International Journal of Computer Science and Information Security (IJCSIS),

Vol. 14, No. 11, November 2016

Analysis of Digital Forensic Investigation Models

Sara Sarwar Mir
Department of Computer Science
University of Gujrat
[email protected]

Umar Shoaib
Department of Computer Science
University of Gujrat
[email protected]

Muhammad Shahzad Sarfraz

Department of Computer Science
University of Gujrat
[email protected]

Abstract— Digital Forensic investigation is an emerging Keywords—CART, DFI, NIJ, EEDI, IDIP, SDFIM, IDFPM,
technology, which is originated from the frequent use of GCFIM
computers and digital storage devices by criminals. All the
organizations are now extensively relying on the digital I. INTRODUCTION
media to store the information. Most of the information is
being produced, processed, stored and exchanged using Digital Forensic Investigation (DFI) is a recent
digital media. With the growing ratio for the usage of digital emerging research field which has originated from
media, the computer crimes and frauds are also growing. frequent use of computers and storage devices by
The growing fraud and security threats presented many criminals [1]. It consists of different phases like
challenges to the law enforcement organizations. identifying, preserving, analyzing and presenting digital
Digital forensics is concerned with the production, evidence in a manner that is legally acceptable [2]. Cloud
storage and use of a computer. It also relates with the
applications are facing many challenges [3] i.e. data to be
investigation and court proceedings evidence. Digital
forensics Investigation needs a framework for rapidly analyzed, encryption of data. Five percent increase in the
growing technology Forensic examiners are dealing with in the use of unique mobile devices with different
criminals in the application of digital technologies especially operating and storage systems, 21 percent increase in users
mobile devices and social media. They need the development storing data via Internet enabled applications and 12
of a proper methodology to search analytically digital percent increase in social media to store and broadcast
devices for significant evidence. So there is a need of information comprise these challenges [35]. Technology is
security mechanism to detect computer frauds. For this frequently using digital media such as laptops, notebooks
purpose Digital Forensic Investigation Models help to and smartphones. With the increasing usage of digital
investigate digital crimes in a proper manner through media, the computer crimes and frauds have accelerated
different processes.
up to 69 percent in the last five years as per latest survey
For many years, digital forensics was performed
mainly by government agencies, but in recent years it has by the cyber-attack statistics [4]. Federal Bureau of
become common in the commercial sector. Many customized Investigation (FBI) formed Investigation teams like
programs and patented software provide final professional Computer Analysis and Response Team (CART), the
analysis for both private and public sectors. This paper Working Group Scientific Evidence Digital, Council of
presents an overview of existing digital forensic investigation Laboratory Accreditation and the National Institute of
models .The paper addresses problems in the models to Justice (NIJ), to discuss digital forensics as a discipline,
highlight their loopholes and provides a new solution with including the need for a standardized method to investigate
enhancement by eliminating the discrepancies of existing cyber-crimes [2].
digital forensic investigation models.

