Cybercrime Post-Incident Leadership Model

Cybercrimes are facts of the modern technological society. While extant literature proposes a variety of prescriptive practices to combat cybercrimes, there is scant research to address how organizational leaders should minimize the impact of cybercrimes on their companies and the community after they have occurred. This study addresses the steps leaders should take in the aftermath of cybercrimes and proposes a four-stage leadership model consisting of best practices to guide leaders in preparing, responding, and recovering from a digital or cybersecurity attack

Reliability assessment of digital forensic investigations in the Norwegian police

This case study presents a qualitative assessment of the reliability of digital forensic investigation in criminal cases in Norway. A reliability validation methodology based on international digital forensic standards was designed to assess to what extent those standards are implemented and followed by law enforcement in their casework. 124 reports related to the acquisition, examination, and analysis of three types of digital data sources - computers, mobile phones, and storage devices were examined. The reports were extracted from the criminal case management system used by the police and prosecution services. The reports were examined on technology, method, and application level in order to assess the reliability of digital evidence for criminal proceedings. The study found that digital forensic investigation in 21 randomly sampled criminal cases in Norway were insufficiently documented to assess the reliability of the digital evidence. It was not possible to trace the digital forensic actions performed on each item or link the digital evidence to its source. None of the cases were shown to comply with digital forensic methodology, justify the methods and tools used, or validate tool results and error rates

The Standardised Digital Forensic Investigation Process Model (SDFIPM)

The field of digital forensics still lacks formal process models that courts can employ to determine the reliability of the process followed in a digital investigation. The existing models have often been developed by digital forensic practitioners, based on their own personal experience and on an ad-hoc basis, without attention to the establishment of standardisation within the field. This has prevented the institution of the formal processes that are urgently required. Moreover, as digital forensic investigators often operate within different fields of law enforcement, commerce and incident response, the existing models have often tended to focus on one particular field and have failed to consider all the environments. This has hindered the development of a generic model that can be applied in all the three stated fields of digital forensics. To address these shortcomings, this paper makes a novel contribution by proposing the Advanced Investigative Process Model (the SDFIPM) for Conducting Digital Forensic Investigations, encompassing the ‘middle part’ of the digital investigative process, which is formal in that it synthesizes, harmonises and extends the existing models, and which is generic in that it can be applied in the three fields of law enforcement, commerce and incident response

The Comprehensive Digital Forensic Investigation Process Model (CDFIPM) for Digital Forensic Practice

Nowadays, as a result of the ubiquitous nature of information technology, evidence presented in court is less likely to be on paper. Evidence of computer crime also differs from that related to traditional crimes for which there are well established standards and procedures. In order for digital evidence to be admissible, investigators need to demonstrate that they have specialised knowledge and have applied reliable principles and models to acquire it. Careful notice is taken in court of the manner in which the digital investigative process has been carried out. However, despite such requisites, the field of digital forensics still lacks formal process models that courts can employ to determine the reliability of the process followed in a digital investigation. The existing models have often been developed by digital forensic practitioners, based on their own personal experience and on an ad-hoc basis, without attention to the establishment of standardisation within the field. This has prevented the institution of the formal processes that are urgently required. Moreover, as digital forensic investigators often operate within different fields of law enforcement, commerce and incident response, the existing models have often tended to focus on one particular field and have failed to consider all environments. This has hindered the development of a generic model that can be applied in all the different fields of digital forensics. In addition, the existing models often capture only one part of the investigative process as opposed to the entire process. To address these shortcomings, this research makes a novel contribution by proposing a Comprehensive Digital Forensic Investigation Process Model (the CDFIPM), encompassing the entire digital investigative process, which is formal 1 in that it synthesizes, harmonises and extends the existing models, and which is generic in that it can be applied in the three stated fields of digital forensics. The methodology used to carry out this research is the Design Science Research widely adopted in the domain of Information Systems on the basis that it is suitable for the design and development of novel artefacts and the analysis of the performance or use of such artefacts. The Peffers et al’s (2006) Design Science Research Process model is followed during the course of this research as the appropriate selection of the Design Science Research on the basis that it is inclusive of the common elements of the previous Design Science Research studies. Existing models are critically reviewed and assessed against three different assessment criteria including: Beebe and Clark’s four-point requirement, Carrier and Spafford’s fivepoint requirement and the Daubert Test. The result of the model assessment reveals that there does not exist a model that has all the three characteristics of being “comprehensive”, “formal” and “generic”. However, through the model assessment, some models are identified that can contribute to the design and development of the proposed model. Following identification of the prevailing models, their key contributions are determined based on the assessment criteria, and the necessary components for the new model are then identified. A new set of domain-specific components is then developed in addition to the already identified components. Following identification of the necessary components and the newly developed set of domain-specific components, the outcome of the design and development stage is the proposed Comprehensive Digital Forensic Investigation Process Model, the stages of which are represented through the use of the UML Activity Diagrams. Based upon the selected methodology (the DSRP), the CDFIPM is tested through both the Demonstration and Evaluation activities. The Demonstration activity involves applying the model into various cases studies and performing a walkthrough of the model, as well as conducting a forensic laboratory experimentation. The Evaluation stage involves the independent verification and validation of the model by its intended user community, including digital forensic investigators operating within the three fields of relevance for this research, namely law enforcement, commerce and incident response, as well as experts in the domain of digital forensics, legal practitioners, a judge and researchers in both academia and industry. After feeding the results of the Evaluation stage back into the CDFIPM’s design and development stage, the model is amended accordingly

