Proactive and Reactive Cyber Forensics Investigation Process

3286 words (13 pages) Essay

12th Mar 2018 Computer Science Reference this


Disclaimer: This work has been submitted by a university student. This is not an example of the work produced by our Essay Writing Service. You can view samples of our professional work here.

Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of


Proactive And reactive cyber forensics investigation processes: A Systematic Literature Review(SLR)

A multi-component framework of cyber forensics investigation


Abstract—Digital Forensics can be defined as the ensemble of methods, tools and techniques used to collect, preserve and analyze digital data originating from any type of digital media involved in an incident with the purpose of extracting valid evidence for a court of law. In it investigations are usually performed as a response to a digital crime and, as such, they are termed Reactive Digital Forensic (RDF). This involves identifying, preserving, collecting, analyzing, and generating the final report. Although RDF investigations are effective, they are faced with many challenges, especially when dealing with anti-forensic incidents, volatile data and event reconstruction. To tackle these challenges, Proactive Digital Forensic (PDF) is required. By being proactive, DF is prepared for incidents. In fact, the PDF investigation has the ability to proactively collect data, preserve it, detect suspicious events, analyze evidence and report an incident as it occurs.

Index Terms—Digital forensics, Digital Proactive Forensics, Digital reactive forensics, Digital device storage, digital crime, Anti forensics, multi component framework


Computer crimes have increased tremendously and their degree of sophistication has also advanced, the volatility and dynamicity of the information that flows between devices require some proactive investigation. The reactive investigation is now becoming less practical since the increased sizes of the data that is being investigated and underlying technology of the devices that change tremendously make the tools made for digital reactive forensics useless In order to investigate anti-forensic attacks and to promote automation of the live investigation, a proactive and reactive functional process has been proposed.. The phases of the proposed proactive and reactive digital forensics investigation process have been mapped to existing investigation processes. The proactive component in the proposed process has been compared to the active component in the multi- component framework. All phases in the proactive component of the new process are meant to be automated. To this end, a theory for the proactive digital forensics is necessary to lay down a strong foundation for the implementation of a reliable proactive system.

I. Anti-Forensics

The term anti-forensics refers to methods that prevent forensic tools, investigations, and investigators from achieve- ing their goals. Two examples of anti-forensic methods are data overwriting and data hiding. From a digital investigation perspective, anti-forensics can do the following:

  • Prevent evidence collection.
  • Increase the investigation time.
  • Provide misleading evidence that can jeopardize the whole investigation.
  • Prevent detection of digital crime.

To investigate crimes that rely on anti-forensic methods, more digital forensic investigation techniques and tools need to be developed, tested, and automated. Such techniques and tools are called proactive forensic processes. Proactive forensics has been suggested in. To date, however, the definition and the process of proactive forensics have not been explicated.

II. Proactive digital forensics

Proactive Digital Forensic Component has the ability to proactively collect data, preserve it, detect suspicious events, gather evidence, carry out the analysis and build a case against any questionable activities. In addition, an automated report is generated for later use in the reactive component. The evidence gathered in this component is the proactive evidence that relates to a specific event or incident as it occurs. As opposed to the reactive component, the collection phase in this component comes before preservation since no incident has been identified yet. Phases under the proactive component are defined as follows:

  • Proactive Collection: automated live collection of predefined data in the order of volatility and priority, and related to a specific requirement of an organization or incident.
  • Proactive Preservation: automated preservation, via hashing, of the evidence and the proactively collected data related to the suspicious event.
  • Proactive Event Detection: detection of suspicious event via an intrusion detection system or a crime-prevention alert.
  • Proactive Analysis: automated live analysis of the evidence, which might use forensics techniques such as data mining and outlier detection to sup- port and construct the initial hypothesis of the incident.
  • Report: automated report generated from the proactive component analysis. This report is also important for the reactive component and can serve as the starting point of the reactive investigation.[1]

III Reactive Digital Forensics

It the traditional or post-mortem approach of investigating a digital crime after an incident has occurred. This involves identifying, preserving, collecting, analyzing, and generating the final report. Two types of evidence are gathered under this component:

  • Active: Active evidence refers to collecting all live (dynamic) evidence that exists after an incident. An example of such evidence is processes running in memory.
  • Reactive : refers to collecting all the static evidence remaining, such as an image of a hard drive.

