Digital Forensics Abstract digital forensics model (ADFM) and the DFRWS investigative model

December 31, 2022

Abstract digital forensics model (ADFM)

Because the Identification phase of this model presupposes that the incident type has already been correctly identified and defined, this step is crucial because all subsequent processes depend on it. It is then followed by the action of preparation, which is the first phase that has been presented and consists of preparing tools, methods, search warrants, monitoring authorization, and management support. The action of the introduction of the second step then follows this step. Approach Strategy this stage is intended to optimize the evidence gathering while minimizing the impact on the victim by devising various methods and processes to follow.

This step aims to collect as much evidence as possible without hurting the victim. In the next step, called Preservation, all the data obtained has to be compartmentalized and protected so that it may remain in its original form. During the Collection phase, all digital evidence obtained is copied, and a recording is made of the physical scene. These activities are carried out according to established protocols and are conducted as part of the phase.

The following step is called an Examination, and during this phase, an in-depth systemic study is carried out to hunt for evidence related to the present case. During the Analysis phase, the probative value of the evidence that is being evaluated is determined. The next stage is a Presentation, where a process summary is made. After that comes the third step, Returning Evidence, when the investigative process is finished by returning any physical or digital evidence to its rightful owner.

DFRWS investigative model

This model was the foundation for further improvements since it was consistent and standardized. The stages of this model were as follows: identification, preservation, collection, examination, analysis, and presentation (then an additional pseudo step: Decision). At each stage, we test a variety of potential approaches or procedures. The first step is called Identification, and it includes things like the identification of events or crimes, the resolution of signatures, the detection of anomalies, system monitoring, audit analysis, and so on. Next comes the process of preservation, a guarded concept that occurs throughout all phases of forensic work. During this step, proper case management is established, imaging technologies are used, and all measurements are collected to guarantee an exact and appropriate chain of custody.

The next stage, collection, follows immediately after, during which relevant data is gathered based on validated methodologies, software, and hardware; during this step, we use several data recovery techniques and lossless compression. The next step is to perform data mining and create a timeline, both exciting and critical phases that come after this step. Examination and Analysis are the two phases that come after this step.

The examination is the phase in which evidence traceability and pattern matching are guaranteed. The analysis is the phase in which confidential data must be discovered and extracted. The Presentation phase is the most recent step in this approach. Documentation, clarification, an impact statement on the mission, recommendations on what countermeasures should be implemented, and expert testimony are the tasks associated with this stage.

Visit https://www.cybercert.ca or call 416 471 4545 to enroll in the Security+/CEH/CISSP training course.

Sam Fareed

Lead Instructor qualified in CISSP, CCIE, and MCT with 25 years of training experience in Toronto.