Fluent Essays

Digital forensics is often summarized in four phases (e.g., collection, preservation, analysis, and reporting). We have learned this already. However, I think its important for you to be aware of how there are many different excellent models out there that seek to break down digital forensics in a series of flowcharts/phases / moving parts. Then Chapter 14 talks about the different trends and future directions. So, I am attaching a couple research papers. Please check out them out in which can be found in the Supplemental Materials folder. Some of the models out there are very specific e.g., for network forensics, triage, or cybercrime. I would like you to read these papers - who knows you may see a model that resonates well with you. This can be helpful if you are asked to consult on what is the right model that should be followed in a particular legal matter in today’s brave new world. Instructions Now that you have reviewed the different models of digital forensics, what are your thoughts about the authors proposed model? Do you agree or disagree? Do you have a preference for the other models and if so, what is your preference and why? Note - there are NO right or wrong answers here. I value your insights. APA Format Need 1 Page without references page Plagiarism report  !!! RESEARCH DOCUMENTS ATTACHED !!!!   !!! NEED 2 ANSWERS FOR THIS QUESTION WITH 0\% PLAGIARISM!!!! See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/242524844 FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW Conference Paper · November 2012 DOI: 10.5121/csit.2012.2222 CITATIONS 19 READS 862 3 authors, including: Some of the authors of this publication are also working on these related projects: Edited Book View project Patent View project Gulshan Shrivastava Sharda University 95 PUBLICATIONS   507 CITATIONS    SEE PROFILE Kavita Sharma G.L. Bajaj Institute of Technology & Management 58 PUBLICATIONS   412 CITATIONS    SEE PROFILE All content following this page was uploaded by Gulshan Shrivastava on 04 April 2018. The user has requested enhancement of the downloaded file. https://www.researchgate.net/publication/242524844_FORENSIC_COMPUTING_MODELS_TECHNICAL_OVERVIEW?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_2&_esc=publicationCoverPdf https://www.researchgate.net/publication/242524844_FORENSIC_COMPUTING_MODELS_TECHNICAL_OVERVIEW?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_3&_esc=publicationCoverPdf https://www.researchgate.net/project/Edited-Book-6?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_9&_esc=publicationCoverPdf https://www.researchgate.net/project/Patent-56?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_9&_esc=publicationCoverPdf https://www.researchgate.net/?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_1&_esc=publicationCoverPdf https://www.researchgate.net/profile/Gulshan-Shrivastava?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_4&_esc=publicationCoverPdf https://www.researchgate.net/profile/Gulshan-Shrivastava?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_5&_esc=publicationCoverPdf https://www.researchgate.net/institution/Sharda_University?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_6&_esc=publicationCoverPdf https://www.researchgate.net/profile/Gulshan-Shrivastava?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_7&_esc=publicationCoverPdf https://www.researchgate.net/profile/Kavita-Sharma-4?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_4&_esc=publicationCoverPdf https://www.researchgate.net/profile/Kavita-Sharma-4?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_5&_esc=publicationCoverPdf https://www.researchgate.net/profile/Kavita-Sharma-4?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_7&_esc=publicationCoverPdf https://www.researchgate.net/profile/Gulshan-Shrivastava?enrichId=rgreq-c9b81550f21377b21b9aa9dca126b85c-XXX&enrichSource=Y292ZXJQYWdlOzI0MjUyNDg0NDtBUzo2MTE3NTE2MzI1ODA2MDhAMTUyMjg2NDM2MzA1OQ\%3D\%3D&el=1_x_10&_esc=publicationCoverPdf David C. Wyld, et al. (Eds): CCSEA, SEA, CLOUD, DKMP, CS & IT 05, pp. 207–216, 2012. © CS & IT-CSCP 2012 DOI : 10.5121/csit.2012.2222 FORENSIC COMPUTING MODELS: TECHNICAL OVERVIEW Gulshan Shrivastava, Kavita Sharma, Akansha Dwivedi Department of Information Technology, Dronacharya College of Engineering, Gr. Noida, U.P., India [email protected], [email protected], [email protected] ABSTRACT In this paper, we deal with introducing a technique of digital forensics for reconstruction of events or evidences after the commitment of a crime through any of the digital devices. It shows a clear transparency between Computer Forensics and Digital Forensics and gives a brief description about the classification of Digital Forensics. It has also been described that how the emergences of various digital forensic models help digital forensic practitioners and examiners in doing digital forensics. Further, discussed Merits and Demerits of the required models and review of every major model. KEYWORDS Digital Forensics, Computer Forensics, Digital Forensic Model, Digital Forensic History, Digital Evidence. 1. INTRODUCTION Today in the computers world along with the computers, its user is also increasing very rapidly. Now the time has come in which organization are strongly dependent on the computers and internet for taking their business to the crest. A large package of information is being sent or received at one click. The large numbers of computers are connected in a cob-web like network, which is necessary for dispatching and receiving information. Along with boom, these computers are also responsible for cyber frauds and cybercrimes (CFCC).the first computer crime was approximately 85\% of 66 million U.S dollar was last by organizations due to digital related crime in 2007.The technique named “Digital Forensics” has been started from a basic level and extended up to level, that it has occupied an untouched and influence able place in almost every field related to the computers. Its birth is stated in 1970’s almost forty years back. In the initiating days of digital forensics it was primarily used for data recovery and the technique was only performed by the computer professionals. This research emphasizes on a techniques through which the clues after crime can be constructed i.e. a uniform approach of digital forensic models 208 Computer Science & Information Technology (CS & IT) for digital forensic investigation. The research is about the postulates of the different digital forensic models and their limitation. The research will conclude to a new digital forensic model. 