INTEGRATED MANAGEMENT MODEL OF THE CORPORATE DIGITAL FORENSIC INVESTIGATION

Original scientific paper Metrics of the key performances indicators (KPIs) should be established into corporate digital forensic (DF) investigation process management to encourage performances effectiveness and efficiency improvement. The KPIs should lead to a quantitative assessment of gains in the DF investigation objectives, such as creating proved digital evidence (DE), reducing costs and DF investigation cycle time, etc. The KPIs metrics should address alignment with DF principles and standard operating procedures (SOP), forensic and legal requirements, digital evidence (DE) quality, stakeholder satisfaction and digital evidence legal admissibility. As a tool for quality improvement of the DF investigation processes, the KPIs metrics should be well defined and understood, and introduced by all stakeholders in the DF investigation process. The authors of this article suggested an integrated model of the corporate DF investigation management process. The model includes key activities, resources, performances objectives, risks and the KPIs metric. It is relevant for the development and management of the effective corporate DF investigation processes.


Introduction
The difficulties and even impossibilities of measuring the DF investigation process are well described by Dr. Fred Cohen in his reference [1].According to the accessible references, a few authors have described the corporate DF investigation (CDFI) process.However, an integrated management model including DF resources, objectives, key performances and the key performance indicator (KPI) metrics has not yet been defined, even theoretically.Michael W. Andrew [2] has introduced the concepts of efficiency and accuracy as the central issues in the DF analysis phase.Authors Siti R. Selamat, et al. [3] introduce an original Trace Map Model to facilitate the investigator in tracing and mapping the rate of evidence and offender identification.Mapping the DF investigation framework process, defined with between 3 and 21 phases, with activities and outputs for each phase, in order to optimize the whole DF investigation process, is suggested by Siti R. Selamat et al. [4].A comprehensive model of the proactive, active and reactive DF investigation, and definition for Comprehensive Digital Evidence with evidentiary weight in a courtroom, has been proposed by authors C. P. Grobler et al. [5].A model of high-performance computing in reactive, active and proactive DF is defined by authors Soltan Alharbi et al. [6].Authors Henry Nnoli et al. [7] present a corporate forensic framework and sound forensic practices in large organizations.A detailed, iterative DF process model in the five main phases and the different roles it can perform (in each phase in general), followed by a mathematical algorithm to increase the reliability of DE, and are presented by the authors Marjan Khatir et al. [8].The authors Richard E. Overill and Jantje A. M. Silomon [9] suggest quantifying methods for evaluation of the extent to which the recovered DE traces support suspicion of the prosecution that a particular computer crime has been committed, as well as the cost-effectiveness of the DF investigative process.George Sibiya et al. [10] propose a guideline for DF procedures in network forensics and a harmonized DF investigation process.An integrated reactive physical and digital investigation process model has been suggested by authors Brian Carrier and E.H. Spafford [11].The authors of this paper propose an integrated process model of the CDFI management system, including risks, objectives, and recourses, key performances and KPI metrics, which is based on the four-phase reactive DF investigative process model defined by authors David C. Smith and Samuel Petreski [12].This model, also accepted by the U. S. Department of Justice, is appropriate for the CDFI key performances to be chosen in this research.The CDFI KPI metrics are designed following the suggestions for very complex and uncertain metrics in DF as outlined by Dr. Fred Cohen in his reference [1].The KPI metrics of the CDFI process proposed in this paper must be considered as a part of a more complex and comprehensive approach to the CDFI metric system.The CDFI process consists of a computer incident management team, including a qualified digital forensic examiner, and is intended to be integrated into an organization's information security management system (ISMS) and total quality management system (TQM), to form a larger QMS framework in organizations.

