Contenu connexe
Similaire à File000176 (20)
Plus de Desmond Devendran
Plus de Desmond Devendran (18)
File000176
- 2. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Forensics Framework
Provides Savings for Police
Source: http://www.npia.police.uk/
- 3. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
• What is Forensics Framework?
• Fundamental Principles in Digital Forensics Investigation Procedures
• FORZA Framework
• FORZA Framework Layers
• An Event-Based Digital Forensic Investigation Framework
• Digital Analysis Types
• Enhanced Digital Investigation Process Model
• Phases of Enhanced Digital Investigation Process Model
• An Extended Model of Cybercrime Investigations
• Activities in Cybercrime Investigations
• Computer Forensics Field Triage Process Model
• Computer Forensics Field Triage Process Model Phases
• Objectives-Based Framework for the Digital Investigations Process
• Proposed Digital Investigation Process
• Objectives-Based Framework Phases
This module will familiarize you with:
- 4. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Phases of Enhanced Digital
Investigation Process Model
Computer Forensics Field
Triage Process Model
Activities in Cybercrime
Investigations
Proposed Digital
Investigation Process
Objectives-Based Framework
for the Digital Investigations
Process
Computer Forensics Field
Triage Process Model
Phases
An Extended Model of
Cybercrime Investigations
Objectives-Based
Framework Phases
Fundamental Principles in
Digital Forensics
Investigation Procedures
What is Forensics
Framework?
Enhanced Digital
Investigation Process Model
FORZA Framework
Digital Analysis Types FORZA Framework Layers
An Event-Based Digital
Forensic Investigation
Framework
- 6. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
What is Forensics Framework?
Forensics framework is a digital forensics investigation procedure developed
by the personnel or by the particular organization
Many organizations developed their own framework, some focused on the
technology aspects in data acquisition and some focused on data analysis
portion of the investigation
- 7. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Fundamental Principle in Digital
Forensics Investigation Procedures
• Reconnaissance
• Reliability
• Relevancy
Fundamental principles:
Digital Forensics Investigation is a process to determine and relate the extracted
information and digital evidence to establish factual information for judicial
review
Digital forensics investigation have a core principle that enables the
practitioners to view the underlying concept across different digital forensics
investigation procedures
Digital
Forensics
Reconnaissance
ReliabilityRelevancy
- 8. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
FORZA Framework
FORZA framework depends on the participants in the organization
In a typical digital forensics investigation process, system owners, digital forensics
investigators, and legal practitioners are expected to be involved
FORZA framework participants:
• Case leader
• System/business owner
• Legal advisor
• Security/system architect/auditor
• Digital forensics specialist
• Digital forensics investigator/system administrator/operator
• Digital forensics analyst
• Legal prosecutor
Source: http://www.dfrws.org/
- 9. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Roles and Responsibilities of Participants in
Digital Forensics Investigation Procedures
• The case leader is the planner and orchestrator of the entire digital investigation
process
Case leader
• The system/business owner is the owner of the system being inspected
• He/she is usually the victim and sponsor of the case
System/business owner
• Legal advisor is the first legal practitioner the case leader would seek for legal advice
• He/she would advise the case leader whether it is applicable to proceed forward for
legal disputes
Legal advisor
• Case leader explores and understands more about the system and security design of the
system to be inspected from security/system architect
Security/system architect
- 10. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Roles and Responsibilities of Participants in Digital
Forensics Investigation Procedures (cont’d)
• Digital forensics specialists should reconsider all the inputs and requirements from
legal advice to plan the entire investigation strategy
Digital forensics specialist
• Digital forensics investigator collects, extracts, preserves and stores the digital
evidence from the systems
Digital forensics investigator/system administrator/operator
• Digital forensics analyst extracts relevant data, analyze them against the hypothetical
model proposed for investigation
Digital forensics analyst
• Legal prosecutor advise the case leader whether the collected evidence is sufficient,
relevant, admissible and favorable to which party
Legal prosecutor
- 11. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Process Flow in FORZA
Framework
Digital Forensics Specialists (Technical Preparation Layer)