292 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

It is very important to understand the digital cell phones, memory cards PDAs are also utilized for this
forensic investigation models currently in practice for the purpose.
sake of active research. The crime can be successfully
traced by teams formed by FBI with the events identifying
the perpetrators involved [11]. In this paper, different existing models for digital
forensic investigation are discussed. The paper is
Digital Forensics can be defined as the structured into five sections. First section includes the
investigation of a crime as an object, or as evidence Introduction of Digital Forensic Investigation. This section
through a computer system [3]. An important element of is followed by background and some of the related work
digital forensics is the credibility of digital evidence. that has been done previously on the forensic
Digital evidence including digital audio, digital video, cell investigations. Section II is the discussion upon developed
phones, fax machines and other legal digital sets have the Digital Forensic Investigation Process models that have
integrity, authenticity, reproducibility and mutual non- been developed till today. Section III describes the
interference [10] . common DFI model and existing Digital Forensic
Investigation Models and their comparison. Section IV
Digital forensic analysis requires digital evidence presents the new proposed model and its comparison with
like physical forensic analysis has physical evidence. existing models. Section V narrates the conclusion of all
Digital evidence is any sustaining information stored or the discussion and research that has been carried out in this
transmitted in binary or in digital form. Digital forensic Research Work.
investigation models create digital evidence via different
phases in models. Digital forensic process has a wide II. BACKGROUND
range of possible data. Files can be stored on a computer
hard drive and evidential data may be temporarily found in The first initial process was proposed in 1995 [12], in
the RAM [4]. On the other hand, the basic forensic which four step processes was introduced to store the
principles and processes are applicable in a cloud evidence so that it may be used later. A different approach
environment [6]. It is identified that law enforcement was used having the secure stage and isolate stage to get
agencies need to access data stored in the cloud [7]. the evidence. This research was limited to UNIX forensic
[14]. Mandia and Prosise extended the research which was
The augmented ratios in modern crimes are not limited to UNIX platform as it facilitated windows
becoming harder to detect [8]. Technology is playing a platform as well [9].
vital role in security breaching incidents [9]. Different
methodologies for digital forensic investigation have been An abstract model was prepared for all types of
developed in the last few years. Scope for potential electronic and digital devices but was not clearly defined
evidence has been wide enough that it is not limited to by the authors [12]. Enhanced Digital Investigation
some machines. It has been spread over the networks with Process Model was proposed consisting of seven phases
high storage capacity [8].So it is not simple to estimate namely Identification, preservation, collection,
digital evidence on a large network. There is a need of examination, analysis, presentation and decision [17]
such DFI model that fulfils requirements to collect Stephenson proposed a model named End to End
evidence of big datasets. Digital Investigation Process [36]. This research was
basically focused on analysis process and this model was
Digital forensics uses the identification, preservation, suitable for large scale networks. Ranveet proposed a new
collection, verification, analysis, interpretation and Integrated Digital Investigation Model consists of
effective method of digital evidence from a digital source. Operation Readiness Phase and Infrastructure Readiness
It promotes and facilitates the reconstruction of the object phase [20].
of the documents and presentations of scientific evidence
considered crime [14]. The term includes a wide range of Rowlingson pointed out that company’s policy can
digital forensics team activity. Digital forensic experts improve Computer and network forensics [21]. In
defeat crimes not simply through the use of computers but addition, he made six Category Directives (Retaining

293 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

Information, Planning the Response, Training, In this paper we have selected fifteen models
Accelerating the Investigation, Preventing Anonymous which are currently widely adopted by most of the
Activities, Protecting the Evidence) to help enterprises to enterprises. These models are presented with their
account security attacks by improving their ability for shortcomings in the next section.
conducting DFI.. These Directives are designed to help
prevent computer crime. Fariha and Rabail presented III. EXISTING DIGITAL FORENSIC
Comparative analysis of different digital forensic INEVSTIGATION MODELS
investigation models [15] in which they concluded that
Systematic Digital Forensic Investigation Model This section presents the common phases of DFI
(SRDFIM) is the best among all the models they selected Model. The section also addresses the pros and cons of
for comparison. Because SRDFIM includes the phase existing DFI models. Each model has its own
Communication Shield which makes the process secure. importance according to the frame work being used.
Nehra and Chetna provided an insight view of DFI Models Furthermore the comparison of these models is
with the measurements to control and handle digital crimes presented.
in their country [33]. Khuram Mushtaque stressed the
importance of different security elements in the favor of Digital Forensic Investigation Model consists of
Digital Forensic Investigation [13].He addressed these several common processes. Figure 1 shows the major
elements on the basis of the survey of large enterprises stages of forensic model. The first stage as shown in the
who actually did not have Information Technology figure 1 is to Save/Freeze the crime scene, which is
professionals having knowledge of this domain. collected by the prevention of any activity or to prevent
damage to digital information. This stage checks the
A model named New Approach of Digital collection process through the computer and prevents the
Forensic Model for Digital Forensic Investigation use of computer by others to enable the investigation team
(NADFMDFI) has four tiers for investigation processes to choose the safest way to collect the required
[29]. All levels have different steps including the information. The second stage is the collection phase. It
identification, collection, examination and presentation may include relevant figures from the survey in the
tiers. The weakness of this model is that it is not tested on discovery and gathering information. The next stage is the
any of the cases related to forensic investigation and just examination phase. It consists of the relevant facts which
based on the given hypotheses and generalization of the are being investigated through systematic search for
model is not clear as well. evidences. These evidences may include the log files, data
files and time stamp. The analysis phase is designed to
Integrated Digital Forensic Process Model (IDFPM) find conclusions based on the evidences collected form
model was proposed [31]. It was progressive after examination stage. Last stage is the reporting phase to
considering different forensic investigation process write a report with the review process and restore data
models. The shortcoming of IDFPM was it could not be from the entire survey.
advantageous to all type of investigations.

