Abstract. In this paper, we present a review and comparative evaluation of the forensics guidelines NIST SP 800-101 Rev.1:2014 and ISO/IEC 27037:2012. This study proposes and analyzes an integrated implementation of these two forensic guidelines. The result will provide a forensic investigator with a good understanding of the two forensic standards, and present an opportunity for forensic investigators, organizations and jurisdictions that are compliant with one standard to realize the benefits of the other standard. As is shown, no single standard addresses all processes of digital forensic investigations. This comparison identifies the areas of forensics guidelines covered by each standard, the commonalities and differences between the two standards, and their limitations.

Keywords: digital evidence; chain of custody; digital handling process; forensic investigation; forensic tools

I. INTRODUCTION

When investigating a crime, the investigator must follow and reference guidelines on device or information technology forensics. Although countries, organizations and individual investigators may retain certain methods, processes and controls, standardization is expected to lead to the adoption of similar if not identical approaches internationally. This makes it easier to compare, combine, and contrast the results of such investigations even when performed by different people or organizations and possibly across different jurisdictions [1].

It is evident that not all investigations will end up in court. The SANS Digital Forensics Survey (2013) examined how and why organizations investigate cases. 62% of the respondents claimed to have used digital forensics to investigate "HR issues/employee misuse or abuse," and of those, only 57% indicated that they were looking for legal evidence that could be admissible in court [2].

Having said that, forensics examiners should follow investigative standards and treat all cases as if they will end up in court. This means applying an appropriate degree of rigor in the collection and preservation of potential digital evidence so that the reliability of the evidence can be defended [2].

Various perspectives are necessary to provide a formidable forensic investigation, and different guidelines look at investigation phases from different perspectives. Organizations already recognize the benefit of adopting two forensic standards; it is common for an organization to conform to the requirements of one standard and then make further improvements to conform to the requirements of the other. The European Commission Anti-Fraud Office created the Guidelines on Digital Forensic Procedures on forensic investigation for OLAF staff by taking into account both the internationally approved standard ISO/IEC 27037, "Guidelines for identification, collection, acquisition and preservation of digital evidence," adopted in October 2012, and the "Good practice guide for digital evidence" published by the UK Association of Chief Police Officers (ACPO) in March 2012 [3].

There are a number of advantages in an integrated implementation of forensics standards, which include comprehensiveness and improvement in the quality of forensic investigations. Forensic investigators can experience the benefits of implementing one forensic standard before the other, or of both forensic standards when implemented simultaneously. Key benefits of integrated implementation of these forensic standards include credibility, lower cost of investigation, reduction in the time taken for forensic investigation, and avoidance of unnecessary duplication.

This paper presents a comparative evaluation of the forensics guidelines NIST SP 800-101 Rev.1:2014 [4] and ISO/IEC 27037:2012 [5]. The comparative evaluation in the following sections focuses on commonalities, differences, and limitations in the two standards and provides the integrated implementation of both standards.

The result of this comparison may provide a forensic investigator with a good understanding of the two forensic standards and the opportunity for integrated implementation of both standards. The paper reviews existing forensics investigation methodologies in Section II. The forensic investigation standards ISO/IEC 27037:2012 and NIST SP 800-101:2014 are reviewed and compared in Section III. All readers are expected to have access to copies of both standards. For instance, forensic investigators, organizations and jurisdictions may opt for ISO/IEC 27037 as a result of the
978-1-908320-42/1/©2014 IEEE 66
World Congress on Internet Security (WorldCIS-2014)
trans-border nature of criminal activities and their global context. This allows for standardization across participating countries or, where needs are more country-specific, a jurisdiction such as the criminal justice system may choose NIST SP 800-101. There could also be an implementation of ISO/IEC 27037 when NIST SP 800-101 is already implemented, or vice versa; there could be an implementation of both ISO/IEC 27037 and NIST SP 800-101 together; or an integration of existing ISO/IEC 27037 and NIST SP 800-101 implementations.

An Overview of ISO/IEC 27037 and NIST SP 800-101

ISO (International Organization for Standardization) is the world's recognized authority on International Standards. International Standards give state-of-the-art specifications for products, services and good practice, helping to make industries more efficient and effective.

The ISO/IEC 27037 [5] standard seeks to create a common reference line for the practice of digital forensics. The application of this international standard requires compliance with federal laws and regulations, with no intention of replacing them. Rather, it may serve as a practical guide for any Digital Evidence First Responders (DEFRs) and Digital Evidence Specialists (DESs) in investigations involving potential digital evidence. Moreover, it is intended to facilitate the usability of evidence obtained in one jurisdiction by a legal process operating in another jurisdiction [6].

A. Related ISO/IEC projects

Since ISO/IEC 27037 addresses only the initial handling process of digital evidence, other forensic process steps are subject to additional standards, some of which are still under development [6]. International Standards that are related to ISO/IEC 27037 are graphically illustrated below.

Figure 1. Related ISO/IEC Standards. The figure places ISO/IEC 27043 (incident investigation principles and processes) at the top, with arrows down to five related standards: ISO/IEC 27035 (information security incident management), ISO/IEC 27037 (guidelines on identification, collection, acquisition and preservation of digital evidence), ISO/IEC 27041 (guidance on assuring suitability and adequacy of incident investigative methods), ISO/IEC 27042 (guidelines for analysis and interpretation of digital evidence) and ISO/IEC 27050-1 (electronic discovery).

NIST (National Institute of Standards and Technology) is a technological, non-regulatory federal agency under the U.S. Department of Commerce. NIST works with industries to develop and apply technology, measurements, and standards. NIST SP 800-101 Rev 1, Guidelines on Mobile Device Forensics, is a publication by the United States National Institute of Standards and Technology (NIST). The guide provides an in-depth look into mobile devices and explains the technologies involved and their relationship to forensic procedure. The guide discusses the procedures for validation, preservation, acquisition, examination, analysis, and reporting of digital information [4].

II. REVIEW OF FORENSIC INVESTIGATION METHODOLOGIES

There are numerous digital forensic investigation methodologies that have been developed and adopted since 1984, when a formalized process was first presented. Different forensic investigation standards and models have been adopted in different nations for identification, collection, acquisition and preservation of digital evidence [7], [8], [9]. While some of the forensic investigation standards are precise and detailed, others are of wider scope and more general [10]. Also, some models concentrate on the technical aspect of forensic investigation, while others emphasize the non-technical aspect. This section reviews some of the related forensics investigation models.

A. Digital Forensic Research Workshop 2001 [11]

The first Digital Forensics Research Workshop (DFRWS) was held in Utica, New York (2001). DFRWS laid the foundation of the digital forensic investigation process [11]. The DFRWS investigative model consists of Identification, Preservation, Collection, Examination, Analysis and Presentation.

B. Abstract Digital Forensics Model [12]

Reith, Carr and Gunsch (2002), in their study An Abstract Digital Forensics Model, describe a model which is to some extent derived from the DFRWS model and not dependent on a particular technology or electronic crime. This model uses the protocol for an FBI physical crime scene search [12]. The model was inspired by DFRWS and is therefore thought to be its enhancement. This model has seven phases, namely Identification, Preparation, Approach Strategy, Preservation, Collection, Examination and Analysis.

C. Integrated Digital Investigation Process [13]

Carrier and Spafford (2003), in their study, mapped the digital investigative process to the physical investigative process. They came up with five phases of investigative processes, namely Readiness, Deployment, Physical Crime Scene Investigation, Digital Crime Scene Investigation and Review, and they call this model the Integrated Digital Investigation Process.

D. Digital Forensic Model Based on Malaysian Investigation Process [8]

The Digital Forensic Model Based on Malaysian Investigation Process, based on Malaysian cybercrime law [8], is an investigation model built on existing models by incorporating a live and static data acquisition process that focuses on volatile data. This model consists of seven phases: Planning, Reconnaissance, Transport & Storage, Analysis, Proof and Defence, and Archive Storage.

E. Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence [7]

In the United Kingdom, the Association of Chief Police Officers (ACPO) has a Good Practice Guide for Computer Based Electronic Evidence. This high-level document covers any type of group that is actively involved in the processing of digital evidence. This model consists of Plan, Capture, Analyze, and Present. The purpose of this document is to provide guidance, not only to assist law enforcement, but also for all that assist in investigating cyber security incidents and crime.

F. Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition [9]

B. Evidence handling process of ISO/IEC 27037

Fig. 2 below presents a model of the digital evidence handling process of ISO/IEC 27037.

Figure 2 (only the phase label "Identification" is legible on the page).
TABLE II. GENERAL REQUIREMENTS AND SUMMARY OF ISO/IEC 27037 AND NIST SP 800-101 (only the last three rows are legible on the page)

Requirement | Description | ISO/IEC 27037 | NIST SP 800-101
Repeatability | Repeatability is established when the same test results are produced using the same measurement procedure and method, using the same instruments and under the same conditions, and can be repeated at any time after the initial test. | ✓ | ✓
Reproducibility | Reproducibility is established when the same test results are produced using the same measurement method, using different instruments and under different conditions, and can be produced at any time after the original test. | ✓ | ✓
Justifiability | Both the Digital Evidence First Responders (DEFRs) and the Digital Evidence Specialists (DESs) should be able to justify all actions and methods used in handling the potential digital evidence. | ✓ | ✓

Table III below shows the comparison of the digital evidence handling processes of both NIST SP 800-101 Rev.1:2014 and ISO/IEC 27037:2012. The comparison highlights what is missing in one standard but available in the other.

TABLE III (only the last row is legible on the page)

Digital Evidence Handling | Summary | ISO/IEC 27037 | NIST SP 800-101
Reporting | Process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of the case. | * | ✓
devices; ISO/IEC 27037 also gives guidance for a wide variety of devices including mobile phones, Personal Digital Assistants (PDAs), Personal Electronic Devices (PEDs), memory cards, etc.

• Both standards have Acquisition and Preservation phases in their forensic investigation process.

• The two standards recognize that forensic examination begins with the identification of the device.

• Both standards emphasize Confidentiality, Integrity, and Availability of potential digital evidence throughout the process of forensic investigation.

B. Differences in the two standards

• ISO/IEC 27037 applies globally, and is intended for both public and private sectors; NIST SP 800-101 is the United States' recommendations for forensic examiners, response teams and private organizations on a voluntary basis.

• ISO/IEC 27037 emphasizes non-technical processes of forensic investigation; NIST SP 800-101 dwells on both technical and non-technical processes of forensic investigation.

• NIST SP 800-101 provides basic information on mobile forensic tools and on the preservation, acquisition, examination and analysis, and reporting of digital evidence on mobile devices. ISO/IEC 27037 provides guidelines for identification, collection, acquisition, and preservation of digital evidence.

• NIST SP 800-101 explains in detail the forensic tools used in forensic investigation, while ISO/IEC 27037 does not extend to the analysis of digital evidence.

• ISO/IEC 27037 only pertains to the initial stages of digital investigation; NIST SP 800-101 is detailed in its mobile device forensics.

• NIST SP 800-101 has an Examination and Analysis phase as well as a Reporting phase in its investigation process, while these phases are not present in ISO/IEC 27037.

• ISO/IEC 27037 has Identification and Collection phases; NIST SP 800-101 assumes that the mobile device on which the forensic investigation is to be performed has been identified and collected.

• Both standards are limited in scope because they do not prescribe how law enforcement and incident response communities should handle digital evidence during an investigation or incident.

• Litigation can clearly be criminal or civil, but neither of the standards discusses this aspect, nor the advice the internal legal department in an organization should offer in order to minimize the costs of forensic investigation.

• Both standards essentially describe reactive measures and do not include guidance on proactive forensic investigation processes.

• ISO/IEC 27037 does not extend to the analysis of digital evidence.

• Combining the two standards still may not provide a holistic approach. For example, Planning is vital in forensic investigation and this is not addressed in either standard.

• The two documents are to be read in conjunction with other standards.

VII. DISCUSSION OF RESULTS

In reviewing and undertaking a comparative evaluation of ISO/IEC 27037 and NIST SP 800-101 to examine the commonalities and differences in the two standards and their limitations, it is evident that neither of these two standards addresses all processes of digital forensic investigations. While ISO/IEC 27037 focuses on the initial handling process and addresses the non-technical aspect of digital forensic investigation of crime, NIST SP 800-101 is technical and more detailed in the selection and use of forensic tools. An integrated implementation of ISO/IEC 27037 and NIST SP 800-101 is possible and will be more comprehensive than a single standard.

Since neither of the two standards addresses the forensic investigation process comprehensively, it would be advantageous to individual investigators, organizations and jurisdictions that are compliant with one standard to realize the benefits of the other standard and integrate the two. NIST SP 800-101 is specifically a guideline for Mobile Device Forensics, while the ISO/IEC 27037 standard provides guidelines on identification, collection, acquisition, and preservation of digital evidence for information technology in general.
Figure (caption not recovered): the phase labels legible on the page are Identification, Preservation, Collection, Acquisition, Preservation and Reporting.
ensure that a copy acquired has not been modified since acquisition.

Phase 3: Preservation

Evidence preservation is the process of securely maintaining an acceptable chain of custody of property without altering or changing the content of data that resides on devices and removable media [4]. Preservation involves the search, recognition, documentation, and collection of electronically based evidence, which must be preserved and free from ... process should be initiated and maintained throughout the digital evidence handling processes. Potential digital evidence helps admissibility in a court of law; it should therefore be preserved in a manner that ensures the integrity of the data.

Phase 4: Examination and Analysis

The Examination and Analysis process uncovers digital evidence, both volatile and non-volatile, including that which may be hidden or obscured. The process begins with a copy of the evidence acquired from the device. The analysis process looks at the result of examination for its direct significance and probative value to the case. The Examination and Analysis process is accomplished using approved guidelines and the right forensic tools.

Phase 5: Reporting

The Reporting process prepares a detailed summary of all steps taken and conclusions reached in the investigation of the case. The tasks related to this phase involve the forensic tools and techniques used, documentation, and forensic expert testimony. Irrespective of how the reports are generated, making sure that the final report is consistent with the data presented in the user interface representation is vital to identify and eliminate any possible inconsistencies that may surface [16]. The reporting phase of NIST SP 800-101 will help in reporting anything learned about the investigation which can improve forensics processes. Lessons learned during the investigation should also be documented.

X. CONCLUSION

The objective of this paper is to undertake a review and comparative evaluation of the forensics guidelines NIST SP 800-101, Revision 1, Guidelines on Mobile Device Forensics, and ISO/IEC 27037, Guideline for identification, collection, acquisition and preservation of digital evidence, in order to identify commonalities and differences in the two standards and their limitations. It is evident that no single standard addresses all processes of digital forensic investigations. Scenarios are shown to illustrate that the two standards can complement one another for digital forensic investigation. For example, while NIST SP 800-101 was not necessarily published for a situation where litigation would or might be the purpose, it shares elements which would make it partially suitable. So when NIST SP 800-101 is integrated with ISO/IEC 27037, the missing areas are filled in. The integrated implementation model of both ISO/IEC 27037 and NIST SP 800-101 will provide individual investigators, organizations and jurisdictions the benefits of both standards. Also, a forensics guideline best practice/standard could be developed, based on the concepts of integrated implementation of ISO/IEC 27037 and NIST SP 800-101.

REFERENCES

[1] ISO/IEC 27041, Information technology - Security techniques - Guidance on assuring suitability and adequacy of incident investigative methods.
[3] OLAF European Commission Anti-Fraud Office, 2014, Guidelines on Digital Forensic Procedures for OLAF Staff. Available: http://ec.europa.eu/anti_fraud/documents/forensics/guidelines_en.pdf
[4] NIST SP 800-101, Revision 1, "Guidelines on Mobile Device Forensics," May 2014. Available: http://www.nist.gov
[5] ISO/IEC FDIS 27037, "Guideline for identification, collection, acquisition and preservation of digital evidence," 2012. Available: http://www.iso.org
[6] Incident Management and Forensics Working Group, 2013, Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing. Available: https://downloads.cloudsecurityalliance.org/initiatives/imf/Mapping-the-Forensic-Standard-ISO-IEC-27037-to-Cloud-Computing.pdf
[7] ACPO Good Practice Guide for Digital Evidence, 2012. Available: http://www.acpo.police.uk/documents/crime/2011/201110-cba-digital-evidence-v5.pdf
[8] Sundresan Perumal, 2009, Digital Forensic Model Based On Malaysian Investigation Process. IJCSNS International Journal of Computer Science and Network Security, vol. 9, no. 8, p. 38, 2009. Available: http://paper.ijcsns.org/07_book/200908/20090805.pdf
[9] Electronic Crime Scene Investigation: A Guide for First Responders, 2nd ed. Washington, DC: U.S. Dept. of Justice, Office of Justice Programs, National Institute of Justice, 2008. Available: https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
[10] Yunus Yusoff, Roslan Ismail and Zainuddin Hassan, 2011, Common Phases of Computer Forensics Investigation Models. Available: http://airccse.org/journal/jcsit/0611csit02.pdf
[11] Digital Forensic Research Workshop (DFRWS), August 7-8, 2001, Utica, New York. A Road Map for Digital Forensic Research. Available: http://www.dfrws.org/2001/dfrws-rm-final.pdf
[12] Mark Reith, Clint Carr, Gregg Gunsch, 2002, An Examination of Digital Forensic Models. International Journal of Digital Evidence, Fall, vol. 1, issue 3. Available: http://www.utica.edu/academic/institutes/ecii/publications/articles/A04A40DC-A6F6-F2C1-98F94F16AF57232D.pdf
[13] Brian Carrier and Eugene H. Spafford, 2003, Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence. Available: http://www.utica.edu/academic/institutes/ecii/publications/articles/A0AC5A7A-FB6C-325D-BF515A44FDEE7459.pdf
[14] NIST, U.S. Departments of Justice and Commerce Name Experts to First-Ever National Commission on Forensic Science, Jan 2014. Available: http://www.nist.gov/forensics/forensic-science-commission-011014.cfm
[15] Kwaku, K., Zavarsky, P., Lindskog, D., Ruhl, R.: A Review and Comparative Study of Digital Forensic Investigation Models, 2012. Available: http://link.springer.com/chapter/10.1007%2F978-3-642-39891-9_20
[16] Rick Ayers, 2014, Mobile Device Forensics. Available: http://www.cftt.nist.gov/presentations/RickAyers_AAFS_Mobile-2014.pdf
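The integrity requirement that the acquisition and preservation phases above express (a copy that can be shown not to have been modified since acquisition, with a chain of custody maintained throughout handling) is in practice met by hashing the acquired image at acquisition time, recording the hash in the custody record, and re-hashing before every later examination. The following Python script is an added illustration of that check; it is not code from the paper, from NIST or from ISO. The function names, the JSON-lines custody log layout and the sample image bytes are assumptions constructed for the example.

```python
"""Hash-based integrity check for an acquired image, with a minimal
chain-of-custody log. Added illustration: the function names, the
log format and the sample data below are assumptions, not the
paper's or NIST's own procedure."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read the image in 1 MiB pieces; images can be many GB


def sha256_of_file(path: str) -> str:
    """Stream the whole file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def record_acquisition(image_path: str, log_path: str, examiner: str, note: str) -> dict:
    """Append one custody entry (who, when, which file, size, hash) as a JSON line."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_of_file(image_path),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_against_log(image_path: str, log_path: str) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition.
    The first log entry for the file is the reference value; a missing
    entry is treated as a failure rather than silently passing."""
    name = os.path.basename(image_path)
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["image"] == name:
                return entry["sha256"] == sha256_of_file(image_path)
    return False


def demo() -> tuple:
    """Constructed scenario: acquire and log, verify (passes), then simulate a
    post-acquisition modification of one byte and verify again (fails)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "device01.bin")
        log = os.path.join(workdir, "custody.jsonl")
        with open(image, "wb") as fh:  # constructed sample image, not real device data
            fh.write(b"\x00" * 4096 + b"constructed sample image data" + b"\xff" * 512)
        record_acquisition(image, log, "examiner-A", "acquisition")
        intact = verify_against_log(image, log)
        with open(image, "r+b") as fh:  # one byte changed after acquisition
            fh.seek(10)
            fh.write(b"\x01")
        after_change = verify_against_log(image, log)
        return intact, after_change


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The log is append-only by construction, so a later examiner adds a fresh entry (with a note such as "examination") rather than editing the acquisition entry; any difference between the recorded and recomputed digests means the working copy can no longer be relied on and the examiner must return to the original acquisition.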