Professional Documents
Culture Documents
SLR - The Proactive and Reactive Digital Forensics
SLR - The Proactive and Reactive Digital Forensics
Abstract. Recent papers have urged the need for new forensic techniques and
tools able to investigate anti-forensics methods, and have promoted automation
of live investigation. Such techniques and tools are called proactive forensic
approaches, i.e., approaches that can deal with digitally investigating an
incident while it occurs. To come up with such an approach, a Systematic
Literature Review (SLR) was undertaken to identify and map the processes in
digital forensics investigation that exist in literature. According to the review,
there is only one process that explicitly supports proactive forensics, the multi-
component process [1]. However, this is a very high-level process and cannot
be used to introduce automation and to build a proactive forensics system. As a
result of our SLR, a derived functional process that can support the
implementation of a proactive forensics system is proposed.
1 Introduction
Computer crimes have increased in frequency, and their degree of sophistication has
also advanced. An example of such sophistication is the use of anti-forensics methods
as in Zeus Botnet Crimeware toolkit that can sometimes counter-act digital forensic
investigations through its obfuscation levels. Moreover, volatility and dynamicity of
the information flow in such a toolkit require some type of a proactive investigation
method or system. The term anti-forensics refers to methods that prevent forensic
tools, investigations, and investigators from achieving their goals [2]. Two examples
of anti-forensics methods are data overwriting and data hiding. From a digital
investigation perspective, anti-forensics can do the following [2]:
• Prevent evidence collection.
• Increase the investigation time.
• Provide misleading evidence that can jeopardize the whole investigation.
• Prevent detection of digital crime.
T.-h. Kim et al. (Eds.): ISA 2011, CCIS 200, pp. 87–100, 2011.
© Springer-Verlag Berlin Heidelberg 2011
88 S. Alharbi, J. Weber-Jahnke, and I. Traore
According to the literature, only a few papers have proposed a proactive digital
forensics investigation process. Some of these papers have mentioned the proactive
process explicitly, while in others the process is implicit, but all have indicated the
need for such a process.
In [6], Rowlingson stated that in many organizations , incident response team
already performs some activities of evidence collection. But he added, that the need
for collecting those evidence and preserving it in a systematic proactive approach still
an open issue.
In [2], Garfinkel implicitly suggested that in order to investigate anti-forensics,
organizations need to decide early what information to collect and preserve in a
forensically sound manner.
In [1], Grobler et al. noted that live (proactive) forensic investigations are hindered
by lack of definitions of live forensics and standard procedures in live investigations.
In addition, the authors suggested the automation and activation of evidence-
collection tools in live investigations. This automation should involve minimal user
intervention to improve the integrity of the evidence. Thus, a multi-component view
of the digital forensics investigation process has been proposed. However, it is a high-
level view of the investigation and, as such, cannot directly be operationalized to
The Proactive and Reactive Digital Forensics Investigation Process 89
create automated tools. Additionally, the process described in [2] contains phases,
such as service restoration, that lie outside the scope of the investigation.
In [3], Garfinkel summarized digital forensics investigation processes that have
been published in literature. In his summary, he stated that it would be unwise to
depend upon “audit trails and internal logs” in digital forensics investigation. In
addition, he noted that a future digital forensics investigation process will only be
possible if future tools and techniques make a proactive effort at evidence collection
and preservation.
In [4], Orebaugh emphasized that the quality and availability of the evidence
collected in the reactive stage of the investigation is more time consuming to
investigate. Conversely, the proactive stage collects only potential evidence, which is
less time consuming to investigate. In addition, a high-level proactive forensics
system is proposed as ideal. As future work, the author suggested that in order to
address anti-forensics crimes, methods should be identified to handle evidence
collection and proactive forensics investigation.
In summary, previous papers have shown the importance of a proactive digital
forensics investigation process. The proposed notion of proactiveness is, however,
still insufficient and imprecise, and more work needs to be done. To this end, we will
follow a systematic literature review and derive the missing components.
This step defines the goal of the SLR by selecting the research question that has to be
answered by the review. The research question is: “What are all the processes in
digital forensics investigation?”
Processes include the phases of any digital forensics investigation. According to
[7], the six phases of digital forensics investigation are: identification, preservation,
collection, examination, analysis, and presentation. The reader can refer to [7] for
elaboration of these phases.
The review protocol is outlined in steps 4.1 through 5.2 below. These steps show how
data for the review is selected and summarized.
