Computing and Information Systems - Theses

  • A model for digital forensic readiness in organisations
    ELYAS, MOHAMED (2014)
    Organisations are increasingly reliant upon information systems for almost every facet of their operations. As a result, there are legal, contractual, regulatory, security and operational reasons why this reliance often translates into a need to conduct digital forensic investigations. However, conducting digital forensic investigations and collecting digital evidence is a specialised and challenging task, exacerbated by the increased complexity of corporate environments, the diversity of computing platforms, and the large-scale digitisation of businesses. There is agreement in both the professional and academic literature that in order for organisations to meet this challenge, they must develop ‘digital forensic readiness’ – the proactive capability to collect, analyse and preserve digital information. Unfortunately, although digital forensic readiness is becoming a legal and regulatory requirement in many jurisdictions, studies show that most organisations have not developed a significant capability in this domain. A key issue facing organisations intending to develop a forensic readiness capability is the lack of comprehensive and coherent guidance in both the academic and professional literature on how forensic readiness can be achieved. A review of the literature conducted as part of this study found that the academic and professional discourse on forensic readiness is fragmented and dispersed: it does not build cumulatively on prior knowledge and is not informed by empirical evidence. Further, there is a lack of maturity in the discourse that is rooted in the reliance on informal definitions of key terms and concepts. For example, there is little discussion and understanding of the key organisational factors that contribute to forensic readiness, the relationships between these factors and their precise definitions. Importantly, there is no collective agreement on the primary motivating factors for organisations to become forensically ready.
    Therefore, this research project proposes the following research questions: Research Question 1. What objectives can organisations achieve by being forensically ready? Research Question 2. How can forensic readiness be achieved by organisations? Research Question 2 in turn suggests the following sub-questions: Sub-Question 2. What factors contribute to making an organisation forensically ready? Sub-Question 3. How do these factors interact to achieve forensic readiness in organisations? A systematic review approach and coding techniques have been utilised to synthesise key elements of the vast and largely fragmented body of knowledge in forensic readiness into a more holistic and coherent understanding. This led to the development of a comprehensive model that explains how forensic readiness can be achieved and what organisations can achieve by being forensically ready. The proposed model has been extensively validated through multiple focus groups and a multi-round Delphi survey, which involved experienced computer forensic experts from twenty countries and diverse computer forensic backgrounds. The study found there to be four primary objectives for developing a forensic readiness capability: 1) to manage digital evidence; 2) to conduct internal digital forensic investigations; 3) to comply with regulations; and 4) to achieve other non-forensic objectives (e.g. improved security management). The study also identified the factors that contribute to forensic readiness. These are: 1) a strategy that draws the map for a forensically ready system; 2) human expertise to perform forensic tasks; 3) awareness of forensics among organisational staff; 4) software and hardware to manage digital evidence; 5) a system architecture that is tailored for forensics; 6) policies and procedures that outline forensic best practice; and 7) training to educate staff on their forensic responsibilities.
    Further, the study found three additional organisational factors external to the forensic program: 1) adequate support from senior management; 2) an organisational culture that is supportive of forensics; and 3) good governance. This study makes significant theoretical contributions by introducing a more comprehensive model for forensic readiness that is characterised by the following: 1) providing formal definitions of key concepts in forensic readiness; 2) describing the key factors that contribute to forensic readiness; 3) describing the relationships and interactions between the factors; 4) defining a set of dimensions and properties by which forensic readiness is characterised; and 5) describing the key objectives organisations can achieve by being forensically ready. The study also makes significant contributions to practice. A key attribute of the digital forensic readiness model is its depth (in terms of the various dimensions and properties of each factor), which enables its use as an instrument to assess and guide organisational forensic readiness. Furthermore, this research increases the marketability of forensic readiness by introducing a well-defined list of objectives organisations can achieve by developing a forensic capability.
  • Digital forensics: increasing the evidential weight of system activity logs
    AHMAD, ATIF (2007)
    The application of investigative techniques within digital environments has led to the emergence of a new field of specialization that may be termed ‘digital forensics’. Perhaps the primary challenge concerning digital forensic investigations is how to preserve evidence of system activity given the volatility of digital environments and the delay between the time of the incident and the start of the forensic investigation. This thesis hypothesizes that system activity logs present in modern operating systems may be used for digital forensic evidence collection. This is particularly true in modern organizations, where there is growing recognition that forensic readiness may have considerable benefits in case of future litigation. This thesis investigates the weighting of evidence produced by system activity logs present in modern operating systems. The term ‘evidential weight’ is used loosely as a measure of the suitability of system activity logs to digital forensic investigations. The investigation is approached from an analytical perspective. The first contribution of this thesis is to determine the evidence collection capability of system activity logs by means of a simple model of the logging mechanism. The second contribution is the development of evidential weighting criteria that can be applied to system activity logs. A unique and critical role for system activity logs, by which they establish the reliability of other kinds of computer-derived evidence from hard disk media, is also identified. The primary contribution of this thesis is the identification of a comprehensive range of forensic weighting issues arising from the use of log evidence that concern investigators and legal authorities. This contribution is made in a comprehensive analytical discussion utilizing both the logging model and the evidential weighting criteria.
    The practical usefulness of the resulting evidential weighting framework is demonstrated by rigorous and systematic application to a real-world logging system.