DIGITAL FORENSIC RESEARCH CONFERENCE

The Enhanced Digital Investigation Process Model

By

Venansius Baryamureeba, Florence Tushabe

From the proceedings of

The Digital Forensic Research Conference

DFRWS 2004 USA
Baltimore, MD (Aug 11th - 13th)

DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics
research. Ever since it organized the first open workshop devoted to digital forensics
in 2001, DFRWS continues to bring academics and practitioners together in an
informal environment.
As a non-profit, volunteer organization, DFRWS sponsors technical working groups,
annual conferences and challenges to help drive the direction of research and
development.

http:/dfrws.org
 The Enhanced Digital Investigation Process
Model

Venansius Baryamureeba and Florence Tushabe

[email protected], [email protected]
Institute of Computer Science, Makerere University
P.O.Box 7062, Kampala Uganda
www.makerere.ac.ug/ics

May 27, 2004

Abstract Computer crimes are on the rise and unfortunately less than two percent of
the reported cases result in conviction. The process (methodology and approach) one adopts
in conducting a digital forensics investigation is immensely crucial to the outcome of such
an investigation. Overlooking one step or interchanging any of the steps may lead to incom-
plete or inconclusive results hence wrong interpretations and conclusions. A computer crime
culprit may walk Scot-free or an innocent suspect may suffer negative consequences (both
monetary and otherwise) simply on account of a forensics investigation that was inadequate
or improperly conducted. In this paper, we present a brief overview of forensic models and
propose a new model based on the Integrated Digital Investigation Model.
Keywords Computer Forensics, Crime Scene Investigation, Forensic Process model, Ab-
stract Digital Forensic Model, Integrated Digital Investigation Model.

1 Introduction
Computer forensics emerged in response to the escalation of crimes committed by the use
of computer systems either as an object of crime, an instrument used to commit a crime or
a repository of evidence related to a crime. Computer forensics can be traced back to as
early as 1984 when the FBI laboratory and other law enforcement agencies begun developing
programs to examine computer evidence. Research groups like the Computer Analysis and
Response Team (CART), the Scientific Working Group on Digital Evidence (SWGDE), the
Technical Working Group on Digital Evidence (TWGDE), and the National Institute of
Justice (NIJ) have since been formed in order to discuss the computer forensic science as a

1
discipline including the need for a standardized approach to examinations[2].

Digital forensics has been defined as the use of scientifically derived and proven methods
towards the preservation, collection, validation, identification, analysis, interpretation and
presentation of digital evidence derived from digital sources for the purpose of facilitating
or furthering the reconstruction of events found to be criminal or helping to anticipate
the unauthorized actions shown to be disruptive to planned operations [3]. One important
element of digital forensics is the credibility of the digital evidence. Digital evidence includes
computer evidence, digital audio, digital video, cell phones, digital fax machines etc. The
legal settings desire evidence to have integrity, authenticity, reproductivity, non-interference
and minimization.

Since computer forensics is a relatively new field compared to other forensic disciplines,
which can be traced back to the early 1920s, there are ongoing efforts to develop examination
standards and to provide structure to computer forensic examinations. This paper attempts
to address the methodology of a computer forensic investigation.

2 Previous work
Computer and network forensics methodologies consist of three basic components that Kruse
and Heiser[4] refer to as the three As of computer forensics investigations. These are: acquir-
ing the evidence while ensuring that the integrity is preserved; authenticating the validity of
the extracted data, which involves making sure that it is as valid as the original and analyz-
ing the data while keeping its integrity. Some process models that put the three factors into
consideration include the Forensics Process Model [5], the Abstract Digital Forensics Model
[6] and the Integrated Digital Investigation Model[7].

2.1 The Forensics Process Model

The U.S. Department of Justice published a process model in the Electronic Crime Scene
Investigation: A guide to first responders[5] that consists of four phases: -
1. Collection; which involves the evidence search, evidence recognition, evidence collection
and documentation.
2. Examination; this is designed to facilitate the visibility of evidence, while explaining
its origin and significance. It involves revealing hidden and obscured information and
the relevant documentation.
3. Analysis; this looks at at the product of the examination for its significance and pro-
bative value to the case.
4. Reporting; this entails writing a report outlining the examination process and pertinent
data recovered from the overall investigation.
The analysis phase of this model is improperly defined and ambiguous. It for instance
emerges as an interpretation of the results from the examination phase, and in the process
confuses analysis with interpretation despite these being two distinct processes.

