic data. However, this challenge
can be addressed by utilising a span port on network devices in
various places in the network. Another challenge for NF is that
an attacker might be able to encrypt the traffic by utilising a SSL
VPN connection. In this case, although the address and port will
still be visible to DFEs, data stream will not be available.
Therefore, additional analysis will need to be carried out so as
to establish penetrated data.
Another challenge is determining the source of an attack
since an attacker may use a zombie machine, an intermediate
host to perform an attack, or simply use a remote proxy server.
The deployment of such methods by an attacker makes it very
difficult for DFEs to determine the source of the attack.
However, this can be remedied by examining each packet only
in a basic manner in memory and storing only certain data for
future examination. Notwithstanding that this approach
necessitates less amounts of storage, it often requires a faster
processor to be able to manage the incoming traffic. To capture
and analyse evidential network data, DFEs need to use a number
of commercial and open-source security applications such as
tcpdump and windump. Additionally, ensuring the privacy of
legitimate end users is another challenging factor in NF as all
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:15:22 UTC from IEEE Xplore. Restrictions apply.
packet data including that of the end user is captured during an
investigation.
C. Internet of Things (IoT) Forensics
The Internet of Things (IoT) which is supported by the cloud,
big data and mobile computing often connects anything and
everything ‘online’. The IoT represents the interconnection of
uniquely identifiable embedded computing devices within the
current Internet infrastructure. Some IoT devices are ordinary
items with built-in Internet connectivity, whereas some are
sensing devices developed specifically with IoT in mind. The
IoT covers technologies, such as: unmanned aerial vehicles
(UAVs), smart swarms, the smart grid, smart buildings and
home appliances, autonomous cyber-physical and cyber-
biological systems, wearables, embedded digital items, machine
to machine communications, RFID sensors, and context-aware
computing, etc. Each of these technologies has become a
specific domain on their own merit. With the new types of
devices constantly emerging, the IoT has almost reached its
uttermost evolution. With an estimated number of 50 billion
devices that will be networked by 2020 [20, 21], it is estimated
that there will be 10 connected IoT devices for every person
worldwide [22].
IoT-connected devices offer many benefits both individually
and collectively. For instance, connected sensors can help
farmers to monitor their crops and cattle so as to improve
production, efficiency and track the health of their herds.
Intelligent health-connected devices can save or significantly
improve patients’ lives through wearable devices. For instance,
the wearable device developed by Intel can track symptoms of
Parkinsons disease patients by passively collecting 300
observations per second from each wearer, tracking various
activities and symptoms [23, 24].
However, despite its many benefits, IoT-connected devices
pose significant privacy and security challenges as these devices
and systems collect significant personal data about individuals.
As an example of privacy challenge, employers can use their
employees’ security access cards to track where they are in the
building to determine how much time the employees spend in
their office or in the kitchen. Another example relates to smart
meters that can determine when one is home and what
electronics they use. This data is shared with other devices and
stored in databases by companies. In relation to the security
challenges, due to the constant emergence of new and diverse
devices with varied OSs as well as the different networks and
related protocols, IoT produces a wider security attack surface
than that created by cloud computing. Examples of cyberattacks
that can be carried out on IoT devices include: intercepting and
hacking into cardiac devices such as pacemakers and patient
monitoring systems, launching DDoS attacks using
compromised IoT devices, hacking or intercepting In-Vehicle
Infotainment (IVI) systems, and hacking various CCTV and IP
cameras. Therefore, security is of paramount importance for the
secure and reliable operation of IoT-connected devices.
Although IoT uses the same monitoring requirements similar
to those utilised by cloud computing, it poses more security
challenges resulting from issues such volume, variety and
velocity. Furthermore, DFIs of IoT devices can be even more
difficult than those of cloud-based investigations as more
complex procedures are needed for investigation of these
devices.
IoT Forensics must involve identification and extraction of
evidential artefacts from smart devices and sensors, hardware
and software which facilitate a communication between smart
devices and the external world (such as computers, mobile, IPS,
IDS and firewalls), and also hardware and software which are
outside of the network being investigated (such as cloud, social
networks, ISPs and mobile network providers, virtual online
identities and the Internet). However, extracting evidential
artefacts from IoT devices in a forensically-sound manner and
then analysing them tend to be a complex process, if not
impossible, from a DF perspective. This is due to a variety of
reasons, including: the different proprietary hardware and
software, data formats, protocols and physical interfaces, spread
of data across multiple devices and platforms, change,
modification, loss and overwriting of data, and jurisdiction and
SLA (when data is stored in a cloud). Thus, determining where
data resides and how to acquire data can pose many challenges
to DFEs.
For instance, the DF analysis of IoT devices used in a
business or home environment can be challenging in relation to
establishing whom data belongs to since digital artefacts might
be shared or transmitted across multiple devices. In addition, due
to the fact that IoT devices utilise proprietary formats for data
and communication protocols, understanding the links between
artifacts in both time and space can be very complex. Another
challenge related to the DFI of IoT devices concerns the chain
of custody. In civil or criminal trial, collecting evidence in a
forensically sound manner and preserving chain of custody are
of paramount importance. However, ownership and preservation
of evidence in an IoT setting could be difficult and can have a
negative effect on a court’s understanding that the evidence
acquired is reliable.
Furthermore, existing DF tools and methods used to
investigate IoT devices are designed mainly for traditional DF
examining conventional computing devices such as PCs, laptops
and other storage media and their networks. For instance, the
current methods utilised to extract data from IoT devices
include: obtaining a flash memory image, acquiring a memory
dump through Linux dd command or netcat, and extracting
firmware data via JTAG and UART techniques. Moreover,
protocols such as Telnet, SSH, Bluetooth and Wi-Fi are
deployed to access and interact with IoT devices. Likewise, tools
such as FTK, EnCase, Cellebrite, X-Ways Forensic and
WinHex, etc. and internal utilities such as Linux dd command
(for IoT devices with OSs such as embedded Linux) are used to
extract and analyse data from IoT devices. However, the
forensic investigation of IoT devices necessitates specialised
handling procedures, techniques, and understanding of various
OSs and file systems. Additionally, by using conventional
Computer Forensic tools to conduct IoT Forensics, it would be
highly unlikely to maintain a chain of custody, the adherence to
which is required by the Association of Chief Police Officers
[25], concerning the collection of digital evidence.