Accepted model of the DF investigation process
The complexity of the DF investigation process has been analysed by many authors.Just as any process can be decomposed according to purpose, such as implementation, analysis, improvement, etc., the decomposition of the DF investigative process can be into four phases [12], five [2], or more [3].In this research, the main purpose of the integrated CDFI process model decomposition is to avoid failed investigation and to improve CDFI procedures.Therefore, the four-phase DF investigation process was applied (Fig. 1): (1) identification & preparation, (2) acquisition, (3) analysis, and (4) presentation.In Phase 1 the DF investigative process should be prepared and planned, the forensic request identified and well understood, and all resources and communications provided.All digital devices in a computer incident that may be or may contain potential digital evidence (DE) must be identified and properly documented.In Phase 2, which is the most critical from a DF analysis point of view, sources of the potential DE are collected, packed, transported, and preserved, and their integrity maintained.In the next step of the logical acquisition, the potential DE is imaged or cloned into forensically clean media.In Phase 3 the relevant data for the case are identified, extracted and analysed.According to the forensic request, a proved piece of DE is constructed by corroborative DE traces, retrieved from different locations of the image/clone of digital data sources.In phase 4, the proved piece of DE must be reported and presented to the management of the organization, to law enforcement, or in a courtroom in a clear and understandable way.Obviously, live forensics are not considered in this CDFI model due to management support to the process and free access to the digital data (DD) sources.From the legal point of view, all DD are essentially circumvent evidence due to the nature of digital data, and as such could be unacceptable by a legal system.In fact, direct evidence in a digital environment can only be an immediate confession of an attacker caught by police during the attack itself, which is almost impossible and extremely rare at best.To be admissible in a courtroom, the nature of circumvent DD and the importance of the acquisition phase for DE construction must be carefully considered in accordance with DF science.Otherwise, admissibility of DE at trial does not depend so much on the acquisition but on the legality of the seizure, legality of the search, and relevance of the DD for the case.The DE, coming from many types of digital devices, can be easily modified and damaged, since it [3]: (1) is dispersed through the computer's traces; ( 2) is barely readable to humans; (3) gives a partial view of an incident/crime; (4) comprises abstractions of certain events; (5) is volatile and easily altered; and (6) must be retrieved from different sources and created by corroborative digital traces.
Collecting, maintaining and protecting the chain of custody of DE through a structured process and documented standard operating procedures (SOPs) in order to be admitted by law enforcement for further processing is crucial for the first incident responders in the CDFI process.In the acquisition phase of the CDFI process there are two aspects: (1) physical acquisition or collection of the DE sources, and (2) logical acquisition of the potential DE, retrieving them from a forensic image/clone in the post-mortem model applied in this model.In big data and cloud computing environments, the diversity of devices and locations generates a huge volume of DE that is not easily identified and traced [3].In the acquisition and analysis phases of the CDFI process, forensic tools must be scientifically proved, legally accepted and performed by qualified DF experts responsible for the integrity of the DE.The DE must be easily tracked and preserved.In the presentation phase of the CDFI process, the main activities are documenting and explaining the DE in a clear and understandable way.As any forensic case could end up in the courtroom, consistency in terms of DE identification and traceability is very important and the most challenging feature of the CDFI process.

Quality of the DF investigation process performance
The quality of any process performance mainly depends on the KPIs metrics that must be defined completed and broadly accepted.Measuring the KPIs, as the key activities essential for the development and management of the effective DF investigation process, is proposed in this article.In order to develop quality of the DF investigation process, an objectively measurable KPI metric system must be defined.Except specification of DF case hypothesis and KPIs definitions, some thresholds of the KPIs metrics must be defined, too.These can be levels of: support by law; qualitative criteria; effectiveness and efficiency; industry standards application; statistical analysis; metric attainability; forensic examiner expertise, and the KPIs metric acceptance in the DF community, etc.
Quality of the DF investigation process KPIs metrics enables compliance with existing forensics standards.In these metrics, Yes/No measure must be used due to many uncertainties, such as: establishing DF process and KPIs criteria; measuring process performances effectiveness and efficiency; analysing the DF investigation reports, arbitrary assessing achieved threshold level, etc.