Figure.1 Common Digital Forensic Investigation Model

294 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

i. Enhanced Digital Investigation Process model is that sub-phases are objective based rather than
activity based.
Baryamureeba, V., & Tushabe, F actually modified
the Integrated Digital Investigation Process (IDIP) [14] iv. An Event Based Digital Forensics
which was developed in 2003 [17]. They basically Investigation Framework
differentiated the investigation into two categories i-e
primary and secondary. They added “Trace Back Phase Event Based Digital Forensics Investigation
and Dynamite Phase”. The phases were separated to Framework was designed and proposed [21]. It was based
remove contradictions which exist in the investigation on the events having Readiness phase, Deployment phase
phases. This model is limited to computer-fraud Physical Crime Scene Investigation, Digital Crime Scene
investigation. Investigation phase and Presentation Phase. However, this
framework was flexible for the requirement of each phase
but did not augur well for investigations [7].

Figure: 2 Enhanced Digital Investigation Processing Model

ii. Extended Model of Cyber Crime

Investigation

Ciardhuain gave the different steps from the starting of

the crime investigation till the end [19]. Phases that were
defined in the model were awareness, authorization,
Figure: 3 An Event Based Digital Forensics Investigation Framework
planning, notification, Search and Identify Collection,
transport, storage, examination, hypotheses, presentation, v. Case Relevance Information Investigation
proofs, defense and dissemination. The model actually
captures all the information flow. This model is In 2005 three concepts including seek knowledge,
comprehensive in different aspects including evidence case-relevance and knowledge reuse were used in
process but was only focused on management processes investigation process [20]. Seek knowledge is used in
and requires the information about legal investigators to having the analysis of data. But it’s a high level concept
record step by step activities which is hard to find. and is not easily understandable.

iii. A Hierarchical Objectives Based vi. Visual Forensic Techniques and

Framework for the Digital Investigations Processes
Process
Erbacher, Sunderburg and Christensen used the visual
Beebe and Clark introduced a multi-tiered architecture forensic techniques for investigation [37]. This framework
instead of a single one [18]. First tier includes the phases includes the Data Duplication Phase, Data Imaging, Text
of incident response, presentation, incident closure, data Based Analysis, Visualization Based Analysis, Analysis
analysis and data collection. The second tier had survey, Validation, Legal Presentation and Legal results. The
extract and examine phase. In this model, each phase is drawback of this framework is that it’s a case specific
divided into multiple sub-phases. The limitation of this model and suitable for large scale datasets.

295 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

Figure: 4 Visual Forensic Techniques and Processes

properly mapped into computer forensics using the
vii. Framework For a Digital Forensic proposed framework but limitation of this model is that it
Investigation requires full scale forensic investigation analysis.

Kohn gave a framework with only three basic phases x. Digital Forensic Model based on
namely preparation, investigation and presentation [22]. It Malaysian Investigation Process
was most likely the framework, which was discussed in
[8]. In this process data has to be collected from any type Perumal suggested a model having the steps of
of media and then have to be examined in any machine planning, analysis, Defense and Archive storage [26]. The
readable format. After analysis phase the report has to be model deals with data acquisition process and fragile
generated. The data loss is expected in this model if the evidence. In this framework an emphasis was carried out
type of media is not reliable. on live data acquisition and static data acquisition. But this
model does not include collection, examination and
viii. Computer Forensics Field Triage Process presentation phase which can make it more suitable for
Model digital forensic investigation process.