2
2.2 The Abstract Digital Forensics Model
The Abstract Digital Forensics model [6] proposes a standardized digital forensics process
that consists of nine components:
1. Identification; which recognizes an incident from indicators and determines its type.
2. Preparation; which entails the preparation of tools, techniques, search warrants, and
monitoring authorizations and management support.
3. Approach strategy; that develops a procedure to use in order to maximize the collection
of untainted evidence while minimizing the impact to the victim.
4. Preservation; which involves the isolation, securing and preservation of the state of
physical and digital evidence.
5. Collection; that entails the recording of the physical scene and duplicate digital evi-
dence using standardized and accepted procedures.
6. Examination; which involves an in-depth systematic search of evidence relating to the
suspected crime.
7. Analysis; which involves determination of the significance, reconstructing fragments of
data and drawing conclusions based on evidence found.
8. Presentation; that involves the summary and explanation of conclusions.
9. Returning evidence; that ensures physical and digital property is returned to proper
owner.
Although this model is generally a good reflection of the forensic process, it is open to at
least one criticism. Its third phase (the approach strategy) is to an extent a duplication of
its second phase (the preparation phase). This is because at the time of responding to a
notification of the incident, the identification of the appropriate procedure will likely entail
the determination of techniques to be used.

2.3 The Integrated Digital Investigation Model(IDIP)

Brian Carrier and Eugene Spafford [7] proposed yet another model that organizes the process
into five groups consisting all in all 17 phases.

Figure 1: Phases of the IDIP Model

2.3.1 Readiness phases
The goal of this phase is to ensure that the operations and infrastructure are able to fully
support an investigation. It includes two phases:
1. Operations Readiness phase; which ensures that human capacity is fully trained and
equipped to deal with an incident when it occurs.
2. Infrastructure readiness phase; that ensures that the underlying infrastructure is suf-
ficient enough to deal with incidents that come. For example equipment like video
cameras and card readers being there and3 in good working condition.
2.3.2 Deployment phases
The purpose is to provide a mechanism for an incident to be detected and confirmed. It
includes two phases:
1. Detection and Notification phase; where the incident is detected and then appropriate
people notified.
2. Confirmation and Authorization phase; which confirms the incident and obtains au-
thorization for legal approval to carry out a search warrant.
2.3.3 Physical Crime Scene Investigation phases
The goal of these phases is to collect and analyze the physical evidence and reconstruct the
actions that took place during the incident. It includes six phases:-
1. Preservation phase; which seeks to preserve the crime scene so that evidence can be
later identified and collected by personnel trained in digital evidence identification.
2. Survey phase; that requires an investigator to walk through the physical crime scene
and identify pieces of physical evidence.
3. Documentation phase; which involves taking photographs, sketches, and videos of the
crime scene and the physical evidence. The goal is to capture as much information as
possible so that the layout and important details of the crime scene are preserved and
recorded.
4. Search and collection phase; that entails an in-depth search and collection of the scene
is performed so that additional physical evidence is identified and hence paving way
for a digital crime investigation to begin.
5. Reconstruction phase; which involves organizing the results from the analysis done and
using them to develop a theory for the incident.
6. Presentation phase; that presents the physical and digital evidence to a court or cor-
porate management.

2.3.4 Digital Crime Scene Investigation phases

The goal is to collect and analyze the digital evidence that was obtained from the physical
investigation phase and through any other future means. It includes similar phases as the
Physical Investigation phases, although the primary focus is on the digital evidence. The six
phases are:-
1. Preservation phase; which preserves the digital crime scene so that evidence can later
be synchronized and analysed for further evidence.
2. Survey phase; whereby the investigator transfers the relevant data from a venue out of
physical or administrative control of the investigator to a controlled location.
3. Documentation phase; which involves properly documenting the digital evidence when
it is found. This information is helpful in the presentation phase.
4. Search and collection phase; whereby an in-depth analysis of the digital evidence is
performed. Software tools are used to reveal hidden, deleted, swapped and corrupted
files that were used including the dates, duration, log file etc. Low-level timelining is
performed to trace a user’s activities and identity.

4
 5. Reconstruction phase; which includes putting the pieces of a digital puzzle together,
and developing investigative hypotheses.
6. Presentation phase; that involves presenting the digital evidence that was found to the
physical investigative team.

2.3.5 Review phase

This entails a review of the whole investigation and identifies areas of improvement.