Iterative process of the DF KPI metric system development and implementation
The DF KPI metric system, focused on the specific forensic needs, can help significantly in developing DF investigation process maturity.It requires a quantitative measuring the DF KPI through the iterative activities and reality checks of the capabilities to capture and report DE.Before any KPIs metrics are implemented, the processes to define, develop and educate the stakeholders must be performed.However, any pre-defined DF KPI metrics could be ineffective due to uniqueness of each forensic case.Except measuring key performance of the DF investigative process the DF KPI metric includes knowledge and skill of the forensic examiner and other stakeholders.However, an initial set of the DF KPI metrics must be developed by digital forensic examiners and forensic community.The other stakeholders, including justice system, must be involved later on, and aligned the metric results with the DF investigation objectives.Therefore, once selected and agreed, the quantitative DF KPI metrics must be incorporated into the DF investigative management standards, principles and procedures.However, many of the DF KPI metrics are uncertain and some of them cannot be defined easily or even at all [1].Therefore, very often there are no metrics associated with the DF KPIs, especially in changeable ebusiness and cybercrime environment.The DF objectives sometimes could be unrealistic (too high or too low) and the associated DF KPIs metrics' objectives must be changed.However, there is nothing wrong in that, if it is supported by the sound DE admitted by judge.

Establishing integrated model of the DF process performances objectives and the KPIs metrics
The main objective of the DF investigation process is to reconstruct event of the computer incident/crime and prove it in courtroom.However, on the whole the proved DE cannot be sufficient to reconstruct a case completely, particularly in connecting people to the attacker's computer.Therefore, in addition to the proved DE, some physical artefacts and eyewitness statements are needed.
The CDFI KPI metrics must meet legal requirements for measuring reliability, authenticity and accuracy of the DE, based on properly applied scientific methodology and independent, repeated examinations.However, the DF KPI metrics have not yet been established comprehensively and precisely, and there is no industry standard to support them.Therefore, KPI metrics concepts from another research area must be adopted to build the CDFI KPI metric system.However, some metrics in the DF investigative process have already been proposed, such as the Forensic Traceability Measurement by authors Siti R. Selamat et al. [3].Daniel Ayers [13] makes suggestions for the measurement of the computer forensic tools' efficacy and performance, including the following parameters: absolute (T) and relative (T1) speed; completeness (%); accuracy (100 %); reliability (100 %); auditability (%); repeatability (%); and limitations of first-generation tools (Y/N).
The CDFI KPI metrics should be implemented into the computer incident management system to encourage its performance improvement, effectiveness and efficiency of the internal security controls and the ISMS.This approach should provide quantitative assessment of gains in the main CDFI objectives, such as: (1) creation of the proved DE; (2) reduction of the cost and the CDFI cycle time; and (3) understanding attack activities and reconstruction of the computer incident/crime.The key elements of the CDFI KPI metrics in this approach should address alignment with the DF principles and SOPs, and meet the forensic and legal requirements.
Measuring the CDFI KPIs is of critical importance for improvement of their objectives, performances, effectiveness and efficiency.These parameters incorporate "best practices" of the measured KPIs, an appropriate risk analysis, and provide a quantitative assessment of new business values.The first step in developing the CDFI KPI metrics is to involve the DF stakeholders and other necessary resources, then to identify critical phases of the CDFI process, forensic requirements, objectives, key performances of the CDFI process, and finally the KPI metrics.Examples of independent category classification of the DE KPIs that are not mutually exclusive could involve content and variety of data (such as metadata, directory, configuration, log, backup, recovered and tampered data), and forensic interpretation, as well.
In general, to determine the quality of a particular KPI metric, the SMART (specific, measurable, attainable, realistic, and timely) test can be used.The importance of the KPI metrics' quality is well known, especially for assessment of the process trend and change management against known and new coming standards.In the CDFI KPI metrics, a Yes/No or TBD measure must very often be used, usually for establishing trends and baselines, such as: DE legal admissibility; performed DF analysis with/without SOP criteria; qualification of the DF examiner, etc.The CDFI KPI metrics can provide a quantitative assessment of forensic requester satisfaction and quality of CDFI performances and DF investigator's services.
According to ISOstandards, objectives are defined as wanted results and performances as accomplished results.They should have the same KPIs as much as possible [15].Development of the CDFI KPIs and their objectives and metrics can best be specified when they are defined at the levels of objectives, criteria and KPI metrics.The key performance objectives, risks and recourses of the CDFI process are outlined in Tab. 1.
In Tab. 1 the phases and activities are selected according to the four-phase DF investigative model.Some activities such as planning and providing resources for the CDFI process are avoided, as they are mandatory in any process.The other items are selected as representatives of the key activities, following the idea of the CDFI key performance analysis.Among the many performances of the CDFI process, the authors have selected only the key ones among them that are critical for the effectiveness and efficiency of the CDFI process, including their risk, verification status and validation status.The risk factors Technical Gazette 23, 6(2016), 1591-1600 have to be analyzed in any process, and therefore must be assessed in the CDFI process, as well.The verification status of the key activities reflects assessment of the SOPs and forensic technology application strictness in accordance with the CDFI process.The validation status of the CDFI process depends on legal judgement after cross-examination in the courtroom.The legal system's involvement includes providing a warrant for initiating the CDFI process, and extends into the trial process.In Tab. 1 an "expert" means one expert of the computer science without forensic knowledge who can tell only facts.Opposite, "an expert witness" is a digital forensic specialist who has legal licensee and can express facts and his/her own opinion.Some examples of the CDFI KPI objectives and metrics are described in Tab. 2. Some of them are implicitly included, such as: compliance with the DF principles, methods, techniques and tools, and forensic request; CDFI cost optimization; quality of the DE and DF investigator's work; CDFI cycle time reduction; delivery time of the DE; forensic requester satisfaction, etc.