The process model discussed was a bit unusual from xi. Towards a Science of Digital Forensic
previous ones as it did not require the suspected system to Evidence Examination
take to the laboratory [24]. However, it has to be examined
in the field. The phases in this process model include Cohen focused on the examination phase of evidence
planning, Triage, User Usage Profile, Chronology [27]. This model has seven phases thus leads to the better
Timeline, Internet and Case Specific. The disadvantage of implementation of the process model but the generality of
this model is that without forensic experts, examination the model is not clearly explained and not suitable for all
cannot be done in the field directly. aspects of digital forensic investigation process.

ix. A Common Process Model for Incident xii. The Systemic Digital Forensic
Response and Computer Forensics Investigation Model SRDFIM

Freiling and Schwittay proposed a new model and it Agarwal proposed a model with 11 phases [28]. The
was unique in the case that they combined the two model consists of exploratory tests and has structured
concepts including Incident Response and Computer framework. A systematic approach was used to develop
Forensics [25]. All investigation steps were combined in the phases that can be used in Cybercrimes and Computer
three phases that are Pre-Analysis, Analysis and Post frauds. It was however the drawback that it was limited to
Analysis. In this process model Incident Response is such kinds of cases.

296 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

xiii. A New Approach For Digital Forensic

Investigation
xiv. Harmonized Digital Forensic
Chris, David and Ademu suggested a new approach Investigation Process Model
having four tiers for investigation processes [29]. All tiers
have different steps including the identification, collection, Valjarevic, A., & Venter identified the need of
examination and presentation tiers. The model is well harmonizing previously defined models [30]. They
structured and consistent for the development of digital introduced the term “parallel Actions” for the presentation
forensic investigation process. The flaw in this model is of new methods. Parallel actions are basically defined
that it is not tested on forensic investigation cases and is rules that must be followed which mean that evidence’s
based on the given hypotheses. integrity must be preserved and transformed into actions.
It had twelve phases including potential Evidence,
transportation of potential evidence, presentation and
reports having conclusions. This is model is iterative and
multi-tiered. The major drawback for this framework is
that it is not tested and thus its accuracy is in doubt.

xv. Integrated Digital Forensic Process

Model

Integrated Digital Forensic Process Model (IDFPM)

model was suggested in [31]. It was developed after
considering different forensic investigation process
models. The disadvantage of IDFPM was it cannot be
Figure: 5 A New Approach For Digital Forensic Investigation applied to all type of investigations.

Figure: 6 Integrated Digital Forensic Process Model

IV. PROPOSED MODEL process and do not take care of all the cyber-crime
investigation aspects.
This section provides the description about the new
model developed for digital forensic investigation which Perumal’s [26] model deals with the data acquisition
addresses the flaws of existing models which are being process and fragile evidence. In data acquisition process,
highlighted in the previous sections. The Proposed model the evidence can be gathered statically and live as well. On
is mainly based on the Perumal [26] and Cohen’s [27] the other hand, Cohen’s [27] model is focused on
models. It is developed by the combination of these two examination process. Our proposed model has wider scope
models in order to improve digital forensic investigation and range as compared to existing models. This model
process and achieve the better result from this process. covers three aspects of digital forensic investigation
Most of the existing digital forensic investigation models process namely data acquisition, fragile evidence and
have limited scope and cover only its digital evidence examination, unlike other existing models which deal with

297 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

one aspect and cover one perspective at a time. By phases our proposed model is not limited to data
combining the phases, this proposed model would be more acquisition. It is also focusing on collection phase and
secure and time effective and will improve the digital result and presentation phase. Although this model is not
forensic investigation process. The phases in the proposed checked for real time investigations, it may work well in
model are shown in Figure 7. By adding different new all types of digital forensic investigations.

Figure.7 Proposed Model for Digital Forensic Investigation

298 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

Table I. Comparison of Existing Digital Forensic Investigation Models

Table 1 presents the comparison of existing Digital comparison of existing models with our proposed
Forensic Investigation Models. Models are given model.
numbering system for i to xv that have been explained in
the previous section.The model VI contains only three Table 2. Comparison of Proposed Model
parameters given in the table which shows that model VI
is the weakest model of this research. On the other hand
model xv is the best model among all on the basis of study
conducted in this research. This model covers most of the
characteristics shown in the table. All the models covered
in this research work only focus on one or two aspects of
digital forensic investigation process. Our proposed model
overcomes the weaknesses of these models and provides a
better design of digital forensic investigation model with
focus on data acquisition, fragile evidence and
examination process.