Therefore, to deal with the aforementioned challenges posed
by IoT-connected devices, cloud cybersecurity will need to be
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:15:22 UTC from IEEE Xplore. Restrictions apply.
reviewed since each IoT device produces data that is stored in
the cloud. Cloud cybersecurity policies must be blended with
IoT infrastructure so as to provide timely responses for
suspicious activities [20]. They must be reviewed in relation to
evidence identification, data integrity, preservation, and
accessibility. CSPs will need to ensure the integrity of the digital
evidence acquired from cloud computing components in order
to facilitate an unbiased investigation process in establishing the
root cause of the cyberattack in IoT. Therefore, as the IoT
paradigm is further developed, it becomes necessary to develop
adaptive processes, accredited tools and dynamic solutions
tailored to the IoT model.
D. Big Data and Backlog of Digital Forensic Cases
Another key challenge that the field of DF is currently facing
pertains to the substantial and continuing increase in the amount
of data, i.e. big data – both structured and unstructured –
acquired, stored and presented for forensic examination. This
data is collected from a variety of sources such as digital devices,
networks, cloud, IoT devices, social media, sensors or machine-
to-machine data, etc. In particular, this challenge is relevant to
live network analysis since DFEs are unlikely to acquire and
store all the essential network traffic [2], [10]. This growth in
data volume is the consequence of the ongoing advancement of
storage technology such as growing storage capacity in devices
and cloud storage services, and an increase in the number of
devices seized per case. Consequently, this has resulted in an
increase in the backlog of DF cases that are awaiting (often
many months or years in some cases) investigations. The
backlog of DF cases necessitating investigation has had a
seriously adverse impact on the timeliness of criminal
investigations and the legal process. The delays of up to 4 years
in performing DFIs on seized digital devices have been reported
to have significant effect on the timeliness of criminal
investigations [5], [11], [26]. Due to such delays, some
prosecutions have even been discharged in courts. This backlog
of DF cases is predicted to increase due to the modern sources
of evidence such as those of IoT devices and CBSs.
To address the aforementioned issues, i.e. the 3Vs of the big
data, including: volume, variety and velocity, researchers have,
in recent years, proposed various solutions ranging from data
mining [27, 28, 29], data reduction and deduplication [27], [30,
31], triage [12], [32, 33, 34], increased processing power,
distributed processing [35, 36], cross-drive analysis [31],
artificial intelligence, and other advanced methods [30]. Despite
the usefulness of these solutions, additional research studies are
required to address the real-world relevance of the proposed
methods to deal with the data volume that gravely challenges the
field of DF. Therefore, it is of paramount importance to
implement several practical infrastructural enhancements to the
existing DF process. These augmentations should cover
elements such as automation of device collection and
examination, hardware-facilitated heterogeneous evidence
processing, data visualisation, multi-device evidence and
timeline resolution, data deduplication for storage and
acquisition purposes, parallel or distributed investigations and
process optimisation of existing techniques. Such enhancements
should be integrated to assist both law enforcement and third-
party providers of DF service to speed up the existing DF
process. The implementation of the stated elements can
significantly assist both new and augmented forensic processes.
E. Encryption
According to a survey conducted by the Forensic Focus [37],
data encryption in addition to Cloud Forensics (discussed
previously) are the most difficult challenges encountered by
DFEs. Encryption is the fastest method used to prevent access
to data held on a device. There exist numerous encryption
methods that can be implemented on a system or its peripherals.
Increase in storage devices has resulted in the creation of tools
capable of encrypting the entire volume of a hard drive.
Encryption can also be performed on an application, a folder, a
cloud service, mobile devices, and data stored in a database or
transmitted through email, etc. Concerning network-based data
hiding, this can be facilitated through methods such as Virtual
Private Network (VPN) tunnelling and the utilisation of proxy
servers and terminal emulators. Regardless of data being stored
in an unknown server in the cloud or on the perpetrator’s
computer’s encrypted hard drive, encryption often makes it
impossible for DFEs to acquire data essential for a DFI.
Although such technologies are not unbeatable, they often
necessitate large amount of time and luck to be bypassed [32],
[38, 39].
Since many of the encryption schemes are implemented to
resist brute-force attacks, it is, therefore, of paramount
importance that researchers be able to design certain
workarounds and exploits in order to be able to overcome
encryption and acquire evidence from encrypted devices.
Depending on the type of digital device involved, forensic
challenges of encrypted devices differ. There are currently
several exploits that DFEs can leverage to overcome encryption
in DFIs. For instance, DFEs can decrypt a BitLocker volume by
determining the correct Microsoft Account password. This can
be achieved by recovering the matching escrow key directly
from Microsoft Account. There are various tools and methods
(the discussion of which is outside the scope of this paper) for
retrieving the password. Another method of exploit used by the
researchers is to conduct RAM Forensics (imaging the RAM)
using a tool such as Belkasoft Live RAM Capturer and then
draw out a binary decryption key from that RAM image. Using
this method enables DFEs to bypass encryption and identify
malware that is not placed in persistent storage. For instance,
full-disk encryption on Windows desktop computers
(BitLocker) can be attacked by imaging the RAM through a
kernel-mode tool while the volume is mounted and examining
that memory image to acquire the binary decryption key. This
facilitates mounting BitLocker volumes in a short period of
time.
However, the development of RAM Forensic tools as noted
by Garfinkel [32] is more challenging than the creation of disk
tools. Data stored in disks is persistent and intended to be read
back in the future. However, data written to RAM can only be
read by the running program. Garfinkel [32] argues that as a
result there is less desire “for programmers to document data
structures from one version of a program to another”. Therefore,
issues as such can complicate the tasks of tool developers.
Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:15:22 UTC from IEEE Xplore. Restrictions apply.
F. Limitations in DF Tools and Lack of Standardisation
Existing DF tools and techniques are also limited in their
functionality and are poorly appropriate to the task of identifying
data which is “out-of-the-ordinary, out-of-place, or subtly
modified” [32], [40]. Traditional DF tools, techniques and
methods often lag behind new emerging technologies lacking
adequate capabilities to address the resultant challenges
presented by these technologies. Although current DF tools
might be able to handle a case containing several terabytes of
data, they are incapable of putting together terabytes of data into
a succinct report. Furthermore, it is challenging to employ DF
tools to recreate a unified timeline of past events or the activities
of a culprit. Event and timeline reconstructions are often
conducted manually during a given DFI. DF tools are also often
slow to conduct data analysis. Furthermore, the task of creating
digital documents which can be presented in courts has had an
adverse effect on the production of DF methods that could
process data that is not easily available [32], [41].