The IDIP model does well at illustrating the forensic process, and also conforms to the
cyber terrorism capabilities [8] which require a digital investigation to address issues of data
protection, data acquisition, imaging, extraction, interrogation, ingestion/normalisation,
analysis and reporting. It also highlights the reconstruction of the events that led to the
incident and emphasizes reviewing the whole task, hence ultimately building a mechanism
for quicker forensic examinations.

However, the IDIP model is open to some criticisms. First, despite encompassing all
the earlier models, there is reason to question the IDIP model’s practicality. It for instance
depicts the deployment phase which consists of confirmation of the incident as being indepen-
dent of the physical and digital investigation phase. In practice however, it seems impossible
to confirm a digital or computer crime unless and until some preliminary physical and digital
investigation is carried out. Secondly, it does not offer sufficient specificity and does not, for
instance, draw a clear distinction between investigations at the victim’s (secondary crime)
scene and those at the suspect’s (primary crime) scene. Neither does it reflect the process
of arriving at the latter. Since a computer can be used both as a tool and as a victim [9] , it
is common for investigations to be carried out at both ends so that accurate reflections are
made. Henry Lee [10] defines the primary crime scene as the place where the first criminal
act occurred. The process of tracing back to it can be challenging when dealing with larger
networks and in particular, the Internet [9].

3 The Proposed Model

3.1 Definitions
3.1.1 Physical crime scene investigation
This is the investigation that takes place at the physical crime scene. A physical crime scene is
defined as the physical environment where physical evidence of a crime or incident exists[7].
Building from [7, 11] discussions, we propose that the physical crime scene investigation
includes five phases:-
1. Preservation phase; which preserves the crime scene so that evidence can be later
identified and collected by personnel trained in digital evidence identification. It would
consist of securing and protecting the crime scene while identifying, removing and
separating the witnesses from the scene.
2. Survey phase; whereby an investigator walks through the physical crime scene, iden-
tifies the pieces of physical evidence, determines the extent of the search, develops a
preliminary theory, identifies potential evidence and documents a narrative.
5
 3. Documentation phase; which would involve taking photographs, sketches, and videos of
the crime scene and the physical evidence. The goal is to capture as much information
as possible so that the layout and important details of the crime scene are preserved
and recorded.
4. Search and collection phase; is when an in-depth search and collection of the scene is
performed so that additional potential physical evidence is identified and hence paving
way for a digital crime investigation to begin.
5. Presentation phase; where the identified electronic evidence is transported and deliv-
ered to the digital investigation team.
3.1.2 Digital crime scene investigation
This is the investigation that will be made to the digital crime scene. The digital crime scene
has been defined as the virtual environment created by software and hardware where digital
evidence of a crime or incident exists [7]. Building from [7, 11] discussions, we propose that
the digital crime scene investigation includes four processes:-
1. Preservation phase; which preserves the digital crime scene so that evidence can be
later synchronized and analysed for further evidence. Duplication of evidence (creation
of bit-by-bit copies of the seized data) should be performed for use in multiple analysis.
2. Survey phase; whereby the investigator identifies and separates potentially useful data
from the imaged dataset; forexample the recovery of damaged, hidden, deleted, or
manipulated data.
3. Search and collection phase; whereby an in-depth analysis of the digital evidence is
performed. Software tools are used to reveal hidden, deleted, swapped and corrupted
data. Fusion, correlation, graphing, mapping and timelinning of data or files that were
used is performed while various investigative hypotheses are developed.
4. Documentation phase; involves properly documenting the digital evidence when it is
found. This information is helpful in the presentation phase.