i. Comparison of Proposed Model with Existing

Models

Table 2 presents the comparison of our proposed

model with respect to eleven factors listed in the table.
The proposed model contains the nine of the factors
given in the table while table 1 showed that the IDFI
model had 8 factors among them. The comparison
shows that our proposed model is best among all
existing model selected in this research and provides
enhanced solution to improve DFI process. We have
also displayed a graph in figure 8 which shows the

299 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

Figure. 8 Comparison of Proposed Model with Existing Models

V. CONCLUSION

Digital forensics Investigation needs a framework REFERENCE

for rapidly growing technology. In this research, fifteen
Digital Forensic Investigation Models have been reviewed. 1. Mell, P & Grance, T (2011), 'The Nist Definition of Cloud
Computing: Recommendations of the National Institute',
The comparison of these models indicates that our
NIST Special Publication 800-145.
proposed Model is best among these ones, as it eliminates
the duplicating phases from different Digital Forensic 2. McKemmish, R (1999), 'What Is Forensic Computing?',
Process Models and focuses on three aspects namely Trends and Issues in Crime and Criminal Justice, Australian
Institute of Criminology, vol. 118, pp. 1-6.
examination, data acquisition and fragile evidence at one
platform. 3. Ravneet Kaur, Amandeep Kaur, “Digital Forensics”,
International Journal of Computer Applications ( IJCA)` , vol
On the basis the study conducted, a new Digital 50, pp.5-9 July 2012
Forensic Investigation Model having ten phases has been 4. http://www.hackmageddon.com/category/security/cyber-
attacks-statistics/
proposed which will not only improve digital forensic
investigation process but also addresses the shortcomings 5. Reilly, D, Wren, C & Berry, T (2011), 'Cloud Computing:
of existing models. Harmonized DFI model introduced Pros and Cons for Computer Forensic Investigations',
some rules that must be followed in the model but the International Journal of Multimedia and Image Processing
(IJMIP), vol. 1, pp. 26-34
model is not accurate. Visual Forensic Techniques and
Processes developed by Erbacher is suitable for large scale 6. Guo, H., Jin, B., & Shang, T. (2012, August). Forensic
data sets but a case specific model. Our proposed model investigations in cloud environments. In Computer Science
and Information Processing (CSIP), 2012 International
contains the nine factors among eleven listed in table 2. Conference on (pp. 248-251). IEEE.
This research actually focuses on existing Digital Forensic
Investigation Models with their pros and cons and strongly 7. Mason, S & George, E (2011), 'Digital Evidence and
‘Cloud’computing', Computer Law & Security Review, vol.
suggests that these models receive further research work
27, no. 5, pp. 524-528.
through the growing technology.
8. Den Hengst, M., & Warnier, M. (2013, August). Cyber Crime
in Privately Held Information Systems: Personal Data at
Stake. In Intelligence and Security Informatics Conference
(EISIC), 2013 European (pp. 117-120). IEEE.