Previous Work

Reactive investi-

gation process and references







Investigative Process for Digital Forensic Science


End-to-End Digital Investi- gation Process


Step by step DF investigation


The Hierarchical, Objective-based Frame- work


An Extended Model for E-Discovery Op- erations


FORZA – Digital Forensics Investigation Framework Incorporating Legal Issues


Proactive Vs Reactive Forensics Investigation framework


Proactive Analysis

Reactive Analysis

Proactive Collection


Event Trigger Function


Proactive Preservation


Proactive Analysis


Preliminary report












Complexity of Digital Forensics investigation

Digital attacks are so complex that it is hard to investigate them forensically. The elements involved in a digital crime are located in a large multidimensional space and cannot be easily identified. With the increase of storage size and memory sizes, and the use of parallelism, virtualization and cloud, the parameters to take into account during an investigation can even become unmanageable.

Five fundamental principles

The five fundamental principles are stated below:

Principle 1 Consider the entire system. This includes the user space as well as the entire kernel space, file system, network stack, and other related subsystems.

Principle 2 Assumptions about expected failures, attacks, and attackers should not control what is logged. Trust no user and trust no policy, as we may not know what we want in advance.

Principle 3 Consider the effects of events, not just the actions that caused them, and how those effects may be altered by context and environment.

Principle 4 Context assists in interpreting and understanding the meaning of an event.

Principle 5 Every action and every result must be processed and presented in a way that can be analyzed and understood by a human forensic analyst.

These five are for reactive analysis , for proactive there must be some new principles. Soltan Abed Albari proposed the following two :

Principle 6 Preserve the entire history of the system.

Principle 7 Perform the analysis and report the results in real time.

By preserving the entire history of the system, we can go back in time and reconstruct what has happened and answer reliably all the necessary questions about an event or incident. The reconstructed timeline is based on the actual states of the system before and after the event or incident. In addition and due to the large amount of data, events and actions involved, performing a proactive analysis and reporting require real time techniques that use high-performance computing. The analysis phase should be automated and have the necessary intelligence to investigate the suspicious events in real time and across multiple platforms.

Figure 1 Relation between action ,target & events[1]

In addition to the actions and events that the seven principles listed above emphasize, we introduce the notion of targets. A target is any resource or object related to the system under investigation e.g., a file, memory, register, etc. We will use an element of DF investigation to refer to a target, an action or an event. At a time t and as shown in Figure 3.1, the system is in the process of executing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones.

A model for Proactive digital forensics

The model below has two major parts

  1. Forward system
  2. Feedback system

Forward system is the one upon which investigation is performed. Both systems the forward and the feedback can be modelled as a tuple (T,E,A), where T is a set of targets, E is a set of events, and A is a set of possible actions each of which is viewed as a transfer function of targets and events. To clarify this, each target f ∈ T is associated with a set S(f) representing the possible states in which it can be. The Cartesian product of S(f) for all targets f defines the state space of the system’s targets and we denote it by T . We do the same for every event e but we consider S(e) to contain two and only two elements, namely ↑ (triggered event) and ↓ (not triggered event). The Cartesian product of all the system’s events (S(e) for every event e) is denoted by E (status space). An action a is therefore a function from Γ × T × E to T × E, where Γ represents the time dimension. The evolution function ψ is defined from Γ × (T × E) × A to T × E by

ψ(t,(~r,~e),a) = a(t,~r,~e)3.

At a time t ∈ Γ, an event e is triggered if its status at time t is ↑, and not triggered ↓ otherwise. The notation ↑t e will be used to denote that the event e is triggered at time t

Figure 2 proactive model[1]

The forward system has three things that are linked. Target, event and action

A. Target

A target is any resource or object related to the system under investigation (e.g., a file, memory, register, etc.. We will use an element of DF investigation to refer to a target, an action or an event. At a time t system is in the process of executing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones. Therefore to describe the dynamics of the system at a single instant t, one needs to know at least the states of the targets, the events generated and the actions executed at t. For a full description of the dynamics, these elements of investigation need to be specified at every instant of time; and the complete analysis of the dynamics of the system requires a large multidimensional space Equations

B. Events and Actions

Keeping track of all events and targets is expensive. To reduce them, a few classifications using preorder and equivalence relations. To illustrate the idea behind these classifications, imagine a botnet writing into a file. This event will trigger other events including checking the permission on the file, updating the access time of the file, and writing the data to the actual disk. The idea behind our formalization is to be able to know which events are important (maximal) and which ones can be ignored. The same thing holds for the targets .This will optimize the cost and time .