Forensics Investigators/ System Administration/ Operator (Data Acquisition Layer)
Forensics Investigators/ Forensics Analysis (Data Analysis Layer)
Legal Prosecutor (Legal Presentation Layer)
Case Leader (Contextual
Investigation Layer)
System Owner (if any) (Contextual Layer)
Security/ System Architect/ Auditor (Conceptual Security Layer)
Legal Advisor (Legal Advisor Layer)
- 12. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
High-level View of FORZA
Framework
- 13. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
FORZA Framework Layers
• What (the data attributes)
• Why (the motivation)
• How (the procedures)
• Who (the people)
• Where (the location)
• When (the time)
FORZA Framework layers are interconnected to each
other through sets of six categories of questions namely:
• Contextual investigation layer
• Contextual layer
• Legal advisory layer
• Conceptual security layer
• Technical presentation layer
• Data acquisition layer
• Data analysis layer
• Legal presentation layer
FORZA Framework Layers are:
- 14. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Contextual Investigation Layer
Case leader (such as the law enforcement team for criminal investigation)
after receiving the report of the case would:
• Determine the motivation (Why) of the case
• Identify the involved parties (Who)
• Confirm the time of the incident (When)
• Verify the location of the case (Where)
• Determine the reported event nature (What)
• Plan the next step procedure (How)
- 15. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Contextual Layer
The case leader seek input from the system owner or his
representative
He/she would have to perform an interview with the system
owner and person who report the case to:
• Understand the business nature of the company and the business
objectives (Why) of the affected system
• Determine the business and event nature (What)
• Confirm business and system process model (How)
• Explore the business geography (Where)
• Determine the business and incident timeline (When)
• Understand organization and participants’ relationship (Who)
- 16. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Legal Advisory Layer
• The legal objectives (Why) of the case
• Legal background and preliminary issues (What) of the case
• Legal geography and jurisdiction (Where)
• Legal entities and participants (Who) of the case
• Legal timeframe (When) of the case
• Legal procedures for further investigation (How) of the case
After understanding the background case, the case leader should seek
legal adviser to determine:
- 17. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Conceptual Security Layer
• Explore the system/security control objectives (Why) that has
been implemented to protect against external attacks
• Understand the system’s information and security control model
(What)
• Collect the implemented security mechanisms details (How)
• Explore the security domain and network infrastructure (Where)
• Determine the user and security entity model (Who)
• Determine the security timing and sequencing (When)
The case leader would:
After seeking legal advice, the case leader would explore and understand the
design of the information system and the relevant security controls, from the
system owner recommended technical staff
- 18. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Technical Presentation Layer
Case leader could assign relevant digital forensics specialists to plan before
on-site investigation
The Digital Forensics Specialists should:
• Understand the objective and plan the relevant forensics investigation strategy
objectives (Why)
• Determine the forensics data model (What)
• Explore geography location within the forensics data model (Where)
• Draft the entity lists for the forensics entity model (Who)
• Propose a hypothetical forensics event timeline (When)
• Define the forensics strategy (How)
- 19. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Data Acquisition Layer
• Understand the Forensics Acquisition Objectives (Why) assigned by the
forensics specialists
• Perform on-site Forensics Data Observation (What)
• Interview participants and witnesses identified (Who)
• Perform Forensics Acquisition and Seizure Procedures (How)
• Perform site network forensics data acquisition (Where)
• Keep the forensics acquisition timeline and chain of custody (When)
The investigators should:
Based on the strategies and tasks outlined by the digital forensics specialists,
forensics investigators, system administrators, or operators could follow the
outline procedures strictly
- 20. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Data Analysis Layer
• Extract information that is critical for proving the case which
matches the forensics examination objectives (Why)
• Reconstruct the event data based on the extracted data (What)
• Extract network information (Where)
• Extract entity, accounts information, and rebuilding the
relationship linkage (Who)
• Analyze the extracted data based on forensics analysis procedures
(How)
