The Comprehensive Digital Forensic Investigation Process Model (CDFIPM) for Digital Forensic Practice

PhD Thesis


Montasari, Reza 2016. The Comprehensive Digital Forensic Investigation Process Model (CDFIPM) for Digital Forensic Practice. PhD Thesis https://doi.org/10.48773/9458q
Authors: Montasari, Reza
Type: PhD Thesis
Abstract

Nowadays, as a result of the ubiquitous nature of information technology, evidence presented in court is less likely to be on paper. Evidence of computer crime also differs from that related to traditional crimes, for which there are well-established standards and procedures. In order for digital evidence to be admissible, investigators need to demonstrate that they have specialised knowledge and have applied reliable principles and models to acquire it. Careful notice is taken in court of the manner in which the digital investigative process has been carried out. However, despite such requisites, the field of digital forensics still lacks formal process models that courts can employ to determine the reliability of the process followed in a digital investigation.

The existing models have often been developed by digital forensic practitioners, based on their own personal experience and on an ad-hoc basis, without attention to the establishment of standardisation within the field. This has prevented the institution of the formal processes that are urgently required. Moreover, as digital forensic investigators often operate within the different fields of law enforcement, commerce and incident response, the existing models have often tended to focus on one particular field and have failed to consider all environments. This has hindered the development of a generic model that can be applied in all the different fields of digital forensics. In addition, the existing models often capture only one part of the investigative process as opposed to the entire process.

To address these shortcomings, this research makes a novel contribution by proposing a Comprehensive Digital Forensic Investigation Process Model (the CDFIPM), encompassing the entire digital investigative process, which is formal in that it synthesises, harmonises and extends the existing models, and which is generic in that it can be applied in the three stated fields of digital forensics.

The methodology used to carry out this research is Design Science Research, widely adopted in the domain of Information Systems on the basis that it is suitable for the design and development of novel artefacts and the analysis of the performance or use of such artefacts. Peffers et al.'s (2006) Design Science Research Process model is followed during the course of this research as the appropriate form of Design Science Research, on the basis that it is inclusive of the common elements of the previous Design Science Research studies.

Existing models are critically reviewed and assessed against three different assessment criteria: Beebe and Clark's four-point requirement, Carrier and Spafford's five-point requirement and the Daubert Test. The result of the model assessment reveals that there does not exist a model that has all three characteristics of being "comprehensive", "formal" and "generic". However, through the model assessment, some models are identified that can contribute to the design and development of the proposed model. Following identification of the prevailing models, their key contributions are determined based on the assessment criteria, and the necessary components for the new model are then identified. A new set of domain-specific components is then developed in addition to the already identified components. Following identification of the necessary components and the newly developed set of domain-specific components, the outcome of the design and development stage is the proposed Comprehensive Digital Forensic Investigation Process Model, the stages of which are represented through the use of UML Activity Diagrams.

Based upon the selected methodology (the DSRP), the CDFIPM is tested through both the Demonstration and Evaluation activities. The Demonstration activity involves applying the model to various case studies and performing a walkthrough of the model, as well as conducting forensic laboratory experimentation. The Evaluation stage involves the independent verification and validation of the model by its intended user community, including digital forensic investigators operating within the three fields of relevance for this research, namely law enforcement, commerce and incident response, as well as experts in the domain of digital forensics, legal practitioners, a judge and researchers in both academia and industry. After feeding the results of the Evaluation stage back into the CDFIPM's design and development stage, the model is amended accordingly.

Keywords: Digital Forensics; Process Model; Computer Forensics; Digital Investigation; Comprehensive Model; Forensic Investigation; Generic Model; Formal Model
Year: 2016
Publisher: University of Derby
Digital Object Identifier (DOI): https://doi.org/10.48773/9458q
Web address (URL): hdl:10545/620799
Output status: Unpublished
Publication process dates
Deposited: 09 Nov 2016, 15:36
Publication dates: 2016
Contributors: University of Derby
Permalink: https://repository.derby.ac.uk/item/9458q/the-comprehensive-digital-forensic-investigation-process-model-cdfipm-for-digital-forensic-practice

Download files


license.txt
File access level: Open

Redacted-Final-Reza-Montasari-PhD-Thesis_Dec16.pdf
License: CC BY-NC-ND 4.0
File access level: Open