A Framework for the Systematic Evaluation of Malware Forensic Tools

Following a series of high profile miscarriages of justice linked to questionable expert evidence, the post of the Forensic Science Regulator was created in 2008 with a remit to improve the standard of practitioner competences and forensic procedures. It has since moved to incorporate a greater level of scientific practice in these areas, as used in the production of expert evidence submitted to the UK Criminal Justice System. Accreditation to their codes of practice and conduct will become mandatory for all forensic practitioners by October 2017. A variety of challenges with expert evidence are explored and linked to a lack of a scientific methodology underpinning the processes followed. In particular, the research focuses upon investigations where malicious software (‘malware’) has been identified. A framework, called the ‘Malware Analysis Tool Evaluation Framework’ (MATEF), has been developed to address this lack of methodology to evaluate software tools used during investigations involving malware. A prototype implementation of the framework was used to evaluate two tools against a population of over 350,000 samples of malware. Analysis of the findings indicated that the choice of tool could impact on the number of artefacts observed in malware forensic investigations as well as identifying the optimal execution time for a given tool when observing malware artefacts. Three different measures were used to evaluate the framework. The first of these evaluated the framework against the requirements and determined that these were largely met. Where the requirements were not met these are attributed to matters either outside scope or the fledgling nature of the research. Another measure used to evaluate the framework was to consider its performance in terms of speed and resource utilisation. This identified scope for improvement in terms of the time to complete a test and the need for more economical use of disk space. Finally, the framework provides a scientific means to evaluate malware analysis tools, hence addressing the Research Question subject to the level at which ground truth is established. A number of contributions are produced as the output of this work. First there is confirmation for the case for a lack of trusted practice in the field of malware forensics. Second, the MATEF itself, as it facilitates the production of empirical evidence of a tool’s ability to detect malware artefacts. A third contribution is a set of requirements for establishing trusted practice in the use of malware artefact detection tools. Finally, empirical evidence that supports both the notion that the choice of tool can impact on the number of artefacts observed in malware forensic investigations as well as identifying the optimal execution time for a given tool when observing malware artefacts

Integrating Behavioural Analysis within the Digital Forensics Investigation Process

This programme of research focused on incorporating Behavioural Analysis (BA) within the digital forensics investigation process. A review of previously developed digital forensics investigation models indicated a lack of sufficient consideration of the behavioural and motivational dimensions of offending, and the way in which digital evidence can be used to address these issues during the investigation process. This programme of research aimed to build on previous work by scientific researchers and investigators by developing a digital forensics investigation model which incorporates greater consideration of the behavioural and motivational implications of case-related digital evidence based on current theoretical understandings of these aspects of offending from forensic psychology. This can aid with understanding of the crime events and reconstruction, and lead to the development of more detailed models and guidelines for examining computer-facilitated interpersonal crimes. The first study employed an abductive approach to forensically analyse individual cases (real cases obtained from the Dubai Police archives) applying BA to the online Sexually Exploitative Imagery of Children (SEIC) and cyberstalking. Its aim was to investigate what BA could contribute to the digital forensics investigation of cases within these crime categories. It identified five benefits: (1) providing focus, speed and investigative directions, (2) inferring victim/offender behaviours, (3) inferring offender motivation(s), (4) identifying potential victims, and (5) eliminating suspects. This was followed by a survey study empirically examining the perceptions of national and international digital forensics practitioners regarding the use and utility of BA during the process of investigating SEIC and cyberstalking cases. The results indicated that while the majority believed that BA has potential to contribute to many aspects of digital forensics investigations, their daily investigative activities involved a limited use of this technique. The implications of the study were outlined, and emphasised the need to design a digital forensics investigation model that provides guiding steps and illustrations on how to utilise BA in digital forensics investigations. Based on the findings from the conducted studies, a digital forensics investigation model that incorporates aspects of BA was designed. It aimed to provide a pragmatic, structured, multidisciplinary approach to performing a post mortem examination, analysis, and interpretation of the content of the digital devices associated with computer-facilitated interpersonal crimes. Two comprehensive case studies were also used to illustrate the investigative importance of the model in investigating computer-facilitated interpersonal crimes

Integrated Computer Forensics Investigation Process Model (ICFIPM) for Computer Crime Investigations

Contrary to traditional crimes for which there exists deep-rooted standards, procedures and models upon which courts of law can rely, there are no formal standards, procedures nor models for digital forensics to which courts can refer. Although there are already a number of various digital investigation process models, these tend to be ad-hoc procedures. In order for the case to prevail in the court of law, the processes followed to acquire digital evidence and terminology utilised must be thorough and generally accepted in the digital forensic community. The proposed novel process model is aimed at addressing both the practical requirements of digital forensic practitioners and the needs of courts for a formal computer investigation process model which can be used to process the digital evidence in a forensically sound manner. Moreover, unlike the existing models which focus on one aspect of process, the proposed model describes the entire lifecycle of a digital forensic investigation