A comprehensive and harmonised digital forensic investigation process model

Abstract

Recent decades have seen a significant increase in the importance of the field of digital forensics as a result of the rapid development of information and communication technologies and their penetration into every corner of our lives and society. Furthermore, information security incidents are not only becoming more versatile every year, but are also growing in number, thus emphasising the importance of digital forensic investigations. Performing a digital forensic investigation requires a standardised and formalised process in order to ensure the admissibility of digital evidence, as well as the effectiveness and efficiency of investigations and collaboration between stakeholders. When this thesis was being prepared, there existed neither an international standard for formalising the overarching digital forensic investigation process, nor a process model that was accepted as a harmonised model across different jurisdictions worldwide. The author studied existing state-of-the-art digital forensic investigation process (DFIP) models and concluded that there are significant disparities between them, pertaining to the number of processes, the scope, the hierarchical levels and concepts applied (for example, some of the models are based on the physical crime investigation processes, whereas others focus only on the digital aspects of the investigation process). This thesis proposes a comprehensive DFIP model that harmonises existing models for the purpose of establishing an international standard. An effort was made to incorporate all relevant types of processes proposed by the existing models, including those aimed at achieving digital forensic readiness, while introducing a number of novelties. The author introduces a novel class of processes called concurrent processes. This is a novel contribution that should, together with the rest of the model, enable more efficient and effective digital forensic investigations, while ensuring the admissibility of digital evidence. The author also proposes a prototype that would guide the user through the implementation of a standardised and harmonised DFIP, and ultimately validate the use of a proper digital forensic investigation process. Both the proposed model and the prototype were tested and evaluated, and the results of these evaluations are presented in the thesis. The proposed model and the prototype contribute significantly to the field of digital forensics. The author believes its application would render benefits that range from the higher admissibility of digital evidence and more effective investigations to easier cross-border collaboration on international investigations, thus fulfilling the initial reasons for creating a harmonised model. The proposed model is intended to be used for different types of digital forensic investigation and should ultimately culminate in an international standard. In fact, while this thesis was being written, an international standard on digital forensic investigation process model – as developed by the author was published as a result of the research reported on in this thesis.