1.1 History and Previous Work Mark Reith et al. concluded that “digital forensic is the use of scientifically derived and proven methods toward the identification, preservation, collection, validation, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the reconstruction of events”. Digital forensics is a wide branch comprising of branch like computer forensics, digital forensics not only cover the evidences reconstructed after the crime committed by or through a stand-alone computers , the evidences reconstructed from any of digital sources can be interpreted by using digital forensics. Digital forensics investigation has three phases to go through. Table 1 :( History Evolution of digital forensic) [2] Year History 1978 First computer crime in Florida which involved unauthorized modification and deletion of data on a computer system. Prior 1980 Computer crimes were solved using existing laws. No federal laws for computer crimes. 1983 Canada – The first country to pass legislation dealing with computer crimes. 1984 United States passed Federal Computer Fraud & Abuse Act 1990 United Kingdom passed British Computer Misuse Act. 1992 Collier & Spaul wrote a paper ‘A forensic methodology for countering computer crime.’ 2002 Scientific Working Group on Digital Evidence (SWGDE) produced a paper ‘Best practices for computer forensic’. 2005 Publication of an ISO standard (ISO 17025, General requirements) for the competence of testing & calibration laboratories. 2005 Onwards till now Various dimensions related to computer crimes are being discussed. Computer Science & Information Technology (CS & IT) 209 1.2 Process of Digital Forensic Investigation Figure 1 :( Process of Digital Forensic) [1] 1.2.1 Acquiring It is the process of conquering the digital evidences carefully, so the integrity of evidence can be maintained. 1.2.2 Authenticating The process of examining the validation of evidence, whether it is valid to use or not. 1.2.3 Analyzing The close examination of data to sort out the case. 2. DIGITAL EVIDENCES AND IT’S CHARACTERISTICS Digital evidence is defined as the clues which can be recovered from digital sources and helps in digital forensic investigation. Digital evidence is very delicate to deal with. If it is handed improperly, its integrity can be spoiled. Digital evidence is hidden evidence just like any biometric evidence [3]. 2.1 Classification of Digital Forensics It is stated that there are various types of digital forensics. Some of them are:- ACQUIRING AUTHENTICATING ANALYZING 210 Computer Science & Information Technology (CS & IT) Figure 2 :( Types of Digital Forensics) i. Computer Forensics It has been defined that this branch of digital forensics deals with the reconstruction of evidences from the suspected computer which is found from the location of crime. It has also been called as ‘media forensics. ii. Software Forensics It has been called as ‘code analysis. In this branch it has been discussed about the identification of the developer of unauthorized code, or of any e-mail document. iii. Cyber Forensics It is also called as ‘network forensics. This technique is used to identify, collect, examine the digital evidences reconstructed from various digital sources or to measure the amount of unauthorized activities meant to disrupt, corrupt the particular system. iv. Document Digitized Forensics It is being considered as upcoming branch of digital forensics to develop the procedures for detecting the decepted data and its solution. Usually frauds committed through printers and scanners will be resolved by this technique. 3. NEED OF DIGITAL FORENSIC MODEL To reconstruct the digital evidences from digital sources a technique called digital forensics has been developed. The digital forensic models have been constructed so that step wise or ordered inspection procedure of digital evidences can be made through it. The models can provide digital evidence examiners or investigators with the detailed and transparent information’s about particular aspect or phase to be considered during the process of digital forensic investigation. Computer Science & Information Technology (CS & IT) 211 4. EXISTING DIGITAL FORENSIC INVESTIGATION MODEL Table 2 :( Existing digital forensics models) 4.1 The Forensic Process Model [4] This model was proposed by NIJ for electronic crime scene investigation. It comprises of four phases: 1. COLLECTION: in this process evidences are searches, felicitated and get collected. 2. EXAMINATION: it is done to make the evidences transparent & find the base of its origin. 3. ANALYSIS: the inspection of the outcome of the examination phase. 4. REPORTING: outlining the outcomes and conclusion of all the phases and information gathered. Disadvantage: The analysis phase of this model is improperly defined and ambiguous [9]. Year Model Description 2001 The forensic process model proposed by Ashcroft the U.S National Institute of Justice(NIJ) It serves as a guide for first responders. This guide is used by enforcement & other for protecting , recognition , can of digital evidence 2002 Abstract digital forensic model proposed by Reith , Carr & Gunsch It is based on traditional strategy of forensic evidence collection. 2003 The integrated digital investigation process model (IDIP) proposed by Carrier and Spafford. In this model digital investigative process is converted into physical investigation process. 2004 Extended model of cyber crime investigation proposed by Ciardhuain It emphasizes on the management aspect. 2005 Case-relevance information investigation proposed by Ruibin, Yun & Gartner. In this model computer intelligence will assist in investigation procedures. The degrees of case-relevance are defined. 2009 Digital forensic model based on Malaysian investigation process proposed by Perusal The acquiring of static & dynamic data is included in this model. 2011 The systematic digital forensic investigation model (SRDHM) proposed by Ademu, Imafidon and Preston. It helps forensic examiner & organization in a proper manner. 212 Computer Science & Information Technology (CS & IT) Figure 3 : ( Forensic Process Model) Figure 4 : ( Disadvantage in Forensic Process Model) Collect The Evidence Examine the evidence Analyze the evidence Reporting Improperly defined and ambiguous process. It is often misunderstood as an interpretation of the results from examination phase COLLECTION EXAMINATION ANALYSIS REPORTING Computer Science & Information Technology (CS & IT) 213 4.2 The Abstract Digital Forensic Model [5] This model comprises of nine components. 