HOW TO DEVELOP A COMPUTER FORENSIC MODEL TO INVESTIGATE CYBER CRIMES – Part I IV/63

Copyright © 2013 Software Media Sp. z o.o. SK

Editor: Joanna Kretowicz jaonna.kretowicz@eforensicsmag.com

Betatesters/Proofreaders: Gavin Inns, Jeff Weaver, Nicolas Villatte

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa Dudzic ewa.dudzic@software.com.pl

Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl

DTP: Ireneusz Pogroszewski

Production Director: Andrzej Kuca andrzej.kuca@software.com.pl

Marketing Director: Joanna Kretowicz jaonna.kretowicz@eforensicsmag.com

Publisher: Software Media Sp. z o.o. SK

02-682 Warszawa, ul. Bokserska 1

Phone: 1 917 338 3631

www.eforensicsmag.com

ABSTRACT
The soaring trend of cyber crimes against businesses, organizations, and individuals has raised awareness among
these entities of the need to implement a cyber forensic model that can assist in investigating cyber incidents and in
obtaining evidence of the cyber attacks, whether to implement prevention or to proceed with prosecution.

The increasing need for a cyber forensic model that can stand up against cyber attacks has produced various cyber
forensic models, each incorporating a variety of procedures and forensic tools that serve the investigation of cyber
incidents. Although most of these models encompass approaches that serve the purpose, they lack options that
would let organizations implement whatever fits best with their infrastructure and budget.

In addition to the above problem, the available cyber forensic models do not promote Selection Criteria that can be
used to build other forensic models. Without Selection Criteria that organizations can employ to build their own cyber
forensic model, problems arise whenever technologies change and a new cyber forensic model must be implemented
to match a new infrastructure.

The absence of a cyber forensic model that offers organizations various options for implementing its procedures and
forensic tools is a problem for many organizations. The absence of Selection Criteria based on standards and
recommendations, which could serve to implement various cyber forensic models, is another hurdle that any
organization must address.

This article offers a solution to the above problems through a study that implements Selection Criteria which can be
employed to build a cyber forensic model for the Windows environment. The developed Selection Criteria will also
serve in creating a Cyber Forensic Model that offers various options of procedures and forensic tools, which many
organizations can use to build their own cyber forensic model. The Cyber Forensic Model will be dedicated to the
Windows environment and to cyber investigation.

INTRODUCTION
With the revolution in Internet technology and its ease of use, the opportunities for that technology to spread
worldwide have increased dramatically. Advances in digital devices such as cell phones and computers allow
organizations and individuals to work from anywhere, without boundaries. However, the critical information and
resources held within such technology increase its attraction to cyber criminals and cyber terrorists. While the
Internet and the other technologies that helped businesses become more productive and more profitable brought vital
benefits, they also helped cyber criminals carry out their criminal activities in secrecy and anonymity.

The above problem created a new era of prosecution procedures, never used before, in which the conviction and
prosecution of these criminals rest on evidence collected from digital devices through standard forensic models
developed during the last two decades. The digital revolution has created the need for new laws, forensic tools,
methods, investigators, and techniques to make digital evidence presentable in a court of law.

Making digital evidence admissible in a court of law is a unique challenge; it requires that the evidence be presented
on the basis of step-by-step procedures implemented within the forensic investigation processes and models. The
forensic processes define the overall procedures used to conduct forensic analysis and to produce forensic reports
that show the results of the investigation.

The investigation of electronic and cyber crimes requires a special setup consisting of legal resources, technical
resources, and human expertise. Cyber forensic procedures define the layers of the process, starting from the
registration of complaints, continuing to the production of forensic reports, and ending with the submission of the
case to the court of law (Khan and Memon, 2007).

The purpose of a forensic model is to implement processes that cover the investigation procedures from the
collection of digital evidence to its presentation in court. During the investigation of cyber crime cases, the collection,
analysis, preservation, and transportation of digital evidence are vital processes that aim to ensure the case can be
presented in court. The cyber investigation processes include standard procedures for collecting and extracting
evidence from digital media that promote best practices.

Existing solutions in the computer forensics field are largely based on ad-hoc processes and procedures, and so
there is a need for a meticulous framework of forensic models that promotes and outlines the qualities of their
processes. As a result of the ad-hoc information gathered, these systems record too much of the wrong data (false
positives), which makes the analysis of the evidence difficult and in many cases even impossible. Implementing the
right forensic model can help balance the logged data and the auditing of that data to ensure the quality of the
forensic analysis. The traditional forensic analysis model has traded off accuracy against the amount of data
recorded, and such an approach jeopardizes the quality of the analysis and the accuracy of its results (Peiser and
Marzullo, 2007).

The above statement indicates a need to implement quality forensic models that produce accurate results and are
based on outlined, recommended qualities that adhere to the forensic principles of accuracy and high-quality data. It
is also important to measure the quality of the forensic model against specific recommended qualities, to ensure that
the model delivers the quality and the results expected from its previously determined capabilities.

There is also a need for automated software systems that assist in cyber crime evidence collection and acquisition;
these systems are used to extract data and information from the computer's storage media. Such software should
guarantee reliability and accuracy in the evidence collection process.

Handling electronic documents imposes challenges, since such documents can be copied or modified. For example,
if a blackmail letter was created and stored on a suspect's computer, it is easy for the suspect to argue that the file
was planted on the computer after it had been seized by the cyber crime investigators or law enforcement agency,
and an argument can also be raised that the document has been modified (Chow and Chan, 2005).

For the above reasons, it is important to implement within the forensic model processes cyber crime software
systems that can verify file system integrity and ensure the reliability and validity of the electronic evidence.

The goal of this article is to develop Selection Criteria (Part I) that can implement reliable procedures and software
forensic tools which guarantee the reliability and validity of forensic evidence, so that it is admissible in a court of law.
The recommendations implemented within such criteria will ensure that the tools have been used properly and in
compliance with best practices, so that the evidence collected can potentially be accepted in courts and in any further
prosecutions.

The second part (Part II) of the article will develop a Cyber Forensic Model based on the developed Selection
Criteria, in which different options of procedures and software forensic tools are implemented to give organizations
the choice of how to build their own forensic models. The developed Selection Criteria can also offer various options
for organizations to use in building their own cyber forensic model.

CYBER CRIMES – GROWING THREAT

The rapid expansion of the Internet and its technologies has allowed us to communicate, learn, conduct business,
and connect with each other through social networking sites. The bright horizons of opportunity created by the
Internet have also given cyber criminals highly effective avenues to take advantage of technology users, with a
variety of schemes used to victimize or defraud innocent cyberspace users.

Regardless of their online activities, cyberspace users continue to be fooled and victimized by cyber criminals
through different fraud schemes: identity theft, child predators, gaining access to users' e-mail and social networking
accounts, phishing scams (attempts to make online users believe that the e-mails they receive come from trusted
sources), and extracting sensitive information by data mining social networking sites and legitimate business sites
(Snow, 2010).

In addition to the above criminal acts, cyber criminals and their groups have used various sophisticated hacking
techniques to compromise the encryption mechanisms used to protect data and personal information within
businesses and organizations. Other activities of such groups, such as computer intrusions and the spread of
malicious code, have caused massive damage to many organizations and businesses.

Modern societies treat cyber crimes as illegal activities, and this explanatory approach emphasizes that at any given
stage of technological development, any illegal act presents particular social and technical challenges. Computer
crime may be defined broadly as the theft, destruction, or unauthorized or illegal use, copying, or modification of
information, programs, services, communication networks, or equipment. Cyber crime can also be classified as
follows: computer hacking, financial theft, electronic fraud, espionage, or malicious sabotage (Mcmullan and Perrier,
2007).

Crimes under the above definition of computer crime require a very skilled computer programmer with the ability to
falsify transactions and records, access source code, bypass security, and fabricate data in order to steal money from
legitimate sources such as government institutions, software procedures, banks, and the gambling industry.
Computer crimes cannot always remain unknown to others and to law enforcement agencies; however, successfully
identifying such activities requires technical competence and organized steps and procedures that can deal with the
threat when it happens.

Computer crime legislation in many countries has made little connection between public policy and the reality of the
law. That weak connection makes cyber crime more problematic, as policy makers have shown little concern for the
effects of such behaviours on modern societies, organizations, and businesses (Skibell, 2003).

Although the Computer Fraud and Abuse Act (CFAA) in 2002 demonstrated almost universal agreement that
computer crime had become a growing problem whose solution lies in aggressive criminal sanctions and in enforcing
the law to prosecute cyber criminals with harsh sentences, there are still loopholes in the justice system for
prosecuting cyber criminals. Law makers have made many changes to close loopholes in the law that could create
problems in prosecuting cyber criminals.

The tragedy of 9/11 forced the US Congress to pass laws that changed the CFAA by making it easier to charge
computer criminals with a felony. Part of the rationale for changing the rules is that cyber crimes have increased the
severity of the threat, and the penalties should rise accordingly (Skibell, 2003).

To ensure that different computer crimes are treated differently, computer criminals are divided into separate groups:

• Script-kiddies Group – Usually employ tools downloaded from the Internet to exploit common security
vulnerabilities; knowledge of computer programming is very limited among these groups. In most cases the
damage such a group can cause is limited, and serious crimes such as stealing sensitive data have never been
the intention of these groups.

• Hackers Group – Another group of computer intruders, with more computer experience and programming skills,
who use more sophisticated software tools to design intrusion programs.

• Crackers or cyber-terrorists Group – A real danger, where computer systems are attacked for personal benefit,
profit, or political reasons.

The cyber threat to individuals and businesses has become sophisticated, large, and real; it has grown into an
economy of its own and is run by an organized crime network of international groups and gangs. It is a threat that
individuals and organizations face as long as the Internet is used on a daily basis. Until recently, the major targets of
cyber criminals were the personal identification information associated with bank accounts (such as account
information and passwords) and credit cards. However, a common strategy of these groups is hacking legitimate
business sites, placing fake Internet ads to commit online scams, and attacking security software (such as legitimate
anti-malware and anti-virus programs) and the encryption mechanisms used to protect data and information
transferred online (Latamore, 2010).

Despite the truth of the above statement, the white-hat groups (developers of computer security systems and
security experts) have been able to reduce certain threats, such as computer viruses and e-mail-distributed viruses,
to almost zero by implementing advanced technologies in firewalls and anti-virus software. However, the threats
remain real and imminent for many organizations and individuals. The same argument was made by Alex de Joode
in his article on the increasing activities of cyber criminals, who make a substantial living from online illegal activities
at the expense of legitimate businesses.

Cyber criminals target high-value businesses to steal guarded intellectual property, filch funds, and gain access to
financial data, login details, and sensitive information that resides within secure corporate web applications and
corporate networks. However, high-profile investigations conducted in 2010 resulted in major busts of criminal
networks engaged in such activities. The high threat of financial theft is not the only problem facing businesses; there
is also industrial espionage, where cyber criminals hack into systems to steal information and extort payment from
businesses by offering to conceal the data breach. In most cases such security breaches involve personal data that
has to be reported to the affected individuals, which in most cases creates negative publicity for these businesses
(Joode, 2011).

Various security implementations are in place to avoid such problems. One solution is monitoring of corporate traffic
flow by security professionals, which should trigger further investigation of any suspicious activity. An easy route of
attack is via e-mail systems, on which most corporate companies rely to communicate with the outside world. Another
risk associated with the hackers group is the Distributed Denial of Service (DDoS) attack, whose heavy consequences
can include loss of revenue and reputation.

Part of the security initiatives within any organization is to separate data and information based on its sensitivity and
value. Companies must also audit their security infrastructure and security profiles on a regular basis to protect the
integrity, availability, and confidentiality of the information that represents the company's lifeblood. It is also important
for companies to implement strong security measures to protect their data through multiple layers of protection
(Joode, 2011).

An FBI computer crime and security survey based on responses from security practitioners in US government
agencies, US corporations, universities, and financial institutions showed that the frequency of penetration by
outsiders has now overtaken the frequency of penetration by insiders. The study by Overill (1998) concluded that
both Computer Assisted Crime (CAC) and Computer Related Crime (CRC) continue to grow, and that the potential
weakness of the human component of all security systems is not always adequately recognized or effectively
managed.

The 2009 Internet Crime Report was produced as a result of a project conducted by the Bureau of Justice Assistance
and Statistics, the National Institute of Justice, and the Office of Juvenile Justice and Delinquency Prevention in the
US (IC3.gov, 2009). The report stated that the Internet Crime Complaint Center (IC3) web site received 22.3% more
cyber crime complaints than in 2008. The complaints received by IC3 included various types of cyber fraud such as
non-delivery of merchandise, auction fraud, credit card fraud, spam and unsolicited e-mail, computer intrusions, and
child pornography within the United States (Overill, 1998).

The information produced in this report is available on the IC3 site to state, local, and federal law enforcement to
support trend analysis, active cyber investigations, awareness efforts, and public outreach: http://www.ic3.gov/default.
aspx.

Another problem created by the modern technology of cyberspace is cyber-bullying. The double-edged nature of
modern technology is a continuous balance between the opportunities it creates and the risks and problems it brings
to modern societies. While boys are more easily swayed into engaging in electronic bullying, girls are more likely to
become victims of cyber-bullying. Several surveys have assessed the prevalence of cyber-bullying among school-aged
youngsters. An American study conducted in 2007 showed that 17% of school-aged respondents had been victims
of cyber-bullying and 18% had been perpetrators. Some of the reasons youngsters give for engaging in such
activities are revenge, fun, or that the victim deserved it (Walrave and Heirman, 2011).

It is important to point out that the harm caused by such acts is greatly underestimated. The tools used for
cyber-bullying are blogs, instant messaging, and chat rooms. It is clear that the emergence of modern Internet
applications and mobile technologies will increase the social problems that cyber-bullying brings to societies, and to
their young people in particular.

Given the total magnitude of the technologies that can be exploited across a global crime scene, investigating cyber
crimes has become a very complicated task. There are many robust digital investigation and cyber crime models that
provide valuable structure and guidance. However, many of these models lack direct support for and alignment with
law enforcement investigation, and they usually focus on the recovery of digital evidence from already identified
technologies.

COMPUTER FORENSICS EVIDENCE COLLECTION AND FORENSIC MODELS

Evidence of cyber crimes committed by cyber criminals is neither human nor physical; where it exists, it is more than
program code and electronic impulses, and it can take different forms. Evidence can take the form of digital data
stored as graphics files, text files, motion pictures, databases, sounds, erased files, temporary files, and data dumped
by the operating system onto a storage device. With such variety in evidence formats, it is not easy for an ordinary
person to view such data using the normal tools offered by most operating systems. Computer evidence has both a
nonphysical component (magnetic orientation and electronic impulse) and a physical component, the storage media
(Mercer, 2004).

Digital evidence by its nature is vulnerable to alteration, whether purposeful or accidental. For this reason, computer
forensic examiners must safeguard it and use methodologies that preserve the digital evidence so that it can
withstand any judicial scrutiny. Understanding how such data is stored on computer devices is the most important
step in avoiding unintentional contamination of this sensitive data. It is also important to maintain a chain of custody
for the digital evidence, to preserve the originality of the data captured during the forensic investigation (Mercer,
2004).

The above explanation of evidence collection indicates that copies or images of the original digital evidence are
valuable to the accuracy of the forensic investigation. This practice protects the original evidence from accidental
damage and ensures that the evidence is in the best possible state for authentication purposes. Handling the original
forensic evidence requires a chain of custody that ensures proper handling of the evidence from its initial seizure to
its final disposition. It is also imperative that the duplication method produce an accurate reproduction of the original;
failure to authenticate the duplicate of the evidence may negate any results produced.

For evidence to be admissible in a court of law, proof of its authenticity has to be presented in court. Mercer (2004)
argued that the computer forensic evidence collection process requires the following guidelines:

• The process should adhere to a set of standards that includes a chain of policy encompassing the preservation of
the originality of the digital evidence.

• Use standard operating procedures that ensure known results for the authentication and duplication of the
collected evidence.

• Follow forensic policies that meet forensic science standards, so that the evidence can stand and be admissible in
a court of law.

As commerce, business, and society become more dependent on information technology and computing, their
vulnerability to unauthorized access, attack, or system failure grows. When computers are used to manage records
and store information, those records become vulnerable to alteration, tampering, potential misuse, destruction, and
unauthorized access. The techniques, principles, and tools of computer forensics can support records management
in determining unauthorized transactions, obtaining digital evidence that indicates the nature of a transaction, helping
to restore the original record, and helping with digital recovery when a digital record has been compromised (Irons,
2006).

Computer forensics uses fundamental principles of computer science, such as how data is managed and stored, how
information is organized, and how computers communicate over networks. It is important to point out that during the
evidence collection process, computer forensics makes use of transaction records, log files, and operating system
time stamps. Another important aspect of evidence collection in forensic science is the ability to recover deleted and
hidden files. Computer forensic software tools such as EnCase can be used to recover deleted files, flag changes to
file extensions, or find hidden images.

The first step in computer forensic analysis is the careful and cautious preservation of the original device or file. To
ensure that the original evidence is not tampered with or contaminated, and to ensure evidential integrity, the forensic
examiner must create an exact image of the device or file using techniques and tools that facilitate this process. For
example, a write-blocker is used to ensure that the destination media does not write back to the original source of
the evidence (Irons, 2006).
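The duplication and authentication steps described above (an exact image, a hash that authenticates the duplicate, and a chain of custody record for each handling step) are shown below as an added example written for this article; it is not code from the article or from any tool it names. The file paths, the examiner identifier and the evidence contents are constructed for the demonstration, and the software read-only open stands in for the hardware write-blocker the text recommends.

```python
"""Bit-for-bit duplication of an evidence source, hash authentication of the
duplicate, and a chain-of-custody log (added example, not from the article)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large media need not fit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image byte for byte, hashing the source as it is read.
    The source is opened read-only; a hardware write-blocker (as the article
    recommends) remains the real protection against writes to the original."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return h.hexdigest()


def verify_image(source, image, expected):
    """Re-hash original and duplicate independently; all three digests must agree."""
    return hash_file(source) == expected == hash_file(image)


def custody_entry(log_path, examiner, action, item, digest, note=""):
    """Append one chain-of-custody record (who, when, what, which hash) as a JSON line."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "item": item, "sha256": digest, "note": note}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Run the procedure over a constructed evidence file and return the outcome."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")   # constructed stand-in for the seized media
    image = os.path.join(workdir, "suspect_drive.dd")     # forensic duplicate
    log = os.path.join(workdir, "custody.jsonl")          # chain-of-custody log
    with open(source, "wb") as f:                         # constructed sample content, not real evidence
        f.write(b"BLACKMAIL-LETTER.DOC\x00" * 4096 + os.urandom(4096))

    acquired = acquire_image(source, image)
    custody_entry(log, "examiner-01", "acquire", image, acquired, "imaged with write-blocker")
    ok = verify_image(source, image, acquired)
    custody_entry(log, "examiner-01", "verify", image, acquired, "verified" if ok else "MISMATCH")

    # Simulate a single-byte change to the duplicate after acquisition: the
    # authentication must fail, which is exactly what the hash is there to catch.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    tampered_ok = verify_image(source, image, acquired)
    custody_entry(log, "examiner-01", "verify", image, acquired, "verified" if tampered_ok else "MISMATCH")

    with open(log) as f:
        entries = [json.loads(line) for line in f]
    return {"verified": ok, "after_tamper": tampered_ok, "log": entries}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```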

The above techniques are used to ensure that the application of computer forensics and the seizure of evidence are
admissible in a court of law or in an employment tribunal for disciplinary cases of computer misuse. For digital
forensic evidence to be valuable to the forensic investigation, it must be accurate and authentic, have evidential
integrity, comply with common law and legislative rules, and also be convincing to the juries in a court of law.

Tanner and Dampier (2009) explained that a digital forensic investigation consists of six phases:

• Identification Phase – The main goal of this phase is to determine the data and the components associated with
a crime; the evidence has to be documented and photographed in detail using the proper procedures. Before the
detailed investigation begins, the entire computer system, the computer screen (including open files), and all other
potential evidence are documented and photographed. Checklists and chain of custody documents are used to
carry out this phase.

• Preservation Phase – One of the most important tasks in this phase is the chain of custody, which helps eliminate
any claim of evidence tampering and ensures the authenticity of the evidence. This documentation provides
complete details about the location and the possession of the evidence throughout the lifetime of the digital crime
case. Other information associated with this phase is how the evidence was stored and protected, who removed it
from storage, and how it was transferred to a secure location with limited access.

• Collection Phase – In this phase, approved recovery tools and techniques and detailed documentation are used
in the collection efforts. Tools such as Forensic Toolkit (FTK) and EnCase are used in evidence collection.

• Examination Phase – In this phase, special techniques and tools are used to search for and identify digital
evidence. Evidence may exist in e-mail, files, folders, images, and hidden space on the storage media, such as a
computer hard drive. Hidden spaces on a disk drive can be swap space, slack space, or free space. Tools such as
EnCase or Forensic Toolkit (FTK) examine these hidden areas more accurately than normal operating system
tools.

• Analysis Phase – In this phase all the evidentiary findings are reconstructed. The evidence collected during the
examination phase is used to establish relationships among the evidentiary items, event timelines, and the
criminal intention or target. The mapping concept is also used in this phase to create timelines of events and to
help clarify the relationships among evidentiary items.

• Presentation Phase – This phase is the overall result of all the previous investigation, where the legal
consequence or outcome of the suspect's actions is determined. The result of the investigation should show
exactly what occurred during the previous phases, and special techniques and tools are usually used to present
the findings in court proceedings.
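The Analysis Phase above turns collected artefacts into an event timeline, and the introduction noted the argument that a file was planted after seizure. The following added example (written for this article, not code from the article or from FTK or EnCase) normalises timestamps from two constructed sources to UTC, orders them, relates nearby artefacts to each other, and flags any artefact whose timestamp postdates the seizure time recorded in the chain of custody. The file paths, log format, mail addresses and seizure time are all constructed.

```python
"""Event timeline reconstruction for the Analysis Phase (added example, not
from the article): normalise, order, relate, and flag post-seizure artefacts."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    when: datetime   # always timezone-aware, in UTC
    source: str      # which artefact family it came from
    item: str        # path, action, or other identifier
    detail: str


# Constructed inputs. In a real case these come from the forensic image, not literals.
FS_ENTRIES = [  # (path, last-modified time in UTC as stored by the examiner's tool)
    ("C:/Users/suspect/Documents/letter.doc", "2013-01-14T21:05:13Z"),
    ("C:/Users/suspect/AppData/Local/Temp/~WRL0001.tmp", "2013-01-14T21:04:58Z"),
    ("C:/Users/suspect/Documents/notes.txt", "2013-02-02T09:12:00Z"),
]
LOG_LINES = [  # constructed mail-client log: local time with a UTC offset
    "2013-01-14 16:06:40 -0500 SENT mail to victim@example.invalid subject='last warning'",
    "2013-01-15 08:00:02 -0500 LOGIN user=suspect",
]
# Seizure time taken from the (constructed) chain-of-custody record.
SEIZURE_TIME = datetime(2013, 1, 20, 10, 0, tzinfo=timezone.utc)

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-]\d{4}) (\w+) (.*)$")


def parse_iso_utc(text):
    """'2013-01-14T21:05:13Z' -> aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log_line(line):
    """Convert a local-time log line with an offset into a UTC Event."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    stamp, offset, action, rest = m.groups()
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    sign = 1 if offset[0] == "+" else -1
    tz = timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5])))
    return Event(local.replace(tzinfo=tz).astimezone(timezone.utc), "maillog", action, rest)


def build_timeline(fs_entries, log_lines):
    """Merge file system and log artefacts into one chronologically ordered list."""
    events = [Event(parse_iso_utc(ts), "filesystem", path, "modified") for path, ts in fs_entries]
    events += [parse_log_line(line) for line in log_lines]
    return sorted(events, key=lambda e: e.when)


def post_seizure(events, seizure):
    """Artefacts dated after seizure: either a clock problem or a handling problem,
    and in both cases something the examiner must explain before court."""
    return [e for e in events if e.when > seizure]


def within(events, center, minutes):
    """Events within `minutes` of `center`, used to relate artefacts to each other."""
    window = timedelta(minutes=minutes)
    return [e for e in events if abs(e.when - center) <= window]


if __name__ == "__main__":
    timeline = build_timeline(FS_ENTRIES, LOG_LINES)
    for e in timeline:
        print(e.when.isoformat(), e.source, e.item, e.detail)
    for e in post_seizure(timeline, SEIZURE_TIME):
        print("POST-SEIZURE:", e.item)
```

On the constructed data the temporary file, the letter and the outgoing mail fall within two minutes of each other, while notes.txt is dated after the seizure and is flagged for explanation.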

The above model identifies the general processes involved in most models of digital forensic investigation, where the
mapping concept of digital investigation can enhance the results of the forensic processes. It is also important to
point out that this concept can provide a framework for creating a digital forensic repository and improve the ability to
uncover misinterpretation in the investigative process. However, some other models suggest the use of a process
flow framework to assist first responders during the identification and collection phases of the digital forensic
investigation. It is also imperative that the forensic laboratory be equipped with the right software tools to conduct the
analysis process offsite and in the field. Attempting to conduct computer forensic analysis in the field is neither the
safest nor the most practical method. The first step in the forensic investigation is to obtain an exact image or copy of
the media so that it can be examined in a secure laboratory. It is also recommended that the laboratory workstation
be portable, to reduce the possibility of intrusive use of software tools on the system to look for information or for
specific file types. A portable workstation should allow examiners to perform analysis at remote locations (e.g. a
remote division office), and should also be equipped with a variety of storage device options that allow disk images
to be retrieved in a short period of time (Lanny, 2000).

Techniques and methods to conceal digital evidence have progressed dramatically. In addition, new information
suggests that cyber criminals take great interest in downloading software tools that perform these functions, and use
them as cyber weapons to conceal digital evidence. Such problems require forensic software tools that can uncover
this evidence and get behind such technologies to seize it. Forensic software tools must favor false positives over
false negatives to avoid missing evidence; the forensic expert can later eliminate the false positives from the final
results. It is also important that the forensic tool be fast but accurate. One of the critical missions in forensic
investigation involves crime incidents using mobile handheld devices, which require tools that allow speedy
examination and proper extraction of any digital evidence (Ziedman, 2010).

Over the course of their use, such devices can accumulate a tremendous amount of personal information that can
provide the substance of digital evidence. Although a forensic examiner can obtain evidence by browsing the device,
such an approach is highly problematic and impractical, and should be used only as a last resort among the
investigation methods; applying the right forensic software tools is the preferred alternative and can definitely
produce accurate results.

Jansen and Ayers (2005) explained that forensic tools acquire data from a digital device through one of two methods,
logical acquisition or physical acquisition:

• Physical acquisition – implies a bit-by-bit copy of an entire physical storage (e.g. RAM chip, or disk drive).

• Logical acquisition – implies a bit-by-bit copy of logical storage objects (e.g. files and directories).

• Physical acquisition has advantages over logical acquisition: it allows deleted data and files to be examined, and
a physical device image can be easily imported into another tool for reporting and examination. However, the
logical structure offers a more natural organization that can be more comprehensible during the digital
examination. Using both types of acquisition will give better results during the evidence seizure process.

The above argument demonstrates two important facts about forensic software tools:

• Forensic tools are required to offer solutions that provide actionable data consistently.

• No single forensic tool can perform all the required functionality.

The final conclusion is that there is always a need for forensic toolkits in which forensic examiners can find the
functionality applicable and suitable to their own fields.

In an effort to create the Selection Criteria, this article will investigate the different processes implemented within
cyber forensic models. These processes are used to obtain the digital evidence during the digital forensic
investigation.

Digital evidence represents an interpretation of data that can be either in motion (e.g. network communication), at rest
(e.g. hard drives or flash drives), or a combination of both. Digital evidence is derived from physical properties,
whether the charge state of a transistor in memory, magnetic fields on the platter of a hard disk, or the
electromagnetic waves in a wireless network (Schatz, 1995).

To obtain digital evidence from a digital device, several standard processes have to be performed. The common
digital forensic processes included in most forensic models are:

• Identification Process – Where the possible containers of related evidence are identified for the investigation
process (e.g. log files, floppy disks, hard drives, flash drives, memory, network communications).

• Preservation (Collection) Process – Where the original data and media are preserved for the investigation
process. A copy of the original media is used for conducting the analysis.

• Extraction (Examination) Process – Where the working copy of the media is used to extract the evidence found
that is relevant to the situation at hand.

• Interpretation (Analysis) Process – Where the evidence found is properly interpreted through the GUI tools used
for the investigation, and the results from such tools are thoroughly checked.

• Documentation (Reporting) Process – Where the digital evidence processes and findings are documented and
recorded from the beginning of the investigation to the end of such processes.

In an effort to construct the Selection Criteria framework, different case studies, survey results, best practices, test
results, and statistical reports will be introduced that can be used as common recommendations for forensic tools and
procedures. This research will be carried out for each process within the forensic model. All the findings will be
flagged with a “Recommended” icon within the research document as a record that can be used later in the
Selection Criteria framework implementation.

The completion of the Selection Criteria framework will mark the beginning of the research required to create the
Cyber Forensic Model framework in Part II of this article. In Part II, the research will investigate the various cyber
forensic models that are currently available.

IDENTIFICATION PROCESS
Information stored by computer systems in log files can be crucially important in gathering forensic evidence for the
attacks or actions under investigation. The nature of cyber attacks is borderless, and as such, cyber criminals have
been able to escape responsibility due to the lack of supporting evidence to convict them.

One of the common cyber forensic analysis approaches is baseline analysis, where an automated tool is used to
check for differences between the state of the system during the incident and a baseline of the system’s known safe
state. Monroe and Bailey (2006) explained that baseline processes can be used to detect changes in the system, and
one of these processes can be summarized as follows:

• Define a set of attributes relevant to the type of changes that need to be detected.

• Obtain a tool that is minimally invasive and highly accurate. Such a tool should be able to traverse specified
files and directories and collect the chosen attributes.

• Archive the results using a technique that preserves and maintains their integrity.

• At any point in the future, a snapshot can be created and compared with the baseline to identify changes.

• Repeat steps 1-3 whenever a new baseline is desired.

The above approach represents a proactive mechanism for forensic analysis that can be used to detect a cyber
attack. The approach relies on an important forensic point of view: the ability to detect changes consistently and
correctly is a high priority. It also relies on an important fact about any computer system: the state of various files
will change when the system is accessed in an unauthorized manner. The approach relies on proactive forensic
investigation rather than an incident response approach, and promotes the technique of identifying what has been
compromised by creating a system baseline that can be compared against the system’s changes.
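The baseline process above, worked through as an added example that is not part of the article: the attribute set, the HMAC key and the scratch directory used by demo() are assumptions made for illustration only, and the "unauthorised" changes in demo() are simulated on that scratch directory.

```python
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile

# Step 1 (assumption): the attributes collected per file.
ATTRIBUTES = ("size", "mode", "mtime", "sha256")

def file_attributes(path):
    """Collect the chosen attributes for one path without modifying it."""
    st = os.lstat(path)  # lstat: never follow symlinks on the examined system
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
           "mtime": int(st.st_mtime), "sha256": None}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec

def collect(roots):
    """Step 2: traverse the specified files and directories, read-only."""
    snapshot = {}
    for root in roots:
        if not os.path.isdir(root):
            snapshot[root] = file_attributes(root)
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic traversal order
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                try:
                    snapshot[path] = file_attributes(path)
                except OSError:
                    continue  # unreadable entry: record nothing, do not abort
    return snapshot

def archive(snapshot, key):
    """Step 3: serialise the baseline and seal it with an HMAC, so that later
    tampering with the stored baseline itself is detectable."""
    body = json.dumps(snapshot, sort_keys=True)
    return {"body": body,
            "hmac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def load_archive(sealed, key):
    """Verify the seal before trusting a stored baseline."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline archive failed integrity check")
    return json.loads(sealed["body"])

def compare(baseline, snapshot):
    """Step 4: diff a fresh snapshot against the baseline."""
    added = sorted(set(snapshot) - set(baseline))
    removed = sorted(set(baseline) - set(snapshot))
    modified = {}
    for path in sorted(set(baseline) & set(snapshot)):
        changed = {a: (baseline[path][a], snapshot[path][a])
                   for a in ATTRIBUTES if baseline[path][a] != snapshot[path][a]}
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed walk-through on a scratch directory, not a real system."""
    key = b"constructed-demo-key"  # assumption: a secret held by the examiner
    root = tempfile.mkdtemp()

    def write(name, data, mode="w"):
        with open(os.path.join(root, name), mode) as fh:
            fh.write(data)

    try:
        write("hosts", "127.0.0.1 localhost\n")
        write("passwd", "root:x:0:0::/root:/bin/sh\n")
        sealed = archive(collect([root]), key)
        # Simulated unauthorised activity: one file edited, one removed, one dropped.
        write("hosts", "203.0.113.9 update.example\n", "a")
        os.remove(os.path.join(root, "passwd"))
        write("svchost.exe", b"MZ\x90\x00", "wb")
        report = compare(load_archive(sealed, key), collect([root]))
        # A baseline whose body was altered after sealing must be rejected.
        forged = {"body": sealed["body"].replace("hosts", "h0sts"), "hmac": sealed["hmac"]}
        try:
            load_archive(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        rel = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
        return {"added": rel(report["added"]), "removed": rel(report["removed"]),
                "modified": rel(report["modified"]), "tamper_detected": tamper_detected}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```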

Recommended

• The system baseline approach is a recommended mechanism that can be used to quickly identify and analyze
changes. Once the baseline attributes are identified, it is easy to obtain a snapshot of the system, compare the
results with the baseline to identify changes, and obtain forensic evidence from such discrepancies.

Digital forensic analysis is a process used as part of the digital forensic investigation where scientific procedures
and tools are used to reach a conclusion. The main goal of forensic analysis is to obtain digital evidence that can
later be admissible in a court of law. In this process the forensic examiner determines the significance of the crime,
reconstructs the information or data, and reaches a conclusion based on the digital evidence against a specific
crime (Yaddav and Shekhar, 2011).

The following table summarizes the different forensic tools that can be used in the forensic investigation for
acquisition, analysis and reporting. The table is the result of the research paper by Yaddav and Shekhar
(2011):

Table-1 Shows the functional comparison of digital forensic tools

Recommended

• The forensic analysis process should include the right tools to obtain the forensic evidence for the cyber crime
incident. Recommended tools for evidence acquisition, analysis and reporting in the forensic investigation are:
EnCase, DFF, FTK for Windows, TSK, Helix and LiveView.

Network forensics is the science that deals with recording, capturing and analyzing network traffic for the purpose of
investigating such traffic or detecting network intrusions. The research paper by Pilli and Joshi (2010) presents a
survey of various network forensic framework implementations and network forensic analysis tools (NFATs) that can
be used to investigate network attacks by tracing the attack back to its source and attributing the criminal activity
to a network, host or person. Such an investigation will also have the ability to predict future attacks by deriving
the right attack patterns from the existing traces of collected intrusion data.

Pilli and Joshi (2010) argued that network security monitoring and the various Network Forensic Analysis Tools
(NFATs) can be used with different forensic techniques that enable the investigator to trace back the cyber criminals
involved in network crimes, and provide sufficient evidence to help prosecute them. Network forensic systems can be
classified as follows:

• General network forensic systems, which are dedicated to obtaining evidence that satisfies legal requirements
and to enhancing network security.

• Traffic collection systems, where all packets of traffic are captured and stored for further forensic analysis.

The above statement shows that cyber attacks are the main driving force behind the implementation of network
forensics. While network security measures such as Intrusion Detection Systems (IDS) and firewalls represent
defensive approaches to prevent and detect attacks, network forensics ensures that an attack on such a network is
costly, since the attackers will have to spend a lot of time covering their tracks.

Pilli and Joshi (2010) pointed out that Network Forensic Analysis Tools (NFATs) allow network administrators to
gather and monitor network traffic, assist in the network forensic investigation, help generate a suitable incident
response to network attacks, and also help analyze the attacks and perform risk assessment for future attacks.
Some of these tools are: NetIntercept, NetWitness, NetDetector, OmniPeek, SilentRunner, and NetworkMiner. Also,
many built-in commands are available in modern operating systems that can assist the network forensics process;
some of these commands are:

• Traceroute – command-line tool used to determine the route packets take across an IP network.

• Netstat – command-line tool used to display routing tables, network connections (outgoing/incoming), and other
network interface statistics.

Recommended

• Implementing the right network forensic model, deployed in the right framework, will ensure that the investigation
of attacks can be traced back to the source of the crime (e.g. a specific network, host or person).

• The following built-in command-line tools for the Windows operating system can be used in the forensic analysis:
nslookup, traceroute, tcpslice, netstat, nbtstat, whois, ping and dig.

• Some of the forensic analysis tools for Windows that are recommended for network forensic analysis are:
NetIntercept, NetWitness, NetDetector, Iris, Infinistream, OmniPeek, SilentRunner, NetworkMiner and Xplico. These
tools capture network traffic for further analysis during the forensic investigation.

Date and time are fundamental elements of the forensic investigation. Any misinterpretation of their values may lead
to a case dismissal in a court of law, and forensic investigators can be accused of tampering with the forensic evidence.
Every computer has a simple clock function that keeps the current time. That function is implemented in an on-board
semiconductor chip called CMOS (Complementary Metal Oxide Semiconductor). Most applications and operating
systems installed on a computer access the CMOS clock by calling the date function via an interrupt. In a 32-bit
Windows/DOS environment, the date/time information is stored in a 32-bit structure; in a 64-bit Windows environment
the date/time information is stored in a 64-bit structure. When dealing with forensic evidence, it is important that
the forensic examiner capture the right time zone and daylight saving time setting, and that local time, if used, is
translated to the right Coordinated Universal Time (UTC) (Boyd and Foster, 2004).

The time zone bias is identifiable on any machine running a Windows operating system via the system’s Registry
information. Such information can be accessed using a non-forensic technique via the ‘regedit’ program run from the
command prompt. If the Registry files were exported forensically, a forensic tool such as ‘regdat’ can examine the
files to search for information. In the case of Microsoft Internet Explorer, the URLs of web pages and other records
are stored in index.dat files. The main types of index.dat records are: the cache, the cookies, and the history. EnCase
can be used to interpret file date/time information, and also to extract the registry data containing the time zone
bias. Also, a forensic software tool such as NetAnalysis can be used to analyze Internet activities. Such a tool will
require setting the time zone bias and importing the index.dat files (Boyd and Foster, 2004).

Boyd and Foster (2004) suggested the following checklist to be used during an investigation:

• The CMOS time in relation to the actual time should be recorded on the examined or seized system.

• The computer’s current time zone should be established from the system Registry hives.

• It is imperative for the forensic investigator to establish any effect of daylight saving time on the times relevant
to the investigation.

• It is imperative for the forensic investigator to identify the type of time structure, such as UTC or local time.

• The same application versions and operating system used by the computer being examined should be used to
test the results of the forensic investigation.

It is imperative for the forensic investigator to establish exactly what happened in the digital forensic case. The
availability and ease of use of forensic software tools make the forensic investigation a more accurate and more
efficient process in reporting the procedures performed and their results. However, the above case study shows that
forensic software tools cannot be a complete substitute for human understanding of the forensic case and its events.
Also, the case study shows that the date/time of forensic evidence is a questionable issue in a court of law, and as
such, having the right forensic software during the investigation will guarantee the right interpretation of the raw data.

Recommended

• It is important that the forensic examiner capture the right time zone and daylight saving time setting used by the
suspect’s computer, and that local time, if used, is translated to the right Coordinated Universal Time (UTC).

• A forensic software tool such as ‘regdat’ is recommended to examine the Registry files and search for information
within the Registry hives.

• The CMOS time in relation to the actual time should be recorded on the examined or seized system.

• The computer’s current time zone should be established from the system’s Registry hives.

• It is imperative for the forensic investigator to identify the type of time structure, such as UTC or local time.

• The same application versions and operating system used by the computer being examined should be used to
test the results of the forensic investigation.
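The two Windows date/time structures and the registry time zone bias discussed above, decoded in an added example that is not part of the article: the FAT timestamp, the FILETIME value and the bias of 300 minutes in worked_example() are constructed values standing in for what an examiner would read from the image and the TimeZoneInformation key.

```python
import struct
from datetime import datetime, timedelta, timezone

# A 64-bit FILETIME counts 100-nanosecond intervals from 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(filetime):
    """Decode the 64-bit Windows date/time structure (NTFS timestamps, registry
    key LastWrite times, index.dat records). The stored value is already UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def filetime_from_bytes(raw):
    """FILETIME as found on disk: 8 bytes, little-endian (low DWORD first)."""
    return struct.unpack("<Q", raw)[0]

def dos_datetime_to_local(dos_date, dos_time):
    """Decode the 32-bit DOS/FAT packed structure (16-bit date + 16-bit time).
    FAT stores *local* time with 2-second resolution, so the result is naive
    and still needs the time zone bias applied."""
    year = 1980 + ((dos_date >> 9) & 0x7F)
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = 2 * (dos_time & 0x1F)
    return datetime(year, month, day, hour, minute, second)

def registry_bias_minutes(dword):
    """Bias/ActiveTimeBias under TimeZoneInformation are REG_DWORD values in
    minutes; zones east of UTC are negative and appear as two's complement
    in the raw hive (0xFFFFFFC4 -> -60)."""
    return dword - (1 << 32) if dword & 0x80000000 else dword

def local_to_utc(naive_local, active_bias_minutes):
    """Windows defines UTC = local time + bias. ActiveTimeBias already includes
    the daylight saving adjustment in force when the value was written, which is
    why the checklist asks for both the zone and the DST state."""
    corrected = naive_local + timedelta(minutes=active_bias_minutes)
    return corrected.replace(tzinfo=timezone.utc)

def worked_example():
    """Constructed values: a FAT timestamp and an NTFS FILETIME for the same
    event on a machine set to US Eastern Standard Time (ActiveTimeBias = 300).
    If the examiner forgets the bias, the two records disagree by five hours."""
    fat_local = dos_datetime_to_local(0x3A4D, 0x93EF)      # 2009-02-13 18:31:30 local
    ntfs_utc = filetime_to_utc(128790414900000000)          # 2009-02-13 23:31:30 UTC
    fat_as_utc = local_to_utc(fat_local, registry_bias_minutes(300))
    return {"fat_local": fat_local, "ntfs_utc": ntfs_utc, "fat_as_utc": fat_as_utc,
            "consistent": fat_as_utc == ntfs_utc}
```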

The case study conducted by Reust (2006) investigated the traces of forensic evidence that can be found in America
Online Instant Messenger (AIM). The case study is an effort to investigate the traces of communications and other
linkages that might be found on computers using AIM. It is important to point out at this stage that AIM has the
same features available in Microsoft Instant Messenger (MIM), and as such, the lessons learned from Reust’s (2006)
research are applicable to investigating cyber crimes in MIM.

Recovering IM communications for a specific conversation can become difficult if the computer was seized a long
time after the conversation of interest took place. If such a conversation was not deliberately saved, evidence of
the communication may be found in unallocated space on the computer’s hard drive, or in the swap file in an
unreadable format. Some of the forensic analyses that can be done to find these files are: review of file system
activity, keyword searching, and inspection of profiles, Buddy Lists, and away messages. AIM is a highly configurable
software program, and as such, certain types of evidence may be available depending on the features enabled via
such configurations (Reust, 2006).

When a keyword search is conducted during the forensic investigation of IM communications, there are a number of
issues that should be considered. For example, informal language is widespread in IM conversations, and a number
of acronyms have been created by the IM community (e.g. acronyms used to reduce keystrokes) that should be
considered when the search tasks are conducted. An important keyword search is the IM screen name (the screen
name is often in the format “<Screen name> (<timestamp>).<text of conversation>”). The Buddy List window lists the
other AIM users who usually communicate with the suspected user. Such a list is usually saved in a default file
“userinfo.bag”. Also, a Registry setting can contain the last ten (10) screen names that the suspected user
communicated with, and such information can be a starting point for the forensic examiner to conduct the forensic
search (Reust, 2006).

The above results of the case study identified many sources of evidence in IM; however, one argument that can be
raised during cross examination in the courtroom is the fact that such findings are not associated with dates.

Recommended

• The keywords used when investigating evidence in Instant Messenger communications should take into account the
informal language and acronyms used during the conversation.

• Screen names, the Buddy List and Registry settings are very important sources of evidence when investigating
instant messenger use.

• Dates and times associated with the findings should be considered during the evidence acquisition process.

Lee and Oh (2011) explained that the web browser is a source of information that can be collected as evidence.
If the suspected user accesses the Internet seeking information, all the cyber activities of the crime will be saved
in the browser’s log files. A forensic investigation can collect information relevant to the cyber crime case via the
web browser’s log files, and searching for evidence left by web browsing activities can be a crucial component of the
digital investigation. It is possible for the forensic examiner to investigate evidence of the web sites visited by the
suspected user once data such as cookies, history and the download list have been retrieved from the suspect’s
computer.

It is important to point out that Internet services can be used via many kinds of web browsers, and as such, a
single user can use various types of web browser at the same time. In the forensic investigation a different analysis
can be conducted for each browser; however, Lee and Oh (2011) argued that such an approach is not an appropriate
method to detect evidence of the criminal activity. It is also insufficient for the forensic examiner to investigate a
single log file from a single browser, since the evidence may exist within several log files. The study conducted by
Lee and Oh (2011) focuses on the most frequently used web browsers, such as Firefox, Internet Explorer, Opera, Safari,
and Chrome. Figure-1 shows recent statistics about the common web browsers and their percentage of usage among
global users:

Figure-1 Global usage of the web browsers

The study conducted by Lee and Oh (2011) proposed a new analysis and evidence collection methodology to
overcome the deficiencies in the collection and analysis tools used in investigating web browser crime evidence.
The methodology proposes that the tools used for the investigation should be able to achieve the following:

• The forensic tools should be able to offer integrated analysis of multiple web browsers.

• The forensic tools should be able to help the forensic examiner to determine the correct time zone of the suspect’s
online activities.

• The tools should be able to extract information such as user activities and search words.

• The tools should be able to decode encoded words in any URL.

• The tools should be able to recover deleted web browser information and log information.

Lee and Oh (2011) argued that EnCase and Cacheback are good examples of tools that do not provide integrated
analysis of various web browsers. The lack of such a capability will prevent the forensic examiner from detecting
evidence of the suspect’s activities when several web browsers were used to commit a crime. They also argued that
a tool such as Cacheback can perform integrated analysis of several web browsers; however, the tool uses an
uncomplicated parsing process to analyze the history files and cache of the web browsers, which may lead to missing
crucial evidence.

The majority of web browsers use different time formats, and for the forensic examiner to be able to conduct
integrated analysis across different browsers, a single time format should be used. Also, during timeline analysis
of the suspect’s online activities across different browsers, the different UTC time used by each browser should be
considered. Therefore, the forensic examiner must apply the time zone correction to the time information collected
during the digital investigation.

Lee and Oh (2011) explained that the search words used by the suspect in search engines should be investigated. The
keywords used in a search engine can be evidence of the suspect’s efforts to gather information about the cyber
crime. Such search words are usually saved as HTTP URL information. Every search engine (e.g. Google, Yahoo, and
Bing) has its own location where search words are saved on the suspected computer, and as such, a single method
cannot be used to extract the search words.
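An added example, not from the article or from WEFA, of pulling search words out of browser history URLs and decoding them per engine: the parameter names in SEARCH_PARAMS, the history line format and the SAMPLE_HISTORY entries are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the query-string parameter that carries the search words for
# each engine. The article states only that every engine stores them differently.
SEARCH_PARAMS = {"google": "q", "bing": "q", "yahoo": "p"}

def engine_for(host):
    """Map a host name to a known engine, e.g. www.google.co.uk -> google."""
    labels = host.lower().split(".")
    for name in SEARCH_PARAMS:
        if name in labels:
            return name
    return None

def extract_search_words(url):
    """Return (engine, decoded search words), or None if the URL is not a
    recognised search-engine query. parse_qs decodes %XX escapes and '+'."""
    parts = urlsplit(url)
    engine = engine_for(parts.hostname or "")
    if engine is None:
        return None
    param = SEARCH_PARAMS[engine]
    # Some engines have carried the query after '#' (Google Instant did), so the
    # fragment is checked as well as the query string.
    for section in (parts.query, parts.fragment):
        values = parse_qs(section).get(param)
        if values and values[0].strip():
            return engine, values[0]
    return None

def search_words_from_history(lines):
    """Walk history lines of the form '<ISO timestamp> <URL>' (constructed
    format) and return one record per search, keeping the timestamp so the
    result feeds straight into timeline analysis."""
    records = []
    for line in lines:
        stamp, _, url = line.strip().partition(" ")
        hit = extract_search_words(url)
        if hit:
            records.append({"time": stamp, "engine": hit[0], "words": hit[1]})
    return records

# Constructed sample history export, not real data.
SAMPLE_HISTORY = [
    "2011-03-14T09:12:05Z https://www.google.com/search?q=index.dat+file+format&hl=en",
    "2011-03-14T09:13:40Z https://www.bing.com/search?q=caf%C3%A9+forensics&form=QBLH",
    "2011-03-14T09:15:02Z https://search.yahoo.com/search?p=time%20zone%20bias%20registry",
    "2011-03-14T09:16:30Z https://www.google.co.uk/#q=daylight+saving+time+utc",
    "2011-03-14T09:17:11Z https://www.example.com/products?q=not+a+search+engine",
]
```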

Lee and Oh (2011) also indicated that the majority of web browsers provide the capability to erase information
such as history, cache, cookies and the download list, and once the log information has been erased or reinitialized
(overwritten) it will be difficult to retrieve such information during the digital investigation. If the log files were
deleted, it is possible to recover the deleted files and retrieve the log information. Also, data from an overwritten
file can be recovered from the session and history information files related to the specific browser. Information
generated by the web browser is saved in a partition of the operating system, and as such, deleted files can be
recovered as long as their metadata have not been overwritten by the metadata of other new files.

Lee and Oh (2011) introduced a browser forensic tool that can be used under Windows XP, Windows 7, Windows
Vista, and Windows 2000. WEFA (Web Browser Forensic Analyzer) is a forensic browser tool that targets the forensic
analysis of the commonly used browsers. Figure-2 shows the structure of the WEFA forensic tool:

Figure-2 WEFA Forensic Tool Structure

All the information extracted by the analysis module is used to start the searching process of the digital
investigation. WEFA provides regular expression search, keyword search, and search by time for various web
browsers. The following table presents a functional comparison among existing forensic tools used to investigate
browsers:

Table-2 the functional comparison among existing forensic tools used for investigating browsers

Recommended

• The investigation of Internet criminals’ activities shouldn’t be confined to a single file for a specific browser,
since the suspected user can use various web browsers to commit the crime.

• In searching for cyber activities, the log files, cookies, history, and downloads are crucial components in
investigating online activities.

• WEFA (Web Browser Forensic Analyzer) is an integrated forensic tool that can be used to investigate the online
activities of the suspected machine. The tool also generates reports based on the information selected by the
examiner during the digital investigation. The tool represents an improvement over the weak points of the other
forensic tools used for collecting and analyzing browser information related to a cyber crime case.

• In conducting an investigation to collect web browser evidence, it is essential that the investigation performs
integrated analysis of various browsers at the same time, using timeline analysis that can detect the suspect’s
movements over time.

• The search words must be included in the investigation to determine the objectives and the characteristics of the
suspect.

A good starting point for dealing with any suspicious file is to determine its functionality and its purpose. Aquilina
(2008) called this process “File Profiling”, and in this process the following questions should be answered:

• What is the file type?

• What is the file intended to achieve?

• What is the capability and functionality of the file?

• What does the file suggest about the level of the complexity of the attacker?

• How does the file affect the system?


File profiling is an essential part of malware analysis for the forensic examiner, to gain enough information about
the nature of the file to make an intelligent decision about how such a file should be categorized and what the file
is. File profiling entails a cursory static analysis of the suspected file’s code. Static analysis entails analyzing the
executable binary code without executing the suspicious file. Another approach is behavioral analysis, where the
suspicious file is executed and the code execution and the file’s interaction with the host system are monitored
(Aquilina, 2008).

Aquilina (2008) described the general file profiling approach in the following steps:

• Obtain detailed documentation and identify the location of the obtained suspected file.

• Obtain a cryptographic hash of the suspected file.

• Compare the indexing of the file against the original file.

• Classify and identify the type of the file (i.e. file format, target platform or architecture).

• Determine if the file contains known malicious code by scanning it with anti-spyware and anti-virus tools.

• Use executable file analysis tools to examine whether the file has malware properties.

• Extract and analyze the suspected file by reviewing any embedded Unicode or ASCII strings within the file, or by
identifying any symbolic information or file metadata.

• Determine if the file has any dependencies, or if it is linked statically or dynamically to any system application.

Identifying the file’s dependencies will provide early guidance about the functionality of the file, and about what
can be expected when running the analysis phase of the file, its libraries, and the system calls made during
execution. One of the tools that can help the forensic examiner to quickly assess whether a suspect binary file is
linked dynamically or statically is the DUMPBIN command-line utility that is part of the Microsoft Visual Studio
tools. The tool can parse the suspected binary file to provide valuable information about the file structure, format
and embedded symbolic information, as well as the library files required by the file. For example, to identify the
suspected binary file’s dependencies, the examiner should query the target file using the “/dependents” argument
(Aquilina, 2008).

To maintain the integrity of the suspected file, a digital fingerprint or unique identifier should be assigned to it.
Message-Digest 5 (MD5) can be used to generate a 128-bit hash value for malicious executable identification.
Generating an MD5 hash can be very helpful during dynamic analysis of the code. Executing the malicious code in the
suspected file can cause that file to relocate itself, or to copy itself under a random character name to a different
location, in order to hide. Also, these locations are often non-standard locations on the system, which makes it
difficult for the forensic examiner to detect the new location of the suspected file unless proper hashing was applied
to locate the file. Another action that can happen upon execution is a process known as camouflaging (an
anti-forensic technique), where the code renames itself to appear as a common or legitimate process. To avoid the
above problems, maintaining a public or private repository for reference via MD5 and SHA-1 hashes is an important
step in the file identification process, also called “file indexing” (Aquilina, 2008).

Aquilina (2008) suggested some excellent GUI-based file classification and identification programs that can be used
on the Windows platform, such as TrIDNet, Digital Record Object Identifier (DROID), and FileAlyzer.
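The header-based type check, the MD5/SHA-1 fingerprinting and the embedded-string review from the profiling steps above, as an added example that is neither the article’s nor Aquilina’s code: the signature table, the extension mapping and SAMPLE_FILE are constructed for the example, and a real examination would use a full signature database such as the tools named above.

```python
import hashlib
import re

# Constructed subset of header signatures (magic bytes) for the example.
SIGNATURES = [
    (b"MZ", "Windows PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP container (also DOCX/XLSX/JAR)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy Office)"),
]

# Assumption: what each extension claims the file is, used for the mismatch check.
EXTENSION_CLAIMS = {
    "exe": "Windows PE/DOS executable", "dll": "Windows PE/DOS executable",
    "pdf": "PDF document", "png": "PNG image",
    "zip": "ZIP container (also DOCX/XLSX/JAR)", "docx": "ZIP container (also DOCX/XLSX/JAR)",
    "doc": "OLE2 compound document (legacy Office)",
}

def identify_type(data):
    """Classify by the header bytes, never by the name the file arrived with."""
    for magic, description in SIGNATURES:
        if data.startswith(magic):
            return description
    return "unknown"

def fingerprints(data):
    """MD5 and SHA-1 digests for the file index / reference repository."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def extract_strings(data, min_len=4):
    """Printable ASCII runs and UTF-16LE ('Unicode') runs of at least min_len
    characters, the two string kinds the profiling steps ask to review."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    unicode_strings = [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return ascii_strings, unicode_strings

def profile(data, claimed_name):
    """File profile: real type versus claimed extension, fingerprints, strings."""
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    detected = identify_type(data)
    claimed = EXTENSION_CLAIMS.get(ext)
    ascii_strings, unicode_strings = extract_strings(data)
    return {
        "claimed_name": claimed_name,
        "detected_type": detected,
        # Only flag when the extension makes a claim we can check against the header.
        "extension_mismatch": claimed is not None and claimed != detected,
        **fingerprints(data),
        "ascii_strings": ascii_strings,
        "unicode_strings": unicode_strings,
    }

# Constructed sample: a fragment shaped like a PE header followed by a few
# embedded strings, delivered under a misleading name. Not a real binary.
SAMPLE_FILE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\x00"
    + b"KERNEL32.dll\x00\x00"
    + "C:\\Windows\\Temp\\svc.tmp".encode("utf-16-le") + b"\x00\x00"
)
```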

Recommended

• The forensic examiner cannot perform the investigation on the assumption that the presented file type is accurate;
additional examination of the file header has to be done to identify the actual file type.

• File profiling is an important procedure in the file identification process; it identifies the file type, the
capability, and the functionality of the file.

• It is important to identify the suspected file’s dependencies during the file identification process. One tool that
can be used to identify whether the file is linked dynamically or statically is the DUMPBIN command-line utility.

• Before the file examination process, it is paramount for the forensic examiner to perform the following:

• Maintain the integrity of the file by assigning it a digital fingerprint or unique identifier, using a tool that
generates a hash such as Message-Digest 5 (MD5).

• For file identification and classification, tools such as TrIDNet, Digital Record Object Identifier (DROID), and
FileAlyzer can be used.

PRESERVATION (COLLECTION/ACQUISITION) PROCESS


The current trend in organizations’ network architecture is shifting toward the Service-Oriented Architecture (SOA),
and as such, a new digital forensic approach that would produce admissible evidence for litigation is highly required.
Such an architecture raises the potential risk of personal information and proprietary data being shared among
different service providers. Another risk raised by such an architecture is that it is difficult to address the external
and internal threats that can compromise confidential information within an organization (Trcek and Starc, 2010).

The research paper by Trcek and Starc (2010) discussed a conceptual framework for forensic procedures which addresses
the ability of organizations to collect and preserve potential digital evidence proactively within the Service-Oriented
Architecture, so that it can be used later in a digital forensic investigation. The framework allows adopting service
organizations to configure their systems for proactive collection and preservation of potential digital evidence in a
structured manner. The framework suggested by Trcek and Starc (2010), called “Digital Forensic Readiness (DFR)”, adopts
two major objectives:

• Incident response to cybercrime should be minimized.

• The ability to collect digital evidence should be maximized.

To achieve the above objectives, special techniques were used, such as keeping network traffic log files and telephone
and e-mail records, and ensuring that the hardware devices embedded within such an architecture capture forensic
evidence and are reliable enough to enforce the Digital Forensic Readiness framework concept (Trcek and Starc, 2010).

Once misuse has been identified or detected on the network architecture, Trcek and Starc (2010) recommended that data
preservation take place by copying the original data and conducting the investigation on the copies. The original data
has to be preserved safely through predefined procedures, where the original media is sealed and a chain of custody
process is followed and documented to indicate how the original evidence was handled. Strong one-way hash functions are
used to obtain fingerprints of directories, files, and the whole media and its partitions as proof of integrity.

As Service-Oriented Architecture (SOA) becomes an essential architecture within many organizations, a forensic
framework that promotes proactive techniques to collect digital forensic evidence is highly required. Such techniques
should implement a network traffic log file system and also ensure that the hardware devices deployed within the
architecture capture forensic evidence. Data preservation must take place before any investigation: the original data
has to be copied and sealed, using one-way hash functions to provide proof of data integrity.

Mukasey and Hagy (2001) explained that the following general forensic principles should be applied when dealing with
digital evidence:

• Evidence should not change during the process of collecting, securing, and transporting digital forensic evidence.

• Collected digital evidence should only be examined by a skilled computer forensic investigator.

• All forensic evidence handling processes (e.g. seizure, transporting, and storage of digital evidence) should be
fully preserved, documented, and available for review.

• Handling digital evidence at the scene requires the first responders to bear in mind the following steps:

• Identify, recognize, seize, and secure all digital evidence at the scene.

• The specific location of the evidence and the entire scene should be documented and photographed.

• The digital evidence should be collected, labeled, and preserved.

• The digital evidence should be packaged and transported in a secure manner.

Digital evidence must be carefully preserved and handled in a way that maintains the integrity of the data it contains as
well as the physical condition of the digital device. Some digital evidence requires special transportation, collection,
and packaging techniques (Mukasey and Hagy, 2001).

Mukasey and Hagy (2001) listed some guidelines to be considered when the digital examiner handles digital evidence;
some of these guidelines are:

• Digital evidence should be kept away from magnetic fields.

• Exposure of digital evidence to extreme cold, heat, and humidity can destroy or damage evidence, and as such, these
conditions should be avoided when the evidence is handled or transported.

• Electronic devices and computers should be packed in a way that keeps them secure during transportation of the
evidence, to prevent damage due to vibration or shocks.

• The digital evidence should be documented and maintained through a chain of custody during the transportation
from one location to another.

Recommended

• During the digital forensic investigation, the digital evidence must be fully preserved and documented.

• The seizure and transportation of digital evidence should be recorded in a chain of custody document.

• Digital evidence is fragile and can be altered, modified, or damaged; as such, evidence media should be handled in
antistatic packaging.

• Exposure to extreme cold, heat, and humidity should be avoided when the digital evidence is handled or
transported.

Although Intrusion Detection Systems (IDSs) are used to detect intrusions as a defensive measure, such systems can
also be used to provide digital evidence in criminal proceedings. However, the features implemented in IDS products may
yield less information than would be useful for an evidence-acquisition tool. The criteria used to evaluate IDS
products as a source of legally admissible evidence include the correct preservation of evidence, the transparency of
the forensic method, and the continuity of evidence. The key to providing admissible evidence is providing multiple
independent streams of intrusion evidence that support or corroborate one another (Sommer, 1999). In the event of a
computer intrusion, collecting information and protecting the chain of evidence so that it stands up in a court of law
has always been a challenge. Current intrusion detection systems are not designed for such a purpose, where the
integrity of the collected information must be demonstrated through the procedures followed during the investigation.
There is a lack of direction on how to employ such systems to respond to intrusions while also capturing the
information and evidence required for the digital investigation. Sommer (1999) explained that, to turn the output of an
Intrusion Detection System into reliable, legally admissible evidence, the following recommendations describe the steps
required to re-design Intrusion Detection Systems as a source of evidence. Evidence acquisition is best carried out
against a checklist that identifies the major problems of admissibility in a court of law and focuses on how such
acquisition can be presented and explained in court.

• It is recommended that an IDS collect multiple independent streams of evidence that validate each other, instead of
a single stream of evidence that is unlikely to be admissible in legal action. The feature that links these
independent streams is the date and time clock data.

• If the IDS tool produces logs, it should be possible to disclose in detail the complete information about how the
tool builds its log files.

• IDSs should be configured to prevent the evidence logs captured during the attack from being compromised by the
attackers.

• Continuity of evidence (chain of custody) should be maintained through entries created by software, to prevent
tampering.

• Intrusion Detection Systems should be configured to create multiple independent streams of evidence that can
corroborate each other.

• Evidence collection via IDS should be carried out against a checklist that allows such evidence to be admissible in
a court of law.

• IDSs should be configured to prevent any tampering with the log files they produce.
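Two of the recommendations above, tamper-evident log entries and independent streams linked by clock data, as an added Python example (written for this page; not Sommer’s design or any IDS product’s code). Each evidence record carries a SHA-256 over the previous record’s hash, and `correlate` groups records from different sensors by timestamp. The function names and the sample events are constructed.

```python
import copy
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64          # prev-hash of the first entry
TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"

def _entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_entry(chain, timestamp, source, message):
    """Append one evidence record. Its hash covers the previous entry's hash, so editing,
    reordering or deleting any earlier entry invalidates every hash after it. Hypothetical API."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "ts": timestamp, "source": source, "message": message}
    entry = dict(record, prev=prev, hash=_entry_hash(prev, record))
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Return (True, None) if every link checks out, else (False, index of the first bad entry).
    The final hash still has to be anchored somewhere the attacker cannot reach (written on a
    custody form, copied off-host); otherwise a tamperer could simply recompute the chain."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        record = {k: entry[k] for k in ("seq", "ts", "source", "message")}
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _entry_hash(prev, record):
            return False, i
        prev = entry["hash"]
    return True, None

def correlate(chain, window_seconds=5):
    """Group entries whose timestamps fall within `window_seconds` of the previous one and keep
    the groups seen by two or more independent sources: the clock is the feature that links
    the streams, and a multi-source group is the corroboration Sommer asks for."""
    ordered = sorted(chain, key=lambda e: e["ts"])
    groups, current = [], []
    for e in ordered:
        t = datetime.strptime(e["ts"], TS_FORMAT)
        if current and t - datetime.strptime(current[-1]["ts"], TS_FORMAT) > timedelta(seconds=window_seconds):
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [g for g in groups if len({e["source"] for e in g}) >= 2]

# Constructed sample events from three independent sensors; not real traffic.
SAMPLE_EVENTS = [
    ("2013-03-01T10:15:02+0000", "ids",      "ALERT portscan 10.0.0.23 -> 10.0.0.5"),
    ("2013-03-01T10:15:03+0000", "firewall", "DENY tcp 10.0.0.23:4432 -> 10.0.0.5:23"),
    ("2013-03-01T10:15:04+0000", "syslog",   "sshd: Failed password for root from 10.0.0.23"),
    ("2013-03-01T11:40:00+0000", "ids",      "INFO signature set reloaded"),
]

def build_sample_chain():
    chain = []
    for ts, src, msg in SAMPLE_EVENTS:
        append_entry(chain, ts, src, msg)
    return chain

def tamper_demo():
    """Show that a single edited message is caught: returns (intact_before, intact_after, bad_index)."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)
    tampered = copy.deepcopy(chain)
    tampered[2]["message"] = "sshd: session closed"       # the failed-login line rewritten
    ok_after, bad = verify_chain(tampered)
    return ok_before, ok_after, bad

if __name__ == "__main__":
    print("tamper check:", tamper_demo())
    for group in correlate(build_sample_chain()):
        print("corroborated by", sorted({e["source"] for e in group}))
```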

New methods of acquisition have become available for the forensic investigation of Windows Mobile devices, where access
to information and deleted files on these devices can be acquired. However, tools for analyzing and interpreting data on
Windows Mobile devices are struggling to keep up with the ever-changing technology. Forensic analysis tools need to
understand the nature of the file formats used on the mobile devices and the underlying technology before employing a
variety of tools to extract useful information. For example, some files that might contain forensic artifacts on Windows
Mobile devices are locked by the operating system, and it is difficult to obtain a duplicate copy of these files.
Furthermore, the interpretation of data attributes varies among tools, and many tools have difficulty interpreting the
acquired data, which can result in misrepresentation of important evidence (Casey and Doyle, 2010).

The forensic acquisition tools do not have direct access to the flash memory on the mobile device, and as such, this
represents a limitation of the forensic acquisition tools (Casey and Doyle, 2010).

Current tools run a customized software agent on the target in order to acquire information from the storage areas of
Windows Mobile devices. This acquisition requirement represents another limitation. Some mobile devices do not permit
unregistered programs to run, and as such, the devices must be reconfigured to allow the forensic acquisition tools to
be installed and to run properly. Two forensic acquisition tools can be used to collect information from Windows Mobile
devices: XACT and ITSUILS. Both tools require software to be placed on the acquired device (using ActiveSync) before
data can be acquired (Casey and Doyle, 2010).

Although the forensic tools may be able to acquire data from removable media through the mobile device, such a process
may alter data on the storage media (i.e. micro SD). Also, the device will not allow forensic analysis tools to access
deleted data. Other information that can be accessed by the forensic acquisition tools includes: information
encapsulated in multiple embedded databases that carry details about calls, contacts, and communications; Windows
Registry hives; and artifacts created by the device when MMS and e-mail messages are received and opened (Casey and
Doyle, 2010).

Recommended

• XACT and ITSUILS are both recommended forensic acquisition tools for Windows Mobile devices. Both tools require
software (ActiveSync) to be installed on the device to perform the data acquisition process. This requirement is a
limitation of these tools, since the installation changes the Windows registry on the device.

• The limitation of the above forensic software tools should be considered, as the mobile device may prevent such
tools from accessing deleted files on the device’s removable storage.

• The sources of information available on mobile devices are: main storage, removable storage, embedded databases
on the main storage that may carry detailed artifacts about calls, contacts, and communications (MMS and e-mail
messages), and the Windows Registry.

Pan and Batten (2009) explained that questions might come up in the courtroom about the performance and accuracy of the
forensic software tools, such as:

• Did the forensic expert use tool A?

• Did the forensic expert use tool B because it is faster than tool A?

• Among the forensic tools A, B, and C, which tool performs better in aiding the case?

Lawyers and the judge may be very interested in the answers to the above questions in order to find possible errors or
flaws in them. Questions about the use of the most appropriate approach and about maintaining integrity and accuracy
during the acquisition of the evidence can also come up in the courtroom. In addition, the specifications of the forensic
tools stated in the tools’ manuals do not always match the actual behavior of the software. Such discrepancies can
create problems during the forensic investigation, and being aware of such details allows the forensic experts to avoid
these problems (Pan and Batten, 2009).

Pan and Batten (2009) argued that both heavy workloads and the different skill levels of forensic experts are conducive
to inaccurate results and errors during the testing of forensic tools. To guarantee the quality of the testing results,
the benchmarking of forensic tools based on performance and accuracy should rely on replicated observations rather than
on exceptional results.

Currently, various official organizations are leading efforts to test digital forensic tools, focusing on correctness
(accuracy) testing; some of these testing efforts are:

• The Computer Forensic Tool Testing (CFTT) program conducted correctness tests against write blocking tools and disk
imaging tools.

• The Scientific Working Group on Digital Evidence (SWGDE). However, the tests and their results are not publicly
accessible.

• The U.S. Department of Defense. However, the tests do not provide guaranteed outcomes, and the project is not
publicly accessible.

Government-based testing (e.g. CFTT and SWGDE) is unable to satisfy the increasing need for testing digital forensic
tools built for different purposes. Such testing does not address the increasing requirements for measuring and
adjusting for performance degradation in high-volume, complex forensic investigation environments. Also, the
unavailability of government-based tests can be a potential reason for further decline in the quality of test results.
Digital forensic investigation relies on the evidential facts delivered by various forensic tools, and as such, testing
these tools should be based on scientific methods. It is crucial for forensic experts to conduct their tests based on
the guidelines published by the agencies mentioned earlier (e.g. CFTT and SWGDE). Also, testing criteria should be free
of ambiguity and be limited to the specific parameters used in previous tests (Pan and Batten, 2009).

Recommended

• In testing forensic software tools, the test guidelines and criteria used by both CFTT and SWGDE should be
followed.

• It is imperative that the testing criteria be free of ambiguity and be limited to the specific parameters used in
previous tests.

The Computer Forensic Tool Testing (CFTT) program is a joint effort of the National Institute of Justice (NIJ), the
research and development organization of the U.S. Department of Justice (DOJ), and the National Institute of Standards
and Technology’s (NIST’s) Office of Law Enforcement Standards and Information Technology Laboratory. The project is
supported by other organizations, including the U.S. Department of Defense Cyber Crime Center, the Federal Bureau of
Investigation, the U.S. Department of Homeland Security’s Bureau of Immigration and Customs Enforcement, and the U.S.
Internal Revenue Service. The objective of the project is to provide measurable assurance to researchers, practitioners,
and other concerned groups that such tools produce accurate results during computer forensic investigations. To achieve
this goal, test method specifications for computer forensics tools had to be developed so that tools could subsequently
be tested against those specifications. The outcomes of the project are test results that provide the information
necessary for users to make informed choices, for software developers to improve their tools, and for the legal
community and others to understand the capabilities of such tools. The CFTT project’s approach is based on well-defined
methodologies for testing computer forensic tools, in an effort to achieve quality testing. The CFTT project’s reports
are presented in five sections:

• A summary of the test results, which helps readers assess the suitability of the tool for the intended use.

• The remaining sections of these reports present information about how the tests were conducted, the details of the
test cases and the justification for selecting them, the software and hardware used to run the test cases, and a
description of each test case.

• The following are the test results of some of the tools tested in the CFTT project:

• Holder and Rose (2010), Test Results for Forensic Media Preparation Tool: Logicube Omniclone 2xi

• The Omniclone 2xi hard drive duplication system was engineered for high-volume hard drive cloning (duplication). It
supports cloning UDMA, EIDE, IDE, and SATA drives at over 4 GB/min. The Omniclone system also offers an optional
database software program for logging and scanning the hard drive cloning sessions (e.g. hard drive model, maker, and
serial number). The system is compatible with most operating systems (logicube.com, 2010).

Holder and Rose (2010) indicated that the Logicube Omniclone was tested for its ability to overwrite sectors. The main
function of the device is duplicating a hard drive by cloning a master drive to one or more target drives. The device has
a secondary function that can wipe any of the target drives. The test conducted through the CFTT project covers the
results of testing the wipe function.

Results Summary
After running all the test cases designed by the CFTT project on the Logicube Omniclone 2xi, it was found that all
visible sectors were successfully overwritten, the tool behaved as designed by the vendor, and hidden sectors were not
overwritten by the tool. Secure erase mode was omitted from the tests, since the tool does not support that option.

Recommended

• Logicube Omniclone 2xi is a recommended tool for the preservation (collection) process.

• Mukasey and Hagy (2008), Test Results for Digital Data Acquisition Tool: EnCase LinEn 5.05f

EnCase is a tool used for acquiring hard drive data. The tool can recognize removed partitions that are not recognized
by DOS and other Windows operating systems. Although EnCase is dedicated to examining the contents of evidence files,
it has a feature to sterilize/wipe the hard drives used as the forensic evidence collection repository. It is good
forensic practice to wipe the forensic drive before reusing it.

Results Summary
The EnCase tool acquired all hidden and visible sectors on the tested media during the test. The tool was able to
acquire the data from the test media, and it can be used for acquiring data from Windows and Linux operating systems.

Recommended

• The EnCase tool is a reliable acquisition tool that can access the hidden and visible sectors on the media subject
to the digital investigation.

• It is good forensic practice to wipe the forensic drive before using it. EnCase has the capability to sterilize or
wipe the forensic drive before it is used in the forensic acquisition process.

Ashcroft and Hart (2004), Test Results for Software Write Block Tools: RCMP HDL V0.8
RCMP HDL V0.8 is a software tool that is used during the digital forensic investigation for data acquisition. Write
block software allows acquisition of data from any media while preventing any possibility of accidentally writing to,
changing, or damaging the acquired drive. Such software applies this approach by allowing read commands to the acquired
media while blocking write commands to it.

Results Summary
• All the test cases run against the software tool concluded that the tool always blocked commands that would have
changed the protected drives.

• All the test cases run against the software tool concluded that the tool always allowed commands to obtain
information from the protected drives.

• In all the test cases run against the software tool, the tool always allowed commands to access the unprotected
drives.

• The software tool functioned during the testing as documented, and no anomalies were observed.

Recommended

• The RCMP HDL V0.8 software write block tool is recommended for use during the data acquisition of any media. The tool
is reliable and functions as per its documented behavior.

Daniels and Hart (2004), Test Results for Disk Imaging Tools: dd
Daniels and Hart (2004) explained that the dd disk imaging software tool is used for the disk cloning process. The tool
can copy a computer hard drive’s content to another disk or create an image file. This approach is useful in the digital
forensic acquisition process, where a copy of the suspected computer’s hard drive can be obtained and loaded onto the
forensic drive for further analysis and examination. The disk drive copying process can be performed through disk
imaging or bit-stream duplication.

Results Summary
• The dd utility obtained an accurate image, or bit-stream duplicate, of all disk sectors of the disks or disk
partitions in the test cases run against the tool.

• During the test cases, a SHA-1 hash of the original source disk was created before imaging so that any alteration of
the source could be detected. Another SHA-1 hash of the source was created after the test case was completed, and both
hash values matched (i.e. this process proved that the source media remained intact while an image or bit-stream
duplicate of the original disk was obtained). This process verifies the integrity of the disk image file.

• The dd utility produced an I/O error log.
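The dd test procedure summarized above, as an added Python model (written for this page; not code from the CFTT report or from dd itself): the source is hashed with SHA-1, imaged sector by sector with `conv=noerror,sync`-style handling of unreadable sectors, then hashed again, and the three hashes are compared while the I/O errors are logged. The `Device` class and the sample sector data are constructed stand-ins for a real drive.

```python
import hashlib

SECTOR = 512  # bytes; the block size dd reads with bs=512

class Device:
    """Constructed stand-in for a source drive: a bytearray of whole sectors plus a set of
    sector numbers that fail to read, to exercise the I/O-error path. Not a real device API."""
    def __init__(self, data, bad_sectors=()):
        if len(data) % SECTOR:
            raise ValueError("device size must be a whole number of sectors")
        self.data = bytearray(data)
        self.bad_sectors = set(bad_sectors)

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n in self.bad_sectors:
            raise OSError(f"Input/output error reading sector {n}")
        return bytes(self.data[n * SECTOR:(n + 1) * SECTOR])

def stream_sectors(dev, errors):
    """Yield every sector in order, like `dd conv=noerror,sync`: an unreadable sector is
    recorded in `errors` and replaced by zeros so later data keeps its offsets."""
    for n in range(dev.sectors):
        try:
            yield dev.read_sector(n)
        except OSError as exc:
            errors.append(f"sector {n} (offset {n * SECTOR}): {exc}")
            yield b"\x00" * SECTOR

def hash_device(dev):
    """SHA-1 over the device as read through the same error-handling path."""
    errors = []
    h = hashlib.sha1()
    for sector in stream_sectors(dev, errors):
        h.update(sector)
    return h.hexdigest(), errors

def acquire_image(dev):
    errors = []
    image = bytearray()
    for sector in stream_sectors(dev, errors):
        image.extend(sector)
    return bytes(image), errors

def acquire_and_verify(dev):
    """The CFTT dd procedure in miniature: hash the source, image it, hash the source again,
    then compare source-before, source-after and image hashes. The error log must travel with
    the hashes: a hash over zero-filled sectors does not by itself show they were unreadable."""
    before, _ = hash_device(dev)
    image, io_errors = acquire_image(dev)
    after, _ = hash_device(dev)
    image_sha1 = hashlib.sha1(image).hexdigest()
    return {
        "source_sha1_before": before,
        "source_sha1_after": after,
        "image_sha1": image_sha1,
        "source_unchanged": before == after,
        "image_matches_source": image_sha1 == before,
        "io_errors": io_errors,
        "image": image,
    }

def build_sample_device():
    # Constructed 8-sector device: each sector is filled with its own index byte; sector 5 is bad.
    data = b"".join(bytes([n]) * SECTOR for n in range(8))
    return Device(data, bad_sectors={5})

if __name__ == "__main__":
    result = acquire_and_verify(build_sample_device())
    for key in ("source_sha1_before", "source_sha1_after", "image_sha1",
                "source_unchanged", "image_matches_source"):
        print(f"{key}: {result[key]}")
    for line in result["io_errors"]:
        print("I/O error:", line)
```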

Recommended
• The dd utility is recommended for the digital forensic acquisition process, where a disk image or bit-stream
duplicate can be obtained from the source media of the suspected computer.

• A bit-stream duplicate is more accurate than a disk image, and it provides a higher degree of data integrity.

Sedgwick and Hagy (2008), Test Results for Mobile Device Acquisition Tool: Paraben Device Seizure 2.1
Sedgwick and Hagy (2008) explained that Device Seizure 2.1 is a digital forensic tool that can examine PDA and cell
phone data. The tool can be used in the digital forensic acquisition process to gain access to deleted data, perform
data recovery, and take full data dumps. The tool is capable of verifying the integrity of the collected data through the
use of MD5 and SHA-1 hash values. The tool supports multi-language searching. It also produces comprehensive reports of
the collection results (HTML format), encrypts image files to maintain integrity, supports text searching and exporting
data to a PC, and provides the capability for forensic examiners to view acquired data via an external viewer.

Results Summary
• In the test cases, the tool was able to acquire data from the mobile device’s internal memory, the SIM’s internal
memory, and the physical storage on the device.

• The tool was able to generate a report that provides information about the device’s internal memory, the SIM’s
internal memory, and the physical storage on the device.

Recommended

• The Paraben Device Seizure 2.1 tool is recommended for the mobile device acquisition process during the digital
forensic investigation. The tool can maintain data integrity during acquisition of the mobile device’s internal memory
and of the physical storage media on the device.

Brown (2005) explained that the collection of evidence is controlled and limited by the legislation or constitution of
the country in question. For example, in the United States such limitations are defined by the Fourth Amendment to the
Constitution. When the forensic investigation is based on consent, two important facts govern such consent: who gave the
consent, and the scope of the consent. One of the challenges to computer evidence is authenticity, which has to answer
questions such as: was the data collected as evidence altered? Was the program responsible for generating such data
reliable?

To provide good answers to the above questions, a good forensic methodology should be used that promotes documentation
of the chain of custody and applies cryptographic hash verification to ensure the integrity of the process and avoid
alteration. Brown (2005) also explained that another challenging area of computer forensic evidence is related to the
way such evidence is presented. The focus of the forensic examiner should be on collecting data that represents facts
rather than drawing quick conclusions about what actually happened in the cyber criminal case. Also, understanding the
forces that can act on evidence (also called evidence dynamics) is an important element in the forensic investigation;
some of these forces are:

• Human forces – humans act on the digital evidence and can affect its collection and preservation in various ways.
The forensic examiners themselves are part of the forces of evidence dynamics. The suspect of the crime is another
force affecting evidence collection, since the suspect usually has the desire to hide and eliminate the traces of the
crime and to restrict access to any potential evidence.

• Identification – A common complaint from computer forensics examiners is that the first responder to the digital
crime incident turned on the suspected computer to search for evidence and contaminated the crime scene, or powered
off the computer thinking that such an action would preserve the evidence. Adherence to the first-responder rules
eliminates many of the issues that might contaminate the digital evidence while attempting to identify it. In an effort
to identify the digital evidence for collection, it is always important that the first responders identify more digital
evidence rather than less. Identifying volatile data that may be in the suspected machine’s memory or the printer’s
memory is an important part of the investigation.

• Collection – What first responders should focus on in this phase is maintaining the initial state of the evidence so
that the forensic examiners can collect it, instead of simply identifying the evidence and bagging and tagging it.
Preserving volatile data for subsequent processing is an important rule for the first responders.

Recommended

• First responders to a digital crime scene should adhere to the rules that eliminate evidence contamination.

• Identification of the containers of volatile data by the first responders is a very important process in the digital
forensic investigation. Some of these containers are: the computer’s memory, and the printer’s memory, hard disk, or
permanent storage.

In the early days of computer forensics, the evidence collection process in a forensic investigation focused on the
decision of whether to initiate an orderly shutdown or to pull the plug on the computer in question. In most cases the
investigators chose their shutdown method and proceeded with simply bagging and tagging the entire system, or with
taking a bit-stream image of the disk. Today’s forensic investigation includes the volatile data in physical memory, for
a chance to collect useful information. It is important that the forensic investigator act as a first responder to
collect volatile data from the computer in question, since the longer a forensic investigator waits to collect such
data, the greater the chance of losing useful data from the physical memory (Brown, 2009).

Brown (2009) argued that forensic science in digital investigation continues to come up with innovative ways to harvest
information from computer RAM, even when the system has been shut down. Using a method such as cold booting,
information in memory (e.g. encryption keys and passwords) is often still available for imaging for several seconds
after the system has been shut down. This approach received great attention from researchers in the digital forensic
field, especially since the time frame can be greatly expanded by the simple technique of cooling the physical memory.

In collecting volatile data from memory in raw format, dumping the raw physical memory to a file is the best approach.
Such a process is similar to disk bit-stream imaging. Harvesting the data via this method avoids the need for the
forensic examiner to know information about the system in question, such as the currently running operating system or
the CPU architecture. The memory dump approach provides simplicity and reduces the ways in which the investigator
interacts with the system. One of the common ways of performing a memory dump is to use an application already installed
on the system, or to use a CD-ROM to run a memory-resident agent. In both cases, the application should dump the
physical memory to external media through an I/O port such as Universal Serial Bus or FireWire (Brown, 2009). Although
the application or agent used for the memory dump requires interacting with the physical memory, the footprint of such
a program in the physical memory is relatively small, and in most cases this is considered a reasonable step to take in
an effort to recover valuable information such as encrypted passwords or encryption keys. Other researchers suggested a
Peripheral Component Interconnect (PCI) card called Tribble to dump the contents of the physical memory without
displacing or disturbing any data in it. The only drawback of this approach is that the device has to be installed
before the need for data collection arises. The collection of processed volatile physical memory, i.e. the data obtained
from a live system where the forensic application is run on the system by the forensic examiner to collect such data,
is considered a supplement to the collection of the raw physical memory. Although processed volatile physical memory is
a great approach, forensic examiners should take into account that such data is not complete and can be altered during
the collection process. Therefore, the processed volatile physical memory contents should be treated as a supplement to
the collected raw contents of the physical memory (Brown, 2009).

Recommended

• Volatile data that can be collected from the physical memory during the forensic investigation usually contains
valuable information such as passwords and encryption keys, and it should be considered an essential part of evidence
acquisition.

• Processed volatile physical memory contents should be treated as a supplement to the collected raw physical memory
during the forensic investigation.

Mobile devices add challenges and complexity to the forensic acquisition, decoding, and presentation processes. In most
cases the memory of a mobile device is integrated into the device, which makes isolating the data container before
recovery difficult. In addition, the manufacturers of such technology have adopted a variety of file formats and file
systems that make decoding and presenting the acquired data more difficult (Grispos and Glisson, 2011).

To isolate the memory chips from a mobile device, the chips have to be disconnected from the device, which carries a
risk of permanent damage. Grispos and Glisson (2011) pointed out that the forensic examiner should avoid the isolation
approach; instead, the memory can be accessed through the firmware, or by interacting with the operating system of the
device, to reach the data stored in the device's file system. However, this approach depends on the software and the
firmware on the device remaining unchanged. Once the acquisition has been completed successfully, the acquired data
must be decoded. However, there is no standard format for such data and no standard file system that can be relied on
during the decoding of the acquired data.

For the above reasons, recovering evidence from mobile devices adds challenges and complexity to the established
principles of forensic evidence acquisition. Various toolkits and approaches may recover artifacts, or a subset of the
data on a mobile device, inaccurately. The research paper by Grispos and Glisson (2011) compared several methods that
can be used to recover evidence from a Windows Mobile smartphone (WMV). The paper presents different techniques
applied to a single device, and it also tries to answer the following questions:

• What is the possibility of recovering deleted data from a binary image stored in the memory of a Windows Mobile
device?

• What types of artifacts or embedded databases can be retrieved from a physical acquisition but not from a logical
acquisition?

• Which current digital forensic products can efficiently locate all the evidence on a Windows Mobile device?

Grispos and Glisson (2011) argued that there are a number of similarities between the Windows desktop operating
system and the Windows Mobile operating system, including:

• Windows Mobile uses the Transaction-Safe FAT (TFAT) file system to manage the persistent memory installed on the
device. The file system structure is similar to the layout of the FAT file system used on the Windows desktop
(Grispos and Glisson, 2011).

• The directory structure on Windows Mobile is similar to the directory structure on the Windows desktop, including
“My Documents”, “Documents and Settings”, and “Program Files” (Grispos and Glisson, 2011).

Grispos and Glisson (2011) also stated a number of facts about Windows Mobile devices, including:

• Short Message Service (SMS) messages, phone call records, and personal contact records are stored in embedded
databases in the files pim.vol and cemail.vol in the root directory.

• Forensic tools such as Xpdumpcedb.exe, wmdumpedb.exe, and Python scripts can be used to forensically investigate
the embedded database files pim.vol and cemail.vol.

• A Python script called Msgcrving.py is used to recover the message directory structure, reconstruct the TFAT file
system, and recover deleted contents from the cemail.vol database file.

• Windows Mobile devices use registry hives to hold information about the device. Information such as the device
configuration and user settings is stored in the registry. Microsoft Remote Registry Editor can be used to examine
the various registry hives stored on the device (Grispos and Glisson, 2011).

Recommended

• The following forensic tools can be used on Windows Mobile devices:

  • Xpdumpcedb.exe, Wmdumpedb.exe, and Python scripts can be used to investigate the embedded database files
  pim.vol and cemail.vol.

  • A Python script called Msgcrving.py can be used to recover the message directory structure, reconstruct the TFAT
  file system, and recover deleted contents from the cemail.vol database file.

  • Microsoft Remote Registry Editor can be used to examine the various registry hives stored on the device.

• When investigating a Windows Mobile device, it is important for the forensic investigator to use a diverse range of
tools for the acquisition and examination of the information held on the device. The results obtained from different
tools should be compared for differences, and such differences can form part of the evidence presentation process.

The research paper by Kenneally and Brown (2005) addressed the risk involved in bit-stream imaging of large-capacity
media (e.g. hard drives larger than 200 GB) during the evidence acquisition process of a forensic investigation. The
paper also explores a methodology that can achieve evidentiary reliability while balancing the risks of selective
imaging. The primary risk associated with current bit-stream imaging arises from the fact that computer forensic
acquisition is no longer performed on small storage capacities on a single machine; rather, the scope of potential
evidence has grown to networks of interconnected computers with large storage capacities.

To overcome the new challenges of ever-changing technology, the forensic profession has to answer an important
question: whether forensic professionals will continue to force an ineffective methodology to meet evidentiary
standards, or adopt a strategy that offers a better solution and reduces acquisition time and resources. The current
methodology used by forensic professionals relies on bit-stream imaging of entire drives; however, the fast pace of
change in computer technology demands a revision of computer evidence collection methodologies, to balance resource
cost, time, and technical challenges against the evidentiary demands for completeness, reliability, accuracy, and
verifiability established by the Federal Rules of Evidence (Kenneally and Brown, 2005).

The traditional digital evidence collection methodology rests on a convincing argument that forensic examiners should
not perform analysis on the original evidence, since the volatile nature of disk and network evidence makes such
analysis potentially destructive. This practice also helps eliminate the challenges that any evidence can face in a
court of law. To support the requirement to preserve the original evidence, the traditional collection procedure
emphasizes taking the computer in question offline and creating a bit-stream image of the entire original evidence
disk. In this process the data from the original disk is copied sector by sector to a target image file or disk.
Write-blocking is enforced to protect the original disk, and error recovery and logging are considered part of the
process. Cryptographic hash values of the source and the target are computed alongside the bit-stream imaging for the
purpose of integrity verification.

Kenneally and Brown (2005) argued that the benefits of the traditional bit-stream imaging methodology are that the
process is well understood among forensic professionals and that it reduces the risks involved in acquisition, such as
hardware failures or evidence spoilage. However, the time needed to image using this methodology is proportional to the
size of the target disk. In addition to the challenges of the traditional acquisition process, the complexity of
distributed data stores and of the digital media devices harboring potential evidence represents another challenge to
the forensic investigation. Once the digital evidence media has been identified, the forensic investigator is faced
with the following steps:

• Emergency measures and photography have to be performed as standard crime scene processing.

• The chain of custody document should be initiated for every item collected during the investigation.

• Tamper-proof bags should be used to support a verifiable chain of custody for any loose media. All items should be
tagged and bagged.

• Hard disks and other storage media should be identified, and the method of collection should be determined.

• Volatile data such as physical memory contents, the system clock, and running processes should be collected as
required. This must be done before the imaging process.

Kenneally and Brown (2005) pointed out that, in response to the current changes in computer technology and the
distribution of evidence across computer networks, a Risk Sensitive Evidence Collection methodology was proposed. This
methodology promotes pre-acquisition filtering and searching of evidence in order to minimize the collection of
irrelevant data. This is the opposite of the traditional bit-stream methodology, where filtering and searching occur
post-acquisition, during the examination phase of the forensic evidence. The two critical components of the Risk
Sensitive Evidence Collection methodology are:

• Live search and identification of digital evidence, which is the basic approach used by the methodology.

• Selective extraction of evidence, where artifacts from the digital media can support the selection.

The Risk Sensitive Evidence Collection methodology is designed to be more cost-sensitive, reducing the resources and
time required by the forensic investigation. It also reduces the time required for forensic analysis, since irrelevant
data is filtered out during the evidence acquisition process. However, some critics have argued that the methodology
fails to provide verifiable, complete, and accurate results, because it promotes dynamic selective search, collection,
and extraction of live data, which in their view makes such evidence unverifiable and inaccurate. The authenticity of
the approach can also be challenged on the grounds that the digital data could have been altered after it was
collected. Such arguments are shown to be wrong, since the Risk Sensitive methodology promotes the use of hashing
techniques, which are sufficient to prove the integrity of the digital data. Regarding the authenticity challenge, it
is impossible to verify the absence of evidence, since it is difficult to define the parameters of a digital crime
scene in a dynamic environment (Kenneally and Brown, 2005).
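
Both methods discussed above side by side, as an added example that is not part of this paper or of Kenneally and Brown's work: a sector-by-sector image of a constructed disk file (the source is only ever opened read-only, standing in for a write-blocker) with error recovery for unreadable sectors, logging, and hash verification, followed by a risk-sensitive selective collection that filters a constructed evidence directory by extension and keyword before acquiring anything and hashes every item it keeps. The sector size, the simulated bad sector, the keyword and the sample files are assumptions made for the demo.

```python
"""Bit-stream imaging beside risk-sensitive selective collection.

Added example, not code from Kenneally and Brown (2005) or from this paper.
A constructed 'disk' file is imaged sector by sector with error recovery,
logging and parallel hashing; a constructed evidence directory is then
collected selectively, filtering before acquisition and hashing each item.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for the demo


class BadSector(Exception):
    """Simulated read failure for one sector (constructed, for the demo)."""


def read_sector(src, index, bad_sectors):
    """Read one sector; sectors listed in bad_sectors fail like a damaged disk."""
    if index in bad_sectors:
        raise BadSector(index)
    src.seek(index * SECTOR)
    return src.read(SECTOR)


def hash_file(path):
    """SHA-256 of a whole file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_image(source_path, image_path, bad_sectors=frozenset()):
    """Traditional method: copy every sector of the source into the image.

    Unreadable sectors are zero-filled and logged, the hash of the written
    stream is computed in parallel with the copy, and the finished image is
    re-hashed independently so the two values can be compared.
    """
    h, failed = hashlib.sha256(), []
    sectors = (os.path.getsize(source_path) + SECTOR - 1) // SECTOR
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for i in range(sectors):
            try:
                chunk = read_sector(src, i, bad_sectors)
            except BadSector:
                chunk = b"\x00" * SECTOR      # error recovery: zero-fill and log
                failed.append(i)
            h.update(chunk)
            dst.write(chunk)
    return {"stream_hash": h.hexdigest(), "image_hash": hash_file(image_path),
            "bad_sectors": failed, "sectors": sectors}


def selective_collect(root, keywords, extensions):
    """Risk-sensitive method: filter first, then acquire and hash only the hits.

    Every decision is logged, so the record shows what was ignored and why.
    """
    manifest, ignored = [], []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(tuple(extensions)):
                ignored.append((path, "extension out of scope"))
                continue
            with open(path, "rb") as f:
                data = f.read()
            if not any(k in data for k in keywords):
                ignored.append((path, "no keyword hit"))
                continue
            manifest.append({"path": path, "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
    return manifest, ignored


def demo():
    """Run both methods on constructed inputs and return their results."""
    tmp = tempfile.mkdtemp()
    disk = os.path.join(tmp, "disk.raw")
    with open(disk, "wb") as f:
        f.write(bytes(range(256)) * 8)       # 2048 bytes = 4 sectors, constructed
    image = bitstream_image(disk, os.path.join(tmp, "disk.dd"), bad_sectors={2})
    image["source_hash"] = hash_file(disk)   # the source file itself is readable here
    docs = os.path.join(tmp, "docs")
    os.makedirs(docs)
    samples = {"memo.txt": b"move the invoice payment to the new account",
               "notes.txt": b"lunch menu for friday",
               "photo.jpg": b"\xff\xd8 invoice bytes in an image"}
    for name, content in samples.items():
        with open(os.path.join(docs, name), "wb") as f:
            f.write(content)
    manifest, ignored = selective_collect(docs, [b"invoice"], [".txt"])
    return image, manifest, ignored
```

Running demo() shows the two records an examiner ends up with: for the image, the stream hash and the independently computed image hash agree, while the zero-filled sector makes both differ from the source hash, which is exactly the discrepancy the bad-sector log exists to explain; for the selective collection, the manifest carries a hash per acquired item and the ignore log states why each rejected file was left behind, which is the "well defined set of what will be ignored or collected" the text asks for.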

Recommended

• The traditional digital evidence collection methodology (bit-stream or sector-by-sector imaging) can be used for
small-volume media, where the cost and resources are relatively suitable for such a process.

• The Risk Sensitive Evidence Collection methodology (applying search and filtering to live data to select an
evidence data set) can be used for large-volume media (e.g. mounted volumes greater than 200 GB), where cost and
resources can be optimized because irrelevant data is minimized by filtering and searching live data before evidence
collection.

The popularity of network technology is causing a dramatic shift in digital investigation and in the evidence
acquisition process: what was once an investigation of a disk tied to a single individual is now becoming an
investigation of a distributed system across remote networked machines. The network interactions among these machines
become a source of network evidence, which brings additional challenges to the collection of evidence from live network
resources. The area of network forensics encompasses many sources of evidence, including data collected from remote
network services, captured network traffic, logs from network infrastructure devices (firewalls, switches, routers,
etc.), intrusion detection systems (IDS), and logs from network services. Data collected from remote network services
and captured network traffic share many similarities, and they can be generalized as sources of live network evidence
(Nikkel, 2006).

The research paper by Nikkel (2006) discussed improvements to the evidence acquisition process for live networks,
building on previous work that investigated improvements in capturing network traffic and remote network services as
sources of evidence.

Collecting evidence from a live network such as the Internet presents difficulties, in that the reliability and
authenticity of the collected evidence cannot be assumed by the acquisition process. Sources of evidence such as Media
Access Control (MAC) or Internet Protocol (IP) addresses can be spoofed, the content transmitted can be fabricated, and
various protocol headers can be faked. Also, the sources of evidence collected from messages, connections, and network

packets can be hidden using various techniques. In addition, certain forms of anti-forensic activity can also be a
significant hurdle to the collection of evidence from live networks and live sources. For these reasons, several
methods can be introduced to improve the detection of untrustworthy evidence and to improve the reliability of evidence
collection (Nikkel, 2006).

The research paper by Nikkel (2006) offers some improvements to the current methods of live network acquisition; it
does not guarantee the reliability or authenticity of the collection process for network forensic evidence. However,
the steps recommended in the research can help reduce the risk of collecting inaccurate data, help in evaluating
aspects of evidence certainty, and provide practical guidelines for preserving and handling evidential data during and
after the evidence collection.

Nikkel (2006) argued that the evidence collection process can be affected by the location of the evidence collector,
and in some cases this location affects the credibility and authenticity of the collected evidence. Both logical
distance (which can be measured by the path through a Border Gateway Protocol (BGP) or TCP/IP network) and physical
distance (the line between two geographical locations) can affect the evidence collection process; minimizing the
distance between the evidence and the investigator is therefore advantageous and also reduces the error rate. For
example, signal quality in a wireless network degrades as the distance increases, and the ability of the forensic
examiner to collect lower-level information such as a MAC address can also be affected by the distance.

Nikkel (2006) also pointed out that various problems can arise during the preservation and collection process,
including:

• Reserved IP ranges in the collection devices could cause certain difficulties.

• Port forwarders and proxies are a potential source of problems for the collection of evidence from a live network,
since such devices could prevent certain evidence from being collected. In many cases evidence can be destroyed,
stale (because of caching), or modified.

• Firewalls can be configured restrictively, which may block certain infrastructure traffic of interest to the
forensic investigation.

Nikkel (2006) offers solutions and guidelines for the above problems. The solutions represent an effort to improve the
collection of evidence from untrusted networks such as the Internet, and the guidelines can increase the completeness
and reliability of data collection and reduce errors. Some of these solutions and guidelines are:

• Multiple corroborating evidence collections increase the chances of acquiring a complete set of evidence. In
addition, specific deceptive behaviors may be revealed when several collection sources are in place.

• To protect the integrity of collected evidence, network write-blocking should be a basic principle of the evidence
collection process (e.g. stealth-mode operation or one-way Ethernet cables). Using read-only forensic tools guarantees
such results. For example, a read-only File Transfer Protocol (FTP) client tool cannot modify, upload, or delete data.

To maintain the integrity of evidence collection, the forensic tools used for live network evidence collection must
have the following characteristics:

• The tool should provide a precise network timestamp for the collected data.

• The tool should be resistant to corruption of the collected data and to malicious attack.

• The tool must provide signing and hashing capabilities for the collected data.

• The tool must be sensitive to encrypted data.

• The tool should have the capability to validate the evidence collection.

• The tool must provide a logging capability.

• The collection process must implement the principles of chain of custody and preservation for the collected network
forensic evidence.

• All data obtained through the forensic acquisition must be cryptographically hashed using standard algorithms such
as SHA-1 or MD5 at the time of acquisition.

If different forensic teams are used for the investigation, such as one team for data acquisition and another for
analysis, it is recommended that the saved data be encrypted and that the decryption keys be handed over through a
formal approval process between the teams. When performing a selective acquisition from a live network source, a
well-defined set of what will be ignored and what will be collected should be designed beforehand.

Retrieving multiple instances from the data sources can be useful in forensic collection to ensure the completeness of
the acquisition process, and it also serves as proof of authenticity.

Collecting data from specific protocols may help provide a more comprehensive description of the collected evidence.
For example, TCP, IP, or HTTP headers can help verify authenticity and consistency. Such information can also show the
due diligence of the forensic investigation and that the investigation adheres to accepted forensic principles and
methods.

Documenting the live network acquisition process helps create a qualitative description of the acquisition. Such
documentation can use a detailed technical description of the acquisition process, and some of these details might
include:

• A precise record of what was ignored and what was acquired.

• Any modification made to the network layers during the collection.

• Enough technical detail to reveal any suspicion regarding reliability or authenticity, or problems that occurred
during the acquisition. A useful method of documenting live network evidence collection is to use a packet sniffer
together with the built-in logging capabilities that exist in most acquisition tools.

Recording accurate timestamps for the collected evidence during the acquisition process is very important.
Time-stamping provides more accurate correlation with other independent sources of evidence and helps establish an
accurate sequential ordering of the data collection events. It is also important for the forensic investigator to be
able to distinguish between errors generated by the live network sources being acquired and errors generated by the
acquisition tools. Acquisition for forensic purposes should take its data from authoritative sources (e.g. the instance
that contains the most up-to-date or best set of data). The complexity of the technology implemented in live networks
makes it more difficult for specific evidence to be fabricated or faked by malicious parties; a further advantage of
this complexity is that any inconsistencies in the collection activities can be used in evaluating reliability and
authenticity.

The use of cryptography offers a high degree of authenticity and encryption during the forensic investigation, and it
can help overcome many network acquisition problems. Some of the values that cryptography can offer are:

• Showing that data was not modified during transit over the live network layers.

• Showing the authenticity of the origin of the network data.

• Showing the completeness of the set of data collected.
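
To show how the tool characteristics listed earlier (precise timestamps, hashing, signing, logging, validation of the collection, chain of custody) and the three cryptographic values just listed fit together, here is an added example that is not code from Nikkel (2006) or from this paper. Each captured item becomes a timestamped record whose metadata is hashed with SHA-256, signed with HMAC-SHA256 under an assumed collector key, and linked to the previous record, so that a modified payload, a record signed with a different key, a missing record or a reordered one is detected when the chain is verified. The collector key and the captured items in SAMPLE_ITEMS are constructed for the demo; the chain-link design is the example's own choice, not the paper's.

```python
"""Timestamped, hashed, signed and chained records for live network collection.

Added example, not code from Nikkel (2006) or from this paper. Assumptions:
SHA-256 for the per-item hash, HMAC-SHA256 under a collector key as the
'signing' capability, and a hash chain linking each record to the previous
one so that a missing or reordered record is detectable. The captures in
SAMPLE_ITEMS are constructed, not real traffic.
"""
import hashlib
import hmac
import json
import time

COLLECTOR_KEY = b"constructed-demo-key"      # assumption: one key per collector
GENESIS = "0" * 64                            # prev-hash value of the first record


def _canon(body):
    """Canonical JSON so hashing and signing are deterministic."""
    return json.dumps(body, sort_keys=True).encode()


def make_record(prev_hash, source, payload, ts=None, key=COLLECTOR_KEY):
    """Wrap one captured item: timestamp, source, hash, length, chain link, signature."""
    body = {"ts": time.time() if ts is None else ts, "source": source,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "len": len(payload), "prev": prev_hash}
    sig = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig, "payload": payload}


def record_hash(rec):
    """Hash over the signed metadata; the next record's 'prev' points here."""
    return hashlib.sha256(_canon(rec["body"]) + rec["sig"].encode()).hexdigest()


def collect(items, key=COLLECTOR_KEY, base_ts=None):
    """Build the chain from (source, payload) pairs plus a human-readable log.

    base_ts fixes the timestamps (used for reproducible runs); by default the
    collector's own clock is used.
    """
    chain, log, prev = [], [], GENESIS
    for n, (source, payload) in enumerate(items):
        ts = None if base_ts is None else base_ts + n
        rec = make_record(prev, source, payload, ts=ts, key=key)
        prev = record_hash(rec)
        chain.append(rec)
        b = rec["body"]
        log.append(f"{b['ts']} acquired {source} {b['len']}B sha256={b['sha256'][:12]}")
    return chain, log


def verify_chain(chain, key=COLLECTOR_KEY):
    """Return (ok, reason): checks origin (signature), integrity (payload hash),
    and completeness and order (chain links, non-decreasing timestamps)."""
    prev, last_ts = GENESIS, float("-inf")
    for i, rec in enumerate(chain):
        body = rec["body"]
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return False, f"record {i}: signature mismatch (wrong origin or edited metadata)"
        if body["prev"] != prev:
            return False, f"record {i}: chain break (record missing or reordered)"
        if hashlib.sha256(rec["payload"]).hexdigest() != body["sha256"]:
            return False, f"record {i}: payload modified after collection"
        if body["ts"] < last_ts:
            return False, f"record {i}: timestamp earlier than previous record"
        prev, last_ts = record_hash(rec), body["ts"]
    return True, f"{len(chain)} records verified"


SAMPLE_ITEMS = [  # constructed captures for the demo
    ("http://example.test/", b"<html>banner page</html>"),
    ("dns:example.test", b"A 192.0.2.10"),
    ("tcp:192.0.2.10:80", b"HTTP/1.1 200 OK\r\nServer: demo\r\n"),
]

if __name__ == "__main__":
    chain, log = collect(SAMPLE_ITEMS)
    print("\n".join(log))
    print(verify_chain(chain))
```

The log lines are the tool's logging capability, the per-record signature is what the analysis team checks when the acquisition team hands the data over, and the chain link is what turns "the set of data collected" into something whose completeness can be demonstrated rather than asserted. The example hashes with SHA-256 rather than the SHA-1 or MD5 named in the text, because both of those have known collision attacks and current practice prefers the SHA-2 family.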

Recommended

To improve the process of forensic acquisition from a live network, the following guidelines should be considered:

• Multiple corroborating evidence collections increase the chances of acquiring a complete set of evidence. In
addition, specific deceptive behaviors may be revealed when several collection sources are in place.

• To protect the integrity of collected evidence, network write-blocking should be a basic principle of the evidence
collection process.

• To maintain the integrity of evidence collection, the forensic tools used for live network evidence collection must
have the following characteristics:

  • The tool should provide a precise network timestamp for the collected data.

  • The tool should be resistant to corruption of the collected data and to malicious attack.

  • The tool must provide signing and hashing capabilities for the collected data.

  • The tool must be sensitive to encrypted data.

  • The tool should have the capability to validate the evidence collection.

  • The tool must provide a logging capability.

  • The collection process must implement the principles of chain of custody and preservation for the collected
  network forensic evidence.

  • All data obtained through the forensic acquisition must be cryptographically hashed using standard algorithms
  such as SHA-1 or MD5 at the time of acquisition.

• It is recommended that the saved data be encrypted and that the decryption keys be handled through a formal approval
process.

• Documenting the live network acquisition process helps create a qualitative description of the acquisition. Such
documentation can use a detailed technical description of the acquisition process, and some of these details might
include:

  • A precise record of what was ignored and what was acquired.

  • Any modification made to the network layers during the collection.

  • Enough technical detail to reveal any suspicion related to reliability or authenticity, or problems that
  occurred during the acquisition. A useful method of documenting live network evidence collection is to use a
  packet sniffer together with the built-in logging capabilities that exist in most acquisition tools.

• Recording accurate timestamps for the collected evidence during the acquisition process is very important.
Time-stamping provides more accurate correlation with other independent sources of evidence and helps establish an
accurate sequential ordering of the data collection events.

EXTRACTION (EXAMINATION) PROCESS


A Peep attack is an application of a botnet (a collection of compromised computers connected to the Internet). The
common types of botnet attack are malware, Distributed Denial of Service, and spam mail activity. Botnet attacks are
used for malicious purposes. The attack programs organized by the botnet usually run under the control of a managed
network infrastructure. Such attacks are hard to identify, since the group of computers used for the attack can rarely
be identified geographically through the distribution pattern of the infected computers. Also, firewalls cannot be
directly configured from the information obtained from previous attacks to react to botnet attacks (Kao and Wang,
2006).

Digital forensic analysis is any presentation based on the knowledge or principles of diverse sciences, applied to
identify criminal offenders. The goal of digital analysis is to define the relationships and applicable information of
the event. Peep attacks require forensic analysis of the cyber intrusion, which can help in analyzing and obtaining
digital information as evidence in criminal cases. A Trojan horse is a term for a malicious piece of software that
pretends to be a harmless program. Peep is a Win32-based Trojan program that runs on a client system. Such a malicious
program has unique features that form a signature, and this signature can be analyzed during the forensic
investigation to identify the attack and its features.

Kao and Wang (2006) described the investigation of Peep attacks during the digital forensic examination as taking
place in two phases:

• Off-line examination of abnormal files – the forensic investigation in this phase occurs after a malicious attack
has taken place, and encompasses the following steps:

Step 1 – Perform a basic examination

a To correlate events in time and trace intruders, the system clock has to be checked.

b During the investigation it is essential that the forensic examiner determine the network settings and the network
configuration environment.

c The forensic investigator must examine the currently running processes to determine whether any malicious programs
are running. Every process represents a single program that requires support files and Dynamic Link Libraries
(DLLs) to run.

d The forensic investigator must examine the system directories for unusual files, since attackers often hide their
files in the system directories.

e The forensic investigator must gain a good understanding of the system's special default settings. These settings
must be examined to determine whether a problem exists.

Step 2 – Check the original settings

In this step the system startup contents (e.g. startup scripts and the Windows Registry) must be examined, since
malicious programs are set up to give intruders control over the compromised victim computers.

Step 3 – Look for suspicious malware

Although the behavior of malicious programs is unpredictable, they can still be detected. By searching and scanning
for unusual executable files and their methods of operation, such malicious programs can be detected. For example, a
good starting point is to search for recently modified files. Attackers also often rename malicious programs to look
like standard system files, which makes it harder for the forensic investigator to discover security problems.

Using forensic techniques such as CAM (Create, Access, Modify) times or hash analysis to analyze the digital evidence
will eliminate such difficulties. Efforts such as decoding and inspecting the malware for hidden information, such as
original messages from the author, can be valuable during the forensic investigation.

• On-line analysis of sniffed packets

Attackers usually launch their cyber attacks from behind a Peep attack, which can originate from different points.
Such techniques make the forensic investigation hard, and examining the large volume of network traffic involved makes
it harder still. For the examiner to catch the attacker, it must be determined where the attacker gets connectivity,
which traffic is relevant to the investigation, and what the network activity looks like. Once these questions have
been answered, the forensic examiner uses this information to trace back to the upper tiers of the suspected machines.

The above procedures can lead to discovering the upper-tier host(s) behind the Peep attack by analyzing the network
packets. Sniffing packets on the live network also helps apply computer forensic techniques to the cyber crime
investigation, and can reveal unknown data regarding further attacks. Packet sniffing is the most effective way to
analyze what data was stolen and where it was sent. Implementing a silent sniffer on the network allows observation of
the data passing between computers, the network traffic, and the intrusion activities, which gives forensic
investigators an understanding of the intrusion activities and the techniques employed by the attackers.
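
As an added example of the off-line examination steps above (steps 1c, 1d and Step 3; it is not code from Kao and Wang (2006) or from this paper), the following script applies hash analysis against a known-good set of system files, flags files that carry a system binary's name outside the system directory, and lists files modified after a reference time, reading the CAM times from the file system. The system directory, the file names and contents, the known-good hashes and the SYSTEM_NAMES list are assumptions constructed for the demo.

```python
"""Off-line examination helpers for Step 1c, 1d and Step 3 above: hash
analysis against a known-good set, lookalike system binary names, and
recently modified files.

Added example, not code from Kao and Wang (2006) or from this paper. The
system directory, the known-good hash set and every file in the demo are
constructed; SYSTEM_NAMES is an assumed short list for the demo.
"""
import hashlib
import os
import tempfile
import time

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe"}  # assumption


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def cam_times(path):
    """Create/Access/Modify times as the file system reports them."""
    st = os.stat(path)
    return {"ctime": st.st_ctime, "atime": st.st_atime, "mtime": st.st_mtime}


def triage(root, known_good, system_dir, since):
    """Walk root and return (path, reason) findings, sorted.

    known_good maps file names expected in system_dir to their SHA-256.
    since is an epoch time; files modified after it are reported as recent.
    A file can produce more than one finding.
    """
    findings = []
    sysdir = os.path.abspath(system_dir)
    for dirpath, _, names in os.walk(root):
        in_sys = os.path.abspath(dirpath) == sysdir
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if in_sys:
                if name not in known_good:
                    findings.append((path, "unknown file in system directory"))
                elif digest != known_good[name]:
                    findings.append((path, "hash mismatch against known-good set"))
            elif name.lower() in SYSTEM_NAMES:
                findings.append((path, "system binary name outside system directory"))
            if cam_times(path)["mtime"] > since:
                findings.append((path, "modified after reference time"))
    return sorted(findings)


def demo():
    """Build a constructed tree and run triage on it."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    os.makedirs(os.path.join(root, "temp"))
    files = {  # constructed contents
        "system32/svchost.exe": b"genuine service host",
        "system32/lsass.exe": b"tampered lsass",          # known-good hash will differ
        "system32/update.dll": b"unexpected library",      # not in the known-good set
        "temp/svchost.exe": b"lookalike outside system32",
        "temp/readme.txt": b"harmless text",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    known_good = {"svchost.exe": hashlib.sha256(b"genuine service host").hexdigest(),
                  "lsass.exe": hashlib.sha256(b"genuine lsass").hexdigest()}
    # Age the files that should look untouched; the rest keep 'now' as mtime.
    old = time.time() - 7 * 86400
    for rel in ("system32/svchost.exe", "system32/lsass.exe", "temp/readme.txt"):
        os.utime(os.path.join(root, rel), (old, old))
    return triage(root, known_good, sysdir, since=time.time() - 3600)
```

The demo deliberately ages the tampered lsass.exe so that its modification time looks untouched: only the hash comparison reports it, which is why the text pairs CAM times with hash analysis rather than relying on either alone. In practice the known-good set would come from a trusted reference (a clean install or a vendor hash database) rather than being computed on the examined machine.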

Recommended

• To increase the findings from the information accumulated about the Peep attack during the forensic investigation,
the following techniques must be employed:

  • Off-line examination of abnormal files – where the network default settings and configuration are examined, the
  currently running processes are examined for malicious programs, unusual files are examined, and unusual executable
  files and their methods of operation are examined.

  • On-line analysis of sniffed packets – where the network connectivity and network traffic are examined in an effort
  to trace back the upper tiers of the suspected machines. Silent packet sniffing on the network will also help collect
  information about the intrusion activities and further attacks.

Digital investigation seeks to collect or recover information from digital devices in order to confirm or refute
allegations of wrongdoing or to reconstruct events. Digital forensic searches are usually conducted at the physical
media level (e.g. the hard drive), and they can include unallocated data (e.g. deleted files and free disk space) and
allocated files (files saved on the physical media). Text searches are an essential process in digital forensics,
since text-based documents and readable text are important artifacts in the digital forensic investigation. The search
results may include a large number of different data files, such as Internet communications, emails, spreadsheets,
word processing documents, and data unrelated to the case (Beebe and Clark, 2011).

Digital forensic investigators are unable to meticulously review all keyword search hits file by file, even though such
searches improve the ability to answer key investigative questions. Moreover, the current digital forensic search
approaches implemented in forensic tools exhibit poor information retrieval (IR) effectiveness. IR effectiveness is a
function of query precision, where precision is the percentage of retrieved hits that are relevant to the search
criteria. IR overhead is a combination of the time spent by the human analyst reviewing the irrelevant search hits and
the computational time required to execute the search. Recall precision is the percentage of relevant hits retrieved in
comparison with the total number of relevant hits within the data set (Beebe and Clark, 2011).

The main goal of the case study by Beebe and Clark (2011) is to apply text mining techniques to the digital forensics
domain in order to reduce the IR overhead while achieving 100% recall precision. The study suggested that implementing
the right text mining and information retrieval algorithms can improve the IR effectiveness of digital forensic text
string searches and reduce the IR overhead associated with reviewing non-relevant search hits. It concluded that
applying a clustering approach improves the search results of the EnCase and FTK forensic tools.

Recommended

• Applying a clustering approach to the search hits of both the EnCase and FTK forensic tools improves information
retrieval effectiveness and reduces the IR overhead associated with reviewing non-relevant search hits.
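An added example, not code from Beebe and Clark (2011): the precision and recall of a keyword search scored against constructed hits, followed by a simple thematic clustering of the hits on shared vocabulary. The Jaccard threshold, the stopword list and the sample snippets are assumptions made for the illustration; the point it shows is that clustering never drops a hit (recall is unchanged) but lets the examiner dismiss whole groups of irrelevant hits after reading one representative from each.

```python
"""Added example: score a keyword search and cluster its hits by theme."""
import re

# Constructed hits for the search term "transfer": (file, snippet, relevant?).
# The relevance flag is the examiner's judgement and is used only for scoring.
HITS = [
    ("email_0412.eml", "please transfer 40000 to the offshore account tonight", True),
    ("email_0415.eml", "wire transfer to the offshore account confirmed", True),
    ("ledger.xls", "transfer total for the offshore account in q3", True),
    ("setup.log", "file transfer protocol driver loaded", False),
    ("readme.txt", "use ftp to transfer the file to the server", False),
    ("kernel.log", "dma transfer complete for device 3", False),
    ("kernel.log", "dma transfer complete for device 4", False),
    ("chat_0501.txt", "transfer the money to the offshore account tonight", True),
]
RELEVANT_IN_DATASET = 4   # ground truth for recall: relevant items on the media

STOPWORDS = {"the", "to", "a", "for", "of", "in", "and", "use", "please", "on"}


def tokens(text):
    """Lower-case word set with stopwords removed; the clustering feature."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def jaccard(a, b):
    """Set similarity in 0..1; 1 means identical vocabulary."""
    return len(a & b) / len(a | b) if a | b else 0.0


def precision(hits):
    """Fraction of retrieved hits that are relevant."""
    return sum(1 for _, _, rel in hits if rel) / len(hits)


def recall(hits, relevant_in_dataset):
    """Fraction of all relevant items on the media that the search retrieved."""
    return sum(1 for _, _, rel in hits if rel) / relevant_in_dataset


def cluster_hits(hits, threshold=0.25):
    """Greedy single-pass clustering: each hit joins the first cluster whose
    representative (its first member) is similar enough, else starts a new
    cluster. Returns lists of hit indices; no hit is dropped, so recall is
    unchanged by the grouping."""
    clusters = []
    for i, (_, snippet, _) in enumerate(hits):
        toks = tokens(snippet)
        for members in clusters:
            if jaccard(toks, tokens(hits[members[0]][1])) >= threshold:
                members.append(i)
                break
        else:
            clusters.append([i])
    return clusters


def hits_opened(hits, clusters):
    """Review overhead: the examiner opens one representative per cluster and
    expands only the clusters whose representative proved relevant."""
    opened = 0
    for members in clusters:
        opened += 1
        if hits[members[0]][2]:
            opened += len(members) - 1
    return opened


if __name__ == "__main__":
    groups = cluster_hits(HITS)
    print(f"precision={precision(HITS):.2f} recall={recall(HITS, RELEVANT_IN_DATASET):.2f}")
    for members in groups:
        print("cluster:", [HITS[i][0] for i in members])
    print("hits opened without clustering:", len(HITS))
    print("hits opened with clustering:   ", hits_opened(HITS, groups))
```

The constructed search returns eight hits of which four are relevant (precision 0.5, recall 1.0). Clustering groups them into three themes; the examiner reads three representatives, dismisses the two machine-log themes, and opens the remaining relevant hits, six files instead of eight. Real hit sets are far larger and noisier, which is where the saving grows; the threshold and the tokenization are the knobs an examiner would tune.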

The increasing use of Full Disk Encryption (FDE) can significantly affect a digital investigation and potentially block
access to all digital evidence in a case. When dealing with FDE, or even volume encryption, shutting down an evidential
computer is not an acceptable technique for the forensic investigator, since doing so may leave the data on the device
inaccessible for examination. To address this challenge, a more effective practice is needed that improves the
investigator's ability to detect and preserve encryption information (keys, passphrases and unlocked volumes) before
the computer in question is shut down (Casey and Stellatos, 2011).

In dealing with full disk encryption (FDE) or volume encryption, guidance for gathering data at the crime scene helps
the forensic investigator employ the specific techniques required for accessing encrypted data, and allows the
investigator to perform on-scene forensic acquisition of the live computer in question. The measures proposed by Casey
and Stellatos (2011) increase the chances that the evidence collection captures an encryption key or passphrase, and
that the evidence is acquired in an unencrypted state.

When a digital investigation encounters encryption, the encrypted data cannot be recovered without the key or
passphrase. Where encryption is applied at the file-system or container level, it may still be possible to acquire
digital evidence from the unencrypted areas of the storage media, and that can be sufficient to support a prosecution.
With full encryption of the storage media, however, nothing can be recovered from the disk alone. Potential FDE
passphrases or recovery keys may exist in memory (which requires acquiring volatile data) or in written or digital form,
for example on a recovery disk. Another challenge arises when an encryption product such as TrueCrypt allows the user
to create a separate hidden storage area within an encrypted container, protected by a second passphrase, so that one
passphrase can be disclosed while the other volume stays concealed. There is a growing number of FDE products, such as
Symantec's PGP, WinMagic's SecureDoc, TrueCrypt, GuardianEdge, McAfee's SafeBoot, and Microsoft's BitLocker Drive
Encryption, which is available for Windows 7 and Windows Vista in the Ultimate and Enterprise editions. FDE solutions
are not limited to hard drives; volumes on removable media can be encrypted as well (Casey and Stellatos, 2011).

Casey and Stellatos (2011) described many cases in which encryption was used on an offender's machine. In most cases
the suspect was asked in interview for the full passphrase and refused the investigator's request; in many other cases
the passphrase provided did not work. These cases demonstrate to the reader the serious challenge that FDE poses for
digital forensic investigation.

Pulling the plug on a suspect computer that has been identified as using FDE or volume encryption is not an acceptable
approach. To increase the chances of collecting and recovering encryption keys or passphrases, the forensic
investigator should preserve both the non-volatile and the volatile data from the live system. Live imaging of the
non-volatile data gives access to content that would otherwise be encrypted once the system is unplugged, and there is
a good chance that volatile memory holds the key material for the encrypted containers on the suspect system's media.
Acquisition tools such as MoonSols Windows Memory Toolkit, HBGary's FastDump Pro, and GMG Systems' KnTTools can be used
to preserve volatile memory on many versions of the Windows operating system. FireWire direct memory access tools are
another method of acquiring physical memory dumps, and remote forensic tools (F-Response) and Passware Kit Forensic can
also be used to obtain them. Physical memory dumps can be examined with tools such as Volatility, HBGary's Responder,
MoonSols Windows Memory Toolkit, KnTList, and Mandiant's Memoryze (Casey and Stellatos, 2011).

A tool such as CyberHunt can alert the forensic examiner to FDE and to mounted encrypted media on a running system; its
purpose is to flag that more complex acquisition procedures are required. Another technique that can be adopted during
acquisition is the collection and transportation of the live system, even when the system is encrypted and the user
account is locked with a password. A tool such as HotPlug keeps the running system powered while it is moved, without
giving the examiner interactive access to it, so that a backup of the running system can be obtained later (Casey and
Stellatos, 2011).

Recommended

• The identification of encrypted systems is an important step in the forensic investigation. Once encrypted media is
identified on a live system, pulling the plug is not an acceptable approach, since valuable information about the
encryption key and passphrase may be lost when the system is powered off.

• The best approach for the forensic investigator is to acquire data from an FDE system by live imaging of the
volatile and non-volatile data of the system in question.

• Acquisition tools such as MoonSols Windows Memory Toolkit, HBGary's FastDump Pro, and GMG Systems' KnTTools can be
used to preserve volatile memory on many versions of the Windows operating system.

• FireWire direct memory access tools are another method of acquiring physical memory dumps. Remote forensic tools
(F-Response) and Passware Kit Forensic can also be used to obtain physical memory dumps.

• Physical memory dumps can be examined using forensic examination tools such as Volatility, HBGary's Responder,
MoonSols Windows Memory Toolkit, KnTList, and Mandiant's Memoryze.

• The CyberHunt tool can be used to alert the forensic examiner to full disk encryption (FDE) and to mounted encrypted
media on a running system; its purpose is to flag the need for more complex acquisition procedures during the
investigation.

• The HotPlug tool offers no interactive access to the live system, but keeps it running so that the forensic examiner
can transport it and obtain a backup of the running system.
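An added example, not the CyberHunt tool or any code from Casey and Stellatos (2011): a small triage routine that classifies a volume's first sector by its OEM identifier and, failing that, by byte entropy. The BitLocker OEM string "-FVE-FS-" at byte offset 3 is the on-disk signature of a BitLocker volume; the entropy threshold of 7.0 bits per byte, the helper names and the three constructed sectors are assumptions. On a live machine the sectors must be read from the physical disk rather than through the mounted volume, because the operating system presents an unlocked BitLocker volume as plain NTFS.

```python
"""Added example: triage volume boot sectors for signs of encryption."""
import hashlib
import math
from collections import Counter

SECTOR = 512

# OEM identifiers found at byte offset 3 of a volume boot record.
OEM_IDS = {
    b"-FVE-FS-": "bitlocker",   # BitLocker volume; on disk even while unlocked
    b"NTFS    ": "ntfs",
    b"MSDOS5.0": "fat",
    b"MSWIN4.1": "fat",
}


def shannon_entropy(data):
    """Entropy in bits per byte (0..8); ciphertext and compressed data sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector, entropy_threshold=7.0):
    """Classify the first sector of a volume: a known file system, 'bitlocker',
    'possibly encrypted' (no signature but random-looking), or 'unknown'."""
    if len(sector) != SECTOR:
        raise ValueError("expected one %d-byte sector" % SECTOR)
    oem = sector[3:11]
    if oem in OEM_IDS:
        return OEM_IDS[oem]
    # TrueCrypt-style containers carry no signature at all: their encrypted
    # header is indistinguishable from random bytes, so fall back to entropy.
    if shannon_entropy(sector) >= entropy_threshold:
        return "possibly encrypted"
    return "unknown"


def make_sector(oem):
    """Constructed boot sector: x86 jump, OEM ID, zero padding."""
    return (b"\xeb\x52\x90" + oem + b"\x00" * SECTOR)[:SECTOR]


def random_looking_sector(seed=b"constructed"):
    """Deterministic pseudo-random bytes standing in for an encrypted header."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest()
                    for i in range(SECTOR // 32))


# Constructed volumes: plain NTFS, BitLocker, and an unsigned encrypted container.
SAMPLE_VOLUMES = {
    "vol_plain": make_sector(b"NTFS    "),
    "vol_bitlocker": make_sector(b"-FVE-FS-"),
    "vol_container": random_looking_sector(),
}


def triage(volumes):
    """Map each volume name to its classification."""
    return {name: classify_sector(sector) for name, sector in volumes.items()}


def needs_live_acquisition(volumes):
    """Volumes whose contents will be unreachable once the machine is powered
    off: acquire memory and the unlocked volumes before any shutdown."""
    return [name for name, cls in triage(volumes).items()
            if cls in ("bitlocker", "possibly encrypted")]


if __name__ == "__main__":
    for name, cls in triage(SAMPLE_VOLUMES).items():
        print(f"{name}: {cls}")
    print("acquire live before shutdown:", needs_live_acquisition(SAMPLE_VOLUMES))
```

A hit on either branch is the signal that the examiner must not power the machine down before memory and the unlocked volumes have been captured. The entropy test is a heuristic: compressed archives and some firmware images also score high, so a "possibly encrypted" result is a reason to look closer, not a conclusion.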

Marshal (2008) explained that the process of examining a digital device must ensure that its procedures are performed
with the minimum possibility of contaminating the digital evidence. To honour this rule, the forensic examination should
be carried out on a copy of the storage media acquired from the suspect's computer rather than on the original media.
There are, however, situations in which it is not possible to seize the suspect's equipment and obtain a complete
forensic copy of the storage media. Any action taken in such a situation (also called previewing) must be justified,
and proper procedures have to be followed to avoid contaminating the evidence.

Marshal (2008) considers previewing a high-risk activity with respect to the forensic principles, since it requires
direct examination of the suspect's digital device. To reduce that risk, the offline previewing procedure is used: the
storage device is disconnected from the suspect's machine or the network and connected, via a write-blocking device, to
a trusted preview machine operated by the forensic examiner.

Figure 3 - A Tableau T8 USB write-blocker used to avoid accidental writes to the evidence device.

Previewing is conducted with software that allows the examiner to evaluate the evidential value of the device and
gather information about the data held on it. Offline previewing lets the forensic examiner use physical means (the
write-blocker) to prevent contamination of possible evidence. The major drawbacks are that the suspect device has to be
shut down and that the forensic examiner needs physical access to the storage device. The alternative is online
previewing.

Marshal (2008) describes online previewing, in which the forensic examiner works on the live system, as a risky
activity in digital evidence examination. The examiner can reduce that risk by conducting the examination with a
trusted forensic tool run from read-only media such as a CD. Such software is also written so as to avoid accidentally
changing the data on the system in question or the contents of its primary RAM. Some of these tools are EnCase,
Forensic ToolKit (FTK), SMART, Sleuthkit and Autopsy.

Although offline previewing and imaging is one of the standard procedures for acquiring evidence from suspect media,
one data container is ignored in that process: the RAM, where valuable evidence can be found on a live system. Live
systems represent a risk in forensic acquisition and examination, but valuable information can be obtained when the
right forensic tools, which maintain the integrity and reliability of the evidence, are used.

Marshal (2008) described four primary types of data that can be examined during the forensic investigation of a
device. An important element of the evidential data is the metadata, the information about the data files such as the
timestamps that record when a file was created, modified and accessed. The data types that can be obtained during a
digital forensic investigation are:

• Live data – the data that is directly accessible through software on the live system. Live data has greater
evidential value since more data containers are available on a live system.

• Deleted data – material that was once live on the system. Since most operating systems do not completely erase
deleted data, this gives forensic examiners a good opportunity to recover it using the proper tools.

• Swap space – modern operating systems use part of the machine's storage as an extension of primary RAM (virtual
memory). The disk space used for this function can be configured to a specific size. When main memory becomes too full
to hold all running programs and their data, the operating system chooses which parts of memory to store temporarily
on disk so that the freed memory can be reallocated to other programs and data; those pages can persist on disk long
after the program that owned them has exited.

• Slack space – the unused bytes between the logical end of a file and the end of the last cluster allocated to it.
This space is not controlled by the system's user, and it can retain remnants of whatever was stored in that cluster
before. Its size is dictated by the properties of the file system and the storage device, namely the cluster
(allocation unit) size and the sector size.

Recommended

• Although offline imaging is the simplest procedure in forensic acquisition, it can be time consuming. However, the
procedure carries minimal risk to the evidence, since the suspect device is connected to the forensic machine through
a write-blocker.

• Online previewing requires the suspect's system to be live; trusted software run from read-only media can be used to
examine or image the system in question, using one of the following tools: EnCase, Forensic Toolkit (FTK), SMART,
Sleuthkit and Autopsy.

• In data acquisition and examination, there are four types of evidential data that can contain valuable forensic
information: live data, deleted data, swap space, and slack space.

Solomon & Broom (2005) explored some of the common forensic tools that can be used for disk imaging and validation.
They explained that the choice of tool for a specific process depends on various factors, such as:

• The operating systems and file systems the tool supports.

• Price, which can be an important factor when the budget is limited.

• Functionality, which matters when specific procedures have to be carried out.

• Personal preference, where the forensic investigator favours a specific tool.

Some of the tools that can be used during the forensic investigation are:

• ByteBack – used for disk copying and data recovery. The tool provides a simple interface and runs under DOS.

• dd – converts and copies files. In forensic investigation it is commonly used to produce a bit-for-bit copy of an
entire device or partition; it computes no hash itself, so the image must be hashed separately (e.g. with md5sum or
sha256sum) for validation.

• DriveSpy – a DOS-based forensic tool with an interface similar to the MS-DOS command line. It provides many of the
functions needed to examine and copy drive contents.

• EnCase – produces an exact copy of the drive and validates the image automatically. The tool can also take a
snapshot of the Windows Registry, Random Access Memory (RAM), running applications, and open ports.

• Forensic Replicator – a disk imaging tool that acquires images from various electronic media, and handles most
removable media such as Universal Serial Bus (USB) devices.

• FTK Imager – provides powerful media duplication features. The tool can create images of media formatted with many
different file systems, including NTFS and NTFS Compressed, FAT12, FAT16, and FAT32. It also generates MD5 hash values
and provides full searching capability.

• Norton Ghost – not a forensic tool, although it can create copies of the original disk. Because it copies the file
system's contents rather than every sector, its output usually hashes differently from the original drive, so it is
not suitable for producing evidence admissible in a court of law. The tool is better suited to backup/restore and to
creating installation images for multiple computers.

• ProDiscover – creates a bit-stream copy of the entire disk in question, including the Host Protected Area (HPA, an
area of a hard disk drive that is normally hidden from the operating system and the BIOS). The tool also automatically
records MD5 or SHA-1 hashes of the evidence files to prove data integrity.

• SafeBack – creates bit-stream images of hard disk drives and their contents. The tool creates evidence-grade backups
through self-authenticating disk imaging with hashing (SHA-256 hash values), so that any alteration of the evidence can
be detected.

• SMART – provides two features: SMART Acquisition, which performs disk imaging, and SMART Authentication, which
verifies the image.

• WinHex – provides recovery of damaged and lost files and general editing of disk contents. The tool also offers disk
cloning.

Recommended

• The choice of tool for a specific process depends on various factors, such as:

a The operating systems and file systems the tool supports.

b Price, which can be an important factor when the budget is limited.

c Functionality, which matters when specific procedures have to be carried out.

d Personal preference, where the forensic investigator favours a specific tool.

• The following tools can be used during a forensic investigation for disk imaging, hashing, keyword searching, file
recovery, and forensic analysis: ByteBack, dd, DriveSpy, EnCase, Forensic Replicator, FTK Imager, ProDiscover,
SafeBack, SMART, and WinHex.
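An added example, not code from Solomon & Broom (2005) or Marshal (2008), that ties the two preceding passages together: a sector-by-sector acquisition that hashes the image as it is written (the validation EnCase, FTK Imager and SafeBack perform automatically), zero-fills and logs unreadable sectors in the manner of dd's conv=noerror,sync, a backup-style copy that shows why a cloning tool's hash differs from the original, and extraction of file slack from the image. The device is a constructed 8 KiB in-memory volume with a 1024-byte cluster size; the layout, the FlakyDevice class and the function names are assumptions.

```python
"""Added example: forensic-style acquisition of a constructed device."""
import hashlib
import io

SECTOR = 512
CLUSTER = 2 * SECTOR   # constructed file system uses 1024-byte clusters


class FlakyDevice:
    """Stand-in for a raw block device: seek/read over a byte buffer, where
    reads touching `bad_sectors` raise OSError like a failing disk would."""

    def __init__(self, data, bad_sectors=()):
        self.data, self.pos, self.bad = data, 0, set(bad_sectors)

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        start = self.pos
        if any(start <= s * SECTOR < start + n for s in self.bad):
            raise OSError("I/O error at offset %d" % start)
        self.pos += n
        return self.data[start:start + n]


def hash_bytes(data):
    """Hashes of a complete buffer, used to check an image against its source."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def acquire(device, size, out, block=SECTOR):
    """Copy `size` bytes of `device` into `out` block by block, hashing the
    bytes as they are written. Unreadable blocks are zero-filled and their
    offsets logged (dd's conv=noerror,sync behaviour), so the image keeps the
    source geometry and every gap is documented in the acquisition record."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    unreadable = []
    for off in range(0, size, block):
        want = min(block, size - off)
        device.seek(off)
        try:
            data = device.read(want)
        except OSError:
            data = b"\x00" * want
            unreadable.append(off)
        out.write(data)
        md5.update(data)
        sha.update(data)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "bytes": size, "unreadable_offsets": unreadable}


def image_of(data, bad_sectors=()):
    """Image an in-memory device; returns (image bytes, acquisition record)."""
    out = io.BytesIO()
    record = acquire(FlakyDevice(data, bad_sectors), len(data), out)
    return out.getvalue(), record


def verify(image, record):
    """Re-hash the stored image and compare with the hash taken during
    acquisition; this is the automatic validation step of the imaging tools."""
    return hash_bytes(image)["sha256"] == record["sha256"]


def backup_style_copy(data, allocated):
    """What a backup/cloning tool does: copy only the allocated byte ranges."""
    out = bytearray(len(data))
    for start, length in allocated:
        out[start:start + length] = data[start:start + length]
    return bytes(out)


def file_slack(image, start, length):
    """Bytes between a file's logical end and the end of its last cluster."""
    clusters = -(-length // CLUSTER)   # ceiling division
    return image[start + length:start + clusters * CLUSTER]


def make_device():
    """Constructed 8-cluster volume: an old, deleted file partly overwritten
    by a live file (its tail survives in the live file's slack) and a deleted
    remnant in an unallocated cluster. Returns the bytes, the allocated
    ranges, and the live file's start offset and length."""
    img = bytearray(8 * CLUSTER)
    img[0:8] = b"BOOTSECT"
    old = b"OLD FILE: meeting at the pier, 9pm " * 40     # 1400 bytes, deleted
    img[CLUSTER:CLUSTER + len(old)] = old
    live = b"report Q3 all figures nominal " * 40          # 1200 bytes, live
    img[CLUSTER:CLUSTER + len(live)] = live                # clusters 1-2
    img[5 * CLUSTER:5 * CLUSTER + 32] = b"DELETED: wire 40000 offshore now"
    return bytes(img), [(0, SECTOR), (CLUSTER, len(live))], CLUSTER, len(live)


if __name__ == "__main__":
    data, allocated, start, length = make_device()
    image, record = image_of(data)
    print("forensic image verified:", verify(image, record), record["sha256"][:16])
    ghost = backup_style_copy(data, allocated)
    print("cloning-tool copy matches:", hash_bytes(ghost)["sha256"] == record["sha256"])
    print("slack of live file:", file_slack(image, start, length)[:24])
    image2, record2 = image_of(data, bad_sectors=[10])
    print("unreadable offsets logged:", record2["unreadable_offsets"])
```

For a real device the same acquire() is fed an unbuffered read-only handle to the block device behind a write-blocker, with the size taken from the device. The hashes recorded at acquisition time are what the examiner later compares against the stored image; the cloning-tool copy has the same length but a different hash, and both the slack remnant and the deleted remnant in the unallocated cluster are gone from it, which is the concrete reason such copies are not evidence grade.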

INTERPRETATION (ANALYSIS) PROCESS


The case study by Broucek and Turner (2004) examined intrusion detection systems (IDS), using the SNORT IDS, and
network security monitoring in terms of their evidence acquisition capabilities: whether an IDS can support a forensic
investigation and yield results that are legally admissible in a court of law. The data for the study was collected by
running the SNORT network intrusion detection system. The study does not evaluate SNORT itself or compare it with other
IDS products; it evaluates the nature of IDS output in terms of evidence acquisition and the legal admissibility of the
digital evidence generated, examining the data collected by the system and its implications for evidence acquisition
and analysis.

Broucek and Turner (2004) explained that, with cyber-warfare and the dangers of hacking becoming a reality, computer
systems and networks must be able to generate admissible evidence of illegal or criminal online activity. In assessing
the nature and value of the data generated by network monitoring and intrusion detection systems, the following factors
should be considered:

• These systems are themselves subject to attack, so the data collected can be inaccurate.

• These systems may collect partial data, which can be flawed or tampered with.

The major issue with IDS is that such systems are not able to collect all the data they promise to collect. To overcome
this problem, IDSs need better pattern-matching algorithms, data capture methods, and anomaly detection to keep up with
the ever increasing speed of networking equipment. IDS may also collect only partial information, which in most cases
is insufficient to identify the details of an attack. For example, an IDS may record the IP address of the attacker,
but an IP address is rarely enough to positively identify the attacking machine, since most ISPs and hosting sites
assign dynamic IP addresses; attributing an address to a machine requires the address, the timestamp and the
provider's allocation records together (Broucek and Turner, 2004).

The case study ran the SNORT IDS on a production server providing non-anonymous file transfer protocol (FTP) and web
services. Broucek and Turner (2004) reported significant findings, among them:

• While the system correctly raised alarms on one particular rule set, the reporting part of the process was not
correct. From the network administrator's perspective such a problem can be eliminated by identifying the potential
problem and examining the captured network packets with 'tcpdump' or other tools to obtain the correct information.
From the forensic science perspective, however, this bug can jeopardize the admissibility and validity of evidence
derived from the captured data. This finding supports the view that IDS are problematic as tools for collecting
forensic data sets. The problem was fixed in later SNORT versions (recent versions of SNORT have eliminated this bug).

• The rule sets and the configuration of the IDS have to be carefully fine-tuned and customized to avoid the large
amounts of data that would otherwise be collected and stored in log files subject to storage limitations.

• IDS can help protect web servers against various attacks, but fine tuning and alert monitoring are essential to
avoid false-positive alarms. It is also important to collect all the traffic in 'tcpdump' (pcap) format, so that the
data can be examined with other tools and so that an alert can be verified against the packets that triggered it.

The case study highlighted the use of IDS from a legal perspective, and the data they produce that can later be
analyzed and examined. The study showed that IDS pose numerous challenges for evidence acquisition where legally
admissible evidence must be produced, and that there is a high possibility of the data being tampered with. Tampering
with the collected data must be avoided by complying with the rules of evidence collection and minimizing the handling
of the original data set.

Recommended

• Intrusion Detection Systems (IDS) can be used for evidence collection; however, certain steps should be taken to
ensure accurate data collection, among them:

• Fine-tuning the IDS by analyzing its alerts and monitoring it regularly.

• Continuously fine-tuning the rule sets and configuration of the system to keep its log files manageable for further
forensic analysis.

• Regularly updating the IDS rules to keep up with the ever changing information systems environment.

• SNORT is a recommended intrusion detection system for collecting network attack data that can be further analyzed
with forensic tools.
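An added example, not code from Broucek and Turner (2004): a parser for Snort "fast" alert lines that tallies alerts per signature and source so that rule tuning is driven by data, flags noisy signatures as tuning candidates, and builds the tcpdump filter that retrieves the packets behind an alert from the full capture, so that the packets rather than the IDS summary become the evidence. The alert lines are constructed (local signature IDs 1000001 to 1000003 are invented), and unparseable lines are reported rather than silently dropped, since a gap in the IDS record is itself something the examiner must account for.

```python
"""Added example: parse Snort 'fast' alerts, tally them, and map each alert
back to the packets in the full capture."""
import re
from collections import Counter

# Snort fast-alert layout: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed alert log: three FTP login alerts from one source, one web
# alert, one ICMP alert, and one corrupt line.
SAMPLE_ALERTS = """\
03/15-14:22:01.103341  [**] [1:1000001:1] LOCAL FTP login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:51234 -> 198.51.100.10:21
03/15-14:22:01.804112  [**] [1:1000001:1] LOCAL FTP login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:51235 -> 198.51.100.10:21
03/15-14:22:02.511920  [**] [1:1000001:1] LOCAL FTP login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:51236 -> 198.51.100.10:21
03/15-14:23:10.000412  [**] [1:1000002:1] LOCAL web 403 response [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.10:80 -> 192.0.2.77:40122
03/15-14:25:44.771003  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.9 -> 198.51.100.10
this line is not an alert and must be reported, not silently dropped
"""


def parse_alerts(text):
    """Return (alerts, rejected): parsed dicts plus the raw lines that did not
    match. Rejected lines are kept so the examiner can explain every gap."""
    alerts, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
        else:
            rejected.append(line)
    return alerts, rejected


def tally(alerts):
    """Alert counts per (sid, message, source): the basis for tuning decisions."""
    return Counter((a["sid"], a["msg"], a["src"]) for a in alerts)


def noisy(alerts, threshold):
    """(sid, message, source) triples that fired at least `threshold`
    times; candidates for thresholding or suppression in the rule set."""
    return [key for key, n in tally(alerts).items() if n >= threshold]


def bpf_filter(alert):
    """tcpdump/BPF expression selecting the conversation behind one alert,
    for pulling the original packets out of the full pcap capture."""
    parts = [alert["proto"].lower(),
             "host %s" % alert["src"], "host %s" % alert["dst"]]
    if alert["sport"] and alert["dport"]:
        parts += ["port %s" % alert["sport"], "port %s" % alert["dport"]]
    return " and ".join(parts)


if __name__ == "__main__":
    alerts, rejected = parse_alerts(SAMPLE_ALERTS)
    print("parsed %d alerts, %d unparseable lines" % (len(alerts), len(rejected)))
    for key, n in tally(alerts).most_common():
        print("%3d  sid %s  %-28s  from %s" % (n, key[0], key[1], key[2]))
    print("noisy:", noisy(alerts, 3))
    for a in alerts:
        print("tcpdump -r full.pcap '%s'" % bpf_filter(a))
```

The printed tcpdump commands are the bridge from the IDS summary to primary evidence: the examiner runs them against the continuous capture, and the packets themselves, not the alert line, go into the case file. The noisy() output is what the tuning bullet above asks for, expressed as data rather than intuition.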

The study by Vomel and Freiling (2011) introduced the prevailing methods and techniques used to collect and analyze
computer memory. The paper gives a comprehensive overview of proven approaches for acquiring and inspecting
information from a computer's memory, explains the technical foundations of existing methodologies and tools, and
outlines their strengths and weaknesses. The research was dedicated to the Microsoft Windows operating systems because
of their dominant market position and their popularity among users and organizations. Collecting digital evidence
from volatile storage requires a high level of understanding of the internal system structures.

The rapid increase in memory-resident malicious software, the growing storage capacity of computer systems, and the
growing use of encryption have made forensic investigation more difficult. These changes also led computer forensic
professionals to emphasize the value of the volatile system information that may exist in RAM and in alternative data
sources. Traditional computer forensics emphasizes the acquisition and analysis of persistent system data: in most
cases the suspect machine is powered off, an identical bit-by-bit image of its hard disk and other storage media is
created, and the collected information is examined. This approach frequently neglected the possibility of first
responders obtaining a copy of physical Random Access Memory (RAM), even though first-response guidelines stress the
necessity of securing the volatile digital evidence that exists in RAM (Vomel and Freiling, 2011).

The above describes the problem with traditional computer forensic practice; there are, however, substantial efforts by
computer forensic professionals to shift the analysis towards the computer's volatile media (live memory), and that
shift in practice is due to the following:

• Pulling the plug on an organization's servers may cause substantial losses through unexpected downtime, and can
negatively affect the organization's productivity.

• During the shutdown of such systems the file system journals may be damaged (depending on the configuration of the
systems), and it may then be difficult to restart them.

• Some programs are explicitly designed to leave few or no traces on the hard disk (e.g. the private browsing mode of
the Mozilla Firefox web browser), so forensic examiners must adopt approaches and strategies that include volatile
storage in order to search for information such as passwords, usernames, and text fragments.

• Today's operating systems offer support for full disk encryption, and similar functionality is offered by open
source tools (e.g. TrueCrypt) and commercial products (e.g. PGP). Traditional forensic investigation can be infeasible
in such situations, and recovering the cryptographic key from memory may be the only option for the forensic examiner
to gain access to specific areas of the hard drives and other mounted volumes on the system in question.

• Malware typically employs armoring and compression techniques that make analysis of the malicious code by reverse
engineering difficult, and volatile memory can be the only place where the unpacked, decrypted executable can be
obtained directly from RAM. This information is lost once the suspect machine is powered off, and failing to preserve
the contents of volatile memory may destroy significant information and evidence.

Over the past years considerable research has been conducted to promote the importance of memory forensics, and
different methods of capturing and examining volatile storage have been adopted. Many of these techniques, however,
target specific computing architectures and operating systems. Moreover, the trustworthiness and reliability of the
results vary with the technology used, so understanding the capabilities and limitations of the available solutions is
the key to collecting evidence that can be legally admissible (Vomel and Freiling, 2011).

Vomel and Freiling (2011) also noted that volatile memory acquisition techniques have traditionally been divided into
software-based and hardware-based solutions. While software-based solutions rely on functions provided by the
operating system, hardware-based solutions access the computer's memory directly to create a forensic image and have
therefore been regarded as more reliable and secure. This assumption no longer holds true, and various concepts that
combine software and hardware mechanisms have recently been proposed, so the two categories are no longer adequate. A
more useful characterization of such techniques is an assessment of the different technologies against the
requirements for obtaining a memory copy of the target machine. Three major criteria can be used to express those
requirements:

• Fidelity (consistency) of the generated memory image – the mechanism must produce an image that is a precise copy of
the original host's memory. This depends on how the memory snapshot is taken (changes to memory during acquisition
degrade it) as well as on the integrity of the host OS's memory, including unallocated memory regions.

• Reliability of the produced results – the mechanism must either produce a trustworthy result or none at all; it must
not silently return an image that was subverted or is partially wrong.

• Availability of the mechanism – the method must actually work on the targeted computers or devices.

Vomel and Freiling (2011) described the following approaches to memory acquisition, with their characteristics and
drawbacks:

• Memory acquisition using a dedicated hardware card – This approach uses Direct Memory Access (DMA) from a special
hardware card to obtain a copy of physical memory. The card bypasses the operating system; it is installed as a
dedicated PCI device in advance, and upon pressing an external switch the card is activated and begins copying the
memory image. During the procedure the target host's CPU is temporarily suspended so that malicious code cannot
interfere or modify the state of the system. Since the processor of the host under investigation is halted and all
information is retrieved directly from physical RAM, the procedure is considered accurate and not subject to tampering
by software running on the host. One limitation is that the PCI card must be installed before it is needed, so the
device is not suited to ad-hoc incident response and should be considered part of the forensic readiness plan. A
further caveat: later research showed that chipset configuration controlled from the host can remap what a DMA device
sees, so even a hardware card does not guarantee fidelity on a deliberately hostile machine.

• Memory acquisition via a special hardware bus – In this approach volatile memory is read over the FireWire (IEEE
1394) bus, which exposes DMA to attached devices. The approach also shows that physical memory access can potentially
be obtained over any hardware bus that offers DMA, for example PCMCIA (PC Card). However, the technique may cause the
target system to crash at random, in particular when reading the Upper Memory Area (UMA), where device memory rather
than RAM is mapped. Experiments have also shown discrepancies between an image created this way and a raw memory dump.
For these reasons the FireWire-based technique is not sufficient to obtain a reliable copy of the computer's RAM.

• Memory acquisition with the help of virtualization – This approach applies when the suspect system runs as a virtual
machine, i.e. on a software layer that emulates the physical components (memory, processor, graphics adapter, network
and I/O interfaces) on top of a host. Suspending or snapshotting the virtual machine freezes its state and saves its
memory to a file on the underlying host's hard drive. Simply copying that file (the memory dump on the host's disk)
therefore yields a snapshot of the suspect computer's main memory. Where it is available, this approach is recommended
as forensically sound memory acquisition that requires little effort, although the hypervisor itself must be trusted.

• Memory acquisition using software crash dumps – This approach uses a Windows feature whereby the operating system
can be configured to write debugging information (a memory dump file) to the hard drive when the machine stops
unexpectedly. Information about the CPU and memory is saved in the system root directory for later examination. The
same mechanism can be used in a forensic investigation by deliberately crashing the system, either with a third-party
application or with the built-in CrashOnCtrlScroll feature, which generates the dump as soon as the configured key
combination is pressed (holding the right Ctrl key and pressing Scroll Lock twice). The feature is disabled by default
and must be enabled through the Windows Registry (the CrashOnCtrlScroll value under the i8042prt\Parameters service key
for PS/2 keyboards, or kbdhid\Parameters for USB keyboards); the change only takes effect after a reboot, so it is
useful only on machines prepared in advance, and the dump type must be set to a complete memory dump, otherwise only
kernel memory is written. Because of these modifications to the suspect system the technique is forensically suitable
only in specific situations. Although a memory snapshot is created automatically, parts of the system page file are
overwritten in the process. The technique is considered harmful compared to the other approaches and in most cases
leads to a high degree of evidence contamination.

• Memory acquisition with user level applications – In this approach user-mode software is used to acquire a copy of
physical memory, such as the dd utility from the Forensic Acquisition Utilities; administrator privileges are required
to run it. Other software such as PMDump and the Process Dumper utility (PD) can be used in the same way. Drawbacks of
these applications are that they have to be loaded onto the suspect computer before they can run, so valuable evidence
might be overwritten before it can be preserved, and that other processes are not prevented from altering volatile
storage while the memory snapshot is being taken.

• Memory acquisition with kernel level applications – This approach uses kernel-level drivers to create a snapshot of
the physical memory contents. Some of the tools available for this approach are ManTech's Memory DD (mdd), Memoryze,
MoonSols Windows Memory Toolkit, WinEn, EnCase, AccessData's toolkit, KnTTools and FastDump Pro. The approach suffers
from the same problem described above: the driver runs concurrently with the system's processes, which leads to
evidence contamination.

• Memory acquisition via operating system injection – This approach presents a new technique called BodySnatcher,
where an independent operating system is injected into the kernel of the target machine. The host operating system
freezes, and the target machine relies on the injected operating system to provide the acquisition of a reliable
snapshot of the volatile data from the host’s memory. The injected system has to be loaded onto the target machine
before it can be executed, and as such, valuable evidence might be destroyed before it can be preserved. In addition,
other processes are not prevented from altering the volatile storage while the memory snapshot is being acquired.

• Memory acquisition via cold booting – This approach takes advantage of the fact that volatile information is not
immediately erased once the target machine is powered off. The memory contents of the target machine can be
retained for a non-negligible amount of time by using liquid nitrogen to artificially cool the RAM module. The target
machine can then be restarted (cold booted) with a custom kernel to access the retained memory and acquire its
contents. However, this approach is not commonly used.

• Memory acquisition using the hibernation file – This approach uses the Windows hibernation file as a source of
valuable information, since the file contains runtime-specific information. During hibernation (sleep state), the system
is frozen and a snapshot of the existing processes is preserved, so an image of the volatile data can be captured.
However, the captured information does not contain the full state of the physical memory at the time of hibernation,
and as such, the quality and quantity of the extracted evidence are limited. In addition, the hibernation file is
compressed in order to save disk space.

Vomel and Freiling (2011) suggested an alternative approach, recommended by forensic professionals, that promotes
a more structured methodology for finding valuable traces in memory. The approach involves examining the types of
data to be investigated and locating that data in the different containers within the suspected system. Such
information can be stored either directly in RAM or in the local page file, and can include the following:

• Possibly installed malicious software applications, and the list of running system processes.

• Cryptographic keys.
HOW TO DEVELOP A COMPUTER FORENSIC MODEL TO INVESTIGATE CYBER CRIMES – Part I 43/63

• Network-related data such as port information, IP addresses, and established network connections.

• Open files.

• Application-related data such as date and timestamp information.

The above approach represents a better technique for investigating the data captured in volatile storage such as
the system’s RAM. Searching for such information within the RAM or the page file, and then investigating the different
locations of that data within the system resources, will be a more accurate approach and will yield better results when
investigating the data captured in the system’s RAM.

Recommended

• Memory acquisition with the help of virtualization represents an accurate approach to obtain a copy of the memory
dumps of the suspected machine. The approach obtains a snapshot of the main memory of the host system with
little forensic effort.

• The memory acquisition with user-level applications technique is a recommended approach for obtaining
information from the machine in question. Forensic software tools such as Data Dumper (dd) and Process Dumper
(PD) are recommended for this approach.

• Examining the information that can be stored either directly in RAM or in the local page file is the recommended
approach for obtaining the information maintained in such evidence containers.

• Kernel-level drivers such as Mantech’s Memory DD (mdd), Memoryze, Moonsol’s Windows Memory Toolkit, WinEn,
Encase, AccessData Toolkit, KnTTools, and Fastdump Pro, used in the memory acquisition with kernel-level
applications approach, are the recommended tools for memory acquisition.

Schweitzer (2003) explained that many techniques are involved in data analysis during the forensic examination and
analysis process. One technique that can uncover targeted information is the keyword search. For example, the
forensic examiner might try to determine whether the suspected computer was used to send offensive or
inappropriate messages. In investigating such an incident, Internet usage may need to be re-created, deleted Internet
files recovered, and keyword searches used to find the text that appears in the offending messages. Keyword
searches are used for the following purposes:

• To locate occurrences of strings and words within data stored in unallocated file space, slack space, or files.

• As an internal audit method to identify corporate policy violations.

• To find evidence within the computer in question.

• To find embedded text in documents or fragments of documents.

Modern hard drives are usually quite large, so it is difficult for the forensic investigator to assess every piece of data
stored on the drive; forensic text search tools can help find relevant evidence easily and quickly. Automated software
that uses keywords to search all types of computer storage media can significantly reduce the time needed to find
and collect evidence.

When using search tools, the forensic examiner should avoid common words, and the keyword should be as short
as possible. Some common freeware utilities that can be used for forensic keyword searches are BinText, Disk
Investigator, and SectorSpyXP (Schweitzer, 2003).
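The search described above, scanning a whole image rather than individual files so that text in slack space and unallocated space is found, can be illustrated with the following added example. It is not code from the article or from the tools it names; the four-sector image is constructed inline so the script runs offline, and a real run would read a bit-stream image file instead.

```python
"""Keyword search over a raw disk image (ASCII and UTF-16LE text).

Added example: this is not code from the article or from the tools it
names (BinText, Disk Investigator, SectorSpyXP). The image is
constructed inline so the script runs offline; a real run would read a
bit-stream image file instead.
"""
import re

SECTOR_SIZE = 512


def build_sample_image() -> bytes:
    """Return a constructed 4-sector image with text in the places the
    article lists: an allocated file, file slack, and unallocated space."""
    # Sector 0: an allocated, innocuous text file.
    sector0 = b"Meeting notes: budget review at 10:00.".ljust(SECTOR_SIZE, b"\x00")
    # Sector 1: a short new file followed by slack left over from an older file.
    sector1 = (b"new data" + b"\x00" * 8
               + b"...old mail: you will regret this, Smith").ljust(SECTOR_SIZE, b"\xff")
    # Sector 2: unallocated space holding a deleted message stored as
    # UTF-16LE, the encoding many Windows applications use for text.
    sector2 = ("Subject: Final warning\r\nYou WILL regret it"
               .encode("utf-16-le").ljust(SECTOR_SIZE, b"\x00"))
    # Sector 3: unrelated binary filler.
    sector3 = bytes(range(256)) * 2
    return sector0 + sector1 + sector2 + sector3


def search_keywords(image: bytes, keywords, sector_size: int = SECTOR_SIZE):
    """Return a sorted list of hits (offset, sector, encoding, keyword, context).

    Each keyword is searched in both ASCII and UTF-16LE form,
    case-insensitively, across the whole image rather than file by file,
    so text in slack and unallocated space is found too.
    """
    hits = []
    for keyword in keywords:
        for encoding in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(keyword.encode(encoding)), re.IGNORECASE)
            for match in pattern.finditer(image):
                start, end = match.start(), match.end()
                # Keep a little context either side so the hit can be
                # reviewed without opening a hex editor.
                window = image[max(0, start - 16):min(len(image), end + 16)]
                context = window.decode(encoding, errors="replace")
                hits.append((start, start // sector_size, encoding, keyword, context))
    hits.sort()
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    for offset, sector, encoding, keyword, context in search_keywords(image, ["regret", "warning"]):
        print(f"offset {offset:6d} sector {sector} {encoding:9s} {keyword!r}: {context!r}")
```

The UTF-16LE pass is what makes the difference on Windows evidence: a plain ASCII search for "warning" misses the deleted message in sector 2 entirely, while the sector number in each hit tells the examiner whether the text came from an allocated file, from slack, or from unallocated space.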

Schweitzer (2003) argued that with the popularity of e-messaging as a communication tool, it is not surprising that
searching and examining e-mail messages is part of the discovery process during a forensic investigation. However,
e-mail poses several challenges to the forensic investigation, some of which are:

• Attachments in the email messages can contain vital evidence.

• E-mail messages can be found in different areas of computer systems (e.g. backup media, the network server’s
mailbox, Inbox/Outbox).

• Keyword searches are often used to overcome the high volume of e-mail messages.

Despite the challenges that e-mail messages and their attachments present to the forensic investigator, most e-mail
messages can be located in one of these locations: Inbox, Outbox, Drafts, or Sent Messages.

Because of the high cost of e-mail retention, many organizations fail to back up or archive old e-mail messages.
Once an e-mail message has been permanently deleted, it becomes complicated for the forensic investigator to
retrieve it, and a data recovery procedure has to be used. Using forensic tools such as Disk Investigator or SectorSpy
to perform a keyword search will attempt to recover some of the specific deleted e-mail messages that might remain
on the media of the suspected computer. Other recoverable evidence can be located in the web browser, where
recently visited web pages are stored in the browser’s cache (Schweitzer, 2003).

The forensic examiner can find traces of the suspect’s surfing habits in the web browser’s cache. Cached web pages
are stored by the browser in a special folder on the computer’s hard drive; however, some web browsers keep the
caching information in the computer’s memory. Once the cache files are located under the cache folder, the forensic
examiner should copy them to the forensic disk for further examination. A forensic tool such as CacheMonitor can be
used to browse the contents of the cache files (Schweitzer, 2003).

Another important source of information is the print spooler files that can be recovered from the suspect’s computer
hard drive. Schweitzer (2003) pointed out that the Windows operating system creates a temporary copy of the file to
be printed (called an enhanced metafile, EMF) on the hard drive, a process called spooling, even if the user never
saves the file; this copy is what is sent to the printer. Once printing is complete, the EMF file is usually deleted by the
operating system, and the process is generally invisible to the user. Under certain circumstances, the suspect might
configure the operating system via the spooler options to retain such temporary files instead of deleting them
automatically once printing is completed. A simple search of the suspect’s hard drive can find such files (*.emf), and
the forensic examiner can move them to the forensic hard drive for further investigation.

Potential crime evidence can be hidden on the suspect’s computer and protected with encryption and password
protection using various types of freeware programs. Cyber criminals also often manipulate file extensions to
disguise a file’s true attributes, or use steganography (hiding a file or message within another file or message, known
as the carrier file) to hide their criminal activities. Once the protected files are located, different software can be used
for password cracking and recovery, such as Password Crackers, Discount Password Recovery, Zip Password Finder,
and Ultimate Zip Cracker (Schweitzer, 2003).
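Two of the points above, that EMF spool files can survive on disk and that suspects rename files to disguise their true type, lead to the same examiner's check: identify files by their signature bytes and flag any whose extension claims something else. The following added example does that; it is not code from the article, the EMF signature position follows the Windows ENHMETAHEADER layout, and the sample files are constructed inline.

```python
"""Identify file types by signature rather than by extension.

Added example, not from the article. It applies the article's points
that EMF spool files can be found on disk and that suspects rename files
to disguise their true type. Sample files are constructed inline.
"""
import struct

# (type, offset of the signature inside the file, signature bytes).
# EMF keeps its signature at byte 40 of the ENHMETAHEADER record, after
# iType, nSize, rclBounds and rclFrame; the other signatures start at 0.
SIGNATURES = [
    ("emf", 40, b" EMF"),
    ("zip", 0, b"PK\x03\x04"),
    ("pdf", 0, b"%PDF"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("jpg", 0, b"\xff\xd8\xff"),
]
# Extensions that legitimately carry one of the signatures above.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify(data: bytes):
    """Return the type name whose signature matches, or None."""
    for kind, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None


def extension_of(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXTENSION_ALIASES.get(ext, ext)


def triage(files: dict):
    """Return [(name, identified_type, mismatch)] for a name -> bytes mapping.

    mismatch is True when the signature identifies a type and the
    extension claims a different one, which is the case the examiner
    wants surfaced.
    """
    report = []
    for name, data in files.items():
        kind = identify(data)
        mismatch = kind is not None and kind != extension_of(name)
        report.append((name, kind, mismatch))
    return report


def minimal_emf_header() -> bytes:
    """Constructed ENHMETAHEADER prefix: iType=1 (EMR_HEADER), nSize,
    two RECTL structures (8 x int32), the ' EMF' signature and the
    version. Enough for identification, not a renderable metafile."""
    return (struct.pack("<II", 1, 88)
            + struct.pack("<8i", 0, 0, 0, 0, 0, 0, 0, 0)
            + b" EMF"
            + struct.pack("<I", 0x00010000))


# Constructed sample files: two of them carry a misleading extension.
SAMPLE_FILES = {
    "notes.txt": minimal_emf_header() + b"\x00" * 48,      # spool file renamed
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "holiday.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "backup.dat": b"PK\x03\x04" + b"\x00" * 26,           # archive renamed
    "readme.txt": b"Plain text, no known signature.\n",
}

if __name__ == "__main__":
    for name, kind, mismatch in triage(SAMPLE_FILES):
        print(f"{name:14s} {str(kind):5s} {'MISMATCH' if mismatch else 'ok'}")
```

In practice the signature table is much longer and the walk covers carved files from unallocated space as well as the live file system, but the decision rule stays the same: trust the bytes, not the name.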

Recommended

• In recovering e-mail messages, the forensic examiner can locate them in one of these locations: Inbox, Outbox,
Drafts, or Sent Messages.

• Once e-mail messages are deleted from the e-mail application, forensic tools such as Disk Investigator or
SectorSpy can perform a keyword search to recover them from the media of the suspected computer.

• Once the cache files are located, a forensic tool such as CacheMonitor can be used to browse the cache file
content.

• Potential evidence can be found in hidden, password-protected files on the suspect’s computer. Once the files are
located, special forensic software can be used to crack the password and recover the file contents. Some of these
applications are: Password Crackers, Discount Password Recovery, Zip Password Finder, and Ultimate Zip
Cracker.

Weise and Powell (2005) explained that the following questions have to be considered whenever a computer
forensic analysis is conducted:

• What is the link between the hacker, and the data obtained during the acquisition process?

• What is the organization’s liability that might have been undermined?

• Has the system really been attacked or compromised?


• Are there system audit logs, and can such logs be trusted?

• Are the system’s data files backed up, and can they be used as baseline references?

Answering the above questions will help the forensic investigator gain a clear view of the work that should be done
to obtain the correct evidence. Nothing can be assumed in this phase by the forensic examiner; planned, rational
action is required, since any hasty response might damage evidence. Documentation is an essential step during the
analysis process, and data such as times, dates, locations, and activities involved in the investigation should be
included in it.

Weise and Powell (2005) pointed out that certain primary steps should be followed to conduct a successful forensic
investigation, some of which are:

• The system and data should be isolated to reduce the risk of a cascading failure, and prevent the corruption of
other systems.

• The state of the system should be maintained so that an exact image of the system can be preserved for any
further analysis and prosecution.

• The system(s) in question should be physically disconnected from the network to eliminate any connectivity of the
infected system.

• It is essential to collect some non-technical information such as time and date when the incident occurred and
times and dates when the investigation started and ended.

• A separate system copy should be obtained for further investigation, searching, and analyzing.

• Validating the copy obtained from the original system is an important step to ensure that a legitimate and
confirmed copy of the system has been made. An MD5 checksum can be used to verify that the copy is an exact
match of the original state of the system in question.

Recommended

• The following questions have to be considered whenever the computer forensic analysis is conducted:

a What is the link between the hacker, and the data obtained during the acquisition process?

b What is the organization’s liability that might have been undermined?

c Has the system really been attacked or compromised?

d Are there system audit logs, and can such logs be trusted?

e Are the system’s data files backed up, and can they be used as baseline references?

• The following steps have to be considered to achieve a successful analysis process:

a The system and data should be isolated to reduce the risk of a cascading failure, and prevent the corruption of
other systems.

b The state of the system should be maintained so that an exact image of the system can be preserved for any
further analysis and prosecution.

c The system(s) in question should be physically disconnected from the network to eliminate any connectivity of
the infected system.

d It is essential to collect some non-technical information such as time and date when the incident occurred and
times and dates when the investigation started and ended.

e A separate system copy should be obtained for further investigation, searching, and analyzing.

f Validating the copy obtained from the original system is an important step to ensure that a legitimate and
confirmed copy of the system has been made. An MD5 checksum can be used to verify that the copy is an exact
match of the original state of the system in question.

Middleton (2005) argued that obtaining a bit-stream backup of the compromised system is more effective than a
regular copy operation. While a regular copy (imaging) operation merely copies files from one medium to the forensic
medium, a bit-stream backup obtains a bit-by-bit copy of the entire medium in question, not just the files. One
forensic tool that can perform a bit-stream backup is SafeBack. Another important tool used in forensic analysis is
GetTime, which documents the date and time settings of the system in question by reading the system date/time
from CMOS. Once the bit-stream backup is complete, the forensic examiner can use the FileList tool to catalogue the
contents of the disk. Some other tools that can be used during the forensic analysis process are:

• GetFree – The tool can be used to obtain the content of all unallocated space (deleted files) on the media in
question.

• GetSwap – The tool provides a bit-stream backup during the forensic acquisition. It can obtain data found in the
computer’s page files or swap files for later analysis during the forensic investigation. GetSwap is a DOS tool, and as
such, the computer in question has to be booted into MS-DOS mode.

• GetSlack – The tool can be used to obtain slack space from computer hard drives and other media. Slack space is
the portion of a cluster on the hard drive that a file does not completely fill. The tool can view the slack space on hard
drives and other media.

• Filter_I – The tool can extract potential data from a large volume of binary data and make binary data printable. It
also aids in creating a keyword list that can be used for media content searches during the forensic analysis process,
where a tool such as TextSearch Plus can be used for that purpose. The tool can also be used to analyze data
acquired from swap space (using GetSwap), free space (using GetFree), slack space (using GetSlack), and
temporary files.

• TextSearch Plus – The tool is used to perform a keyword search on the acquired data set. It creates a log file
containing the keyword search results, which the forensic examiner can browse using any text editor, such as
Microsoft Word.

• CRCMD5 – The tool calculates a CRC-32 checksum for a group of files, or for a DOS file, together with a 128-bit
MD5 digest. The purpose of the MD5 and CRC digests is to verify the integrity of the acquired evidence files.

• DiskSig – The tool computes an MD5 digest and a CRC checksum for an entire hard drive. The digest and the
checksum cover all data on the drive, including unused and erased areas.

• DOC – The tool documents the contents of a directory; its output lists the directory and file names, file dates, file
sizes, and file times.

• Mcrypt – The tool provides encryption and decryption of files, and compression, for the acquired evidentiary
contents. It offers three levels of encryption: proprietary encryption (low level, default), DES (Data Encryption
Standard) CBF (high level, default), and Enhanced DES (dual encryption, first using DES).

• Micro-Zap – The tool is used to recover deleted files on the media in question.

• AnaDisk – The tool is a utility for analyzing diskettes. It offers the following functionality:

a A section of a diskette can be copied to a file.

b Data errors on any diskettes can be repaired.

c Text searches can be performed on diskettes.

d Data on a diskette can be modified.

Recommended

• One forensic tool that can perform a bit-stream backup is SafeBack. Another important tool used before the
forensic analysis is GetTime, which documents the date and time settings of the system in question by reading the
system date/time from CMOS.

• Once the bit-stream backup is complete, the forensic examiner can use the FileList tool to catalogue the contents
of the disk.

• Other forensic tools that can be used to image the media in question and to analyze the acquired data are:
GetFree, GetSwap, GetSlack, Filter_I, TextSearch Plus, CRCMD5, DiskSig, DOC, Mcrypt, Micro-Zap, and AnaDisk.

Steel (2006) demonstrated different techniques that can be used during the forensic analysis process in the digital
forensic investigation. Some of these techniques are:

• Live system analysis – This technique is used before imaging and shutting down the system in question. It
provides information about currently logged-in users, running programs, and other activities that may be lost in an
offline analysis. The technique takes advantage of volatile containers such as CPU registers, CPU cache, RAM, disk
cache, temporary files, unallocated space, and permanent files.

• Forensic duplication – This technique creates forensically sound images of the suspected system’s contents using
one of the forensic imaging techniques that provide data reliability and validation of the imaging process. Failure in
this process can be due to the following reasons:

a Lack of authenticity, where no verification of authenticity is provided by the standard file copy procedure. This
problem can be avoided by using a tool such as md5sum.

b Loss of non-file data, where information stored in unpartitioned space, slack space, or free space is not copied.

c Alteration of metadata, where the metadata associated with a file may be lost, altered, or deleted when the file is
copied.

d Failure to copy all data streams, where copying files to a non-NTFS file system can cause the loss of the
alternate streams while the primary stream is retained.

• File system analysis – In this technique the forensic analysis concentrates on recovering and finding files, and on
providing details about file ownership, creation, and modification. Keyword search and analysis tools are used in this
technique.

• Internet analysis – This technique analyzes Internet activities, where web browsing and instant messaging usage
can provide a detailed record of past Internet activity.

• Email forensics – This technique provides records of the communications performed by the suspect of the cyber
crime; such records can be identified and recovered from e-mail applications (e.g. Microsoft Outlook Express,
Microsoft Outlook, and Lotus Notes), e-mail servers, and saved messages on the suspect’s system.

• Log file analysis – This technique analyzes the log files acquired from the system in question, which can contain
recorded data from the various applications used on that system. Records of past actions and events can be found
with the Microsoft event log analysis application, Event Viewer, and through examination of server logs.

• Network monitoring – This technique provides information about the suspected system’s activities via network
sniffing tools and Intrusion Detection Systems (IDS), whose log files are analyzed to trace back the suspect’s
activities and how the crime was committed.

Recommended

• During the forensic analysis process, different techniques can be used to obtain conclusions and results in the
cyber forensic case. Some of the techniques used to achieve this are: live system analysis, file system analysis,
Internet analysis, email forensics, log file analysis, and network monitoring.

• A combination of the above techniques is recommended to obtain accurate results and to validate those results
across different evidence containers.

DOCUMENTATION (REPORTING) PROCESS


Brown (2009) argued that documenting the forensic examiner’s actions during the forensic investigation is an
essential process that cannot be emphasized enough. Forensic examiners take different approaches to documenting
the forensic investigation process. Some of these approaches are:

• Pre-formatted worksheets that can be used to document the evidence collection findings.

• Chain-of-custody forms, used to record the evidence handling steps and their participants.

• Examination forms, used to record evidence collection and examination procedures.

• Digital photos that record the evidence collection and examination.

• A notebook to keep a log of records for the casework.

Brown (2009) also argued that the digital investigation components that can be used to maintain the chain of
custody, support testimony, and mitigate authenticity challenges are:

• A photographic record that shows where the data is being collected from, or the collection process in general.

• Placing a tamper-proof seal with a serial number on the system being collected, or on the original disk.

• Small items collected as evidence should be kept in tamper-proof evidence collection bags.

• A standard composition notebook that provides a log of the investigation procedures.

• Forms that contain a chain of custody to document the transfer of evidence from one location to another.

• Original media forms that are used to track any access to the disk media of the original system.

• Analysis worksheets to track, and manage the investigation case processing.

Brown (2009) explained that implementing a digital log-keeping mechanism in the forensic investigation can be
beneficial, especially for large-system seizures, where an inventory system and bar-coded tracking can be used to
speed up the forensic collection process. Other methods for keeping a record of the forensic processing are Microsoft
Word, Notepad, and digital voice recording. To avoid attacks on the evidence and on the authenticity of the digital
documentation, the following steps should be considered:

• An Access Control List (ACL) and operating system security should be used to protect file access.

• Successful and failed accesses to the file should be logged.

• Digital time stamping should be used on any file access.

• A backup process of the log file should be established periodically.

• A printout of the case should be made periodically.
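Beyond access control and backups, a digital case log can be made tamper-evident in its own right. The following added example (not Brown's mechanism or any tool from the article) keeps the fields the article says a digital log and, later, a Timetable document need: date and time, the person acting, the evidence item, and a description of the operation. Each entry also carries the SHA-256 of the previous entry, so editing or deleting an earlier entry breaks verification of every later one. Examiner names, evidence ids and timestamps are constructed sample data.

```python
"""Tamper-evident digital timetable for a forensic case.

Added example, not the article's or Brown's own mechanism. Each entry
records date/time, examiner, evidence item and description, and is
chained to the previous entry by SHA-256 so after-the-fact edits or
deletions are detected on verification. All names and times below are
constructed sample data.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone


class Timetable:
    GENESIS = "0" * 64  # previous-hash value used by the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash every field except the entry's own hash, with a canonical
        # JSON encoding so the digest is reproducible.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, examiner: str, evidence_id: str, description: str, when: datetime = None) -> str:
        """Append one operation and return its hash (to quote in the acquisition report)."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when.astimezone(timezone.utc).isoformat(),
            "examiner": examiner,
            "evidence_id": evidence_id,
            "description": description,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def build_sample_timetable() -> Timetable:
    """Constructed case log: three operations on one evidence item."""
    log = Timetable()
    base = datetime(2013, 3, 4, 9, 0, tzinfo=timezone.utc)
    log.record("J. Doe (examiner)", "HD-001", "Seized 500 GB drive, sealed in bag #A17", base)
    log.record("J. Doe (examiner)", "HD-001", "Bit-stream image created, MD5 recorded", base.replace(hour=10))
    log.record("A. Roe (analyst)", "HD-001", "Keyword search run on the image", base.replace(hour=14))
    return log


def tampered_copy(log: Timetable, seq: int, new_description: str) -> Timetable:
    """Simulate an after-the-fact edit of entry `seq` made without re-chaining."""
    other = copy.deepcopy(log)
    other.entries[seq - 1]["description"] = new_description
    return other


if __name__ == "__main__":
    log = build_sample_timetable()
    print(log.to_json())
    print("intact:", log.verify())
    print("after edit:", tampered_copy(log, 2, "No image was made").verify())
```

The chain only proves that the log was not rewritten after the fact; it does not replace the ACL, the access logging, or the periodic printout the article lists, and the last entry's hash is what should be copied into the printed or signed record so that the two can be compared later.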

Recommended

• Documenting the forensic investigation process using preformatted worksheets, chain-of-custody forms to record
the evidence handling steps, digital photos, and voice recordings are the recommended methods for keeping records
of all evidence collection and handling.

• A digital log of the forensic investigation process is a recommended method for keeping a track record of the
investigation. It is important that this file is protected by security mechanisms that ensure authenticity and prevent
evidence tampering.

Solomon and Broom (2005) explained that the success of a forensic investigation relies not only on the ability to
collect evidence but also on following the right methodology during evidence collection and handling, so that the
evidence can stand in a court of law. Documentary evidence (printed reports or data in log files) is also an important
part of any digital forensic case and must be authenticated. Access to documentary evidence should be proven to
have been restricted to the forensic examiner, and any alteration should be avoided. Some of the steps the forensic
examiner should follow while looking for documentary evidence are:

• All programs installed on the target system should be documented.

• All activity logs and audit files must be harvested.

• All application configuration files and the examined operating system must be documented.

• Any files that are created as a result of using any identified program should be documented.

• Computer usage and file access should be time-lined (dates/times) for each piece of evidence. Documenting the
system date and time settings at the time the evidence is collected during the forensic investigation is also crucial.

• The accuracy of the date and time stamps on a computer’s files depends on the accuracy of the date and time in
the computer’s CMOS chip. It is important to document the accuracy of this setting on the seized computer in order to
validate the accuracy of the dates and times associated with any relevant computer files.

• If the forensic investigation case is intended to stand in a court of law, additional documentation of the damage
caused to the organization should be included in the case, such as:

a The estimated number of hours spent on incident response and evidence recovery.

b The cost of damaged equipment involved in the case.

c The estimated value of data lost.

d The estimated cost of loss of revenue.

e The estimated value of any trade secret information.

Solomon and Broom (2005) pointed out that the forensic examiner should establish a standardized template for the
forensic report that contains information focused on the forensic case. The forensic report should include the
following information:

• Name of the case investigation and the reporting agency.

• Case number.

• Date of the report.

• List of the items examined.

• Description of the examination process.

• The results and/or conclusions of the investigation.

Solomon and Broom (2005) described a typical report format consisting of several independent sections, broken
down in the following order:

• Summary of findings – a brief explanation of the circumstances that required the investigation and the names of
the individuals involved in the case.

• Objectives – where the purpose of the report, the name of the investigator, and the reporting agency are specified.

• Analysis – where a description of the evidence and the steps taken to process the evidence are provided.

• Findings – where specific information is listed in order of relevance or importance to the case. Information such as
data, evidence analysis, and techniques used during the investigation should be included in this section.

• Supporting documentation – the longest section of the report, containing information such as printouts of items of
evidence and chain of custody documentation.

Recommended

• The documentary evidence should gather information about the programs installed, investigation activities,
application configurations, and log files of the system in question.

• Additional documentation of the damage caused by the incident, including the number of hours spent on incident
response, the cost of damaged equipment, the estimated value of lost data and lost revenue, and the value of any
trade secrets, should be part of the case documentation.

• The final conclusion report of the case should be constructed to include the summary of findings and any
supporting documents that can be presented at the end of the investigation process.

Forte (2008) explained that a digital investigation follows certain principles that promote accurate documentation of
the computer forensics operations of a media acquisition. These principles are:

• It is important that the forensic examiner documents the forensic operational phases, including the date and time
of each operation and information about every action taken.

• The difference between the actual time, the clock of the system in question, and the time zone should be
documented during the forensic investigation.

• The changes to the collected data during the forensic investigation should be minimized and documented.

• Bit-level copying should be used for forensic evidence duplication, and the process should be documented.

• To maintain the reliability and authenticity of the evidence acquisition, and of how the evidence was subsequently
handled, essential documents must be maintained through these phases. These documents are the Timetable and
the Chain of Custody. The Chain of Custody (CoC) must include the following information:

a Acquisition information – when, where, and by whom the evidence was acquired, and what method was used.

b Custody – what methods were used for evidence preservation, and who had possession of the evidence.

c Processing – how the evidence cloning and analysis were done.

d Transfer – evidence transfers from one possessor to another should be recorded with the signature of the new keeper.

e Final fate – any information about secure deletion or destruction of the evidence, or its return to the owner, should
be reported.

• The Timetable document should be used to track all operations carried out on the evidence in sequential order.
Each operation is recorded with the date and time of the event, a description of the operation, and the name of the
person who performed it.

• To ensure the integrity of the acquired evidence and data throughout all phases of the forensic process, read-only
software and hardware tools help to fulfil these requirements.

• Hash verification is an important process that ensures the accuracy of the evidence duplication process, and the
hash algorithm used should adhere to the following principles:

a One-way property – this property ensures that it is impossible to generate the input data from the hash value.

b Uniqueness – this property ensures that two different inputs will never generate the same hash value using the
same algorithm.

c Repeatability – this property ensures that a given input will always produce the same hash value.

The hash verification process should be carried out when the duplication process of the evidence was performed.
Both SHA-1 and MD5 maintain the above properties. The same procedures must be applied during the reversing
process of the evidence acquisition.

• The acquisition report should maintain a record of the hash value used during the evidence cloning process
where such report will be submitted to the people involved in the forensic investigation. Such procedure maintains
transparency to the team involved in the investigation, and also ensures that no changes were made to the
acquired evidence.
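The duplication check and acquisition-report entry described above, as an added example (not code from the article or from any tool it names). The "media" is a constructed byte string standing in for a source disk and its bit-level copy; the `hash_stream()` reader works the same way on a real image file opened in binary mode. The record's field names (`evidence_id`, `acquired_by`, `method`, `hashes`) are this example's own; the article prescribes the content of the report, not a format.

```python
"""Hash verification of a forensic duplicate.

Added example (not code from the article). ORIGINAL_MEDIA is a constructed
byte string standing in for the source medium; a real image would be read
from a file object in chunks exactly as hash_stream() does here.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample "media": a couple of KiB of bytes play the role of a disk image.
ORIGINAL_MEDIA = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"evidence data" * 100
CHUNK_SIZE = 4096                        # chunked reads keep memory use independent of image size
ALGORITHMS = ("md5", "sha1", "sha256")   # the article names MD5 and SHA-1; SHA-256 is added here


def hash_stream(stream, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for a file-like object, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_duplicate(original, duplicate):
    """Hash source and copy independently and report whether every digest agrees.

    All algorithms must match: a mismatch in any one of them means the copy is
    not bit-identical and the acquisition has to be repeated.
    """
    source = hash_bytes(original)
    copy = hash_bytes(duplicate)
    return {
        "source": source,
        "copy": copy,
        "match": all(source[name] == copy[name] for name in source),
    }


def acquisition_record(evidence_id, examiner, method, result, when=None):
    """Build the acquisition-report entry (who, when, method, hashes) that travels with the CoC."""
    when = when or datetime.now(timezone.utc)   # record in UTC, as the article recommends
    return {
        "evidence_id": evidence_id,
        "acquired_by": examiner,
        "acquired_at_utc": when.isoformat(),
        "method": method,
        "hashes": result["source"],
        "duplicate_verified": result["match"],
    }


if __name__ == "__main__":
    good_copy = bytes(ORIGINAL_MEDIA)            # a faithful bit-level copy
    bad_copy = ORIGINAL_MEDIA[:-1] + b"\x01"     # the same copy with its last byte altered
    print("intact copy matches:", verify_duplicate(ORIGINAL_MEDIA, good_copy)["match"])
    print("altered copy matches:", verify_duplicate(ORIGINAL_MEDIA, bad_copy)["match"])
    record = acquisition_record("EV-0001 (placeholder)", "Examiner A (placeholder)",
                                "bit-level copy", verify_duplicate(ORIGINAL_MEDIA, good_copy))
    print(json.dumps(record, indent=2))
```

Recording more than one digest is the practitioner's safeguard: collisions for both MD5 and SHA-1 have been demonstrated since this article was written, so a report that also carries a SHA-256 value stays verifiable even if one of the older algorithms is challenged in court.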

Recommended

• During the forensic investigation, both the Timetable and Chain-of-Custody documents should be updated for each
event with its associated time and date and the people who performed the event.

• SHA-1 and MD5 are both essential and reliable tools that implement the basic evidence cloning properties:
the one-way property, uniqueness, and repeatability. The same procedures must be applied during the reverse
process of the evidence acquisition.

• The acquisition report should be used during the forensic investigation, where it maintains a record of the hash
value used during the cloning process. The report maintains transparency for the team involved in the investigation,
and also ensures that no changes were made to the acquired evidence.

Steel (2006) defined the Chain of Custody document as a document that maintains records of the possessor and
the location of each piece of evidence from its initial collection through its potential use in a court case. The first custodian
in the chain of custody is the initial individual who secures the evidence. When such evidence is presented in court,
the chain of custody form represents a piece of evidence that can prove validity, and it should show the following
information:

• The evidence presented in court is the same evidence collected during the investigation's acquisition
process.

• At all points in time, the location of the evidence was known to the forensic team.

• At all points in time, an evidence custodian was assigned.

• No individuals outside of the forensic team had access to the evidence.

• During the forensic investigation process, the evidence was not inadvertently or intentionally modified.

Figure 4 - A sample of the Chain of Custody Form

Chain of Custody
  Collected by: ______________   Signature: ______________   Date: __________
  Original Location of the Evidence: ____________________________
  Evidence #  |  Quantity  |  Description

Custody Log
  Evidence #  |  Quantity  |  Received By (Name / Signature)  |  Received By (Name / Signature)
  (four blank rows follow, each with Name: and Signature: fields in both "Received By" columns)
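The custody log behind the sample form, as an added example (not code from the article or from Steel): a sequence of custody events for one evidence item, checked for the properties listed above (a known custodian and location at every point, a signed hand-over for each transfer, and an unchanged evidence hash throughout). All names, dates, locations and hash values are constructed placeholders, and the event types (`collected`, `processing`, `transfer`, `final`) mirror the CoC entries described earlier in the section.

```python
"""Chain-of-custody log check.

Added example (not code from the article). It models the custody log behind
the sample form: a sequence of custody events for one evidence item, checked
for the properties Steel lists (known custodian and location at every point,
signed transfers, unchanged evidence). All names, times and hash values are
constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class CustodyEvent:
    when: datetime        # Timetable entry: date/time of the event
    action: str           # "collected", "processing", "transfer" or "final"
    from_person: str      # releasing custodian ("" for the initial collection)
    to_person: str        # custodian after the event (the signing party)
    location: str         # where the evidence was at this point
    evidence_hash: str    # hash recorded for the item at this step
    signed: bool          # signature of the (new) keeper present on the form


def check_chain(events):
    """Return a list of problems found; an empty list means the chain is intact."""
    problems = []
    if not events or events[0].action != "collected":
        return ["chain does not start with a collection event"]
    if not events[0].signed:
        problems.append("event 0: collector did not sign")
    reference_hash = events[0].evidence_hash    # the acquisition hash every later step must match
    custodian = events[0].to_person             # the first custodian is whoever secured the item
    for i in range(1, len(events)):
        prev, cur = events[i - 1], events[i]
        if cur.when < prev.when:
            problems.append(f"event {i}: timestamp earlier than event {i - 1}")
        if not cur.location:
            problems.append(f"event {i}: location not recorded")
        if cur.evidence_hash != reference_hash:
            problems.append(f"event {i}: recorded hash differs from acquisition hash")
        if cur.action == "transfer":
            if cur.from_person != custodian:
                problems.append(f"event {i}: released by {cur.from_person!r} "
                                f"but custodian was {custodian!r}")
            if not cur.signed:
                problems.append(f"event {i}: receiver {cur.to_person!r} did not sign")
            custodian = cur.to_person           # custody passes to the new keeper
        elif cur.to_person != custodian:
            # processing or final disposition by someone who never took custody
            problems.append(f"event {i}: {cur.action} by {cur.to_person!r} "
                            f"who is not the custodian {custodian!r}")
    return problems


HASH_A = "0" * 40   # constructed placeholder for the SHA-1 recorded at acquisition
HASH_B = "f" * 40   # a different value, standing in for an altered item


def example_intact():
    """A well-formed custody log: collect, image, hand over, analyse, return to owner."""
    return [
        CustodyEvent(datetime(2013, 4, 1, 9, 0), "collected", "", "Examiner A", "scene", HASH_A, True),
        CustodyEvent(datetime(2013, 4, 1, 10, 30), "processing", "Examiner A", "Examiner A", "lab 1", HASH_A, True),
        CustodyEvent(datetime(2013, 4, 2, 8, 0), "transfer", "Examiner A", "Examiner B", "lab 2", HASH_A, True),
        CustodyEvent(datetime(2013, 4, 3, 14, 0), "processing", "Examiner B", "Examiner B", "lab 2", HASH_A, True),
        CustodyEvent(datetime(2013, 5, 1, 11, 0), "final", "Examiner B", "Examiner B", "returned", HASH_A, True),
    ]


def example_broken():
    """The same log with an unsigned hand-over from the wrong person and a changed hash."""
    events = example_intact()
    events[2] = CustodyEvent(datetime(2013, 4, 2, 8, 0), "transfer", "Examiner C", "Examiner B", "lab 2", HASH_A, False)
    events[3] = CustodyEvent(datetime(2013, 4, 3, 14, 0), "processing", "Examiner B", "Examiner B", "lab 2", HASH_B, True)
    return events


if __name__ == "__main__":
    print("intact:", check_chain(example_intact()) or "no problems")
    for problem in check_chain(example_broken()):
        print("broken:", problem)
```

The check is the one an examiner performs by hand when the form reaches court: every gap it reports (a hand-over nobody signed, a custodian who never received the item, a hash that no longer matches the acquisition record) is exactly the kind of break that lets opposing counsel challenge the evidence.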

Once the forensic investigation is completed, the forensic examiner has to deal with the non-technical part of the process,
which is reporting. Reporting is nonetheless a crucial part of the forensic investigation, since it relates the facts
and results of the investigation to the audience of the case. The purpose of the report is to discuss the findings
of the investigation, and as such the most important feature of the report is that it be concise, clear and factual. The report
represents a communication channel between the investigator and the audience of the case, so what is written in
the report should be understandable and supported with evidence. Only events that can be re-created or reconstructed, or
whose credibility rests on reliable sources, should be represented in this report (Philipp and Davis, 2010).

Philipp and Davis (2010) pointed out that different types of reports are required for different situations, and that they should
reflect the magnitude of the effort required for the tasks undertaken. The types of reports are:

• Internal Reports – an informal presentation of the investigation's findings that explains any risks that
may arise from the evidence or the legal assumptions that will be encountered in the case. The report is intended
for internal use only. Most of these reports begin with a statement describing the case within the
executive summary, followed by the high-level facts gathered during the investigation.

• Affidavits – declarations that require a notarized signature. The request for such a document is
based on the court's needs, and the type of motion the case will be supporting in court.

• Declarations – if the forensic case is required to proceed with legal action, this document is used by the
attorneys to support the legal actions and the motions they present in court. The difference between the
Internal Report and the Declaration is that the Declaration should be understood and viewed by the
opposing counsel and the judge.

• Expert Reports – a formal report that will be presented in court. The document stands alone when
submitted to the courts; it states facts, clearly supports conclusions and opinions, and explains the details of the
case.

Recommended

• Once the forensic investigation is complete, different types of reports can be produced by the forensic examiner
that present facts and details about the investigation results and findings. The types of such reports are:

• Internal Report – an informal presentation of the investigation's findings that details the results of the
investigation's evidence.

• Expert Report – a formal report that can be presented to a court of law. The report states facts and opinions,
supports conclusions, and explains the details of the case.

CONCLUSION
• The research effort conducted through this article represents a literature review of the basic principles of the digital
forensic investigation process. The literature review encompasses various views of the forensic process
drawn from various sources of digital forensic research, such as use cases, surveys, test results, and best
practices and recommendations suggested by forensic experts and forensic researchers. The main goal of
this effort is to create the framework for the cyber forensic Selection Criteria, which can be used either for creating
the Cyber Forensic Model the article is intended to achieve, or for utilizing the criteria to help construct a cyber
forensic model that can be used by any organization.

• It is important to point out that the literature review was dedicated to the Windows environment as the basic platform
for such criteria. The final product of this article is the framework of the Selection Criteria, which can be used as
a basic foundation for other research to build on.

• To take a close look through the literature review of the digital forensic process, the research
encompasses different forensic containers such as desktops, storage media, live networks, browsers, and mobile
devices. The main reason for including these containers is that the forensic evidence in any cyber crime
can reside in any of them.

• The reader of the article will find a comprehensive summary of the outcome of each segment of the literature
review used to conduct this research. The summary of each outcome can be found under the
"Recommended" section at the end of each literature review segment. These recommendations were used to
construct the framework of the Selection Criteria, where the recommended procedures and tools of the forensic
process were incorporated within the framework.

The conclusion of this article is represented in the Framework of the Selection Criteria. Table 3 shows the layout of the
framework.

• The Framework encompasses the digital forensic process, the recommendations on the procedures involved in
these processes that emerged from the research, and the recommendations on the tools that can be utilized
within these procedures to achieve the tasks and the steps required to obtain, analyze and present digital
forensic evidence.

• The recommendations summarized in the layout of the framework can be used as a baseline for many
organizations, helping them choose the right tools and procedures for the task. The constructed framework has
the potential to be extended to include more platforms and more tools, both commercial and
open source.

• Finally, it is important to point out that all the recommendations included within the Selection Criteria are based on
the outcomes of the literature review, and all the recommended tools within the Selection Criteria are based
on test results reviewed through the literature review conducted by this research.

Table 3- The framework of the selection criteria

Columns: Process Name | Recommendations for the used Procedures | Recommendations for the used tools

Process: Identification

Recommendations for the used procedures:
• All forensic investigations should provide an automated auditing process to avoid any human errors during the evaluation of the forensic tools' results.
• Auditing tools should be independent from the forensic tools.
• A write-blocker should be applied during the forensic investigation to prevent the forensic tools from altering evidence artifacts.
• All forensic investigation processes and procedures have to be recorded in an audit log.
• All forensic investigations have to be performed on an identical copy of the media in question.
• Memory analysis will allow a higher success rate in locating encryption keys.
• A memory dumping procedure should be part of the forensic identification process.
• When the cold booting method is used to dump data from a system's memory, it is essential that the forensic examiner control the boot sequence to load the custom Operating System (OS).
• It is imperative to identify whether a digital crime scene contains a system that uses cryptography at the point of acquisition. Failing to detect that the volume mounted on the target computer is encrypted can potentially prevent crucial digital evidence from being accessible.
• It is important that the forensic examiner capture the right time zone and daylight saving time used by the suspect's computer, and that such time is translated to the right Coordinated Universal Time (UTC) if local time has been used.
• CMOS time in relation to the actual time should be recorded on the examined or seized system.
• The computer's current time zone should be established from the system's Registry hives.
• It is imperative for the forensic investigator to identify the type of time structure, such as UTC or local time.
• The same application versions and operating system used by the computer being examined should be used to test the results of the forensic investigation.
• Research keywords used during the investigation of evidence in Instant Messenger communications should consider the informal language and acronyms used during the conversation.
• Screen names, the Buddy List and Registry settings are very important sources of evidence for instant messenger investigation.
• Dates and times associated with the findings should be considered during the evidence acquisition process.
• The investigation of Internet criminals' activities shouldn't be confined to a single file for a specific browser, since the suspected user can use various web browsers to commit the crime.
• In searching for cyber activities, log files, cookies, history, and downloads are crucial components in investigating online activities.
• In conducting an investigation related to collecting web browser evidence, it is essential that the investigation performs integrated analysis of various browsers at the same time, using timeline analysis that can detect the suspect's movements over time.
• The search words must be included in the investigation to conclude the objectives and the characteristics of the suspect.
• The forensic examiner can't perform the investigation on the assumption that the presented file type is accurate; extra examination has to be done on the file header to identify the actual file type.
• File profiling is an important procedure used in the file identification process, through which the file type, the capability, and the functionality of the file will be identified.

Recommendations for the used tools:
• A forensic software tool such as 'regdat' is a recommended tool to examine the Registry file and search for information within the Registry hives.
• WEFA (Web Browser Forensic Analyzer) is an integrated forensic tool that can be used to investigate the online activities of the suspected machine. The tool also generates reports based on the information selected by the examiner during the digital investigation. The tool represents an improvement on the weak points of the other forensic tools that are used for collecting and analyzing browser information related to a cyber crime case.
• It is important to identify the suspected file's dependencies during the file identification process. One of the tools that can be used to identify whether the file is linked dynamically or statically is the DUMPBIN command-line utility.
• Before the file examination process, it is paramount for the forensic examiner to perform the following:
  • Maintain the integrity of the file by assigning a digital fingerprint or unique identifier to the file using a tool such as Message-Digest 5 (MD5), by which a hash can be generated.
  • For file identification and classification, tools such as TrIDNet, Digital Record Object Identifier (DROID) and FileAlyzer can be used.
Process: Preservation (Collection/Acquisition)

Recommendations for the used procedures:
• System Administrator-level access is required to preserve evidence from the suspected computer over the network (remote access).
• To establish the connection between the suspected computer and the forensic examiner, a piece of software (the Servlet) must be uploaded to the suspected computer's memory.
• The Servlet software can be deployed from a removable hard drive to avoid storing the software's required files on the suspected computer and modifying its registry.
• The Servlet should be installed as a service to maintain the connection between the examiner's machine and the suspected computer.
• The network connection used between the suspected computer and the examiner's machine should use an unrestricted port.
• As Service-Oriented Architecture (SOA) becomes an essential architecture within many organizations, a forensic framework that promotes proactive techniques to collect digital forensic evidence is highly required. Such techniques should implement a network traffic records log file system, and also ensure that the hardware devices deployed within the architecture are capturing forensic evidence.
• The preservation of data must take place before any investigation, where the original data has to be copied and sealed using one-way hash functions to provide proof of data integrity.
• During the digital forensic investigation, the digital evidence must be fully preserved and documented.
• The seizure and transportation of digital evidence should be reported in a chain of custody document.
• Digital evidence is fragile and can be altered, modified, or damaged; as such, evidence media should be handled in antistatic packaging.
• Exposure to extreme cold, heat, and humidity should be avoided when digital evidence is handled or transported.
• Intrusion Detection Systems should be configured to create multiple independent streams of evidence that can corroborate each other.
• Evidence collection via IDS should be carried out against a checklist that allows such evidence to be admissible in a court of law.
• IDS should be configured to prevent any tampering with the log files they produce.
• The limitations of the above forensic software tools should be considered, since the mobile device may prevent such tools from accessing deleted files on the removable storage of such devices.
• The sources of information available on mobile devices are: main storage, removable storage, the embedded database on the main storage that may carry detailed artifacts about calls, contacts, and communications (MMS and email messages), and the Windows Registry.
• It is imperative that the testing criteria be free of ambiguity, and they should be limited to the specific parameters used in previous tests.
• Bit-stream copying is more accurate than disk imaging, and it will provide a high percentage of data integrity.
• The first responders to a digital crime scene should adhere to the rules that eliminate evidence contamination.
• Identifying the containers of volatile data is a very important task for first responders in a digital forensic investigation. Some of these containers are: the computer's memory, the printer's memory or the printer's hard disk or permanent storage.
• Volatile data that can be collected from physical memory during the forensic investigation usually contains valuable information such as passwords and encryption keys, and it should be considered an essential part of the evidence acquisition.
• Processed volatile physical memory contents should be treated as a supplement to the collected raw physical memory during the forensic investigation.
• In investigating a Windows Mobile device, it is important for the forensic investigator to utilize a diverse range of tools for the acquisition and examination of the information held on the mobile device. The results obtained from different tools should be compared for differences, and such differences can become part of the evidence presentation process.
• The traditional digital evidence collection methodology (bit-stream or sector-by-sector) can be used for small-volume media, where the cost and resources are relatively suitable for such a process.
• The Risk Sensitive Evidence Collection methodology (applying search and filtering on live data to select an evidence data set) can be used for large-volume media (e.g. mounted volumes greater than 200 GB), where cost and resources can be optimized since irrelevant data can be minimized by applying filtering and searching of live data before evidence collection.
• To improve the process of forensic acquisition in a live network, the following guidelines should be considered:
  • Multiple corroborating sources of evidence collection will increase the chances of acquiring a complete set of evidence. In addition, specific deceptive behaviors may be revealed when several sources of collection are in place.
  • To protect the integrity of collected evidence, network write-blocking should be a basic principle of the evidence collection process.
• To maintain evidence collection integrity, the forensic tools used for the live network evidence collection process must have the following characteristics:
  • The tool should provide a precise network timestamp for the collected data.
  • The tool should be resistant to corruption of the collected data or malicious attack.
  • The tool must provide signing and hashing capability for the data collected.
  • The tool must be sensitive to encrypted data.
  • The tool should have the capability to validate the evidence collection.
  • The tool must provide a logging capability.
• The collection process must implement the principles of chain of custody and preservation for the collected network forensic evidence.
• All data obtained through the forensic acquisition must be cryptographically hashed using standard algorithms such as SHA-1 or MD5 at the time of acquisition.
• It is recommended that previously saved data be encrypted, and that the decryption keys be handled via a formal approval process.
• Documenting the live network acquisition process will help create a qualitative description of the acquisition. Such documentation can use a detailed technical description of the acquisition process, and some of these details might include:
  • Precise recording of what was ignored and what was acquired.
  • Any modification that was made to the network layers during the collection.
  • Enough technical detail to reveal any suspicion related to reliability or authenticity, or problems that occurred during the acquisition. A useful method of documenting live network evidence collection is to use a packet sniffer and the built-in logging capabilities that exist in most acquisition tools.
• During the acquisition process, recording accurate timestamps for the collected evidence is very important. Time-stamping will provide more accurate correlation with other independent sources of evidence, and also helps establish an accurate sequential ordering of the data collection events.

Recommendations for the used tools:
• The Servlet can be deployed through a desktop management solution. If such a tool is unavailable, forensic examiners can use tools such as DameWare, PsExec or Secure Shell (SSH).
• Both ProDiscover IR 3.5 (PDIR) and EnCase Enterprise Edition 4.19a (EEE) are recommended for remote access for incident response and digital evidence acquisition.
• XACT and ITSUTILS are both recommended forensic acquisition tools for Windows Mobile devices. Both tools require software (ActiveSync) to be installed on the device to perform the data acquisition process. This requirement represents a limitation of such tools, since the installation will change the Windows registry on the device.
• In testing forensic software tools, the test guidelines and criteria produced by both CFTT and SWGDE should be used.
• The Logicube Omniclone 2xi is a recommended tool for the preservation (collection) process.
• EnCase is a reliable acquisition tool that can access the hidden and visible sectors on the media subjected to the digital investigation.
• It is good forensic practice to wipe the forensic drive before using it. EnCase has the capability to sterilize or wipe the forensic drive before it is used in the forensic acquisition process.
• The RCMP HDL V0.8 software write-block tool is recommended for use during the data acquisition of any media. The tool is reliable and functions as per its documented behavior.
• The dd utility is recommended for the digital forensic acquisition process, where a disk image or bit-stream duplicate can be obtained from the source media of the suspected computer.
• The Paraben Device Seizure 2.1 tool is recommended for the mobile device acquisition process during the digital forensic investigation. The tool can maintain data integrity during the acquisition of the mobile device's internal memory and the physical storage media on the device.
• The following forensic tools can be used on Windows Mobile devices:
  • The Xpdumpcedb.exe tool, the Wmdumpedb.exe tool, and Python scripts can be used to investigate the embedded database files (Pim.vol) and (Cemail.vol).
  • A Python script called Msgcrving.py can be used to recover the message directory structure, reconstruct the TFAT file system, and recover deleted contents from the (Cemail.vol) database file.
  • Microsoft Remote Registry Editor can be used to examine the various registry hives stored on the device.
Process: Extraction (Examination)

Recommendations for the used procedures:
• There is a huge potential of evidence that can be collected during the forensic investigation, and such information can't be ignored; it should be considered an essential part of the forensic investigation.
• To increase the findings from the accumulated information about the Peep attack during the forensic investigation, the following techniques must be employed:
  • Off-line examination of abnormal files, where the network default settings and configuration are examined, currently running processes are examined for any malicious programs, unusual files are examined, and unusual executable files and their method of operation are examined.
  • On-line analysis of sniffed packets, where the network connectivity and network traffic are examined in an effort to trace back the upper tiers of suspected machines. Also, applying silent packet sniffing on the network will help collect information about the intrusion activities and further attacks.
• The identification of encrypted systems is an important step in the forensic investigation. Once encrypted media is identified in a live system, pulling the plug is not an acceptable approach, since valuable information about the encryption key and passphrase may be lost when the system is off.
• The best approach for the forensic investigator is to acquire data from an FDE system via live imaging of the volatile and non-volatile data from the system in question.
• Although offline imaging is the simplest procedure in forensic acquisition, it can be time consuming. However, the procedure has no risk involved, since the suspected device is usually connected to the forensic machine using a write-blocker device.
• In data acquisition and examination, there are four types of evidential data that can contain valuable forensic information: live data, deleted data, swap space, and slack space.
• The choice of which tool to use for a specific process depends on various factors such as:
  a. The operating system and the file systems that such tools can support.
  b. Price can be an important factor when the budget is limited.
  c. The functionality of such tools can be important when specific procedures are required to be achieved.
  d. Personal preference is another factor, where the forensic investigator can have a specific preference for a specific tool.

Recommendations for the used tools:
• To extract and interpret the information that can be found in the Windows Registry, both Register Viewer and AccessData's Registry Viewer are good tools to use during the forensic investigation.
• Applying the clustering approach in both the EnCase and FTK forensic tools will improve information retrieval effectiveness and reduce the IR overhead associated with reviewing non-relevant search hits.
• Acquisition tools such as MoonSols Windows Memory Toolkit, HBGary's Fastdump Pro, and GMG Systems' KnTTools can be used for preservation of volatile memory for many versions of Windows operating systems.
• Firewire direct memory access tools are another method of acquiring physical memory dumps. Tools such as remote forensic tools (F-Response) and Passware Kit Forensic can be used for physical memory dumps.
• Physical memory dumps can be examined using forensic examination tools such as Volatility, HBGary's Responder, MoonSols Windows Memory Toolkit, KnTList, and Mandiant's Memoryze.
• The CyberHunter tool can be used to alert the forensic examiner to any full disk encryption (FDE) and mounted encrypted media on running systems. The purpose of this tool is to flag the need for more complex acquisition procedures during the forensic investigation.
• The Hotplug tool offers no interactive access to the live system, while allowing the forensic examiner to obtain a backup of the running system.
• Online previewing requires the suspect's system to be live; read-only software can be used to obtain an image of the system in question using one of the following tools: EnCase, Forensic Toolkit (FTK), SMART, Sleuthkit and Autopsy.

Process: Interpretation (Analysis)

Recommendations for the used tools:
• The forensic analysis process should include the right tools to obtain the forensic evidence for the cyber crime incident. Recommended tools used for evidence acquisition, analysis and reporting in a forensic investigation are: EnCase, DFF, FTK for Windows, TSK, Helix, LiveView.
• The following built-in command-line tools for the Windows operating system can be used in the forensic analysis: nslookup / traceroute / tcpslice / netstat / nbtstat / whois / ping / dig.
• Some of the forensic analysis tools for Windows that are recommended to conduct network forensic analysis are: NetIntercept / NetWitness / NetDetector / Iris / Infinistream / OmniPeek / SilentRunner / NetworkMiner / Xplico. These tools capture network traffic for further analysis during the forensic investigation.
• SNORT is a recommended Intrusion Detection System that can be used to collect network attack data that can be further analyzed by the forensic tools.
• Memory acquisition with the user-level application technique is a recommended approach that can be used to obtain information from the machine in question. Software forensic tools such as Data Dumper (dd) and Process Dumper (PD) are recommended for this approach.
• Kernel-level drivers such as ManTech's Memory DD (mdd), Memoryze, MoonSols' Windows Memory Toolkit, WinEn, EnCase, AccessData Toolkit, KnTTools, and Fastdump Pro, used via the memory acquisition with kernel-level applications approach, are recommended tools for memory acquisition.
• Once email messages are deleted from the e-mail applications, forensic tools such as Disk Investigator or SectorSpy can perform a key search to recover the e-mail messages from the media of the suspected computer.
• Once the cache files are located, a forensic tool such as CacheMonitor can be used to browse the cache file content.
• Potential evidence can be found in hidden, password-protected files on the suspect's computer. Once the files are located, special forensic software can be used to crack the password and recover the file contents. Some of these applications are: Password Crackers, Discount Password Recovery, Zip Password Finder, and Ultimate Zip Cracker.
• One of the forensic tools that can perform the bit-stream copy is SafeBack. Another important tool used before the forensic analysis is the GetTime tool, which is used to document the date and time settings of the system in question by reading the system date/time from CMOS.
• Once the bit-stream backup is complete, the forensic examiner can use the FileList tool to catalogue the contents of the disk.
• Other forensic tools that can be used for obtaining images of the media in question, and also for conducting analysis on the data acquired, are: GetFree, GetSwap, GetSlack, Filter_I, TextSearch Plus, CRCMD5, DiskSig, DOC, Mcrypt, Micro-Zap, and AnaDisk.

Recommendations for the used procedures:
• The system baseline approach is a recommended mechanism that can be used to quickly identify and analyze changes. Once the baseline attributes are identified, it is easy to obtain a snapshot of the system, compare the results with the baseline to identify changes, and obtain forensic evidence from such discrepancies.
• Implementing the right network forensic model, deployed in the right framework, will ensure that the investigation of the attacks can be traced back to the source of the crime (e.g. a specific network, host, or person).
• Intrusion Detection Systems (IDS) can be used for evidence collection; however, certain steps should be followed to guarantee accurate data collection, and some of these steps are:
  • Fine-tuning of the IDS can be achieved by analyzing alerts and regular monitoring of such systems.
  • Continuous fine-tuning of the rule sets of such systems and their configuration to limit their log files for further forensic analysis.
  • Regular updates of IDS rules are highly required to keep up with the ever-changing information systems environment.
• Memory acquisition with the help of virtualization represents an accurate approach to obtaining a copy of the memory dumps of the suspected machine. The approach will obtain a snapshot of the main memory of the host system with little forensic effort.
• The approach that involves examining the information stored either directly in RAM or in the local page file is the recommended approach to obtain the information maintained in such evidence containers.
• In recovering email messages, the forensic examiner can locate email messages in one of these locations: Inbox/Outbox/Draft/Sent Messages.
• The following questions have to be considered whenever computer forensic analysis is conducted:
  a. What is the link between the hacker and the data obtained during the acquisition process?
  b. What organizational liability might have been undermined?
  c. Has the system really been attacked or compromised?
  d. Are there system audit logs, and can such logs be trusted?
  e. Are the system's data files backed up, and can they be used as baseline references?
• The following steps have to be considered to achieve a successful analysis process:
  a. The system and data should be isolated to reduce the risk of a cascading failure and prevent the corruption of other systems.
  b. The state of the system should be maintained so that an exact image of the system can be preserved for any further analysis and prosecution.
  c. The system(s) in question should be physically disconnected from the network to eliminate any connectivity of the infected system.
  d. It is essential to collect some non-technical information, such as the time and date when the incident occurred and the times and dates when the investigation started and ended.
  e. A separate copy of the system should be obtained for further investigation, searching, and analysis.
  f. Validating the copy obtained from the original system is an important process to ensure that a legitimate and confirmed copy of the system has been made. An MD5 checksum can be used to verify that the copy of the system is an exact match of the original state of the system in question.
• During the forensic analysis process, different techniques can be used to obtain conclusions and results in the cyber forensic case. Some of these techniques are: live system analysis, file system analysis, Internet analysis, email forensics, log file analysis, and network monitoring.
• A combination of the above techniques is recommended to obtain
accurate results and also to validate such results from different
evidence containers.
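Step (f) above rests on a checksum to prove that the working copy is an exact match of the original. The script below is an added example, not code from the article or from any of the tools it names. It hashes an image in a single streaming pass with both MD5 and SHA-1 (the two digests the Documentation row recommends), compares a copy against the original, and shows that a copy with one altered byte is rejected. The file names, the sample image bytes and the 1 MiB chunk size are constructed for the example; a real acquisition would record the digests in the acquisition report alongside the image.

```python
"""Added example: verify a forensic copy against its original by streaming hash.

Everything here (file names, sample bytes, chunk size) is constructed for the
demonstration; it is not the article's or any forensic tool's own code."""
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024            # 1 MiB reads: a multi-GB image never has to fit in RAM
ALGORITHMS = ("md5", "sha1")   # the two digests the article's Documentation row names


def hash_stream(fh, algorithms=ALGORITHMS):
    """One pass over a binary file object; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (used for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_copy(original_path, copy_path):
    """Hash both sides independently and compare every digest.

    Returns (verified, report). Hashing the original again rather than trusting
    a remembered value is the 'repeatability' property the article relies on:
    the same bytes must give the same digest on every run, by anyone."""
    ref = hash_file(original_path)
    got = hash_file(copy_path)
    verified = all(ref[a] == got[a] for a in ref)
    return verified, {"original": ref, "copy": got, "verified": verified}


def demo():
    """Constructed scenario: an 'original', an intact copy and a copy with one
    flipped bit. Returns (intact_verified, altered_verified) -> (True, False)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.dd")
        good = os.path.join(d, "copy_good.dd")
        bad = os.path.join(d, "copy_bad.dd")
        data = os.urandom(3 * CHUNK + 123)  # constructed image, deliberately not chunk-aligned
        for p in (original, good):
            with open(p, "wb") as fh:
                fh.write(data)
        idx = len(data) // 2                 # flip a single bit in the middle of the copy
        with open(bad, "wb") as fh:
            fh.write(data[:idx] + bytes([data[idx] ^ 0x01]) + data[idx + 1:])
        return verify_copy(original, good)[0], verify_copy(original, bad)[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Computing both digests in the same pass costs one read of the image instead of two, which matters for large media; keeping the resulting report with the image is what lets a second examiner repeat the check later.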
Documentation (Reporting)
Description:
• During the digital forensic investigation, it is important for the forensic examiner to create a complete document of the crime scene. The document will include records of the scene, notes, sketches, and detailed records that can help recreate the crime scene later.
• It is imperative to use digital forensic tools that can produce an evidence assurance document that maintains the evidence chain-of-custody record. Such a tool should be integrated with the other forensic tools to maintain full documentation of the forensic investigation.
Tools:
• Once the information is extracted from the Registry, such information should be presented in a form that a non-technical individual can understand; since the Registry viewer doesn't have such capability, AccessData's Registry Viewer is the best tool for such tasks.
HOW TO DEVELOP A COMPUTER FORENSIC MODEL TO INVESTIGATE CYBER CRIMES – Part I 58/63

Documentation (Reporting), continued
Description:
• Documenting the forensic investigation processes using preformatted worksheets, a chain-of-custody form to report the evidence handling steps, digital photos, and voice recordings are recommended methods to keep records of all evidence collection and handling.
• A digital log of the forensic investigation process is a recommended method for keeping a track record of the forensic investigation. It is important for such a file to be protected through the implementation of a security mechanism that can ensure authenticity and prevent evidence tampering.
• The documentary evidence should gather information about the programs installed, investigation activities, application configurations, and log files of the system in question.
• Additional documentation related to the damage caused by the incident, including the number of hours spent in the incident response, the cost of damaged equipment, the cost of lost data and revenue, and the trade secrets affected, should be part of such a document.
• The final conclusion report of the case should be constructed so that it includes the summary of findings and any supporting documents that can be presented at the end of the investigation process.
• During the forensic investigation, both the Timetable and the Chain-of-Custody documents should be updated for each event, with its associated time and date and the people who performed the event.
• The acquisition report should be used during the forensic investigation, where it maintains a record of the hash value used during the cloning process. The report maintains transparency for the team involved in the investigation, and also ensures that no changes were made to the acquired evidence.
• Once the forensic investigation is complete, different types of reports can be produced by the forensic examiner that represent facts and details about the investigation results and findings. The types of such reports are:
  1. Internal Report – an informal presentation of the investigation's findings and detailed results of the investigation's evidence.
  2. Expert Report – a formal report that can be presented to a court of law. The report states facts and opinions, supports conclusions, and explains the details of the case.
Tools:
• SHA-1 and MD5 are both very essential and reliable tools that provide the basic properties the evidence cloning process depends on: the one-way property, uniqueness, and repeatability. The same procedures must be applied during the reverse process of the evidence acquisition.
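The protected digital log, the per-event Timetable and Chain-of-Custody updates, and the acquisition report's record of the cloning hash described above all need a record that cannot be silently edited after the fact. The class below is an added example (not the article's code, nor that of any tool it names) of one way to build such a log: every event carries the examiner, action, item, timestamp and, for acquisition events, the evidence hash; entries are chained by SHA-256 and each is authenticated with an HMAC under a key kept apart from the log file, so altering or reordering an entry, or removing one from the middle, fails verification. The examiner names, item labels, timestamps, evidence-hash value and signing key are constructed for the example.

```python
"""Added example: a hash-chained, HMAC-authenticated chain-of-custody / timetable log.

All names, timestamps, the evidence hash and the key are constructed for the
demonstration; this is not the article's or any forensic tool's own code."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry
FIELDS = ("seq", "time", "examiner", "action", "item", "evidence_hash")


class CustodyLog:
    """Append-only event log: each entry links to the previous one by hash and
    carries an HMAC so that edits without the key are detectable."""

    def __init__(self, key: bytes):
        self._key = key      # signing key (constructed here); store it apart from the log
        self.entries = []    # each entry: FIELDS plus prev_hash, entry_hash and mac

    def _seal(self, body, prev_hash):
        # Canonical JSON so the same content always hashes identically (repeatability).
        payload = json.dumps({"prev_hash": prev_hash, **body}, sort_keys=True).encode()
        entry_hash = hashlib.sha256(payload).hexdigest()
        mac = hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()
        return entry_hash, mac

    def record(self, examiner, action, item, evidence_hash=None, when=None):
        """Append one Timetable / Chain-of-Custody event; returns its entry hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        body = {"seq": len(self.entries), "time": when, "examiner": examiner,
                "action": action, "item": item, "evidence_hash": evidence_hash}
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry_hash, mac = self._seal(body, prev)
        self.entries.append({**body, "prev_hash": prev,
                             "entry_hash": entry_hash, "mac": mac})
        return entry_hash

    def verify(self):
        """Recompute every link and MAC; returns (True, None) or (False, first bad seq)."""
        prev = GENESIS
        for expected_seq, e in enumerate(self.entries):
            body = {k: e[k] for k in FIELDS}
            entry_hash, mac = self._seal(body, prev)
            if (e["seq"] != expected_seq or e["prev_hash"] != prev
                    or e["entry_hash"] != entry_hash
                    or not hmac.compare_digest(e["mac"], mac)):
                return False, expected_seq
            prev = entry_hash
        return True, None


def demo():
    """Constructed scenario: three custody events, verify, then alter a past
    entry and verify again. Returns ((True, None), (False, 1))."""
    log = CustodyLog(key=b"constructed-demo-key-keep-this-elsewhere")
    log.record("Examiner A", "seized", "HDD-1", when="2012-01-20T09:00:00+00:00")
    # evidence_hash is a constructed placeholder, not a real image digest
    log.record("Examiner A", "imaged", "HDD-1", evidence_hash="MD5-PLACEHOLDER-0000",
               when="2012-01-20T11:30:00+00:00")
    log.record("Examiner B", "received", "HDD-1", when="2012-01-21T08:15:00+00:00")
    intact = log.verify()
    log.entries[1]["examiner"] = "Examiner C"   # silent edit of a past record
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1))
```

The chain catches edits and deletions inside the log, but not truncation of the newest entries; to cover that, keep the latest entry hash somewhere the log's writer cannot reach, for example in the printed worksheet at the end of each shift.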

Bryan Soliman is a Senior Solution Designer currently working with the Ontario Provincial Government of Canada. He has over twenty-four years of Information Technology experience, with a Bachelor's degree in Engineering, a Bachelor's degree in Computer Science, and a Master's degree in Computer Science.