
DIGITAL FORENSIC: A PANACEA FOR EVIDENCE PRESERVATION

Digital forensics is the preservation, identification, recovery, documentation, analysis and interpretation of digital evidence. Digital evidence consists of electronically stored records, facts, signs and information of probative value that show that an event occurred or that a crime has been committed. Preservation of digital evidence is the crux of digital forensics. Evidence must therefore be handled so that it is promptly identified, preserved, collected, examined, analysed and documented, and so that it is weighty, authentic, reliable, believable and complete, and passes the test of legal admissibility. Evidence preservation is constantly plagued by issues that need to be resolved technically, administratively and legally. One of these is that international standardisation bodies standardise digital forensic processes, particularly evidence preservation, more slowly than digital technology and its challenges evolve. Consequently, proactive, sustained and non-fragmented research and practitioner communities must be established where they do not exist, and supported by national and regional standardisation organisations, to produce faster and more up-to-date solutions. Such communities have helped to sustain continuous growth and standardisation in other fields such as software engineering, web frameworks and mobile technology. A consolidated framework, the Enhanced Generic Digital Forensic Investigation Model (EGDFIM), is proposed in this work.

DIGITAL FORENSIC: A PANACEA FOR EVIDENCE PRESERVATION

A Project Presented to the School of Science & Technology, Nigerian National Open University, Lagos, Nigeria, in Partial Fulfilment of the Requirements for the Degree of Master of Science in Information Technology.

OJEDIRAN, Alaba Bolaji (NOU120101902)
November, 2014

Approval Page

This is to approve and attest to the originality of this research report carried out by OJEDIRAN ALABA BOLAJI. In my own opinion, it is adequate both in scope and quality as a project for the award of the degree of Master of Science in Information Technology by the School of Science and Technology, National Open University.

Dr Oyelade Jelili, Supervisor (date and signature)
Head of Department (date and signature)
External Examiner (date and signature)
Dean of the Faculty (date and signature)

Dedication

I dedicate this research work to God Almighty, for the wisdom and insight given to me, and also to my best friend and wife, Bolanle, my lively son, Samuel, and my beautiful daughter, Oluwakayowa. You are all precious to me.

Acknowledgements

My unreserved appreciation and acknowledgement go to my supervisor, mentor and teacher, Dr. Jelili Oyelade, for his untiring support, tutoring and inspiration for this work. My profound gratitude also goes to my entire family and to my colleagues at the Data Processing Unit of Lagos State University, Ojo. To my mentor and teacher, Dr. Moses Adebowale Akanbi: Sir, your motivation and drill are responsible for me going this far. I also appreciate the input and intelligent interaction of my colleagues at the Forensic Focus Community and the CyberinfoCTS Ethical Hackers and Security Community. Deborah, keep up the good work.
TABLE OF CONTENTS

Signature Page
Dedication
Acknowledgements
Abstract
Keywords
List of Tables
List of Figures
CHAPTER ONE: INTRODUCTION
  1.1 Background of the Study
  1.2 Research Problem and Objectives
  1.3 Objective of the Study
  1.4 Significance of the Study
  1.5 Organization of Work
CHAPTER TWO: LITERATURE REVIEW
  2.1 Background
  2.2 Reviews of the Development of Digital Forensics Investigation Models
    2.2.1 Computer Forensic Investigative Process
    2.2.2 DFRWS Investigative Model
    2.2.3 The Integrated Digital Investigation Model (IDIP)
      2.2.3.1 Readiness Phase
      2.2.3.2 Deployment Phase
      2.2.3.3 Physical Crime Scene Investigation Phase
      2.2.3.4 Digital Crime Scene Investigation Phase
    2.2.4 Enhanced Digital Investigation Process Model (EDIP)
      2.2.4.1 Readiness Phases
      2.2.4.2 Deployment Phases
      2.2.4.3 Traceback Phases
      2.2.4.4 Dynamite Phases
      2.2.4.5 Review Phases
    2.2.5 Abstract Digital Forensics Model (ADFM)
    2.2.6 Digital Forensic Model based on Malaysian Investigation Process
    2.2.7 Scientific Crime Scene Investigation Model
    2.2.8 End to End Digital Investigation
    2.2.9 Extended Model of Cybercrime Investigation
    2.2.10 A HOB Framework for the Digital Investigations Process
    2.2.11 Framework for a Digital Forensic Investigation
    2.2.12 Computer Forensics Field Triage Process Model
    2.2.13 Common Process Model for Incident and Computer Forensics
    2.2.14 Dual Data Analysis Process
    2.2.15 Network Forensic Generic Process Model
  2.3 Identifying the Common Phases of the Models
  2.4 Generic Computer Forensic Investigation Model (GCFIM)
  2.5 Literature Summary
CHAPTER THREE: RESEARCH METHODOLOGY
  3.1 Grounded Theory
  3.2 Research Methods
    3.2.1 Grounded Theory Methods
CHAPTER FOUR: RESEARCH MODEL
  4.1 The Proposed Model
  4.2 Most Important Factors in a Digital Forensic Model
    4.2.1 Cost
    4.2.2 The Administration
    4.2.3 Technical Issues
    4.2.4 Legal Issues
  4.3 Enhanced Generic Digital Forensic Investigation Model (EGDFIM)
  4.4 Applying the EGDFIM Model
CHAPTER FIVE: DISCUSSIONS AND CONCLUSIONS
REFERENCES

Keywords

Digital Forensic, Evidence Preservation, Digital Forensic Model, Digital Investigation Process, Forensic Framework, Digital Evidence

List of Tables

Table 2.1: List of the examined Models
Table 2.2: Common Phases of the examined Models
Table 2.3: Generic Phases
Table 2.4: Phase expansion of GCFIM

List of Figures

Figure 2.1: Computer Forensic Investigative Process
Figure 2.2: DFRWS Investigative Model
Figure 2.3: Phases of the IDIP Model
Figure 2.4: Enhanced Digital Investigation Process Model
Figure 2.5: Abstract Digital Forensics Model
Figure 2.6: DFMMIP Model
Figure 2.7: SCSI
Figure 2.8: EEDI Model
Figure 2.9: EMCI Model
Figure 2.10: HOBF Model
Figure 2.11: FDFI Model
Figure 2.12: Computer Forensics Field Triage Process Model
Figure 2.13: CPMICF Model
Figure 2.14: DDAP Model
Figure 2.15: NFGP Model
Figure 2.16: Generic Computer Forensic Investigation Model (GCFIM)
Figure 4.1: Process Flow between the Roles in Digital Forensics Investigation
Figure 4.2: Most Important Factors in a Digital Forensic Model
Figure 4.3: Enhanced Generic Digital Forensic Investigation Model (EGDFIM)

CHAPTER ONE
INTRODUCTION

The term "forensic" is derived from the Latin word "forensis", meaning "of or before the forum". “In Roman times, a criminal charge meant presenting the case before a group of public individuals in the forum. Both the person accused of the crime and the accuser would give speeches based on their sides of the story. The individual with the best argument and delivery would determine the outcome of the case” (Wikipedia, 2014). This alludes to the fact that the evidence, and how well it is presented, determines the outcome of a case.
That has largely been the situation for centuries of court cases and corporate investigations.

1.1 Background of the Study

Since IBM introduced the PC to the world in 1981, ever more records have been processed and stored digitally rather than on analogue media. Computers have become an important part of our lives and are involved in almost everything we do, from paying bills to space exploration. Government agencies now host online open data portals as data collection and retrieval points (e.g. Edo State, Nigeria); academic records of educational institutions are stored electronically and are accessible online (e.g. the Nigerian National Open University); and e-governance is gaining ground daily.

As digital data grow in size and complexity, and the volume of stored digital records doubles every 18 to 24 months by one estimate (NIJ, 2010), the majority of crimes committed today have a digital component, e.g. cybercrime, data theft and hacking. When an individual is brought before the courts or summoned for a corporate investigation, innocence or guilt is decided by testimony and evidence; of the two, evidence is probably the more important (Walker, 2007). ISO 15489-1:2001 defines records as "information created, received and maintained as evidence and information stored by an organization for legal obligations or in the transaction of business" (Gingrande, 2013). By that definition, all records are evidence.

Computer forensics is frequently used interchangeably with digital forensics, but there are differences between them. Computer forensics conveniently covers the forensic examination of all types of computer systems and their peripheral devices.
Digital forensics covers not only computers and their peripherals but also mobile devices, cell phones, PDAs, game consoles, Kindles, network devices and cloud computing. For almost two decades, the field of digital forensics has helped in identifying, preserving, recovering, validating, acquiring, examining, analysing, documenting and interpreting digitally stored records.

“While dictionary definitions of ‘forensics’ typically specify legal processes, it is also used (to some extents metaphorically) to allude to the notion of exhaustive investigation and argument” (John, 2012). The Digital Forensic Research Workshop (DFRWS) of 2001 defined digital forensics as the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations (Palmer, 2001). Digital forensics is not mainly concerned with computers and computer networks as such, but with forensic procedures, rules of evidence and other legal processes as they pertain to computers and computer networks (Vacca, 2005). Digital evidence consists of electronically stored records, facts, signs and information of probative value that show that an event occurred or that a crime has been committed.
The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files (Casey, 2009).

In recognition of the place of digital devices in daily life, with regard to law enforcement and the judiciary, the Evidence Act 2011 (also referred to as the Act), which introduces the "Admissibility of Statements in Documents Produced by Computers", came into force on 3 June 2011 when it received the assent of President Goodluck Jonathan of the Federal Republic of Nigeria. Evidence obtained from computers, mobile phones and other electronic devices is thus now admissible in Nigeria's law courts.

Apart from the use of digital evidence in legal cases, corporate organisations also need to preserve evidence of actions and records for disaster recovery or business continuity planning, so as to make the organisation resilient to anticipated and unanticipated catastrophic incidents, including those whose occurrence threatens its continued existence. However, the cost of preserving digital evidence is high, and organisations face the tough decision of whether to formulate enabling policies and commit their scarce resources to the appropriate preservation of digital evidence, or to channel those resources only to their core business.
Nevertheless, if they decide to commit some of their resources to preserving digital evidence, they expect the return on that investment to be optimal, which means adopting a consolidated solution that preserves evidence for investigative processes, regulatory obligations, disaster recovery or business continuity planning, and daily transactions.

Peter Sommer (Sommer, 2012) therefore advocated embedding into regular investigative processes the specific skills and resources needed to handle evidence in digital form. The types of evidence an organisation may need to collect, and the methods it uses to acquire them, emerge from its risk analysis; unfortunately, “regular risk analysis often fails to identify the types of evidence that could and should be captured” (Sommer, 2012). Likewise, storing every digital record generated in the course of planned and unplanned operations as digital evidence would be an unrealistic storage burden with a high probability of unusable content. Despite this conundrum, a systematic framework must be developed and adopted to identify which digital evidence should be captured from the torrent of digital records generated daily. Further challenges are identifying the sources of the evidence, preserving the evidence identified, legal approval of and constraints on evidence acquisition, determining who collects digital evidence and how, and the pattern of analysis of the potential digital evidence identified. ‘Digital preservation is concerned with the sustainability of digital information, notably the resilience and perceptibility of digital objects in the long term’ (John, 2012).
One of the tenets of digital forensics is to ensure that the original media is not altered, and that the methods used to create forensic-quality copies, together with their metadata, maintain the integrity of the original (Crim, 2006). In practice this means acquiring through a write blocker, making a bit-for-bit image, and hashing both the original and the image so that any later change to either is detectable. From the above, it is obvious that the quality of digital evidence hinges on the digital forensic process used to obtain, preserve and analyse it. However, “Digital Forensics as a Discipline is the Bridge from Computer Science to Judicial Science. This creates risks for both the administration of justice and confidence in the discipline of digital forensics and computer science. Thus, there are perils that must be identified and addressed” (Losavio, 2010).

1.2 Research Problem and Objectives

The research problem of the study is: how can digital forensic processes ensure that the digital evidence involved is preserved? To approach the main research problem, it is divided into three sub-questions:
1. What is the relationship between the digital forensic process and digital evidence preservation?
2. How should a digital forensic process be structured and executed to ensure that digital evidence is preserved?
3. Is it possible to have a consolidated digital evidence preservation framework that fits into any digital forensic model?

1.3 Objective of the Study

The main objective of the research is to identify the key factors that a digital forensic process model must have to ensure that the digital evidence involved is effectively preserved. This objective is reached by first dealing with the research sub-questions. The objectives related to the sub-questions are:
1. To extract the basic relationship between the digital forensic process and digital evidence preservation.
2. To identify the factors within a digital forensic process that ensure that digital evidence is preserved throughout the process.
3. To construct a framework from the factors identified in (2) above, and use it to analyse different digital forensic models for improvement or further development.
Based on the knowledge gained from answering the sub-questions, the main research question can be answered and the main objective reached.

1.4 Significance of the Study

The study is significant because the resulting consolidated framework will be useful both in digital forensic investigation and in applications outside criminal or legal investigation and computer security.

1.5 Organization of Work

This research work begins by introducing the historical background of the study in the first chapter, the Introduction, where the problems to be solved are also stated. The second chapter reviews the literature relevant to the research. The third chapter presents the research methodology, laying out the plan of the researcher's investigation, which aims to identify the factors in a digital forensic process that bear on evidence preservation and the relationships between them; grounded theory is the methodology used during the research project. The fourth chapter covers the implementation and evaluation of the researcher's investigation and proposes an Enhanced Generic Digital Forensic Investigation Model (EGDFIM). This is an improvement on the Generic Computer Forensic Investigation Model (GCFIM) proposed by Yunus Yusoff, Roslan Ismail and Zainuddin Hassan (Yusoff, Ismail, & Hassan, 2011), which is itself a distillation of several digital forensic investigation models.
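The tenet stated in section 1.1, that the original media must not be altered and that forensic-quality copies must demonstrably preserve its integrity, is enforced in practice by hashing and by a chain-of-custody record. The Python below is an added example written for this page; it is not code from the thesis or from any tool it cites. It hashes the original before and after acquisition (a write blocker is what prevents writes; the matching pair of hashes is the examiner's proof that it worked), makes a bit-for-bit copy, verifies the copy against the original, and records every action in a manifest that later verifications append to. The evidence file, its contents, the case identifier, the examiner names and the image file name are all constructed for the demonstration.

```python
"""
Added example (not from the thesis): preserving a piece of digital evidence
at acquisition. Hash the original before it is touched, make a bit-for-bit
copy, hash the original again and the copy, and record the outcome in a
chain-of-custody manifest that every later verification appends to.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large image never has to fit in RAM


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, streamed from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str, examiner: str, case_id: str) -> dict:
    """
    Copy `source` to `image` and return a chain-of-custody manifest.

    The original is hashed before and after the copy. A hardware write
    blocker is what prevents writes to the original; the two hashes are the
    examiner's proof that it worked. Any mismatch rejects the acquisition.
    """
    before = sha256_of(source)
    shutil.copyfile(source, image)   # bit-for-bit copy of the content
    after = sha256_of(source)
    if before != after:
        raise RuntimeError("original changed during acquisition; evidence not preserved")
    if sha256_of(image) != before:
        raise RuntimeError("image does not match original; acquisition failed")
    os.chmod(image, 0o444)           # the working copy is read-only from here on
    return {
        "case_id": case_id,
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "sha256": before,
        "size_bytes": os.path.getsize(image),
        "custody": [{"action": "acquired", "by": examiner,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }


def verify_image(image: str, manifest: dict, examiner: str) -> bool:
    """Re-hash the image against the manifest and log the result, pass or fail."""
    ok = sha256_of(image) == manifest["sha256"]
    manifest["custody"].append({"action": "verified" if ok else "VERIFICATION FAILED",
                                "by": examiner,
                                "at": datetime.now(timezone.utc).isoformat()})
    return ok


def demo() -> dict:
    """Acquire a constructed file, verify it, tamper with it, verify again."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "suspect_usb.bin")   # stands in for a seized device
    img = os.path.join(work, "suspect_usb.dd")    # raw image (hypothetical name)
    with open(src, "wb") as f:                    # constructed evidence, not real data
        f.write(b"MBR\x00" * 1024 + b"ledger.xlsx deleted 2014-11-03\n")
    manifest = acquire_image(src, img, examiner="Examiner A", case_id="CASE-0001")
    intact = verify_image(img, manifest, examiner="Examiner B")
    os.chmod(img, 0o644)                          # simulate careless handling:
    with open(img, "r+b") as f:                   # one byte of the image changes
        f.seek(10)
        f.write(b"\xff")
    still_intact = verify_image(img, manifest, examiner="Examiner B")
    shutil.rmtree(work)
    return {"first_check": intact, "tamper_detected": not still_intact,
            "manifest": json.dumps(manifest, indent=2)}


if __name__ == "__main__":
    print(demo()["manifest"])
```

Running the script prints the manifest, whose custody list ends with a "VERIFICATION FAILED" entry for the tampered copy. A real acquisition hashes the block device rather than a file and usually records a second, independent digest alongside SHA-256, but the control is the same: the hash taken at acquisition is the reference against which every later copy and every exhibit is compared, and the manifest is what lets an examiner answer the admissibility question of who held the evidence, when, and whether it changed.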
The last chapter, the fifth, presents the researcher's conclusions, recommendations and suggestions for future research.

CHAPTER TWO
LITERATURE REVIEW

2.1 Background

Though several definitions were given in the previous chapter, it is useful to evaluate digital forensics in the context of this work. Nikkel (2006) defined digital forensics as the use of scientifically derived and proven methods toward the identification, preservation, collection, validation, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. While that definition is comprehensive, it is useful to consider another. In 2001, at the first meeting of the Digital Forensics Research Workshop (DFRWS), the following was adopted as a definition of digital forensics: the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations (Palmer, 2001). These two definitions articulate the steps that make up the digital forensic process and stipulate that those steps are scientifically derived and proven, for the purpose of preserving the digital evidence involved in a digital forensic investigation in order to reconstruct the events found to be criminal or disruptive to planned actions.
We must note that digital forensic processes are not only for criminal investigations, but also for examining the disruption of planned actions, whether or not it was caused, directly or indirectly, by a person or a machine, and whether or not it was criminal. The above paragraphs highlight one of the problems examined in this work: the relationship between digital forensics and digital evidence preservation. Kaur and Kaur (2012) stated that the way the digital forensic process is implemented has a direct impact on:
- the prevention of further malicious events against the intended "target";
- the successful tracing of the events that led to the crime, and the determination of the guilty parties;
- bringing the perpetrators of the crime to justice;
- the improvement of the prevention mechanisms in place so that such an event does not recur;
- the standards used by corporate security professionals to secure their corporate networks; and
- how everyone "plugged" into the digital environment can increase their awareness of current vulnerabilities and prevention measures.

Likewise, Nikkel's (2006) statement that digital evidence is data that supports a theory about digital events agrees with Carrier and Spafford's (2003) definition of digital evidence as digital data that supports or refutes a hypothesis about digital events or the state of digital data. This definition includes evidence that may not be capable of being entered into a court of law but may have investigative value (Ademu, Imafidon, & Preston, 2011). Evidence can be gathered from theft or destruction of intellectual property, fraud, or anything else criminally related to the use of a digital device. Digital evidence is any digital data that can provide a significant link between the cause of the crime and the victim (Perumal, 2009).
Examining the characteristics of digital evidence, that is, data of investigative value that is stored or transmitted by a digital device, shows that it is fragile by nature: it can easily be altered, damaged or destroyed by improper handling or examination, and it is hidden in its natural state and cannot be known from the physical object that holds it (Ademu et al., 2011). It is therefore clear that a digital forensic investigative report may be required to explain the examination process or model used and to identify any limitations it imposes on the investigation carried out (Mark M Pollitt, 2007). This corroborates the point that the digital forensic process must be structured and executed so that the digital evidence involved is preserved throughout, which leads us to review some of the numerous works that have contributed to the evolution and development of digital forensic process models. Note that in this work, Digital Forensic Process Model is used interchangeably with Digital Forensic, Digital Forensic Model and Digital Forensic Investigation Model.

2.2 Reviews of the Development of Digital Forensics Investigation Models

Computer forensics can be traced back to as early as 1984, when the USA Federal Bureau of Investigation (FBI) laboratory and other law enforcement agencies began developing programs to examine computer evidence. The relationship between digital forensics and digital evidence preservation is intrinsic, as digital forensics hinges on how digital evidence is treated, i.e. preserved, extracted, identified, stored, analysed and presented, and vice versa. To address the second research question, how digital forensic processes are structured and executed to ensure that digital evidence is preserved, we review several digital forensic models and the processes embedded in them.
There is a large body of literature on digital forensic models, and it would be overwhelming to review all of it within the space allowed in this work. We have therefore selected some models for review, based on the diversity of technology represented in the model and the abstraction of its presentation. These criteria were chosen to ensure that the models reviewed are not limited in application and could still be used today, as technology evolves daily, irrespective of geographical location or jurisdiction. The models eventually selected are not thereby claimed to be better than those that were not.

2.2.1 Computer Forensic Investigative Process (1995)

Pollitt (M. M. Pollitt, 1995) proposed a methodology for dealing with digital evidence investigation so that the results are scientifically reliable and legally acceptable. It comprises four distinct phases.

Figure 2.1: Computer Forensic Investigative Process

In the Acquisition phase, evidence is acquired in an acceptable manner with proper approval from authority. It is followed by the Identification phase, whose tasks are to identify the digital components of the acquired evidence and convert them into a format understood by humans. The Evaluation phase comprises the task of determining whether the components identified in the previous phase are indeed relevant to the case being investigated and can be considered legitimate evidence. In the final phase, Admission, the acquired and extracted evidence is presented in the court of law.

2.2.2 DFRWS Investigative Model (2001)

In 2001, the first Digital Forensics Research Workshop (DFRWS) (Palmer, 2001) proposed a general-purpose digital forensic investigation process. It comprises six phases.
Figure 2.2: DFRWS Investigative Model (Palmer, 2001)

The DFRWS investigative model starts with an Identification phase, in which profile detection, system monitoring, audit analysis, etc., are performed. It is immediately followed by the Preservation phase, involving tasks such as setting up proper case management and ensuring an acceptable chain of custody. This phase is crucial to ensure that the data is collected free from contamination. The next phase is Collection, in which relevant data are collected using approved methods and various recovery techniques. Following this are two crucial phases, Examination and Analysis, in which tasks such as evidence tracing, evidence validation, recovery of hidden or encrypted data, data mining and timeline construction are performed. The last phase is Presentation; its tasks are documentation, expert testimony, etc.

2.2.3 The Integrated Digital Investigation Model (IDIP)

This investigation process was proposed by Carrier and Spafford (Carrier & Spafford, 2003) in 2003, with the intention of combining the various available investigative processes into one integrated model. The authors introduce the concept of the digital crime scene, the virtual environment created by software and hardware in which digital evidence of a crime or incident exists. The model organises the process into five phases, consisting of 17 components in all.

Figure 2.3: Phases of the IDIP Model (Carrier & Spafford, 2003)

2.2.3.1 Readiness phases

The goal of these phases is to ensure that the operations and infrastructure are able to fully support an investigation. They include two phases:
1. Operations Readiness phase, which ensures that personnel are fully trained and equipped to deal with an incident when it occurs.
2.
Infrastructure Readiness Phase; that ensures that the underlying infrastructure is sufficient enough to deal with incidents that come. For example equipment like video cameras and card readers being there and in good working condition. 15 OJEDIRAN ALABA BOLAJI 2.2.3.2 Deployment phases The purpose is to provide a mechanism for an incident to be detected and confirmed. It includes two phases: 1. Detection and Notification phase; where the incident is detected and then appropriate people notified. 2. Confirmation and Authorization phase; which confirms the incident and obtains authorization for legal approval to carry out a search warrant. 2.2.3.3 Physical Crime Scene Investigation phases The goal of these phases is to collect and analyse the physical evidence and reconstruct the actions that took place during the incident. It includes six phases:1. Preservation phase; which seeks to preserve the crime scene so that evidence can be later identified and collected by personnel trained in digital evidence identification. 2. Survey phase; that requires an investigator to walk through the physical crime scene and identify pieces of physical evidence. 3. Documentation phase; which involves taking photographs, sketches, and videos of the crime scene and the physical evidence. The goal is to capture as much information as possible so that the layout and important details of the crime scene are preserved and recorded. 4. Search and collection phase; that entails an in-depth search and collection of the scene is performed so that additional physical evidence is identified and hence paving the way for a digital crime investigation to begin. 5. Reconstruction phase; which involves organizing the results from the analysis done and using them to develop a theory for the incident. 16 OJEDIRAN ALABA BOLAJI 6. Presentation phase; that presents the physical and digital evidence to a court or corporate management. 
2.2.3.4 Digital Crime Scene Investigation phases

The goal is to collect and analyse the digital evidence obtained from the physical investigation phases and through any other future means. It includes similar phases to the physical investigation, although the primary focus is on the digital evidence. The six phases are:
1. Preservation phase, which preserves the digital crime scene so that evidence can later be synchronized and analysed for further evidence.
2. Survey phase, whereby the investigator transfers the relevant data from a venue outside the physical or administrative control of the investigator to a controlled location.
3. Documentation phase, which involves properly documenting the digital evidence when it is found. This information is helpful in the presentation phase.
4. Search and Collection phase, whereby an in-depth analysis of the digital evidence is performed. Software tools are used to reveal hidden, deleted, swapped and corrupted files that were used, including dates, durations, log files, etc. Low-level timelining is performed to trace a user's activity and identity.
5. Reconstruction phase, which includes putting the pieces of the digital puzzle together and developing investigative hypotheses.
6. Presentation phase, which involves presenting the digital evidence that was found to the physical investigative team.

2.2.3.5 Review phase

This entails a review of the whole investigation and identifies areas for improvement.

The IDIP model does well at illustrating the forensic process, and also conforms to the cyber terrorism capabilities (Rogers, Goldman, Mislan, Wedge, & Debrota, 2006), which require a digital investigation to address issues of data protection, data acquisition, imaging, extraction, interrogation, ingestion/normalisation, analysis and reporting.
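The Preservation and Documentation phases of the digital crime scene investigation above rest on one practical ability: showing later that an acquired item is byte-for-byte what was collected, and recording who handled it and when. The script below is an added illustration of that minimum, not code from this work nor from the IDIP model. It hashes an evidence file in chunks, appends a chain-of-custody entry to a line-delimited log, and re-verifies the item against its acquisition hash. The file names, case identifier and examiner name are constructed sample values.

```python
"""Minimal evidence-preservation record: hash an acquired artifact, log a
chain-of-custody entry, and later verify that the artifact is unchanged.
Added example; file names, case id and examiner below are constructed values."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image need not fit in memory


def hash_file(path: str) -> dict:
    """Return SHA-256 and MD5 digests plus size of a file.

    Two algorithms are computed in one pass because many custody forms ask for
    both; SHA-256 is the one the verification below relies on."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(),
            "size": os.path.getsize(path)}


def record_custody(log_path: str, evidence_path: str, case_id: str,
                   examiner: str, action: str) -> dict:
    """Append one custody entry (who, what, when, which hashes) as a JSON line."""
    entry = {
        "case_id": case_id,
        "item": os.path.basename(evidence_path),
        "action": action,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        **hash_file(evidence_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_integrity(log_path: str, evidence_path: str) -> bool:
    """Re-hash the item and compare with its FIRST recorded (acquisition) hash.

    The first entry is used deliberately: later entries describe handling, but
    the acquisition digest is the reference the item must still match."""
    item = os.path.basename(evidence_path)
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["item"] == item:
                return hash_file(evidence_path)["sha256"] == entry["sha256"]
    raise KeyError(f"no custody record for {item}")


def demo() -> tuple:
    """Constructed scenario: a fake image is acquired and verified, then one
    byte is altered and verification is repeated. Returns (intact, tampered)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "CASE-DEMO-001-disk0.dd")   # constructed name
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as fh:
        fh.write(b"MBR-PLACEHOLDER" + bytes(4096))          # constructed content
    record_custody(log, image, "CASE-DEMO-001", "examiner-a", "acquired")
    intact = verify_integrity(log, image)
    with open(image, "r+b") as fh:                           # simulate contamination
        fh.seek(100)
        fh.write(b"\x01")
    tampered = verify_integrity(log, image)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Each custody entry carries its own digest, so a later examiner can check an item against the acquisition record without trusting intermediate handlers; the JSON-lines format keeps the log append-only and easy to attach to a report.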
The IDIP model also highlights the reconstruction of the events that led to the incident and emphasizes reviewing the whole task, hence ultimately building a mechanism for quicker forensic examinations. However, the IDIP model is open to some criticisms. First, despite encompassing all the earlier models, there is reason to question the IDIP model's practicality. It, for instance, depicts the deployment phase, which consists of confirmation of the incident, as being independent of the physical and digital investigation phases. In practice, however, it seems impossible to confirm a digital or computer crime unless and until some preliminary physical and digital investigation is carried out. Secondly, it does not offer sufficient specificity and does not, for instance, draw a clear distinction between investigations at the victim's (secondary crime) scene and those at the suspect's (primary crime) scene. Neither does it reflect the process of arriving at the latter. Since a computer can be used both as a tool and as a victim (Perumal, 2009), it is common for investigations to be carried out at both ends so that accurate reflections are made. Henry Lee (Ciardhuain, 2011) defines the primary crime scene as the place where the first criminal act occurred. The process of tracing back to it can be challenging when dealing with larger networks and, in particular, the Internet (Perumal, 2009).

2.2.4 Enhanced Digital Investigation Process Model (EDIP) (2004)

As the name implies, this investigative model is based on the previous model, the Integrated Digital Investigation Process (IDIP), as proposed by Carrier and Spafford. The Enhanced Digital Investigation Process Model, also known as EDIP (Baryamureeba & Tushabe, 2004), introduces one significant phase known as the Traceback phase. This is to enable the investigator to trace back all the way to the actual devices/computer used by the criminal to perform the crime.
Figure 2.4: Enhanced Digital Investigation Process Model (Baryamureeba & Tushabe, 2004)

The investigation process starts with the Readiness phase, and the tasks performed are the same as in IDIP. The second phase, the Deployment phase, provides a mechanism for an incident to be detected and confirmed. It consists of five sub-phases, namely Detection & Notification, Physical Crime Scene Investigation, Digital Crime Scene Investigation, Confirmation and, lastly, Submission. Unlike IDIP, this phase includes both physical and digital crime scene investigations and the presentation of findings to legal entities (via the Submission phase). In the Traceback phase, tracking down the source crime scene, including the devices and location, is the main objective. It is supported by two sub-phases, namely Digital Crime Scene Investigation and Authorization (obtaining approval to perform the investigation and access information). Following the Traceback phase is the Dynamite phase. In this phase, investigations are conducted at the primary crime scene with the purpose of identifying the potential culprit(s). It consists of four sub-phases, namely Physical Crime Scene Investigation, Digital Crime Scene Investigation, Reconstruction and Communication. In the Reconstruction sub-phase, the pieces of information collected are put together so as to construct the possible events that could have happened. The Communication sub-phase is similar to the earlier Submission phase. The investigation process ends with the Review phase, and the tasks performed are the same as in IDIP.

Phases of the EDIP Model

2.2.4.1 Readiness phases

The goal of this phase is to ensure that the operations and infrastructure are able to fully support an investigation. It includes two phases:
1. Operations Readiness phase, which ensures that human capacity is fully trained and equipped to deal with an incident when it occurs.
2. Infrastructure Readiness phase, which ensures that the underlying infrastructure is sufficient to deal with incidents that arise, for example equipment such as video cameras and card readers being present and in good working condition.

2.2.4.2 Deployment phases

The deployment phases provide a mechanism for an incident to be detected and confirmed. They take place at the place where the crime was detected and consist of five phases:
1. Detection and Notification phase, when an incident is detected and the appropriate people notified.
2. Physical Crime Scene Investigation phase, when a physical examination of the scene is performed and potential digital evidence identified.
3. Digital Crime Scene Investigation phase, when an electronic examination of the scene is performed and digital evidence obtained, with possibly an estimation of the extent of the impact or damage.
4. Confirmation phase, when the incident is confirmed and authorization given to obtain legal approval to carry out a search warrant and further investigations at the suspect's premises.
5. Submission phase, which involves presenting the physical and digital evidence to legal entities or corporate management.

2.2.4.3 Traceback phases

Within these phases, the perpetrator's physical crime scene of operation is tracked down, leading to identification of the devices that were used to perform the act. They consist of:
1. Digital Crime Scene Investigation phase, whereby the primary crime scene is traced from the clues obtained in the previous phases. For example, acquiring public and private IP addresses and mapping them to the country and institution will eventually lead to the host computer. IP addresses can be easily obtained using commands such as ping, nslookup, dig and tracert against a DNS server (N. L. Beebe & Clark, 2005).
Locating the country and institution is simplified by various tools and websites such as ip-to-location.com and whatismyipaddress.net (Freiling & Schwittay, 2007; Köhn, Olivier, & Eloff, 2006).
2. Authorization phase, when authorization from local legal entities is obtained to permit further investigations and access to more information.

2.2.4.4 Dynamite phases

These phases investigate the primary crime scene. They aim at collecting and analysing the items found at the primary crime scene to obtain further evidence that the crime originated from there, and they help identify the potential culprits. They consist of:
1. Physical Crime Scene Investigation phase, when a physical examination of the scene is carried out to identify potential digital evidence.
2. Digital Crime Scene Investigation phase, when an electronic examination of the scene is performed to obtain digital evidence of the incident and possibly an estimation of the time and dates when the incident was launched.
3. Reconstruction phase, which includes putting the pieces of the digital puzzle together and identifying the most likely investigative hypotheses.
4. Communication phase, which involves presenting the final interpretations and conclusions about the physical and digital evidence investigated to a court or corporate management.

2.2.4.5 Review phase

The whole investigation is reviewed and areas for improvement identified.

2.2.5 Abstract Digital Forensics Model (ADFM) (2002)

Drawing on the previous forensic protocols, there exist common steps that can be abstractly defined to produce a model that is not dependent on a particular technology or electronic crime. The basis of this model is to determine the key aspects of the aforementioned protocols as well as ideas from traditional forensics, in particular the protocol for an FBI physical crime scene search (Reith, Carr, & Gunsch, 2002a).
This proposed model can be thought of as an enhancement of the DFRWS model, since it is inspired by it.

Figure 2.5: Abstract Digital Forensics Model (Reith, Carr, & Gunsch, 2002b)

The key components of this model include the following:
1. Identification – recognizing an incident from indicators and determining its type. This is not explicitly within the field of forensics, but is significant because it impacts other steps.
2. Preparation – preparing tools, techniques, search warrants, monitoring authorizations and management support.
3. Approach strategy – dynamically formulating an approach based on the potential impact on bystanders and the specific technology in question. The goal of the strategy should be to maximize the collection of untainted evidence while minimizing impact to the victim.
4. Preservation – isolating, securing and preserving the state of physical and digital evidence. This includes preventing people from using the digital device or allowing other electromagnetic devices to be used within an affected radius.
5. Collection – recording the physical scene and duplicating digital evidence using standardized and accepted procedures.
6. Examination – an in-depth systematic search for evidence relating to the suspected crime. This focuses on identifying and locating potential evidence, possibly in unconventional locations, and constructing detailed documentation for analysis.
7. Analysis – determining significance, reconstructing fragments of data and drawing conclusions based on the evidence found. It may take several iterations of examination and analysis to support a crime theory. The distinction of analysis is that it may not require high technical skill to perform, so more people can work on the case.
8. Presentation – summarizing and explaining the conclusions. This should be written in layperson's terms using abstracted terminology; all abstracted terminology should reference the specific details.
9. Returning evidence – ensuring physical and digital property is returned to the proper owner, as well as determining how and what criminal evidence must be removed. Again, this is not an explicit forensics step; however, any model that seizes evidence rarely addresses this aspect.

Note that these steps are not unlike traditional methods used to collect physical evidence, but are in fact the abstraction of current practices applied to crimes that involve digital evidence (Reith et al., 2002a). "A large body of proven investigative techniques and methods exists in more traditional forensic disciplines. Most are applicable in cyberspace, but are not yet considered strongly" (Reith et al., 2002a). Also observe that the type of digital technology involved in these steps can be abstractly defined up to this point. This is important because it allows a standardized process to be defined without specifying the exact technology involved, which in turn allows a consistent methodology for dealing with past, present or future digital devices in a well-understood and widely accepted manner. For example, this methodology can be applied to a range of digital devices from calculators to desktop computers, or even unrealized digital devices of the future. Using this model, future technologies and the technical details required to forensically analyse them can be instantiated to provide a consistent and standardized methodology for producing electronic evidence. This would enhance the science of forensics because it provides a basis for analysing new digital/electronic technology while at the same time providing a common framework within which law enforcement and the judicial system can feasibly work in a court of law.

2.2.6 Digital Forensic Model based on Malaysian Investigation Process (DFMMIP)

In 2009, Perumal, S. (Perumal, 2009) proposed yet another digital forensic investigation model, which is based on the Malaysian investigation processes.
The DFMMIP model consists of seven phases.

Figure 2.6: DFMMIP model (Yusoff et al., 2011)

Upon completion of the first phase, Planning, the next phase, Identification, follows. After that, the Reconnaissance phase is conducted. This phase deals with conducting the investigation while the devices are still running (in operation), which is similar to performing live forensics. The author argued that live data acquisition focused on fragile evidence does increase the chances of positive prosecution. Before data can be analysed, they must be securely transported to the investigation site and properly stored. This is done in the Transport & Storage phase. Once the data is ready, the Analysis phase is invoked and the data is analysed and examined using the appropriate tools and techniques. Similar to the Presentation phase in the previous models, the investigators are required to show the proof presented to support the case. This is done in the Proof & Defense phase. Finally, the Archive Storage phase is performed, whereby relevant evidence is properly stored for future reference and can perhaps also be used for training purposes.

2.2.7 Scientific Crime Scene Investigation Model (SCSI) – 2001

Figure 2.7: SCSI Model (Yusoff et al., 2011)

2.2.8 End to End Digital Investigation Model (EEDI) – 2003

Figure 2.8: EEDI Model (Yusoff et al., 2011)

2.2.9 Extended Model of Cybercrime Investigation (EMCI) – 2004

Figure 2.9: EMCI Model (Yusoff et al., 2011)

2.2.10 A Hierarchical, Objective-Based Framework for the Digital Investigations Process (HOBF)

Figure 2.10: HOBF Model (Yusoff et al., 2011)

2.2.11 Framework for a Digital Forensic Investigation (FDFI) – 2006

Figure 2.11: FDFI Model (Yusoff et al., 2011)

2.2.12 Computer Forensics Field Triage Process Model (CFFTPM)

The CFFTPM (Rogers et al., 2006) proposes an onsite approach to providing the identification, analysis and interpretation of digital evidence in a relatively short time frame, without the need to take the devices or media back to the lab and without requiring complete forensic images. The CFFTPM consists of six primary phases, which are further divided into another six sub-phases.

Figure 2.12: Computer Forensics Field Triage Process Model (Yusoff et al., 2011)

2.2.13 Common Process Model for Incident and Computer Forensics (CPMICF)

Figure 2.13: CPMICF Model (Yusoff et al., 2011)

2.2.14 Dual Data Analysis Process (DDAP)

Figure 2.14: DDAP Model (Yusoff et al., 2011)

2.2.15 Network Forensic Generic Process Model (NFGP)

Figure 2.15: NFGP Model (Yusoff et al., 2011)

It is of utmost importance to note that all the models highlighted above operate within the confines of the legal rules of the region or geographical location in which they are applied. Thus a clear understanding of the legal requirements must be established right at the start of the investigation, and this will inform each subsequent step or phase. By focusing on this end goal and deciding which legal norms are to be used, the most applicable framework and its integral steps will become clear (Köhn et al., 2006).

However, since the Generic Computer Forensic Investigation Model (GCFIM) is a distillation of all the models reviewed in this literature review, we start with an exegesis of the GCFIM. In furtherance of our review, we will also review the previous digital forensic model comparison tables, in order to identify the factors within the digital forensic process that ensure that evidence is preserved throughout the process.
Considering the fifteen (15) models reviewed above in this chapter, we therefore begin by identifying the common phases in each model.

2.3 Identifying the Common Phases of the Models listed above

In order to identify the common phases shared by all of the presented models, we started by assigning each investigation model a unique ID and sorting them in chronological order. The result is displayed in the table below.

Table 2.1: List of the examined Models (Yusoff et al., 2011)
ID   Year  Name
M01  1995  Computer Forensic Investigative Process
M02  2001  DFRWS Investigative Model
M03  2001  Scientific Crime Scene Investigation Model
M04  2002  Abstract Digital Forensic Model
M05  2003  Integrated Digital Investigation Process
M06  2003  End to End Digital Investigation
M07  2004  Enhanced Digital Investigation Process
M08  2004  Extended Model of Cybercrime Investigation
M09  2004  A Hierarchical, Objective-Based Framework for the Digital Investigation
M10  2006  Computer Forensic Field Triage Process Model
M11  2006  Framework for a Digital Forensic Investigation
M12  2007  Dual Data Analysis Process
M13  2007  Common Process Model for Incident and Computer Forensics
M14  2009  Digital Forensic Model based on Malaysian Investigation Process (DFMMIP)
M15  2010  Network Forensic Generic Process Model

The next step is to qualitize, that is, to change variables into codes: we extract all of the phases within each of the digital forensic investigation process models. The extracted phases were also assigned unique IDs, and phases with similar tasks were grouped together.
Table 2.2: Common Phases of the examined Models (Yusoff et al., 2011)
ID   Name of phase                      Available in
P01  Access                             M12
P02  Acquisition                        M01, M12
P03  Admission                          M01
P04  Analysis                           M02, M04, M13, M14, M06, M09, M15
P05  Approach Strategy                  M04
P06  Archive Storage                    M14
P07  Authorization                      M08
P08  Awareness                          M08
P09  Case Specific Analysis             M10
P10  Chronology Timeline Analysis       M10
P11  Collection                         M02, M04, M06, M08, M09, M15
P12  Deployment                         M05, M07
P13  Detection                          M15
P14  Digital Crime Investigation        M05
P15  Dissemination of Information       M08
P16  Dynamite                           M07
P17  Evaluation                         M01
P18  Examination                        M02, M04, M06, M08, M15
P19  Hypothesis creation                M08
P20  Identification                     M01, M02, M04, M14, M03, M06
P21  Incident Closure                   M09
P22  Incident Response                  M09, M15
P23  Individualization                  M03
P24  Internet Investigation             M10
P25  Investigation                      M11, M15
P26  Notification                       M08
P27  Physical Crime Investigation       M05
P28  Planning                           M10, M14, M08
P29  Post-Analysis                      M13
P30  Pre-Analysis                       M13
P31  Preparation                        M04, M09, M11, M15
P32  Presentation                       M02, M04, M06, M08, M09, M11, M15
P33  Preservation                       M02, M04, M06, M15
P34  Proof & Defense                    M14, M08
P35  Readiness                          M05, M07
P36  Recognition                        M03
P37  Reconnaissance                     M14
P38  Reconstruction                     M03
P39  Report                             M12
P40  Returning Evidence                 M04
P41  Review                             M05, M07
P42  Search & Identify                  M08
P43  Traceback                          M07
P44  Transport & Storage                M14, M08
P45  Triage                             M10
P46  User Usage Profile Investigation   M10

Based on the above list of phases (Table 2.2), Yunus, Roslan and Zainuddin (Yusoff et al., 2011) stated that it is apparent that a number of those phases do indeed duplicate or overlap each other. Taking into account the tasks performed in each of the phases, and not just relying on the actual naming, we were able to observe that the phases can be grouped into five generic groupings, namely pre-process, acquisition & preservation, analysis, presentation and post-process. Table 2.3 below demonstrates how the phases were grouped into their respective generic groupings.
Table 2.3: Generic Phases (Yusoff et al., 2011)
Generic Phase               Available phases
Pre-Process                 P01, P05, P07, P08, P26, P28, P30, P31, P35, P36
Acquisition & Preservation  P02, P11, P12, P13, P20, P30, P33, P42, P44
Analysis                    P04, P09, P10, P13, P14, P16, P17, P18, P19, P23, P24, P25, P27, P37, P38, P42, P43, P45, P46
Presentation                P03, P29, P32, P34, P39
Post-Process                P06, P15, P21, P22, P40, P41

2.4 Generic Computer Forensic Investigation Model (GCFIM)

Considering the generic phases identified above, a generic investigation process, known as the Generic Computer Forensic Investigation Model (GCFIM), was developed by Yunus, Roslan and Zainuddin. Figure 2.16 below illustrates the proposed GCFIM.

Figure 2.16: Generic Computer Forensic Investigation Model (GCFIM) (Yusoff et al., 2011)

Phase 1 of GCFIM is known as Pre-Process. The tasks performed in this phase relate to all of the work that needs to be done prior to the actual investigation and official collection of data. Among the tasks to be performed are getting the necessary approval from the relevant authority, preparing and setting up the tools to be used, etc.

Phase 2 is known as Acquisition & Preservation. Tasks performed under this phase relate to identifying, acquiring, collecting, transporting, storing and preserving data. In general, this phase is where all relevant data are captured, stored and made available for the next phase.

Phase 3 is known as Analysis. This is the main phase and the centre of the computer forensic investigation process. It has the largest number of phases in its group, reflecting that the focus of most models reviewed is indeed on the analysis phase. Various types of analysis are performed on the acquired data to identify the source of the crime and ultimately discover the person responsible for the crime.

Phase 4 is known as Presentation. The findings from the analysis phase are documented and presented to the authority.
Obviously, this phase is crucial, as the case must not only be presented in a manner well understood by the party it is presented to, it must also be supported with adequate and acceptable evidence. The main output of this phase is either to prove or refute the alleged criminal acts.

Phase 5 is known as Post-Process. This phase relates to the proper closing of the investigation exercise. Digital and physical evidence need to be properly returned to the rightful owner and kept in a safe place, if necessary. A review of the investigative process should be done so that lessons can be learnt and used to improve future investigations.

Instead of moving sequentially from one phase to another, the ability to go back to previous phases must always be present. We are dealing with situations that are forever changing in terms of the crime scenes (physical and digital), the investigative tools used, the crime tools used and the level of expertise of the investigators. As such, it is much desired to be able to go back to the previous phases that we have done, not only to correct any weaknesses but also to acquire new things/information.

We wish to note that the phase numbered P22 (in Table 2.2) was put in the Post-Process phase (in Table 2.3), which is due to the fact that action or response to any incident should be taken after the incident has been properly analysed and presented to the authority. Nevertheless, should the investigator find a very risky and high-impact incident, the prerogative is the investigator's to take any proper immediate action. However, this is a deviation from the normal process and should be treated on a case-by-case basis.

The GCFIM has illustrated the process of digital forensics in a generic and simple way. Each of the steps can be well adapted for previous, recent and emerging digital terrains.
It also allows for the dynamic interaction of the physical crime scene with the digital crime scene, which is often a major source of confusion in applying most models to solve digital forensic issues. Also, "instead of moving sequentially from one phase to another, the ability to go back to the previous phases must always be present. We are dealing with the situations that are forever changing in terms of the crimes scenes (physical and digital), the investigative tools used, the crime tools used and the level of expertise for the investigators. As such, it is much desired to be able to go back to the previous phases that we have done, not only to correct any weaknesses but also to acquire new things/information".

However, the GCFIM model is open to some criticisms. As general as the model is, it only considers technologies that currently exist and does not include emerging digital technologies; new or emerging technologies will engender new processes of investigation, which may not fall into the current processes of the GCFIM generic model. Likewise, given the need for extending non-digital concepts (legal, accreditation, etc.) to the digital domain (N. Beebe, 2009), models borne out of non-technical sources such as law, which nevertheless have a strong input into digital forensic investigation in proving the eventual evidence, must be actively considered in formulating a model that is to be truly considered generic.

2.5 Literature Summary

From the literature review, it was seen that there exists an abundance of process models for digital forensic investigations. The number of forensic models that have been proposed reveals the complexity of the computer forensic process. The following can be seen quite clearly:
- Each of the proposed models builds on the experience of the previous;
- Some of the models have similar approaches;
- Some of the models focus on different areas of the investigation (Köhn et al., 2006).
However, this work seeks to identify the factors within a digital forensic process that ensure that digital evidence is preserved throughout the process, in order to achieve the leading goal of digital forensics, which is to produce concrete evidence suitable for presentation in a court of law.

CHAPTER THREE
RESEARCH METHODOLOGY

Leedy (Remenyi, 1998) formally defines research methodology as an operational framework within which the facts are placed so that their meaning may be seen more clearly. Research methodologies can also be viewed as ways of thinking about and studying social reality (Corbin & Strauss, 2008). That is, they can be viewed as stances towards the question of how researchers can find out what they believe can be known of social reality. Moreover, methodologies can be considered as overlapping viewpoints on the study of social reality (Mäkelä & Turcan, 2007). Selection of research methodology depends on the research questions and objectives (Remenyi, 1998). The selection is affected by the following factors:
- the topic to be researched and the specific research question;
- methodologies which have been applied to similar types of research question in previous research projects;
- strengths and weaknesses of the methodologies;
- the researcher's own preferences;
- interests of stakeholders such as sponsors, companies/institutes under research, university and supervisor;
- time and money constraints.

In the literature review, it was established that most of the digital forensic models proposed have their merits, yet the main goal of forensics, evidence preservation and presentation, must take priority over every other goal, irrespective of the type and area of focus of the process used. This requirement calls for models that are not too complex to be realistically used to solve real-world digital forensic issues, yet not so abstract as to be devoid of bearing.
Though we do not attempt to "re-invent the wheel", we want to ensure that the focal point of forensics is achieved in the model proposed in this work, by identifying clearly the factors that must be included in the process to achieve this. Therefore, a grounded theory methodology is chosen to develop a suitable theoretical model for analysing these factors.

3.1 Grounded Theory

Grounded theory methodology was first developed by Barney G. Glaser and Anselm L. Strauss (Strauss & Corbin, 1990). They presented the first account of how to build grounded theory in their book "The discovery of grounded theory" in 1967 (Mäkelä & Turcan, 2007). Grounded theory is defined as theory derived inductively from the studied phenomenon. The theory is thereby discovered, developed and preliminarily verified by systematically gathering and analysing information concerning the phenomenon. Therefore, data collection, analysis and theory are in a reciprocal relationship (Strauss & Corbin, 1990).

Strauss and Corbin (1990) state that a well-developed grounded theory fulfils four central criteria when the relationship between the theory and the phenomenon it describes is assessed. These criteria are: (1) fit, (2) understanding, (3) generality and (4) control. If the theory is believable in relation to the day-to-day reality of the substantive area and is carefully derived from diverse raw data, then the theory should fit that substantive area. Because the theory represents that reality, it should have a wide scope and feel sensible, thus supporting understanding among the persons studied and those who practise in that area. If the raw data upon which the grounded theory is based is wide, and the interpretations conceptual and diverse, the theory should be abstract enough and include enough generality to be applicable to contexts similar to the phenomenon. Finally, the theory should offer the possibility of actions to control the phenomenon (Järvinen, 2004).
Theoretical sensitivity, on the other hand, refers to the awareness of the researcher to the subtleties of meaning in data. It means the ability to give meaning to data, the capacity to understand, and the capability to separate the pertinent from that which is not. Theoretical sensitivity arises from knowledge of the literature, professional experience, personal experience and the analytic process itself (Strauss & Corbin, 1990). Theoretical sensitivity can be increased by: (1) periodically stepping back and asking what is really going on, (2) maintaining an attitude of scepticism and (3) following the research procedures (Järvinen, 2004).

3.2 Research Methods

Research methods are a set of procedures and techniques for collecting and analysing data (Strauss & Corbin, 1998). These are, for example, interviewing, collecting documents, observational techniques, personal experience methods, various visual methods, and coding and iteration procedures (Mäkelä & Turcan, 2007).

3.2.1 Grounded Theory Methods

In grounded theory, Strauss & Corbin (1990) consider technical literature to include research reports and theoretical or philosophical discussions that have been produced professionally and according to scientific rules. These serve as background material against which the researcher compares the results of his own empirical study. Other, non-technical literature is considered to include biographies, diaries, documents, manuscripts, records, reports, catalogues and other material that can be used as source material or to complement interviews and field observations. The empirical data material is gathered using various data collection methods, usually interviews and observations (Järvinen, 2004).

The literature and existing theory were searched using journal databases (EBSCOHost, ScienceDirect, etc.), books and finally Internet search for proper coverage. The searches were made using keywords such as virtual community, online community, and so on.
Searches were expanded as significant quotations and references were found.

The analysis of grounded theory is constructed of three coding steps. These are: (1) open coding, (2) axial coding and (3) selective coding (Järvinen, 2004; Strauss & Corbin, 1990).

Open coding is the analysis process of the data material. Concepts are conceptual labels which are attached to separate events and other representations of the phenomenon. Properties are characteristics which relate to a category. A category, in turn, is a classification of concepts which has been found by comparing concepts and by stating that some concepts relate to similar kinds of phenomena. Concepts are grouped under a more abstract concept of a higher degree, which is called a category (Järvinen, 2004).

The second phase of the analysis process is called axial coding. It means a group of procedures with which the categories are linked together by examining conditions, contexts, interrelationships and causality regarding the phenomenon. Axial coding includes constant alternation between inductive and deductive thinking. When the data material is studied, relationships or possible properties are deductively suggested, which are then related to the whole material and checked expression by expression. Suggesting and checking are done constantly. That way it is assured that the emerging theory is based (grounded) on the material (Strauss & Corbin, 1990).

Finally, selective coding means the search process for finding a core category, in which other categories are related to the core category, relations are validated and categories are specified if necessary. The core category is a category that centrally relates to the phenomenon and integrates other categories around it.
Throughout the analysis and proposition formulation stages of the process, intensive rotation between data, the emerging theory and earlier literature has to be sought (Strauss & Corbin, 1990).

CHAPTER FOUR
RESEARCH MODEL

As earlier stated, we do not attempt to "re-invent the wheel"; we want to ensure that the focal point of forensics is achieved in the model proposed in this work, by clearly identifying the factors that must be included in the digital forensic process to achieve it. Therefore, the grounded theory methodology is chosen to develop a suitable theoretical model for analysing these factors.

4.1 The Proposed Model

As has been noted, if previous research had identified particular variables or constructs, but no theory had been generated that speculated on the relationship between those variables or constructs (Kelleher, 2010), a grounded theory can be employed to deduce a relationship between those variables or constructs. Yunus Yusoff, Roslan Ismail and Zainuddin Hassan have identified some common phases that constitute a Generic Computer Forensic Investigation Model (GCFIM); see Table 2.2 above. This corresponds to open coding, the first of the three coding steps for analysis of our research problem using the grounded theory methodology described in chapter 3.

Moving on to the second step of the analysis, which is axial coding of the generic phases: Yunus Yusoff, Roslan Ismail and Zainuddin Hassan (Yusoff et al., 2011) also took into account the tasks performed in each of the phases, rather than relying on the actual naming alone, and it is apparent that a number of those phases do indeed duplicate or overlap each other. As shown in Table 3 above, they were able to observe that the phases can be grouped into 5 generic groupings, namely pre-process, acquisition & preservation, analysis, presentation and post-process.
In order to identify the relationship between these phases, we will press further in this work, using the third step of the analysis, that is, selective coding. This is the search process for finding a core phase amongst all digital forensic investigation phases. The core phase is a phase that centrally relates to the phenomenon and integrates other phases around it. We will commence this process by applying our methodology to Table 2.3, from the literature review above, which identified the basic processes of the Generic Computer Forensic Investigation Model. By expanding Table 2.3 in relation to Table 2.2, from the literature review in chapter 2, we obtain Table 4.1, which expands the phases of the Generic Computer Forensic Investigation Model (GCFIM).

Table 4.1: Phase expansion of the Generic Computer Forensic Investigation Model (GCFIM)

Generic Phase: Feasible Processes Per Phase
Pre-Process: Access, Approach Strategy, Authorization, Awareness, Notification, Planning, Pre-Analysis, Preparation, Readiness, Recognition.
Acquisition & Preservation: Acquisition, Collection, Deployment, Detection, Identification, Pre-Analysis, Preservation, Search & Identify, Transport & Storage.
Analysis: Analysis, Case Specific Analysis, Chronology Timeline Analysis, Detection, Digital Crime Investigation, Dynamite, Evaluation, Examination, Hypothesis creation, Individualization, Internet Investigation, Investigation, Physical Crime Investigation, Reconnaissance, Reconstruction, Search & Identify, Traceback, Triage, User Usage Profile Investigation.
Presentation: Admission, Post-Analysis, Presentation, Proof & Defense, Report.
Post-Process: Archive Storage, Dissemination of Information, Incident Closure, Incident Response, Returning Evidence, Review.

By critical examination of Table 4.1 above, the generic phases take on meaning and connection if we consider the feasible processes per phase.
Should, or can, the Pre-Process phase commence with or without an investigation in sight? It is observed that the Pre-Process phase has processes that are carried out as the investigation commences. The processes Access, Approach Strategy, Authorization, Awareness, Notification, Planning, Pre-Analysis, Preparation and Recognition all suggest that an investigation is in sight for them to commence. However, the process Readiness suggests that it can be carried out with or without a digital forensic investigation in sight at the moment. Forensic Readiness, alternatively cited as proactive digital forensics (P. G. Bradford, M. Brown, Perdue, & Self, 2004), ensures that a system that has digital forensic readiness integrated into it is better positioned to guarantee digital evidence preservation, as the system will be ready to support evidence acquisition and preservation, unlike a system that is not ready. This Readiness Phase is indeed an ongoing phase throughout the lifecycle of an organization. It also consists of 2 sub-phases, namely Operation Readiness and Infrastructure Readiness (Carrier & Spafford, 2003). This approach is in tandem with the fact that each phase of a digital forensic model should be structured such that it solves a problem, or problems, consistently and continuously. Mark Pollitt highlighted in (Pollitt, 2007) that digital forensics is not an elephant; it is a process, and not just one process, but a group of tasks and processes in the investigation. Consequently, since Readiness is the only one of the Pre-Process processes that stands out as a continuous and constant process with or without an investigation in view, we have decided to separate it out of the Pre-Process phase, in order to further examine the possibility of it being a phase of its own in a digital forensic investigation (DFI).
Forensic Readiness is the ability of an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation (Murphy, 2006). Also, readiness ensures the proactive establishment of the capability to securely gather scientifically and legally admissible evidence, and as well puts in place a sound legal review to facilitate action in response to an incident. This enhances the timely commencement of the other Pre-Process processes. When this capability is built into a model, it ensures that not just a technical model has been established for a DFI but also a legally sound model, which keeps too many hands off the evidence and alleviates any chain of custody concerns while ensuring minimal disruption to the business in the event of an incident. After all, the actual purpose and core concept of a digital forensics investigation is the acquisition, preservation and presentation of legally admissible evidence.

Likewise, given the need to extend non-digital concepts (legal, accreditation, etc.) to the digital domain, models that originate from non-technical sources such as the legal field, but have a strong input into a digital forensic investigation in proving the eventual evidence, must be actively considered when formulating a model for it to be truly considered generic. We considered the Zachman framework derivative, the FORensics ZAchman framework (FORZA), a technology-independent digital forensics investigation framework which binds roles, responsibilities and procedures together. The entire process flow is described in the figure below. We considered this particular model due to its coverage.

Figure 4.1: Process flow between the roles in digital forensics investigation (Ieong, 2006).

Through this framework, different standards and procedures could be linked together in a more holistic way. Digital forensics investigation is no longer viewed from purely technical aspects.
Business, system and legal aspects are incorporated.

4.2. Most Important Factors in a Digital Forensic Model

From the further examination above, we were able to summarise that there are some major factors which, if not handled properly, could mar the whole process of executing a successful Digital Forensic Investigation (DFI). These factors are: Legal Issues, Technical Issues, Administrative Issues and Cost.

Of the four (4) most important factors in executing a successful DFI, as noted above, the survey we conducted amongst DF practitioners reveals, interestingly, that Technical, Administrative and Cost issues have the same percentage of importance. Meanwhile, Legal issues are observed to be the most important. This outcome has answered our research objective, which is to identify the key factors that a Digital Forensic Process Model must have to ensure that the digital evidence involved is preserved.

Figure 4.2: Most Important Factors in a Digital Forensic Model

4.2.1 Cost

Cost is very critical, especially in developing nations like Nigeria, where several other items on the national agenda seem to be more pressing and Digital Forensics has not been fully institutionalized. This cost could be the cost of hardware, software, training, certifications, time, hiring personnel and infrastructure, even though the eventual result may not justify the cost involved. Thus DFI models must be cost effective.

4.2.2 The Administration

Administration means getting through administrative bottlenecks, obtaining approval and dealing with bureaucracy as DF investigators probe into an organization or system under investigation. Also, getting the administrator of DF investigators to acquire updated or additional tools for DF investigations can be challenging, as the cost and annual subscription fees for the tools that are needed are not getting any cheaper.
The exception is deciding to go the way of open source tools, which may not be adequate to be used on their own to collect, preserve and analyse digital evidence. These administrative issues can halt or delay a digital forensic process if not carefully handled, or, more importantly, affect the quality of the evidence to be presented at the end of the investigation. Thus DFI models must be DF ready, so that this issue is addressed even before the initiation of an investigation.

4.2.3 Technical Issues

Technical issues reflect the fact that the rate of technological innovation is faster than the pace of evolution of digital forensic models. Thus, models should be reviewed and implemented in line with technological advancement.

4.2.4 Legal Issues

Legal issues are very germane to the successful execution of a DF investigation. Simson L. Garfinkel reported that "legal challenges increasingly limit the scope of forensic investigations" as well as "a variety of legal challenges are combining to make the very process of computer forensics more complicated, time consuming, and expensive" (Garfinkel, 2010).

How should a Digital Forensic process be structured and executed to ensure that digital evidence is preserved? Digital Forensic processes are to be structured to allow connections and quick reviews in each process step, as well as adaptability and flexibility of the process to changing technological platforms.

4.3 Enhanced Generic Digital Forensic Investigation Model (EGDFIM)

An Enhanced Generic Digital Forensic Investigation Model (EGDFIM) is hereby proposed. It is presented in Figure 4.3 below.

Figure 4.3: Enhanced Generic Digital Forensic Investigation Model (EGDFIM)

The first phase of the Enhanced Generic Digital Forensic Investigation Model (EGDFIM) is Readiness. This phase is a proactive phase.
The activities involved in this phase include setting up both personnel and technological systems to: identify possible situations in which evidence is required; recognize sources of evidence; collect information; preserve the gathered information; plan the response; train personnel and delegate roles; ensure effective information retrieval to fast-track investigation; prevent anonymous activities; and protect the evidence. The Readiness Phase being introduced as the first phase is an enhancement to the previously described phases of the Generic Computer Forensic Investigation Model (GCFIM) proposed by Yunus Yusoff, Roslan Ismail and Zainuddin Hassan. When an incident is reported and a DFI is to commence, it affords the benefit of having a means of acquiring and preserving evidence, in a way that is legally admissible, pre-collected even before an incident occurs or is reported, since in executing the Readiness Phase the legal advisor would have given his/her legal advice and determined which range of evidence would be required to initiate or defend litigation. If the readiness phase can meet the needs of the earlier stages of an investigation, time and expenses can be reduced. If it is not sufficient, the investigator can then concentrate more on seeking data from the devices that are relevant to the dispute. Forensic readiness planning ensures legal issues do not hamper future investigations. The Pre-Process, Acquisition & Preservation, Analysis, Presentation and Post-Process Phases have been described earlier in chapter two.

Is it possible to have a Consolidated Digital Evidence Preservation Framework that can fit into any Digital Forensic Model? Yes, if the model is not rigid: if the model is generic, allows for quick reviews and is not cumbersome.
Taking a cue from Software Engineering: back in the 1970s, 'Software Engineering' was thought to be about fairly large development models in projects with unchanging phases, and a relative lack of concern about cost efficiency. However, software development today is very different. Rapid prototyping (short bursts of work, followed by reviews) took over, but even that has been modified, and seemingly occasionally also improved on.

4.4 Applying the EGDFIM Model

We tested the validity and applicability of the EGDFIM Model on a data alteration fraud in a Data Processing Center. A student's record was altered, in which scores were credited in two courses he had previously failed. The department discovered this alteration and raised the alarm. Though, prior to this incident, there had been speculation about attempts to alter students' records unlawfully, there had not been a formal report in this regard. However, the Readiness Phase had put in place:
1. Windows Active Directory login on all computers in the Data Center.
2. Authorization to alter records was restricted to a few supervisors only.
3. For every alteration made on a student record, the database keeps a log of the user that executed the alteration.
4. Physical security was put in place to prevent unauthorized personnel from entering the Data Center.

All the above readiness measures were carried out with or without a digital forensic investigation in sight at the moment. These actions were more of a broad systemic step rather than a narrow preparation for a particular incident.

When awareness and notification of the incident came up, the Pre-Process Phase was initiated. This phase ensured:
1. An investigation panel was set up with the authorisation of the Head of the Data Center, the Department Head and the organisation's Central Investigation Unit.
2. An approach strategy was drafted.
3. Plans were developed according to the pre-analysis of the incident.
4.
All possible evidence sources were then recognized.

Note that the Pre-Process phase is narrowed towards a particular incident. The pre-analysis of the incident, from the log on the server, revealed that the login details of a particular male staff member of the Data Center were responsible for the alteration. Hence, the accused male staff member was investigated for a start.

This phase was followed quickly by the Acquisition & Preservation Phase, which included:
1. Search and identification of digital evidence from the computer of the male staff member and the server, and of non-digital evidence from the personnel of the Data Center. On scanning the desktop of the male staff member, a PDF showing the records that were altered was discovered in the Recycle Bin, with its "Date Modified" being the same date on which the server also reported that the alteration was done.
2. The discovered PDF should not be restored, as this would change the "Date Modified" of the PDF file and thus destroy the legal admissibility of the evidence; hence, a mechanism to collect the evidence and preserve it was deployed.
3. Transportation of the digital evidence found on the computer that was logged into and used to alter the record, as tracked by the Windows Active Directory server.
4. Storage of the evidence in such a way that its legal admissibility is not lost.

The Analysis Phase then followed, with:
1. User Usage Profile Investigation.
2. Legal and technical analysis of the evidence acquired thus far, to determine the actual culprits.
3. Chronology Timeline Analysis, Traceback and Reconstruction of the incident.
4. Case Specific Analysis and Hypothesis creation.
5. Evaluation and determining if further evidence is required.

The evidence of the generated PDF found in the Recycle Bin, together with other digital and non-digital sources, was analysed accordingly.
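The Acquisition & Preservation step above turns on not altering the recovered PDF's "Date Modified". The following is an added Python example, not code from the thesis or from the Data Center in the case study, showing how an examiner can record a file's timestamps and SHA-256 hash before touching it, copy it with timestamps preserved, and verify the copy later; the file name, case id and examiner name are constructed placeholders.

```python
"""Evidence preservation record for a recovered file (added example).

Records metadata and a SHA-256 hash before the file is moved, copies it with
its timestamps preserved, and verifies the copy later. File name, case id and
examiner name are constructed placeholders, not values from the case study."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large evidence files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def preservation_record(path, case_id, examiner):
    """Snapshot the original's metadata, then hash it.

    os.stat is taken before the file is opened: reading a file can update its
    last-access time, and the record must describe the file as it was found."""
    st = os.stat(path)

    def iso(ns):
        return datetime.fromtimestamp(ns / 1e9, timezone.utc).isoformat()

    return {
        "case_id": case_id,
        "examiner": examiner,
        "source_path": os.path.abspath(path),
        "size_bytes": st.st_size,
        "mtime_ns": st.st_mtime_ns,        # "Date Modified" exactly as found
        "mtime_utc": iso(st.st_mtime_ns),
        "atime_utc": iso(st.st_atime_ns),
        "sha256": sha256_of(path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify(record):
    """Return (hash_ok, mtime_ok) for the stored copy against the record."""
    st = os.stat(record["copy_path"])   # stat first, for the same reason as above
    mtime_ok = st.st_mtime_ns == record["mtime_ns"]
    hash_ok = sha256_of(record["copy_path"]) == record["sha256"]
    return hash_ok, mtime_ok


def acquire(src, evidence_dir, case_id, examiner):
    """Copy src into evidence_dir, keeping its timestamps, and verify the copy."""
    record = preservation_record(src, case_id, examiner)
    dest = os.path.join(evidence_dir, os.path.basename(src))
    shutil.copy2(src, dest)             # copy2 carries mtime/atime along with the data
    record["copy_path"] = dest
    record["copy_verified"] = verify(record) == (True, True)
    return record


def naive_restore_changes_mtime(src, restore_dir):
    """Show why the PDF must not simply be 'restored': a plain copy gets a new mtime."""
    dest = os.path.join(restore_dir, os.path.basename(src))
    shutil.copyfile(src, dest)          # data only; metadata is not carried over
    return os.stat(dest).st_mtime_ns != os.stat(src).st_mtime_ns


def run_demo():
    """Build a constructed sample 'PDF', acquire it, then tamper with the copy."""
    work = tempfile.mkdtemp(prefix="egdfim_demo_")
    src = os.path.join(work, "altered_records.pdf")     # constructed sample file
    with open(src, "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample, not a real student record\n")
    found_mtime = 1_400_000_000         # constructed "Date Modified" (May 2014)
    os.utime(src, ns=(found_mtime * 10**9, found_mtime * 10**9))
    evidence_dir = os.path.join(work, "evidence")
    restore_dir = os.path.join(work, "restored")
    os.makedirs(evidence_dir)
    os.makedirs(restore_dir)

    record = acquire(src, evidence_dir, "CASE-PLACEHOLDER", "examiner-placeholder")
    before = verify(record)
    restored_differs = naive_restore_changes_mtime(src, restore_dir)
    with open(record["copy_path"], "ab") as fh:     # simulate tampering with the copy
        fh.write(b"x")
    after = verify(record)
    return {
        "copy_verified": record["copy_verified"],
        "verify_before": before,
        "naive_restore_changes_mtime": restored_differs,
        "verify_after_tamper": after,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```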
The Presentation Phase followed the Analysis Phase; the reports of the analysis were presented to the investigation sponsor. The Presentation Phase was then followed by the Post-Process Phase, which archived the evidence collected, returned the computer on which the digital evidence was found, dismissed the culprit from the organization, disseminated the necessary information regarding the closure of this incident, and reviewed the incident, with due checks on the phases used to investigate it, to ensure that they were in tandem with best practices and organizationally and legally admissible. The outcome of these reviews was integrated into the Readiness Phase for the organization. Thus, we see that the EGDFIM Model is a continuum with phases that are subject to review, rather than a rigid straight-through process. It was also noted that the stages of the EGDFIM form a technically independent framework, as the various personnel and concerned bodies involved in the stages of the model could easily understand and relate to the activities therein without losing sight of the actual purpose and core concept of a digital forensics investigation.

CHAPTER FIVE
DISCUSSIONS AND CONCLUSIONS

The Enhanced Generic Digital Forensic Investigation Model (EGDFIM) proposed in this work can robustly fit in and consistently resolve any digital forensic search for digital evidence. This model is also abstracted to accommodate application to current and future digital technologies, as well as incorporating steps to assure complete interpretation and presentation of the evidence collected; a great need for members of the judiciary and corporate management, for just and effective decisions. Howbeit, with further implementation and evaluation, the EGDFIM framework will be suitable for cyber and emerging cloud-computing crime investigation, and it is practically applicable in Nigeria.
Also, as a follow-up to this proposed model, we propose to start incorporating the framework questions together with the necessary workflow into an intelligence data acquisition script generator. Using this model, questions and answers in a digital forensics investigation could be systematically simulated. Then, based on the analysis of the simulation, scripts would be tuned to assist digital forensic investigators, legal practitioners and law enforcement agents in the semi-automatic analysis of digital forensic investigations. With these automatic scripts, investigators can perform fast and zero-knowledge digital forensic acquisition and analysis. Thus, the Enhanced Generic Digital Forensic Investigation Model (EGDFIM) will be formulated as a semi-automatic investigation toolbox.

In summary, for Digital Forensics to be a true panacea for evidence preservation:
1. An effective digital forensic process must be used,
2. There must be strict compliance with the rules of evidence, and
3. A systematic follow-through of the relevant legal process should be incorporated into the digital forensic processes.

References

Ademu, I. O., Imafidon, C. O., & Preston, D. S. (2011). A new approach of digital forensic model for digital forensic investigation. (IJACSA) International Journal of Advanced Computer Science and Applications, 2(12).
Baryamureeba, V., & Tushabe, F. (2004). The enhanced digital investigation process model. Paper presented at the Proceedings of the Fourth Digital Forensic Research Workshop.
Beebe, N. (2009). Digital forensic research: The good, the bad and the unaddressed. Advances in Digital Forensics V (pp. 17-36): Springer.
Beebe, N. L., & Clark, J. G. (2005). A hierarchical, objectives-based framework for the digital investigations process. Digital Investigation, 2(2), 147-167.
Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2), 1-20.
Casey, E. (2009). Handbook of digital forensics and investigation: Academic Press.
Ciardhuain, S. (2011). An extended model of cybercrime investigation. Accessed on 20th October 2011. Available (online): www.ijde.org/citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.80. Accessed on 11th August.
Corbin, J., & Strauss, A. (2008). Basics of qualitative research: Techniques and procedures for developing grounded theory: Sage.
Crim, J. (2006). Digital Forensics: Tools & Identification. Retrieved July, 2013, from http://www.vascan.org/webdocs/06confdocs/Day1-TechnicalTrackDONE/CrimJesseDigital%20Forensics.pdf
Freiling, F. C., & Schwittay, B. (2007). A Common Process Model for Incident Response and Computer Forensics. IMF, 7, 19-40.
Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64-S73.
Gingrande, A. (2013). The Long-term Preservation of Digital Evidence. Retrieved July, 2014, from http://www.cnblogs.com/ysun/archive/2013/04/09/3010345.html
Ieong, R. S. C. (2006). FORZA – Digital forensics investigation framework that incorporate legal issues. Elsevier, 3S (2006), S29–S36.
Järvinen, P. J. (2004). Annikki (2004) Tutkimustyön metodeista. Opinpajan kirja, Tampere.
John, J. L. (2012). Digital Forensics and Preservation. Digital Preservation Coalition.
Kaur, R., & Kaur, A. (2012). Digital forensics. International Journal of Computer Applications, 50(5), 5-9.
Kelleher, K. (2010). Grounded Theory Research Tutorial. Retrieved September, 2013, from http://researchcenter.waldenu.edu/Documents/Grounded_Full_Captions.pdf
Köhn, M., Olivier, M. S., & Eloff, J. H. (2006). Framework for a Digital Forensic Investigation. Paper presented at the ISSA.
Losavio, M. (2010). What Is Digital Evidence: The Forms, Loci And Metadata Of Electronic Evidence. THE SCIENCE OF DIGITAL FORENSICS, 5.
Mäkelä, M. M., & Turcan, R. V. (2007). Building Grounded Theory in Entrepreneurship Research: Edward Elgar Publishing.
Murphy, J. (2006).
Forensic readiness. Dexisive, Accessed, 201003(06).
NIJ. (2010). Digital Evidence Analysis Tools. Retrieved July, 2014, from http://www.nij.gov/nij/topics/forensics/evidence/digital/analysis/welcome.htm
Nikkel, B. J. (2006). The role of digital forensics within a corporate organization. Paper presented at the May 2006 IBSA Conference, Vienna.
Palmer, G. (2001). A road map for digital forensics research: report from the first Digital Forensics Research Workshop (DFRWS). Utica, New York.
Perumal, S. (2009). Digital forensic model based on Malaysian investigation process. International Journal of Computer Science and Network Security, 9(8), 38-44.
Pollitt, M. M. (1995). Computer Forensics: An Approach to Evidence in Cyberspace. Paper presented at the National Information Systems Security Conference, Baltimore, USA.
Pollitt, M. M. (2007). An ad hoc review of digital forensic models. Paper presented at the Second International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE 2007).
Reith, M., Carr, C., & Gunsch, G. (2002a). An examination of digital forensic models. International Journal of Digital Evidence, 1(3), 1-12.
Reith, M., Carr, C., & Gunsch, G. (2002b). An Examination of Digital Forensic Models. International Journal of Digital Evidence, Fall 2002: Volume.
Remenyi, D. (1998). Doing research in business and management: an introduction to process and method: Sage.
Rogers, M. K., Goldman, J., Mislan, R., Wedge, T., & Debrota, S. (2006). Computer forensics field triage process model. Journal of Digital Forensics, Security and Law, 1(2), 19-37.
Sommer, P. (2012). Digital Evidence, Digital Investigations and E-Disclosure: A Guide to Forensic Readiness for Organisations, Security Advisers and Lawyers. Information Security Guide.
Strauss, A., & Corbin, J. M. (1990). Basics of qualitative research: Grounded theory procedures and techniques: Sage Publications, Inc.
Vacca, J. R. (2005).
Computer Forensics: Computer Crime Scene Investigation (Networking Series): Charles River Media, Inc.
Walker, C. (2007). Computer forensics: bringing the evidence to court. Online: http://www.infosecwriters.com/text_resources/pdf/Computer_Forensics_to_Court.pdf as on, 12.
Wikipedia. (2014). Forensic Science. Retrieved 4 April, 2014, from http://en.wikipedia.org/wiki/Forensic_science
Yusoff, Y., Ismail, R., & Hassan, Z. (2011). Common phases of computer forensics investigation models. International Journal of Computer Science & Information Technology (IJCSIT), 3(3), 17-31.