Data Acquisition Based Seizure Record Framework For Digital Forensics Investigations

The document discusses a seizure record framework for digital forensics investigations. It begins by providing background on digital forensics and the importance of collecting reliable evidence from crime scenes. The paper then introduces a seizure record framework which involves first copying evidence from digital sources using various forensic techniques and tools. Information about the storage media and chain of custody forms must be noted. The framework aims to collect evidence data in a systematic and standardized format for further analysis and investigation.


Proceedings of the Fifth International Conference on Electronics, Communication and Aerospace Technology (ICECA 2021)

IEEE Xplore Part Number: CFP21J88-ART; ISBN: 978-1-6654-3524-6

Data Acquisition based Seizure Record Framework for Digital Forensics Investigations

Srinivasa Murthy Pedapudi1, Nagalakshmi Vadlamani2
1 Research Scholar, Department of Computer Science, GITAM University, Visakhapatnam, India
2 Research Guide & Professor, Dept. of Computer Science, GITAM University, Visakhapatnam, India
[email protected], [email protected]

2021 5th International Conference on Electronics, Communication and Aerospace Technology (ICECA) | 978-1-6654-3524-6/21/$31.00 ©2021 IEEE | DOI: 10.1109/ICECA52323.2021.9676088

Abstract— In the computer era, various digital devices are used along with networking technology for data communication in a secured manner. But sometimes these systems are misused by attackers. Information security devices and tools with high efficiency are utilized for protecting the communication media and valuable data. In case of any unwanted incidents and security breaches, digital forensics methods and measures are utilized for detecting the type of attacks, the sources of attacks and their purposes. By utilizing information related to security measures and digital forensics evidence with suitable methodologies, digital forensics investigators detect cyber-crimes. It is also necessary to prove the cyber-crimes before the law enforcement department. During this process investigators try to collect different types of information from the digital devices concerned in the cyber-attack. One of the major tasks of the digital investigator is collecting and managing the seizure records from the crime scene. The present paper discusses a seizure record framework for digital forensics investigations.

Keywords— Seizure Records, digital forensics, digital evidences, artifacts.

I. INTRODUCTION

The present network-based communication services are being exploited by cyber attackers to carry out cybercrime activities.[1] With the exploitation of cloud services, these crimes need to be protected against and also investigated for the criminal activity, so that suitable action can be taken against the attackers by presenting suitable evidence before law enforcement departments.

During investigations, digital data acquisition is mainly the copying of data from different electronic sources, and is either static or live data acquisition from the cyber-crime scene. "Search and seizure" is a legal term used to describe a process of the civil and general legal system.[2] Law enforcement begins by searching the assets of a person suspected of committing a crime and seizing any evidence related to it. Seizure planning must be accurate and include details such as the incident details, location details, case details, witness details, etc. Evidence should be understandable and clear when presented by a legal individual.[3] Evidence should be true, and it must be facts. This information must be dependable and complete to prove the case. Digital evidence can be recorded on any computer or its associated digital devices, or transferred digitally through any network or using various electronic devices containing residual data and metadata. Information stored or transmitted through any electronic communication is also considered digital evidence.[4] Identified digital information items are called artifacts, and these must be obtained methodically, following a technical method.[5]

The first responder is the person who first reaches the crime scene and approaches the victim computer system after the incident. The main role of this person is to preserve, consolidate and protect the evidence gathered from the crime scene.[6] He must bring reliable, authorised software and hardware tools for gathering evidence from numerous digital devices. Equipment such as antistatic bags, cable ties, evidence tape/storage, label tags, packing equipment and seizure discs should be taken to the crime scene. Interviews of relevant individuals are also accurately cited. Software tools include X-Ways Forensics, Forensic Toolkit, EnCase, and so on. Likewise, hardware tools include Tableau hardware, Paraben forensic hardware and so on. It is necessary to collect the evidence data in systematic and standard formats for further data analysis and investigation.

II. SEIZURE RECORD FRAMEWORK - DIGITAL FORENSICS

For starting any digital investigation, normally the evidence is first copied using various techniques and tools. Evidence is collected from the identified digital sources by following a systematic investigation plan. It is required to note the information pertaining to the actual storage media, the custodian (chain of custody) forms for the evidence collected together with witnesses, and the proper containers for preserving the media in suitable bags which protect from electrostatic discharge, weather, fire etc.[7] All these should be kept in suitable fire-proof protective safety lockers for safe custody during the digital forensic investigation. Figure 1 demonstrates the Digital Forensics Investigator – Seizure Record Framework.

Figure 1: Digital Forensics Investigator – Seizure Record Framework

III. DIGITAL FORENSICS INVESTIGATOR – SEIZURE RECORD FRAMEWORK METHODOLOGY

System Configuration details: System make, configuration, model, type, point of LAN connectivity, USB, ports, keyboard, mouse, Wi-Fi, graphics/video card, network card, SCSI details, drive details (DVD/Floppy/CD), hard disk make, speed, type, capacity, RAM make, speed, type, support, power, motherboard type, bus type, processor cache memory, speed, make, type, OS version, single OS booting details and so on.[8]


BIOS Configuration: BIOS system date and time, memory levels, memory bank details, CPU type, cache, speed details, graphics/video adapter details, onboard SATA info, USB connection, RAM and ROM details, internal network details, I/O device configurations, boot priority details, boot time details and more.

Crime Scene Photo details: If necessary, the crime scene should be photographed in a way that is systematic and understandable for each location of a device, and should be appropriate for the evidence presented.

Application-wise acquisition details: name of the application, application type, version, installation date, system executed on, online, offline, remote access setup, manufacturer/developer details, and any other data.[9]

Digital devices acquisition details: Device name, type, particulars, power type, AC/DC details, audio/video specifications, operating system, serial number, device dimensions, processor, manufacturer, model and configuration; whether the device is password protected, and password details.

Mobile Devices: Mobile phone type, manufacturer, model, resolution, display, dimensions, size, IMEI number, serial number, battery details, SIM card details, contact details, installed and running applications, memory sizes and free memory, number of SIM cards, network details, and so on.

CD/DVD acquisition details: CD/DVD type, capacity, CD inserted in the drive, make and CD labelling details.

Floppy Disk: Floppy type, capacity, floppy disk inserted in the drive, make, disk labelling details and so on.

Hard disk: Hard disk make, type, model, cylinders, capacity, serial number, jumper settings and so on.

FAX/Printer: FAX/Printer type, make, model, data transfer rate, buffer size, network connectivity, on/off condition, storage, memory, power specifications, connection details.

Flash Drive Acquisition: Flash drive make, type, I/O speed, model, speed, specifications, reason, etc.

Network Acquisition details: Networking devices, connectivity type, IP configurations, VPN system, elements utilised and details.[11]

HUB: Hub make, type, serial number, number of ports, network latency, maximum bandwidth supported, the purpose of the hub, memory, ports occupied, forwarding and sensing mode details, power details, and network connectivity details.

Monitor Details: Monitor make, type, connectivity, resolution, dimensions, size, and port details.

Router details: Router type, make, model, size, connectivity type, modes, ports, buffer memory, VPN tunnels, power requirements, built-in features, network latency, forwarding and sensing mode details, power details, network connectivity details, internal/external utilisation details.

Switch Details: Switch type, make, model, serial number, L2/L3 usage details, size, power details, number of ports, configuration details, intelligent or non-intelligent type, network latency, and maximum bandwidth supported.

Zip/Tape drive: Tape drive type, model, make, size, type of storage and use.

List of seized Evidence Items: Evidence, source, make, type, purpose, labelling and its details.

Evidence Protection: Protection of all evidence gathered from different sources and storage details, the data protection standards and organisational policy followed, and protection details.[12]

Physical safety details: This denotes the overall location/office details, physical entry, access control process and devices in line, lighting, entry processes, physical safety camera positions, critical infrastructure security details, physical security policy adopted, logbook management, in and out process, equipment progress processes.

Place of the case details: The digital forensic investigator originally gathers the data from the crime site. He has to record the computer and associated digital sources, numerous behaviours, photos and IT infrastructure details of the case location.

Evidence protection Details: The gathered proofs are protected as per the digital forensics standards. These need to be stored correctly for further processing and examination.

Image Construction Details: Generally, the gathered evidence is recorded in image formats using various backup and image-copying tools with appropriate hardware elements.

Achievement-wise investigator details: When the case is investigated, a variety of digital resources are acquired by the team of investigators from the crime and crime sites. These are further required to be stored along with the acquiring investigator's details.

Witness Details: For each acquisition, by crime type and site, witness details must be stored. Location, evidence protection, image creation, investigator and witness details are common to all the other data collected. According to the Digital Forensic Investigator framework, it is necessary to refer to these details, and to the proof gathered from others referred to in the seizure record structure.[13]

The process of recovering file information from fragments of scattered data on the disk, which is called carving, is used to identify artifacts from the different types of disks. After being identified from the various sources, the collected evidence is preserved, and the well-documented evidence is analysed and processed for detecting the attack and its sources, which can be presented before law enforcement for suitable action against the attack.[14]

A. ADVANTAGES OF THE SEIZURE RECORD FRAMEWORK

A digital forensics policy provides a systematic approach and suitable auditing procedures. It also gives a good path for detecting evidence to identify the attackers and the sources of attacks, if any. This seizure record framework is useful for the digital forensics investigator for acquiring and handling the seizure data for proper investigation in this field, and can also be utilized for data interpretation and analysis.[15] The major advantage of using the Seizure Record framework is that it provides a significant


methodology for better acquisition of data from different digital sources like network acquisition, flash drives, system configuration etc.

B. DIGITAL FORENSICS TOOLS

Some tools are used in forensic investigations for acquiring the digital proof from the sources.[16] These tools are utilized to:
• Extract and retrieve all main office document types (RTF, PDF, OpenOffice, Microsoft Office)
• Retrieve registration files for the 70+ main instant messengers (Linux, macOS and Windows)
• Retrieve web histories, examine cookies and favourites of all main web browsers
• Retrieve e-mail messages, links and address books of all popular e-mail clients
• Examine social networks and functions in peer-to-peer (P2P) software
• Retrieve the contacts that occur in multiplayer games
• Find pornographic images, faces and embedded text in still images and video files
• Find mobile device back-ups (BlackBerry, iPod and iPhone)

Based on the requirement and availability, suitable tools need to be selected for better results.

IV. CONCLUSION

Organizations need to have a separate, individual digital forensics policy for better cyber forensics investigations. This seizure record framework can be utilized during the digital forensic policy design. This framework helps in collecting evidence in a systematic approach during the first phase of data acquisition and processing.

REFERENCES

[1] Kumar, A., & Malhotra, S. (2015). Network Security Threats and Protection Models. arXiv preprint arXiv:1511.00568.
[2] Hassan, N. A. (2019). Digital Forensics Basics: A Practical Guide Using Windows OS. Apress.
[3] Gupta, M., Barwa, J., Kumath, M., Kharab, V., Gupta, A. and Panwar, M., 2012. Digital Forensics, Hacking and its role in Crime Investigations. Medico-Legal Update, 12(2).
[4] Okereafor, K. and Djehaiche, R., 2020. A Review of Application Challenges of Digital Forensics. International Journal of Simulation Systems Science and Technology, 21(2), pp.35-1.
[5] Grispos, G. and Bastola, K., 2020, July. Cyber autopsies: the integration of digital forensics into medical contexts. In 2020 IEEE 33rd International Symposium on Computer-Based Medical Systems (CBMS) (pp. 510-513). IEEE.
[6] https://evestigate.com/Case_Studies/Case_Study_Prescription_Drug_Diversion_Brand_Protection.pdf
[7] Kortjan, N., & Von Solms, R. (2014). A conceptual framework for cyber-security awareness and education in SA. South African Computer Journal, 52(1), 29-41.
[8] Mutune, G. (2021, May 9). 23 Top Cybersecurity Frameworks. CyberExperts.Com. https://cyberexperts.com/cybersecurity-frameworks/.
[9] Pilli, E. S., Joshi, R. C., & Niyogi, R. (2010). A generic framework for network forensics. International Journal of Computer Applications, 1(11), 1-6.
[10] Dimitriadis, A., Ivezic, N., Kulvatunyou, B. and Mavridis, I., 2020. D4I - Digital forensics framework for reviewing and investigating cyber attacks. Array, 5, p.100015.
[11] Khanuja, H. K. and Adane, D. S., 2012. A framework for database forensic analysis. Computer Science & Engineering: An International Journal (CSEIJ), 2(3), June 2012.
[12] Nortjé, J.G. and Myburgh, D.C., 2019. The search and seizure of digital evidence by forensic investigators in South Africa. Potchefstroom Electronic Law Journal (PELJ), 22(1), pp.1-42.
[13] Casey, E., 2009. Handbook of digital forensics and investigation. Academic Press.
[14] Babun, L., Sikder, A. K., Acar, A., & Uluagac, A. S. (2018). IoTDots: A digital forensics framework for smart environments. arXiv preprint arXiv:1809.00745.
[15] Sikos, L. F. (2020). Packet analysis for network forensics: A comprehensive survey. Forensic Science International: Digital Investigation, 32, 200892.
[16] Ruibin, G., Yun, T., & Gaertner, M. (2005). Case-relevance information investigation: binding computer intelligence to the current computer forensic framework. International Journal of Digital Evidence, 4(1), 1-13.
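As an added illustration of the record structure that sections II and III describe (seized item fields, image construction, evidence protection, witness and custody details), the Python below is example code written for this page, not code from the paper; all class names, field layouts and sample values are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class EvidenceItem:
    # "List of seized Evidence Items" fields (label, source, make, type, purpose),
    # plus the hash of the acquired image and the chain-of-custody trail for this item.
    label: str
    source: str
    make: str
    item_type: str
    purpose: str
    image_sha256: str = ""
    custody: list = field(default_factory=list)

    def log(self, action: str, handler: str, witness: str) -> None:
        # Every handling step is recorded together with a witness, as the paper requires.
        stamp = datetime.now(timezone.utc).isoformat()
        self.custody.append({"time": stamp, "action": action,
                             "handler": handler, "witness": witness})

    def record_image(self, image: bytes, handler: str, witness: str) -> None:
        # "Image Construction Details": fix the image's SHA-256 at acquisition time.
        self.image_sha256 = sha256_hex(image)
        self.log("forensic image created", handler, witness)

    def verify_image(self, image: bytes) -> bool:
        # "Evidence Protection": an altered or substituted image no longer matches.
        return bool(self.image_sha256) and self.image_sha256 == sha256_hex(image)

@dataclass
class SeizureRecord:
    # Case-level fields the paper lists as common to every item: place and investigator.
    case_id: str
    location: str
    investigator: str
    items: list = field(default_factory=list)

    def to_json(self) -> str:
        # The standardized, machine-readable form of the whole seizure record.
        return json.dumps(asdict(self), indent=2)

def build_sample_record():
    # Constructed sample data: a short byte string stands in for a real disk image.
    image = b"CONSTRUCTED-SAMPLE-IMAGE-OF-FLASH-DRIVE-EV-01"
    item = EvidenceItem("EV-01", "suspect workstation, front USB port", "ExampleMake",
                        "flash drive", "suspected exfiltration media")
    item.log("seized, bagged and labelled", "investigator A", "witness B")
    item.record_image(image, "investigator A", "witness B")
    return SeizureRecord("CASE-0001", "Office 12, third floor", "investigator A", [item]), image
```

Calling verify_image() later against the stored image answers the evidence-protection question directly: a single changed byte fails the check.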
