1. A method to enhance the accuracy of digital forensics in the absence of complete evidence in Saudi Arabia
Alanazi, Fahad Mosalm, January 2017
The tremendous increase in the use of digital devices has led to their involvement in the vast majority of current criminal investigations. As a result, digital forensics has increasingly become one of the most important aspects of criminal investigations. The digital forensics process involves consideration of a number of important phases in order to achieve the required level of accuracy and to reach a successful conclusion of the investigation into the digital aspects of crimes, through obtaining acceptable evidence for use in a court of law. There have been a number of models developed and produced since 1984 to support the digital investigation processes. In this submission, I introduce a proposed model for the digital investigation processes which is based on the scope of the Saudi Arabia investigation process, which has been integrated with existing models of digital investigation processes and has produced a new phase to deal with a situation where there is insufficient evidence. In this research, grounded theory has been adopted as a research method to investigate and explore the participants' perspectives and their opinions regarding the adoption of a method of a digital forensics investigation process in the absence of complete evidence in the Saudi Arabian context. The interaction of investigators with digital forensics processes involves the social aspect of digital investigation which is why it was suitable to adopt a grounded theory approach. A semi-structured data collection approach has been adopted, to enable the participants to express their visions, concerns, opinions and feelings related to factors that impact the adoption of the DF model for use in cases where there is an absence of sufficient evidence in Saudi Arabia. The proposed model emerged after conducting a number of interviews and analysing the data of this research.
The researcher developed the proposed model based on the answers of the participants, which helped the researcher to find a solution for dealing with cases where there is insufficient evidence, through adding a unique step in the investigation process, the “TraceBack” Phase. This study is the first in Saudi Arabia to be developed to enhance the accuracy of digital forensics in the absence of sufficient evidence, which opens a new method of research. It is also the first time that grounded theory has been employed in a digital forensics study in the Saudi context, which indicates the possibility of applying this methodology to this field.
2. The Comprehensive Digital Forensic Investigation Process Model (CDFIPM) for digital forensic practice
Montasari, Reza, January 2016
No description available.
3. Forensic evidence isolation in clouds
Delport, Waldo, January 2013
Cloud computing is gaining acceptance and also increasing in
popularity. Organisations often rely on cloud resources as an
effective replacement for their 'in-house' computer systems. In the
cloud, virtual resources are provided from a larger pool of resources,
these resources being available to multiple different clients.
When something suspicious happens within a digital environment, a
digital forensic investigation may be conducted to gather information
about the event. When conducting such an investigation digital
forensic procedures are followed. These procedures involve the steps
to be followed to aid in the successful completion of the
investigation. One of the possible steps that may be followed involves
isolating possible evidence in order to protect it from contamination
and tampering.
Clouds may provide a multi-tenancy solution across multiple
geographical locations. When conducting an investigation into physical
equipment the equipment may be isolated. This may be done, for
example, by placing a cell phone in a Faraday bag in order to block
signals or unplugging a computer's network cable to stop the computer
from either sending or receiving network traffic. However, in the
cloud it may not be applicable to isolate the equipment of the cloud
because of the multi-tenancy and geographically separated nature of
the cloud. There is currently little research available on how
isolation can be accomplished inside the cloud environment.
This dissertation aims at addressing the need for isolation on the
cloud by creating new methods and techniques that may be incorporated
into an investigation in order to isolate cloud resources. Isolation
can be achieved by moving the unnecessary evidence to a different
location and retaining the required evidence or by moving the required
evidence in such a manner that the evidence would not be contaminated.
If isolated evidence were to be moved to a digital forensic
laboratory, the question arises as to whether it would be possible to
create such a laboratory on the cloud, utilise the benefits of cloud
computing and enable the investigation to be conducted on the cloud
without moving the isolated evidence from the cloud. The dissertation
will develop various models of isolation. These models are then tested
in experimental conditions. The experiments were conducted on Nimbula
Director 1.0.3 and VMware vSphere 5.0.
The models were successfully applied in the experiments. It was found
that investigations could benefit from the use of the proposed models
for isolation. However, the experiments also highlighted that some of
the models are not applicable or that a combination should be used.
The experiments also indicated that the methods to be used would
depend on the circumstances of the investigation. A preliminary "cloud
laboratory" was designed and described in terms of which a digital
forensic laboratory can be created on the cloud resources, thus
enabling an investigation to be conducted inside the cloud
environment.
Dissertation (MSc)--University of Pretoria, 2013. / Computer Science / unrestricted