• Reconstruct the event timeline (When) of the hacking activity
Digital forensics analysts would have to:
After collecting the necessary data being and transporting to the digital forensics
laboratory for further analysis and investigation, digital forensics analysts would have to
extract the relevant information and review them according to the hypothetical model
- 21. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Legal Presentation Layer
After extracting and analyzing the information collected from the victim,
together with the IP address information from the network service
providers, legal prosecutor has to discuss with the case leader and the
system owner on:
• Legal Presentation Objectives (Why)
• Legal Presentation Attributes (What)
• Legal Presentation Procedures (How)
• Legal Jurisdiction Location (Where)
• Entities in Litigation Procedures (Who)
• Timeline of entire event for Presentation (When)
- 22. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
An Event-Based Digital Forensic
Investigation Framework
- 23. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Event-based Framework
Event-based framework is used to develop hypotheses and answer questions
about an incident or crime
Hypotheses are developed by collecting objects that may have played a role in
an event that was related to the incident
Once the objects are collected as evidence, the investigator can develop
hypotheses about previous events at the crime scene
Source: http://www.digital-evidence.org/
- 24. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Analysis Types
A digital investigation may encounter many formats of digital data and
therefore several types of analysis exist
Common digital analysis types include:
• Media Analysis
• Media Management Analysis
• File System Analysis
• Application Analysis
• Network Analysis
• Operating System Analysis
• Executable Analysis
• Image Analysis
• Video Analysis
- 25. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Investigation Process
Model
This model is based on the phases that are documented for investigating
physical crime scenes
Readiness Phases
Presentation PhaseDeployment Phases
Physical Crime Scene
Investigation Phases
Digital Crime Scene
Investigation Phases
- 26. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Investigation Process
Model (cont’d)
Phase 1: Readiness Phases
• Readiness phase includes the operations readiness phase that trains the appropriate
people and tests the tools that will be used to investigate a system
Phase 2: Deployment Phases
• Deployment phase includes the detection and notification phase where the incident is
detected by the victim or another party and the investigators are alerted
• It also includes the confirmation and authorization phase where the investigators
receive authorization to conduct the investigation
Phase 3: Physical Crime Scene Investigation Phases
• Physical Crime Scene Investigation Phases include the search for physical evidence
and the reconstruction of physical events
- 27. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Investigation Process
Model (cont’d)
Phase 4: Digital Crime Scene Investigation Phases
• Digital Crime Scene Investigation Phases includes three sub phases:
• Digital crime scene preservation and documentation
• Digital Evidence searching and documentation phase
• Digital evidence reconstruction and documentation
Phase 5: Presentation Phase
• The result must be presented to either a corporate audience or a court of law
- 28. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Crime Scene Investigation
Phases
Sub phase 1: Digital crime scene preservation and documentation
• This phase occurs when the first responder arrives at the scene and assists the
wounded, detains suspects, and limits the amount of unofficial traffic in the area
• The crime scene is documented through video, photography, and sketches
System Preservation and
Documentation Phase
Evidence Searching and
Documentation Phase
Event Reconstruction and
Documentation Phase
Digital Crime Scene Investigation Phases
- 29. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Crime Scene Investigation
Phases (cont’d)
Sub phase 2: Digital evidence searching and documentation
- 30. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Crime Scene Investigation
Phases (cont’d)
Sub phase 3: Digital Event Reconstruction and Documentation
- 31. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
An Event-Based Digital
Forensic Investigation
Framework
FORZA Framework
Enhanced Digital Investigation
Process Model
Objectives-Based Framework
for the Digital Investigations
Process
An Extended Model of
Cybercrime Investigations
Computer Forensics Field
Triage Process Model
- 32. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Enhanced Digital Investigation
Process Model
Enhanced Digital Investigation Process Model is based on the Integrated Digital
Investigation Model
Phase of Integrated Digital Investigation Model(IDIP):
Readiness
Phases
Deployment
Phases
Physical Crime Scene
Investigation Phases