1. IDENTIFICATION: It helps in recognizing & identifying the type of the incident. It has a influence on other steps or phases of this model. 2. PREPARATION: The preparation of procedure, techniques, search warrants. 3. APPROACH STRATEGY: It is the formulation of procedures and approach to be used in the collection of evidences. 4. PRESERVATION: It deals with securing and preserving the evidences. 5. COLLECTION: The collection is done using the standardized procedures to record the physical scene. 6. EXAMINATION: It deals with searching evidences of the related suspect of the crime. 7. ANALYSIS: The inspection of importance of examined product. 8. PRESENTATION: The explanation of all the phases involved. 9. RETURNING EVIDENCE: Returning the digital sources back to the right owner. Disadvantage: In this model third phase is to an extent a duplication of its second phase. This is because the preparation wile selecting tools directly depends on strategy selected. Figure 5 : ( Disadvantage of the Abstract Digital Forensic Model) Returning Evidence Identification Preparation Approach Strategy Preservation Collection Examination Analysis Presentation Duplication of each other 214 Computer Science & Information Technology (CS & IT) 4.3 The Integrated Digital Investigation Model (2003) [3] The previous work has been reviewed and digital investigation process is transformed into the physical investigation process. Brian Carrier and Eugene Spafford proposed model that manages the process into five groups. 1. READINESS PHASES: The goal of this phase is to ensure that the operations and infrastructure are able to fully support an investigation. 2. DEPLOYMENT PHASE: The motive of this phase is to provide a mechanism for an incident to be detected and confirmed. 3. PHYSICAL CRIME SCENE INVESTIGATION PHASE: The goal of this phase is to collect and analyze the physical evidence and reconstruct the actions that took place during the incident. 4. DIGITAL CRIME SCENE INVESTIGATION PHASE: The goal is to collect and analyze the digital evidence that was obtained from the physical investigation phase and through any other future means. It includes same process as physical evidence phase; however the main focus is to collect digital evidence. 5. REVIEW PHASE: This includes a review of the whole investigation and identifies areas of improvement. Disadvantage: The deployment phase of this model deals with the confirmation of the incidents. But in practice it is impossible to confirm the digital or computer crime before proper investigation. 4.4 Extended Model Of Cyber Crime Investigation (2004)[6] It was stated that the previous models were concentrated only to the processing of cyber crime evidences in cyber crime investigation. This model emphasizes on the management aspect of digital evidences. 4.5 Case – Relevance Information Investigation(2004)[7] The requirement of computer intelligence technology has been explained in this model it emerges as an assistant to the investigation procedures it is used to describe the degrees of case- applicability and to distinguish between the forensics and the computer security. 4.6 Digital Forensic Model Based On Malaysian Investigation Process (2009)[8] It was proposed by Perusal in 2009. It is defined that this model has been proved as an important phase to acquire static and dynamic data. This model emphasis more on delicate digital evidence. 4.7 The Systematic Digital Forensic Investigation Model (2011)[1] This was proposed by Ademu, Imafidon and Preston. This model helps the forensics practitioners, examiners to set accurate procedures techniques in a proper manner. Computer Science & Information Technology (CS & IT) 215 5. CONCLUSIONS In order to be revealed or accepted in the court, digital evidences must be precise and accurate and its integrity should not be spoiled by heedlessness. The process of digital forensics is to aid the digital forensic investigation and practitioners in reconstructing the evidences the association of digital forensics needs to form a guide line for the swift development of digital forensic procedure so that evidences can be easily elucidated, examined and processed. ACKNOWLEDGEMENTS We are grateful to Prof. M.P.S. Bhatia (Dean of Student Welfare, Netaji Subhas Institute of Technology), Dr. Vishal Bhatnagar (Associate Professor, Ambedkar Institute of Communication Technologies and Research), & Mr. Parbal Partab (Scientist, DRDO) for taking time to read carefully drafts of this paper and provide us with valuable comments. The authors are also grateful for thoughtful comments from reviewers who improved the content of the paper. The authors would like to thank everyone, just everyone! REFERENCES [1] Inikpi O.Ademu, Dr. Chris.O.Imafidon, Dr.David S. Preston (2011)“A new approach of digital forensic model for digital forensic investigation” vol 2, no. 12, 2011. [2] Kruse II, Warren and Jay, G. Heiser (2002) Computer Forensics: Incident Response Essentials.Addison-Wesley. [3] Carrier, B.Spafford, H.(2006),getting physical with digital forensics process vol. 2(2)available online: http://www.cerias.purdue.Edu/ homes/carrier/forensics accessed on 20 th September 2011. [4] National institute of Justice.(July 2001) Electronic Crime Scene Investigation A guide for first responders http://www.ncjrs.org/pdffiles1/nij/187736.pdf. [5] Reith, M.Carr.c.Gunsch, G. (2002) an examination of digital forensic model. Department of electrical and computer engineering Air force institute of technology.Wright-Patterson.available (online): http://www.utica.edu/academic/institutes/escii/ijde/articles.cfm?action accessed on the 7 th October 2011. [6] Ciardhuain, S.(2004) an extended model of cyber-crime investigation Accessed on 20 th October 2011 available (online): www.ijde.org/citeseerx.ist.psu.edu/view doc/download? doi=10.1.180......Accessed on 11th august 2011 [7] Ruibin, G.Gaertner, M.(2005)case-relevance information investigation process : binding computer intelligence to the current computer forensics frame work. Vol. 4(1) available (on line): http://www.utica.edu/academic/institutes/ecii/publications/article/B4A6A102-A93D- 85B195C575D5E35F3764.pdf Accessed 15 th September 2011. [8] Perumal,S.