Abstract:
Recent decades have seen a significant increase in the importance of the field of digital
forensics as a result of the rapid development of information and communication
technologies and their penetration into every corner of our lives and society. Furthermore,
information security incidents are not only becoming more versatile every year, but are also
growing in number, thus emphasising the importance of digital forensic investigations.
Performing a digital forensic investigation requires a standardised and formalised process in
order to ensure the admissibility of digital evidence, as well as the effectiveness and
efficiency of investigations and collaboration between stakeholders. When this thesis was
being prepared, there existed neither an international standard for formalising the overarching
digital forensic investigation process, nor a process model that was accepted as a harmonised
model across different jurisdictions worldwide.
The author studied existing state-of-the-art digital forensic investigation process (DFIP)
models and concluded that there are significant disparities between them, pertaining to the
number of processes, the scope, the hierarchical levels and concepts applied (for example,
some of the models are based on the physical crime investigation processes, whereas others
focus only on the digital aspects of the investigation process). This thesis proposes a
comprehensive DFIP model that harmonises existing models for the purpose of establishing
an international standard. An effort was made to incorporate all relevant types of processes
proposed by the existing models, including those aimed at achieving digital forensic
readiness, while introducing a number of novelties.
The author introduces a novel class of processes called concurrent processes. This is a novel
contribution that should, together with the rest of the model, enable more efficient and
effective digital forensic investigations, while ensuring the admissibility of digital evidence.
The author also proposes a prototype that would guide the user through the implementation of
a standardised and harmonised DFIP, and ultimately validate the use of a proper digital
forensic investigation process.
Both the proposed model and the prototype were tested and evaluated, and the results of these
evaluations are presented in the thesis. The proposed model and the prototype contribute
significantly to the field of digital forensics. The author believes its application would render
benefits that range from the higher admissibility of digital evidence and more effective
investigations to easier cross-border collaboration on international investigations, thus
fulfilling the initial reasons for creating a harmonised model. The proposed model is intended
to be used for different types of digital forensic investigation and should ultimately culminate
in an international standard. In fact, while this thesis was being written, an international
standard on a digital forensic investigation process model, as developed by the author, was
published as a result of the research reported on in this thesis.