
Received: 8 March 2019 Revised: 1 May 2019 Accepted: 10 May 2019

DOI: 10.1002/wfs2.1350

ADVANCED REVIEW

A comparative analysis of digital forensic readiness models using CFRaaS as a baseline

Victor Rigworo Kebande1 | Hein S. Venter2

1 IoTaP Research Center, Department of Computer Science and Media Technology, Malmo University, Malmö, Sweden
2 DigiFORs Research Group, Department of Computer Science, University of Pretoria, South Africa

Correspondence
Victor R. Kebande, IoTaP Research Center, Department of Computer Science and Media Technology, Malmo University, Malmö, Sweden.
Email: vickkebande@gmail.com

Funding information
Malmo University, Sweden; University of Pretoria; National Research Foundation, Grant/Award Number: UID85794

Abstract
Digital forensic readiness (DFR) aims at maximizing the potential of conducting a digital forensic investigation while minimizing the cost of conducting postevent processes when a potential security incident is detected. Conducting a digital forensic investigation (DFI) process and changing the functionality of software architectures and/or infrastructures while conducting these processes is a costly exercise; however, the availability of DFR processes can shorten these processes and save their cost. A comparative analysis of the DFR process models is given that makes a strict comparison with the cloud forensic readiness as a service (CFRaaS) model. The main reason the CFRaaS model has been used as a basis for comparison is that it has been constructed by modifying the functionality of initially considered malicious botnets to allow the removal of potential digital evidence from the cloud without changing the architecture or the infrastructure of the cloud while conducting digital forensic processes. It is worth noting that the CFRaaS processes have been carefully developed based on the guidelines of the ISO/IEC 27043:2015 international standard for information technology, security techniques, incident investigation principles and processes. Nevertheless, additional postevent response processes have also been incorporated in CFRaaS, such as the reconstruction of events and the Incident Response Procedures processes. The outcome of the comparison has shown promising results worth exploring.

This article is categorized under:

Digital and Multimedia Science > Cloud Forensics
Digital and Multimedia Science > Cyber Threat Intelligence
Digital and Multimedia Science > Forensic Visualization

KEYWORDS
CFRaaS, cloud, comparative, digital, forensic, model, readiness as a service

1 | INTRODUCTION

Whenever there is a need to prove or disprove a hypothesis or a fact that may be deemed criminal during litigation, it is essential to create a forensic hypothesis that can allow forensic experts to analyze electronically stored information by applying digital forensic processes and principles. Normally, this is represented as a postevent response process that allows a perpetrator to be linked with the digital crime, and attribution becomes a key factor. With attribution being a key factor of consideration, scientific and well-laid digital investigation approaches with proven methods have to be employed so that admissibility of potential digital evidence (PDE) can prevail. While these processes are represented as postevent processes, at a particular instance, the rules of evidence (RoE) in most cases rely on the expert witness testimony to arrive at conclusive prosecutorial techniques. An example of this is the case law Daubert v. Merrell Dow Pharmaceuticals Inc, 113 S. Ct. 2786 (1993, United States Supreme Court), which in different circumstances has been used, based on the expert witness testimony, to prove facts in a court of law.

WIREs Forensic Sci. 2019;1:e1350. wires.wiley.com/forensicsci © 2019 Wiley Periodicals, Inc. 1 of 12
https://doi.org/10.1002/wfs2.1350
25739468, 2019, 6, Downloaded from https://wires.onlinelibrary.wiley.com/doi/10.1002/wfs2.1350 by Department Of Geological Sciences, Wiley Online Library on [13/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
The ISO/IEC 27043:2015 international standard, whose scope covers Information Technology—Security Techniques—Incident Investigation Principles and Processes, has advocated important guidelines, where it explicitly outlines the need for prior planning and preparation before a potential security incident can be detected. Basically, a number of important aspects like the readiness process groups that have been mentioned in ISO/IEC 27043 have outlined readiness approaches that can make any organization forensically ready for digital forensic investigations. Nevertheless, proactive forensics plays a very crucial role that aims at maximizing the use of PDE when needed for forensic investigations. In fact, Rowlingson (2004) has argued that during litigation, it is important for evidence to be available to support the legal process.
Consequently, technology growth has brought about a number of innovative techniques. An example of this has been witnessed in adversarial inventions like anti-forensics, which have also brought more challenges while conducting contemporary digital investigation techniques. It is also important to note that preincident detection strategies or proactive forensics provide an easy way of reducing the cost that is needed while conducting digital investigations. Kebande and Venter (2018) have extrapolated the novel techniques that can be used while conducting Digital Forensic Readiness (DFR). Such techniques do not require one to reprogram the architecture and/or the infrastructure of the cloud, which is a costly exercise. Based on these factors, this paper explores the literature and does a comparative analysis of the DFR models, and it uses the Cloud Forensic Readiness as a Service (CFRaaS) model as a baseline for the comparative analysis.
The remainder of the paper is organized as follows. In Section 2, a background study of the DFR and investigative forensic model literature is given. Related work is covered in Section 3. This is followed by the methodology in Section 4 and an overview of the CFRaaS model in Section 5. After this, a comparative analysis of CFRaaS with existing forensic readiness models is given in Section 6. A discussion and an evaluation of the propositions are given in Section 7, with an expert opinion on CFRaaS model application in Section 8. A conclusion and a mention of future work of the study are given in Section 9.

2 | BACKGROUND

This section concentrates on giving a background study on the following concepts: DFR, investigative forensic models and the impact they have on forensic readiness. A discussion on DFR has been given to help cement and show the need for proactive forensics, while the investigative models depict the approaches and the processes that have more often than not been relied upon to deliver successful investigative hypotheses.

2.1 | Digital forensic readiness


From a security perspective, the need for implementing DFR has been necessitated by the existence of potential incidents and also the need for planning and preparing before these incidents can occur. DFR plays an important role in ensuring that an environment is secured from potential attacks. Tan (2001) presents the objectives of DFR as maximizing an environment's ability to collect credible digital evidence and minimizing the cost of conducting digital forensic investigations during an incident response. Further, Tan's views revolve around how an organization can be forensically ready through the identification of the key elements of DFR. Rowlingson (2004), on the other hand, sees DFR as a corporate goal that facilitates an organization's ability to use digital evidence when needed. Additionally, DFR as viewed by Rowlingson is inclined toward the organizational perspective; hence it is the authors' opinion that at least every organization requires an investigative capability. The key important aspects that need to be considered while conducting DFR are not only the collection, retention, and acquisition of PDE that may be able to create a forensic hypothesis or that may be used to support legal processes during litigation, but also the identification of key evidence that can be used to conduct a digital investigation.

2.2 | Investigative forensic models and impact on forensic readiness


Quite a number of forensic investigative models have been proposed that have been able to address significant challenges in different environments; however, emphasis should be given to how effective these models can be and/or have been. It is important to note that the impact that these investigative models have had on forensic readiness is also discussed in this section. Ideal forensic process models are supposed to identify the steps that are necessary to achieve investigative goals. Process models are supposed to succeed even when there exist numerous technological changes. Normally, a process model follows a number of iterations, and these iterations represent the tasks and activities involved when conducting DFIs. Nevertheless, the process models need to be formulated on the account of identification, preservation, analysis, and presentation, which is the scientific process of investigation. Ever since the first Digital Forensic Research Workshop conference in 2001 in Utica, New York, when the term digital forensics was coined, up to the time of writing this research article, there has not been an accepted or partially productive standard digital forensic process model that is able to support Digital Forensic Investigation Processes (DFIPs) (Arshad, Jantan, & Abiodun, 2018). Lack of standards has meant that it is hard for digital forensic experts and the Law Enforcement Agencies (LEAs) to adopt or employ a model that can solve digital forensic cases with a degree of certainty. Also, the legal establishments and the LEAs always rely on the proposed DFIPs to provide factual information as potential evidence. As a result, PDE may be admitted in courtrooms provided that the investigation processes followed a set of scientifically proven and accepted methods.
The existence of investigative forensic models has had a positive impact on how forensic readiness is achieved in the cloud. Notably, most of the aforementioned models have expedited and enabled the inclusion of a readiness as a service (RaaS) component in the cloud. In the long run, this has removed the need to reprogram the cloud infrastructure every time a digital investigation that targets the cloud is conducted.

3 | RELATED WORK

Not much research has been accomplished on comparing forensic readiness models as at the time of preparing this manuscript; however, notable research that has somewhat been used as related work is presented hereafter. Research by Jafari and Satti (2015) has given a comparative analysis of digital forensic models based on a proposed Integrated Digital Investigation Process (IDIP) model. This comparison was mainly based on assessing the advantages and disadvantages, and the models used in the exercise are basically postevent-based even though the IDIP mentions the operational forensic process. Also, a strategic model for forensic readiness by Collie (2018) has categorized the approaches to forensic readiness, and the main emphasis has been on how DFR is represented. The key approaches in this discussion have been the representation of DFR as a process that is able to conduct forensic activities, incident response, technical and human elements and to show the importance of planning. Consequently, this work has been able to show a greater extent of similarity with a number of processes in the CFRaaS model. Notably, research on DFR design in a cloud computing-based smart work environment, which focused on showing an analysis of the components of the design of a forensic model for a cloud, by Park, Kim, Park, Na, and Chang (2018) has shown a number of factors that affect forensic readiness. Other relevant research that has explored or conducted a comparative analysis of forensic challenges and solutions includes Simou, Kalloniatis, Kavakli, and Gritzalis (2014), who explored major issues in cloud forensics by focusing on five stages, namely: identification, preservation–collection stage, examination–analysis stage, presentation stage, and an uncategorized stage, which focuses on data retention approaches. This study had a focus on the collection of or access to evidence logs. Also, Agarwal and Kothari (2015) have presented a review of digital forensic investigation frameworks that explores different kinds of processes. A number of factors are, however, inclined to the changes in security issues. The research presented in this paper has been able to show the need for proactive forensics through the collection and analysis of potential evidence, and the model that was designed showed a variation on policy and technical readiness.

4 | METHODOLOGY

Based on the role played by the gatekeeper in Daubert v. Merrell Dow Pharmaceuticals, where a judge is recommended to make a decision on what kind of evidence needs to be presented so that the trier of facts is not prejudiced, this study has been inclined toward the same techniques. In essence, the study has applied three main facts that have been highlighted by Daubert to arrive at the comparative analysis of the forensic readiness models while using the CFRaaS model as a baseline. The study has relied on principle, method, and the method's application. Basically, in providing an assessment of the forensic readiness models, the authors have based the study on the propositions of the Federal RoE, where scientific or technical expert testimony may rely on sufficient facts, reliable principles and application of those principles. The CFRaaS model has unique processes which have also been developed based on the ISO/IEC 27043:2015 international standard. Based on ISO/IEC 27043, the processes that have been developed in the CFRaaS model have been mapped to a number of forensic readiness models
TABLE 1 Comparing the proposed CFRaaS model with existing forensic readiness models

Proposed CFRaaS model and existing forensic readiness processes

Forensic readiness models compared (the table columns), each with the target it was applied to:
- Proposed CFRaaS model: Cloud
- Ciardhuáin (2004): NST
- Carrier and Spafford (2004): NST
- Barske, Stander, and Jordaan (2010): SMEs
- Tan (2001): NST
- Pooe and Labuschagne (2012): NST
- Rowlingson (2004): Organization
- Mouton and Venter (2011): Wireless sensor networks
- ISO/IEC (2015): Incident investigation principles and processes
- Ngobeni, Venter, and Burke (2012): Wireless LAN
- Valjarevic and Venter (2012): Incident investigation principles and processes
- Trenwith and Venter (2013): Cloud
- Rahman, Glisson, Yang, and Choo (2016): Cloud
- Do, Martini, and Choo (2015): Mobile cloud

Proposed CFRaaS model processes (the table rows), each followed by the processes of the other models that map onto it:
1 Planning and preparation: Planning; Survey for digital evidence; How logging is done; Forensic readiness planning; Planning and preparing; Planning and preparation; Planning
2 Scenario identification: Awareness; Determining scenarios that potentially require digital evidence; What should be logged; Defining business scenarios that require evidence; Scenario definition; Identification and risk management; Evidence sources; Identification
3 Nonmalicious botnet execution: Injection
4 Digital evidence capture: Collection; Operation readiness; Maximizing the value of logs as potential digital evidence; Determining how logging is done; Collection of admissible evidence; Packet logging; Preincident collection; Logging; Evidence collection; Collection; Plan preincident collection; Forensic copy
5 Digital preservation phase: Preservation; Evidence preservation; Authenticating evidence; Preservation of evidence required for corporate governance; Preservation of digital evidence; Preservation of evidence; Preservation; Preserving evidence; Authentication to prove integrity; Evidence handling procedures; Preservation
6 Preincident analysis: Examination; Acquisition and analysis; Analysis; Monitoring of purpose to deter security incidents; Analysis; Planning pre-incident analysis; Analysis; Evidence analysis; Plan preincident analysis; Examination
7 Storage: Storage; Infrastructure readiness; Ensuring secure digital evidence storage; Forensic acquisition; Establishing policies for handling and storing evidence securely; Storage and handling; Evidence storage; Storage; Plan preincident storage
8 Incident detection phase: Deployment; Intrusion detection systems; Stating when an escalation to a full investigation should start; Incident response plan; Incident collection; Incident detection; Plan preincident detection
9 Event reconstruction phase: Reconstruction
10 Forensic reporting: Presentation; Reporting; Reporting; Reporting; Reporting; Presentation
11 Forensic readiness policy: Identifying the policies that are needed to achieve digital forensic readiness; Establishing a policy for secure handling and storage
12 Digital evidence collection requirement: Determining evidence collection requirements; Legal requirements
13 Concurrent processes: Concurrent processes; Actionable principles

(see Table 1) so as to bring out the uniqueness between other models, given that up to the time of writing this article, there existed no readiness model that had used standardized guidelines. Based on the propositions in this paper, the authors have explored a number of processes that have addressed forensic readiness and, apart from that, specific processes from the existing readiness processes that match with processes that have been proposed in CFRaaS have been used to form the discussion.

5 | CFRaaS: A CLOUD FORENSIC READINESS AS A SERVICE MODEL

This section gives a discussion on the CFRaaS model which has been used as a baseline for the discussions in this article. A
high-level overview is given in Figure 1 which is then followed by an all-inclusive one in Figure 2.

5.1 | High-level overview of the CFRaaS model


The CFRaaS model is a well-defined recurring process model that has been used in a step-by-step approach to forensically plan and prepare the cloud for digital forensic investigations. Additionally, the CFRaaS model has been represented as a proactive process, which means it deals with preincident-detection strategies. The high-level CFRaaS model is divided into five distinct layers as shown in Figure 1, which enable communication between the other processes.
The layers in Figure 1 (labeled 1–5) include: Provider layer (PL; layer 1); Virtualization layer (layer 2); DFR layer (layer 3); Incident Response Procedures (IRP) (layer 4); and Concurrent Processes (layer 5). Layers 3 and 5 correspond with and adhere to the guidance of the Incident Investigation Principles and Processes international standard (ISO/IEC 27043:2015), while layer 4 is a reactive process. Each of these processes is mentioned briefly in this section, after which each process is discussed in detail in the subsections to follow.
The PL ensures that the cloud service providers (CSPs) are able to provide services over the internet through the virtualization layer. Next, digital information that can be used as PDE is captured using a bot client which forms part of a nonmalicious Botnet (NMB) in the DFR layer labeled 3 in Figure 1. Note that the bot client plays the role of a “non-malicious bot” that is deployed in the cloud environment to collect digital information legitimately. The collected PDE is digitally preserved in a forensic database, then preanalyzed for possible incident detection purposes in the DFR approach layer in the process (labeled 3). Finally, the IRP layer (labeled 4) is a reactive process that allows proper forensic examination and analysis of evidence by DF investigators and LEAs.
The arrow pointing downward in the process (labeled 5) represents concurrent processes that are taken verbatim from ISO/IEC 27043 (2015). The concurrent processes are executed simultaneously alongside the other processes shown in Figure 1. According to ISO/IEC 27043 (2015), the main aim of the concurrent processes is to assure the admissibility of digital evidence in a given legal system. This can only be achieved by following proper digital-evidence-handling techniques as highlighted by these processes in ISO/IEC 27043 (2015). If these concurrent processes are not employed in a model like this, then PDE may be regarded as unsuitable due to potential improper handling thereof. The Concurrent Processes are meant to run in parallel, that is, concurrently with the other processes. The reason for this parallelism will become apparent when discussed later. Additionally, more details on the concurrent processes are discussed later in the detailed CFRaaS model.
The CFRaaS model represents a proactive approach that allows collection of digital evidence from the cloud environment. Such an approach assists organizations to prepare and plan before a security incident can occur. Thus, in the event of one actually occurring, it is possible to gather enough intelligence and store it forensically so that it will not be lost due to the cloud's normally volatile nature. The author has employed the notion of a modified form of a botnet through which a bot client collects PDE based on the digital evidence collection requirements. More high-level details of the composition of the CFRaaS model are given in the detailed CFRaaS model that is discussed next.

FIGURE 1 High-level overview of the CFRaaS model (Kebande, 2018)

FIGURE 2 Block diagram of the detailed CFRaaS model (Kebande, 2018)
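The preservation step described above (PDE captured by the bot client, then digitally preserved in a forensic database, with the concurrent processes assuring admissibility through proper evidence handling) can be illustrated with an append-only, hash-chained evidence store: each preserved artifact is digested, and each record's hash also covers the previous record, so any later alteration of a record or of a produced artifact is detectable at verification time. The following is an added example written for this article, not code from the paper or from the CFRaaS project; the record fields, the constructed sample captures and the bot-client identifiers are assumptions.

```python
"""Added illustration (not from the paper): a hash-chained evidence store that
mimics the CFRaaS 'digital preservation' step.  Every preserved artifact gets
a SHA-256 digest and a record hash that also covers the previous record, so a
later modification of any record or artifact is detectable at verification.
Field names, sample captures and source identifiers are constructed
assumptions for the example."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first record in the chain


@dataclass(frozen=True)
class EvidenceRecord:
    seq: int               # position in the append-only log
    source: str            # hypothetical bot-client identifier
    captured_at: str       # timestamp supplied by the capture process
    artifact_sha256: str   # digest of the preserved artifact bytes
    prev_hash: str         # record_hash of the preceding record
    record_hash: str       # digest over all fields above


def _record_digest(seq: int, source: str, captured_at: str,
                   artifact_sha256: str, prev_hash: str) -> str:
    # Canonical JSON keeps the digest stable regardless of later serialisation.
    payload = json.dumps([seq, source, captured_at, artifact_sha256, prev_hash],
                         separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class ForensicStore:
    """Append-only preservation log for potential digital evidence (PDE)."""

    def __init__(self) -> None:
        self.records: List[EvidenceRecord] = []

    def preserve(self, artifact: bytes, source: str, captured_at: str) -> EvidenceRecord:
        seq = len(self.records)
        prev = self.records[-1].record_hash if self.records else GENESIS
        digest = hashlib.sha256(artifact).hexdigest()
        rec = EvidenceRecord(seq, source, captured_at, digest, prev,
                             _record_digest(seq, source, captured_at, digest, prev))
        self.records.append(rec)
        return rec

    def verify_chain(self) -> Optional[int]:
        """Return None when the chain is intact, else the seq of the first bad record."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            if r.seq != i or r.prev_hash != prev:
                return i
            expected = _record_digest(r.seq, r.source, r.captured_at,
                                      r.artifact_sha256, r.prev_hash)
            if not hmac.compare_digest(expected, r.record_hash):
                return i
            prev = r.record_hash
        return None

    def verify_artifact(self, seq: int, artifact: bytes) -> bool:
        """Check that a produced artifact still matches what was preserved."""
        return hmac.compare_digest(self.records[seq].artifact_sha256,
                                   hashlib.sha256(artifact).hexdigest())


# Constructed sample captures (not real data): artifact bytes, source, capture time.
SAMPLE_CAPTURES: List[Tuple[bytes, str, str]] = [
    (b"vm-17 sshd[4021]: Accepted publickey for ops", "bot-client-vm-17", "2019-03-08T10:00:02Z"),
    (b"vm-17 kernel: eth0: link becomes ready", "bot-client-vm-17", "2019-03-08T10:00:06Z"),
    (b"vm-23 nginx: GET /admin 403", "bot-client-vm-23", "2019-03-08T10:01:01Z"),
]


def build_store() -> ForensicStore:
    store = ForensicStore()
    for artifact, source, captured_at in SAMPLE_CAPTURES:
        store.preserve(artifact, source, captured_at)
    return store


def tamper_demo() -> Tuple[Optional[int], Optional[int]]:
    """Verify an intact store, then alter record 1's digest and verify again."""
    store = build_store()
    before = store.verify_chain()
    altered = replace(store.records[1],
                      artifact_sha256=hashlib.sha256(b"altered").hexdigest())
    store.records[1] = altered
    return before, store.verify_chain()


if __name__ == "__main__":
    s = build_store()
    print("chain intact:", s.verify_chain() is None)
    print("artifact 0 matches:", s.verify_artifact(0, SAMPLE_CAPTURES[0][0]))
    print("tamper demo (before, first bad seq):", tamper_demo())
```

The verification is deliberately split in two: `verify_chain` checks the log's own integrity (sequence numbers, back-links and record digests), while `verify_artifact` checks that a copy handed to an investigator still matches the digest recorded at preservation time. In a deployed store the record hashes would additionally be signed or anchored outside the database so that whoever administers the database cannot silently rebuild the chain.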

5.2 | Detailed view of CFRaaS model


In this section, a detailed CFRaaS model is presented, which is an expansion of the high-level model in Figure 1. (The detailed CFRaaS model is later shown as a block diagram in Figure 2.) It consists of the following processes that represent the expansion of the high-level model that was presented in Figure 1. The high-level CFRaaS model comprised five major processes, which are broken down into respective subprocesses explained next. The provider layer comprises the services that are provisioned by the CSPs over the Internet. In this layer, convenient, secure, and reliable services are provisioned to different cloud clients in terms of properly agreed service level agreements. Next is the virtualization layer, which gives room for the separation of VMs from the physical infrastructure, allows PDE to be collected, and comprises the following subprocesses: virtual machines, operating systems, hypervisors, and hardware. This is followed by the digital forensic readiness layer that has the following subprocesses: forensic readiness policy, CFRaaS approach strategy, digital evidence collection, preincident analysis, incident detection and event reconstruction, and forensic readiness report. The fourth layer is the incident response procedure layer, which comprises DF investigators, policies, standards and procedures, LEAs, incident response teams, legal compliance, constitutional and statutory provisions, and the reactive processes. Concurrent processes are also explained further in the section to follow. Figure 2 shows the CFRaaS model with its associated processes. A discussion on the comparative analysis is given next.

6 | COMPARING THE CFRaaS MODEL WITH EXISTING DIGITAL FORENSIC READINESS MODELS

This section gives a comparative analysis of different forensic readiness models that have been explored by different researchers. It is important to note that the author has used the CFRaaS model as a baseline and the comparison has entirely been made based on the number of processes that are able to match the CFRaaS model. This is done in order to be able to relate the effectiveness and usefulness of the additional processes. To check the effectiveness of the proposed model, the researcher compared and mapped the CFRaaS model's processes to other existing forensic readiness models' processes to highlight scientific principles that will contribute to a better understanding of the CFRaaS model. The results of this comparison between the proposed CFRaaS model and different proposed forensic readiness models are presented in a summarized format in Table 1.
None of the models used in the comparison—apart from the proposed CFRaaS model—were at the time of writing this research article focused on the cloud environment while employing botnets as forensic agents. The CFRaaS model adopted a holistic approach, in order to cover a majority of the processes contained in the other forensic readiness models. Consequently, the CFRaaS model employs the execution of a botnet with modified functionalities as a forensic agent to collect digital evidence that can further be applied in a reactive process. This is one of the novelties of this research, which (according to Table 1) has not been explored in any of the existing forensic readiness models as yet.
A number of the existing forensic readiness frameworks shown in Table 1 target different environments. For example, the Barske et al. (2010) framework targeted forensic readiness for small to medium enterprises (SMEs), Rowlingson (2004) defined forensic readiness focused on the corporate environment, Mouton and Venter (2011) targeted forensic readiness of wireless sensor networks, while Ngobeni et al. (2012) modeled forensic readiness for wireless local area networks. Ciardhuáin (2004) has no specific target (NST); however, the author has focused on general information flows in a forensic model, while Valjarevic and Venter (2012) targeted incident investigation principles and processes. Trenwith and Venter (2013) targeted DFR in the cloud. Additionally, Rahman et al. (2016) have targeted the cloud and lastly Do et al. (2015) have targeted the mobile cloud in their research. Carrier and Spafford (2004), Tan (2001), and Pooe and Labuschagne (2012) do not have a specific target (NST).
Still, none of the processes that were defined in these models comprehensively covers the entire proposed CFRaaS model. Table 1 shows the comparison between the existing forensic readiness models and the proposed CFRaaS model (shaded green) together with what each model targets (shaded blue). The target in this context represents the infrastructure or the platform that each model has been applied on. In Table 1, the row shaded blue represents the target, while each column (shaded green) below shows the processes that have been applied in each forensic readiness model. The target labeled NST shows that there is No Specific Target for the respective forensic readiness model. The gray shading shows that there is no process that matches or maps to the CFRaaS model.
In view of the above, it is the researcher's opinion that the modification of botnets to act as forensic agents for purposes of forensic readiness is an important contribution. This is because the processes proposed in the CFRaaS model facilitate proactive activities that allow for an effective response to potential security incidents when the cloud environment is digital forensically ready. In fact, the availability and isolation of forensically collected potential evidence also allow companies to have litigation preparedness without disrupting any business processes. Based on this holistic approach, the researcher strongly believes that the scope covered by the proposed model is worth being explored by digital forensic practitioners and forensic experts.
The researcher also managed to compute the total number of processes that each of the compared forensic readiness models possesses (see Figure 3). This figure shows the variations that exist between the proposed CFRaaS model and other existing forensic readiness models.
Figure 3 illustrates that the proposed CFRaaS model consists of 13 processes, which is slightly more than the other models. There are, however, a number of common processes. Some of the models have fewer processes because their readiness process starts from a collection of PDE—unlike the proposed model, which begins with planning and preparation. It is worth noting again that none of the models highlighted in Figure 3 focuses on the cloud environment as the CFRaaS model does by employing the NMB. The proposed model is also an ad hoc model, which means other relevant processes can be incorporated easily.
Having considered the comparison of the proposed model with other existing forensic readiness models, the next section gives a discussion and an evaluation of the propositions.

7 | DISCUSSIONS AND EVALUATION OF THE PROPOSITIONS

While abstraction inconsistencies are possible when dealing with abstract layers such as models, the stepwise representation
of a process model offers a significant approach for assessing its potential quality. Notably, the processes presented in the
CFRaaS model represent layers that build up toward the acceptability of potential evidence in a DFR approach. Even though a
variety of forensic readiness models have already been proposed that could easily be used to prepare different environments
for investigation, the challenge the forensic community faces today is that the majority of these models (Table 1) have been
fine-tuned or specialized to collect evidence or prepare a DFR process in specific environments. Additionally, most of the
existing forensic readiness models in Table 1 only accumulate a specified kind of evidence, and little literature exists on what
is done with the potential evidence thereafter.
Nonetheless, the authors argue that, taking the CFRaaS model as a baseline, the existing forensic readiness models in
Table 1 are not based on the interpretability of potential evidence, which is a key aspect that the CFRaaS model has focused
on bringing out.

FIGURE 3 Comparisons of proposed CFRaaS and existing forensic readiness models

10 of 12 KEBANDE AND VENTER

The CFRaaS model introduces an event reconstruction process. More often than not, this process has been included in the
reactive (postincident) process; including it in a DFR approach instead further shortens the investigation process. By
comparing the other existing forensic readiness models with CFRaaS, the authors find that multiple sources of evidence allow
for a more rigorous analysis, although evidence streaming in from various places can also be a setback for the investigation
process. Moreover, employing the CFRaaS model requires no modification of the cloud architecture and/or infrastructure
whatsoever, while it permits preincident analysis in a holistic manner. Specifically, the models proposed by Trenwith and
Venter (2013), Rahman et al. (2016), and Do et al. (2015) have targeted the cloud environment in different respects; the model
by Rahman et al. (2016) suggests that planning could be used as a preparation approach, which maps directly to the planning
and preparation phase of CFRaaS. While this shows some similarity, CFRaaS employs a forensic agent (NMB execution) to aid
in achieving DFR; the comparable step in Do et al. (2015) is identified as the injection phase of their adversary model for
mobile devices.
The aforementioned three forensic models that target the cloud have not addressed event reconstruction as the CFRaaS
model has. Other processes they leave out include the forensic readiness policy, the digital evidence collection requirements,
and the concurrent processes, which CFRaaS takes verbatim from ISO/IEC 27043 and the Valjarevic and Venter (2012) process
model. The holistic nature of the CFRaaS model broadens its relevance, given the impact it is intended to have for LEAs,
digital forensic experts, and legal practitioners.
Moreover, the proposed CFRaaS model not only provides a well-coordinated proactive approach with a comprehensive view
of cloud security, it is also able to orchestrate digital forensic activities through the following processes: collecting PDE;
digitally preserving the collected information; storing the collected digital evidence; reconstructing potential security
events; and reporting the results of potential security incidents.
The advantages of the proposed CFRaaS model (based on its processes) are summarized below:

1. The methodologies used in the CFRaaS model are applicable and relevant, and are able to support future digital forensic
investigative capabilities and technologies.
2. The CFRaaS model complies with the ISO/IEC 27043:2015 standard on PDE collection processes, thus ensuring higher
admissibility of digital evidence.
3. The proposed CFRaaS model is interactive and provides for multijurisdictional collaboration, which implies that it can
easily be integrated with the applicable laws. This will help during the investigation of cloud-based incidents.
4. The structure of the proposed CFRaaS, which allows deliberate infection with the modified botnet (NMB) acting as a
forensic agent, is very effective when performing a DFR process.
5. The proposed model provides an easy way of conducting DFR in the cloud environment without tampering with or
modifying the existing architecture/infrastructure of the cloud environment.

The emphasis on event reconstruction yields many insights in the CFRaaS model: the authors introduced an event
reconstruction process for the purpose of revisiting the characteristics and properties of accumulated PDE while
reconstructing the sequence of events, which is another novelty of the CFRaaS model. The event reconstruction process,
together with the rest of the processes, constitutes a holistic and effective approach to DFR in the cloud environment. In the
proposed model, different measures, such as the ESM, are used to check for inconsistencies in potential evidence. In addition,
the authors adopted the concurrent processes previously defined in ISO/IEC 27043:2015, so that the CFRaaS model processes
execute continuously and thereby increase the admissibility of digital evidence. The authors trust that employing the CFRaaS
approach may help reduce the difficulties faced by forensic communities and digital forensic investigators in the cloud
environment.
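The orchestration listed earlier in this section (collecting PDE, preserving it, storing it, reconstructing the sequence of events, and reporting) and the inconsistency checking that accompanies event reconstruction can be illustrated end to end. The following Python is an added example written for this review; it is not the CFRaaS prototype, the NMB agent, or the paper's ESM. The log line format, the field names, the hash-chain preservation scheme and the simple timestamp-ordering check are all assumptions made for illustration, and the sample log lines are constructed.

```python
"""Minimal forensic-readiness pipeline: collect, preserve, store, reconstruct, report.
Added illustrative example only; not the CFRaaS prototype or the NMB agent.
Log format, field names and checks are assumptions."""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample of cloud audit log lines (hypothetical format):
# ISO-8601 timestamp | source host | actor | action
SAMPLE_LOG = """\
2019-03-08T10:00:01Z|vm-web-01|alice|login
2019-03-08T10:00:05Z|vm-web-01|alice|sudo
2019-03-08T10:00:09Z|vm-db-01|alice|db_dump
2019-03-08T10:00:03Z|vm-web-01|svc-backup|cron
2019-03-08T10:00:12Z|vm-web-01|alice|scp_out
"""

GENESIS = "0" * 64  # anchor for the first link of the hash chain


@dataclass(frozen=True)
class PdeRecord:
    ts: str
    source: str
    actor: str
    action: str
    raw: str  # the original line is kept verbatim as the evidence item


def collect(log_text):
    """Collection: parse raw lines into PDE records in arrival order."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, actor, action = line.split("|", 3)
        records.append(PdeRecord(ts, source, actor, action, line))
    return records


def preserve(records):
    """Preservation: hash-chain records in collection order, so that later
    modification, deletion or reordering of a stored record is detectable."""
    chain, prev = [], GENESIS
    for r in records:
        digest = hashlib.sha256((prev + r.raw).encode()).hexdigest()
        chain.append({"prev": prev, "hash": digest, "raw": r.raw})
        prev = digest
    return chain


def store(chain):
    """Storage: serialise the chain as JSON lines (a file or object store in practice)."""
    return "\n".join(json.dumps(entry) for entry in chain)


def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def verify_chain(chain):
    """Return True only if every stored entry still links to its predecessor."""
    prev = GENESIS
    for entry in chain:
        expected = hashlib.sha256((prev + entry["raw"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


def reconstruct(records):
    """Event reconstruction: order records by timestamp and group them per actor."""
    ordered = sorted(records, key=lambda r: r.ts)
    timeline = {}
    for r in ordered:
        timeline.setdefault(r.actor, []).append((r.ts, r.source, r.action))
    return ordered, timeline


def find_inconsistencies(records):
    """Flag records whose timestamp precedes the previously collected one.
    A simple ordering check, assumed here; not the paper's ESM."""
    return [(i, records[i].raw) for i in range(1, len(records))
            if records[i].ts < records[i - 1].ts]


def report(log_text):
    """Reporting: run the whole pipeline and summarise what an investigator needs."""
    records = collect(log_text)
    stored = load(store(preserve(records)))
    ordered, timeline = reconstruct(records)
    return {
        "collected": len(records),
        "chain_intact": verify_chain(stored),
        "ordering_issues": find_inconsistencies(records),
        "first_event": ordered[0].raw,
        "last_event": ordered[-1].raw,
        "actors": sorted(timeline),
        "timeline": timeline,
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

The hash chain is what makes the stored copy attestable later: any edit to a record breaks `verify_chain`, and the ordering check surfaces the out-of-sequence `svc-backup` line so that the reconstructed timeline is not taken at face value.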
At the time of writing this article, there existed no other cloud forensic readiness model that does not require the cloud
infrastructure to be changed. Thus, the authors are convinced that the order of the processes provided in this article is
suitable for supporting future proactive investigative technologies in the cloud environment. Having evaluated the CFRaaS
model, the reader can next evaluate and gain insight into the CFRaaS prototype.

8 | EXPERT OPINION ON CFRaaS MODEL APPLICATION

The analysis of the forensic models reflects the significant characteristics that help determine the effectiveness and
validity of a forensic model. By nature, the CFRaaS model carries a preemptive approach that, together with its legal
connotation, could proactively prepare an environment for digital forensic investigations. Additionally, the need to evaluate
the authenticity of PDE from cloud resources during litigation has made it necessary to incorporate international standards.
The ISO/IEC 27043 international standard provides techniques by which the validity of PDE can be assessed, and it is through
the employment of these investigative techniques that the scientific validity of the digital forensic domain can be upheld.
Notably, the clear-cut CFRaaS processes present logical steps toward comprehending how PDE can be gathered in a forensically
sound manner without tampering with the cloud architectures and/or infrastructures (Box 1).

BOX 1 PRELIMINARY OF CFRaaS MODEL USING NMBs AS SOFTWARE AGENTS


The novelty in the design of CFRaaS lies in employing software agents that collect digital information. The connotation
associated with these agents (botnets) is generally negative; however, they are employed here in a more pragmatic way:
without changing the functionality of the cloud infrastructure, the botnet's functionality is changed and the botnet
binaries are engineered to collect digital information from the cloud in a forensic readiness approach (Kebande & Venter,
2018).

9 | CONCLUSION

The continuous need for proactive forensics has seen a number of forensic technologies being proposed. However, not much
focus has been put on proactive approaches in the cloud environment; hence CFRaaS has been used in this article as the
baseline for conducting a comparative analysis of forensic readiness models. Given that a majority of forensic readiness
models have specific processes that are able to proactively gather potential digital evidence, this comparative analysis has
shown that CFRaaS presents a realistic approach that is able to incorporate event reconstruction immediately after incident
detection. The comparative analysis shows a promising approach for CFRaaS, because using it as a baseline has shown that it
is a harmonized proactive forensic approach in the cloud that can potentially solve information security problems with a
degree of certainty.

ACKNOWLEDGMENTS
This work is based on research supported by the National Research Foundation of South Africa (Grant-specific unique refer-
ence number UID85794) and Malmo University, Sweden. The grant holder acknowledges that opinions, findings and conclu-
sions or recommendations expressed in any publication generated by the NRF-supported research are those of the author(s)
and the NRF accepts no liability whatsoever in this regard. The authors wish to thank Malmo Universitet, Sweden and the
DigiFORS Research Group of the Department of Computer Science at the University of Pretoria, South Africa for the support
toward coming up with this research.

CONFLICT OF INTEREST
The authors have declared no conflicts of interest for this article.

ORCID

Victor Rigworo Kebande https://orcid.org/0000-0003-4071-4596
Hein S. Venter https://orcid.org/0000-0002-3607-8630

FURTHER READING
Kebande, V. R., & Venter, H. S. (2018). On digital forensic readiness in the cloud using a distributed agent-based solution: Issues and challenges.
Australian Journal of Forensic Sciences, 50(2), 209–238.

Kebande, V. R. & Venter, H. S. (2019). CFRaaS: Architectural design of a Cloud Forensic Readiness as-a-Service Model using NMB solution as a
forensic agent. African Journal of Science, Technology, Innovation and Development. http://doi.org/10.1080/20421338.2019.1585675
Kebande, V. R. & Venter, H. S. (2016). Requirements for achieving digital forensic readiness in the cloud environment using an NMB solution. In
11th International Conference on Cyber Warfare and Security: ICCWS (p. 399).
Kebande, V. R., & Venter, H. S. (2015). Adding event reconstruction to a Cloud Forensic Readiness model. In 2015 Information Security for South
Africa (ISSA) (pp. 1–9). IEEE.
Mouton, F. (2012). Digital forensic readiness for wireless sensor network environments. (Masters dissertation). University of Pretoria.
Palmer, G. A. (2001). A road map for digital forensic research. Paper presented at Digital Forensics Research Workshop (DFRWS), Utica, New York.
Watkins, H. (1994). Daubert v. Merrell Dow pharmaceuticals, Inc.: General acceptance rejected. Santa Clara Computer & High Technology Law
Journal, 10, 259.

REFERENCES
Agarwal, R., & Kothari, S. (2015). Review of digital forensic investigation frameworks. In Information science and applications (pp. 561–571).
Berlin, Germany: Springer.
Arshad, H., Jantan, A. B., & Abiodun, O. I. (2018). Digital forensics: Review of issues in scientific validation of digital evidence. Journal of Infor-
mation Processing Systems, 14(2), 346–376.
Barske, D., Stander, A., & Jordaan, J. (2010). A digital forensic readiness framework for South African SMEs. In Information security for
South Africa (ISSA) (pp. 1–6). Johannesburg, SA: IEEE.
Carrier, B., & Spafford, E. H. (2004). An event-based digital forensic investigation framework. Paper presented at Digital Forensic Research
Workshop (pp. 11–13), Baltimore, MD.
Ciardhuáin, S. Ó. (2004). An extended model of cybercrime investigations. International Journal of Digital Evidence, 3(1), 1–22.
Collie, J. A. (2018). Strategic model for forensic readiness. Athens Journal of Sciences, 5(2), 167–182.
Do, Q., Martini, B., & Choo, K. K. R. (2015). A forensically sound adversary model for mobile devices. PLoS One, 10(9), e0138449.
ISO/IEC. (2015). ISO/IEC 27043:2015: Information technology–Security techniques–Incident investigation principles and processes.
Jafari, F., & Satti, R. S. (2015). Comparative analysis of digital forensic models. Journal of Advances in Computer Networks, 3(1), 82–86.
Kebande, V. R. (2018). A novel cloud forensic readiness service model. (Doctoral dissertation). University of Pretoria.
Kebande, V. R., & Venter, H. S. (2018). Novel digital forensic readiness technique in the cloud environment. Australian Journal of Forensic Sci-
ences, 50(5), 552–591.
Mouton, F., & Venter, H. S. (2011). A prototype for achieving digital forensic readiness on wireless sensor networks. In IEEE Africon'11 (pp. 1–6).
Johannesburg, SA: IEEE.
Ngobeni, S., Venter, H. S., & Burke, I. (2012). The modelling of a digital forensic readiness approach for wireless local area networks. Journal of
Universal Computer Science, 18(12), 1721–1740.
Park, S., Kim, Y., Park, G., Na, O., & Chang, H. (2018). Research on digital forensic readiness design in a cloud computing-based smart work
environment. Sustainability, 10(4), 1203.
Pooe, A., & Labuschagne, L. A. (2012). Conceptual model for digital forensic readiness. Paper presented at Information Security for South Africa
(ISSA), Johannesburg, SA: IEEE.
Rahman, A., Glisson, W. B., Yang, Y., & Choo, K. K. R. (2016). Forensic-by-design framework for cyber-physical cloud systems. IEEE Cloud
Computing, 3(1), 50–59. https://doi.org/10.1109/MCC.2016.5
Rowlingson, R. (2004). A ten step process for forensic readiness. International Journal of Digital Evidence, 2(3), 1–28.
Simou, S., Kalloniatis, C., Kavakli, E., & Gritzalis, S. (2014). Cloud forensics: Identifying the major issues and challenges. In International confer-
ence on advanced information systems engineering (pp. 271–284). Cham, Switzerland: Springer.
Tan, J. (2001). Forensic readiness (pp. 1–23). Cambridge, MA: Stake.
Trenwith, P. M., & Venter, H. S. (2013). Digital forensic readiness in the cloud. Paper presented at Information Security for South Africa (pp. 1–5).
Johannesburg, SA: IEEE.
Valjarevic, A., & Venter, H. S. (2012). Harmonised digital forensic investigation process model. Paper presented at Information Security for
South Africa (ISSA) (pp. 1–10). Johannesburg, SA: IEEE.

How to cite this article: Kebande VR, Venter HS. A comparative analysis of digital forensic readiness models using
CFRaaS as a baseline. WIREs Forensic Sci. 2019;1:e1350. https://doi.org/10.1002/wfs2.1350