(2009) digital forensics model based on Malaysian investigation process vol. 9(8) available (on line): http://paper.ijcsns.org/o7_book/200908/20080805 pdf Accessed on 7th august 2011. 216 Computer Science & Information Technology (CS & IT) [9] Baryamureeba, V.Tushabe, F. (2004) The Enhanced digital investigation process (2004) Available (online):http//www.dfrws.org/2004/bios/day1/tushabeEIDIP.pdf Accessed on 15 th June 2011. Authors Gulshan Shrivastava, working as Assistant Professor in Dronacharya College of Engineering, Greater Noida (U.P.). He has obtained a degree of M.Tech. (Information Security) from Ambedkar Institute of Communication Technology and Research, New Delhi and MBA (IT) from Punjab Technical University, Jalandhar, Punjab after completing B.E. (Computer Science Engineering) from Hindu College of Engineering, Sonipat, Haryana. He has rich experience in teaching the classes of Graduate and Post- Graduate in India and Abroad. He is a Sun Certified Java Programmer (SCJP 5.0). He has been continuously imparting corporate training to the experienced professionals of multinational IT giants in the area of Java Programming & Information Security. He has participated in many National & International Workshop and Technical Fest. He has contributed to numerous International journal & conference publications in various areas of Computer Science. He published more than 10 Research Paper in International Journals and Conferences. He has also written an International book Titled as “Java Programming & Website Design” (ISBN 81-87201-25-8), which is published by Suhavi Publication, India. He is also holding position in editor team of various International Journals and magazines of high repute. He is member of The Society of Digital Information and Wireless Communications (SDIWC), Internet Society, Institute of Nanotechnology, Life Member, International Association of Engineers (IAENG), Life Member, International Association of Computer Science and Information Technology (IACSIT), Computer Science Teachers Association (CSTA), International Association of Online Engineering (IAOE). His area of interest includes Java Programming, Website Designing, Data Mining, Information Security and Forensic Investigation. Kavita Sharma, working as Assistant Professor in Dronacharya College of Engineering, Greater Noida (U.P.). She received the M.Tech. (Information Security) from Ambedkar Institute of Technology, New Delhi, India, Affiliated by G.G.S. Indraprastha University after completed her B.Tech. Degree in Information Technology from the I.M.S. Engineering College, Ghaziabad, India. She has published more than 9 research papers in International Journals and Conferences of high repute. She has also written an International book ISBN as “81-87201-25-8”, which is published by Suhavi Publication, India. She is also holding position in editorial team of various International Journals and magazines of high repute. She is member of The Society of Digital Information and Wireless Communications (SDIWC), Internet Society, Life Member, International Association of Engineers (IAENG), Life Member, International Association of Computer Science and Information Technology (IACSIT), Computer Science Teachers Association (CSTA), International Association of Online Engineering (IAOE). She has actively participated in different faculty development programs. She has participated in different National & International Workshop. Her area of interest includes Digital Forensic Investigation, Data Structure and Algorithm, Web Mining, Programming Language, Cryptography and Data Security. Akansha Dwivedi, pursuing Bachelor of Technology Degree in Information Technology from Dronacharya College of Engineering, Greater Noida, U.P. India, Affiliated by Gautam Buddh Technical University (GBTU). She has participated in different National Workshop. Her areas of interest include Computer Forensic Investigation, Ethical Hacking & Information Security etc. View publication statsView publication stats https://www.researchgate.net/publication/242524844 JISTEM - Journal of Information Systems and Technology Management Revista de Gestão da Tecnologia e Sistemas de Informação Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 ISSN online: 1807-1775 DOI: 10.4301/S1807-17752015000200003 ___________________________________________________________________________________________ Manuscript first received/Recebido em: 13/11/2013 Manuscript accepted/Aprovado em: 10/04/2015 Address for correspondence / Endereço para correspondência Khuram Mushtaque, Federal Urdu University of Arts, Science and Technology, University Rd, Karachi, Karachi, Paquistão E-mail [email protected] Kamran Ahsan, Federal Urdu University of Arts, Science and Technology, University Rd, Karachi, Karachi, Paquistão E-mail [email protected], Ahmer Umer, Mohammad Ali Jinnah University, Karachi, University Rd, Karachi, Paquistão E-mail [email protected] Published by/ Publicado por: TECSI FEA USP – 2015 All rights reserved. DIGITAL FORENSIC INVESTIGATION MODELS: AN EVOLUTION STUDY Khuram Mushtaque Kamran Ahsan Federal Urdu University of Arts, Science and Technology, Karachi, Paquistão , Ahmer Umer Mohammad Ali Jinnah University, Karachi, Paquistão ______________________________________________________________________________________________ ABSTRACT With increased use of technology in organizations and rapid changes in technology cyber forensic process is also advancing into new ways. In this context, organizations also need to align their technological infrastructure to meet the challenges in conducting successful process of forensic investigations to attain maximum and desired benefits of it. The objective of this article is to perceive the status of different I.T comprising organizations in terms of cyber crime and forensic investigation process and we take Pakistan as a case here. For this purpose, a questionnaire was designed to survey different organizations to find out that how effectively they have secured their technology infrastructure and how supportive this setup could be for any forensic firm to perform the forensic investigation in case of occurrence of any cyber crime. In the critical analysis, the main finding reckoned as flaw found in these organizations was that they don’t pay much importance to forensic investigation and because of this they don’t incorporate forensic supportive tools such as employees’ awareness training programs, clauses in hiring documents and