With regards to the lack of standardisation in DF, although
researchers in the field have made some attempts to agree on
formats, schema, and ontologies on DF artefacts, very little
progress have been made, if any [15], [42, 43, 44]. This is while
analysis of advanced cyber-attacks often necessitates concerted
efforts to deal with the processing of complex data. In most cases
such cooperation does not exist amongst DFEs and DF
researchers alike. As a result, the diversity problem arising from
the absence of standardised methods and guidelines to detect,
acquire, store, examine, analyse and present digital evidence
also pose significant challenges for DFIs [45, 46]. The lack of
formal and generic Digital Forensic Investigation Process
Models (DFIPMs) also contribute to the intricacy of acquiring
and analysing digital evidence in a forensically sound manner
[42]. Therefore, it is essential that DF community engage in
more collaborations to create effective standard formats and
abstractions.
III. RESEARCH DIRECTIONS
A. IoT Forensics
The Identification, Acquisition and Analysis (main phases of
a conventional DFI) of digital evidence in IoT environments
pose significant challenges to LEAs and DFEs. In relation to the
identification of a particular user’s data, it would be difficult for
investigators to determine how to conduct search and seizure
when the location and provenance of data (representing potential
digital evidence) cannot be determined. One of the ways to
address this challenge is to integrate the IoT device data into
Building Information Modelling. Thus, the research community
can consider this as a research opportunity to be explored.
With regards to the problems of extracting a specific user’s
data in IoT devices, the volatility of evidence in these devices is
more complex than the evidence volatility in traditional devices.
In IoT environments, data might be held locally by an IoT
device. In this case, the lifespan of the data is very short before
it is overwritten or compressed. Furthermore, digital evidence
(data) from an IoT device might be shifted and used by another
IoT device (or a local network of IoT-connected devices), or it
might be moved to the cloud for aggregation and processing. As
a result, the transmission and aggregation of evidence poses
significant challenges for maintaining the chain of evidence. To
deal with this challenge, we propose the development of new
investigation methods that can track and filter the transfer of data
across IoT-connected devices as …
D
EF
EN
S
E
A
C
Q
U
IS
IT
IO
N
UN
IVERSITY ALU
M
N
I A
S
S
O
C
IA
T
IO
N
R
E
S
E
A
R
C
H
PA
PER COMPETIT
IO
N
2010 ACS
2ndplace
METRICS-BASED
Risk Assessment
and Management
of DIGITAL FORENSICS
Mehmet Sahinoglu, MSgt Stephen Stockton, USAF (Ret.),
Capt Robert M. Barclay, USAF (Ret.), and Scott Morton
Driven by the ubiquity of computers in modern life and the subsequent rise of
cybercriminality and cyberterrorism in the government and defense industry,
digital forensics is an increasingly salient component of the defense acquisi-
tion process. Though primarily located in the law enforcement community,
digital forensics is increasingly practiced within the corporate world for legal
and regulatory requirements. Digital forensics risk involves the assessment,
acquisition, and examination of digital evidence in a manner that meets legal
standards of proof and admissibility. The authors adopt a model of digital
forensics risk assessment that quantifies an investigator’s experience with
lead image by Diane Fleischer
eight crucial aspects of the digital forensics process. This research adds the
concept of quantifying through a designed risk meter algorithm to calculate
digital forensics risk indices. Numerical and/or cognitive data were pains-
takingly collected to supply input parameters to calculate the quantitative
risk index for the digital forensics process. Much needed risk management
procedures and metrics are also appended.
Keywords: Cyberterrorism, cybercriminality, risk meter
154 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University http://www.dau.mil
Digital forensics is a topic that has been popularized by television pro-
grams such as CSI. Crime-solving glamour and drama aside, the reality is
that the digita l forensics process is a highly technica l field that depends
on the proper implementation of specif ic, well-accepted protocols a nd
procedures. Inadequate forensic tools and technical examination, as well
as lack of adherence to appropriate protocols and procedures, can result
in evidence that does not meet legal standards of proof and admissibility.
Digital forensics risk arises, for example, when personnel lack the proper
tools to conduct investigations, fail to process evidentiary data properly, or
do not follow accepted protocols and procedures.
Assessing and quantifying digital forensics risk is the goal of this article. To
do so, the authors utilize a digital forensics risk meter, based on a series of
questions designed to assess respondents’ perceptions of digital forensics
risk. Based on the responses, a digital forensics risk index will be calculated.
Where this approach differs is that other approaches typically provide gen-
eral guidance in the form of best practices, classification schemes or, at best,
a checklist for digital forensics procedures, and do not provide quantitative
tools (based on game theory) for risk management and mitigation. Examples
of other such approaches follow:
155Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
April 2016
• U.S. Department of Justice, Forensic Examination of Digital
Evidence: A Guide for Law Enforcement (general guidelines and
worksheets) (U.S. Department of Justice, 2004)
• Error, Uncertainty, and Loss in Digital Evidence (cer tainty
levels) (Casey, 2002)
• Cyber Criminal Activity Analysis Models using Markov Chain
for Digital Forensics (suspicion levels) (Kim & In, 2008)
• Two-Dimensional Evidence Reliability Amplification Process
Model for D igital Forensics (ev idence reliabi lit y) (K hatir,
Hejazi, & Sneiders, 2008)
• Building a D igital Fore n sic Laborator y: Establishing and
Managing a Successful Facility (checklist) (Jones & Valli, 2011)
One approach that does employ quantification, Metrics for Network Forensics
Conviction Evidence, is confined to network forensics—mostly measuring
severity impact—and does not provide mitigation advice (Amran, Phan,
& Parish, 2009). In that research article, the authors show “how security
metrics can be used to sustain a sense of credibility to network evidence
gathered as an elaboration and extension to an embedded feature of Network
Forensics Readiness (NFR).” They then propose “a procedure of evidence
acquisition in network forensics … then analyze a sample of a packet data in
order to extract useful information as evidence through a formalized intu-
itive model, based on capturing adversarial behavior and layer analysis, …
apply the Common Vulnerability Scoring System—or CVSS metrics to show
the severity of network attacks committed…”(p. 1).
The digital forensics risk meter presented in this article will provide objec-
tive, automated, dollar-based risk mitigation advice for interested parties
such as investigators, administrators, and officers of the court to minimize
digital forensics risk. Figure 1 represents a decision tree diagram to assess
risk; Figure 2 (with the Advice column on the right extracted from Figure
B-1, Appendix B) represents sample mitigation advice generated from the
respondents’ inputs. This article will not only present a quantitative model,
but will generate a prototype numerical index that facilitates appropriate
protocols and procedures to ensure that legal standards of proof and admis-
sibility are met.