The review protocol was validated by querying the selected databases and looking at
the search results. Those results were meaningful and showed the feasibility of the
developed protocol.
90 S. Alharbi, J. Weber-Jahnke, and I. Traore
Finally, the primary studies that were collected from running all the above queries are
[1], [8-26]. Additional primary studies were collected by examining the previous
primary studies [7, 27-31].
The quality of the primary studies was assessed according to the following
categorizations, starting from the highest level to the lowest:
Table 1 shows the summary of the primary studies genre. Nine of the 18 primary
studies were journals; these reveal the maturity of the processes listed in this paper
and its patterns.
The Proactive and Reactive Digital Forensics Investigation Process 93
The processes of digital forensics investigation that were extracted from the total 26
primary studies are grouped in Table 2.
The same review protocol was used to validate the systematic literature review twice
during execution of the review.
6 Research Findings
All the processes of digital forensics investigation in Table 3 shows that they all share
the reactive component, but only one [1] includes the proactive component. (In [1],
this proactive component has been named the active component.) The reactive
component of all processes was inspired by [7]. Recent papers such as [2], [1], [3],
and [4] have suggested that there is a need for advancement in the area of proactive
forensic systems.
In [1], a multi-component view of digital forensics process is proposed. This
process is at a high level and consists of three components: proactive, active, and
reactive. The term “proactive” as it is used in [1] deals with the digital forensics
readiness of the organization as well as the responsible use of digital forensics tools.
The active component, termed the proactive component in the current study, deals
94 S. Alharbi, J. Weber-Jahnke, and I. Traore
with the collection of live evidence in real time while an event or incident is
happening. The active component of the investigation is not considered to be a full
investigation since it lacks case-specific investigation tools and techniques. The
reactive component is the traditional approach to digital forensics investigation.
The process proposed in this study is derived from [1], but has only two
components, proactive and reactive (see Figure 1). Even though Figure 1 shows that
the investigation process is a waterfall process, in real-life it has some iteration. The
proposed proactive component is similar to the active component in [1].
,QYHVWLJDWLYH3URFHVVIRU'LJLWDO)RUHQVLF
3DOPHU>@ &RQIHUHQFH 3KDVHV
6FLHQFH
5HLWK&DUUDQG*XQVFK>@
$Q$EVWUDFW'LJLWDO)RUHQVLFV0RGHO 3KDVHV
-RXUQDO
SKDVHV
&DUULHUDQG6SDIIRUG>@ $Q ,QWHJUDWHG 'LJLWDO ,QYHVWLJDWLRQ
RUJDQL]HGLQWR
-RXUQDO 3URFHVV
PDMRUSKDVHV
6WHSKHQVRQ>@ -RXUQDO (QGWR(QG'LJLWDO,QYHVWLJDWLRQ3URFHVV SKDVHV
%DU\DPXUHHEDDQG7XVKDEH 7KH (QKDQFHG 'LJLWDO ,QYHVWLJDWLRQ PDMRUSKDVHV
>@ -RXUQDO 3URFHVV LQFOXGLQJVXESKDVHV