acquiring the services of forensic firms as per requirement. This ignorance may lead organizations towards different types of losses in case of occurrence of cyber crime and if this situation is not addressed, forensic investigation process also could not be as accurate and successful as it has to be. Keywords: Cyber Forensic; Organizations; Forensic Models; Cyber Crime; Forensic Firms mailto:[email protected] mailto:[email protected] mailto:[email protected] 234 Mushtaque, K., Ahsan, K., Umer, A. JISTEM, Brazil Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 www.jistem.fea.usp.br 1. INTRODUCTION In current era, majority of large enterprises rely heavily over the usage of technology in operations and other segments of the business. With the increased reliance and usage of technology, the risk of cyber crime becomes also more serious in case of occurrence. To counter this risk, digital forensic investigation firms provide assistance in conducting the forensic analysis after occurrence of any cyber crime. With the passage of time, the forensic investigation process has also modified and distributed into different phases to make this investigation more effective. Every phase has its own impact over the process of investigation. (Sivaprasad & JangaJe, 2012): With the introduction of Information Technology in the business, every organization that comprises IT has started to take benefits of this technology. This is done by attaining the advantage over other competitors in the market, by providing new features to the customers after incorporating technology at the operational side specially, increasing the operational speed and reducing the probability for any error in operations. (Wen, 2012): IT also assists higher management in the process of decision making. (Morozini, Claudio, Ivam. & Reinaldo. 2012): As we all know that room for improvement and step towards the perfection is always available in every field of the world, similarly there are very few loop holes in the information technology becoming key part of the business industry of today. Besides the entire physical infrastructure like machinery, human resource, buildings etc associate with the organization, information has also come up as the one of the most important asset of any organization comprising information technology in their business not to just support the IT operations but also provide the platform to connect with other business associated partners as well. (Sladić, Milosavljević & Konjović, 2012): As the information technology relies heavily and works around the information, therefore it becomes tremendously important to protect the information by ensuring that no any unauthorized person can get the access and the integrity and confidentiality remains sustained. (Belabed, Aimeur, & Chikh, 2012): Ensure the timely availability of the information for associated operations and secure these operations from the different threats such e.g. Phishing are vital tasks for the technical persons for their organization. (Den & Warnier, 2013): While organizations investing towards launching, updating and securing the security of their technology associated infrastructure and operations, still, threat of cyber crimes remains alive and open which could not just exploit the Data breaches badly but also could cause ruining to their entire business or also might affect some or large extent. (Pérez 2013): The biggest threat of such type is the threat from the insiders and they keep seeking for the right opportunity to commit their cyber crime in order to achieve their illegitimate objectives. Therefore identification of threat becomes another crucial segment needs to be monitored and controlled. (Onome, Thereza & Formigoni, 2013): In order to deal with such criminals, along with annual external audit, many organizations have started acquiring the services of digital forensic firms. These digital forensic firms comprise with forensic experts and technical persons to provide their clients or organizations complete solution to their cyber crime affected scenarios. As these firms have no stack or association with any insider of organizations, therefore the investigations provided them remain trust worthy. Digital forensic investigation models: An evolution study 235 JISTEM, Brazil Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 www.jistem.fea.usp.br (Ma, Sun & Wang, 2011): Different models are followed by every forensic firm depending on the target organization and the type or intensity of the loss by committed cyber crime. These models are based on different phases containing different sets of steps in order to gather the valuable and effective evidences against the culprit of that crime which carry out limitation of time and legal constraints in linear course control and forensic administration to the entire forensic process. (http://en.wikipedia.org/wiki/Digital_forensics): Forensic firms also ensure that the evidences generated by them follow all the legal requirements of pertaining organization and also law of country so that these evidences could become admissible in the court of law as well if required to present over there. In current research, first we have described the different models of digital forensic investigations year by year and have explained all the phases of these models according to their sequence. This has exhibited the evolution of the digital forensic investigation around the world and its importance in the different types of business industry. The core objective of all the described models remains same. Apart from responsibilities and models used by digital forensic firms, we have also highlighted numerous addressable elements in different types of organizations of Pakistan in the context of enabling and helping out the firms to gather effective evidences as required. These elements if addressed properly could open more and more options for forensic firms to find better platform in the process of evidence collection available maximum in the crime scene. 2. FORENSIC MODELS (Ojo & Adebayo, 2011): Since the introduction of the discipline of Digital Forensic in the field of Information Technology especially in the corporate business industry, the persons associated with technology started their efforts in order to overcome the audit and research challenges associated with digital forensic of the organizations as much as possible. (Nnoli, Lindskog, Zavarsky, Aghili & Ruhl, 2012): It was due to their understanding towards the significance of this field in the governance of IT but also organizations started investing over it after identifying the intensity of effect it could leave over the business and the economy of organizations. Most enterprises are seen wasting their precious time, efforts and resources to implement digital forensic investigation because of their lacking in awareness towards corporate forensic. (Horsman, Laing & Vickers. 