156 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University http://www.dau.mil
FIGURE 1. DIGITAL FORENSICS RISK DIAGRAM
Protocols &
Procedures
Mission Statement
Personnel
Administrative
Service Request/Intake
Case Management
Evidence Handling/
Retention
Case Processing
Technical Procedures
Development
Case Assessment
Onsite
Location Assessment
Processing
Search Authority
Evaluation
Precautions
Protection
Preservation
Preparation
Physical Extraction
Logical Extraction
Timeframe Analysis
Data Hiding Analysis
Application/File Analysis
Ownership/Possession
Examiner Notes
Examiner Report
Findings Details/
Summation
Hardware
Software
Training
Funding
Jurisdiction
Search & Seizure
Admissibility
Victim Rights & Support
Court Preparation
Media
Victim
Relations
Legal
Aspects
Digital
Forensics Tools
Documentation
& Reporting
Evidence
Examination
Digital
Forensics
Risk
Evidence
Acquisition
Evidence
Assessment
157Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
April 2016
F
IG
U
R
E
2
. M
E
D
IA
N
D
IG
IT
A
L
F
O
R
E
N
S
IC
S
R
IS
K
M
E
T
E
R
R
E
S
U
LT
S
M
IT
IG
A
T
E
D
T
O
3
5
.8
3
\%
V
u
ln
er
ab
.
T
h
re
at
C
M
&
LC
M
R
es
.
R
is
k
C
M
&
LC
M
R
es
.
R
is
k
C
h
an
g
e
O
p
t
C
o
st
U
n
it
C
o
st
F
in
al
C
o
st
A
d
v
ic
e
0
.2
2
0
0
4
2
0
.4
15
7
7
1
0
.3
2
5
0
0
0
0
.3
2
5
0
0
0
0
.6
7
5
0
0
0
0
.0
6
17
5
4
0
.6
7
5
0
0
0
0
.0
6
17
5
4
0
.2
3
7
7
5
4
0
.3
7
5
0
0
0
0
.3
7
5
0
0
0
0
.6
2
5
0
0
0
0
.0
3
2
6
9
7
0
.6
2
5
0
0
0
0
.0
3
2
6
9
7
0
.3
4
6
4
7
6
0
.5
5
0
0
0
0
0
.5
5
0
0
0
0
0
.4
5
0
0
0
0
0
.0
3
4
3
0
8
0
.4
5
0
0
0
0
0
.0
3
4
3
0
8
0
.3
17
11
1
0
.5
5
9
2
5
9
0
.4
5
0
0
0
0
0
.7
2
17
0
5
0
.2
7
17
0
5
$
4
9
.7
7
In
c
re
a
se
t
h
e
C
M
c
a
p
a
c
it
y
f
o
r
th
re
a
t
“E
x
a
m
in
e
r
N
o
te
s”
f
o
r
th
e
v
u
ln
e
ra
b
ili
ty
o
f
“D
o
c
u
m
e
n
ta
ti
o
n
&
R
e
p
o
rt
in
g
”
fr
o
m
4
5
.0
0
\%
to
7
2
.17
\%
f
o
r
a
n
im
p
ro
ve
m
e
n
t
o
f
2
7.
17
\%
0
.5
5
0
0
0
0
0
.0
9
7
5
4
1
0
.2
7
8
2
9
5
0
.0
4
9
3
5
5
0
.4
4
0
74
1
0
.3
7
5
0
0
0
0
.3
7
5
0
0
0
0
.6
2
5
0
0
0
0
.0
8
7
3
5
2
0
.6
2
5
0
0
0
0
.0
8
7
3
5
2
158 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University http://www.dau.mil
F
IG
U
R
E
2
. M
E
D
IA
N
D
IG
IT
A
L
F
O
R
E
N
S
IC
S
R
IS
K
M
E
T
E
R
R
E
S
U
LT
S
M
IT
IG
A
T
E
D
T
O
3
5
.8
3
\%
, C
O
N
T
IN
U
E
D
V
u
ln
er
ab
.
T
h
re
at
C
M
&
LC
M
R
es
.
R
is
k
C
M
&
LC
M
R
es
.
R
is
k
C
h
an
g
e
O
p
t
C
o
st
U
n
it
C
o
st
F
in
al
C
o
st
A
d
v
ic
e
0
.4
6
2
8
4
7
0
.4
0
8
2
6
9
0
.7
2
5
0
0
0
0
.9
9
9
19
5
0
.2
74
19
5
$
5
0
.2
3
In
c
re
a
se
t
h
e
C
M
c
a
p
a
c
it
y
f
o
r
th
re
a
t
“V
ic
ti
m
R
ig
h
ts
&
S
u
p
p
o
rt
”
fo
r
th
e
v
u
ln
e
ra
b
ili
ty
o
f
“V
ic
ti
m
R
e
la
ti
o
n
s”
fr
o
m
7
2
.5
0
\%
t
o
9
9
.9
2
\%
f
o
r
a
n
im
p
ro
ve
m
e
n
t
o
f
2
7.
4
2
\%
0
.2
7
5
0
0
0
0
.0
5
19
6
6
0
.0
0
0
8
0
5
0
.0
0
0
15
2
0
.2
5
0
6
4
6
0
.5
7
5
0
0
0
0
.5
7
5
0
0
0
0
.4
2
5
0
0
0
0
.0
4
9
3
0
5
0
.4
2
5
0
0
0
0
.0
4
9
3
0
5
0
.3
4
10
8
5
0
.7
2
5
0
0
0
0
.7
2
5
0
0
0
0
.2
7
5
0
0
0
0
.0
4
3
4
14
0
.2
7
5
0
0
0
0
.4
3
4
14
To
ta
l
C
h
a
n
g
e
To
ta
l
C
o
st
B
re
a
k
E
ve
n
C
o
st
To
ta
l
F
in
a
l
C
o
st
5
4
.5
9
\%
$
10
0
.0
0
$
1.
8
3
159Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
April 2016
F
IG
U
R
E
2
. M
E
D
IA
N
D
IG
IT
A
L
F
O
R
E
N
S
IC
S
R
IS
K
M
E
T
E
R
R
E
S
U
LT
S
M
IT
IG
A
T
E
D
T
O
3
5
.8
3
\%
, C
O
N
T
IN
U
E
D
C
h
a
n
g
e
U
n
it
C
o
st
C
ri
ti
c
a
lit
y
1.