&LDUGKXDLQ>@ -RXUQDO 7KH ([WHQGHG 0RGHO RI &\EHUFULPH SKDVHV
,QYHVWLJDWLRQV
&DUULHUDQG6SDIIRUG>@ $Q (YHQW%DVHG 'LJLWDO )RUHQVLF PDMRUSKDVHV
&RQIHUHQFH ,QYHVWLJDWLRQ)UDPHZRUN LQFOXGLQJVXESKDVHV
+DUULVRQ>@ -RXUQDO 7KH/LIHF\FOH0RGHO SKDVHV
%HHEHDQG&ODUN>@ -RXUQDO 7KH +LHUDUFKLFDO 2EMHFWLYH%DVHG SKDVHV
)UDPHZRUN
.RKQ(ORIIDQG2OLYLHU>@ 7KH,QYHVWLJDWLRQ)UDPHZRUN SKDVHV
&RQIHUHQFH
.HQW&KHYDOLHU*UDQFHDQG 7KH)RUHQVLF3URFHVV SKDVHV
'DQJ>@ -RXUQDO
5RJHUV*ROGPDQ0LVODQ 7KH &RPSXWHU )RUHQVLFV )LHOG 7ULDJH PDMRUSKDVHV
:HGJHDQG'HEURWD>@ 3URFHVV0RGHO LQFOXGLQJVXESKDVHV
&RQIHUHQFH
,HRQJ>@ -RXUQDO )25=$±'LJLWDO)RUHQVLFV,QYHVWLJDWLRQ SKDVHV
)UDPHZRUN,QFRUSRUDWLQJ/HJDO,VVXHV
)UHLOLQJDQG6FKZLWWD\>@ 7KH&RPPRQ3URFHVV0RGHOIRU,QFLGHQW PDMRUSKDVHV
&RQIHUHQFH 5HVSRQVHDQG&RPSXWHU)RUHQVLFV LQFOXGLQJVXESKDVHV
.KDWLU+HMD]LDQG6QHLGHUV 7ZR'LPHQVLRQDO (YLGHQFH 5HOLDELOLW\ PDMRUSKDVHV
>@ :RUNVKRS $PSOLILFDWLRQ3URFHVV0RGHO LQFOXGLQJVXESKDVHV
6KLQ>@ &RQIHUHQFH 'LJLWDO)RUHQVLFV,QYHVWLJDWLRQ3URFHGXUH SKDVHV
0RGHO LQFOXGLQJVXESKDVHV
%LOODUG>@ %RRN&KDSWHU $Q ([WHQGHG 0RGHO IRU ('LVFRYHU\ SKDVHV
2SHUDWLRQV
*UREOHU/RXZUHQVDQG6ROPV $ 0XOWLFRPSRQHQW 9LHZ RI 'LJLWDO PDMRUSKDVHV
>@ &RQIHUHQFH )RUHQVLFV LQFOXGLQJVXESKDVHV
The Proactive and Reactive Digital Forensics Investigation Process 95
,GHQWLILFDWLRQ 3URDFWLYH&ROOHFWLRQ
3UHVHUYDWLRQ (YHQW7ULJJHULQJ)XQFWLRQ
3URDFWLYH&RPSRQHQW
5HDFWLYH&RPSRQHQW
&RQWLQXH,QYHVWLJDWLRQ
&ROOHFWLRQ 3URDFWLYH3UHVHUYDWLRQ
$QDO\VLV 3URDFWLYH$QDO\VLV
)LQDO5HSRUW
3UHOLPLQDU\5HSRUW
([LVW
'HFLVLRQ
,QYHVWLJDWLRQ
Fig. 1. Functional process for proactive and reactive digital forensics investigation system
Both the proposed process and the multi-component process share the reactive
component. Table 3 maps phases of the proposed proactive and reactive digital
forensics investigation process to phases of the existing processes.
Description of the two components in the proposed process is as follows:
1) Proactive Digital Forensics Component: is the ability to proactively collect,
trigger an event, and preserve and analyze evidence to identify an incident as it
occurs. In addition, an automated preliminary report is generated for a later
investigation by the reactive component. The evidence that will be gathered in this
component is the proactive evidence that relates to a specific event or incident as it
occurs [4]. As opposed to the reactive component, the collection phase in this
component comes before preservation since no incident has been identified yet.
Phases under the proactive component are defined as follows:
• Proactive Analysis: automated live analysis of the evidence, which might use
forensics techniques such as data mining to support and construct the initial
hypothesis of the incident.
• Preliminary Report: automated report for the proactive component.
This proactive component differs from common Intrusion Detection Systems (IDS)
by ensuring the integrity of evidence and preserving it in a forensically sound manner.
In addition, the analysis of the evidence will be done in such a way as to enable
prosecution of the suspect and admission to court of law.
