After reading the required articles this week, please write a research paper that answers the following questions:
- What are mobile forensics and do you believe that they are different from computer forensics?
- What is the percentage of attacks on networks that come from mobile devices?
- What are challenges to mobile forensics?
- What are some mobile forensic tools?
- Should the analysis be different on iOS vs Android?
Your paper should meet the following requirements:
- Be approximately 4-6 pages in length, not including the required cover page and reference page.
- Follow APA7 guidelines. Your paper should include an introduction, a body with fully developed content, and a conclusion.
- Support your answers with the readings from the course and at least two scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. The school Library is a great place to find resources.
- Be clear and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing.
The Governance of Corporate Forensics using
COBIT, NIST and Increased Automated Forensic
ATB Financial, Edmonton T5J 1P1, Canada 2
Information Systems Security Management, Concordia University College of Alberta, Edmonton T5B 4E4, Canada
[email protected], {dale.lindskog, pavol.zavarsky, shaun.aghili, ron.ruhl}@concordia.ab.ca
Abstract—Today, the ability to investigate internal matters
such as policy violations, regulatory compliance, and employee
separation has become important in order for corporations to
manage risk. The degree of information security threats evolving
on a daily basis has increasingly raised concerns for enterprise
organizations. These threats include but are not limited to fraud,
insider threat and intellectual property (IP) theft. These have
increased the demand for organizations to implement corporate
forensics as a deterrent to illegitimate acts or for linking
perpetrators to their illegitimate acts. This explains why forensic
practices are expanding from the traditional role in law
enforcement and becoming an essential part of business
processes. However, most organizations may not be maximizing
the benefits of corporate forensic capabilities because of lack of
corporate forensic governance best practices, needed to ensure
organizations prepare their operating environment for digital
forensic investigation. Corporate forensic governance will help
ensure that digital evidence is obtained in an efficient and
effective way with minimal interruption to the business. This
paper presents a corporate forensic governance framework
intended to enhance forensic readiness, governance, and
management, and increase the use of automated forensic
techniques and in-house forensically sound practices in large
organizations that have a need for these practices.
Index Terms—corporate forensic governance; corporate
forensic readiness; increased automated forensic solutions;
digital forensic investigation; digital evidence
I. INTRODUCTION
Most organizations waste effort, time and resources in
carrying out forensic investigations due to lack of corporate
forensic preparedness [4]. Forensic readiness (preparedness)
can be defined as the process of being prepared (having the
right policies, procedures, people, techniques in place to
respond professionally and timely) before an incident occurs.
Rowlingson [4], in his paper, ‘A Ten Step Process for Forensic
Readiness’ described forensic readiness as the ability of an
organization to maximize its potential to use digital evidence
while minimizing the cost of an investigation. In his paper he
discussed practices that, when implemented before a digital
incident occurs, can help organizations to be ready to carry out
forensic investigations. However, forensic readiness is one part
of a comprehensive and well-structured corporate forensic
governance program.
Governance is the process of establishing and maintaining a
framework and supporting management structure and processes
to provide assurance that applicable strategies are aligned with
and support business objectives, and are consistent with
applicable laws and regulations through adherence to policies
and internal controls, and assignment of responsibility, all in
the effort to manage risk [22]. In most organizations when
incidents occur, the incident response team’s major concern is
to contain the incident and restore operations, paying less
attention to potential evidence. In most cases digital evidence is
contaminated, incomplete and untrustworthy, all of which
inhibits linking perpetrators to their illegitimate acts if a crime
is committed [2]. This is simply because of the lack of forensic
readiness which is part of a good corporate forensic governance
program. Grobler et al [5] stated, “all disciplines need some
form of policy, procedures, standards and guidelines hence
necessitating the proper facilitation of governance”. In their
paper, entitled ‘Managing digital evidence – The governance of
digital forensics’, they introduced a preliminary framework for
the governance of digital forensics.
According to COBIT [10], the principles of governance
best practices include strategic alignment, risk management,
value delivery, resource optimization, and continuous
performance evaluation. Board briefings on IT governance [22]
stated that, governance practices have been confirmed to yield
huge benefits in the field of information technology (IT) and
information security (IS) due to the establishment and adoption
of applicable frameworks like COBIT. “In other words, top
management of various organizations are realizing the
significant impact information technology and information
security can have on the success of their enterprise because of
governance of these fields” [22]. Such governance practices are
lacking in the field of digital forensics [5]. For various reasons
which will be highlighted later in this paper, there is a need for
effective and efficient governance practices for corporate
forensic programs to ensure that value, risk and resources are
optimized during forensic investigations. Most organizations
are still hesitant about in-house forensic readiness and capability
because they believe it involves complex processes; with a proper
best-practice framework for corporate forensic governance and
readiness, they will find that in-house forensic readiness can be
conducted in an efficient and effective way. In addition, the use of
innovative, user-friendly and increasingly automated corporate
forensic solutions (like
2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security,
Risk and Trust
978-0-7695-4848-7/12 $26.00 © 2012 IEEE
DOI 10.1109/SocialCom-PASSAT.2012.109
Authorized licensed use limited to: University of the Cumberlands. Downloaded on November 24,2022 at 15:12:44 UTC from IEEE Xplore. Restrictions apply.
Encase Enterprise) reduces the amount of resources (time,
effort and personnel) used for such practices. With the
existence of COBIT [10][11] and other IT and IS governance
frameworks, including research work like [1][2][3][4][5][8] it
is obvious that there is a governance gap in the field of
corporate forensics.
In this paper, a governance framework is presented, one
that will guide those large organizations who are in need of a
corporate forensic program on how best governance practices
can enhance corporate forensic readiness and in-house
forensically sound practices in an efficient and effective way.
This paper is organized into the following sections: Section II
argues the need for corporate forensic readiness and
governance; Section III explains best practice governance
principles; Section IV is a brief discussion of related work;
Section V is a description of the proposed framework; finally,
in Section VI we conclude and recommend future work.
II. CORPORATE FORENSIC READINESS AND GOVERNANCE
According to [8], litigation is a last option for most
organizations, because of concerns like negative publicity and
its negative impact to the business. Therefore, corporate
forensic readiness, governance and in-house forensic capability
will help organizations to be prepared to gather and use digital
evidence as a deterrent and for making firm conclusions during
internal investigations of non-criminal violations. The objective
of corporate forensic readiness is to ensure that digital evidence
is collected using sound forensic processes and in an effective
way with minimal interruption to the business. This evidence
can also be used for the organization’s interest and defense.
Although many organizations outsource forensic activities, it is
likely that most will prefer to perform them internally. The
reasons for this include privacy, confidentiality of
organizational and customer data, legal risk, delayed forensic
results from consultants and compliance with regulations like
Sarbanes Oxley, King 3 Report, the Basel Committee report on
banking supervision, and FIPS PUB 200. In addition, it is
costly to outsource forensic activities in those large
organizations that experience recurring digital incidents.
Regulations like FIPS PUB 200 (2002) mandated all federal
agencies in the United States to comply with the standard’s
Audit and Accountability section, which states that
“Organizations must:
1. Create, protect, and retain information system audit
records to the extent needed to enable the monitoring,
analysis, investigation, and reporting of unlawful,
unauthorized, or inappropriate information system
activity.
2. Ensure that the actions of individual information
system users can be uniquely traced to those users so
they can be held accountable for their actions” [12].
These considerations show that, in a great many cases,
there is a clear need for corporate forensic readiness
and in-house forensic capability.
Rowlingson [4] articulates ten steps toward corporate
forensic readiness:
1. “Define the business scenarios that require digital
evidence.
2. Identify available sources and different types of
potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability of securely gathering admissible
evidence to meet the requirement.
5. Establish a policy for secure storage and handling of
potential evidence.
6. Ensure monitoring is targeted to detect and deter major
incidents.
7. Specify circumstances when escalation to a full formal
investigation should be launched.
8. Train staff in incident awareness so that all those
involved understand their role in the digital process and
the legal sensitivities of evidence.
9. Document an evidence-based case describing the
incident and its impact.
10. Ensure legal review to facilitate action in response to the
incident”.
A good governance framework consists of both governance
and management processes [11]. Rowlingson’s work should be
incorporated into management processes and we therefore
refined and used it in the development of the management
processes (CFM domain) of our proposed corporate forensic
governance framework. More elaboration on the need for
corporate forensics can be found in [8].
A. The Relationship between IT Governance, IS Governance
and Corporate Forensics
It could be argued that corporate forensics falls, in some
respects, under IT governance and IS governance. However,
some important aspects of corporate forensics, like
jurisprudence (legal) and forensically sound processes are not
fully part of IT and IS governance [3]. According to ACPO
[30], forensically sound processes mean performing forensic
practices (collection, examination, analysis, documentation,
preservation of evidence and chain of custody) according to
applicable jurisdiction. It also means that forensic practices
should be conducted in such a way that if necessary an
independent third party is able to repeat the same processes and
obtain the same result. This shows that the preservation of the
integrity of evidence is very important during forensic
investigations. Corporate forensics (CF) and digital forensics
(DF) will be used interchangeably in this paper. Researchers
like Von Solms [3] and Grobler [5] explain the relationship
between digital forensics (DF), IS governance, IT governance
and corporate governance. Von Solms et al. state “that the
proactive mode of information security ensures all policies,
procedures, and technical mechanisms are in place to prevent
harm to the organization’s information; the reactive mode
ensures that if harm occur, it will be repaired (Business
continuity planning, Good backup and Disaster recovery
techniques are part of the reactive mode)” [3]. “The proactive
mode of digital forensics ensures all policies, procedure,
technical and automated mechanisms are in place to be able to
act when required; the reactive mode ensures that the necessary
actions can be performed to support specified analytical and
investigative techniques required by digital forensics” [3]. This
shows that some components of digital forensics, IS and IT
governance overlap and are related. Therefore, the best practice
governance principles used for effective IT and IS governance
can also be used for corporate forensic governance.
Fig. 1. Relationship between Corporate governance, IT governance, IS
governance and Digital forensic [3]
Figure 1 shows a holistic view of DF and its relationship
with corporate governance, IS governance and IT governance.
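The forensic soundness requirement described above (a process an independent third party can repeat with the same result, with the integrity of the evidence and its chain of custody preserved) can be checked mechanically. The following Python is an added illustration written for this edit; it is not code from the paper, from ACPO or from any forensic suite the paper names. The evidence bytes, custodian names and timestamps are constructed sample data, and the hash-linked custody log format is a hypothetical one chosen for the demonstration, not a published standard.

```python
"""Evidence integrity and chain-of-custody verification (added illustration).

Two properties of a forensically sound process are checked here:
  * repeatability: an independent examiner re-hashes the acquired item and
    must obtain the acquisition hash recorded by the first examiner;
  * integrity of the handling record: each custody entry is sealed with a
    hash and linked to the previous entry, so later edits, deletions or
    reordering are detectable.
All evidence bytes, names and timestamps below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

# Constructed stand-in for an acquired disk image (normally produced by an
# acquisition tool and far larger).
SAMPLE_IMAGE = b"\x00" * 64 + b"NTFS    " + b"\x01\x02\x03" * 20


def digest(data: bytes) -> str:
    """SHA-256 hex digest of an evidence item."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str         # ISO-8601 time of the action (constructed here)
    custodian: str         # person handling the item
    action: str            # e.g. acquired / stored / transferred / examined
    evidence_sha256: str   # hash of the item as handled at this step
    prev_entry_hash: str   # seal of the preceding entry, "" for the first
    entry_hash: str = ""   # seal of this entry, set by seal()

    def _body(self) -> bytes:
        # Canonical serialisation of every field except the seal itself.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True).encode()

    def seal(self) -> "CustodyEntry":
        self.entry_hash = digest(self._body())
        return self


class ChainOfCustody:
    """Hash-linked custody log for a single evidence item."""

    def __init__(self, evidence: bytes):
        self.acquisition_hash = digest(evidence)
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, custodian: str, action: str,
               evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(timestamp, custodian, action,
                             digest(evidence), prev).seal()
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return findings; an empty list means every entry is intact, the
        links are unbroken and every handled copy matched the acquisition."""
        findings: List[str] = []
        prev = ""
        for i, e in enumerate(self.entries):
            if digest(e._body()) != e.entry_hash:
                findings.append(f"entry {i}: contents altered after sealing")
            if e.prev_entry_hash != prev:
                findings.append(f"entry {i}: link to previous entry broken")
            if e.evidence_sha256 != self.acquisition_hash:
                findings.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = e.entry_hash
        return findings


def independent_reacquisition_matches(acquisition_hash: str, evidence: bytes) -> bool:
    """A third party repeats the hashing step; the result must be identical."""
    return digest(evidence) == acquisition_hash


def demo():
    """Clean handling, then a tampered copy presented at the examination step."""
    coc = ChainOfCustody(SAMPLE_IMAGE)
    coc.record("2012-09-03T09:00:00Z", "examiner_a", "acquired", SAMPLE_IMAGE)
    coc.record("2012-09-03T10:30:00Z", "evidence_clerk", "stored", SAMPLE_IMAGE)
    clean = coc.verify()
    repeatable = independent_reacquisition_matches(coc.acquisition_hash, SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[70] ^= 0xFF                      # one byte flipped in the copy
    coc.record("2012-09-04T08:00:00Z", "examiner_b", "examined", bytes(tampered))
    return clean, repeatable, coc.verify()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` reports no findings for the two clean handling steps, confirms that an independent re-hash reproduces the acquisition value, and then flags the examination step at which a copy with a single flipped byte was handled. Any later edit to a sealed entry's fields, or removal or reordering of entries, is likewise reported by `verify()`. In practice the acquisition hash would be produced by the acquisition tool and written on the custody form, and the timestamps would come from a trusted clock.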
III. BEST PRACTICE GOVERNANCE PRINCIPLES
According to best practices [10][11][22] governance
principles include strategic alignment with business objectives,
value delivery to the business, risk management, resource
optimization of available resources and continuous
performance evaluation.
A. Strategic Alignment
Good governance of corporate forensics (CF) will ensure
that the objectives of CF practices are aligned to the
organization’s goals. According to Board briefing on IT
governance [22], the cost effectiveness of a security program is
determined by how well it supports the organization’s
objective. Corporate forensic governance will also ensure that
corporate forensic objectives are defined in business terms and
all CF controls tracked to a specific business requirement. The
following will indicate alignment: a corporate forensic program
that enhances business activities; a corporate forensic program
that is responsive to defined business needs; corporate forensic
program and organization objectives that are defined and
clearly understood by relevant stakeholders; corporate forensic
program that is mapped to organizational goals and is validated
by senior management; a corporate forensic strategy and
steering committee made up of key executives to ensure
continuous alignment of corporate forensic objectives and
business goals.
B. Value Delivery
Good governance of corporate forensic practices will also
ensure that corporate forensic investments are optimized in
support of enterprise objectives. It also ensures that the
organization gets benefits from their corporate forensic
investments. Governance will ensure corporate forensic
investments are supporting business needs and adding expected
value. For instance, in a scenario where there is no governance,
there won’t be monitoring and evaluation to ensure that
corporate forensic investment is continuously supporting the
business in achieving some of its strategic needs. Therefore,
forensic investments may not add expected value to the
business, since there are no metrics to measure if value is
optimized. Corporate forensic governance increases the
likelihood of corporate forensic program’s success considering
the significant cost associated with corporate forensic practices.
Figure 2 shows some of the questions governance will ask to
ensure value is optimized.
Fig. 2. Val IT Framework 2.0, Value according to the Four ‘Are’s as
described in the information paradox [34]
C. Risk Management
For applicable IT related business risk to be mitigated using
corporate forensic practices, CF governance would help ensure
that corporate forensic practices are an integral part of
enterprise risk management program. CF governance will also
ensure that corporate forensic strategy and program will help
organizations achieve acceptable level of applicable IT related
business risk. A structure for risk assessment as defined by
NIST 800-30 is shown in figure 3 below. If corporate forensic
practices are part of enterprise risk management program,
potential evidence sources will be identified in a proactive
manner. Also, CF governance will ensure legal risk involved
during corporate forensic practices are fully identified,
communicated, mitigated and managed.
Fig. 3. NIST 800-30 Risk Assessment Methodology [32]
Furthermore, from the risk assessment methodology shown
in Figure 3, step 4 requires control analysis and selection. This
is where different controls are selected for all identified risks.
Different controls are weighed and analyzed based on their
strength and weaknesses and the best control to mitigate each
risk effectively is selected. All risks that could be best
mitigated with corporate forensic practices should be identified,
documented in a risk profile chart and rated to show their
potential value impact to the business. This is one of the
principles of good CF governance which will ensure that all
risk that could be mitigated with corporate forensic practices
are mitigated and optimized.
D. Resource Optimization
This principle of good corporate forensic governance deals
with planning, allocation and control of corporate forensic
resources which include people, processes and technologies
(increased automated forensic suites) towards adding value to
the business. CF resources need to be managed properly for their
effectiveness. Proper CF resource management will ensure that
corporate forensic practices are efficient, cost effective and
most importantly ensure corporate forensic is effectively
addressing applicable business needs.
E. Performance Evaluation
As the saying goes, “you cannot manage what
you cannot measure,” the governance of corporate forensic
practices will ensure measures are in place to monitor corporate
forensic processes and measure its performance. This will help
management to make informed decisions about the state of
corporate forensic program and ascertain if it is effective or
not. Methods like Maturity model, checklist and other tools
could be used. Some of the indicators of effective corporate
forensic program as observed from performance measurement
include: the time it takes to detect and uncover potential
security threats to the business; number of threats effectively
traced to their sources within minimal time interval without
interruption to the business; number of security breaches
reported (a lower number of reported breaches indicates that
the control is effective as a deterrent). The
performance measurement module of the governance
framework is represented in the corporate forensic evaluation
(CFE) domain of the proposed framework.
IV. RELATED WORK
Researchers like [4][6][7][8] have looked into some form of
forensic readiness while [2][8][9][21] have looked into some
form of proactive digital forensics which are considered part
but not a comprehensive representation of good governance
practices. They did not comprehensively address the
establishment of a good governance framework and major
governance processes for corporate forensics practices which
will obviously make their work more effective. In other words,
they did not address in detail how corporate forensic practices
could be enhanced using governance best practices. Lack of CF
governance practices might explain why management sees
digital forensics as an abstract and highly technical field and
has very little interest in leveraging its benefits to achieve
some of their corporate goals. Good governance referred to in
the beginning of this section means getting senior management
involved in an interactive manner by using globally adopted
common business languages in a governance framework for
forensic practices; management taking ownership of forensic
program by assuming responsibility and accountability (RACI
Chart) of forensic processes; use of increased automated
forensic suites with generation of user friendly executive
reports, remote forensics and automated processes; use of
forensic practices to minimize high IT related business risk. All
these enhancements are expected to help organizations
maximize the benefits of forensic practices in an efficient and
effective way. Discussing proactive or corporate forensic
readiness by [2][4][6][7][8][9][21] without the establishment of
a governance structure, framework and obtaining management
support will result in the corporate forensic readiness program
not being fully effective and efficient.
Furthermore, at the time this paper was written, only one
researcher, Grobler et al [5], to the best of our knowledge, had
researched the governance of digital forensics. Their paper
was a preliminary framework in the form of an outline for the
governance of digital forensics. The scope of the paper did not
comprehensively address how globally accepted governance
best practices [10][11][22] can be used to enhance a corporate
forensic program in enterprise organizations.
V. DESCRIPTION OF THE PROPOSED FRAMEWORK
According to best practice [11] a governance framework
should consist of two major processes: the governance and
management processes. The governance processes involve
direction in strategic alignment, risk management, resource
optimization, value delivery and performance evaluation. The
governance field directs the management field and ensures
management processes are achieving their goals. The
management field is responsible for executing and
implementing directions from the governance field. The
management processes involve specialized and operational
processes which governance uses to achieve its tactical and
operational goals. The management section performs more
hands-on tasks than the governance section. The proposed
framework was developed with this principle. The framework
was categorized into three domains namely Corporate Forensic
Governance ((CFG) governance processes), Corporate Forensic
Management ((CFM) management processes) and Corporate
Forensic Evaluation (CFE). The third domain CFE maintains a
life cycle model for the framework by evaluating, monitoring
and continually improving forensic processes through lessons
learned and evaluation using a maturity model. Figure 4 shows
the corporate forensic governance framework lifecycle.
Fig. 4. The three major domains of the proposed corporate forensic
governance framework lifecycle
The proposed corporate forensic governance framework
was developed with the common languages and best practices
used in related governance models.
A. Corporate Forensic Governance (CFG)
Corporate Forensic Governance was developed with the
major principles of best governance practices as recommended
by COBIT [10][11] and Board briefing on IT governance [22],
which includes strategic alignment, risk management, resource
optimization, and value delivery. These principles represent
control objectives CFG 1 to CFG 4 of the corporate forensic
governance domain. Detailed control practices were developed
under each of these control objectives.
B. Corporate Forensic Management (CFM)
The second domain Corporate Forensic Management
(CFM) contains functions classified as management functions
in the framework. This domain was developed from best
practices, Rowlingson’s work [4] and all other literature
reviewed in the reference section. The control objectives in
this domain (CFM 1 to CFM 10) include: manage legal and
ethical requirements; define policies; define procedures;
manage education, training and awareness; perform pro-active
evidence identification; collect evidence; examine and analyze
evidence; manage evidence; manage third party; document,
report and present evidence. Detailed control practices were
developed under each of these control objectives.
C. Corporate Forensic Evaluation (CFE)
The third domain Corporate Forensic Evaluation (CFE)
contains processes to evaluate (maturity model), monitor,
assess and improve (with lessons learned and feedback) forensic
practices to ensure the objective of the framework is
continuously achieved. The objective of the framework
includes performing corporate forensic activities in an efficient
and effective way, with minimal disruption to the business;
collecting evidence in a forensically sound way and reduction
of applicable potential IT related risk to the business. This
domain was developed from process assessment best practices
from all the literature reviewed. Detailed control practices
were developed under each of the control objectives (CFE 1 to
CFE 3) for this domain.
D. Corporate Forensic Governance Structure
Figure 5 shows a high level hypothetical corporate forensic
governance structure. Other Assurance functions like HR,
Internal Audit, Privacy, Value Management office, Legal etc
are part of the corporate forensic strategy and steering
committee. To establish effective CF governance program, the
first step is to establish a governance structure that will oversee
the governance of corporate forensics program. This is one of
the requirements of good governance. According to several
regulations and best practices [11][22], senior management is
ultimately responsible for good governance and to exercise due
care in performing tasks involving all specialized disciplines.
Corporate forensics, Information technology and Information
Security are examples of those specialized disciplines in a
corporate environment. Therefore the overall accountability of
good governance is the responsibility of the board of directors.
The Board or the CEO should set up a steering and strategy
committee to oversee its corporate forensic responsibilities and
report back to them since they have many commitments. This
responsibility could also be taken by the CIO depending on
how large the organization is or the business environment of
the organization. Therefore, this is just a hypothetical structure;
organizations can set up their governance structure as it suits
their business environment. For instance, if an organization is
experiencing various insider frauds and other negative publicity
due to security breaches, the Board of directors will be
interested in knowing the most effective mitigation strategy to
mitigate that risk. This will increase the organization’s interest
in implementing a corporate forensic program which the CEO
or board might want to oversee.
Fig. 5. A hypothetical corporate forensic governance structure
Each member of the governance and management teams in
the proposed framework has assigned roles and responsibilities
similar to those seen in [22]. They are either responsible,
accountable, consulted and/or informed on each of the
governance, management and evaluation processes of the
corporate forensic governance framework. This is achieved
using the RACI chart which means who is Responsible,
Accountable, Consulted and/or Informed. Table I briefly
explains the RACI chart.
E. Corporate Forensic Governance Framework
The framework consists of 3 domains (CFG, CFM & CFE),
17 high level control objectives (CFG1-CFG4, CFM1-CFM10,
CFE1-CFE3) and 119 detailed control practices. The control
practices and RACI assignment of roles and responsibilities
can be adjusted to suit each organization’s needs and business
environment. In other words some of the control practices
might not be applicable in some organizations depending on
how they are structured and what their business environment is
like.
TABLE I. THE RACI CHART
R means Responsible: Those responsible for performing the task or ensuring the task is done
A means Accountable: The person who must approve or sign off before the process is effective, or the person accountable for the success of the process
C means Consulted: Those who provide input needed to complete the task
I means Informed: Those who are regularly updated on the outcome of decisions, processes and actions taken
In addition, some of these controls may already have been
implemented in some organizations (perhaps for information
security); in such cases they need to be enhanced to
accommodate forensic practices. During implementation of the
framework CFG1 – CFG4 will be implemented first before
CFM1 – CFM10 and then CFE1 – CFE3. RACI chart was used
in assigning roles and responsibilities to the governance and
management team according to best practices [10][22]. Refer to
Section V for more explanation on the structure of the
proposed framework. Brief explanation of the scope and
control objectives of the proposed framework is shown in
Table II.
The scope of the proposed corporate forensic governance
framework is based on the use of increased automated forensic
suites like Encase Enterprise for forensic practices. These
increased automated suites are known for increased automation
and provision of ease of use approach towards performing
forensic practices. However, a forensic expert is needed in the
forensic team for effective and efficient use of these automated
suites to achieve applicable organizational goals. The
framework was designed for global use and in a high level
format with general requirements for performing forensic
practices using automated forensic suites. A brief explanation of
the control objectives is given below.
TABLE II. EXPLANATION OF THE SCOPE AND CONTROL OBJECTIVES FOR THE PROPOSED FRAMEWORK
Control objective: Brief explanation of the control in the proposed framework

CFG1 Strategic alignment: This control ensures that clear goals and objectives of a corporate forensic program are defined and that these defined goals and objectives are strategically aligned to enterprise goals and objectives. In other words, this control ensures that the corporate forensic program is helping the organization achieve some of its goals and objectives.

CFG2 Ensure risk is optimized with CF implementation: This control ensures that business risks which can be mitigated with corporate forensics are identified and mitigated. To achieve this, a corporate forensic program should be part of the enterprise risk management program, to ensure CF is effectively used as a mitigation control in managing applicable IT-related business threats and risks such as insider threat, fraud, IP theft, staff sabotage, etc.

CFG3 Ensure resources are optimized with CF implementation: Due to the significant cost involved in establishing a CF program, this control ensures that CF resources are managed properly and optimized efficiently. It also ensures that CF resource management is aligned with enterprise resource management for efficient utilization of budget and organization finances.

CFG4 Ensure value is optimized with CF implementation: This control ensures that the CF program is adding the expected value to the business. It also ensures that forensic investments are monitored and their value documented, to determine whether the program is helping the business achieve some of its goals and objectives.

CFM1 Manage legal and ethical requirements: This control ensures that digital evidence is obtained in accordance with applicable law, regulation and standards for digital evidence acquisition.

CFM2 Define policies: Grobler et al. stated that “policies are the building blocks for management to provide a framework to manage DF in an organization” [2]. This control ensures that the necessary policies required for a CF program are established and managed.

CFM3 Define procedures: This control ensures that procedures for a CF program are established and are based on standards like ACPO [30].

CFM4 Manage education, training and awareness: This control ensures that awareness of the CF program is created in the organization. It also ensures that forensic resources are reputable and that forensic personnel have the relevant skills to perform CF tasks.

CFM5 Perform pro-active evidence identification: This control ensures that digital evidence is identified in a proactive manner by analysis and assessment of enterprise resources that might be potential evidence sources. This is based on the enterprise risk assessment.

CFM6 Collect evidence: This control ensures that evidence is collected in a forensically sound manner using automated forensic suites.

CFM7 Examine and analyze evidence: This control ensures that evidence is examined and analyzed in a forensically sound manner using automated forensic suites.

CFM8 Manage evidence (chain of custody): This control ensures that evidence is managed and secured, and that the chain of custody is monitored and managed, so that the integrity of the evidence is maintained.

CFM9 Manage third party: This control ensures that third-party forensic consultants are managed in order not to introduce new business risk to the organization when outsourcing forensic practices.

CFM10 Documentation, reporting and presentation: This control ensures that forensic processes are documented in such a way that an independent forensic examiner can repeat the same process and obtain the same result. It also ensures that digital evidence is presented in the right format to the applicable audience.

CFE1 Monitor and evaluate forensic process compliance with regulation: This control ensures that all forensic processes conform to the regulation and legal requirements for obtaining forensically sound digital evidence in each applicable jurisdiction.

CFE2 Monitor, evaluate and report forensic process performance and conformance: This control ensures that all forensic practices are monitored and evaluated, using a maturity model and checklist, to ensure that the controls are effectively achieving their objectives.

CFE3 Continuously improve corporate forensic processes: Without proper monitoring and evaluation of CF practices, it is difficult to improve CF practices or make the CF program effective. This control ensures that CF practices are continuously improved using lessons learned and a maturity model, to make the CF program more effective in mitigating applicable business risk.
Authorized licensed use limited to: University of the Cumberlands. Downloaded on November 24,2022 at 15:12:44 UTC from IEEE Xplore. Restrictions apply.
Table III below shows the proposed corporate forensic
governance framework at a high level with only the control
objectives. The full table with its control practices will be
available for download at infosec.concordia.ab.ca after the
conference.
TABLE III. THE PROPOSED CORPORATE FORENSIC GOVERNANCE FRAMEWORK
Columns (roles), left to right: Board; CEO; CFO; COO; CIO; Corporate Forensic Strategy & Steering Committee; Chief Risk Officer; Chief Information Security Officer; HR; Internal Audit; Compliance; Business Process Owners; Value Management Office; Forensic Specialist(s); Privacy Officer; General Counsel/Legal.
Rows: domain, control objective, and the RACI assignment per role (R = Responsible, A = Accountable, C = Consulted, I = Informed). Blank cells were not preserved, so rows with fewer than sixteen entries cannot be aligned to the columns.

Domain CFG
CFG1 Strategic alignment: C C C C R A C R C C R C R C C
CFG2 Ensure risk is optimized with CF implementation: C R C R R R A R C R R C I R R R
CFG3 Ensure resources are optimized with CF implementation: I C C C A R I R C I I C C R C C
CFG4 Ensure value is optimized with CF implementation: C R R R R A C R I C C C R R C C

Domain CFM
CFM1 Manage legal requirements: I C I C C C C R I I C C I R C A/R
CFM2 Define policies: C A C C R R C R C C C C C R C C
CFM3 Define procedures: C C I A/R I C C C I R C C
CFM4 Manage education, training and awareness: I I I I A/R R C C C R C C
CFM5 Perform pro-active evidence identification: I I I C A/R C I C C C R C C
CFM6 Collect evidence: I I I C A I I C C I R C C
CFM7 Examine and analyze evidence: I I I A C C C R C
CFM8 Manage evidence (chain of custody): I I I C R C C R A
CFM9 Manage third party: C C C I C R I C C C C R C A
CFM10 Documentation, Reporting and Presentation: I I I I I I I A I I I R I C

Domain CFE
CFE1 Monitor and evaluate forensic process compliance with regulation: I I R R C R C C C I R C A
CFE2 Monitor, evaluate and report forensic process performance and conformance: I I A R C R I C C C I R C C
CFE3 Continuously improve corporate forensic processes: I I I A R C R I C C C I R C C
F. Corporate Forensic Governance Flow Diagram
This section summarizes the flow of processes described in
the corporate forensic governance framework. The flow
diagram shows the processes from the establishment of a
corporate forensic governance structure to the evaluation of
corporate forensic processes and the improvements applied to
ensure that the goal of the program is constantly being achieved.
The flow diagram can be seen in the full paper and will be
available for download at infosec.concordia.ab.ca after the
conference.
VI. CONCLUSION AND FUTURE WORK
This paper provided best practices for corporate forensic
governance and management that will help empower
organizations with efficient and effective corporate forensic
readiness and an in-house forensic capability using automated
forensic techniques. It also showed how governance best
practices can ensure that organizations get benefits from forensic
investments. In addition, it showed how the implementation of
enterprise automated forensic suites can detect, deter and
reduce high-profile business threats like insider threat, fraud
and intellectual property theft, since all employees are aware
that illegitimate acts can be linked to their perpetrators.
Therefore, compliance with regulations like FIPS PUB 200 will
be effectively established in such applicable organizations.
Furthermore, the developed framework will enhance the way
organizations perform forensic practices by reducing the rate of
unsuccessful investigations and by making effective use of resources
(time, cost and personnel) during forensic investigations. Also,
the forensic governance framework uses common and business
language that management understands, with roles and
responsibilities assigned using a RACI chart. This will increase
the effectiveness of the program, since accountability and
responsibility for each corporate forensic process are properly
defined.
For future work, since the framework was developed for
global usage in a high-level structure, the CFM domain section
of the framework can be narrowed down to a specific
jurisdiction (continent) with the development of more
comprehensive step-by-step details of all forensically sound
processes, considering the legal requirements for collecting
evidence applicable to the chosen jurisdiction. Also, the
framework can be tested and evaluated in a real organization,
with analysis of the test results documented.
ACKNOWLEDGMENT
The authors are thankful to the Faculty of Graduate Studies
at Concordia University College of Alberta for providing
resources used in the accomplishment of this research. Special
thanks go to Amer Aljaedi for his advice and discussions.
REFERENCES
[1] C. Grobler and C. Louwrens, “Digital evidence management plan,” Proc. IEEE Information Security for South Africa (ISSA), South Africa, August 2-4, 2010, pp. 1-6.
[2] C. Grobler, C. Louwrens and S. Von Solms, “A framework to guide the implementation of proactive digital forensics in organizations,” Proc. IEEE ARES ’10, Krakow, Poland, February 15-18, 2010, pp. 677-682.
[3] S. Von Solms and C. Louwrens, “The relationship between digital forensics, corporate governance, IT governance and IS governance,” in Digital Crime and Forensic Science in Cyberspace, PA: Idea, 2006, pp. 243-265.
[4] R. Rowlingson, “A ten step process for forensic readiness,” International Journal of Digital Evidence, 2004, Available: http://ijde.org
[5] M. Grobler and I. Dlamini, “Managing digital evidence: the governance of digital forensics,” Journal of Contemporary Management, 2010, Available: http://www.researchspace.csir.co.za
[6] S. Von Solms, C. Louwrens, C. Reekie and T. Grobler, “A control framework for digital forensics,” International Federation for Information Processing, 2006, vol. 222, pp. 343-355.
[7] C. Grobler and C. Louwrens, “Digital forensic readiness as a component of information security best practice,” International Federation for Information Processing, 2007, vol. 233, pp. 13-24.
[8] G. Pangalos, C. Ilioudis and I. Pagkalos, “The importance of corporate forensic readiness in the information security framework,” Proc. IEEE WETICE ’10, Krakow, Poland, June 28-30, 2010, pp. 12-16.
[9] M. Kohn, J. Eloff and M. Oliver, “Framework for a digital forensic investigation,” unpublished paper.
[10] Information Systems Audit and Control Association (ISACA), “COBIT 4.1,” 2007, Available: http://www.isaca.org
[11] Information Systems Audit and Control Association (ISACA), “COBIT 5.0,” 2011, Available: http://www.isaca.org
[12] FIPS PUB 200, “Minimum Security Requirements for Federal Information and Information Systems,” 2006.
[13] FIPS PUB 199, “Standards for Security Categorization of Federal Information and Information Systems,” 2002.
[14] Y. Shin, “New digital forensic investigation procedure model,” Proc. NCM ’08, 2008, vol. 1, pp. 528-531.
[15] C. Shields, “Towards proactive forensic evidentiary collection,” Proc. HICSS ’10, 2010, pp. 1-9.
[16] C. Walker, “Computer forensics: bringing the evidence to court,” unpublished paper, 2010, Available: http://www.infosecwriters.com
[17] K. Nance, B. Hay and M. Bishop, “Digital forensics: defining a research agenda,” Proc. HICSS ’09, 2009, pp. 1-6.
[18] D. Barske, A. Stander and J. Jordan, “A digital forensic readiness framework for South African SMEs,” Proc. ISSA, 2010, pp. 1-6.
[19] CSI report, “Computer crime and security survey 2010/2011,” Available: http://www.gocsi.com/survey
[20] G. Mohay, “Technical challenges and directions for digital forensics,” Proc. SADFE, 2005, pp. 155-161.
[21] C. Grobler, C. Louwrens and S. Von Solms, “A multi-component view of digital forensics,” Proc. ARES 2010, pp. 647-652.
[22] ISACA, “Board briefing on IT governance,” 2003, Available: http://www.isaca.org
[23] B. Endicott and D. Frincke, “Embedding forensic capabilities into networks: addressing inefficiencies in digital forensic investigations,” Proc. IAW 2006, pp. 133-139.
[24] “The practitioner’s guide to legal issues related to digital investigations and electronic discovery,” EnCase Legal Journal, 2011, Available: http://www.guidancesoftware.com/
[25] Guidance Software, “The seven best practices of highly effective eDiscovery practitioners,” 2010, Available: http://www.guidancesoftware.com/
[26] ACFE, “Report to the nations on occupational fraud and abuse,” 2010/2011, Available: http://www.acfe.com/rttn.aspx
[27] NIST SP 800-86, “Guide to integrating forensic techniques into incident response,” 2006, Available: http://www.nist.gov
[28] ISO/IEC FDIS 27001, “Information security management systems requirements,” 2005, Available: http://www.iso.org
[29] ISO/IEC FDIS 27037, “Guideline for identification, collection, acquisition and preservation of digital evidence,” 2005, Available: http://www.iso.org
[30] ACPO, Association of Chief Police Officers, Available: http://www.acpo.police.uk
[31] NIST SP 800-92, “Guide to computer security log management,” 2006, Available: http://www.nist.gov
[32] NIST SP 800-30, “Risk management guide for information technology systems,” Rev. 1, 2010, Available: http://www.nist.gov
[33] ISACA, “The Risk IT practitioner guide,” 2009, Available: http://www.isaca.org
[34] ITGI, “The Val IT framework 2.0,” 2008, Available: http://www.isaca.org
Next-Generation Digital Forensics: Challenges and
Future Paradigms
Reza Montasari
Department of Computing and Engineering
The University of Huddersfield
Huddersfield, U.K.
[email protected]
Richard Hill
Department of Computing and Engineering
The University of Huddersfield
Huddersfield, U.K.
[email protected]
Abstract— In recent years, Information and Communications
Technology (ICT) has rapidly advanced, bringing numerous benefits
to the lives of many individuals and organisations. Technologies such
as Internet of Things (IoT) solutions, Cloud-Based Services (CBSs),
Cyber-Physical Systems (CPSs) and mobile devices have brought
many benefits to technologically-advanced societies. As a result,
commercial transactions and governmental services have rapidly
grown, revolutionising the lifestyles of many individuals living in
these societies. While technological advancements undoubtedly
present many advantages, at the same time they pose new security
threats. As a result, the number of cases that necessitate Digital
Forensic Investigations (DFIs) is on the rise, culminating in the
creation of a backlog of cases for law enforcement agencies (LEAs)
worldwide. Therefore, it is of paramount importance that new research
approaches be adopted to deal with these security threats. To this end,
this paper evaluates the existing set of circumstances surrounding the
field of Digital Forensics (DF). Our research study makes two
important contributions to the field of DF. First, it analyses the most
difficult technical challenges that need to be considered by both LEAs
and Digital Forensic Experts (DFEs). Second, it proposes important
specific future research directions, the undertaking of which can assist
both LEAs and DFEs in adopting a new approach to combating cyberattacks.
Keywords—digital forensics, IoT forensics, cloud forensics,
cybersecurity, digital investigation, encryption, anti-forensics
I. INTRODUCTION
In recent years, we have witnessed rapid advancements in
Information and Communication Technology (ICT) features.
Technologies such as communication networks, mobile devices,
Internet of Things (IoT) solutions, Cloud-Based Services
(CBSs), Cyber-Physical Systems (CPSs) have brought many
benefits to technologically-advanced societies [1, 2, 3]. As a
result, commercial transactions and governmental services have
rapidly grown, revolutionising the lifestyles of many
individuals living in these societies. While technological
advancements undoubtedly present many advantages, at the
same time they pose new cybersecurity threats which have
significant impacts on a variety of domains such as government
systems, enterprises, ecommerce, online banking, and critical
infrastructure. According to an official survey conducted by The
Office for National Statistics [4], there were an estimated 3.6
million cases of fraud and two million computer misuse offences
in a year. Although there is a variety of reasons for conducting
cybercrimes, the motivation is often for financial gain. The
fundamental issues associated with cybercrime are damage to
reputation and monetary loss, in addition to impacts on
the confidentiality, integrity and availability of data.
By exploiting technology, cybercriminals, for instance, will
be able to turn IoT nodes into zombies (using malicious
software), carry out distributed denial of service (DDoS) attacks
(engineered through botnets), and create and distribute malware
aimed at specific appliances (such as those affecting VoIP
devices and smart vehicles) [1, 2], [5, 6, 7, 8, 9]. Other
challenges resulting from such technological advancements
include, but are not limited to: high volume of data,
heterogeneous nature of digital devices, advanced hardware and
software technologies, anti-forensic techniques, video and rich
media, whole drive encryption, wireless, virtualisation, live
response, distributed evidence, borderless cybercrime and dark
web tools, lack of standardised tools and methods, usability and
visualisation. The deployment of IP anonymity and the ease with
which individuals can sign up for a cloud service with minimum
information can also pose significant challenges in relation to
identifying a perpetrator [2], [5], [8], [9, 10].
As a result, the number of cases that necessitate DFIs is on
the rise, culminating in the creation of a backlog of cases for
LEAs worldwide [11, 12]. Therefore, given the discussion
above, it is of paramount importance that new research
approaches be created to deal with the aforementioned security
challenges. To this end, we evaluate the existing set of
circumstances surrounding the field of DF. Our research study
makes two important contributions to the field of DF. First, it
analyses the most difficult mid- and long-term challenges that
need to be considered by both LEAs and DFEs. Second, it
proposes important specific future research directions, the
undertaking of which can assist both LEAs and DFEs in
adopting a new approach to combating cyber-attacks.
II. CHALLENGES
As the field of DF continues to evolve, its development is
severely challenged by the growing popularity of digital devices
and the heterogeneous hardware and software platforms being
utilised [2], [13, 14]. For instance, the increasing variety of file
formats and OSs hampers the development of standardised DF
tools and processes [15]. Furthermore, the emergence of
smartphones that increasingly utilise encryption renders the
acquisition of digital evidence an intricate task. Additionally,
advancements in cybercrime have culminated in the substantial
challenge of business models, such as Crime as a Service
(CaaS), which provides the attackers with easy access to the
tools, programming frameworks, and services needed to conduct
cyberattacks [2]. The following sub-sections analyse the key
issues that pose significant challenges to the field of DF.
A. Cloud Forensics
The cloud computing paradigm presents many benefits to both
organisations and individuals. One such advantage
relates to the manner in which data is managed by the cloud
infrastructure. For instance, data is spread between various data
centres to improve performance and to facilitate load-balancing,
scalability and deduplication. Because of this, data
requires efficient indexing, so that retrieval can be optimised
and so that duplication, which often drives up storage needs,
is avoided. As a result,
evidence left by adversaries is more difficult to eliminate, since
it can be copied to various locations, which makes the acquisition
of evidence and its examination easier to perform.
However, despite its many benefits, cloud computing poses
significant challenges to the LEAs and DFEs from a forensic
perspective. These include, but are not limited to, problems
associated with the absence of standardisation amongst different
CSPs, varying levels of data security and their Service Level
Agreements [5], [16, 17], multiple ownerships, tenancies, and
jurisdictions. Moreover, the distributed nature of cloud
computing services presents a variety of challenges to LEAs as
data often resides in a number of different jurisdictions. In
contrast with traditional DF in which data is held on a single
device, within cloud environments data is often spread over
multiple different nodes. As a result, LEAs need to rely on local
laws to be able to conduct digital evidence acquisition [1], [7],
[18]. Therefore, the discrepancy in the legal systems of different
jurisdictions combined with the lack of cooperation between
CSPs also poses significant challenges from a DF perspective.
In addition, existing DF models, frameworks, methodologies
and tools are mainly intended for off-line investigations,
designed on the premise that data storage under investigation is
within the LEAs’ control [19]. However, performing DFIs
within a cloud environment is increasingly challenging as digital
evidence is often short-lived and stored on media beyond the
control of DFEs [1]. Anonymising tools and distributed data
storage in cloud services also enable criminals to cover their
malicious activities more easily. Furthermore, the use of features
such as IP anonymity and the ease with which one can sign up
for a cloud service with minimal information make it almost
impossible to identify criminals in cloud environments [1], [7,
8]. Another challenge for DF is the availability of different
models for delivering cloud services (CSs). Specifically,
investigating the data of an infrastructure-as-a-service (IaaS)
user can be done without too many restrictions, but in the case
of customers using software-as-a-service (SaaS) resources,
access to information might be minimal or entirely absent.
Last, but not least, accessing a software application through
a cloud computing system often leaves traces of evidence in
various places on the OS, such as registry entries or temporary
Internet files. However, evidence is lost once the user has exited
the virtual environment as virtualisation sanitises traces of
leftover artefacts. As a result, virtualisation limits the traditional
examination of the leftover artefacts, rendering digital evidence
traditionally stored on hard drives potentially unrecoverable [20,
21]. Therefore, cloud-based forensic investigations pose
significant challenges related to the identification and extraction
of evidential artefacts.
B. Network Forensics
A Network Forensic Investigation (NFI) pertains to the
acquisition, storage and examination of network traffic
(encapsulated in network packets) generated by a host, an
intermediate node, or the whole portion of a network in order to
establish the source of a security attack. Network traffic objects
that require analysis consist of protocols used, IP addresses, port
numbers, timestamps, malicious packets, transferred files, user agents, application server versions, and operating system
versions, etc. This data can be acquired from different types of
traffic.
Similar to any other sub-field of DF, NF poses various
challenges to DFEs and LEAs. One of the challenges concerns
traffic data sniffing. Depending on the network set-up and the
security measures in place where the sniffer is installed, the tool is likely
not to capture all of the intended traffic data. However, this challenge
can be addressed by utilising a SPAN port on network devices in
various places in the network. Another challenge for NF is that
an attacker might be able to encrypt the traffic by utilising an SSL
VPN connection. In this case, although the address and port will
still be visible to DFEs, the data stream will not be available.
Therefore, additional analysis will need to be carried out so as
to establish what data crossed the connection.
Another challenge is determining the source of an attack
since an attacker may use a zombie machine, an intermediate
host to perform an attack, or simply use a remote proxy server.
The deployment of such methods by an attacker makes it very
difficult for DFEs to determine the source of the attack.
However, this can be remedied by examining each packet only
in a basic manner in memory and storing only certain data for
future examination. Although this approach
requires less storage, it often requires a faster
processor to be able to keep up with the incoming traffic. To capture
and analyse evidential network data, DFEs need to use a number
of commercial and open-source security applications such as
tcpdump and windump. Additionally, ensuring the privacy of
legitimate end users is another challenging factor in NF, as all
packet data, including that of the end user, is captured during an
investigation.
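The two points just made, retaining a reduced record per packet rather than the full stream, and protecting the legitimate end user whose traffic is swept up in a capture, can be shown together in a short script. The following is an added example written for this page, not code from the paper or from tcpdump/windump: it folds constructed packet records into bidirectional flow records, keeps only header-level fields (addresses, ports, protocol, timestamps, counts and a couple of HTTP header values), marks TLS flows as content-opaque so that only address and port are recorded for them, and replaces end-user addresses with a keyed pseudonym. The packet tuples, the per-case key and the 10.0.0.0/24 client range are assumptions of the example.

```python
"""Metadata-only flow summarisation for network forensic evidence (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample capture, not real traffic:
# (timestamp, src_ip, dst_ip, proto, sport, dport, length, payload)
SAMPLE_PACKETS = [
    (1700000000.00, "10.0.0.5", "93.184.216.34", "TCP", 51512, 80, 120,
     b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: ExampleUA/1.0\r\n\r\n"),
    (1700000000.05, "93.184.216.34", "10.0.0.5", "TCP", 80, 51512, 300,
     b"HTTP/1.1 200 OK\r\nServer: ExampleSrv/2.4\r\n\r\n<html>...</html>"),
    (1700000001.00, "10.0.0.5", "203.0.113.7", "TCP", 51513, 443, 517,
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),   # TLS handshake record: content opaque
    (1700000001.20, "203.0.113.7", "10.0.0.5", "TCP", 443, 51513, 1400,
     b"\x17\x03\x03\x05\x6c"),                     # TLS application data
    (1700000002.00, "10.0.0.9", "203.0.113.7", "UDP", 40000, 53, 45,
     b"\x12\x34\x01\x00\x00\x01"),                 # DNS query header
]

PSEUDONYM_KEY = b"constructed-per-case-key"   # assumption: one secret per investigation
END_USER_PREFIX = "10.0.0."                   # assumption: the monitored client range
TLS_RECORD_TYPES = {b"\x16", b"\x17"}          # TLS handshake / application-data record types
HEADER_INDICATORS = (b"User-Agent:", b"Server:")


def pseudonymise(ip: str) -> str:
    """Keyed, deterministic pseudonym: the same client maps to the same token within a
    case, so both sides of a conversation stay linkable without the raw address."""
    return "user-" + hmac.new(PSEUDONYM_KEY, ip.encode(), hashlib.sha256).hexdigest()[:12]


def label_endpoint(ip: str, port: int) -> str:
    host = pseudonymise(ip) if ip.startswith(END_USER_PREFIX) else ip
    return f"{host}:{port}"


@dataclass
class FlowRecord:
    proto: str
    endpoint_a: str
    endpoint_b: str
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    encrypted: bool = False           # addresses and ports visible, stream content not
    indicators: list = field(default_factory=list)


def summarise_flows(packets):
    """Fold packets into bidirectional flow records, retaining metadata only."""
    flows = {}
    for ts, sip, dip, proto, sport, dport, length, payload in packets:
        # Direction-independent key so the request and the reply land in one record.
        a, b = sorted([(sip, sport), (dip, dport)])
        key = (proto, a, b)
        rec = flows.get(key)
        if rec is None:
            rec = FlowRecord(proto, label_endpoint(*a), label_endpoint(*b), ts, ts)
            flows[key] = rec
        rec.last_seen = max(rec.last_seen, ts)
        rec.packets += 1
        rec.octets += length
        if 443 in (sport, dport) or payload[:1] in TLS_RECORD_TYPES:
            rec.encrypted = True      # the payload yields nothing further; do not store it
            continue
        # Basic in-memory inspection: keep a few header lines, never the body.
        for line in payload.split(b"\r\n"):
            if line.startswith(HEADER_INDICATORS):
                rec.indicators.append(line.decode("ascii", errors="replace"))
    return sorted(flows.values(), key=lambda r: r.first_seen)


if __name__ == "__main__":
    for flow in summarise_flows(SAMPLE_PACKETS):
        print(flow)
```

The pseudonym is an HMAC rather than a plain hash so that the address space cannot simply be enumerated and matched against the records; the key is held with the case file, separately from the flow records, so re-identification remains possible where the investigation lawfully requires it.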
C. Internet of Things (IoT) Forensics
The Internet of Things (IoT) which is supported by the cloud,
big data and mobile computing often connects anything and
everything ‘online’. The IoT represents the interconnection of
uniquely identifiable embedded computing devices within the
current Internet infrastructure. Some IoT devices are ordinary
items with built-in Internet connectivity, whereas some are
sensing devices developed specifically with IoT in mind. The
IoT covers technologies, such as: unmanned aerial vehicles
(UAVs), smart swarms, the smart grid, smart buildings and
home appliances, autonomous cyber-physical and cyber-biological systems, wearables, embedded digital items, machine-to-machine communications, RFID sensors, and context-aware
computing, etc. Each of these technologies has become a
specific domain on their own merit. With the new types of
devices constantly emerging, the IoT has almost reached its
uttermost evolution. With an estimated number of 50 billion
devices that will be networked by 2020 [20, 21], it is estimated
that there will be 10 connected IoT devices for every person
worldwide [22].
IoT-connected devices offer many benefits both individually
and collectively. For instance, connected sensors can help
farmers to monitor their crops and cattle so as to improve
production, efficiency and track the health of their herds.
Intelligent health-connected devices can save or significantly
improve patients’ lives through wearable devices. For instance,
the wearable device developed by Intel can track symptoms of
Parkinson’s disease patients by passively collecting 300
observations per second from each wearer, tracking various
activities and symptoms [23, 24].
However, despite its many benefits, IoT-connected devices
pose significant privacy and security challenges as these devices
and systems collect significant personal data about individuals.
As an example of a privacy challenge, employers can use their
employees’ security access cards to track where they are in the
building to determine how much time the employees spend in
their office or in the kitchen. Another example relates to smart
meters that can determine when one is home and what
electronics they use. This data is shared with other devices and
stored in databases by companies. In relation to the security
challenges, due to the constant emergence of new and diverse
devices with varied OSs as well as the different networks and
related protocols, IoT produces a wider security attack surface
than that created by cloud computing. Examples of cyberattacks
that can be carried out on IoT devices include: intercepting and
hacking into cardiac devices such as pacemakers and patient
monitoring systems, launching DDoS attacks using
compromised IoT devices, hacking or intercepting In-Vehicle
Infotainment (IVI) systems, and hacking various CCTV and IP
cameras. Therefore, security is of paramount importance for the
secure and reliable operation of IoT-connected devices.
Although IoT uses monitoring requirements similar
to those utilised by cloud computing, it poses more security
challenges resulting from issues such as volume, variety and
velocity. Furthermore, DFIs of IoT devices can be even more
difficult than those of cloud-based investigations as more
complex procedures are needed for investigation of these
devices.
IoT Forensics must involve identification and extraction of
evidential artefacts from smart devices and sensors, hardware
and software which facilitate a communication between smart
devices and the external world (such as computers, mobile, IPS,
IDS and firewalls), and also hardware and software which are
outside of the network being investigated (such as cloud, social
networks, ISPs and mobile network providers, virtual online
identities and the Internet). However, extracting evidential
artefacts from IoT devices in a forensically-sound manner and
then analysing them tend to be a complex process, if not
impossible, from a DF perspective. This is due to a variety of
reasons, including: the different proprietary hardware and
software, data formats, protocols and physical interfaces, spread
of data across multiple devices and platforms, change,
modification, loss and overwriting of data, and jurisdiction and
SLA (when data is stored in a cloud). Thus, determining where
data resides and how to acquire data can pose many challenges
to DFEs.
For instance, the DF analysis of IoT devices used in a
business or home environment can be challenging in relation to
establishing to whom data belongs, since digital artefacts might
be shared or transmitted across multiple devices. In addition, because
IoT devices utilise proprietary formats for data
and communication protocols, understanding the links between
artefacts in both time and space can be very complex. Another
challenge related to the DFI of IoT devices concerns the chain
of custody. In a civil or criminal trial, collecting evidence in a
forensically sound manner and preserving the chain of custody are
of paramount importance. However, ownership and preservation
of evidence in an IoT setting could be difficult and can have a
negative effect on a court's acceptance that the evidence
acquired is reliable.
Furthermore, existing DF tools and methods used to
investigate IoT devices are designed mainly for traditional DF
examining conventional computing devices such as PCs, laptops
and other storage media and their networks. For instance, the
current methods utilised to extract data from IoT devices
include: obtaining a flash memory image, acquiring a memory
dump through Linux dd command or netcat, and extracting
firmware data via JTAG and UART techniques. Moreover,
protocols such as Telnet, SSH, Bluetooth and Wi-Fi are
deployed to access and interact with IoT devices. Likewise, tools
such as FTK, EnCase, Cellebrite, X-Ways Forensic and
WinHex, etc. and internal utilities such as Linux dd command
(for IoT devices with OSs such as embedded Linux) are used to
extract and analyse data from IoT devices. However, the
forensic investigation of IoT devices necessitates specialised
handling procedures, techniques, and understanding of various
OSs and file systems. Additionally, by using conventional
Computer Forensic tools to conduct IoT Forensics, it would be
highly unlikely to maintain a chain of custody, the adherence to
which is required by the Association of Chief Police Officers
[25], concerning the collection of digital evidence.
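The integrity half of the chain-of-custody requirement discussed above (listed as controls CFM8 and CFM10 in the governance framework earlier on this page) can be made verifiable with very little code. The following is an added example, not code from either paper or from any of the tools named: a device image, such as one obtained with dd over netcat from an embedded-Linux device, is hashed at acquisition; every later handling step re-hashes the image and must match that first hash; and each log entry carries a digest of the previous entry, so an edited, removed or reordered entry is detectable by anyone holding the log. The image bytes, examiner names, timestamps and the log format are constructed for this example.

```python
"""Hash-anchored chain-of-custody log for an acquired device image (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed stand-in for a dd image of a device's flash; not a real image.
SAMPLE_IMAGE = b"\x00" * 16 + b"IOT-FLASH-IMAGE-SAMPLE" + b"\xff" * 16
GENESIS = "0" * 64   # prev-link value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str            # ISO 8601, UTC
    actor: str
    action: str               # acquired / transferred / verified / analysed
    image_sha256: str         # hash of the image as re-computed at this step
    prev_entry_sha256: str    # digest of the previous entry, linking the log


def entry_digest(entry: CustodyEntry) -> str:
    """Canonical JSON so an independent examiner recomputes exactly the same digest."""
    return sha256_hex(json.dumps(asdict(entry), sort_keys=True).encode())


class CustodyLog:
    def __init__(self):
        self.entries = []

    def _append(self, timestamp, actor, action, image_sha256):
        prev = entry_digest(self.entries[-1]) if self.entries else GENESIS
        entry = CustodyEntry(len(self.entries) + 1, timestamp, actor, action,
                             image_sha256, prev)
        self.entries.append(entry)
        return entry

    def record_acquisition(self, image, timestamp, actor):
        """First entry: the acquisition hash every later step is compared against."""
        return self._append(timestamp, actor, "acquired", sha256_hex(image))

    def matches_acquisition(self, image) -> bool:
        return bool(self.entries) and sha256_hex(image) == self.entries[0].image_sha256

    def record_event(self, image, timestamp, actor, action):
        """Any later handling step: the image is re-hashed and must still match."""
        if not self.matches_acquisition(image):
            raise ValueError(f"image hash mismatch at '{action}': integrity cannot be asserted")
        return self._append(timestamp, actor, action, sha256_hex(image))

    def verify_chain(self) -> bool:
        """Check that no entry has been altered, removed or reordered since it was written."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_entry_sha256 != expected_prev:
                return False
            if e.image_sha256 != self.entries[0].image_sha256:
                return False
            expected_prev = entry_digest(e)
        return True


def build_sample_log() -> CustodyLog:
    """Acquisition by one examiner, hand-over to and analysis by another (constructed)."""
    log = CustodyLog()
    log.record_acquisition(SAMPLE_IMAGE, "2024-01-15T09:00:00Z", "examiner-A")
    log.record_event(SAMPLE_IMAGE, "2024-01-15T12:30:00Z", "examiner-B", "transferred")
    log.record_event(SAMPLE_IMAGE, "2024-01-16T08:00:00Z", "examiner-B", "analysed")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for entry in sample.entries:
        print(json.dumps(asdict(entry)))
    print("chain intact:", sample.verify_chain())
```

The hash linkage makes the log tamper-evident, not tamper-proof: a copy of the log should still be retained by a second party, or its final digest recorded in a write-once location, so that wholesale replacement of the log is also detectable.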
Therefore, to deal with the aforementioned challenges posed
by IoT-connected devices, cloud cybersecurity will need to be
reviewed, since each IoT device produces data that is stored in
the cloud. Cloud cybersecurity policies must be blended with
IoT infrastructure so as to provide timely responses for
suspicious activities [20]. They must be reviewed in relation to
evidence identification, data integrity, preservation, and
accessibility. CSPs will need to ensure the integrity of the digital
evidence acquired from cloud computing components in order
to facilitate an unbiased investigation process in establishing the
root cause of the cyberattack in IoT. Therefore, as the IoT
paradigm is further developed, it becomes necessary to develop
adaptive processes, accredited tools and dynamic solutions
tailored to the IoT model.
D. Big Data and Backlog of Digital Forensic Cases
Another key challenge that the field of DF is currently facing
pertains to the substantial and continuing increase in the amount
of data, i.e. big data – both structured and unstructured –
acquired, stored and presented for forensic examination. This
data is collected from a variety of sources such as digital devices,
networks, cloud, IoT devices, social media, sensors or machine-to-machine data, etc. In particular, this challenge is relevant to
live network analysis since DFEs are unlikely to acquire and
store all the essential network traffic [2], [10]. This growth in
data volume is the consequence of the ongoing advancement of
storage technology such as growing storage capacity in devices
and cloud storage services, and an increase in the number of
devices seized per case. Consequently, the backlog of DF cases awaiting investigation has grown, with waits often of many months and, in some cases, years. This backlog has had a seriously adverse impact on the timeliness of criminal investigations and the legal process. Delays of up to four years in performing DFIs on seized digital devices have been reported to significantly affect the timeliness of criminal investigations [5], [11], [26]. Due to such delays, some prosecutions have even been discharged in court. This backlog
of DF cases is predicted to increase due to the modern sources
of evidence such as those of IoT devices and CBSs.
To address the aforementioned issues, i.e. the 3Vs of the big
data, including: volume, variety and velocity, researchers have,
in recent years, proposed various solutions ranging from data
mining [27, 28, 29], data reduction and deduplication [27], [30,
31], triage [12], [32, 33, 34], increased processing power,
distributed processing [35, 36], cross-drive analysis [31],
artificial intelligence, and other advanced methods [30]. Despite
the usefulness of these solutions, additional research studies are
required to address the real-world relevance of the proposed
methods to deal with the data volume that gravely challenges the
field of DF. Therefore, it is of paramount importance to
implement several practical infrastructural enhancements to the
existing DF process. These augmentations should cover
elements such as automation of device collection and
examination, hardware-facilitated heterogeneous evidence
processing, data visualisation, multi-device evidence and
timeline resolution, data deduplication for storage and
acquisition purposes, parallel or distributed investigations and
process optimisation of existing techniques. Such enhancements should be integrated to help both law enforcement and third-party providers of DF services speed up the existing DF process. Implementing these elements can significantly benefit both new and augmented forensic processes.
E. Encryption
According to a survey conducted by the Forensic Focus [37],
data encryption in addition to Cloud Forensics (discussed
previously) are the most difficult challenges encountered by
DFEs. Encryption is the fastest method used to prevent access
to data held on a device. There exist numerous encryption
methods that can be implemented on a system or its peripherals.
Increase in storage devices has resulted in the creation of tools
capable of encrypting the entire volume of a hard drive.
Encryption can also be performed on an application, a folder, a
cloud service, mobile devices, and data stored in a database or
transmitted through email, etc. Concerning network-based data
hiding, this can be facilitated through methods such as Virtual
Private Network (VPN) tunnelling and the utilisation of proxy
servers and terminal emulators. Regardless of data being stored
in an unknown server in the cloud or on the perpetrator’s
computer’s encrypted hard drive, encryption often makes it
impossible for DFEs to acquire data essential for a DFI.
Although such technologies are not unbeatable, they often
necessitate large amount of time and luck to be bypassed [32],
[38, 39].
Since many encryption schemes are designed to resist brute-force attacks, it is of paramount importance that researchers design workarounds and exploits that allow evidence to be acquired from encrypted devices. The forensic challenges posed by encrypted devices differ depending on the type of device involved. Several such techniques are currently available to DFEs. For instance, a BitLocker volume whose recovery key has been backed up (escrowed) to the user's Microsoft Account can be decrypted by obtaining the correct Microsoft Account password and retrieving the recovery key from that account. Various tools and methods exist for retrieving the password; their discussion is outside the scope of this paper. Another approach used by researchers is RAM forensics: imaging the RAM with a tool such as Belkasoft Live RAM Capturer and then extracting the binary decryption key from the memory image. Besides bypassing encryption, this also allows DFEs to identify malware that never touches persistent storage. For instance, BitLocker full-disk encryption on Windows desktop computers can be attacked by imaging the RAM with a kernel-mode tool while the volume is mounted and then searching the memory image for the binary decryption key, which allows the BitLocker volume to be mounted in a short time. This only works while the system is powered on and the volume is mounted, since the key is held in RAM only then; the acquisition must therefore be performed live, before the machine is shut down.
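The key-extraction step described above, as an added example that is not part of the original paper: the script scans a memory image for runs of bytes that form a valid AES key schedule, the approach used in the cold-boot work of Halderman et al. (2008) and by tools such as aeskeyfind. It assumes the target cipher is AES with its expanded key schedule resident contiguously in memory, which is the case for a mounted BitLocker volume's volume key (BitLocker uses AES). The memory image, the planted keys and the offsets are constructed for the example; the image is not a real BitLocker capture.

```python
"""Key-schedule search over a memory image (added example, not from the paper).

Finds AES-128/AES-256 keys in a RAM image by testing, at every offset,
whether the bytes that follow a candidate key equal its FIPS-197 key
schedule. The sample image is constructed; it is not real evidence.
"""
import random


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(1, 256) if _gmul(x, y) == 1) if x else 0
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def _rot_sub(word: bytes) -> list:
    """RotWord followed by SubWord, as in FIPS-197 key expansion."""
    return [SBOX[b] for b in word[1:] + word[:1]]


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for 16-, 24- or 32-byte keys."""
    nk = len(key) // 4
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):          # 44 words for AES-128, 60 for AES-256
        t = list(words[i - 1])
        if i % nk == 0:
            t = _rot_sub(bytes(t))
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return b"".join(bytes(w) for w in words)


def _first_derived_word(key: bytes) -> bytes:
    """Cheap prefilter: the first schedule word derived from the key."""
    t = _rot_sub(key[-4:])
    t[0] ^= 1
    return bytes(a ^ b for a, b in zip(key[:4], t))


def find_aes_keys(mem: bytes, key_sizes=(16, 32)) -> list:
    """Return (offset, key_length, key) for every complete AES key schedule in mem."""
    hits = []
    for klen in key_sizes:
        sched_len = 16 * (klen // 4 + 7)       # 176 bytes for AES-128, 240 for AES-256
        for off in range(len(mem) - sched_len + 1):
            key = mem[off:off + klen]
            # Roughly 1 in 2^32 random offsets survives this check.
            if mem[off + klen:off + klen + 4] != _first_derived_word(key):
                continue
            if mem[off:off + sched_len] == expand_key(key):
                hits.append((off, klen, key))
    return sorted(hits)


# Constructed sample keys (the FIPS-197 test vectors) and a constructed image in
# which their schedules are planted amid random bytes, as a live cipher context
# would sit in kernel memory.
SAMPLE_KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_KEY_256 = bytes.fromhex(
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")


def build_sample_image() -> bytes:
    rng = random.Random(20181001)
    mem = bytearray(rng.getrandbits(8) for _ in range(4096))
    mem[1024:1024 + 176] = expand_key(SAMPLE_KEY_128)
    mem[2560:2560 + 240] = expand_key(SAMPLE_KEY_256)
    return bytes(mem)


if __name__ == "__main__":
    for off, klen, key in find_aes_keys(build_sample_image()):
        print(f"AES-{klen * 8} key schedule at offset 0x{off:x}: {key.hex()}")
```

The prefilter keeps the search cheap: a full expansion is computed only at offsets whose next four bytes already agree with the candidate key, so the scan is dominated by a few table lookups per offset. Against a multi-gigabyte capture the pure-Python loop is slow and a compiled scanner should be used, but the check is the same. Once the key is recovered, the volume can be mounted with it rather than with the user's credentials.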
However, as Garfinkel [32] notes, developing RAM forensic tools is more challenging than developing disk tools. Data stored on disk is persistent and intended to be read back in the future, whereas data written to RAM is only ever read by the running program. Garfinkel [32] argues that programmers therefore have less incentive "to document data structures from one version of a program to another", which complicates the work of tool developers.
F. Limitations in DF Tools and Lack of Standardisation
Existing DF tools and techniques are also limited in their functionality and poorly suited to identifying data that is "out-of-the-ordinary, out-of-place, or subtly modified" [32], [40]. Traditional DF tools, techniques and methods often lag behind emerging technologies and lack adequate capabilities to address the challenges those technologies present. Although current DF tools may be able to handle a case containing several terabytes of data, they cannot condense terabytes of data into a succinct report. It is also difficult to use DF tools to recreate a unified timeline of past events or of a culprit's activities; event and timeline reconstruction is often carried out manually during a DFI. DF tools are also often slow at data analysis. Furthermore, the emphasis on producing documents that can be presented in court has hindered the development of DF methods capable of processing data that is not readily accessible [32], [41].
With regard to the lack of standardisation in DF, although researchers have made some attempts to agree on formats, schemas and ontologies for DF artefacts, very little progress, if any, has been made [15], [42, 43, 44]. Yet the analysis of advanced cyber-attacks often requires concerted effort to process complex data, and in most cases such cooperation does not exist among DFEs and DF researchers. The resulting diversity, arising from the absence of standardised methods and guidelines to detect, acquire, store, examine, analyse and present digital evidence, also poses significant challenges for DFIs [45, 46]. The lack of formal and generic Digital Forensic Investigation Process Models (DFIPMs) likewise adds to the difficulty of acquiring and analysing digital evidence in a forensically sound manner [42]. It is therefore essential that the DF community collaborates more closely to create effective standard formats and abstractions.
III. RESEARCH DIRECTIONS
A. IoT Forensics
The Identification, Acquisition and Analysis (main phases of
a conventional DFI) of digital evidence in IoT environments
pose significant challenges to LEAs and DFEs. In relation to the
identification of a particular user’s data, it would be difficult for
investigators to determine how to conduct search and seizure
when the location and provenance of data (representing potential
digital evidence) cannot be determined. One of the ways to
address this challenge is to integrate the IoT device data into
Building Information Modelling. Thus, the research community
can consider this as a research opportunity to be explored.
With regard to the problem of extracting a specific user's data from IoT devices, the volatility of evidence in these devices is more complex than in traditional devices. In IoT environments, data might be held locally by an IoT device, in which case it has a very short lifespan before it is overwritten or compressed. Furthermore, digital evidence (data) from an IoT device might be passed to and used by another IoT device (or a local network of IoT-connected devices), or it might be moved to the cloud for aggregation and processing. As a result, the transmission and aggregation of evidence pose significant challenges for maintaining the chain of evidence. To deal with this challenge, we propose the development of new investigation methods that can track and filter the transfer of data across IoT-connected devices, as supported by Hegarty et al. (2014). Such methods could then pave the way for the acquisition of data that has been altered or deleted. The creation of such techniques should therefore be considered a new research opportunity for further exploration.
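One concrete form such a tracking method can take, shown here as an added example rather than a technique from the paper: a hash-chained custody ledger in which every hop (sensor, gateway, cloud aggregator) appends a record binding the data it held to the previous record. The device names, actions and payloads are constructed for the example; a real deployment would have each hop sign its record with its own key so that no single party can rewrite the ledger.

```python
"""Tamper-evident custody chain for data that passes between IoT hops.

Added example, not from the paper. Each hop appends a record binding the
data it held, the previous record's hash and its own identity, so that a
later change to any record, or to the data a hop vouches for, fails
verification at that hop. Names and payloads are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64


def _record_hash(seq: int, actor: str, action: str, data_sha256: str, prev_hash: str) -> str:
    """Hash over every field of a record, in a fixed serialisation."""
    payload = json.dumps([seq, actor, action, data_sha256, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass(frozen=True)
class CustodyRecord:
    seq: int
    actor: str          # device or service that held the data at this hop
    action: str         # e.g. "collected", "forwarded", "aggregated"
    data_sha256: str    # hash of the data as held at this hop
    prev_hash: str      # record_hash of the previous record (GENESIS for the first)
    record_hash: str    # _record_hash() over the fields above


class CustodyChain:
    def __init__(self):
        self.records = []

    def append(self, actor: str, action: str, data: bytes) -> CustodyRecord:
        seq = len(self.records)
        prev = self.records[-1].record_hash if self.records else GENESIS
        dsha = hashlib.sha256(data).hexdigest()
        rec = CustodyRecord(seq, actor, action, dsha, prev,
                            _record_hash(seq, actor, action, dsha, prev))
        self.records.append(rec)
        return rec

    def verify(self, data_at_hop: dict) -> tuple:
        """Recompute every link; data_at_hop maps seq -> bytes retained at that hop.

        Returns (True, None) if the ledger and the retained data are consistent,
        otherwise (False, seq) for the first hop that fails.
        """
        prev = GENESIS
        for i, r in enumerate(self.records):
            expected = _record_hash(r.seq, r.actor, r.action, r.data_sha256, r.prev_hash)
            if r.seq != i or r.prev_hash != prev or r.record_hash != expected:
                return False, i
            if i in data_at_hop and hashlib.sha256(data_at_hop[i]).hexdigest() != r.data_sha256:
                return False, i
            prev = r.record_hash
        return True, None


def demo() -> tuple:
    """Walk one reading from sensor to cloud, then try two kinds of tampering."""
    reading = b'{"sensor":"temp-01","c":21.4,"ts":1537545600}'      # constructed
    aggregate = b'{"sensor":"temp-01","avg_c":21.6,"window":"1h"}'  # constructed
    chain = CustodyChain()
    chain.append("sensor temp-01", "collected", reading)
    chain.append("gateway gw-7", "forwarded", reading)
    chain.append("cloud aggregator", "aggregated", aggregate)
    intact = chain.verify({0: reading, 1: reading, 2: aggregate})

    # 1. The gateway later presents different data than it originally vouched for.
    altered = b'{"sensor":"temp-01","c":35.0,"ts":1537545600}'
    data_tampered = chain.verify({0: reading, 1: altered, 2: aggregate})

    # 2. The ledger entry itself is rewritten; its stored hash no longer matches.
    chain.records[1] = replace(chain.records[1], action="collected")
    ledger_tampered = chain.verify({0: reading, 1: reading, 2: aggregate})
    return intact, data_tampered, ledger_tampered


if __name__ == "__main__":
    print(demo())   # ((True, None), (False, 1), (False, 1))
```

The aggregation hop records a different data hash from the two hops before it, which is the point: the ledger shows where the data was transformed and by whom, so an examiner can justify treating the aggregate rather than the raw reading as evidence. Hash chaining alone only makes tampering detectable by someone who holds an independent copy of the latest record hash; the ledger should therefore be anchored outside the devices (signed per hop, or its head hash logged to a separate system) to stop a party that controls every hop from recomputing the whole chain.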
In terms of the challenges of the analysis process, IoT devices produce large amounts of data, which are stored in large-scale distributed cloud environments. If this data requires Digital Forensic analysis, it first needs to be imaged in order to adhere to the principles of 'forensically-sound investigations'. However, from a technical point of view, imaging such data (representing potential digital evidence) with existing conventional DFI procedures is not a feasible acquisition process, because of the scale, distribution and remote nature of data generated by IoT and stored in the cloud. As a result, new research is needed to develop distributed analysis techniques that can examine this kind of data.
Last, but not least, we suggest the revision of standards in
traditional DFIs against which digital evidence in IoT is assessed
in order to accommodate the evolving nature of digital evidence
in IoT environments.
B. Big Forensic Data
Analysing big forensic data (BFD) in both a timely and a
forensically-sound manner poses significant challenges to LEAs
and DFEs. However, there are a number of research directions that researchers can pursue to address these challenges. One is to revise the conventional principle that 'all data' must be extracted in a 'strict' forensically-sound manner, and the procedures built on it. To do so, as with our proposed research direction in the previous sub-section, the techniques related to the main phases of the DF process (i.e. Identification, Acquisition and Analysis) could be adapted to the context of BFD. For instance, in the Acquisition Phase, proper triage procedures can be developed (e.g. through visualisation, both for low-level file system analysis and for higher-level content analysis) to enable investigators to prioritise data when a conventional 'bit-by-bit' forensic image is not possible because of the sheer volume of data. With such triage procedures, investigators should be able to scan 'all' the data but extract only the parts applicable to the investigation. In these scenarios, investigators might need to access the original source of evidence [12]. If so, they must be able to justify and document their actions in order to adhere to Principle 2 of the ACPO Guidelines: "In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions." [25]
Another research possibility to address the BFD is to develop
new tools and techniques or adapt the existing ones. For
instance, machine learning algorithms (MLAs) can be adapted
Authorized licensed use limited to: University of the Cumberlands. Downloaded on November 24,2022 at 15:10:21 UTC from IEEE Xplore. Restrictions apply.
for specific use in the unique context of DF for triage and
analysis of big forensic data (such as disk images and network
traffic dumps). Currently, only a few DF tools make use of MLAs for the triage and analysis of forensic data, while the machine learning tools and libraries used in 'data science' are neither fit nor court-approved for use in the context of DF. Another example of adapting existing tools to the context of DF is MapReduce, which is widely used in data science. As a research opportunity, MapReduce can be adapted to process big data sets in DF with a parallel, distributed algorithm on a cluster. Similarly, neural networks can be extended to support complex pattern recognition in branches of DF such as Cloud Forensics and Network Forensics, and researchers can build upon Natural Language Processing (NLP) techniques for clustering and categorising unstructured DF data.
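The data deduplication proposed in Section II.D, the triage-by-prioritisation proposed above, and the MapReduce decomposition just mentioned, combined in one added example (not code from the paper): each file is hashed and scored independently in a parallel map phase, and a reduce phase drops known-good files against a reference hash set, collapses duplicates, ranks what remains and writes an audit trail of every decision, as the ACPO requirement to document access demands. The file contents, the known-good set and the indicator strings are constructed for the example; a real run would use a reference set such as NSRL and case-specific indicators.

```python
"""Hash-based deduplication and triage of a seized file set (added example).

Structured as a map phase (hash and score each file independently, in
parallel) followed by a reduce phase (drop known-good files, collapse
duplicates, rank the rest, record every decision). All inputs below are
constructed for the example and are not real evidence.
"""
import hashlib
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Constructed sample files: (path, content), standing in for files carved from an image.
_NOTEPAD = b"MZ\x90\x00" + b"\x00" * 60 + b"notepad stub"
_NOTES = b"reminder: my password is hunter2, bank login same\n"
SAMPLE_FILES = [
    ("C:/Windows/System32/notepad.exe", _NOTEPAD),
    ("C:/Users/alice/Documents/notes.txt", _NOTES),
    ("C:/Users/alice/Desktop/notes (copy).txt", _NOTES),
    ("C:/Users/alice/keys.asc", b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n"),
    ("C:/Users/alice/Pictures/IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
]

# Constructed known-good set; an NSRL-style reference set would be used in practice.
KNOWN_GOOD = {hashlib.sha256(_NOTEPAD).hexdigest()}

# Constructed indicators and extensions; the weights are illustrative only.
INDICATORS = (b"password", b"BEGIN PGP PRIVATE KEY", b"BitLocker recovery key")
HIGH_INTEREST_EXT = (".asc", ".pem", ".key", ".kdbx", ".pfx")


@dataclass
class Triaged:
    path: str
    sha256: str
    score: int
    verdict: str = "review"      # "known_good" | "duplicate" | "review"


def map_file(item) -> Triaged:
    """Map phase: hash and score one file, independently of every other file."""
    path, data = item
    digest = hashlib.sha256(data).hexdigest()
    score = 10 * sum(data.count(ind) for ind in INDICATORS)
    if path.lower().endswith(HIGH_INTEREST_EXT):
        score += 5
    return Triaged(path, digest, score)


def reduce_results(results, known_good) -> tuple:
    """Reduce phase: drop known-good files, collapse duplicates, rank the rest.

    Returns (ranked review list, verdict counts, audit log). The audit log records
    every decision so the examiner can state which data was and was not examined.
    """
    seen = set()
    audit = []
    for r in results:                       # input order makes deduplication deterministic
        if r.sha256 in known_good:
            r.verdict = "known_good"
        elif r.sha256 in seen:
            r.verdict = "duplicate"
        seen.add(r.sha256)
        audit.append(f"{r.verdict:10s} sha256={r.sha256[:16]}... {r.path}")
    review = sorted((r for r in results if r.verdict == "review"),
                    key=lambda r: (-r.score, r.path))
    return review, Counter(r.verdict for r in results), audit


def triage(files, known_good=KNOWN_GOOD, workers=4) -> tuple:
    """Run the map phase across a thread pool, then reduce."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(map_file, files))   # map preserves input order
    return reduce_results(results, known_good)


if __name__ == "__main__":
    review, counts, audit = triage(SAMPLE_FILES)
    print(dict(counts))
    for r in review:
        print(f"{r.score:3d}  {r.path}")
    print("\n".join(audit))
```

Because `map_file` depends only on its own input, the same function can be handed to a real MapReduce framework or to a cluster of workers without change; only the reduce step needs a global view. The scoring here is deliberately crude: the point is that the examiner reads three files rather than five, in an order that is justified by recorded criteria, and that the two skipped files are named in the audit log together with the reason.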
C. Distributed Processing
Although researchers have investigated Distributed Digital Forensics [30], [47], there is more scope for research in this area. The processing speed of existing tools is insufficient for the average case [13], because users have not defined clear performance requirements and developers have not prioritised performance alongside reliability and accuracy [5], [13]. Roussev et al. [13] suggest a method of data collection that facilitates file-centric processing without disrupting optimal data throughput from the raw device [5]. Their assessment of core forensic processing functions against achievable processing rates demonstrates limits on both desktops and servers.
D. Digital Forensic Data Abstraction
For DFEs and researchers in the field to maintain DF capabilities, research in the field needs to become more effective and better harmonised. Because DFEs often encounter large amounts of complex data, it is of paramount importance that standards for data exchange be created. Furthermore, to enhance DF research, it is vital to adopt standards for case data, data abstractions and "composable models" for DF processing [32]. Five abstractions are broadly used: disk images, packet capture files, files, file signatures and Extracted Named Entities. Because of the absence of standardised data abstractions and formats, researchers are often forced to implement more parts of a system before they can produce initial results, which hinders their progress. New abstractions are therefore needed to represent and compute with large amounts of data. For instance, researchers in the field could consider implementing the following [32], [48]:
- Signature metrics for representing parts of files or whole files,
- File metadata, such as JPEG EXIF information or geographical information,
- File system metadata and the physical location of files in a disk image,
- Application profiles, the Windows Registry or Macintosh plist information related to an application, document signatures, and network traffic signatures,
- User profiles, and
- Internet and social network information associated with the user, e.g. the acquisition of accounts accessed by the user, or the user's Internet "imprint" or "footprint".
E. Digital Forensics as a Service (DFaaS)
Digital Forensics as a Service (DFaaS) is an extension of the
traditional DF process. DFaaS can be used to reduce the backlog
of DF cases. A DFaaS solution can address issues such as storage, automation and the investigators' queries in the cases for which they are responsible. Furthermore, it facilitates efficient resource management, allows DFEs and detectives to query data directly, and enables easier teamwork among DFEs [5], [49]. Although DFaaS already provides multiple benefits, many enhancements can still be made to the existing model in order to accelerate the process [5]; for instance, in DFaaS' functionality, its indexing capabilities and the identification of incriminating evidence during the Collection Phase of a DFI [49]. However, DFaaS is not without drawbacks: one is the latency of the online platform, and another is its dependence on the upload bandwidth available when data acquired in the Collection Phase is transferred to central storage.
F. HPC and Parallel Processing
HPC should be considered as a way to reduce both computation time and the time demanded of users. HPC methods, which exploit parallelism, have not been adequately investigated by researchers in the field of DF. HPC methods and hardware could be used, for example, to accelerate each phase of a Digital Forensic Investigation Process that follows the Collection Stage, i.e. Storage, Examination, Event Reconstruction, and Presentation and Reporting.
G. Development of New Tools
Existing DFI tools are, by design, oriented towards examining a single seized device; they offer only limited ability to examine complex environments such as cloud sources [2], [32]. As a result, many DFI tools are ill-suited to discovering anomalies automatically [2]. One of the key problems to be addressed in future research is therefore the development of new tools and methods that can examine the volume of data and surface potential digital clues for the DFEs to examine further. However, designing and implementing such tools and techniques is a complex task because of the absence of standardisation and the computational requirements involved. Fortunately, DFI can take advantage of cloud computing, for example, to offload the most demanding processes of a DFI, such as log examination, data reduction, indexing and carving.
IV. CONCLUSION
The field of DF is facing various challenges that are often
difficult to overcome. As the new technologies are constantly
being developed, DFEs are presented with numerous challenges
that can have substantial socioeconomic impact on both global
enterprises and individuals [2], [6], [10]. Evidential data is no
longer restricted to a single host but instead spread between
different or virtual locations, including: online social networks,
cloud resources, and personal network–attached storage devices.
Furthermore, advances in technology and propagation of
innovative services have led to a significant rise in the
complexity of DFIs that DFEs must manage [2]. Hence, to
mitigate these challenges, worldwide collaboration among
LEAs, academic institutions and corporates becomes of
paramount importance. Without a clear plan to facilitate research efforts that build on one another, forensic research will lag behind, tools will become outdated, and users of DF products, including law enforcement, will be unable to rely on the results of DF analysis [32]. Thus, the aforementioned entities will need to meet regularly to discuss the future of the discipline and work out how to address the challenging aspects of the field.
Likewise, more skills, tools and time are required to reconstruct
digital evidence in a forensically sound manner. We believe that
the future research directions outlined in this paper can have a
positive impact on further research in the field of DF.
REFERENCES
[1] Montasari, R. (2017a). An Overview of Cloud Forensics Strategy:
Capabilities, Challenges, and Opportunities. In Strategic Engineering for
Cloud Computing and Big Data Analytics, pp. 189-205. Springer, Cham.
[2] Caviglione, L., Wendzel, S. and Mazurczyk, W. (2017). The Future of
Digital Forensics: Challenges and the Road Ahead. IEEE Security &
Privacy, (6), pp.12-17.
[3] Pichan, A., Lazarescu, M. and Soh, S.T. (2015). Cloud forensics:
Technical challenges, solutions and comparative analysis. Digital
Investigation, 13, pp.38-57.
[4] BBC. (2017). ‘Cybercrime and fraud scale revealed in annual figures’.
Available at:
https://www.bbc.co.uk/news/uk-38675683 (Accessed: 21st September
2018).
[5] Lillis, D., Becker, B., O’Sullivan, T. and Scanlon, M. (2016). Current
challenges and future research areas for digital forensic investigation.
arXiv preprint arXiv:1604.03850.
[6] Jang-Jaccard, J. and Nepal, S. (2014). A survey of emerging threats in
cybersecurity. Journal of Computer and System Sciences. 80(5), pp.973-
993.
[7] Ruan, K., Carthy, J., Kechadi, T. and Baggili, I. (2013). Cloud forensics
definitions and critical criteria for cloud forensic capability: An overview
of survey results. Digital Investigation, 10(1), pp.34-43.
[8] Chen, G., Du, Y., Qin, P. and Du, J. (2012). Suggestions to Digital
Forensics in Cloud computing ERA. The 3rd IEEE International
Conference on Network Infrastructure and Digital Content (IC-NIDC),
pp. 540-544.
[9] Ruan, K., Carthy, J., Kechadi, T. and Crosbie, M. (2011). ‘Cloud
Forensics’. International Conference on Digital Forensics, Springer
Berlin Heidelberg, pp. 35-46.
[10] Cameron, L. (2018). ‘Future of Digital Forensics Faces Six Security
Challenges in Fighting Borderless Cybercrime and Dark Web Tools’.
Available at:
https://publications.computer.org/security-and-privacy/tag/dark-web/
(Accessed: 19th September 2018).
[11] Montasari, R. (2016a). The Comprehensive Digital Forensic
Investigation Process Model (CDFIPM) for Digital Forensic Practice,
PhD Thesis.
[12] Montasari, R. (2016b). Formal Two Stage Triage Process Model
(FTSTPM) for Digital Forensic Practice. International Journal of
Computer Science and Security (IJCSS). 10(2), pp.69-87.
[13] Roussev, V., Quates, C. and Martell, R. (2013). Real-time Digital
Forensics and Triage. Digital Investigation, 10(2), pp.158-167.
[14] Raghavan, S. (2013). Digital forensic research: current state of the art.
CSI Transactions on ICT, 1(1), pp.91-114.
[15] Montasari, R. (2018). Testing the Comprehensive Digital Forensic
Investigation Process Model (the CDFIPM). In Technology for Smart
Futures, pp. 303-327. Springer, Cham.
[16] Morioka, E. and Sharbaf, M.S. (2015). Cloud computing: Digital forensic
solutions. The 12th IEEE International Conference on Information
Technology-New Generations (ITNG), pp. 589-594.
[17] Almulla, S., Iraqi, Y. and Jones, A. (2013). Cloud forensics: A research
perspective. The 9th IEEE international conference on Innovations in
information technology (IIT), pp. 66-71.
[18] Simou, S., Kalloniatis, C., Kavakli, E. and Gritzalis, S. (2014). Cloud
forensics solutions: A review. International Conference on Advanced
Information Systems Engineering, pp. 299-309. Springer, Cham.
[19] Grispos, G., Storer, T. and Glisson, W.B. (2012). Calm before the storm:
The challenges of cloud computing in digital forensics. International
Journal of Digital Crime and Forensics (IJDCF), 4(2), pp.28-48.
[20] MacDermott, A., Baker, T. and Shi, Q. (2018). IoT Forensics: Challenges
for The IoA Era. The 9th IEEE IFIP International Conference on New
Technologies, Mobility and Security (NTMS), pp. 1-5.
[21] Taylor, M., Haggerty, J., Gresty, D. and Lamb, D. (2011). Forensic
investigation of cloud computing systems. Network Security, 2011(3),
pp.4-10.
[22] Bojanova, I and Voas, J. (2015). ‘Securing the Internet of Anything
(IoA)’. Available at:
https://www.computer.org/web/computingnow/archive/securing-theinternet-of-anything-november-2015 (Accessed: 20th September 2018).
[23] Kobie, N. (2015). ‘What is the internet of things?’. Available at:
https://www.theguardian.com/technology/2015/may/06/what-is-theinternet-of-things-google
(Accessed: 20th September 2018).
[24] McCallion, J. (2014). ‘Parkinson’s disease to be tracked by wearables’.
Available at:
http://www.alphr.com/news/390259/parkinsons-disease-to-be-trackedby-wearables
(Accessed: 20th September 2018).
[25] ACPO. (2012). ‘ACPO Good Practice Guide ACPO Good Practice Guide
for Digital Evidence’. Available at:
http://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf
(Accessed: 21st September 2018).
[26] Quick, D. and Choo, K.K.R. (2014a). Impacts of increasing volume of
digital forensic data: A survey and future research challenges. Digital
Investigation. 11(4), pp.273-294.
[27] Quick, D. and Choo, K.K.R. (2014b). Data reduction and data mining
framework for digital forensic evidence: storage, intelligence, review and
archive.
[28] Beebe, N. and Clark, J. (2005). Dealing with terabyte data sets in digital
investigations. IFIP International Conference on Digital Forensics, pp. 3-
16. Springer, Boston, MA.
[29] Palmer, G. (2001). A road map for digital forensic research. First Digital
Forensic Research Workshop, pp. 27-30, Utica, New York.
[30] Beebe, N. (2009). Digital forensic research: The good, the bad and the
unaddressed. IFIP International Conference on Digital Forensics, pp. 17-
36. Springer, Berlin, Heidelberg.
[31] Garfinkel, S.L. (2006). Forensic feature extraction and cross-drive
analysis. Digital Investigation, 3, pp.71-81.
[32] Garfinkel, S.L. (2010). Digital forensics research: The next 10 years.
Digital Investigation. 7 (Supplement). pp. S64-S73.
[33] Mislan, R.P., Casey, E. and Kessler, G.C. (2010). The growing need for
on-scene triage of mobile devices. Digital Investigation, 6(3-4), pp.112-
124.
[34] Casey, E., Ferraro, M. and Nguyen, L. (2009). Investigation delayed is
justice denied: proposals for expediting forensic examinations of digital
evidence. Journal of Forensic Sciences, 54(6), pp.1353-1364.
[35] Richard III, G.G. and Roussev, V. (2006). Next-generation digital
forensics. Communications of the ACM, 49(2), pp.76-80.
[36] Roussev, V. and Richard III, G.G. (2004). Breaking the performance wall:
The case for distributed digital forensics. Proceedings of the digital
forensics research workshop, 94, pp. 1-16.
[37] Forensic Focus. (2016). Current Challenges in Digital Forensics.
Available at:
https://articles.forensicfocus.com/2016/05/11/current-challenges-indigital-forensics/
(Accessed: 19th September 2018).
[38] Grispos, G., Glisson, W.B. and Storer, T. (2013). Using smartphones as a
proxy for forensic evidence contained in cloud storage services. The 46th
IEEE Hawaii International Conference on System Sciences (HICSS), pp.
4910-4919.
[39] Casey, E. and Stellatos, G.J. (2008). The impact of full disk encryption
on digital forensics. ACM SIGOPS Operating Systems Review. 42(3),
pp.93-98.
[40] Scanlon, M. (2016). Battling the digital forensic backlog through data
deduplication. The 6th IEEE International Conference on Innovative
Computing Technology (INTECH). pp.10-14.
[41] Sencar, H.T. and Memon, N. (2009). Identification and recovery of JPEG
files with missing fragments. Digital Investigation, 6, pp. S88-S98.
[42] Montasari, R. (2017b). A Standardised Data Acquisition Process Model
for Digital Forensic Investigations. International Journal of Information
and Computer Security, 9(3), pp.229-249.
[43] Montasari, R. (2016c). A Comprehensive Digital Forensic Investigation
Process Model. International Journal of Electronic Security and Digital
Forensics, 8(4), pp.285-302.
[44] Montasari, R., Peltola, P. and Evans, D. (2015). Integrated Computer
Forensics Investigation Process Model (ICFIPM) for Computer Crime
Investigations. International Conference on Global Security, Safety, and
Sustainability, pp. 83-95. Springer, Cham.
[45] Montasari, R. (2016d). An Ad Hoc Detailed Review of Digital Forensic
Investigation Process Models. International Journal of Electronic Security
and Digital Forensics, 8(3), pp.205-223.
[46] Montasari, R. (2016e). Review and Assessment of the Existing Digital
Forensic Investigation Process Models. International Journal of Computer
Applications, 147(7), pp. 1-9.
[47] Garfinkel, S., Farrell, P., Roussev, V. and Dinolt, G. (2009). Bringing
science to digital forensics with standardized forensic corpora. Digital
Investigation, 6, pp. S2-S11.
[48] Garfinkel, S. and Cox, D. (2009). Finding and archiving the internet
footprint. Naval Postgraduate School Monterey CA.
[49] Van Baar, R.B., Van Beek, H.M.A. and van Eijk, E.J. (2014). Digital
Forensics as a Service: A game changer. Digital Investigation, 11, pp.
S54-S62.