CHAPTER 5: DF-C²M² THE DIGITAL FORENSICS COMPREHENSIVE
5.4 DF-C²M² PROCESS DOMAIN
5.4.1 DF-C²M² Six Steps Forensic Process Model
An assessment of the participating labs showed that an examination request typically went through six distinct stages of processing within the labs. These six stages were analysed and translated into a simplified model that participants viewed as best suited to digital forensic laboratories and digital forensic investigations. In contrast, a review of existing digital forensic and incident response models found that these typically involved 4, 8, or 12 steps, and the majority of participants viewed them as either too broad and generic, too focussed on technical process, or too focussed on information security and security incident response rather than being digital forensics lab specific. The resulting six-step model helped to identify and document the various stages of an examination, and later assisted in defining the skills required to perform the distinct tasks at each stage. Decisions as to what to include within the model were drawn from initial experience of following an artefact from initial planning for a seizure through to reporting and review. These elements were then validated against findings from interviews, assessments, and participant review of the model; many participants viewed it as a training tool for new personnel to explain basic lab examination processes from ‘A to Z’.
The DF-C²M² Six Steps Forensic Process Model (see Figure 4) assisted in identifying key process elements related to digital forensic examinations, their input sources, and specific steps involved at each stage of processing.
The six key process elements as depicted in the DF-C²M² Six Steps Forensic Process Model are:
Assessment – areas of concern identified included process-related case acceptance, investigative planning strategy, and resource allocation.
Collection – includes processes and best practices to identify, document, collect, and maintain chain of custody for, and preserve digital forensic evidence. This process element was identified as an ongoing iterative task to be included in all subsequent tasks hereafter. Collection includes documenting the said evidence, and forensic imaging or extraction of the exhibits submitted for examination.
Examination – includes processing steps, extraction of data, and inclusion of best practice methods and process elements required for evidential and ISO 17025 purposes, such as technical notes, documentation of actions taken, and verification of tools at the start of each examination.
Analysis – includes best practices and guidelines required to ensure impartial, complete, and sound evidentiary analysis of results used to produce any derivative evidence.
Reporting – includes reporting guidelines (determined by Organisation Type), structure, format, and rules governing how to present the evidence in an unambiguous, impartial, and non-technical manner.
Review – includes quality management elements that may include lessons learnt, performance statistics generation, and technical and administrative peer reviews.
The DF-C²M² Six Steps Digital Forensic model enables planned/future standards to be mapped into the Six Step model, which already covers the majority of the requirements of the planned future standards related to digital forensics. For example, the ISO 27037 requirements for digital evidence handling and preservation could easily be incorporated into the Collection, Examination, Analysis and Reporting stages of the six-step model. Likewise, ISO 27042 for analysis and interpretation of digital evidence results could be integrated as requirements into the Analysis stage of the six-step model if so required.
5.4.1.1 Summary notes regarding the Six Steps Model:
Level One: Identifies the key, distinct stages of Assessment, Collection, Examination, Analysis, Reporting, and Review.
Level Two: Identifies inputs, decision criteria/factors, and specific processes such as Incident Facts and related events.
Level Three – depicted at the bottom of the Six Steps model illustration: Identifies what is being worked on during each of the six steps, and ties in with the six steps identified in Level One, for example:
1. Assessment of case requirements,
2. Collection of media,
3. Examination of data,
4. Analysis of information,
5. Reporting on evidence, and
Figure 4: Six Step Forensics Model (figure; only the recoverable labels are reproduced here). Level 1: Assessment, Collection, Examination, Analysis, Reporting, Review. Level 2 inputs and processes: Incident Facts and Related Events; Case Objectives; Incident Prioritisation Impact; Investigation Strategy and Resources; Devices; Tools to Acquire Forensic Image(s); Target Information System; Information Timestamps and Hashes; Activity Records; Correlating Data; System Records; Audit Trails; Supporting Information; Time Lines; Application Data; System Data; Network Data; Verify Evidence; Factual and Unbiased; Recommendations, Executive and Technical; Validate Findings; Report; Forensic Readiness; Lessons Learnt; Tools; Techniques; Preserve and Document Evidence (spanning all steps). Level 3 objects worked on: Media, Data, Information, Evidence, Findings.
5.4.1.1 Incorporating and Mapping Standards into the Six Steps Model
Presently, the task of mapping existing and proposed ISO-related standards (and their overlapping functions, excluding ISO 17025) is quite complex, as depicted in the ISO mapping shown in Figure 5:
Figure 5: ISO 27000 series planned inter-relationships (Source: International Standards Organisation)
The DF-C²M² Six Steps Model, by design, already addresses the majority of the requirements in the draft versions of these proposed standards. A mapping of the present and planned ISO standards within the DF-C²M² Six Steps Model is shown in Figure 6, with planned/proposed ISO standards shown in parentheses.
The DF-C²M² Six Steps model provides a structured, digital forensic specific process model that identifies the key phases of an examination together with their inputs and expected outputs. This allows processes to be streamlined across digital forensics labs, provides a common framework upon which examinations can be performed, and helps to address the issues previously identified in Chapter 1. The DF-C²M² Six Steps Model also serves as a key source of inputs used as a guide for defining and creating the criteria required for the delivery of each service within the DF-C²M² Service Catalogue.
Figure 6: A mapping of planned and future ISO standards within the DF-C²M² six steps process model (figure; only the recoverable labels are reproduced here). Assessment (ISO 27035); Collection (ISO 27037); Examination (ISO 17025, ISO 27043); Analysis (ISO 27042); Reporting (ISO 30121); Review (ISO 17025); DF-C²M² Quality Assessment & Best Practices spanning the model. Sub-elements shown: Triage, Investigation Planning, Interpretation of Results. Level 2 and Level 3 labels are as in Figure 4.
To help address the lack of planning and assessment tools identified in Chapter 1, a bespoke set of assessment and planning criteria was created within the DF-C²M² Planning and Assessment Tool for each sub-element listed above. The process elements identified included both technical and non-technical processes that would need to be sufficiently documented to enable an organisation to maintain a standard, unified method of processing examinations, and to enable compliance with both ISO 17025 and Process Capability Maturity.
Validation of the mapping of ISO standards was performed based on a review of each standard and of the draft outlines of planned standards. Note that several of the stated ISO standards were released after the lab assessments were conducted; the mapping of these standards was therefore not reviewed or validated as part of the lab assessments and the DF-C²M² evaluation, and independent detailed validation of these mappings may still be required to identify any possible oversights. As of the time of this research, the mapping to the ISO standards referenced above was complete and validated by the author, based on the ISO published list of available and planned (draft) standards.
To help address issues related to the lack of uniformity in the way in which tasks are performed, a related digital forensic Case Progress Checklist was created as part of the knowledge base as a guide for digital forensic examiners, to ensure that all examinations are performed uniformly with the same key steps, from evidence collection, processing and analysis through to the reporting stage of the six-step model. The Case Progress Checklist is part of the Body of Knowledge process domain.
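The six-step sequence described in Section 5.4.1 and the Case Progress Checklist described above both come down to the same enforceable rule: each stage closes in order, exhibits are hashed when collected, and the hash is re-verified before the data is examined or analysed, with every action written to an audit trail. The following Python sketch, added here as an illustration and not code from the DF-C²M² project or the thesis, shows how a lab could encode that rule. The step names are the page's own; the class, method names, case and exhibit identifiers and the sample image bytes are constructed for this example.

```python
"""Added example: a minimal case-progress tracker for the six-step model.

Illustrative code written for this page; not a DF-C2M2 project tool.
Step names follow the model; CaseRecord, its methods and all sample
identifiers/data are assumptions of this example.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The six Level One stages, in the order the model prescribes.
SIX_STEPS = ("Assessment", "Collection", "Examination",
             "Analysis", "Reporting", "Review")


@dataclass
class CaseRecord:
    """Tracks one examination request through the six steps (hypothetical class)."""
    case_id: str
    completed: list = field(default_factory=list)       # steps finished, in order
    exhibit_hashes: dict = field(default_factory=dict)  # exhibit id -> SHA-256 at collection
    audit_trail: list = field(default_factory=list)     # (utc timestamp, step, note)

    def _log(self, step: str, note: str) -> None:
        # Every action is recorded with a UTC timestamp (the model's audit trail input).
        self.audit_trail.append((datetime.now(timezone.utc).isoformat(), step, note))

    def current_step(self):
        """The step the case is in now, or None once Review is complete."""
        idx = len(self.completed)
        return SIX_STEPS[idx] if idx < len(SIX_STEPS) else None

    def complete(self, step: str, note: str = "") -> None:
        """Close the current step; completing a step out of order is rejected."""
        expected = self.current_step()
        if step != expected:
            raise ValueError(
                f"{self.case_id}: cannot complete {step!r}, current step is {expected!r}")
        self._log(step, note or "completed")
        self.completed.append(step)

    def collect(self, exhibit_id: str, image: bytes) -> str:
        """Record a forensic image under chain of custody together with its hash."""
        if self.current_step() != "Collection":
            raise ValueError("exhibits are acquired during the Collection step")
        digest = hashlib.sha256(image).hexdigest()
        self.exhibit_hashes[exhibit_id] = digest
        self._log("Collection", f"acquired {exhibit_id} sha256={digest}")
        return digest

    def verify(self, exhibit_id: str, image: bytes) -> bool:
        """Re-hash an image before it is worked on; a mismatch is logged as an integrity failure."""
        expected = self.exhibit_hashes[exhibit_id]
        ok = hashlib.sha256(image).hexdigest() == expected
        self._log(self.current_step() or "Review",
                  f"verify {exhibit_id}: {'match' if ok else 'MISMATCH'}")
        return ok


def run_sample_case() -> dict:
    """Walk a constructed case through all six steps and summarise what happened."""
    case = CaseRecord("CASE-0001")                      # constructed identifier
    image = b"constructed sample disk image bytes"      # constructed exhibit data
    case.complete("Assessment", "case accepted; strategy and resources set")
    digest = case.collect("EXH-01", image)
    case.complete("Collection", "chain of custody opened")

    # Out-of-order completion is refused: Analysis cannot close before Examination.
    try:
        case.complete("Analysis")
        order_enforced = False
    except ValueError:
        order_enforced = True

    verified = case.verify("EXH-01", image)             # untouched image: hashes match
    tampered = case.verify("EXH-01", image + b"\x00")   # altered copy: hashes differ
    for step in ("Examination", "Analysis", "Reporting", "Review"):
        case.complete(step)

    return {
        "digest": digest,
        "order_enforced": order_enforced,
        "verified": verified,
        "tamper_detected": not tampered,
        "finished": case.current_step() is None,
        "audit_entries": len(case.audit_trail),
    }


if __name__ == "__main__":
    for key, value in run_sample_case().items():
        print(f"{key}: {value}")
```

The point of the sketch is that the checklist becomes a state machine rather than a document: a step that is skipped, or an image whose hash no longer matches the one recorded at collection, is refused and logged rather than silently carried into the Examination and Analysis stages.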
Additional tools for each of the Six Steps areas were created to help address the gaps within the existing standards and best practices and to help achieve process uniformity across digital forensic labs.