300 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

9. Mandia, Kevin. Incident response: investigating computer 24. Rogers, M. K., Goldman, J., Mislan, R., Wedge, T., &
crime. McGraw-Hill Professional, 2001. Debrota, S. (2006, January). Computer forensics field triage
process model. In Proceedings of the conference on Digital
10. Shrivastava, G., Sharma, K., & Dwivedi, A. (2012). Forensic Forensics, Security and Law (p. 27). Association of Digital
Computing Models: Technical Overview. CCSEA, SEA, Forensics, Security and Law.
CLOUD, DKMP, CS & IT, 5, 207-216. 25. Freiling F, Schwittay B, “ A common Process Model for
11. Agarwal, Ritu, and Suvarna Kothari. "Review of Digital Incident Response and Computer Forensics”, Conference on
Forensic Investigation ." Information Science and IT Incident Management and IT forensics, 2007.
Applications. Springer Berlin Heidelberg, 2015. 561-571.
26. Perumal, Sundresan. "Digital forensic model based on
12. Pollitt, M. (1995, October). Computer forensics: An approach Malaysian investigation process." International Journal of
to evidence in cyberspace. In Proceedings of the National Computer Science and Network Security 9.8 (2009): 38-44.
Information Systems Security Conference (Vol. 2, pp. 487-
491).. 27. Cohen, F. (2010, January). Toward a science of digital
forensic evidence examination. In IFIP International
Conference on Digital Forensics (pp. 17-35). Springer Berlin
13. Khuram Mushtaque Kamran Ahsan, Ahmer Umer “DIGITAL Heidelberg.
FORENSIC INVESTIGATION MODELS: AN 28. Agarwal, Ankit, et al. "Systematic digital forensic
EVOLUTION STUDY” Journal of Information Systems and investigation model."International Journal of Computer
Technology Management Vol. 12, No. 2, May/Aug., 2015 pp. Science and Security (IJCSS) 5.1 (2011): 118-131.
233-244 29. Ademu, Inikpi O., Chris O. Imafidon, and David S. Preston.
"A new approach of digital forensic model for digital forensic
14. Nikkel, B. the role of digital forensic with a corporate investigation." Int. J. Adv. Comput. Sci. Appl 2.12 (2011):
organization 175-178.
Available(online):www.digitalforensics.ch/nikkel/06a.pdf
Accessed on 25th February 2010 30. Valjarevic, A., & Venter, H. S. (2012, August). Harmonised
digital forensic investigation process model. In 2012
15. Fakeeha Jafari, Rabail shafique, “Comparative analysis of
Information Security for South Africa(pp. 1-10). IEEE.
Digital Forensic Models”, Journal of Advances in Computer
Networks, Vol. 3, No. 1, March 2015 pp.82-86 31. Kohn, Michael Donovan, Mariki M. Eloff, and Jan HP Eloff.
"Integrated digital forensic process model." Computers &
16. Digital forensics research Workshop,” A roadmap for digital
Security 38 (2013): 103-115.
forensics research” 2001.
32. Daryabar, Farid, Ali Dehghantanha, and Nur Izura Udzir. "A
17. Baryamureeba, V., & Tushabe, F. (2004, August). The review on impacts of cloud computing on digital
enhanced digital investigation process model. In Proceedings forensics." International Journal of Cyber-Security and
of the Fourth Digital Forensic Research Workshop (pp. 1-9).. Digital Forensics (IJCSDF) 2.2 (2013): 77-94..
18. Beebe, Nicole Lang, and Jan Guynes Clark. "A hierarchical, 33. Kishore, N., C. Gupta, and D. Dawar. "An insight view of
digital forensics." International Journal on Computational
objectives-based framework for the digital investigations
Sciences & Applications (IJCSA) 4 (2014): 89-96.
process." Digital Investigation2.2 (2005): 147-167.
19. Ciardhuáin, Séamus Ó. "An extended model of cybercrime
34. Birk, Dominik. "Technical challenges of forensic
investigations in cloud computing environments." In
investigations."International Journal of Digital Evidence 3.1
workshop on cryptography and security in clouds, pp. 1-6.
(2004): 1-22.
2011.
20. Ruibin, Gong, T. Yun, and M. Gaertner. "Case-relevance
35. http://wearesocial.com/sg/special-reports/digital-social-
information investigation: binding computer intelligence to
mobile-2015
the current computer forensic framework." International
Journal of Digital Evidence 4.1 (2005): 1-13. 36. Stephenson, Peter. "A comprehensive approach to digital
incident investigation." Information Security Technical
21. Carrier, Brian, and Eugene H. Spafford. "An event-based
Report 8.2 (2003): 42-54.
digital forensic investigation framework." Digital forensic
research workshop. 2004. 37. Erbacher, Robert F., Kim Christiansen, and Amanda
. Sundberg. "Visual network forensic techniques and
processes." 1st Annual Symposium on Information Assurance:
22. Köhn, M., Olivier, M. S., & Eloff, J. H. (2006, July).
Intrusion Detection and Prevention. 2006.
Framework for a Digital Forensic Investigation. In ISSA (pp.
1-7).
23. Kent K, Chevalier S Grance T, Dang H. “Guide to Integrating
Foensics into Incident Response”, NIST Special Publication
800-86-2006.

301 https://sites.google.com/site/ijcsis/
ISSN 1947-5500