Project topics and materials
Get Complete Project Material File(s) Now! »
Potential digital evidence identification process
This is the first process performed at the scene of the incident. Although it overlaps in time with the previous process, it should be considered a separate process because it includes different types of procedures that have the specific aim of identifying potential digital evidence. Cohen says in [47]: “In order to be processed and applied, evidence must first, somehow, be identified as evidence. It is common for there to be an enormous amount of potential evidence available for a legal matter, and for the vast majority of the potential evidence to never be identified.” Identifying potential digital evidence at the incident scene is of crucial importance for the remainder of the process, because if potential digital evidence is not identified at this point, it might not even exist at a later point during the process. This is especially important when an incident happens in a networked environment, in an environment where live investigations should be performed, in a cloud environment, or in an environment with exceptionally large amounts of data to deal with. Researchers such as [40- 42, 45-47, 51] included this process in their respective models, some under a different name or with a different scope. The author believes that the potential digital evidence identification process should be a separate process, with the sole aim to identify potential evidence.
Potential digital evidence collection process
Once potential digital evidence has been identified, it has to be collected to permit its analysis in a later process. Evidence must be collected in such a manner that its integrity is preserved. This is important if one needs to use this evidence at a later stage to draw formal conclusions, i.e. in a court of law. Adhering to strict legal regulations during the evidence collection process is of crucial importance, as digital evidence might become unusable when proper procedures are not followed. It is notable that many authors [39, 40, 47] have proposed two separate processes instead of collection process proposed by the author. In fact, they propose separate collection and preservation processes. However, the author believes that this should be a single process as it has only one aim, namely to reliably collect potential evidence. Please note that the preservation process proposed by [29,40,47] is a sequential process and it is different from the preserving digital evidence process proposed by the author, which is concurrent and runs throughout the duration of the investigation.
Potential digital evidence transportation process
During this process, potential digital evidence is transported to a location where it is to be stored and later analysed. Transportation can be done physically or electronically. If the evidence is transported electronically, special precautions have to be taken to preserve the integrity, confidentiality and chain of custody, such as encrypting and digitally signing data. In various sources [41, 45, 47] this is included as a separate process. Transportation should exist as a separate process on the basis that activities performed have a single aim (not shared with other processes), namely to securely transport the potential evidence to the location where analysis will be performed, while complying with the principle of preserving the integrity of the evidence.
Potential digital evidence storage process
The storage of potential digital evidence may be needed if analysis cannot be performed right away or if there is a legal requirement to keep the digital evidence for a certain period of time. Preservation of the integrity of the evidence and the chain of custody is of utmost importance during this process. Care must also be taken not to damage the media containing potential digital evidence through factors such as shock, temperature, humidity, pollution, loss of power, malfunction, etc. In various sources [45, 47, 51] storage is included as a separate process. It should exist as a separate process on the basis that activities performed have a single aim (not shared with other processes) to securely and safely store the potential evidence.
PART 1: INTRODUCTION
CHAPTER 1- Introduction
1.1 Introduction to the subject of the thesis
1.2 Problem statement
1.3 Motivation for the study
1.4 Objectives
1.5 Layout of the thesis
PART 2: BACKGROUND
CHAPTER 2- Background on Digital Forensics and Related Work
2.1 Introduction
2.2 On digital forensics
2.3 On digital forensic readiness
2.4 Types of digital forensic investigations
2.5 Related work on digital forensic investigation process models
2.6 Related work on digital forensic readiness investigation processes
2.7 Conclusion
CHAPTER 3- Legal Aspects
3.1 Introduction
3.2 Legal aspects in relation to the digital forensic investigation process
3.3 Conclusion
PART 3: MODEL
CHAPTER 4- A Comprehensive and Harmonised Digital Forensic Investigation Process Model
4.1 Introduction
4.2 Methodology
4.3 A comprehensive and harmonised digital forensic investigation process model
4.4 Overview of the digital forensic investigation process classes
4.5 Readiness processes
4.6 Initialisation processes
4.7 Acquisitive processes
4.8 Investigative processes
4.9 Concurrent processes
4.10 Digital forensic investigation process model schema
4.11 Conclusion
CHAPTER 5- Comparing Existing Models with the Harmonised Model
5.1 Introduction
5.2 Discussion of the comparison
5.3 Conclusion
CHAPTER 6- Analysis of the Results of Implementing the Proposed Process Model
6.1 Introduction
6.2 Case 1 – Mobile digital forensic investigation into a case of intellectual property theft
6.3 Case 2 – Mobile digital forensic investigation with regard to phishing using a scareware attack
6.4 Case 3 – Digital forensic post-mortem investigation with regard to the contravention of company user policy
6.5 Summary of the testing results
6.6 Conclusion
PART 4: PROTOTYPE
CHAPTER 7- Prototype for Guidance and Implementation of a Comprehensive and Harmonised Digital Forensic Investigation Process
7.1 Introduction
7.2 Prototype overview
7.3 Software development lifecycle
7.4 System architecture
7.5 Components
7.6 Activity diagram for the main application
7.7 Functionality of the admin module of the prototype
7.8 Information system security
7.9 Discussion on the proposed prototype
7.10 Conclusion
CHAPTER 8- Evaluation of the Proposed Prototype
8.1 Introduction
8.2 Usability testing results
8.3 Functional survey results
8.4 Discussion on the evaluation of the prototype
8.5 Conclusion
PART 5: ISO/IEC 27043:2015 INTERNATIONAL STANDARD
CHAPTER 9- ISO/IEC 27043:2015 International Standard
9.1 Introduction
9.2 About this international standard
9.3 Related standards
9.4 Comparison of ISO/IEC 27043:2015 international standard with related standards
9.5 Conclusion
PART 6: CONCLUSION
CHAPTER 10- Critical Evaluation
10.1 Introduction
10.2 Critical evaluation of the proposed model
10.3 Critical evaluation of the proposed prototype
10.4 Research questions
10.5 Conclusion
CHAPTER 11- Conclusion
11.1 Introduction
11.2 Revisiting the problem statement and research objectives
11.3 Thesis summary
11.4 Discussion on contributions and novelties
11.5 Future research work
11.6 Final conclusion
References