  1. Short Theory on Events

Let e1 and e2 be two events in E. We defined the relation ≤E on E as follows:

e1 ≤E e2 if and only if ( ⇐⇒ ) whenever the event e1 happens at a time t, the event e2 must also happen at a time t0 greater than or equal to t. Formally, this can be expressed as: e1 ≤E e2 ⇐⇒ (∀t ↑t e1 ⇒ ∃t0 ≥ t ↑t0 e2)

Subsequent events are those which are less than e .

  1. Short theory on targets

Let Ψ be the mapping from T to E (Figure 3.10) that associates each target with its change of status event. The mapping Ψ and ≤E induces a preorder relation ≤T defined by T1 ≤T T2 ⇐⇒ Ψ(T1) ≤E Ψ(T2)

Informally, this means that whenever target T1 changes at time t the target T2 must change at t0 ≥ t.

  1. Short Theory on Actions

The set of actions A is extended to ¯ A using the following operators:

An associative binary operator called sequential operator and denoted by ;. Given two actions a1 and a2, the action a1;a2 is semantically equivalent to carrying out a1 and then a2 (the two transfer functions are in series). Note that ∅A is a neutral element of A with respect to ; (i.e., a;∅A = ∅A;a = a for every action a).

A commutative binary operator called parallel operator and denoted by ||. In this case a1||a2 is equivalent to carrying a1 and a2 simultaneously (the two transfer functions are in parallel). The action ∅A is also a neutral element of A with respect to ||.

A conditional operator defined as follows. Given two conditions ci and ce in C, and an action a, the operator ciace represents the action of iteratively carrying out a only when ci is true and stopping when ce is false. That

is denoted by a ce. Note that if both are true, then ci a ce is a.

Zone Base Classification of Investigation Space

To address the limitation of the classification described previously and address the undesirability issue , classify the event and target state into a set of priority zones. These zones can be represented with different colors: green, yellow, and red; starting from a lower priority to a higher one. When important events/targets with high-priority levels are triggered, a more thorough analysis is expected. Moreover, the zones can be used as a quantifying matrix that provides numbers reflecting the certainty level for the occurrence of an incident. In our case, this number is an important piece of information in the final report.

The high-priority events can involve one of the following: IDS, Antivirus, Firewall off and changing the windows system32 folder. On the other hand, the high-priority targets are the system32 folder, registry, network traffic and memory dump.

Given that the number of targets and events are large, this classification is not enough, especially during the analysis phase. As such, we need to reduce the forensic space. Similar to the principal component analysis technique [59], we suggest restrict- ing the analysis to “important” targets and events based on a specific organization policy. This can be seen as projecting the full forensic space F onto a sub-space F0 in which the evidence is most probably located.

Figure 3 Zone base classification [1]


In this paper we proposed a new approach to resolve cybercrime using Proactive forensics with focusing on the Investigation space for proactive investigation. This paper reviews literature on Proactive forensic approaches and their processes. It has a method for proactive investigation to be carried out significantly. In order to investigate anti-forensics methods and to promote automation of the live investigation, a proactive functional process has been proposed. The proposed process came as result of SLR of all the processes that exist in literature. The phases of the proposed proactive digital forensics investigation process have been mapped to existing investigation processes.

For future work , the investigation space profiling is to be done on events and targets in the space.


  1. Proactive System for Digital Forensic Investigation, Soltan Abed Alharbi, 2014 University of Victoria
  2. Mapping Process of Digital Forensic Investigation Framework
  3. A new approach for resolving cybercrime in network forensics based on generic process model. Mohammad Rasmi1, Aman Jantan2, Hani Al-MimiY. Yorozu, M. Hirano, K. Oka, and Y. Tagawa,
  4. A System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence
  5. Towards Proactive Computer-System Forensics
  6. Requirements-Driven Adaptive Digital Forensics
  7. Multi-Perspective Cybercrime Investigation Process Modeling
  8. A Forensic Traceability Index in Digital Forensic Investigation
  9. Network/Cyber Forensics
  10. Smartphone Forensics: A Proactive Investigation Scheme for Evidence Acquisition

Cite This Work

To export a reference to this article please select a referencing stye below:

Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.

Related Services

View all

DMCA / Removal Request

If you are the original writer of this essay and no longer wish to have your work published on the website then please:

Related Lectures

Study for free with our range of university lectures!