2012): The process of digital forensic investigations, as recommended by experts, must be conducted by its specialist persons who have totally unbiased approach to ensure trustworthiness over them and image against the organizations where the investigation will be performed. The remains a question mark over the internal person as forensic investigation performer and the evidences produced by internal process might not become as influential as this need to be in order to establish any culprit in the court of Law. Figure 1 exhibits the different models launched in different years with the objective to provide guidelines to the Digital forensic investigative firms. Every model is divided in different steps and these steps kept expending as the time progresses and with the increase and identification of importance of the process of digital forensic investigation. http://en.wikipedia.org/wiki/Digital_forensics 236 Mushtaque, K., Ahsan, K., Umer, A. JISTEM, Brazil Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 www.jistem.fea.usp.br 3. RESEARCH METHODOLOGY Research methodology used in this research is questionnaire based survey because by survey provides unbiased and different types of feedbacks. After gathering it useful analysis can be produced addressing particular topic of interest which could become significant for the future decision making in that specific field. For this research, a question based on 72 questions related to digital forensic was designed and distributed in 80 different types of large enterprises comprising I.T. The feedbacks provided us significant information about the status of the technological and other issues related to forensic investigation procedure in these organizations. This attained information was later on analyzed in different angels to perform the critical analysis and highlight the addressable elements in large enterprises in this regard. Evolution of Digital Forensic Investigation Models P h a se s 11. Results & review 9. Returning evidence 10. Presentation 8. Presentation 9. Analysis 7. Analysis 8. Examination 6. Examination 7. Evidence gathering 5. Collection 5. Review 6. Communication. 5. Shielding 4. Reporting 4. Preservation 4. Digital Crime Scene Investigation 4. Scene documentation 3. Analysis 3. Approach 3. Physical Crime Scene Investigation 3. Survey & recognition 2. Examination 2. Preparations 2. Deployment 2. Secure scene 1. Collection 1. Identification 1. Readiness 1. Preparation Figure 1: Forensic Models (Valjarevic & S.Venter, 2012): The first digital forensic model was introduced in 2001. The instigator of this project was Ashcroft who was associated with the U.S National Institute of Justice. This model contained investigation process of crime scene associated with the electronic field and it become a guideline for the responders who were very novice to it. Later on, this model was also utilized by the law enforcement and other agencies to secure and identify the digital evidences. 2001 2002 2003 2011 Digital forensic investigation models: An evolution study 237 JISTEM, Brazil Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 www.jistem.fea.usp.br The first (out of four) phase of this model is about the collection of the evidences after performing a thorough search process around the crime scene. Second phase contained the process of examination of which is to put together the evidences collected from previous phase as transparent and identify its source as well. Third phase is to perform the analysis of outcome of the phase of examination. After the analysis, last phase comprise reporting and drawing of outcomes of all previous phases and the information that was collected in entire process. However, the only constraint of this model is that it remains unclear and is not explained properly. Following the model of 2001, in 2002 Carr, Reith and Gunsch made an effort to further clarify the digital forensic investigation model by adding some more phases into this process. They incorporated the traditional approach of accumulating the evidences to simplify in this model. First phase of this model is to identify the occurred incident and its type and provide all the assistance to achieve the goal of this phase. Second phase is to get prepared regarding the methods and the procedures which will be used in remaining phases of this forensic model. It also guides about the preparation of different search warrants if required in order to gather the evidences. Third phase is to devise appropriate approaches and processes which will be adopted in the fifth phase of evidence gathering. Fourth phase of preservation is to preserve all the components and devices potentially containing the relevant evidences. After securing the evidence containing devices and components, fifth phase of collection is used to unify the procedures in order to record the physical scene. Sixth phase is to examine, which treats with the finding of the relevant suspect of the crime that was committed. Seventh phase is to analyze the importance of items on which the inspection has been performed. Presentation of the all phases that are involved in this model is the phase which comes at later stage after the analysis phase while last and ninth phase contains the process of returning the devices and sources of digital evidences to the real owner after accomplishment of the task of forensic investigation. The only flaw or room for improvement in this phase indentified is that the third phase is quite similar to the second phase to some degree. Third model of digital forensic investigation was introduced by Spafford and Carrier in 2003. This model was named as Integrated Digital Investigation Process and became another guideline for the forensic examiners in order to perform digital forensic investigation and gather the evidences. This model was again resized into five phases. The objective of first and initial phase named as readiness phase was to ensure that the actions and provided infrastructure are good enough to