Integrated management model of the corporate DF investigation
The effectiveness of a CDFI management system can be measured by levels of its performance objective achievement.The main purpose of establishing a CDFI management system is to define the following: management methodologies of its policy and objectives; risk factors influencing them; and the resources and CDFI process activities to fulfil stakeholders' forensic requirement needs and expectations [16].Any organization conducting a CDFI process must ensure that it is supported by forensically sound and legally admissible procedures.The CDFI process must implement a quality management system to apply CDFI methodologies, techniques and tools.The objectives of the CDFI management process can cover many functions, such as: manage legal and ethical requirements for education, security training and awareness; define security/forensic policies and procedures; perform incident investigation [18]; identify and collect DE; examine, analyse and manage DE; manage third parties; and document, report and present DE [7].In the integrated model of the CDFI process management system, forensic requirements are input values.The needs and expectations of the stakeholderswho may include the client and the legal system, DF and law enforcement investigators, and suspected/convicted persons -are the objectives that management must identify.For the clients and the other stakeholders, the outputs of the integrated CDFI process management model are products/services of the CDFI process phases and activities.Results of the outputs can be defined as the KPIs of achieved objectives of DF investigation process performances.The functional structure of the integrated model of the CDFI process management system, providing application of the IMPROP model [16] to the DF investigation process, is shown in Fig. 2.

