International Journal of Computer Science and Information Security (IJCSIS),

Vol. 14, No. 12, December 2016

A Survey and Critique of Digital Forensic Investigative Models


Ajetunmobi, Rukayat A.(a), Uwadia, Charles O.(b), and Oladeji, Florence A.(c)
(a,b,c) Department of Computer Sciences, University of Lagos, Nigeria.
[email protected] , [email protected] , [email protected]

Abstract - With the concept of digital forensics becoming a subject for academic consideration, the need to look
in-depth at the various forensic models in existence has become imperative. Digital forensics has been an academic
study for a comparatively short time, and one of the ways researchers come to understand the scientific basis of any
discipline is by constructing models that reflect their observations. Reviewing the constructed models is one of the
ways researchers try to understand the facts presented through observation; it also serves as a means to identify,
acknowledge, and propose new models to solve problems. This paper reviews some of the existing digital forensic
models - the Digital Forensic Research Workshop (DFRWS) model, Reith’s Abstract Digital Forensic Model, Ruibin’s
Case-Relevance Information Investigation Model, and Saleem’s Extended Abstract Digital Forensic Model, amongst
others. The paper also explores the evolution of forensic investigative models and their advantages and
disadvantages, while highlighting new paradigms and techniques being considered. The review will serve as a basis
for the authors to develop a working and viable digital forensic investigative model that integrates the role of
Chain of Custody (CoC).

Keywords – Chain of Custody, computer crime, digital evidence, Digital Forensics, Digital Forensic Models,
electronic evidence.
I. INTRODUCTION
Ever since electronic evidence and digital information gathering became core issues in the increasing number of
conflicts and crimes being committed, the need to acquire the forensic knowledge of how to obtain these from digital
devices without compromising the evidence and/or information retrieved has become imperative to the digital world.

Computer Forensics, which is a branch of Digital Forensics, can be defined as the use of specialized techniques for
the specific purpose of preservation, identification, extraction, authentication, examination, analysis, interpretation
and precise documentation of digital evidence [1]. It could also be defined as “the use of scientifically derived and
proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation
and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the
reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to
planned operations.” [2].

Through the years, there has been a consensus that there are at least three distinct types of Digital Forensic
Science (DFS) analysis [3], which are as follows –
a. Media Analysis – for examining physical media or devices for evidence
b. Code Analysis – for reviewing software for malicious signatures
c. Network Analysis – for scrutinizing traffic and logs in order to identify and locate activities.

496 https://sites.google.com/site/ijcsis/
ISSN 1947-5500

The principal targets of computer forensics (which could also be referred to as Media Analysis, as its focus is on the
various storage media) include but are not limited to the following: hard disk drives, USB drives, floppy disks,
SD memory, Compact Flash, RAM (Random Access Memory), and digital mobile devices including mobile phones,
Android phones, smartphones, etc. “The process of information retrieval from these devices must be done in a way
that will preserve the integrity and authenticity of the evidence and ensure its admissibility during legal
proceedings” [4]. What are now considered digital forensic techniques were primarily developed for data recovery,
and this body of knowledge is roughly forty years old [4].

When computer forensics is used to discover whether activities such as hacking, fraud, credit/debit card cloning,
software piracy, data theft, etc. have occurred, laid-down guidelines and procedures must be followed; this need led
to the proposal of digital forensic models over the years. It has become accepted that computer forensics’ activities
commonly include:
a. The secure collection of computer data,
b. The identification of suspect data,
c. The examination of suspect data in order to determine details such as its origin and content,
d. The presentation of computer-based information to the courts of law, and
e. The application of a country’s laws to computer practice.
Source: [5]

With the establishment of the above facts, investigative models became a necessity to assist the process and to
minimize ambiguity. These models were constructed so that precise and orderly procedures for handling digital
evidence could be carried out through them.

While computer forensics laid emphasis on specific methods for evidence extraction from a particular medium, digital
forensics is modelled to encompass all types of digital devices. But there is no particular standard or methodology in
place that cuts across all media types and forms; rather, a set of procedures and tools built from the experiences of
law enforcement agencies, system administrators, and hackers is utilized. Palmer suggested at that time that the
evolution of digital forensics had proceeded from ad hoc tools and techniques being deployed (these came from the
scientific community, where many of the other traditional forensic sciences have originated) [6]. It has been noted
that some digital forensics models have also deployed the triage system that is normally used in medical care. In
medical care, cases that require emergency treatment are given first priority, followed by cases that are serious but
not urgent, and lastly, cases that are regular. Triage is applied by first selecting which evidence or system should
be given top priority by the forensic analyst, before the other evidence is considered for analysis after extraction
[7],[8].

CaseGuard [9] states that dealing with electronic evidence actually involves two chains of custody. This covers the
evidence itself (the item under scrutiny) and the electronic data that is associated with it. The chain of custody for
the electronic data must indicate that the information was properly copied, transported and stored, and ensure that
the electronic information was not altered in any manner.

This paper presents a critique and survey of some existing digital forensic models. The research examines the
advantages and disadvantages of the models below, leading at the end of the research to the development of a new
digital forensic investigative model that focuses on the Chain of Custody (CoC).

II. REVIEW OF EXISTING MODELS

As the usage of computer forensics became a necessity in the investigation of computer and other digital-related
crimes, investigative models have been proposed and implemented over the years. Limiting these models to the
investigative aspect of crime scenes and evidence acquisition placed most of them at a disadvantage. Though many
digital investigative models have been proposed and implemented over the years, only some of them are reviewed in
this paper.

It is worth noting that “a large body of proven investigative techniques and methods exists in more traditional
disciplines. Most are applicable in cyberspace, but are not yet considered strongly” [2]. This was the opinion shared
by many when digital forensics started gaining prominence, but as we have discovered, cyberspace is a key point of
consideration both for investigative and research purposes.

According to Pollitt [10], the process of computer forensics is compared and then mapped to the admissibility of the
documented evidence in a court of law. Some steps were distinctly identified as precedents for the admission of such
evidence in a court or other legal proceeding. These steps are:
a. Acquisition
b. Identification
c. Evaluation
d. Admission as evidence
Source: [11]

2.1 Digital Forensic Research Workshop (DFRWS), 2001.


The workshop led to the creation of a consensus framework, proposed by Palmer [12], that would serve as a guide for
digital forensics at that time as a linear process. The categorization of the processes would enable practitioners to
visualize where they need to add capabilities beyond what is available, while academic researchers would use the
process to look for shortfalls in technology, consequently helping them to focus on the areas where research is
required the most. It has seven linear phases, which are Identification, Preservation, Collection, Examination,
Analysis, Presentation, and Decision. In figure 1 below, the boxes in grey are considered by the group to be the core
and fundamental processes after the creation of the consensus framework. It deployed varying techniques and tools
during its various processes. It became the framework on which other models were built and/or modified over the
years. It was the first model proposed, but it was not comprehensive enough to cater to investigative requirements
such as maintenance of the Chain of Custody.

Fig.1: The DFRWS Model. Source: [2]

2.2 The Forensic Process Model, 2001.


This model was proposed by John Ashcroft, an Attorney General, for the U.S. National Institute of Justice (NIJ)
[13]. It was constructed to serve as a guide for first responders, especially law enforcement agents who may have
the responsibility of protecting an electronic crime scene, and for the recognition, collection, preservation,
transportation, and/or storage of digital evidence. Its process consists of four phases, namely Collection,
Examination, Analysis, and Reporting. It provides a very high-level, four-phase process that is linear and
non-recursive in nature, thereby limiting the investigator’s ability to revisit the scene of the crime for more
evidence collection if or when the need arises.

2.3 Abstract Digital Forensic Model (ADFM), 2002.


The authors of [14] reviewed some frameworks for digital forensics and proposed a model named the Abstract Digital
Forensic Model, which would serve as an enhancement of the DFRWS model using the ideals of the physical evidence
collection method practiced by law enforcement agencies. It consists of 9 components, namely – Identification,
Preparation, Approach Strategy, Preservation, Collection, Examination, Analysis, Presentation, and Returning
Evidence. This model includes all the processes of DFRWS; the authors’ own contributions are Preparation
(component 2), Approach Strategy (component 3), which has been identified as being, to an extent, a duplication of
the Preparation phase, and Returning Evidence (component 9), which replaced the Decision phase of the DFRWS
Model [14]. This model was designed to track the traditional evidence collection strategy practiced by law
enforcement agencies, but it was also non-recursive in nature. The ADFM’s main focus is on the investigation
procedures. Its disadvantage is that the third phase of the model is considered a duplication of its second phase,
because the preparation while selecting tools depends directly on the strategy used [15]. Compared to the DIP Model,
it actually described what each phase was about, which the DIP Model lacked [16].

2.4 The Integrated Digital Investigation Process Model (IDIP), 2003.


This model, designed by [17], mapped the digital investigative process onto the physical investigation process after
reviewing the previous models available at the time. The process was organized into five groups – (1) Readiness
Phases, (2) Deployment Phases, (3) Physical Crime Scene Investigation Phases, (4) Digital Crime Scene Investigation
Phases, and (5) Review Phases. These groups contain 17 phases in all [17]. It views the computer as a separate crime
scene rather than just another object for physical evidence acquisition. However, its practice seems impossible,
especially confirming a digital or computer crime before some preliminary physical and digital investigation has been
carried out. It also does not provide sufficient specificity and does not show a clear distinction between
investigations at the victim’s scene (known as the secondary crime scene) and the suspect’s scene (known as the
primary crime scene) [18]. It was also discovered that the trace-back process can be very challenging when dealing
with larger networks, for example the Wide Area Network (WAN) of some organizations, and the Internet in particular
[19]. Its deployment phase, which handles the confirmation or otherwise of the incident, is not practically achievable
for computer crime without proper investigation being done first [15].

Fig. 2: Phases of the IDIP Model – Readiness Phases, Deployment Phases, Physical Crime Scene Investigation Phases,
Digital Crime Scene Investigation Phases, Review Phase (Source: [20])

2.5 The Enhanced Integrated Digital Investigation Process Model, 2004.


The authors, Florence Tushabe and Venansius Baryamureeba, suggested modifying Carrier and Spafford’s Model of
2003 by adding two additional phases, the trace-back and dynamite phases, which sought to separate the investigation
into primary (the computer) and secondary (the physical crime scene) crime scenes respectively, thus making it an
enhanced version of the Integrated Digital Investigation Model. The purpose was to have the resources to reconstruct
the two crime scenes concurrently in order to avoid and minimise inconsistencies [20]. Although this model reserves
only one event reconstruction (at the end of the whole process), it actually makes provision for investigative
hypotheses (and recursion) to be propagated throughout the whole process, thereby making it usable for cybercrime
investigations.

2.6 The Extended Model of Cybercrime Investigations, 2004


This is a model by [21] meant to explicitly represent the information flow in an investigation and to capture the
full scope of the investigation, instead of only processing the evidence available. It consists of thirteen phases,
including some from the DFRWS framework. It argued that the previously existing models focused only on processing
of the evidence. It combines the advantages of previous models, but with extra benefits. Its main advantage is its
explicit identification of information flows in the investigative process, which allows tools to be specified and
developed, case management to be handled, evidence to be examined, and disseminated information to be controlled.
It provides a good basis for understanding the process of investigation and captures the flow of information. Its
main disadvantage is due to its generalistic nature: it must be applied in the context of an organisation before it
is possible to identify clear details of the process. This is because it concentrates on the management aspect of
investigation [21].

2.7 Case-Relevance Information Investigation Model, 2005.


The authors [22] designed the model around a concept that uses a property of any piece of information to measure its
ability to answer the investigative “who, what, where, why, and how” questions in a criminal investigation using the
computer’s intelligence. The authors used this notion to ascertain a degree of relevance, which could be used to
describe the distinctions that exist between computer security and forensics, even defining degrees of
case-relevance. It was used to measure the degree to which gathered information was directly relevant to the case
in question. Computer intelligence is expected to play a more prominent role by offering more assistance in the
investigation procedures and better knowledge reuse and sharing in the area of computer forensics. Its limitations
include the areas of Profiling, Case Matching, Expert Systems, Template Building, lack of Standard Test Datasets,
and Evaluation Criteria [22].

Fig. 5: Degrees of Case-Relevance – Absolutely Irrelevant, Probably Irrelevant, Possibly Irrelevant, Possibly
Case-relevant, Probably Case-Relevant, Provably Case-Relevant. Source: [11]

2.8 Digital Forensic Model Based on Malaysian Investigation Process, 2009.


Perumal (2009) noted that most existing models paid little or no attention to the fragile evidence being retrieved,
as well as to the data acquisition process. Because these areas were absent, he noted that the models would not be
stable enough to be used in cybercrime investigation. He proposed the following stages for his model: Planning,
Identification, Reconnaissance, Analysis, Result, Proof & Defence, and finally, Diffusion of Information. This model
included the acquisition of both static and dynamic data [23]. The drawbacks of this model include its acquisition
stage, which is static; otherwise, it helps by laying emphasis on handling delicate digital evidence [15].

2.9 The Systematic Digital Forensic Investigation Model (SRDFIM), 2011.


This model explored the different processes involved in the investigation of cybercrime and cyber-fraud using an
eleven-stage model. It lays emphasis on evidence dynamics and reconstruction of events by using properties and
standards in the analysis of computer frauds and cybercrime (CFCC). It serves as a benchmark and reference point for
investigating cybercrimes to ensure that the integrity and admissibility of the evidence is attained. Its limitation
is that its application is limited to computer frauds and cybercrimes [15],[24].

2.10 The New Approach Digital Forensic Investigation Model, 2011.


This model helps forensic examiners and organisations by providing a structured and consistent approach for their
investigation procedures. The model is set up as a 4-tier iterative approach. The first tier consists of the
preparation or inception phase; this phase occurs throughout the investigation process – from the assessment to the
final presentation phase. The second tier consists of collection, preservation, and documentation. The third tier
consists of examination, exploratory testing, and analysis, while the fourth tier, known as the representation stage,
consists of result, review and report. The model, which identifies the need for interaction, ensures that consistent
interaction occurs amongst all resources used during the investigation process. However, the generality of the model
means it is not explicit in nature; rather, it must be applied within the context of a crime that has occurred before
clear details of the process are possible [15],[25].

2.11 Extended Abstract Digital Forensic Model with 2PasU (2PasU stands for Preservation and Protection as
two explicit Umbrella principles), 2014
This model was developed based on Reith’s [14] abstract model while incorporating the principles of safeguarding
basic human rights and preserving integrity as the two necessary umbrella principles. The model was designed after a
literature review of twenty (n=20) frameworks and models used in digital forensics investigations [26]. The authors’
results indicated that the published abstract models lacked preservation of the integrity of digital evidence and
protection of basic human rights as explicit overarching umbrella principles. The model fulfils the functional
requirements of forensic investigations using seven sub-processes and the non-functional qualitative requirements by
applying the two principles of preservation and protection. It consists of a list of seven ordered sub-phases, namely
(1) preparation and planning, (2) collection, (3) examination, (4) analysis, (5) reporting, (6) presentation, and
(7) archiving and returning evidence. The sub-phases (coloured green in figure 7) are the core forensic activities,
while the others (coloured blue) are considered significant forensic activities. Though this model has factored in
these two umbrella principles, its abstract nature is a disadvantage because it automatically limits its utilization.

Fig. 6: Extended Abstract Digital Forensic Model with 2PasU. Source [26]

III. Discussion

Examining the various existing models highlighted the marked absence of Chain of Custody (CoC) maintenance in
any of the phases implemented in the investigative models reviewed. The role of the chain of custody cannot be
over-emphasised; unless it is fully implemented during the investigation process, any evidence tendered ends up
being inadmissible during legal proceedings. Though numerous studies have been done on implementing the chain of
custody, the authentication aspect of digital evidence has not been fully factored into the investigative models.

DF models are considered a set of processes that provide concise, (sometimes) abstract, mutually understandable and
concurrent foundations that encourage technological development. Because of their often abstract nature, validating
them requires an appropriate approach. In order to fulfil the Frye standard, the formal methods of validation using
peer evaluation [27] and the mathematical model of [28] were deployed. The following metrics were used to evaluate
the reviewed models – timestamp (this covers the dates, times, number and frequency of times the document was
opened and/or edited), digital signatures (this covers the number of times the document was flagged), chain of
custody, basic human rights protection, and finally, trusted platforms (this covers the encryption hashing associated
with the document) [26].
Table I: Reviewed models with metrics used for analysis
Key: √ = Yes, X = No, ? = Not clear

Model                                      | Timestamp | Digital Signatures | Chain of Custody | Basic Human Rights Protection | Trusted Platforms
(Palmer, 2001)                             | √ | X | √ | √ | X
(National Institute of Justice, July 2001) | √ | X | √ | X | X
(Reith et al., 2002)                       | √ | √ | √ | X | ?
(Carrier & Spafford, 2003)                 | X | ? | √ | X | ?
(Ciardhuain, 2004)                         | √ | ? | X | X | ?
(Tushabe & Baryamureeba, 2004)             | √ | ? | √ | X | X
(Ruibin et al., 2005)                      | √ | ? | X | ? | ?
(Perumal, 2009)                            | √ | ? | √ | √ | ?
(Rogers, 2011)                             | ? | ? | X | ? | √
(Agarwal et al., 2011)                     | √ | ? | √ | ? | ?
(Ademu et al., 2011)                       | √ | √ | √ | X | √
(Kalbande & Jain, 2013)                    | √ | ? | √ | X | √
(Saleem et al., 2014)                      | √ | √ | √ | √ | √

The strengths and weaknesses of the various models reviewed are summarized below

Table II: Strengths and weaknesses of digital forensic models

Year | Model | Strengths | Weaknesses
2001 | The Digital Forensics Research Workshop Model (DFRWS) proposed by Palmer | Authentication, usage of tools for analysis, served as the framework on which other models were built upon. | Authorisation, live acquisition, lacks maintenance of chain of custody
2001 | The Forensic Process Model proposed by John Ashcroft, an Attorney General, for the U.S. National Institute of Justice (NIJ) | Provides guidance for protection of first responders | Authorisation, live acquisition
2002 | Abstract Digital Forensic Model proposed by Reith, Carr & Gunsch | Identification | Authorisation, live acquisition, moving of evidence to a controlled area, abstract in nature
2003 | The Integrated Digital Investigation model (IDIP) proposed by Carrier and Spafford | It views the computer to be a separate crime scene rather than just another object of physical evidence | Lacks protection
2004 | Extended model of cybercrime investigation proposed by Ciardhuain | Created awareness | Preservation, cybercrime focus, overlapping of steps, live acquisition
2005 | Case-relevance information investigation proposed by Ruibin, Yun and Gaertner | The degrees of case-relevance are defined. | Profiling, case matching, expert system, template building, lack of standard test datasets and evaluation criteria
2009 | Digital forensic model based on Malaysian investigation process by Perumal | Acquisition of static & dynamic data, archiving | Classification of crime
2011 | Systematic Digital Forensic Investigation Model proposed by Agarwal, Gupta, Gupta, and Gupta | Emphasis on evidence dynamics and reconstruction of events, serves as benchmark and reference points for investigating cybercrimes to ensure integrity and admissibility of digital evidence is attained. | Application is limited to computer frauds and cybercrimes
2011 | The systematic digital forensic investigation model (SRDHM) proposed by Ademu, Imafidon and Preston | It follows an exploratory testing that allows investigators to undertake their own testing methods that also meet the requirement of the jurisdiction. | Generalistic in nature
2014 | Extended Abstract Digital Forensic Model with 2PasU (2PasU stands for Preservation and Protection as two explicit Umbrella principles) | Provides awareness, preservation and protection of evidence | Abstract in nature

Designing a conceptual model for the Chain of Custody that uses an encryption algorithm to ensure its integrity is
maintained during the transfer and examination of evidence has become crucial and critical, since digital evidence is
generally accepted during legal proceedings as long as the chain of custody has not been broken and there is
authentic evidence to back the claim up. The conceptual model being considered will utilize the RSA and Huffman
algorithms for encrypting, compressing, and decrypting the transferred evidence. According to [29], surveys and
reports by [30], [31], [32] indicate that cybercrime is a serious threat to individuals, corporate entities, and
countries, where the loss can be equated to the national income of a country.
The conceptual model will consist of:
Conceptual Model = CoC + (1)
k = <T + DFM +LM> (2)

CoC = Chain of Custody, P = A series of digital phases, T = Technique and tools, σ = Encryption Algorithm, DFM
= Digital Forensic Model, L = Legal Method, DE = Digital Evidence, n = number of actors.

The model being suggested lends credibility to the important role that chain of custody plays in digital forensics.
The model is designed based on the common generic phases of existing models but now enhanced with the
introduction of CoC into the model.

Fig. 7: Enhanced Digital Forensic Investigative Model with CoC (CoC stands for Chain of Custody)

The phases involved are:


1. Acquisition Phase
2. Identification Phase
3. Analysis and Investigation Phase
4. Evaluation and Report Phase
5. Admission Phase.
The first four phases have a Chain of Custody (CoC) procedure attached to them, while the transition from phase
four to phase five involves Legal Principles.

III Proposed Algorithm for Conceptual Model


The conceptual model being proposed can be evaluated and tested via the following procedure, which can be
implemented thus:
Algorithm 1: Proposed process flow for Enhanced Digital Forensic Investigative Model with CoC
1. Get message to be conveyed as DE (Digital Evidence)
2. Get n, number of actors involved
3. For i = 0 to n (number of actors), where 0 is the source actor
4.   Duplicate received DE as d_DE (d_DE means duplicated Digital Evidence)
     a. If i = 0
          Generate MD5 or SHA-1 hash
     b. Else
          Verify duplicated DE (d_DE) against the MD5 or SHA-1 hash
          Decrypt duplicated d_DE
5.   Process d_DE
     a. If (review is required or error detected)
          Transmit d_DE to previous actor (i = i - 1)
     b. Else
          Duplicate d_DE
          Encrypt d_DE as DE
          Transmit DE to next actor (i = i + 1)
6. End.

In the development of the model by [26], analytical metrics were used to compare varying principles across multiple
investigative models, as shown in Table 4.1. This work will build on that state-of-the-art approach, but using CoC as
a metric for evaluating investigative models. The CoC will be realised via encryption at multiple layers. The idea
is to develop a framework that handles CIA (confidentiality, integrity, availability) in the CoC of DE encapsulated
within a DFM. The metric currently most widely used in DF for its digital CoC is integrity checking via hashing
and/or timestamps [29]. The author of this work proposes a model that incorporates the following principles:
Confidentiality through the usage of a password, Integrity through hashing, and Authenticity through encryption and
encoding at multiple layers. This model is represented in Algorithm 1.
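The following is an added worked example, not code from the paper or its authors, that simulates Algorithm 1 above and the hash-plus-encryption CoC principles described in this section: digital evidence (DE) travels through a list of actors; each hop verifies the source hash, decrypts, processes a duplicate (d_DE), and either re-seals and forwards it or returns it to the previous actor when review is required. Everything beyond the algorithm's steps is my assumption: SHA-256 is used in place of the paper's MD5/SHA-1, zlib stands in for Huffman compression, a toy SHA-256 XOR keystream keyed to the recipient stands in for the RSA step, and the actor names, keys and evidence bytes are constructed for the demonstration.

```python
"""Simulation of Algorithm 1 (chain of custody through n actors).
Added example, not the paper's code. Assumptions: SHA-256 instead of
MD5/SHA-1; zlib instead of Huffman; a toy keystream cipher instead of
RSA; actors, keys and evidence bytes are constructed for the demo."""
import hashlib
import hmac
import zlib
from dataclasses import dataclass, field


@dataclass
class CustodyEntry:
    """One line of the chain-of-custody log that travels with the evidence."""
    actor: str
    action: str
    digest: str          # SHA-256 hex of the evidence as seen by this actor


@dataclass
class Package:
    """What moves between actors: the sealed duplicate plus the CoC log."""
    payload: bytes       # compressed + encrypted d_DE
    source_digest: str   # hash generated by actor 0 (Algorithm 1, step 4a)
    coc: list = field(default_factory=list)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream cipher (stand-in for the paper's RSA step).
    The same call encrypts and decrypts. Demonstration only."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal(d_de: bytes, recipient_key: bytes) -> bytes:
    """Compress, then encrypt for the next actor (step 5b)."""
    return keystream_xor(recipient_key, zlib.compress(d_de))


def unseal(payload: bytes, own_key: bytes) -> bytes:
    """Decrypt, then decompress on receipt (step 4b)."""
    return zlib.decompress(keystream_xor(own_key, payload))


def run_chain(de: bytes, actors: list, keys: dict, reviews: set,
              tamper_before: str = None, max_hops: int = 50) -> Package:
    """Drive DE through actors[0..n]; actor 0 is the source.
    `reviews` names actors that send the evidence back once (step 5a);
    `tamper_before` corrupts the payload in transit to that actor so the
    receiving hop's integrity check can be observed failing."""
    d_de = bytes(de)                                   # step 4: duplicate
    pkg = Package(payload=b"", source_digest=sha256_hex(d_de))
    pkg.coc.append(CustodyEntry(actors[0], "generated hash", pkg.source_digest))
    i, hops = 0, 0
    while True:
        actor = actors[i]
        if hops > 0:                                   # received from another actor
            try:
                d_de = unseal(pkg.payload, keys[actor])
            except zlib.error:                         # corrupted in transit
                d_de = b""
            if not hmac.compare_digest(sha256_hex(d_de), pkg.source_digest):
                pkg.coc.append(CustodyEntry(actor, "HASH MISMATCH", sha256_hex(d_de)))
                raise ValueError(f"{actor}: evidence integrity check failed")
            pkg.coc.append(CustodyEntry(actor, "verified hash", pkg.source_digest))
        # step 5: process d_DE (read-only here; the evidence itself is never edited)
        if actor in reviews and i > 0:
            reviews.discard(actor)
            nxt = i - 1
            pkg.coc.append(CustodyEntry(actor, f"review required, returned to {actors[nxt]}", pkg.source_digest))
        elif i == len(actors) - 1:
            pkg.coc.append(CustodyEntry(actor, "chain complete", pkg.source_digest))
            return pkg
        else:
            nxt = i + 1
            pkg.coc.append(CustodyEntry(actor, f"transmitted to {actors[nxt]}", pkg.source_digest))
        pkg.payload = seal(d_de, keys[actors[nxt]])
        if actors[nxt] == tamper_before:               # simulated in-transit corruption
            pkg.payload = bytes([pkg.payload[0] ^ 0xFF]) + pkg.payload[1:]
        i, hops = nxt, hops + 1
        if hops > max_hops:
            raise RuntimeError("chain did not terminate")


# Constructed demo data (not from the paper).
ACTORS = ["source", "lab", "analyst", "court"]
KEYS = {a: hashlib.sha256(b"demo-key-" + a.encode()).digest() for a in ACTORS}
EVIDENCE = b"constructed disk-image bytes: " + bytes(range(256)) * 4


def clean_run() -> Package:
    """The analyst asks for one review, so the package goes back to the lab once."""
    return run_chain(EVIDENCE, ACTORS, KEYS, reviews={"analyst"})


def tamper_is_detected() -> bool:
    """Corrupt the payload on the lab->analyst hop; the analyst must reject it."""
    try:
        run_chain(EVIDENCE, ACTORS, KEYS, reviews=set(), tamper_before="analyst")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for entry in clean_run().coc:
        print(f"{entry.actor:8} {entry.action:40} {entry.digest[:16]}...")
    print("tamper detected:", tamper_is_detected())
```

Two design points worth noting: the hash that every actor verifies is the one generated by the source over the original evidence, so the log shows an unbroken integrity claim from actor 0 to the court rather than one re-computed at each hop, and the comparison uses `hmac.compare_digest` so that the check itself does not leak timing information. Sealing with the recipient's key mirrors the public-key use of RSA that the paper proposes; a real deployment would also sign each CoC entry so that the log, not just the evidence, is tamper-evident.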

IV Conclusion

Every year, different types of cybercrimes are committed worldwide, thereby requiring varying digital forensic
models to assist in solving them. In the 1980s, most digital forensic investigations consisted of “live analysis”,
the examination of digital media by direct usage of non-specialist tools. By the 1990s, many freeware and other
patented tools (consisting of both hardware and software) were being created to allow investigations to take place
without the media being modified. This paper reviewed some of the various digital forensic investigative models in
existence. As the cybercrimes being committed get more digitally savvy, the technology being deployed also gets
more sophisticated in nature, thereby leading to the design of commensurate investigative models that can be applied
to solve these crimes. As noted by [7], the usage of triage as practiced in the medical profession can also be applied
to computer forensics. Gielen (2014) also observed that some of the investigative models had actually included the
usage of triage as a stage before the gathering and analysis of evidence [31]. However, the major flaws noticed across
the models are that they lack a systems analytical approach, as well as the absence of Chain of Custody (CoC)
maintenance during the various phases of the investigative models, which is what the authors are looking into
incorporating into the model being considered for development. This model will also try to utilize triage from the
extraction stage of the model such that any evidence collected will remain useful without alteration or degradation
over a long period of time.

Digital forensic investigative models are meant to aid and serve as guidelines for investigators, practitioners and
academia in the development of digital forensic procedures. The authors, after surveying and critiquing the above models,
propose a Digital Forensic Investigative Model enhanced by Chain of Custody that will fit into any of the existing models
for the purpose of authenticating the evidence and maintaining its integrity.
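The following is an added illustration, not the authors' proposed model or any code from the paper, of how Chain of Custody can be bound to the phases of an investigative model for integrity and authentication purposes: each phase appends a record that ties the SHA-256 of the evidence image to the custodian and to the hash of the previous record, and custody is refused if the image no longer hashes to its acquisition value. The phase names, custodian roles and the sample evidence bytes are constructed for the example.

```python
"""Hash-chained Chain-of-Custody (CoC) ledger for digital evidence.

Added example (not the paper's model): every investigative phase
(Acquisition, Examination, Analysis, ...) appends a record binding the
evidence hash to the custodian and to the previous record, so alteration
of the evidence, or of an earlier ledger entry, becomes detectable.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

GENESIS = "0" * 64  # previous-record hash used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyRecord:
    phase: str             # investigative phase (assumed names, e.g. "Acquisition")
    custodian: str         # person or role taking custody
    timestamp: str         # ISO-8601 UTC time of the handover
    evidence_hash: str     # SHA-256 of the evidence image at handover
    prev_record_hash: str  # record_hash of the previous ledger entry
    record_hash: str = ""  # SHA-256 over the five fields above

    @staticmethod
    def build(phase: str, custodian: str, evidence_hash: str,
              prev_record_hash: str) -> "CustodyRecord":
        ts = datetime.now(timezone.utc).isoformat()
        body = json.dumps([phase, custodian, ts, evidence_hash, prev_record_hash])
        return CustodyRecord(phase, custodian, ts, evidence_hash,
                             prev_record_hash, sha256_hex(body.encode()))

    def recompute_hash(self) -> str:
        body = json.dumps([self.phase, self.custodian, self.timestamp,
                           self.evidence_hash, self.prev_record_hash])
        return sha256_hex(body.encode())


class CustodyLedger:
    def __init__(self) -> None:
        self.records: List[CustodyRecord] = []

    def acquire(self, evidence: bytes, custodian: str) -> CustodyRecord:
        """First entry: fixes the reference hash at acquisition time."""
        if self.records:
            raise ValueError("ledger already holds an acquisition record")
        rec = CustodyRecord.build("Acquisition", custodian, sha256_hex(evidence), GENESIS)
        self.records.append(rec)
        return rec

    def handover(self, evidence: bytes, custodian: str, phase: str) -> CustodyRecord:
        """Later phases re-hash the evidence before accepting custody."""
        if not self.records:
            raise ValueError("acquire() must be called first")
        current = sha256_hex(evidence)
        if current != self.records[0].evidence_hash:
            raise ValueError(f"evidence hash mismatch at {phase}: custody refused")
        rec = CustodyRecord.build(phase, custodian, current, self.records[-1].record_hash)
        self.records.append(rec)
        return rec

    def verify(self, evidence: bytes) -> Tuple[bool, str]:
        """Check evidence integrity and ledger linkage; returns (ok, reason)."""
        if not self.records:
            return False, "empty ledger"
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.prev_record_hash != prev:
                return False, f"record {i}: link to previous record broken"
            if rec.record_hash != rec.recompute_hash():
                return False, f"record {i}: record contents altered"
            if rec.evidence_hash != self.records[0].evidence_hash:
                return False, f"record {i}: evidence hash differs from acquisition"
            prev = rec.record_hash
        if sha256_hex(evidence) != self.records[0].evidence_hash:
            return False, "evidence altered since acquisition"
        return True, "chain intact"


def demo() -> Tuple[bool, bool]:
    """Walk a constructed image through three phases, then tamper with it."""
    image = b"constructed disk image bytes 0001"  # constructed sample, not real evidence
    ledger = CustodyLedger()
    ledger.acquire(image, "first responder")
    ledger.handover(image, "lab examiner", "Examination")
    ledger.handover(image, "analyst", "Analysis")
    intact, _ = ledger.verify(image)
    tampered, _ = ledger.verify(image + b"x")
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The chain links only detect alteration of entries that have a successor; the most recent record, like the ledger file itself, still needs append-only storage or a custodian signature to be trustworthy, which is the part an investigative model has to specify as a procedure rather than as code.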

REFERENCES

[1] Cartel Working Group, "Anti-Cartel Enforcement Manual," International Competition Network, pp. 2-27,
2010.
[2] Digital Forensic Research Workshop, "A Road Map for Digital Forensic Research," in Report from the first
Digital Research Workshop (DFRWS), New York, 2001.
[3] David Baker, "Digital Forensics," in A Road Map for Digital Forensic Research (DTR - T001-01 Final). Utica:
DFRWS, 2001.
[4] Simon L. Garfinkel, "Digital Forensics Research: The next 10 years," Science Direct, pp. S64-S73, 2010.
[Online]. www.elsevier.com

[5] Purdue University. (2003) Digital Forensics.
[6] Gary L Palmer, "Forensic Analysis in the Digital World," International Journal of Digital Evidence, Vol. 1
No.1, 2002.
[7] Mattijs Gielen, "Prioritizing Computer Forensics Using Triage Techniques, MSc thesis," 2014.
[8] M.K. Rogers, J. Goldman, R. Mislan, T. Wedge, and S. Debrota, "Computer Forensic Field Triage Process
Model," 2006, pp. 27-40.
[9] PoliceOne. (2015, October) PoliceOne. [Online].
https://www.policeone.com/police-products/investigation/evidence-management/articles/26949006-Evidence-chain-of-custody/
[10] M Pollitt, "Computer Forensics: An Approach to Evidence in Cyberspace," in National Information Systems
Security Conference, Vol. II, 1995, pp. 487-491.
[11] Mark Pollitt, "An Ad Hoc Review of Digital Forensic Models," in Second International workshop on
Systematic Approaches to Digital Forensic Engineering (SADEF'07), 2007.
[12] Gary L Palmer, "A Road Map for Digital Forensic Research," in Digital Forensic Research Workshop, Utica,
2001.
[13] National Institute of Justice. (July 2001) National Institute of Justice. [Online].
http://www.ncjrs.org/pdffiles1/nij/187736.pdf.
[14] Mark Reith, Carr Clint, and Gregg Gunsch, "An Examination of Digital Forensic Models," International
Journal of Digital Evidence, Fall 2002, Volume 1 Issue 3., 2002.
[15] Gulshan Shrivastava, Kavita Sharma, and Akansha Dwivedi, "Forensic Computing Models: Technical
Overview," in Computer Science & Information Technology (CS & IT).: CS & IT-CSCP, 2012, pp. 207-216.
[16] Chang-Tsun Li, Emerging Digital Forensic Applications for Crime detection, Prevention and Security.: Idea
Group Inc., 2013.
[17] Brian Carrier and Eugene H. Spafford, "Getting Physical with the Investigative Process," International Journal
of Digital Evidence, Fall 2003, Volume 2, Issue 2, 2003.
[18] Henry Lee, Timothy Palmbach, and Marilyn Miller, Henry Lee's Crime Scene Handbook.: Academic Press,
2001.
[19] Joseph Migga Kizza, Ethical and Social Issues in the Information Age, Second Edition.: Springer, 2003.
[20] Florence Tushabe and Venansius Baryamureeba, "The Enhanced Digital Investigation Model," in DFRWS
2004 Workshop Report and Findings, New York, 2004, pp. 20-22.
[21] Seamus O. Ciardhuain, "An Extended Model of Cybercrime Investigations," International Journal of Digital
Evidence, Volume 2, Issue 1, Summer Edition, 2004.
[22] Gong Ruibin, Tony Chan Kai Yun, and Mathias Gaertner, "Case-Relevance Information Investigation: Binding
Intelligence to the Current Computer Forensic Framework," International Journal of Digital Evidence, Volume
4, Issue 1, Spring Edition, 2005.
[23] Undresan Perumal, "Digital Forensic Model Based On Malaysian investigation Process," International Journal
of Computer Science and Network Security, Vol. 9, pp. 38-44, 2009.

[24] Ankit Agarwal, Megha Gupta, Saurabh Gupta, and Subhash Chandra Gupta, "Systematic Digital Forensic
Investigation Model," International Journal of Computer Science and Security, Vol.5, pp. 118-131, 2011.
[25] Inikpi O. Ademu, Chris O. Imafidon, and David S. Preston, "A New Approach of Forensic Model for Digital
Forensic Investigation," International Journal of Advanced Computer Science and Applications, Vol. 2, No.12,
pp. 175-178, 2011.
[26] Shahzad Saleem, Oliver Popov, and Ibrahim Bagilli, "Extended Abstract Digital Forensics Model with
preservation and protection as umbrella principles," in 18th International Conference on Knowledge-Based and
Intelligent Information & Engineering Systems - KES2014, Poland, 2014, pp. 812-821.
[27] R.F. Erbacher, "Validation for Digital Forensics," in 7th International Conference on Information Technology:
New Generations - ITNG 2010, Las Vegas, 2010. DBLP.
[28] Metrics for Digital Forensics. [Online] California Sciences Institute. Available at:
http://www.securitymetrics.org/attachments/Metricon-3.5-Cohen-Forensics-Metrics.pdf [Accessed 21 July
2016].
[29] Prayudi Yudi and SN Azhari, "Digital Chain of Custody: State of the Art," International Journal of Computer
Applications (0975-8887), Vol. 115, No. 5, March 2015.
[30] CSIC, "Net Losses: Estimating the Global Cost of Cybercrime," Washington DC, USA, 2014.
[31] PwC, "US cybercrime: Rising risks, reduced readiness," 2014.
[32] RSA, "The Current State of Cybercrime 2014: An Inside Look at the Changing Threat Landscape," 2014.
[33] G Cantrell, D Dampier, Y. S. Dandass, N Niu, and C Bogen, "Research toward a partially-automated, and
crime specific digital triage process model," Computer and Information Science, 5(2), pp. 29-38, 2012.