favor and assist the investigation process appropriately. Therefore this phase is used only to get ready for the remaining phases of investigation process. Second phase is of deployment, it supplies a system to the forensic examiners through which they could become capable to detect and incident and then certify it. Third phase is about the gathering and examining the physical evidences from the crime scene and go through the keen observation of the acts that where associated during the incident was occurring. Fourth phase is sequel to third phase, but it deals with the examining and gathering of digital evidences which were obtained by the 238 Mushtaque, K., Ahsan, K., Umer, A. JISTEM, Brazil Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 www.jistem.fea.usp.br physical crime scene investigation phase. The remaining process used in phase is similar to the third phase of this model. Fifth and final phase is to review the entire analysis that was performed during previous phases of digital forensic investigation process and then underline those areas where the room for improvement exists. The reason behind this model not being used mostly and not known as the best model for digital forensic investigation is that deployment phase of this model deals with the certification of the occurred incident, on the other hand practically it is impossible to endorse the digital crime earlier than appropriate investigation. (Khan, Kock & Memon, 2010): In 2004 a Ciardhuain proposed a model for digital forensic investigation which didn’t have detailed phases and proper guidelines therefore it could not get familiar and in utilization as the previous models. (Ademu, Imafidon & Preston, 2011):Similarly in 2005 Ruibin Yun and in 2009 Perusal proposed their models for investigation and evidences collection but had same lacking of unclear and detailed explanation of their process and also they didn’t categorized their models into separate phases. Therefore these models also couldn’t get the identification and credit as they needed to be. (Ankit Megha, Saurabh & Gupta. 2011): In 2011 Preston, Ademu and Imafidon proposed their model for investigation process which became the most recent guideline with utmost detailed description of phases and the distribution of the entire process into separate phases. This model was titled as systematic digital forensic investigation model (SRDHM) and it contained 11 phases to perform investigation process. First phase of this model was preparatory phase as it has to be in the initial stage of an investigation process. In this phase, the forensic examiner obtains the understanding that what type of the crime has been committed and what are the activities which were associated during occurrence of the crime. Then examiner plans about the material that was collected in order to pack the sources of evidences. Besides, examiner must also keep in mind about the different legal constraints and the target organizational limitations as well. In this phase, if required, examiner also attain the relevant and necessary search warrants, different authorizations from the higher management with their full support and dispatching of the legal notices to all the relevant segments or parties associated with the committed crime. Another vital function performed in this phase is to design a proper policy that will be adopted during the inquiry. Second important phase is to protect the crime scene in order to sustain the integrity of all the evidences and devices at the crime scene. These devices may come up as the main sources of evidences at any stage of investigation. For this, examiner makes sure that no any unauthorized person gets the access of these devices after the investigation process started. Quality of evidence is also decided in this phase. But the main theme of this phase is ensuring the integrity of the crime scene and its infrastructure. After performing first two phases successfully, an initial survey is conducted by examiner to the crime scene with the objective of identifying the sources of evidences and brings up an strategy to start looking for evidences. During the evaluation of electronic devices examiner may require aid from other experts as well in order to deal the crime scene. Interviewing the relevant persons after their identifications is another function of this phase performed preliminarily. Digital forensic investigation models: An evolution study 239 JISTEM, Brazil Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 www.jistem.fea.usp.br Significant and effective information gathering can be done by inquiring the different users, administrators or even from the owners of the devices which could produce key evidences for examination. After collecting and developing the evidences from this phase, examiner should also plan that how to analyze these evidences in the later stages of this process in different phases. Documentation of the entire scene is also another key phase of this model for investigation process. It includes the documenting of all the gathered data that is visible such as different snaps etc. This may help to review the entire process at any stage. All the logs and records about people’s entrance and exit from the crime scene also must be documented with the date and its time. In fifth phase of current model, examiner list downs the all possible communication ways of the associated devices and blocking these communication systems so that nobody could alter, modify, delete or overwrite the information after the process of examination starts. This might be done by isolating these devices completely with all other connected devices. Blocking Bluetooth and wireless services are two most common ways of communication that must be considered by the examiner in this phase. Sixth phase, which might be the most important phase of all, is to gather the evidences. This is the primary objective of entire investigation model and all phases of it. This phase requires keen consideration and attention to design a most effective system through which the desired and evidences can be gathered which later on could be presented in the court of law and get the status of admissible over there as well to establish the culprit. To collect volatile evidences from the devices especially from mobile devices need quick decision making as the data in ROM can be modified. Quick response is also needed if the battery of evidence source is low. In this case, image