Advances in Digital Forensics Frameworks and Tools: A Comparative Insight and Ranking

Muhammad Abulaish (Department of Computer Science, South Asian University, New Delhi, India) and Nur Al Hasan Haldar (Center of Excellence in Information Assurance (CoEIA), King Saud University, Riyadh, Saudi Arabia)
DOI: 10.4018/978-1-7998-3025-2.ch027

Abstract

Digital forensics science is a well-known initiative to unearth computer-assisted crimes. The thriving criminal activities using digital media have changed the typical definition of a traditional crime. Meanwhile, the means and targets of criminal activities have been transformed in a broader context due to the diverse nature of offenses associated with the multiple crime categories, affecting the way investigations are conducted as well. In order to withstand the difficulties caused by crime complexity, forensics investigation frameworks are being tuned to adjust to the nature and seriousness of the felonies being committed. This article presents an in-depth comparative survey of fourteen popular and most cited digital forensics process models and various forensics tools associated with different phases of these models. The relationships among these forensics process models and their evolutions are analyzed, and a graph-theoretic approach is presented to rank the existing process models to facilitate investigators in selecting an appropriate model for their investigation tasks.

Chapter Preview

1. Introduction

Digital forensics (also known as computer forensics) is a systematic process of uncovering a crime through investigating the media components found in associated digital devices. The investigation practice follows a list of scientifically derived and justified mechanisms for gathering and illustrating the evidence of a crime scene. Forensic science integrates scientific knowledge and methodology into a legal problem and criminal investigation. Over the last few years, digital forensics has been given much importance where electronic devices are used for executing an offense. Though the initial focus of digital forensics investigations was on crimes perpetrated using computers only, the field nowadays has been extended to incorporate other digital devices such as cameras, smartphones, etc. Any digital information stored in such devices can be inspected and identified for various types of criminal activities (Kohn, Eloff & Eloff, 2013).

Forensics is a very different business when it comes to technology. Compared with traditional forensic science, digital forensics differs significantly and also poses some substantial challenges. Traditional forensic analysis involves the investigation of tangible, physical items found around the crime scene, whereas digital forensics encompasses various operations such as the extraction, storage and analysis of digital data using scientifically derived and proven methods. A traditional forensic analysis can progress logically step by step, in line with widely accepted forensic practices. It is generally dependent upon the laboratory setting and on-field activities, and in general it follows the widely accepted physical forensics practices. In comparison, computer forensic science is almost entirely technology and market driven, independent of laboratory environment and settings (Noblett, Pollitt, & Presley, 2000). Digital examination and analysis vary uniquely from one investigation to another. In terms of sample collection for investigation, traditional forensics attempts to gather as much information as possible from an evidence sample, whereas digital forensics attempts to discover only the relevant information from a large volume of heterogeneous digital data.

At the Digital Forensic Research Workshop, Palmer (2001) defined digital forensics as “…the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations…” This definition is frequently cited and is also accepted as an all-inclusive definition (Kohn, Eloff, & Eloff, 2013). Willassen et al. (2005) defined digital forensics more broadly as “…the practice of scientifically derived and proven technical methods and tools towards the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of after-the-fact digital information derived from digital sources for the purpose of facilitating or furthering the reconstruction of events as forensic evidence…” The main change in this definition compared with Palmer’s definition is that Willassen et al. have removed the references to criminal events and unauthorized actions. As a result, this definition extends the scope of application to include digital forensics in various types of investigation, such as commercial investigation (Kohn, Eloff, & Eloff, 2013).