Digital Crime Scene
Investigation Phases
Review Phase
Source: http://www.dfrws.org/
- 33. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Physical Crime Scene Investigation
• Preserves the crime scene so that evidence can be later identified
and collected by personnel trained in digital evidence identification
Preservation phase:
• Identifies the pieces of physical evidence, determines the extent of
the search, identifies potential evidence
Survey phase:
• Takes photographs, sketches, and videos of the crime scene and the
physical evidence
Documentation phase:
• Performs in-depth search
Search and collection
phase:
• Transports identified electronic evidence to the digital
investigation team
Presentation phase:
Physical crime scene investigation includes five phases:
- 34. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Crime Scene Investigation
• Preserves the digital crime scene so that evidence can be later
synchronized and analyzed for further evidence
Preservation phase:
• Identifies and separates potentially useful data from the imaged
dataset
Survey phase:
• Performs in-depth analysis of the digital evidence
Search and collection
phase:
• Properly documents the digital evidence when it is foundDocumentation phase:
Digital crime scene investigation includes four phases:
- 35. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Phases of Enhanced Digital
Investigation Process Model
Readiness
Phases
Deployment
Phases
Traceback
Phases
Dynamite
Phases
Review
Phase
- 36. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Phases of Enhanced Digital
Investigation Process Model (cont’d)
Phase 1: Readiness phases:
• Readiness phases ensure that the operations and infrastructure are able to fully
support an investigation
• It includes two phases:
• Operations Readiness phase
• Infrastructure readiness phase
Phase 2: Deployment phases:
• The deployment phases provide a mechanism for an incident to be detected and
confirmed
• It consists of five phases:
• Detection and Notification phase
• Physical Crime Scene Investigation
• Digital crime scene investigation phase
• Confirmation phase
• Submission phase
- 37. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Phases of Enhanced Digital
Investigation Process Model (cont’d)
Phase 3: Traceback phases:
• Within these phases, the perpetrator’s physical crime scene of operation is tracked
down leading to identification of the devices that were used to perform the act
Phase 4: Dynamite phases:
• In these phases, analysis is performed on the items found from the crime scene to
obtain further evidence
• It includes the following phases:
• Physical crime scene investigation phase
• Digital crime scene investigation phase
• Reconstruction phase
• Communication phase
Phase 5: Review phase:
• The whole investigation is reviewed and areas of improvement identified
- 38. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
An Event-Based Digital
Forensic Investigation
Framework
FORZA Framework
Enhanced Digital Investigation
Process Model
Objectives-Based Framework
for the Digital Investigations
Process
An Extended Model of
Cybercrime Investigations
Computer Forensics Field
Triage Process Model
- 39. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Extended Model of
Cybercrime Investigations
An extended model of cybercrime investigations provides a common reference
framework for discussion and for the development of terminology
It provides a unified structure for case studies/lessons learned materials to be
shared among investigators, and for the development of standards,
conformance testing, and investigative best practices
Source: http://www.utica.edu/
- 40. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Extended Model of Cybercrime
Investigations
- 41. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Activities in Cybercrime
Investigations
• Awareness is typically created by events external to the organization
which will carry out the investigation
• It allows the relationship with the events requiring investigation to be
made clear
Awareness:
• Authorization is required to carry out the investigation
• It requires interaction with both external and internal entities to obtain
the necessary authorization
Authorization:
• The planning activity is strongly influenced by information from both
inside and outside the investigating organization
Planning:
- 42. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Activities in Cybercrime
Investigations (cont’d)
• Notification refers to informing the subject of an investigation or other concerned
parties that the investigation is taking place
Notification:
• This activity deals with locating the evidence and identifying what should be the next
activity
Search and identification of evidence:
• Collection is the activity in which the investigating organization takes possession of the
evidence in a form which can be preserved and analyzed
Collection of evidence:
• Transport evidence to a suitable location for later examination