Table 3. Mapping phases of the proposed proactive and reactive digital forensics investigation
process to phases of the existing processes
3URDFWLYH,QYHVWLJDWLRQ 5HDFWLYH,QYHVWLJDWLRQ
,GHQWLILFDWLRQ
&ROOHFWLRQ
'LJLWDO)RUHQVLF,QYHVWLJDWLRQ
3UHVHUYDWLRQ
3UHVHUYDWLRQ
3UHOLPLQDU\
$QDO\VLV
&ROOHFWLRQ
3URFHVV1DPH 5HIHUHQFH
5HSRUW
3URDFWLYH
3URDFWLYH
3URDFWLYH
)XQFWLRQ
$QDO\VLV
7ULJJLQJ
5HSRUW
(YHQW
,QYHVWLJDWLYH3URFHVVIRU'LJLWDO
3 3 3 3 3
)RUHQVLF6FLHQFH>@
$Q$EVWUDFW'LJLWDO)RUHQVLFV
3 3 3 3 3
0RGHO>@
$Q,QWHJUDWHG'LJLWDO,QYHVWLJDWLRQ
3 3 3 3 3
3URFHVV>@
(QGWR(QG'LJLWDO,QYHVWLJDWLRQ
3 3
3URFHVV>@
7KH(QKDQFHG'LJLWDO,QYHVWLJDWLRQ
3 3 3 3 3
3URFHVV>@
7KH([WHQGHG0RGHORI&\EHUFULPH
3 3 3 3 3
,QYHVWLJDWLRQV>@
$Q(YHQW%DVHG'LJLWDO)RUHQVLF
3 3 3 3 3
,QYHVWLJDWLRQ)UDPHZRUN>@
7KH/LIHF\FOH0RGHO>@ 3 3 3 3 3
7KH+LHUDUFKLFDO2EMHFWLYH%DVHG
3 3 3 3 3
)UDPHZRUN>@
7KH,QYHVWLJDWLRQ)UDPHZRUN
3 3 3 3 3
>@
7KH)RUHQVLF3URFHVV>@ 3 3 3 3
7KH&RPSXWHU)RUHQVLFV)LHOG
3 3 3 3
7ULDJH3URFHVV0RGHO>@
)25=$±'LJLWDO)RUHQVLFV
,QYHVWLJDWLRQ)UDPHZRUN
3 3 3 3 3
,QFRUSRUDWLQJ/HJDO,VVXHV
>@
7KH&RPPRQ3URFHVV0RGHOIRU
,QFLGHQW5HVSRQVHDQG&RPSXWHU 3 3 3 3 3
)RUHQVLFV>@
7ZR'LPHQVLRQDO(YLGHQFH
5HOLDELOLW\$PSOLILFDWLRQ3URFHVV 3 3 3 3 3
0RGHO>@
'LJLWDO)RUHQVLFV,QYHVWLJDWLRQ
3 3 3 3 3
3URFHGXUH0RGHO>@
$Q([WHQGHG0RGHOIRU(
3 3 3 3 3
'LVFRYHU\2SHUDWLRQV>@
$0XOWLFRPSRQHQW9LHZRI'LJLWDO
3 3 3 3 3 3 3 3 3 3
)RUHQVLFV>@
98 S. Alharbi, J. Weber-Jahnke, and I. Traore
The advantages of the proposed process over the multi-component process are as
follows:
7 Conclusion
In order to investigate anti-forensics methods and to promote automation of the live
investigation, a proactive and reactive functional process has been proposed. The
proposed process came as result of SLR of all the processes that exist in literature.
The phases of the proposed proactive and reactive digital forensics investigation
process have been mapped to existing investigation processes. The proactive
component in the proposed process has been compared to the active component in the
The Proactive and Reactive Digital Forensics Investigation Process 99
multi-component process. All phases in the proactive component of the new process
are meant to be automated.
For future work, the proposed process will be used to develop and implement the
proactive and reactive systems using domain-specific modeling language and
automated code generation. This new method will help in creating the skeleton of the
new digital investigation tools and techniques. Two major issues will be addressed in
the implementation of the new process: 1) the ability to predict an event (an attack)
proactively, and 2) optimizing the proactive component by providing a feedback loop
whenever the proactive or the reactive component is concluded.
References
[1] Grobler, C.P., Louwrens, C.P., von Solms, S.H.: A Multi-component View of Digital
Forensics. In: ARES 2010 International Conference on Availability, Reliability, and
Security, pp. 647–652 (2010)
[2] Garfinkel, S.: Anti-forensics: Techniques, detection and countermeasures. In: 2nd
International Conference on i-Warfare and Security, p. 77 (2007)
[3] Garfinkel, S.L.: Digital forensics research: The next 10 years. Digital Investigation 7,
S64–S73 (2010)
[4] Orebaugh, A.: Proactive forensics. Journal of Digital Forensic Practice 1, 37 (2006)
[5] Brereton, P., Kitchenham, B.A., Budgen, D., Turner, M., Khalil, M.: Lessons from
applying the systematic literature review process within the software engineering
domain. Journal of Systems and Software 80, 571–583 (2007)
[6] Rowlingson, R.: A ten step process for forensic readiness. International Journal of
Digital Evidence 2, 1–28 (2004)
[7] Palmer, G.: A road map for digital forensics research-report from the first Digital
Forensics Research Workshop (DFRWS), Utica, New York (2001)
[8] Mark, R., Clint, C., Gregg, G.: An Examination of Digital Forensic Models.
