
42 - Investigating methods

Digital forensics investigation can be approached from several perspectives. The D4I framework presents a semi-automatic way of investigating cyber attacks regardless of the nature, type, and sophistication of the attack. The framework is designed to complement the existing phases of NIST's investigation process by enhancing the examination and analysis phases. It provides detailed steps for processing and interpreting the digital evidence collected from the crime scene.

The D4I framework rests on two pillars. The first is the proposed categorization of artifacts and their mapping to the Cyber Kill Chain (CKC). The second is the proposed step-by-step instruction method for the examination and analysis phases, which is built on that categorization and mapping. D4I aims to review and investigate cyber attacks in the same sequence of steps in which they occurred, so that their traces, i.e. the artifacts they have created, can be identified easily and rapidly.

The proposed step-by-step instruction method for NIST's examination and analysis phases consists of the following six steps:

  1. Choose: Choose a cyber kill chain phase.
  2. Identify: Identify all artifacts belonging to the chosen cyber kill chain phase based on the proposed artifacts categorization.
  3. Correlate: Find correlations between the artifacts of the chosen cyber kill chain phase with artifacts belonging to the same, previous, or next cyber kill chain phase. Artifacts can be correlated by either their attributes or content.
  4. Construct Chain of correlated Artifacts (CoA): Keep every artifact that has any kind of correlation with artifacts belonging to the same, previous, or next cyber kill chain phase and add it to a chain. In effect, analysis is already being performed at this step, since conclusions begin to be drawn.
  5. Repeat: Repeat the procedure (steps 1–4) for all the phases of the cyber kill chain.
  6. Analyze CoA: Analyze the chain of correlated artifacts to determine whether it describes an attack. Because an attack follows the phases described in the cyber kill chain, this chain of artifacts is the trace the cybercriminal left behind during the cyber attack.
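The six steps above read naturally as a small algorithm over a set of artifacts, each already mapped to a kill chain phase. The following Python sketch is an added example written for this page; it is not D4I's own code, and the artifact categorization, the correlation rules (shared attribute value, or an attribute value appearing in another artifact's content) and the sample evidence are all constructed for illustration. The threshold used in step 6 (a connected chain spanning at least three phases "describes an attack") is likewise an assumption of the example, not a rule the framework states.

```python
"""Added example: a runnable sketch of the D4I six-step method.
The artifacts, their phase mapping, the correlation rules and the
attack threshold are constructed for illustration; they are not D4I's
own categorization."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Lockheed Martin Cyber Kill Chain phases, in attack order.
CKC = ["reconnaissance", "weaponization", "delivery", "exploitation",
       "installation", "command_and_control", "actions_on_objectives"]


@dataclass
class Artifact:
    id: str
    phase: str        # CKC phase assigned by the (assumed) categorization
    source: str       # where the artifact was collected
    attrs: dict       # attribute values, all non-empty strings
    content: str = ""  # free-text content (log line, command line, ...)


def adjacent_phases(phase):
    """Step 3 scope: the chosen phase plus its previous and next phase."""
    i = CKC.index(phase)
    return set(CKC[max(0, i - 1): i + 2])


def correlated(a, b):
    """Attribute correlation (a shared value) or content correlation (one
    artifact's attribute value appears in the other's content)."""
    va, vb = set(a.attrs.values()), set(b.attrs.values())
    if va & vb:
        return True
    return any(v and v in b.content for v in va) or \
        any(v and v in a.content for v in vb)


def identify(artifacts, phase):
    """Step 2: all artifacts mapped to the chosen phase."""
    return [a for a in artifacts if a.phase == phase]


def construct_coa(artifacts):
    """Steps 1-5: for every phase, correlate its artifacts with those in the
    same/previous/next phase and keep the correlated ones as a chain.
    Returns (chain_ids, links) where links is a set of undirected edges."""
    chain, links = set(), set()
    for phase in CKC:                                    # step 1 and step 5
        scope = [x for x in artifacts if x.phase in adjacent_phases(phase)]
        for a in identify(artifacts, phase):             # step 2
            for b in scope:
                if a.id != b.id and correlated(a, b):    # step 3
                    chain.update((a.id, b.id))           # step 4
                    links.add(tuple(sorted((a.id, b.id))))
    return chain, links


def analyze_coa(artifacts, chain, links, min_phases=3):
    """Step 6: split the chain into connected stories and report the phases
    each covers. Spanning at least `min_phases` phases counts as
    'describes an attack' (an assumption of this example)."""
    by_id = {a.id: a for a in artifacts}
    adj = defaultdict(set)
    for x, y in links:
        adj[x].add(y)
        adj[y].add(x)
    seen, stories = set(), []
    for start in sorted(chain):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:                       # breadth-first walk of one story
            n = queue.popleft()
            if n in comp:
                continue
            comp.add(n)
            queue.extend(adj[n] - comp)
        seen |= comp
        phases = sorted({by_id[i].phase for i in comp}, key=CKC.index)
        stories.append({
            "artifacts": sorted(comp, key=lambda i: CKC.index(by_id[i].phase)),
            "phases": phases,
            "describes_attack": len(phases) >= min_phases,
        })
    return stories


# Constructed sample evidence; hashes are placeholders, IPs are RFC 5737 ranges.
SAMPLE = [
    Artifact("A1", "reconnaissance", "web server log",
             {"src_ip": "203.0.113.7"}, "GET /robots.txt"),
    Artifact("A2", "delivery", "mail gateway log",
             {"src_ip": "203.0.113.7", "attachment_sha256": "SHA256_PLACEHOLDER_1"},
             "inbound mail with attachment invoice.docm"),
    Artifact("A3", "exploitation", "endpoint process event",
             {"parent": "winword.exe", "file_sha256": "SHA256_PLACEHOLDER_1"},
             "cmd.exe /c copy %TEMP%\\x.exe C:\\Users\\Public\\upd.exe"),
    Artifact("A4", "installation", "registry run key",
             {"path": "C:\\Users\\Public\\upd.exe"},
             "HKCU\\...\\Run\\upd = C:\\Users\\Public\\upd.exe"),
    Artifact("A5", "installation", "software inventory",
             {"path": "C:\\Program Files\\Vendor\\tool.exe"}),
    Artifact("A6", "command_and_control", "proxy log",
             {"process": "upd.exe", "dst_ip": "198.51.100.9"},
             "CONNECT 198.51.100.9:443"),
    Artifact("A7", "actions_on_objectives", "netflow",
             {"dst_ip": "198.51.100.9"}, "412 MB outbound"),
]

if __name__ == "__main__":
    chain, links = construct_coa(SAMPLE)
    for story in analyze_coa(SAMPLE, chain, links):
        print(story)
```

Running the sketch on the constructed evidence keeps A2 through A7 except A5 (the unrelated inventory entry, which correlates with nothing) and reports one story spanning delivery to actions on objectives. A1 is dropped as well: under step 3 a reconnaissance artifact is only compared with weaponization and reconnaissance artifacts, so its shared source address with the delivery artifact two phases later is never examined. That is worth remembering when reading a CoA, since it is the phase adjacency of the method, not the evidence, that decides which links can appear.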