0
0
To
ta
l
R
is
k
0
.4
5
8
3
3
7
To
ta
l
R
is
k
0
.3
5
8
3
3
7
C
a
lc
u
la
te
F
in
a
l
C
o
st
C
a
p
it
a
l
$
1,
0
0
0
.0
0
P
e
rc
e
n
ta
g
e
4
5
.8
3
3
6
7
0
P
e
rc
e
n
ta
g
e
3
5
.8
3
3
6
9
8
C
o
st
P
ri
n
t
S
u
m
m
a
ry
To
ta
l
T
h
re
a
t
N
/A
F
in
a
l
R
is
k
0
.4
5
8
3
3
7
F
in
a
l
R
is
k
0
.3
5
8
3
3
7
C
o
st
s
P
ri
n
t
R
e
su
lt
s
Ta
b
le
E
C
L
$
4
5
8
.3
4
E
C
L
$
3
5
8
.3
4
V
ie
w
T
h
re
a
t
A
d
v
ic
e
C
h
a
n
g
e
E
C
L
D
e
lt
a
$
10
0
.0
0
C
o
st
P
ri
n
t
S
in
g
le
T
h
re
a
t/
C
M
S
e
le
c
ti
o
n
S
h
o
w
w
h
e
re
y
o
u
a
re
i
n
P
ri
n
t
A
d
v
ic
e
T
h
re
a
t/
C
M
S
e
le
c
ti
o
n
s
S
e
c
u
ri
ty
M
e
te
r
O
p
ti
m
iz
e
P
ri
n
t
A
ll
T
h
re
a
t/
C
M
S
e
le
c
ti
o
n
s
U
p
d
a
te
S
u
rv
e
y
Q
u
e
st
io
n
s
N
o
te
. C
M
=
C
o
u
n
te
rm
e
a
su
re
; E
C
L
=
E
x
p
e
c
te
d
C
o
st
o
f
L
o
ss
; L
C
M
=
L
a
c
k
o
f
C
o
u
n
te
rm
e
a
su
re
; O
p
t
=
O
p
ti
m
iz
e
t
o
; R
e
s.
R
is
k
=
R
e
si
d
u
a
l R
is
k
;
V
u
ln
e
ra
b
. =
V
u
ln
e
ra
b
ili
ty
.
160 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University http://www.dau.mil
Vulnerabilities, Threats, and
Countermeasures
Based on industry best practices guidelines, such as the U.S. Department
of Justice (2004) Forensic Examination of Digital Evidence: A Guide for Law
Enforcement, eight specific vulnerabilities are assessed:
1. Protocols and Procedures
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documentation and Reporting
6. Digital Forensics Tools
7. Legal Aspects
8. Victim Relations
Within each vulnerability category, questions pertain to specific threats and
countermeasures. For example, within the Evidence Acquisition vulnera-
bility, respondents are asked questions regarding precautions, protection,
a nd preser vation threats a nd countermea sures. Within the Ev idence
Exa mination v ulnerability, respondents a re asked questions rega rding
preparation, physica l extraction, logica l extraction, timeframe ana lysis,
data hiding analysis, application/file analysis, and ownership/possession
threats and countermeasures. Within the digital forensics Tools vulnerabil-
ity, respondents are asked questions regarding hardware, software, training,
and funding threats and countermeasures. Figure 1 details these vulnera-
bilities and threats. The responses are then used to generate a quantitative
Digital Forensics risk index.
Assessment Questions
Questions are designed to elicit responses regarding the perceived risk
to proper Digital Forensics procedures, evidence handling/examination,
admissibility, and other associated issues from particular threats, as well
as the countermeasures the respondents may employ to counteract those
161Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
April 2016
threats. For example, in the Evidence Examination vulnerability, questions
regarding the data hiding analysis threat include both threat and counter-
measure questions. Threat questions would include:
• Do file headers not correspond to file extensions?
• Did the suspect encrypt or password-protect data?
• Are hidden messages present?
• Are host-protected areas (HPA) present?
Countermeasure questions would include:
• Did the examiner correlate file headers to the corresponding
file extensions to identify any mismatches that may indicate
the user intentionally hid data?
162 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University http://www.dau.mil
• Did t he exa m i ner ga i n access to a l l pa ssword-protected,
encr y pted, a nd compressed f i les, wh ich may i nd icate a n
attempt to conceal the data from unauthorized users?
• Did the examiner conduct a thorough stenographic analysis?
• Did the examiner gain access to HPAs that may indicate an
attempt to conceal data?
Sa mple v u l nera bi l it y ( E v idence A cqu i sit ion) a s ses sment ques t ion s
employed in the dig ita l forensics risk meter a re found in Appendi x A .
Appendi x A a lso cla rif ies a nd precludes conf usion bet ween Ev idence
Acquisition and materiel acquisition. The first proactive step in any digi-
tal forensic investigation is acquisition. The inherent problem with digital
media is that it is readily modified just by accessing files. Working from
a copy is one of the fundamental steps to making a forensic investigation
auditable and acceptable to a court (Acquisition, n.d.).
Risk Calculation and Risk Management
through Surveys
Based on their experience, the respondents a nswer yes or no to the
survey questions. These responses are then used to calculate residual risk.
Employing a game-theoretical mathematical approach, the calculated risk
index is used to generate an optimization or lowering
of risk to desired levels (Sa hinoglu, 2007, 2016).
A more deta iled set of mitigation advice will be
generated to show interested parties (such as inves-
tigators, administrators, and officers of the court)
where risk can be reduced to optimized or desired
levels. An example of such risk reduction is shown
in Fig ure 2, f rom 45.8 percent to 35.8 percent ,
which represents the media n response from the
study participants (Sahinoglu, Cueva-Parra, & Ang,
2012). Figure 2 is an actual screenshot of a results
table, representing the median digital forensics risk
meter results displaying threat, countermeasures,
residua l risk indices, optimization options, a nd
risk mitigation advice. For this study, a random
sample of responses from 27 survey par-
ticipants was analyzed; their residual
163Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
April 2016
risk results are tabulated and presented in Appendix B. The survey portfo-
lio used in this assessment and upon which this research article is based
showed the complexity of the digital forensics field, encompassing tools,
procedures, specific training, budget, and trial.
Dig ita l forensics has two crucia l phases (Appendix A). The f irst phase
included a ll the forensics involved with the collection of data, while the
second phase concerns defending the data collected, the means by which
the data were collected, a nd cha in of custody applied from the origina l
collection until court (Sahinoglu, Stockton, Morton, Barclay, & Eryilmaz,
2014). The initial goal was to obtain survey input from local city leaders in
Montgomery, Alabama. Although individuals from the Governor’s Office,
Montgomery Police Department, and District Attorney’s office were will-
ing to assist, our short timeframe and their busy schedules prevented their
offices from providing input to the digital forensics survey. Fortunately, the
authors had contacts at other law enforcement offices, which agreed to make
personnel available for the survey and eventual follow-up. Eventually, three
law enforcement offices and one special investigation/training organization
participated and provided valuable input.
Our first objective was to explain the purpose of the survey and the potential
value the combined results could offer each of the offices. At each location,
participants included investigators, initia l responders, digita l forensics
specia lists, a nd lega l exper ts (i.e., District Attorney Off ice personnel).