3.2 PHASES OF THE EIDIP MODEL

The proposed EIDIP model consists of five major phases:-

Figure 2: Phases of the EIDIP Model

6
3.2.1 Readiness phases
These phases are described in Sub-section 2.3.1 on page 3.
3.2.2 Deployment phases
The deployment phases provide a mechanism for an incident to be detected and confirmed.
They take place at the place where the crime was detected and consist of five phases:-
1. Detection and Notification phase; when an incident is detected and the appropriate
people notified.
2. Physical Crime Scene Investigation; when a physical examination of the scene is per-
formed and potential digital evidence identifified.
3. Digital crime scene investigation phase; when an electronic examination of the scene
is performed and digital evidence obtained with possibly an estimation of the extent
of the impact or damage.
4. Confirmation phase; when the incident is confirmed and authorization given to obtain
legal approval to carry out a search warrant and further investigations at suspect
premises.
5. Submission phase; which involves presenting the physical and digital evidence to legal
entities or corporate management.
3.2.3 Traceback phases
Within these phases, the perpetrator’s physical crime scene of operation is tracked down
leading to identification of the devices that were used to perform the act. They consist of:-
1. Digital crime scene investigation; whereby primary crime scene is traced from the
clues obtained from the previous phases. Forexample acquiring public and private
IP addresses and mapping them to the country and instituion will eventually lead
to the host computer. IP addresses can be easily obtained by using the following
commands: ping, nslookup, dig, tracert from a DNS server[12]. Locating the country
and institution is simplified by various tools and websites like ip-to-location.com and
whatismyipaddress.net[13, 14].
2. Authorization phase; when authorization from local legal entities is obtained to permit
further investigations and access to more information.
3.2.4 Dynamite phases
These phases investigate the primary crime scene.They aim at collecting and analysing the
items that were found at the primary crime scene to obtain further evidence that the crime
originated from there and they help identify the potential culprits. They would consist of:-
1. Physical Crime Scene Investigation phase; when a physical examination of the scene is
carried out to identify potential digital evidence.
2. Digital crime scene investigation phase; when an electronic examination of the scene
is performed to obtain digital evidence of the incident and possibly an estimation of
the time and dates when the incident was launched.
3. Reconstruction phase; that includes putting the pieces of a digital puzzle together and
identifying the most likely investigative hypotheses.
4. Communication phase; which involves presenting the final interpretations and conclu-
sions about the physical and digital evidence that has been investigated to a court or
corporate management.
7
3.2.5 Review phase
The whole investigation is reviewed and areas of improvement identified.

4 MODEL DISCUSSION
The Enhanced Digital Investigation model (EIDIP) separates the investigations at the pri-
mary and secondary crime scenes while depicting the phases as iterative instead of linear. It
is based on the IDIP model and expands the deployment phase in the IDIP model to include
the physical and digital crime investigations while introducing a new phase dedicated to
tracing back to the computer(the primary crime scene) that was used as a tool to commit
the offense. In this proposed model the reconstruction is only made after all investigations
have taken place instead of having two reconstructions which might be inconsistent.

5 CONCLUSION
The Enhanced Integrated Digital Investigation Process (EIDIP) model is an enhanced version
of the Integrated Digital Investigation Process Model and seeks to redefine the forensic
process and its progression. It describes the development right from the point when the
initial infrastructure is put in place, to investigations when the incident is reported, through
the traceback phases that would lead to the point where the crime was committed and finally
to the ultimate investigations that would lead to conclusive interpretations of the evidence
collected. Thus EIDIP model is suitable for cyber crime investigations.

References
[1] InterGOV International(2002). International Web statistics report 2002.
http://www.intergov.org/public information/general information/latest web stats.html.
[2] Michael Noblett, Mark.M.Pollitt and Lawrence Presley. (2000) Recovering and Ex-
amining Computer Forensic Evidence, Forensic Science Communications, Volume
2, Number 4.
[3] Gary L Palmer.(2001). A Road Map for Digital Forensic Research. Technical Re-
port DTR-T0010-01, DFRWS. Report for the First Digital Forensic Research Workshop
(DFRWS).
[4] Kruse II, Warren and Jay, G. Heiser (2002) Computer Forensics: Incident Re-
sponse Essentials. Addison-Wesley.
[5] National Institute of Justice.(July 2001) Electronic Crime Scene Investigation A
Guide for First Responders. http://www.ncjrs.org/pdffiles1/nij/187736.pdf.
[6] Mark Reith, Clint Carr and Gregg Gunsch.(2002)An Examination of Digital Foren-
sic Models International Journal of Digital Evidence, Fall 2002,Volume 1, Issue 3.
[7] Brian Carrier and Eugene H Spafford,(2003) Getting Physical with the Investiga-
tive Process International Journal of Digital Evidence.Fall 2003,Volume 2, Issue 2.
[8] National Institute of Justice. (2002).Results from Tools and Technology Working
Group, Governors Summit on Cybercrime and Cyberterrorism, Princeton NJ.

8
 [9] Joseph Migga Kizza. (2003) Ethical and Social Issues in the Information
Age,Second Edition, Springer .
[10] Henry Lee, Timothy Palmbach, and Marilyn Miller(2001)Henry Lee’s Crime Scene
Handbook, Academic Press.
[11] Criminal Justice Academy notes available at http://scdps.org/cja/csr-csmgmt.htm.
[12] Michael Pastore,(2003),Security + Study Guide,SYBEX Inc
[13] http://www.ip-tp-location.com
[14] http://whatismyipaddress.net.