Introduction
Digital forensics is a complex and important field that has emerged because of the growing scale and complexity of modern-day cybercrime and the ever-increasing use of computer systems and digital media in real-world crimes. The likelihood of becoming a target of cybercrime is a fear of almost every computer user. Cybercrime is therefore a significant and challenging problem that can cause severe financial damage. Digital forensics is a craft-based discipline that has grown out of the need to enforce law and justice in cyberspace, bringing the whole body of knowledge in computer science to bear on the legal system.
Cyber criminals generally leave evidence, which forensic investigators correlate and analyze to understand who, what, why, when, where and how a crime was committed. Forensic evidence should be admissible, authentic, complete, reliable and believable to the legal system if it is to be used to prosecute the criminals (Brezinski & Killalea, 2002). However, anti-forensic methods have recently gained popularity among criminals who aim to interfere with the forensic process by destroying digital evidence using various methods and tools, or by increasing the examiners' overall investigation time and cost. According to various international reports, the use of anti-forensics has risen to over one third of cybercrime cases in recent years (Verizon Business, 2009). A reliable framework for digital forensic investigations, in terms of both tools and methods, is therefore needed, one that also addresses anti-forensic methods, particularly when time, cost and resources are critical constraints in an investigation.
Digital forensic investigation models have remained at an informal level of expressivity, and there are very few attempts in the literature to formalize what a digital forensic investigation is (Leigland & Krings, 2004). For example, Carrier (2006) showed that the concepts of a digital forensic investigation can be mapped onto computing concepts by demonstrating that a particular program created some file, and Gladyshev (2004) analyzed a printer queue to show who printed a particular document. However, these attempts are detailed analyses of single pieces of evidence. Blackwell (2009) systematically analyzed credit card fraud using attack trees; this approach could also be applied to forensic investigations, and would benefit from a more formal and systematic methodology.
According to Leigland and Krings (2004), such formalization might have several benefits, which can be classified as follows:
- Procedural: by reducing the amount of data and their management;
- Technical: by allowing digital forensic investigations to be modified to take account of the technological changes underlying them;
- Social: in that the capabilities of an attack are captured within the social as well as the technical dimension; and finally
- Legal: in that it allows the legal requirements of an investigation to be expressed.
In this article, we develop a framework to support digital forensic investigations that takes possible anti-forensic situations into account. We use a goal-driven formal requirements engineering methodology called KAOS (van Lamsweerde, 2009) to formalize the goals, obstacles, procedures and responsibilities involved in any digital forensic investigation. To this end, we map KAOS concepts such as goals, obstacles and agents to the concepts used in typical digital forensic investigations.
The main contributions of this paper therefore are: