Phases Of A Forensic Investigation

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Digital Forensics

Abstract

Today the increasing number of computers and electronic components has created a demand for digital forensics, which is applied in the specialized fields of law enforcement, computer security, and national defense. In the information technology era, information is stored digitally, since most institutions and organizations use computer storage media, in contrast to the paper used by writers, scholars, scientists, musicians, and public figures. This creates new challenges for the people concerned in accessing and preserving information, recovering data and maintaining trust. This paper reviews the currently available investigation processes, methodologies and the different tools used by forensic experts.

Keywords

Digital Forensic, Computer Forensic, Forensic Models, Computer Forensic Investigation, Digital Forensic Methods, Forensic Techniques, Forensic Tools

Introduction

Digital forensics is the branch of forensic science concerned with the recovery and investigation of material found in digital devices following a computer crime incident. The term was at first a synonym for computer forensics, but today it covers other areas of investigation, such as computers, databases, networks and mobile devices, all of which are capable of storing digital data.

With the advancement of many types of technology, devices and media, digital forensics has been divided into sub-branches according to the investigation required. The branches of digital forensics include computer forensics, mobile device forensics, network forensics, forensic data analysis and database forensics.

Computer forensics examines the digital media stored in computers for investigative purposes. Mobile forensics is the recovery of digital evidence from a mobile device. Network forensics obtains evidence related to network traffic, for information gathering or for collecting evidence of intrusions. Forensic data analysis investigates patterns of fraudulent activity using structured data. Finally, database forensics is the study of databases and their metadata, including their contents, log files and in-RAM data.

Computer forensic work usually involves three different sets of people, from law enforcement agencies, the military, and business and industry, with the intention of tracking down attackers/hackers and criminals who attack the security of systems and use computers for unauthorized activities. Computer forensics addresses issues of national and information security, corporate espionage, white-collar crime, child pornography, traditional crime, incident response, employee monitoring and privacy.

The rest of this paper covers investigation phases, methods, techniques and tools, and then concludes with a discussion of how this information helps the novice in computer, network and mobile forensics.

The phases of a forensic investigation

Many forensic investigation processes have been developed to date. The objective of this paper is to build a forensic investigation process or model from the phases common to the other models. A few of the existing models are listed below.

Computer Forensic Investigative Process (1984)

Abstract Digital Forensics Model (ADFM) (2002)

Enhanced Digital Investigation Process Model (EDIP) (2004)

Computer Forensics Field Triage Process Model (CFFTPM) (2006)

Scientific Crime Scene Investigation Model (2001)

Common Process Model for Incident and Computer Forensics (2007)

Network Forensic Generic Process Model (2010)

The generic investigation process proposed in this article, known as the Generic Computer Forensic Investigation Model (GCFIM), shares its common phases with the previously developed models. The figure below shows the proposed GCFIM.

[Figure: Generic Computer Forensic Investigation Model (GCFIM)]

Pre-Process is the first phase of the Generic Computer Forensic Investigation Model. The tasks in this phase are those that must be completed before the actual investigation and the collection of official data begin. They include obtaining the required approval from the relevant authority, preparing and setting up the tools to be used, etc.

Acquisition and Preservation is the second phase of the Generic Computer Forensic Investigation Model. The tasks in this phase are acquiring and collecting evidence in an acceptable manner, in which the relevant data is gathered using accepted methods and a variety of recovery techniques; identifying the digital components in the acquired evidence; and transporting, storing and preserving the data, which includes creating good-quality case management and ensuring an acceptable chain of custody. Overall, this is the phase in which all relevant data is captured, stored and presented for the next phase.
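One way to support the preservation and chain-of-custody tasks of this phase, given as an added example that is not part of the original essay: the evidence is hashed at acquisition and re-hashed at every hand-over, and each custody record is chained to the previous one so that later edits to the log are detectable. The use of SHA-256, the record layout and all names (sha256_stream, add_custody_entry, verify_custody_log, the sample handlers and timestamps) are assumptions made for illustration.

```python
import hashlib, io, json

GENESIS = "0" * 64  # prev_hash value for the first custody record

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash evidence in chunks so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def entry_hash_of(entry):
    """Hash a record's fields (excluding its own hash) as canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, timestamp, handler, action, evidence_sha256):
    """Append a custody record chained to the previous record's hash."""
    entry = {"seq": len(log), "timestamp": timestamp, "handler": handler,
             "action": action, "evidence_sha256": evidence_sha256,
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = entry_hash_of(entry)
    log.append(entry)

def verify_custody_log(log, acquisition_sha256):
    """Return (ok, reason): every link intact and the evidence hash unchanged."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, f"entry {i}: broken link"
        if entry["entry_hash"] != entry_hash_of(entry):
            return False, f"entry {i}: record altered"
        if entry["evidence_sha256"] != acquisition_sha256:
            return False, f"entry {i}: evidence hash mismatch"
        prev = entry["entry_hash"]
    return True, "ok"

def demo():
    # Constructed sample data: a stand-in for a disk image, re-hashed at each step.
    image = b"CONSTRUCTED-SAMPLE-DISK-IMAGE" * 1000
    acquired = sha256_stream(io.BytesIO(image))
    log = []
    for ts, who, action in [("2017-11-02T09:00:00Z", "examiner_a", "acquired"),
                            ("2017-11-02T11:30:00Z", "examiner_a", "transported"),
                            ("2017-11-03T08:15:00Z", "custodian_b", "stored")]:
        add_custody_entry(log, ts, who, action, sha256_stream(io.BytesIO(image)))
    return log, acquired

if __name__ == "__main__":
    print(verify_custody_log(*demo()))
```

A record edited after the fact fails its own hash check, and a record that is edited and re-hashed breaks the link from the record that follows it.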

Analysis is the third phase of the Generic Computer Forensic Investigation Model. It is the core of the forensic investigation process and the largest of the phases, with tasks such as evidence tracing and validation, recovery of hidden or encrypted data, data mining, timelines, etc. Different types of analysis are performed on the acquired data, using the appropriate tools and techniques, to identify the source of the crime and eventually discover the person responsible for it.

Presentation is the fourth phase of the Generic Computer Forensic Investigation Model. The findings from the analysis phase are documented and presented to the authority with expert testimony. The documentation also includes adequate and acceptable evidence, presented so that the party concerned can understand it easily. The final outcome of this phase is to either prove or disprove the alleged criminal acts.

Post-Process is the last phase of the Generic Computer Forensic Investigation Model. It concerns only the proper closing of the investigation work. Digital and physical evidence should be handed back to its authorized owner and kept in a secure place, if required. Last but not least, if any phase of the investigative process needs review, the review should be carried out to improve future investigations.