International Journal of Digital Evidence 1, 1–12 (2002)
[9] Carrier, B., Spafford, E.: An event-based digital forensic investigation framework. In:
Proceeding of the 4th Digital Forensic Research Workshop, pp. 11–13 (2004)
[10] Baryamureeba, V., Tushabe, F.: The Enhanced Digital Investigation Process Model.
Asian Journal of Information Technology 5, 790–794 (2006)
[11] Kohn, M., Eloff, J., Olivier, M.: Framework for a digital forensic investigation. In:
Proceedings of Information Security South Africa (ISSA) 2006 from Insight to
Foresight Conference (2006)
[12] Stephenson, P.: A comprehensive approach to digital incident investigation.
Information Security Technical Report 8, 42–54 (2003)
[13] Stephenson, P.: Completing the Post Mortem Investigation. Computer Fraud &
Security, 17–20 (2003)
[14] Harrison, W.: The digital detective: An introduction to digital forensics. Advances in
Computers 60, 75–119 (2004)
[15] Beebe, N.L., Clark, J.G.: A hierarchical, objectives-based framework for the digital
investigations process. Digital Investigation 2, 147–167 (2005)
[16] Ieong, R.S.C.: FORZA - Digital forensics investigation framework that incorporate
legal issues. Digital Investigation 3, 29–36 (2006)
100 S. Alharbi, J. Weber-Jahnke, and I. Traore
[17] Khatir, M., Hejazi, S.M., Sneiders, E.: Two-Dimensional Evidence Reliability
Amplification Process Model for Digital Forensics. In: Third International Annual
Workshop on Digital Forensics and Incident Analysis, WDFIA 2008, pp. 21–29 (2008)
[18] Pollitt, M.M.: An Ad Hoc Review of Digital Forensic Models. In: Second International
Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2007,
pp. 43–54 (2007)
[19] Yong-Dal, S.: New Digital Forensics Investigation Procedure Model. In: Fourth
International Conference on Networked Computing and Advanced Information
Management, NCM 2008, pp. 528–531 (2008)
[20] Billard, D.: An Extended Model for E-Discovery Operations. In: Peterson, G., Shenoi,
S. (eds.) Advances in Digital Forensics V, vol. 306, pp. 277–287. Springer, Boston
(2009)
[21] Tanner, A., Dampier, D.: Concept Mapping for Digital Forensic Investigations. In:
Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics V, vol. 306, pp. 291–300.
Springer, Boston (2009)
[22] Ruan, C., Huebner, E.: Formalizing Computer Forensics Process with UML. In: Yang,
J., Ginige, A., Mayr, H.C., Kutsche, R.-D. (eds.) Information Systems: Modeling,
Development, and Integration, vol. 20, pp. 184–189. Springer, Heidelberg (2009)
[23] Slay, J., Lin, Y.-C., Turnbull, B., Beckett, J., Lin, P.: Towards a Formalization of
Digital Forensics. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics V,
pp. 37–47. Springer, Boston (2009)
[24] Kizza, J.: Computer Crime Investigations-Computer Forensics. In: Ethical and Social
Issues in the Information Age, pp. 343–358. Springer, London (2007)
[25] Selamat, S., Yusof, R., Sahib, S.: Mapping process of digital forensic investigation
framework. IJCSNS 8, 163 (2008)
[26] Perumal, S.: Digital forensic model based on Malaysian investigation process.
IJCSNS 9, 38 (2009)
[27] Carrier, B., Spafford, E.: Getting physical with the digital investigation process.
International Journal of Digital Evidence 2, 1–20 (2003)
[28] Ciardhu·in, S.: An extended model of cybercrime investigations. International Journal
of Digital Evidence 3, 1–22 (2004)
[29] Rogers, M., Goldman, J., Mislan, R., Wedge, T., Debrota, S.: Computer forensics field
triage process model. Journal of Digital Forensics, Security and Law 1, 27–40 (2006)
[30] Freiling, F., Schwittay, B.: A common process model for incident response and
computer forensics. In: 3rd International Conference on IT-Incident Management and
IT- Forensic (2007)
[31] Kent, K., Chevalier, S., Grance, T., Dang, H.: Guide to Integrating Forensic
Techniques into Incident Response. NIST Special Publication 800-86 (2006)