• Transmission of data through networks
Transport of evidence:
- 43. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Activities in Cybercrime
Investigations (cont’d)
• The collected evidence needs to be stored because examination cannot
take place immediately
Storage:
• Examination of the evidence will involve the use of potentially large
number of techniques to find and interpret significant data
Examination:
• Based on the examination of the evidence, the investigators must
construct a hypothesis of what occurred
• The degree of formality of this hypothesis depends on the type of
investigation
Hypothesis:
- 44. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Activities in Cybercrime
Investigations (cont’d)
• The hypothesis must be presented to persons other than the investigators
Presentation:
• In general, the hypothesis will not go unchallenged; a contrary hypothesis
and supporting evidence will be placed before a jury
Proof/Defense:
• The final activity in the model is the dissemination of information from
the investigation
• Some information may be made available only within the investigating
organization, while other information may be more widely disseminated
Dissemination:
- 45. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
An Event-Based Digital
Forensic Investigation
Framework
FORZA Framework
Enhanced Digital Investigation
Process Model
Objectives-Based Framework
for the Digital Investigations
Process
An Extended Model of
Cybercrime Investigations
Computer Forensics Field
Triage Process Model
- 46. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Computer Forensics Field
Triage Process Model
The traditional cyber forensics approach of seizing a system(s)/media, transporting it to
the lab, making a forensic image(s), and then searching the entire system for potential
evidence, is no longer appropriate in some circumstances
In cases such as child abductions, pedophiles, missing or exploited persons, time is of the
essence
The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field
approach for providing the identification, analysis, and interpretation of digital evidence in
a short time frame, without the requirement of having to take the system(s)/media back to
the lab for an in-depth examination or acquiring a complete forensic image(s)
Source: http://www.digitalforensics-conference.org/
- 47. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Computer Forensics Field
Triage Process Model (cont’d)
The computer forensics field triage process model (CFFTPM) is defined as:
• Those investigative processes that are conducted within the first few hours of an
investigation and provide information used during the suspect interview and search
execution phase
The focus of the model is to:
• Find useable evidence immediately
• Identify victims at acute risk
• Guide the ongoing investigation
• Identify potential charges
• Accurately assess the offender’s danger to society
- 48. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Computer Forensics Field Triage
Process Model
Planning
Triage
User Usage
Profiles
Chronology
Timeline
Internet
Case Specific
Home Directory
File Properties
Registry
Browser Artifacts
Email
IM
At Scene
- 49. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Computer Forensics Field Triage
Process Model Phases
• Lead investigator will have a matrix that quantifies the various possibilities
of the crime scene, the suspect and the digital evidence, and qualifies the
expertise of the various investigators on the investigation team
• It is used to define what is known and what is not known thus aiding in
determining what is wanted to be known
Planning:
• A process in which things are ranked in terms of importance or priority
Triage:
- 50. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Computer Forensics Field Triage
Process Model Phases (cont’d)
Usage/User Profiles:
• When compelling evidence is found on the digital media, it is essential to
show a link between that evidence and a specific, identifiable suspect
• User profile is a collection of files, folders, registry keys, and file properties
that are exclusively associated with a unique user account
• Digital evidence is found by examining the:
• Home Directory
• File Properties (security)
• Registry
- 51. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Computer Forensics Field Triage
Process Model Phases (cont’d)
Chronology/Timeline:
• The chronological scope of the investigation can be defined by the case
intelligence
• For the CFFTPM, several quantifications should be examined by sorting
the files on their various MAC times within the chronological scope of the
investigation such as:
• Time periods of normal use by the suspect and other known users of the computer
or device
• Identification and analysis of software applications and data files used or accessed
during qualified times of interest
• Identification and analysis of recent shortcuts and stored information
- 52. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Computer Forensics Field Triage