can be created of entire data existed on that device and then it can be dispatched to any other device to analyze easily and freely. For this sake, tools used in this process for image creation also must be best and swiftest. Another way is to replace the low battery with the newer one and then perform the examination and gathering of evidences without restraint. Second type evidences gathered is non volatile evidences. Such evidences more than often exist in the external media such as flash drives etc. Here again, examiner needs effective and appropriate tools for gathering the evidences from such storage medias. Different methods can be used to assure the integrity of the gathered evidences such as the method of write protect and hashing. Evidences, which were collected in the previous phase, need to be packed, transported and stored as properly in the electronic devices so that nobody could harm or modify them. This is done in this phase of the model. All necessary and universal techniques must be adopted in order to secure such electronic devices such as supply of the required temperature, saving it from the dust etc after the packaging process done. After the successful packaging and transportation of gathered evidences, in this phase, these evidences are examined by the expert forensic examiners. After this phase, the team of experts analyzes these evidences and defines the relationship between different segments of data, disclose the data that was hidden and provide the results of all phases of entire forensic model in the end. After the successful gathering of evidences and analyzes by the forensic experts, these evidences need to be presented in front of any authority such as the higher management of the targeted organization or in front of court of law. Therefore, these 240 Mushtaque, K., Ahsan, K., Umer, A. JISTEM, Brazil Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 www.jistem.fea.usp.br evidences must be presented in a form that clearly exhibits that the person highlighted as culprit is in real a culprit and all the presented evidences are supporting this claim as well. Reviewing the result is the final phase of this model. All the steps performed in the previous all phases are keenly reviewed and analyzed. Many lessons and room for improvement can come up after performing the review of all steps one by one. These lessons may help examiners to incorporate them in the next coming investigations in the future. 4. FINDINGS  In our findings of current research, we have highlighted the different important security elements that need to be addressed by enterprises of Pakistan as effectively and appropriately that it assists the digital forensic examination process towards collecting the evidences and establishing the actual culprit behind the committed cyber crime.  Every element highlighted here is equally importance as it possesses capability to provide evidence or hint or even provides the path the reach out the offender of cyber crime and then prove in the court of Law as legitimized matter. Large Enterprise Issues: Addressable Elements  Only 55\% of recipients are fully aware about the Domain of Cyber Forensics. It means that 45\% organizations have employed the I.T persons who are considered to be most responsible and considered as reliable I.T person don’t even know anything about the Domain of Cyber Forensics, it is really alarming situation and addressable too.  58\% organizations don’t have a formal, institutional plan that outlines Digital Forensics for the institution as a whole. It means that if any situation arises to conduct a Digital Forensic Investigations then the employees may deny any responsibility since this section is not addressed by the institutional plan at all.  50\% of the organizations may collapse by single incident in the absence of Cyber Forensic Policy and procedure. It shows the significance of this domain needs to be addressed at enterprise level and also reveals the flaws in the I.T security level in these organizations.  79\% of organizations don’t even acquire the service of cyber forensic firms.  46\% of organizations’ I.T operations section is being spoiled mostly affected by cyber crime.  51\% or organizations don’t conduct any awareness training programs for employees to educate them about cyber crime and forensics. It is quite shocking situation because if we don’t educate our employees to face any such situation or avoid or prevent it, then how may we expect that our security measure are up to the mark.  47\% enterprises don’t contain any clause addressing the cyber crime in their hiring terms and conditions document. It needs to be addressed to ensure the function of accountability against the employees.  73\% organizations don’t employ any tool to record the key strokes of client. It eliminates another effective element of collecting evidences therefore must be addressed. Digital forensic investigation models: An evolution study 241 JISTEM, Brazil Vol. 12, No. 2, May/Aug., 2015 pp. 233-244 www.jistem.fea.usp.br  28\% organizations don’t use cameras as per requirement of recording the physical activities. Physical evidences are often undeniable in the court of law therefore need to work on it as well to rectify it.  25\% companies store the recorded videos forever, while only 15\% perform it for 1 year. The requirement of these durations may vary organization to organization by considering its nature of business, but still this sector should be improved.  If the primary media of recorded videos is lost then backup of these videos becomes essential. 25\% organizations don’t opt to take backups of videos is not reckoned as fool proof scenario.  If we allow employees to use their blue-tooth service freely, especially in the financial institution like Banks which contain extremely confidential information of customers then it will be mentioned as a vulnerable part of I.T security as well. 57\% of organizations don’t restrict their employees or other to use blue-tooth inside the organization, which is highlight able matter.  33\% of organizations allow their employees to download freeware on their computers. This percentage is worry because freeware downloading may cause some security or monitoring tools troubles to record or collect the appropriate evidences.  28\% of enterprises don’t adopt any mechanism and monitor the downloading or installing new applications in the client systems. This ought to be addressed to …