The ra nge of exper tise of the pa r ticipa nts was inva luable, as each pro-
vided insight into an aspect of the survey that is often
unique to a position within a department. Because
of this range of expertise, the authors are confident
they were able to capture the three main components
of the sur vey por tion of the R isk-o-Meter (RoM).
Perspectives from collection of evidence, packaging
of evidence for trial, and presentation of evidence at
trial were all given. Although the special investiga-
tion/training organization had many fewer survey
participants, they did offer a unique perspective, as
they represented a n orga nization that focuses on
training digital forensics experts for the military.
The resu lts were t hen r un for each pa r ticipa nt ,
determining the Initia l Repair Cost to Mitigate.
This was determined by using a Criticality
of 1.0, Equipment Cost of $0.0, and a
164 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University http://www.dau.mil
Production Cost of $1,000. The median of all results was determined and
then optimized through the RoM to determine the best “bang for the buck”
that would reduce the participant’s Total Residual Risk by 10 percent. The
initial Total Residual Risk for the median participant was 45.8 percent, with
an Expected Cost of Loss (ECL) of $458.34. Once optimized, the Total Risk
was reduced to 35.8 percent, and the ECL was reduced by $100 to a total
ECL of $358.34 (Fig ure 2). The first optimized solution was to increase
the countermeasure (CM) capacity for the “Examiner Notes” threat for
the Documentation and Reporting vulnerability from 45.0 percent to 72.17
percent, for an improvement of 27.17 percent. The second optimized solution
was to increase the CM capacity for the “Victim Rights and Support” threat
for the Victim Relations vulnerability from 72.50 percent to 99.92 percent,
for an improvement of 27.42 percent.
Table B-2 in Appendix B depicts
a s e t o f c o n s t r a i n e d l i n e a r
equations used within the body
of t he r isk meter ’s innovative
second-sta ge sof t wa re for the
ga me -t heoret ic opt i m i z at ion
necessar y to create the Advice
column (shown on the right in
Figure 2). The Advice column’s
original survey calculations are
depicted in Fig ure B -1, which
displays company ECSO8: 14th
Ranked Overall Median Survey.
This is followed by Figure B-2,
which displays company OPD1’s
Group Media n Sur vey Ta ker’s
Origina l Sur vey Outcome; while Fig ure B-3 displays company AUPD5’s
Group Median Survey Taker’s Original Survey Outcome. In each case, the
company representative seemed impressed with the results and noted the
results for possible future implementation. One organization actually com-
mented that they had already begun looking into increases in at least one
CM that was identified by the optimization. Clearly, this episode validated
the tool and its usefulness in their eyes.
165Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
April 2016
Discussion and Conclusions
The advantages of conducting business on the Internet have been well
documented. Conducting business online is frequently faster and cheaper
than utilizing traditional methods. However, this comes with the digital
forensics-related vulnerabilities and pertinent threats that tend to convert
the positive adva ntages to clea r disadva ntages as a result of fraud a nd
wrongdoing. With the advent of the Internet and burgeoning information
systems, digital forensics has gained worldwide momentum. In every envi-
ronment, the content of digital information relative to criminal undertakings
and investigations alike has vastly increased, growing disproportionately
to the capacities of state and local governments, as well as federal agencies
and military components. The risk assessment, risk mitigation, or general
risk management that involve planned investment policy in order of priority,
with a sound and auditable, cost-effective approach, are missing links. The
proposed digital forensics risk meter is an innovative initiative that provides
a quantitative assessment of risk to the user as well as recommendations
for mitigating that risk. This approach will be a highly useful tool to inter-
ested parties such as investigators, company or system administrators, and
officers of the court seeking to minimize and thereby mitigate digital foren-
sics risk by leveraging and introducing early, preventive CMs identified as
an outcome of this dynamic closed-end survey.
Additional future research by the principal author will involve the addition
of cloud computing concerns such as service provider cooperation and data
accessibility, as well as the incorporation of new questions so as to better
refine user responses and subsequent calculation of risk and mitigation rec-
ommendations. Minimization or mitigation of digita l forensics risk will
greatly facilitate the success of digital forensics investigations, ensuring that
legal standards of proof and admissibility are ultimately met. The digital
forensics risk meter tool provides the means to identify areas where risk can
This approach will be a highly useful tool to interested
parties such as investigators, company or system admin-
istrators, and officers of the court seeking to minimize
and thereby mitigate digital forensics risk by leveraging
and introducing early, preventive CMs identified as an
outcome of this dynamic closed-end survey.
166 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University http://www.dau.mil
be minimized, as well as giving the objective, dollar-based mitigation advice
to do just that. This aspect of objective quantifiable risk assessment and man-
agement will add to the trustworthiness of acquisition practices in terms of
dependable Internet communications involving great quantities of materiel
and their budgetary repercussions.
Limitations and Future Research
The limitations are obvious due to input data deficiency, but methods
such as the one proposed in this article are a good way to start due to the
objective, hands-off, automated, cost-effective treatment of the problem at
hand. Sound assessment of digital forensics risk can result when informa-
tion entered, from learned respondents, is as close to the truth as feasibly
possible. The discussion that follows clarifies how this proposed work is
directly relevant to acquisition reisk mitigation if applied appropriately
within a system.
This research article is not focused on the usual law enforcement or digi-
tal-policing procedures, but is directed towards greater awareness for the
in-house (e.g., acquisition community) workforce as they manage already
existing risk assessment and risk management algorithms. By leveraging
the countermeasures outlined in this article (in particular, the Advice col-
umn in Figure 2, which employs probability-estimation and game-theoretic
risk computing), the authors anticipate that acquisition practitioners can
better preclude future digital forensics breaches by taking timely CMs.
Law enforcement, in cooperation with the defense acquisition community,
is increasingly becoming an important player in digital forensics, thereby
lending increased scrutiny in this vital area. Law enforcement is more aware
of evidence such as drug cartel activity and money laundering through all
avenues such as export, import, and domestic acquisition activities. Even
in homicide cases, much useful evidence can be deduced by using digital
forensics information. In addition, digital forensics sciences not only can
break a difficult case, but can do so quickly and inexpensively compared to
police detectives’ usual time-tested, but tedious practices. The proposed
risk meter software and its algorithm can successfully lead the way toward
navigating the stages of cost-effective risk assessment and management.
In conclusion, the best “bang for the buck” derives from simple usability
and scientific objectivity.
167Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
April 2016
References
Acquisition. (n.d.). In Wikibooks. Retrieved from https://en.wikibooks.org/wiki/
Introduction_to_Digital_Forensics/Acquisition
Amran, A. R., Phan, R. C. W., & Parish, D. J. (2009). Metrics for network
forensics conviction evidence. Proceedings of the International Conference
for Internet Technology and Secured Transactions (ICITST), Institute of
Electrical and Electronics Engineers (pp. 1–8), London, England. doi: 10.1109/
ICITST.2009.5402640
Casey, E. (2002, Summer). Error, uncertainty, and loss in digital evidence.
International Journal of Digital Evidence, 1(2). Retrieved from https://utica.
edu/academic/institutes/ecii/publications/articles/A0472DF7-ADC9-7FDE-
C80B5E5B306A85C4.pdf
Jones, A., & Valli, C. (2011). Building a digital forensic laboratory: Establishing and
managing a successful facility, Burlington, MA: Butterworth Heinemann &
Syngress.
Khatir, M., Hejazi, S. M., & Sneiders, E. (2008). Two-dimensional evidence reliability
amplification process model for Digital Forensics. Proceedings of the IEEE
Third International Annual Workshop on Digital Forensics and Incidents Analysis
(WDFIA 2008) (pp. 21–29), Malaga, Spain. doi: 10.1109/WDFIA.2008.11
Kim, D. H., & In, H. P. (2008). Cyber criminal activity analysis models using Markov
chain for Digital Forensics. Proceedings of the 2nd International Conference
on Information Security and Assurance (pp. 193–198), Busan, Korea. doi: 1109/
ISA.2008.90
Sahinoglu, M. (2007). Trustworthy computing: Analytical and quantitative engineering
evaluation. Hoboken, NJ: John Wiley.
Sahinoglu, M. (2016). Cyber-risk informatics: Engineering evaluation with data science.
Hoboken, NJ: John Wiley.
Sahinoglu, M., Cueva-Parra, L., & Ang, D. (2012, May-June). Game-theoretic computing
in risk analysis. Wiley Interdisciplinary Reviews: Computational Statistics, 4(3),
227–248. doi: 10.1002/wics.1205. Retrieved from http://authorservices.wiley.com/
bauthor/onlineLibraryTPS.asp?DOI=10.1002/wics.1205&ArticleID=961931
Sahinoglu, M., Stockton, S., Morton, S., Barclay, R., & Eryilmaz, M. (2014, November
20). Assessing Digital Forensics risk: A metric survey approach. Proceedings of
the SDPS 2014 Malaysia, 19th International Conference on Transformative Science
and Engineering, Business and Social Innovation, Sarawak, Malaysia. Retrieved
from https://www.researchgate.net/publication/268507819_ASSESSING_
DIGITAL_FORENSICS_RISK_A_METRIC_SURVEY_APPROACH
U.S. Department of Justice. (2004). Forensic examination of digital evidence: A guide
for law enforcement. Retrieved from https://www.ncjrs.gov/pdffiles1/nij/
199408.pdf
168 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University http://www.dau.mil
Appendix A
Sample Vulnerability (Evidence Acquisition, Documentation
and Reporting, and Victim Relations) Assessment Questions
(in XML format) and Survey Template
<survey>
<vulnerability title= “Evidence Acquisition” level= “0”>
<vQuestion> Are special precautions not taken to preserve digital evidence?
</vQuestion>
<vQuestion> Was write protection not utilized to preserve and protect
original evidence? </vQuestion>
<vQuestion> Was digital evidence not secured in accordance with
departmental guidelines? </vQuestion>
<vQuestion> Was speed the primary concern when it came to acquiring
digital evidence? </vQuestion>
<threat title = “Precautions”>
<tQuestion> Was evidence on storage devices destroyed or altered?
</tQuestion>
<tQuestion> Was equipment damaged by static electricity and magnetic
fields? </tQuestion>
<tQuestion> Was the original internal configuration of storage devices and
hardware unnoted? </tQuestion>
<tQuestion> Were investigators unable to provide drive attributes?
</tQuestion>
<threat title = “Protection”>
<tQuestion> Was CMOS/BIOS information not captured? </tQuestion>
<tQuestion> Was the computer’s functionality and the forensic boot disk
not …
CATEGORIES
Economics
Nursing
Applied Sciences
Psychology
Science
Management
Computer Science
Human Resource Management
Accounting
Information Systems
English
Anatomy
Operations Management
Sociology
Literature
Education
Business & Finance
Marketing
Engineering
Statistics
Biology
Political Science
Reading
History
Financial markets
Philosophy
Mathematics
Law
Criminal
Architecture and Design
Government
Social Science
World history
Chemistry
Humanities
Business Finance
Writing
Programming
Telecommunications Engineering
Geography
Physics
Spanish
ach
e. Embedded Entrepreneurship
f. Three Social Entrepreneurship Models
g. Social-Founder Identity
h. Micros-enterprise Development
Outcomes
Subset 2. Indigenous Entrepreneurship Approaches (Outside of Canada)
a. Indigenous Australian Entrepreneurs Exami
Calculus
(people influence of
others) processes that you perceived occurs in this specific Institution Select one of the forms of stratification highlighted (focus on inter the intersectionalities
of these three) to reflect and analyze the potential ways these (
American history
Pharmacology
Ancient history
. Also
Numerical analysis
Environmental science
Electrical Engineering
Precalculus
Physiology
Civil Engineering
Electronic Engineering
ness Horizons
Algebra
Geology
Physical chemistry
nt
When considering both O
lassrooms
Civil
Probability
ions
Identify a specific consumer product that you or your family have used for quite some time. This might be a branded smartphone (if you have used several versions over the years)
or the court to consider in its deliberations. Locard’s exchange principle argues that during the commission of a crime
Chemical Engineering
Ecology
aragraphs (meaning 25 sentences or more). Your assignment may be more than 5 paragraphs but not less.
INSTRUCTIONS:
To access the FNU Online Library for journals and articles you can go the FNU library link here:
https://www.fnu.edu/library/
In order to
n that draws upon the theoretical reading to explain and contextualize the design choices. Be sure to directly quote or paraphrase the reading
ce to the vaccine. Your campaign must educate and inform the audience on the benefits but also create for safe and open dialogue. A key metric of your campaign will be the direct increase in numbers.
Key outcomes: The approach that you take must be clear
Mechanical Engineering
Organic chemistry
Geometry
nment
Topic
You will need to pick one topic for your project (5 pts)
Literature search
You will need to perform a literature search for your topic
Geophysics
you been involved with a company doing a redesign of business processes
Communication on Customer Relations. Discuss how two-way communication on social media channels impacts businesses both positively and negatively. Provide any personal examples from your experience
od pressure and hypertension via a community-wide intervention that targets the problem across the lifespan (i.e. includes all ages).
