
    Testing and Evaluating The Harmonised Digital Forensic Investigation Process in Post Mortem Digital Investigation

    Existing digital forensic investigation process models have provided guidelines for identifying and preserving potential digital evidence captured from a crime scene. However, for any of the digital forensic investigation process models developed across the world to be adopted and fully applied by the scientific community, it has to be tested. For this reason, the Harmonized Digital Forensic Investigation Process (HDFIP) model, currently a working draft towards becoming an international standard for digital forensic investigations (ISO/IEC 27043), needs to be tested. This paper, therefore, presents the findings of a case study used to test the HDFIP model implemented in the ISO/IEC 27043 draft standard. The testing and evaluation process uses an anonymised real-life case to test each subprocess (grouped in classes) of the HDFIP model to show that it maintains a structured and precise logical flow that aims to provide acceptance, reliability, usability, and flexibility. The case study used also helps to analyse the effectiveness of the HDFIP model to ensure that the principles of validity and admissibility are fulfilled. A process with these properties would reduce the disparities within the field of digital forensic investigations and achieve global acceptance and standardization. Keywords: Digital forensics (DF), harmonized digital forensic investigation process (HDFIP), ISO/IEC 27043, investigation process

    Significance of Semantic Reconciliation in Digital Forensics

    Digital forensics (DF) is a growing field that is gaining popularity among many computer professionals, law enforcement agencies and other stakeholders who must always cooperate in this profession. Unfortunately, this has created an environment replete with semantic disparities within the domain that need to be resolved and/or eliminated. For the purpose of this study, semantic disparity refers to disagreements about the meaning, interpretation, descriptions and the intended use of the same or related data and terminologies. If semantic disparity is not detected and resolved, it may lead to misunderstandings. Even worse, since the people involved may not be from the same neighbourhood, they may not be aware of the existence of the semantic disparities, and probably might not easily realize it. The aim of this paper, therefore, is to discuss semantic disparity in DF and further elaborate on how to manage it. In addition, this paper also presents the significance of semantic reconciliation in DF. Semantic reconciliation refers to reconciling the meaning (including the interpretations and descriptions) of terminologies and data used in digital forensics. Managing semantic disparities and the significance of semantic reconciliation in digital forensics constitute the main contributions of this paper. Keywords: Digital forensics, semantic disparity, managing semantic disparity, semantic reconciliation, significance of semantic reconciliatio

    A model for digital evidence admissibility assessment

    Riding on the tide of the current development in computing and internet technologies, criminals have transitioned to the use of computer systems and digital channels to commit crimes. This transformation of crime requires criminal justice actors to investigate, produce and present digital evidence through a process that is scientifically proven and legally admissible, but also capable of securing successful prosecutions. Even though previous efforts by criminal justice practitioners and researchers have contributed to the standardisation of digital forensics in a manner that has consolidated the scientificity of digital forensics as a forensic science, these approaches, processes and techniques have not addressed adequately the issue of admissibility of digital evidence in judicial proceedings. In other words, existing models and standards are generally investigative-focused, which has significantly ensured that digital forensics processes follow a specific scientific order. Despite these advances, the existing techno-legal dilemma pertaining to the admissibility of digital evidence in judicial proceedings remains unresolved. In order to address this techno-legal dilemma, the thesis presents a Harmonised Model for Digital Evidence Admissibility Assessment (HM-DEAA), a model that integrates both technical and legal determinants to establish digital evidence admissibility in judicial proceedings. In order to operationalise the HM-DEAA, this research introduces an algorithm to assess digital evidence admissibility and to determine the evidential weight of a piece of digital evidence, which is tendered in a court of law. This algorithm has been tested on both hypothetical and real cases as part of the HM-DEAA’s evaluation for its potential use in legal proceedings. In addition, an expert system has been introduced to automate the operationalization of the HM-DEAA. 
In practice, the HM-DEAA framework is expected to provide a harmonised techno-legal foundation for assessing digital evidence admissibility in the criminal justice sector. The model is expected to be used primarily by judges as a judicial tool in legal proceedings. The expert system is also expected to serve as an assessment tool for investigators, prosecutors and defence lawyers to evaluate digital evidence with regard to its potential use in court. Thesis (PhD)--University of Pretoria, 2018. Computer Science. PhD. Unrestricte