DF investigation processes
The detailed structure of partial management systems (e.g.ISMS), shown vertically in Fig. 2, can be defined by establishing individual management systems according to corresponding standards.However, many forensic standards are still missing.Some of them are in draft form, and a few of them have been already published.There is also a lack of standardized data sets that are available for research purposes [17].
In this model, the main purpose of ISO/IEC standards is to promote techniques and methods of good practice in the DF investigation process.The results of a standardized DF investigation process could facilitate easier comparison and acceptance of the obtained DE by different people in the CDFI process, or in different legal systems.Once adopted into CDFI practice, these forensic standards require the CDFI process management system to be integrated into ISMS and TQM systems within the organization.In addition to the existing forensic standards, general QMS (ISO 9001) and EMS (ISO 14001) standards must also be included in this model.The QMS standard can help in defining the DF investigation process input transformation and its product value, antiforensic risk prevention, and quality achievement of the CDFI process objectives.The EMS standard, focused on environmental risk prevention and achievement of environmental objectives, as well as the other general and information security standards, such as ISO 9004, ISO 31000, ISO 26000, ISO/IEC 27001, 27032, 27033, 27034, and 27035, should also be applied in the model.
Current industry standards cover only three components of the DF investigation process: acquisition, preservation and analysis [2].Existing nationally created DE acquisition procedures for cross-border computer crimes may not be accepted by another country's legal system.Therefore, the newly published ISO/IEC 27037 standard for acquiring DE must be included in the integrated model.This standard provides guidance on integrity preservation of the identified, collected, acquired, marked, stored and transported DE.It harmonizes acquisition activities across borders so that cyber criminals can be prosecuted accordingly.This standard is not technically oriented and avoids using jurisdiction-specific terminology.The main purpose of the ISO/IEC 27041 standard is to describe mechanisms, methods and processes used in the first response and investigation of computer incidents or crimes, providing relevant DE for a successful DF investigation later on.It gives guidance on the validation of the DF investigative processes.The main focus is on security of the DF processes, methods and tools used in the DF investigation.The scope and purpose of ISO/IEC 27042 describes guidance on the processes of analysing, interpreting and corroboratively constructing the proved DE.This standard emphasizes the integrity of these processes in such a way that different investigators, working on the same DE, must get essentially the same results.Any differences in results, due to use of different tools or forensic techniques, should be traceable and explainable.It introduces the basics of forensic tool selection and use, as well as proficiency and competency of the investigators.A harmonized DF process is presented in the ISO/IEC 27043 standard.The scope and purpose of this standard concerns the DF principles and the processes involved in investigating incidents, providing proactive counter-processes to an incident, including retrieving DE from storage or dissemination of any DF investigation experience.These forensic standards are the drivers for standardization of the DF investigative process, application of good practices, lessening of the complexity of DE, and use of common terminology and forensically sound approaches to any computer incident or crime.
Therefore, it is possible to apply the IMPROP model in the case of using one or more management system standards, including ISMS and CDFI process management systems that are mutually complementary.These standards support the effectiveness and efficiency of security and CDFI management systems.It is recommended to use them simultaneously.In the application of this model to the CDFI, it is very important to emphasize the significance of teamwork, due to the multidisciplinary knowledge and experiences that are required in DF science.

Conclusion
Quantitative measurement of CDFI KPIs may provide corporate digital forensic investigators and managers, law enforcement DF examiners and judges with vital information for monitoring and verifying the consistency of the CDFI process, enabling the most appropriate judgment in the courtroom and focusing CDFI resources on the areas of greatest business value.Some metrics, such as financial metrics, are well established and, to a great extent, dictated by regulatory bodies worldwide.In the DF community there are no such broadly accepted standards to establish a consistent KPI metric system of the DF investigative process.The authors of this article suggested some of the key CDFI process performances and their KPI metrics, based on available references and original research.Beyond these suggested CDFI KPI measures, it is up to each DF investigative entity, each CDFI team and the individuals involved to define the right metrics for their environment and DF investigative processes.More practice and experience in CDFI KPI metric implementation could contribute to this insufficiently defined forensic area.All relevant stakeholders in the CDFI process can benefit from wellconceived and implemented CDFI KPI metrics.
In this research the authors proposed a theoretical integrated CDFI process model, its key performances and their KPI metrics.Further research, developing and implementing the CDFI process model and KPI metrics in real systems, is an extremely important step toward maturing the field of the CDFI process itself, corporate forensic readiness and computer incident management systems, which are also a vital part of an organization's proactive network security, incident management, ISMS and TQM systems.Finally, it would provide further promotion and standardization of DF as a forensic science.

Figure 1
Figure 1 CDFI investigation process model using four phases

Figure 2
Figure 2 Integrated management model of the CDFI process

Table 1
Mapping objectives and resources of the CDFI process key performances Key phases and activities of the DF investigation process Key performances, risks and resources of the DF investigationprocess Legend: DF -Digital Forensics; DD -Digital Data; DE -Digital Evidence