Process Model Phases (cont’d)
Internet:
• An effective practice is for the computer forensic examiner to evaluate
what type of Internet activities they believe the suspect (or victim) was
involved in, and to evaluate if and how each of those activities relate to
the case
• Types of activities include:
• Web browsing
• E-mail
• Instant messaging
• Reading or posting to USENET newsgroups
• Trading files
- 53. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Computer Forensics Field Triage
Process Model Phases (cont’d)
• It is important for the computer forensic examiner to adjust the
focus of every examination to the specifics of that case
• A computer forensic examiner should be able to evaluate time
resources, utilize pre-raid intelligence, customize search goals,
and prioritize search goals
Case Specific Evidence:
- 54. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
An Event-Based Digital
Forensic Investigation
Framework
FORZA Framework
Enhanced Digital Investigation
Process Model
Objectives-Based Framework
for the Digital Investigations
Process
An Extended Model of
Cybercrime Investigations
Computer Forensics Field
Triage Process Model
- 55. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Objectives-based Framework
Objectives-based framework for the digital investigations
process is based on higher ordered (first tier) phases, more
definitive sub-phases (second tier), objectives, and framework
principles
Proposed phases and sub-phases are objectives-based which
are distinct, discrete steps in the process that are usually a
function of time, and suggest a necessarily sequential
approach
Phases and sub-phases are applicable to various layers of
abstraction and are used to analyze and translate data into
more manageable formats
Source: http://faculty.business.utsa.edu/
- 56. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Proposed Digital Investigation
Process
Single Tier Digital Investigations
Process Framework
Two-Tier Digital Investigations
Process Framework
- 57. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Objectives-Based Framework
Phases
• Preparation phase maximizes the availability and quality of digital
evidence when needed, while minimizing the associated organizational
and financial burden
• Preparation activities include:
• Develop information retention plan
• Develop evidence preservation and handling procedures
Preparation phase:
• Incident response phase consists of the detection and initial, pre-
investigation response to a suspected security incident
• The purpose of this phase is to detect, validate, assess, and determine a
response strategy for the suspected security incident
Incident response phase:
- 58. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Objectives-Based Framework
Phases (cont’d)
• The purpose of the data collection phase is to collect digital evidence in support of the
response strategy and investigative plan
• Data collection activities include:
• Complete live response data collection, which began during the Incident Response
Phase
• Obtain network-based and host-based evidence from applicable sources
Data collection phase:
• The purpose of the data analysis phase is confirmatory analysis (to confirm or refute
allegations of suspicious activity) and/or event reconstruction (answer “who, what,
where, when, why, and how” type questions)
• Data analysis activities include:
• Conduct initial data survey to recognize obvious pieces of digital evidence and assess
the skill level of the suspect(s)
• Examine, analyze, and event reconstruct the data to answer critical investigative
questions
Data analysis phase:
- 59. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Objectives-Based Framework
Phases (cont’d)
• The purpose of the presentation of findings phase is to communicate
relevant findings to a variety of audiences, including management, technical
personnel, legal personnel, and law enforcement
Presentation of findings phase:
• The incident closure phase includes the following steps:
• Conduct a critical review of the entire process and investigation to identify and apply
lessons learned
• Make and act upon decision(s) that result from the findings presentation phase
• Collect and preserve all information related to the incident
Incident closure phase:
- 60. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Summary
Forensics framework is a digital forensics investigation procedures developed by the
personnel or by the particular organization
FORZA framework layers are interconnected to each other through sets of six categories
of questions
Event-based framework is used to develop hypotheses and answers questions about an
incident or crime
An extended model of cybercrime investigations provides a common reference
framework for discussion and for the development of terminology
Objectives-Based Framework for the Digital Investigations Process is based on higher
ordered (first tier) phases, more definitive sub-phases (second tier), objectives, and
framework principles