Advanced Data Acquisition Model

From ForensicsWiki

Background

Given the pervasive nature of information technology, evidence presented in court is now less likely to be paper-based and in most instances will be in electronic form. However, evidence relating to computer crime is significantly different from that associated with the more ‘traditional’ crimes for which, in contrast to digital forensics, there are well-established standards, procedures and models to which law courts can refer.

The key problem is that, unlike some other areas of forensic practice, digital forensic practitioners work in a number of different environments and existing process models have tended to focus on one particular area, such as law enforcement, and fail to take into account the different needs of those working in other areas such as incident response or ‘commerce’.

The Advanced Data Acquisition Model (ADAM) was created after a review of current process models involving the acquisition of digital data that included an assessment of each of the models from a theoretical perspective, by drawing on the work of Carrier and Spafford (2003), and from a legal perspective by reference to the Daubert test. The result of the model assessment is that none provide a description of a generic process for the acquisition of digital data, although a few models contain elements that could be considered for adaptation as part of a new model.

Following the identification of key elements for a new model (based on the literature review and model assessment), the outcome of the design stage is a three-stage process model that comprises three UML Activity diagrams, overriding Principles and an Operation Guide for each stage. Initial testing of the ADAM involved a ‘desk check’ using both in-house documentation relating to three digital forensic investigations and four narrative scenarios. The results of this exercise were fed back into the model design stage and alterations made as appropriate.

The main testing of the model involved independent verification and validation of the ADAM utilising two groups of ‘knowledgeable people’. The first group, the Expert Panel, consisted of international ‘subject matter experts’ from the domain of digital forensics. The second group, the Practitioner Panel, consisted of peers from around Australia who are digital forensic practitioners and included a representative from each of the areas of relevance for this research, namely: law enforcement, commerce and incident response. Feedback from the two panels was considered and modifications applied to the ADAM as appropriate.

The creation of the ADAM builds on the work of previous researchers and demonstrates how the UML can be practically applied to produce a generic model of one of the fundamental digital forensic processes, paving the way for future work in this area that could include the creation of models for other activities undertaken by digital forensic practitioners. It also includes the most comprehensive review and critique of process models incorporating the acquisition of digital forensics yet undertaken.