Develop a community-wide intervention to reduce elevated blood pressure and hypertension in the State of Alabama that in
in body of the report
Conclusions
References (8 References Minimum)
*** Words count = 2000 words.
*** In-Text Citations and References using Harvard style.
*** In Task section I’ve chose (Economic issues in overseas contracting)"
Electromagnetism
w or quality improvement; it was just all part of good nursing care. The goal for quality improvement is to monitor patient outcomes using statistics for comparison to standards of care for different diseases
e a 1 to 2 slide Microsoft PowerPoint presentation on the different models of case management. Include speaker notes... .....Describe three different models of case management.
visual representations of information. They can include numbers
SSAY
ame workbook for all 3 milestones. You do not need to download a new copy for Milestones 2 or 3. When you submit Milestone 3
pages):
Provide a description of an existing intervention in Canada
making the appropriate buying decisions in an ethical and professional manner.
Topic: Purchasing and Technology
You read about blockchain ledger technology. Now do some additional research out on the Internet and share your URL with the rest of the class
be aware of which features their competitors are opting to include so the product development teams can design similar or enhanced features to attract more of the market. The more unique
low (The Top Health Industry Trends to Watch in 2015) to assist you with this discussion.
https://youtu.be/fRym_jyuBc0
Next year the $2.8 trillion U.S. healthcare industry will finally begin to look and feel more like the rest of the business wo
evidence-based primary care curriculum. Throughout your nurse practitioner program
Vignette
Understanding Gender Fluidity
Providing Inclusive Quality Care
Affirming Clinical Encounters
Conclusion
References
Nurse Practitioner Knowledge
Mechanics
and word limit is unit as a guide only.
The assessment may be re-attempted on two further occasions (maximum three attempts in total). All assessments must be resubmitted 3 days within receiving your unsatisfactory grade. You must clearly indicate “Re-su
Trigonometry
Article writing
Other
5. June 29
After the components sending to the manufacturing house
1. In 1972 the Furman v. Georgia case resulted in a decision that would put action into motion. Furman was originally sentenced to death because of a murder he committed in Georgia but the court debated whether or not this was a violation of his 8th amend
One of the first conflicts that would need to be investigated would be whether the human service professional followed the responsibility to client ethical standard. While developing a relationship with client it is important to clarify that if danger or
Ethical behavior is a critical topic in the workplace because the impact of it can make or break a business
No matter which type of health care organization
With a direct sale
During the pandemic
Computers are being used to monitor the spread of outbreaks in different areas of the world and with this record
3. Furman v. Georgia is a U.S Supreme Court case that resolves around the Eighth Amendments ban on cruel and unsual punishment in death penalty cases. The Furman v. Georgia case was based on Furman being convicted of murder in Georgia. Furman was caught i
One major ethical conflict that may arise in my investigation is the Responsibility to Client in both Standard 3 and Standard 4 of the Ethical Standards for Human Service Professionals (2015). Making sure we do not disclose information without consent ev
4. Identify two examples of real world problems that you have observed in your personal
Summary & Evaluation: Reference & 188. Academic Search Ultimate
Ethics
We can mention at least one example of how the violation of ethical standards can be prevented. Many organizations promote ethical self-regulation by creating moral codes to help direct their business activities
*DDB is used for the first three years
For example
The inbound logistics for William Instrument refer to purchase components from various electronic firms. During the purchase process William need to consider the quality and price of the components. In this case
4. A U.S. Supreme Court case known as Furman v. Georgia (1972) is a landmark case that involved Eighth Amendment’s ban of unusual and cruel punishment in death penalty cases (Furman v. Georgia (1972)
With covid coming into place
In my opinion
with
Not necessarily all home buyers are the same! When you choose to work with we buy ugly houses Baltimore & nationwide USA
The ability to view ourselves from an unbiased perspective allows us to critically assess our personal strengths and weaknesses. This is an important step in the process of finding the right resources for our personal learning style. Ego and pride can be
· By Day 1 of this week
While you must form your answers to the questions below from our assigned reading material
CliftonLarsonAllen LLP (2013)
5 The family dynamic is awkward at first since the most outgoing and straight forward person in the family in Linda
Urien
The most important benefit of my statistical analysis would be the accuracy with which I interpret the data. The greatest obstacle
From a similar but larger point of view
4 In order to get the entire family to come back for another session I would suggest coming in on a day the restaurant is not open
When seeking to identify a patient’s health condition
After viewing the you tube videos on prayer
Your paper must be at least two pages in length (not counting the title and reference pages)
The word assimilate is negative to me. I believe everyone should learn about a country that they are going to live in. It doesnt mean that they have to believe that everything in America is better than where they came from. It means that they care enough
Data collection
Single Subject Chris is a social worker in a geriatric case management program located in a midsize Northeastern town. She has an MSW and is part of a team of case managers that likes to continuously improve on its practice. The team is currently using an
I would start off with Linda on repeating her options for the child and going over what she is feeling with each option. I would want to find out what she is afraid of. I would avoid asking her any “why” questions because I want her to be in the here an
Summarize the advantages and disadvantages of using an Internet site as means of collecting data for psychological research (Comp 2.1) 25.0\% Summarization of the advantages and disadvantages of using an Internet site as means of collecting data for psych
Identify the type of research used in a chosen study
Compose a 1
Optics
effect relationship becomes more difficult—as the researcher cannot enact total control of another person even in an experimental environment. Social workers serve clients in highly complex real-world environments. Clients often implement recommended inte
I think knowing more about you will allow you to be able to choose the right resources
Be 4 pages in length
soft MB-920 dumps review and documentation and high-quality listing pdf MB-920 braindumps also recommended and approved by Microsoft experts. The practical test
g
One thing you will need to do in college is learn how to find and use references. References support your ideas. College-level work must be supported by research. You are expected to do that for this paper. You will research
Elaborate on any potential confounds or ethical concerns while participating in the psychological study 20.0\% Elaboration on any potential confounds or ethical concerns while participating in the psychological study is missing. Elaboration on any potenti
3 The first thing I would do in the family’s first session is develop a genogram of the family to get an idea of all the individuals who play a major role in Linda’s life. After establishing where each member is in relation to the family
A Health in All Policies approach
Note: The requirements outlined below correspond to the grading criteria in the scoring guide. At a minimum
Chen
Read Connecting Communities and Complexity: A Case Study in Creating the Conditions for Transformational Change
Read Reflections on Cultural Humility
Read A Basic Guide to ABCD Community Organizing
Use the bolded black section and sub-section titles below to organize your paper. For each section
Losinski forwarded the article on a priority basis to Mary Scott
Losinksi wanted details on use of the ED at CGH. He asked the administrative resident