    Up-dating investigation models for smart phone procedures

    The convergence of services in Smart Technologies such as iPhones, Androids and multiple tablet work surfaces challenges the scope of any forensic investigation to include cloud environments, devices and service media. The analysis of current investigation guidelines suggests that each element in an investigation requires an independent procedure to assure the preservation of evidence. However we dispute this view and review the possibility of consolidating current investigation guidelines into a unified best practice guideline. This exploratory research proposes to fill a gap in digital forensic investigation knowledge for smart technologies used in business environments and to propose a better way to approach smart technology investigations

    Digital Forensic Readiness in Organizations: Issues and Challenges

    With the evolution in digital technologies, organizations have been forced to change the way they plan, develop, and enact their information technology strategies. This is because modern digital technologies do not only present new opportunities to business organizations but also a different set of issues and challenges that need to be resolved. With the rising threats of cybercrimes, for example, which have been accelerated by the emergence of new digital technologies, many organizations as well as law enforcement agencies globally are now erecting proactive measures as a way to increase their ability to respond to security incidents as well as create a digital forensic ready environment. It is for this reason that, this paper presents the different issues and challenges surrounding the implementation of digital forensic readiness in organizations. The main areas of concentration will be: the different proactive measures that organizations can embrace as a way to increase the ability to respond to security incidents and create a digital forensic ready environment. However, the paper will also look into the issues and challenges pertaining to data retention and disposition in organizations which may also have some effects on the implementation of digital forensic readiness. This is backed up by the fact that although the need for digital forensics and digital evidence in organizations has been explored, as has been the need for digital forensic readiness within organizations, decision-makers still need to understand what is needed within their organizations to ensure effective implementation of digital forensic readiness

    Mobile bullying : investigating the non-technical factors that influence forensic readiness in township schools in South Africa

    The increasing use of mobile devices by high school learners has resulted in increased networking activities for learners who take advantage of opportunities presented by mobile technologies. Mobile technology continues to play a key role in facilitating online interactions amongst South African youth, and some learners use mobile technology to enhance their learning capabilities. However, such electronic operations have also presented new risks particularly in the developing countries where online bullying is on the rise and investigations of such incidents or threats are expensive. Mobile bullying and lack of discipline of bullies, for instance, are major concerns in the society at large. To control these incidents, learners and teachers need to know what to do when incidents arise. The process of digital forensic investigation is typically left for those specialising in the field of digital forensics. Those responsible for learner's safety in schools are often faced with situations where they have to perform basic investigations or preserve evidence for incident escalation to the specialists. However, schools often do not prepare themselves well enough for the challenges relating to mobile bullying. They find themselves not knowing where to start or how to preserve evidence. Digital forensic investigations are even more challenging in school settings because of the dynamic nature of these environments. While studies have been conducted in the developed countries, little is still known about how schools in the developing world, for instance South Africa, may handle mobile bullying. Very little is known about how schools in the developing countries may maximise their potential to use digital evidence while minimising the impact resulting from the incident. There is limited guidance on how to be digital forensic ready in schools where teachers, learners, principals, and other role players are not trained well enough to deal with mobile bullying. 
The objective of this study was to provide insight into factors that enhance the non-technical forensic readiness program in township schools and the ability of teachers to investigate mobile bullying incidents. The study aimed at employing concepts of forensic readiness to ignite schools' ability to prepare for response to mobile bullying incidents and create a digital forensic ready learning environment. The study was conducted in South Africa, Limpopo and North West provinces. Five schools agreed to participate in this study; eighty-two valid responses were obtained from teachers. The study followed mixed methods approach to the theory

    Detecting Slow DDos Attacks on Mobile Devices

    Denial of service attacks, distributed denial of service attacks and reflector attacks are well known and documented events. More recently these attacks have been directed at game stations and mobile communication devices as strategies for disrupting communication. In this paper we ask, How can slow DDos attacks be detected? The similarity metric is adopted and applied for potential application. A short review of previous literature on attacks and prevention methodologies is provided and strategies are discussed. An innovative attack detection method is introduced and the processes and procedures are summarized into an investigation process model. The advantages and benefits of applying the metric are demonstrated and the importance of trace back preparation discussed

    Evaluation of Integrated Digital Forensics Investigation Framework for the Investigation of Smartphones Using Soft System Methodology

    The handling of digital evidence can become an evidence of a determination that crimes have been committed or may give links between crime and its victims or crime and the culprit. Soft System Methodology (SSM) is a method of evaluation to compare a conceptual model with a process in the real world, so deficiencies of the conceptual model can be revealed thus it can perform corrective action against the conceptual model, thus there is no difference between the conceptual model and the real activity. Evaluation on the IDFIF stage is only done on a reactive and proactive process stages in the process so that the IDFIF model can be more flexible and can be applied on the investigation process of a smartphone