
International Journal of Network Security, Vol.17, No.5, PP.497-509, Sept. 2015 497

A Survey of Digital Evidences Forensic and Cybercrime Investigation Procedure

Jia-Rong Sun1, Mao-Lin Shih2, Min-Shiang Hwang1,3

(Corresponding author: Min-Shiang Hwang)

Department of Computer Science and Information Engineering, Asia University1

(Email: [email protected])

Department of Financial and Economic Law, Asia University2

No. 500, Lioufeng Rd., Wufeng, Taichung 41354, Taiwan

Department of Medical Research, China Medical University Hospital, China Medical University3

No. 91, Hsueh-Shih Road, Taichung 40402, Taiwan

(Received Jan. 5, 2015; revised and accepted Apr. 10 & May 2, 2015)

Abstract

Due to the development of networks, cybercrime has many crime types, including network attack, mail fraud, intimidation, copyright infringement, and so on. For network attacks, many approaches have been proposed and used to detect and defend against them. However, after a network attack is confirmed or another crime is found to exist, the investigators still need to execute the investigation procedure, collect the evidence related to the crime, find the perpetrators, and prosecute them. Therefore, in this paper we collect the research on cybercrime investigation procedures from recent years. By introducing the investigation procedures of these papers, we identify the features of every procedure. Then we compare these investigation procedures in terms of their compatibility with traditional investigative procedures, cybercrime behavior analysis, evidence forensic procedures, case analysis and verification, the methods of evidence collection and analysis, and the area of judicial jurisdiction. Finally, we propose our viewpoints on cybercrime investigation and forensic procedures, and we hope this paper will help research on investigation and forensic procedures.

Keywords: Cybercrime, digital evidence, forensic procedure, investigation procedure

1 Introduction

In recent years, many approaches to detecting network attacks have been proposed [9, 11, 14, 20, 21, 22, 28, 29, 30]. By using these approaches, we can detect that a network attack is occurring and defend against it. However, once a network attack has occurred, the attack event is treated as a cybercrime. Investigating these cybercrimes not only pursues the liability of the criminal but also combines the detection approaches into a cybercrime investigation strategy, reducing the damage from the same criminal behavior.

In cybercrime, the investigation procedure can be divided into two main parts: the digital evidence forensics process and the cybercrime investigation procedure. In cybercrime cases, the evidence does not necessarily exist as a physical object; it may be digital data stored in data storage devices. The locations where digital evidence exists differ with the type of crime. For example, in wireless cybercrime, digital evidence exists in the records of the computers and network equipment of the offenders and the victims [35]; in network attacks, digital evidence exists in the ISP server and the computers of the offender [16]. Digital evidence collection aims to find any evidence related to the cybercrime and to preserve it so that the digital evidence is not forged, altered, deleted or destroyed. The purpose of collecting digital evidence is to investigate how the cybercrime occurred. Therefore, the process of finding the digital evidence and the perpetrators is called the criminal investigation procedure, and the criminal investigation procedure includes the evidence forensics procedure. When a cybercrime occurs, collecting the digital evidence, proving the existence of criminal behavior, identifying the suspects, and proving causation together form the cybercrime investigation procedure. In the following, we define cybercrime, the investigation procedure, and the nature of digital evidence.

1.1 The Definition of Cybercrime

Cybercrime is a social problem derived from social development. In [12], cybercrime is defined as a 'digital' or 'hi-tech' crime type, or one that uses network technology as the primary or secondary tool of crime [3, 23, 27, 31, 34]. In [33], the authors consider that the difference between traditional crimes and cybercrimes is that the evidence at a cybercrime scene is in electronic format. In Taiwan, cybercrime is also defined in the Criminal Code, in the legislative purpose of the definition of computer crime in Chapter 36. In the broad sense, computer crime refers to crime whose tools or process involve computers or the Internet; in the narrow sense, computer crime refers to crime whose objects of attack are computers or the Internet. In summary, we consider that cybercrime must use some tool to connect to the Internet and carry out illegal offending behavior. Part of the evidence produced by such cybercrime is digital evidence, the crime has no fixed location, and the offender and victim do not need to face each other directly.

1.2 The Property of Digital Evidence

Evidence can be divided into witness evidence, physical evidence and documentary evidence. Witness evidence is evidence of personal experience, but does not include speculation. Witnesses include eyewitnesses, victims, defendants or expert testimony; physical evidence refers to an object or state which can be used to prove the facts of the crime, such as the tools of the crime; documentary evidence refers to the content of a document which can be used as evidence, such as the written report of a victim. Furthermore, some evidence has the characteristics of both documentary evidence and physical evidence, namely the evidence of cybercrime. The evidence of cybercrime belongs to a new type of evidence, called digital evidence [4, 5, 6]. Witness evidence may change with time or be interfered with by other factors, while physical evidence and documentary evidence relatively easily show traces of modification. Therefore, under normal circumstances, the probative force (i.e., credibility) of physical and documentary evidence is higher than that of witness evidence. Digital evidence is generally stored in data storage devices [33] as electromagnetic records, and the content of digital evidence can be understood through printing, playing, execution, etc. From the foregoing, digital evidence has the characteristics of both physical evidence and documentary evidence. In addition, since digital evidence exists as electromagnetic records, it has the following features: it is easy to modify and copy [1, 4, 33], hard to understand directly without a conversion process [4, 7], and not easy to retain in its original state [1, 4, 33].

1.3 The Definitions of Investigation Procedure

Different countries have their own judicial investigation procedures based on their own laws [13, 26]. In Taiwan, the crime investigation procedures are prescribed in the Criminal Procedure Law. The purpose of these procedures is to investigate the facts of the crime, collect evidence, find the suspects, and arrest the suspects. In addition, criminal cases in Taiwan are divided into public prosecution and private prosecution, and this classification affects how the investigation procedure is started. A public prosecution case requires the victim to report the crime event to the police or the judiciary before the criminal case is accepted; a private prosecution case means that the crime does not need to wait for the report of the victim, and the judicial investigators can investigate this type of criminal case actively. These two types determine whether the investigation procedure is started actively or passively by the judicial investigators. The start of the investigation must be a legal process, otherwise the case will not be accepted by the court after prosecution. When the investigation procedure is initiated legally, the suspects are found through legally collected evidence. After summoning and questioning the suspects, innocent people are released and the criminal is arrested. Finally, the criminal is prosecuted.

In this paper, we collect and survey papers on cybercrime investigation procedures from different countries in recent years. First, we introduce the architecture, processes, and forensics procedures of these investigations. Then we compare these investigative procedures, including their compatibility with traditional investigative procedures, cybercrime behavior analysis, evidence forensic procedures, case analysis and verification, the methods of evidence collection and analysis, and the area of judicial jurisdiction. Finally, we propose our viewpoints on cybercrime investigation and forensic procedures, including digital evidence forensics and the investigation procedure. This paper is organized as follows. In Section 2, we introduce the proposed approaches to investigation procedures and evidence forensics in cybercrime; in Section 3, we compare the investigation procedures and propose our viewpoints on cybercrime investigation procedures; finally, we draw our conclusions in Section 5.

2 The Survey of Cybercrime Investigation and Forensics Procedure

Cybercrime is a crime type produced by the development of the Internet. According to the definition of cybercrime, the evidence of cybercrime includes digital evidence, cybercrime has no fixed location, and the offender and the victim of a cybercrime do not need to face each other directly. Therefore, the cybercrime investigation procedure must contain methods for finding the real perpetrators, digital evidence forensics, and analysis of the crime. In addition, investigators are not limited to a single method in a cybercrime investigation; they will use many methods to collect evidence and identify the perpetrators as long as the methods are not illegal. Therefore, if cybercrime investigation procedures are proposed that can be used to find the real perpetrators, collect evidence, and analyze the method of the cybercrime, such a procedure will be referenced and used by investigators. In the following, we describe the proposed cybercrime investigation procedures.

Figure 1: The cybercrime execution stack

2.1 The Growing Phenomenon of Crime and Internet

In [12], the authors proposed and defined a cybercrime execution and analysis model. The purpose of that paper is to make conventional policing models easier to use for investigating cybercrime, and to help investigators plan investigations. The model of cybercrime investigation is defined as a Cybercrime Execution Stack in that paper. This model is affected by three factors: Criminal or illicit intent, Globalized Environment, and Evasion and Concealment [12]. In different countries, the criminal or illicit intent of cybercrime is stipulated in their own criminal law, and it affects whether the offense is established or not. The factor of Globalized Environment affects the extent of the offense in different countries. If a cybercrime crosses several areas of judicial jurisdiction, the extent of the offense may differ, or it may violate different codes of law. Since the Internet provides anonymity, evasion and concealment behavior in the crime increases the difficulty of crime investigation and information collection. Therefore, the evasion and concealment of cybercrime is also one of the factors affecting cybercrime investigation. The Cybercrime Execution Stack, as shown in Figure 1, has four main stacks: Data Objectives, Exploitation Tactics, Example Attack Methods, and Networked Technology [12]. According to the basic function of network technology, Data Objectives can be divided into groups: data collection, data supply and distribution, and data use [12]. The cybercrime tactics are found from the target type of the attack and the criminal behavior. Therefore, the Exploitation Tactics include three groups: Attack Vectors, Social Engineering and Illicit Collusion. These Exploitation Tactics can produce many different attack methods: the Attack Vectors include malware, Trojans, spyware, worms or viruses; Social Engineering includes impersonation, email, phishing, blogs or social networking; Illicit Collusion includes private websites, email, Internet Relay Chat (IRC), and Peer-to-Peer data sharing. Finally, the Networked Technology is used to find and collect the evidence and information of the cybercrime. Its technical characteristics are the communication channel, network entry point, access device, network resources, and the infrastructure devices.

2.2 The Stages of Cybercrime Investigations

In [13], the authors combine the Cybercrime Execution Stack [12] and the investigation stages of the law enforcement investigation process into a compound procedure of cybercrime investigation (see Figure 2) [13]. The purposes of this investigation procedure are to establish the connection between the Cybercrime Execution Stack and law enforcement investigation, and to bridge the gap between technical and non-technical investigation. On the technology side, the authors refer to the Cybercrime Execution Stack and use this stack as the technology for investigating cybercrime. This investigation procedure has four phases: Initiation, Outcome, Cybercrime Execution Stack, and Law enforcement investigation process. The Cybercrime Execution Stack includes four stages: Data Objective, Exploitation Tactics, Attack Methods, and Networked Technology [13] (see Figure 1). The purpose of the Cybercrime Execution Stack [12] is to let the investigator analyze and divide the technology and its features objectively, and to assist every stage of the law enforcement investigation process. The law enforcement investigation includes six stages: Modelling, Assessment, Impact/Risk, Planning, Tools, and Action. The Modelling stage is used to assess, evaluate, plan and communicate the content of a crime event, and to assist the Assessment stage in the investigation process. The results of the Modelling stage are used in the Assessment stage to analyze the knowledge and technology related to the cybercrime. In the Impact/Risk stage, the potential threat, offences, evidence, and victims are analyzed. According to the results of the Modelling, Assessment, and Impact/Risk stages, the investigation actions are planned and confirmed in the Planning stage. The Tools stage is used to find and consider the adequate skills, tools and equipment, and it helps with the potential digital evidence. In the Action stage, the action plan is confirmed, managed, and coordinated to include the skilled resources and jurisdictions.

2.3 New Model for Cyber Crime Investigation Procedure

Figure 2: The stages of cybercrime investigations

In [26], the authors proposed a new procedure model of cybercrime investigation. It improves the digital investigation process of Brian Carrier [8] and adds several phases used to investigate cybercrime, making the investigation procedure more suitable for investigating cybercrime events. In the digital investigation process of Brian Carrier [8] there are five phases: readiness phase, deployment phase, physical crime scene investigation phase, cybercrime scene investigation phase, and review phase. In [26], the phases of the investigation procedure are: readiness phase, consulting with profiler, cybercrime classification and investigation priority decision, damaged cybercrime scene investigation, analysis by crime profiler, suspects tracking, injurer cybercrime scene investigation, suspect summon, cybercrime logical reconstruction, and writing report. The readiness phase is used to ensure that the execution of the investigation will succeed, and to reduce the wasted time and errors of the investigation. Crime profiling is used to find information about the suspects from the crime scene. It helps to investigate the same type of crime in the future and reduces the time of investigation. The Cybercrime classification and investigation priority decision is used to decide the priority of the investigation based on the crime profiling data and classification. The Damaged (victim) cybercrime scene investigation phase is used to collect digital evidence, and its collection method is listed below.

1) Establish “police line” on Internet;

2) Set up the collection equipment to collect evidence of cybercrime events;

3) Photograph the evidence with a digital or video camera;

4) Use tools to collect and analyze the volatile evidence [2, 19];

5) Use the storage imaging method to prevent the evidence from being modified or deleted [18, 19];

6) Obtain the network evidence by using network forensic systems [24, 25].

In the Crime profiling phase, the investigator analyzes the nature of the suspects by using the information collected from the crime scene. This helps to reduce the scope of the investigation. Then the investigator traces the suspects based on the digital evidence and cyber information in the Suspects tracking phase. In the Injurer cybercrime scene investigation phase, the investigation points are the same as in the Damaged (victim) cybercrime scene investigation phase, with an additional step to collect evidence from the printers of the injurer. In the Suspects summon phase, the suspects are summoned according to the collected digital evidence and the information from the crime scene. In the cybercrime logical reconstruction phase, the investigators use the information and evidence collected in the above investigation procedure to reconstruct the cybercrime process, and use this reconstruction result to check the investigation result. In the last phase, Writing report, the investigators write the report of the criminal case about the collection, preservation, and analysis of the evidence. The investigation procedure of [26] is shown in Figure 3.

2.4 SoTE: Strategy of Triple-E on Solving Trojan Defense in Cyber-crime Cases

In [16], a strategy of Triple-E based on [16, 17] is presented and used to investigate cases of Internet intrusion in cybercrime, such as Trojans. By using the Triple-E strategy, the authors aim to identify the suspects of a cybercrime, find the facts of the cybercrime, and collect the evidence. Triple-E has three viewpoints: Education, Enforcement, and Engineering. The Education viewpoint focuses on reducing the number of hackers committing cybercrime and the recidivism rate before cybercrime occurs. Education establishes safe Internet habits, increasing public awareness by distributing safe Internet behavior, implementing a public awareness campaign, and observing the feeling of shame [16]. Furthermore, the investigators use the 6W1H (What, Which, When, Where, Who, Why, and How) questions to find the motivation and purpose of hackers and to establish a complete view of the cybercrime event, avoiding being deceived by the suspects. The Enforcement viewpoint focuses on the investigation field, the philosophy role, the purpose of fact finding, and constructing the criminal fact. Enforcement based on the MDFA (Multi-faceted Digital Forensics Analysis) Strategy can be used against cybercrime events. Furthermore, the enforcement procedure can be examined from diverse viewpoints, such as exploring aggressive attacks, comparing illegal offenses, and constructing a holistic view [16]. The Engineering approach focuses on the forensics field, the science role, the purpose of target authentication, and the method of arresting the criminals [16], based on the Ideal Log process and the M-N Model. This viewpoint focuses on the importance of evidential records and their comparison with other logs, and on measures such as enabling some elementary data for scientific consideration, synchronizing timestamp issues, and conducting an audit examination or cross-examination [16]. The utilization of SoTE is shown in Figure 4.

These three viewpoints are related to four layers: the 6W1H questions policy, the MDFA strategy procedure, the Ideal Logs and M-N Model process, and the Evidence record. The 6W1H questions policy is related to the Education viewpoint and is used to define the direction of the investigation procedure, covering What, Which, When, Where, Who, Why, and How.

The MDFA strategy procedure is related to the Enforcement viewpoint and is used to analyze the information of cybercrime events. The MDFA strategy has four phases: Evidential Phase (Evidence), Forensic Phase (Scene), Suffering Phase (Victim), and Behavior Phase (Suspect). The Evidential Phase is used to collect and preserve evidence until the cybercrime case enters court proceedings. The Evidential Phase has five steps: Identification, Preservation, Examination, Interpretation, and Presentation. The Forensic Phase is used to collect and examine evidence from the crime scene, and to discover the criminal process and facts through crime scene reconstruction. The Forensic Phase has five steps: Qualified Expert, Chain of Custody, Admissibility Consideration, Forensic Conclusion, and Crime Scene Reconstruction. In the Suffering Phase, the investigators find and discover clues to the crime case by using the information provided by victims. The steps of the Suffering Phase are Variety of Victim, Everyday Process, Victim Himself, Victim Reaction, and Societal Response. In the Behavior Phase, the information about the suspect is evaluated and analyzed, such as criminal psychology, personality, criminal actions, and whether the act was voluntary or not. The steps of the Behavior Phase are Background Understanding, Environmental Influence, Linkage Analysis, Logic Reasoning, and Criminal Profiling.

The Ideal Logs and M-N Model process is used to identify the users behind the computer and to discriminate whether the information of the evidence is real or forged. The Ideal Logs fall into two categories, explicit and tacit knowledge. Explicit knowledge is used to find the location of the suspect by using clues from digital evidence, such as IP address and timestamp. Tacit knowledge is used to find clues from digital actions and response messages, such as data upload/download, program execution, and abnormal behavior. The M-N Model process is a method used to check the login/logout process. M is the path traced from client to server; N is a part including login and logout within a period of time. When a user wants to log in to a server, the client produces a login time record TLogin 1. The login message passes through the ISP (Internet Service Provider), which produces a login time record TLogin 2. The login message then arrives at the server, which produces a login time record TLogin 3. When the user wants to log out from the server, the logout message follows the path of the login and produces the logout time records TLogout 3, TLogout 2, and TLogout 1 on the server, ISP, and client. Further, the M-N model provides a proposition analysis consisting of a Sequential Inequality and a Period Inequality. This methodology helps clarify whether the evidence is reliable or not, and whether the suspect is guilty or not. The M-N model is shown in Figure 5.
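As an added illustration (not code from this paper or from [16]), the following Python checks the client, ISP and server session records of one login/logout path against the two propositions described above. The paper does not spell the inequalities out, so the exact comparisons used here are an assumed reading of the model and are marked as such in the code; the log lines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Path M: the login message is stamped at the client (TLogin 1), the ISP
# (TLogin 2) and the server (TLogin 3); the logout follows the same path back.
PATH = ("client", "isp", "server")


@dataclass
class SessionRecord:
    point: str
    login: datetime
    logout: datetime

    @property
    def period(self) -> timedelta:
        return self.logout - self.login


def parse_records(lines: List[str]) -> Dict[str, SessionRecord]:
    """Parse constructed log lines of the form 'point,login_ts,logout_ts'.

    Timestamps are ISO 8601 and assumed already synchronized to one clock,
    which the paper lists as a prerequisite (synchronizing timestamp issues).
    """
    records: Dict[str, SessionRecord] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        point, login_ts, logout_ts = (f.strip() for f in line.split(","))
        records[point] = SessionRecord(
            point, datetime.fromisoformat(login_ts), datetime.fromisoformat(logout_ts)
        )
    missing = [p for p in PATH if p not in records]
    if missing:
        raise ValueError(f"no session record for: {missing}")
    return records


def sequential_violations(records: Dict[str, SessionRecord]) -> List[str]:
    """Sequential Inequality (assumed reading of the model):
    TLogin 1 <= TLogin 2 <= TLogin 3 and TLogout 3 <= TLogout 2 <= TLogout 1.
    Non-strict comparison tolerates coarse (one-second) log resolution."""
    problems = []
    for near, far in zip(PATH, PATH[1:]):
        if records[near].login > records[far].login:
            problems.append(
                f"login at {far} ({records[far].login}) stamped before {near} ({records[near].login})"
            )
        if records[far].logout > records[near].logout:
            problems.append(
                f"logout at {near} ({records[near].logout}) stamped before {far} ({records[far].logout})"
            )
    return problems


def period_violations(records: Dict[str, SessionRecord]) -> List[str]:
    """Period Inequality (assumed reading of the model): every point sees its
    login before its logout, and the session period can only shrink from
    client to ISP to server, because each inner hop is wrapped by the outer."""
    problems = []
    for p in PATH:
        if records[p].logout <= records[p].login:
            problems.append(f"{p}: logout {records[p].logout} not after login {records[p].login}")
    for near, far in zip(PATH, PATH[1:]):
        if records[far].period > records[near].period:
            problems.append(
                f"period at {far} ({records[far].period}) longer than at {near} ({records[near].period})"
            )
    return problems


def evaluate(lines: List[str]) -> dict:
    """Run both propositions; an inconsistent result means at least one of the
    three logs (or a claim built on it) cannot be relied on as it stands."""
    records = parse_records(lines)
    seq = sequential_violations(records)
    per = period_violations(records)
    return {"consistent": not seq and not per, "sequential": seq, "period": per}


# Constructed sample data, not taken from any real case.
CONSISTENT_LOGS = [
    "# point,login,logout",
    "client,2015-01-05T10:00:00,2015-01-05T10:30:05",
    "isp,2015-01-05T10:00:01,2015-01-05T10:30:03",
    "server,2015-01-05T10:00:02,2015-01-05T10:30:01",
]
# Same session, but the server-side login time was altered to predate the ISP record.
TAMPERED_LOGS = [
    "client,2015-01-05T10:00:00,2015-01-05T10:30:05",
    "isp,2015-01-05T10:00:01,2015-01-05T10:30:03",
    "server,2015-01-05T09:59:50,2015-01-05T10:30:01",
]

if __name__ == "__main__":
    for name, logs in (("consistent", CONSISTENT_LOGS), ("tampered", TAMPERED_LOGS)):
        print(name, evaluate(logs))
```

A violation only says that the three records cannot all be true together; which record was altered still has to be established from the other Ideal Log clues.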

In the Evidence record layer, since the evidence is used to discover the crime facts and the Internet behavior, the collected evidence record must have clear and objective features. Finally, the investigators find the causality from the results of these four layers, and make the details of the crime event clear.

Figure 3: The investigation procedure of [12]

Figure 4: The utilization of SoTE

Figure 5: TM-N model

2.5 A Study on Digital Forensics Standard Operation Procedure for Wireless Cybercrime

In [35], the authors proposed a Standard Operation Procedure (SOP) of digital forensics for wireless cybercrime. This procedure includes two parts: digital forensics and wireless cybercrime investigation. The authors define the main behaviors of wireless cybercrime and use the definition to propose a wireless cybercrime investigation. Further, the paper proposes a digital forensics SOP based on the Digital Forensic Standard Operation Procedure (DFSOP).

In the wireless cybercrime investigation, the five behaviors of wireless cybercrime are defined as follows [35]:

1) Cracking wireless Internet access, and then connecting to the Internet using the identity of another person;

2) Invading a wireless base station;

3) Intercepting packets of a wireless network, side-recording conversations, accounts, and passwords;

4) Launching denial-of-service attacks on the wireless base station;

5) Phishing in the wireless base station.

Wireless intrusion is the beginning of wireless cybercrime. Once the intrusion is successful, behaviors (2) to (5) can also be completed successfully. To solve the above wireless cybercrime, the investigation in this paper provides three stages: Investigating and analyzing wireless cybercrime, Recognizing the criminal origin and behavior, and Arresting the perpetrator. In Investigating and analyzing wireless cybercrime, the investigation plan follows the description of the victim. Then the content of the wireless cybercrime is identified by analyzing the modus operandi, such as checking the records from access points, the status of the network, the detection systems, and log files. The purpose of Recognizing the criminal origin and behavior is to find the suspects of the wireless cybercrime. The investigation methods are detecting the user's data, tracing the connection source, checking the record of communications, the firewall records, and so on. Sometimes, in order to obtain clues about a suspect, the investigation process even needs to monitor and record the wireless network. Arresting the perpetrator is used to collect evidence by search and seizure, summoning the suspects, and wireless network forensics. Further, in order to facilitate the execution of the investigation, this paper provides four directions to help the investigation of wireless cybercrime, including [35]:

1) Finding illegal wireless access points;

2) Locking up the active illegal links;


3) Setting up wireless honeypots;

4) Setting up intrusion detection systems, such as wireless intrusion prevention systems (WIPS) and wireless intrusion detection systems (WIDS).
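Directions 2 and 4 above can be illustrated with simple detection logic. The following Python is an added example, not code from [35] or from any WIDS product: it runs over constructed access point log lines in a hypothetical format, flags associating stations that are not on a known-client list (active illegal links), and flags deauthentication bursts of the kind produced by the denial attack of behavior (4).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical AP log format used for this example (constructed, not a real
# vendor format): "<timestamp> <auth|assoc|deauth> sta=<client MAC>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>auth|assoc|deauth) "
    r"sta=(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)

# Constructed sample log: one known client, one unknown client that associates,
# a burst of deauthentication events against the known client, one isolated
# deauth (normal roaming), and one malformed line.
SAMPLE_LOG = """\
2015-01-05 10:00:01 auth sta=02:00:00:00:00:01
2015-01-05 10:00:02 assoc sta=02:00:00:00:00:01
2015-01-05 10:00:30 auth sta=02:00:00:00:00:99
2015-01-05 10:00:31 assoc sta=02:00:00:00:00:99
2015-01-05 10:05:00 deauth sta=02:00:00:00:00:01
2015-01-05 10:05:01 deauth sta=02:00:00:00:00:01
2015-01-05 10:05:02 deauth sta=02:00:00:00:00:01
2015-01-05 10:05:03 deauth sta=02:00:00:00:00:01
2015-01-05 10:05:04 deauth sta=02:00:00:00:00:01
2015-01-05 10:30:00 deauth sta=02:00:00:00:00:02
this line is malformed and must be skipped rather than crash the parser
"""

# Clients the administrator has registered (constructed allowlist).
KNOWN_STATIONS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}


def parse_log(text):
    """Parse log lines into dicts; unparsable lines are counted, not dropped silently."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"],
            "sta": m["sta"].lower(),
        })
    return events, skipped


def unknown_associations(events, known):
    """Stations that associated but are not on the allowlist (possible illegal links)."""
    return sorted({e["sta"] for e in events
                   if e["event"] == "assoc" and e["sta"] not in known})


def deauth_bursts(events, window_seconds=10, threshold=5):
    """Sliding-window count of deauth events per station. Normal roaming gives
    isolated deauths; a flood gives many within seconds, which is the denial
    attack on the base station. One alert is raised per burst."""
    alerts = []
    recent = defaultdict(deque)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "deauth":
            continue
        q = recent[e["sta"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"sta": e["sta"], "at": e["ts"], "count": len(q)})
            q.clear()  # start counting a fresh burst
    return alerts


def analyze(text, known=KNOWN_STATIONS):
    """Run both checks over raw log text and return a summary for the report stage."""
    events, skipped = parse_log(text)
    return {
        "events": len(events),
        "skipped_lines": skipped,
        "unknown_stations": unknown_associations(events, known),
        "deauth_bursts": deauth_bursts(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```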

For the digital forensics SOP, the paper proposes a wireless forensics SOP based on DFSOP. DFSOP has four phases: Concept, Preparation, Operation, and Report. The Concept phase of DFSOP describes the concepts of evidence collection and forensics in terms of Laws, Principle, and Cognitive. The concepts have seven parts: collecting evidence quickly and preserving it; ensuring the continuity of evidence; establishing a procedure for recording audit information and the analysis of digital evidence; having experts operate on the digital evidence; recording and filming the process of evidence collection, analysis, and forensics; ensuring the integrity and security of data storage; and using a copy instead of the original evidence for analysis, investigation, and forensics. The Concept phase of the wireless DFSOP adds a Procedure part for establishing the SOP and tools; in the Laws part it adds two subparts, Acceptance at complaint only and Non-acceptance at complaint only; and in the Cognitive part it adds three subparts: Forensic Expertise and Skills, Computer Professional and Skills, and Network Professional and Skills.

The Preparation phase of DFSOP collects related information to prepare the work before the forensics. It is based on Authenticity and Security Police, Collection of the Basic Information of the Target to Ensure the 5W&1H (Who, Why, When, Where, What and How), and Preparation of Tools and Information and Mission Education, and has four parts: Collection of the basic information of the crime target, Preparation of tools, Professional members, and Education before the operation. The Preparation phase of the wireless DFSOP adds one subpart, Simulation of Task Allocation and Action.

The Operation stage is divided into three procedures based on the Crime Scene and the Laboratory: the Collection Procedure, the Analysis Procedure, and the Forensics Procedure. These procedures collect every type of evidence with different tools, analyze the evidence, and then reconstruct the crime scene. In the Operation stage of the wireless DFSOP, three sources of evidence are given: Wireless Devices of the Suspect, Wireless Devices at the Scene, and Other Devices. In the Collection procedure, the evidence is divided into volatile and non-volatile types. The data collected from the wireless cybercrime and then analyzed includes pictures, images, files, connection history, log files of the AP and PC, the wireless network event viewer, and wireless packets.
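The Concept-phase requirements (hash the original, analyze only a copy, keep continuity of evidence) and the Operation-stage split into volatile and non-volatile sources can be shown as a small acquisition helper. The following Python is an added example, not tooling from [35]; the evidence names, file contents and examiner name are constructed, and the chain-of-custody record format is this example's own.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path

VOLATILE = "volatile"
NON_VOLATILE = "non-volatile"


@dataclass
class EvidenceItem:
    """One evidence source from the Operation stage (hypothetical names)."""
    name: str        # e.g. "ap_log"
    source: str      # suspect device, scene device or other device
    path: Path       # where the original capture or file currently is
    volatility: str  # VOLATILE or NON_VOLATILE


@dataclass
class CustodyRecord:
    """Continuity-of-evidence record: hash at acquisition plus every handling event."""
    item: str
    original_sha256: str
    copy_path: str
    events: list = field(default_factory=list)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def acquisition_order(items):
    """Volatile sources (packets in flight, live tables) first, then non-volatile
    ones (AP and PC log files, stored files); the sort is stable within a class."""
    rank = {VOLATILE: 0, NON_VOLATILE: 1}
    return sorted(items, key=lambda i: rank[i.volatility])


def log_event(record, examiner, action):
    record.events.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
    })


def acquire(item, case_dir, examiner):
    """Hash the original, make a working copy, and refuse to continue unless the
    copy hashes identically. All later analysis uses the copy, never the original."""
    original_hash = sha256_file(item.path)
    copy_path = Path(case_dir) / f"{item.name}.copy"
    shutil.copyfile(item.path, copy_path)
    if sha256_file(copy_path) != original_hash:
        raise RuntimeError(f"working copy of {item.name} does not match the original")
    rec = CustodyRecord(item.name, original_hash, str(copy_path))
    log_event(rec, examiner, f"acquired {item.volatility} evidence from {item.source}")
    log_event(rec, examiner, "verified working copy against original hash")
    return rec


def verify_integrity(record):
    """Re-hash the working copy; any alteration since acquisition returns False."""
    return sha256_file(record.copy_path) == record.original_sha256


def run_demo():
    """Constructed sample case: three evidence sources written to a temp dir."""
    work = Path(tempfile.mkdtemp())
    samples = {
        "ap_log": (NON_VOLATILE, "scene device", b"10:02:11 assoc sta=02:00:00:00:00:01\n"),
        "wireless_packets": (VOLATILE, "scene device", b"constructed capture bytes\n"),
        "pc_log": (NON_VOLATILE, "suspect device", b"10:02:12 wlan connected\n"),
    }
    items = []
    for name, (vol, source, data) in samples.items():
        p = work / f"{name}.orig"
        p.write_bytes(data)
        items.append(EvidenceItem(name, source, p, vol))
    ordered = acquisition_order(items)
    records = {i.name: acquire(i, work, "examiner-A") for i in ordered}
    before = {n: verify_integrity(r) for n, r in records.items()}
    # Simulate an alteration of one working copy after acquisition.
    with open(records["ap_log"].copy_path, "ab") as f:
        f.write(b"10:09:00 deauth sta=02:00:00:00:00:01\n")
    intact = verify_integrity(records["ap_log"])
    log_event(records["ap_log"], "examiner-A", f"integrity check passed: {intact}")
    return {
        "order": [i.name for i in ordered],
        "verified_before": before,
        "ap_log_intact_after_change": intact,
        "records": records,
    }
```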

The Report stage produces a report on the content of the cybercrime event, the evidence related to the event, and the suspects. This report is sent to the court and becomes the basis of the judgment, so it must contain the following: Copywriting and Presentation, Examination of Forensics Result, Court Preparation, and File Establishment and Learning. Copywriting and Presentation describe the content of the case, the collected evidence, the evidence sources, and the forensic process. Examination of Forensics Result covers the evidence forensic procedures and the use of utilities. Court Preparation means that the digital evidence forensics must be classified and matched with the control procedure. Finally, in File Establishment and Learning, the forensic process, evidence types, and investigation experience of each cybercrime case are classified, filed, and shared, which helps future cybercrime investigations.

3 The Discussion of Investigator Process and Investigation Procedure

3.1 Analysis and Comparison

In this paper we collect five papers on cybercrime investigation procedures and analyze whether each proposed procedure has the following features and content: compatibility with traditional investigative procedures, cybercrime behavior analysis, evidence forensic procedures, case analysis and verification, methods of evidence collection and analysis, and the area of judicial jurisdiction. We include the area of judicial jurisdiction among the comparison items because it helps to understand the purpose and legal basis of each investigation procedure. The comparison of the cybercrime investigation procedures is shown in Table 1.

1) Compatibility with traditional investigative procedures: whether the cybercrime investigation procedure is proposed according to the conventional investigation procedure. This affects whether the procedure is easy to use by police or investigators without professional knowledge.

2) Analysis of cybercrime behavior: whether the investigation procedure clearly analyzes cybercrime behavior and describes the types of cybercrime it focuses on. This helps investigators find the scope to which the procedure applies.

3) Evidence forensic procedures: whether the investigation procedure has a forensic process and steps, which affects the process of collecting digital evidence. Without a forensic process, investigators may not know what digital evidence exists or where it can be collected.


4) Case analysis and verification: before an investigation procedure has actually been used, it is only a hypothesis. If the procedure is based on a real instance, or can be used to analyze and verify one, the feasibility of the investigation and evidence collection procedures increases.

5) Methods of evidence collection and analysis: if the investigation procedure has a scientific or mathematical method of analysis, the digital evidence collected by the procedure has greater probative force.

6) Area of judicial jurisdiction: the investigation procedures we collected are not all from the same judicial jurisdiction. Clarifying these jurisdictions helps investigators understand the purpose and legal basis of each procedure.

[12] provides a Cybercrime Execution Stack. This framework stack presents the technology of cybercrime, the criminal object of the attack, and the attack mode. Its main purpose is to classify cybercrime and serve as one step of a cybercrime investigation procedure. Therefore [12] only has the cybercrime analysis; it does not establish a full investigation and evidence collection process. [13] combines an investigative procedure with [12]: it is based on an investigation procedure that already exists and combines it with the framework of [12] to form an investigative procedure focused on cybercrime. However, [13] presents a conceptual investigation procedure and does not provide evidence forensic procedures or other methods. Therefore [13] is an investigative procedure that has compatibility with traditional investigative procedures and cybercrime behavior analysis. [26] provides a clearer investigation procedure than [13]: every investigation stage of [26] clearly describes the purpose of the stage and the source of forensic evidence. However, [26] does not describe the applicable types of cybercrime for its procedure, and provides neither clear evidence collection and analysis methods nor case analysis and verification. The procedure proposed in [26] therefore still needs to be proved usable in cybercrime events.

[35] provides an SOP of digital forensics for investigating wireless cybercrime. This SOP gives clear investigation phases based on the conventional investigative procedures, which makes the investigation procedure of [35] compatible with them. In addition, the procedure of [35] clearly defines each investigation step, the behavior of wireless cybercrime, and a real process of investigating a cybercrime case, and it clearly describes the process and sources of evidence forensics. Therefore the investigation procedure of [35] is highly viable. [16] provides a cybercrime investigation procedure based on criminology. This procedure is used to investigate Trojan cybercrime and to illustrate the current situation of this type of crime, which makes the procedure of [16] feasible. In addition, the procedure of [16] uses MDFA as the forensic process and the M-N model as the method for analyzing evidence in that process. Since the investigation procedure of [16] conforms to each of the above characteristics, it is a more complete cybercrime investigation procedure than the others.

3.2 The Viewpoints of Cybercrime Investigation Procedure

In this paper, the digital evidence forensic process is one of the stages of the cybercrime investigation procedure. When a cybercrime occurs, investigators collect digital evidence according to the crime type and preserve it. This digital evidence is very important in the investigation procedure: by analyzing it, investigators confirm the suspects, the crime facts, the time of occurrence, the location, and the possible criminal tools. The digital evidence forensic process is what allows the cybercrime investigation procedure to be carried out smoothly. Since every cybercrime case is independent, the digital evidence in these cases is presented in different ways. Therefore, the primary purpose of the digital evidence forensic process should be "whether direct evidence can be collected"; the second, "whether indirect evidence can be collected"; and finally, "which forensic method is the fastest." The reason for this order is that when the cybercrime comes to trial, the judge determines the outcome based on the direct evidence, and in the investigation procedure the direct and indirect evidence are the key to confirming the facts and the suspects. This evidence becomes a relevance indicator used to confirm the crime facts and the suspects, which is called the probative force of the evidence. If the forensic process is very fast but cannot guarantee the collection of evidence of high probative force, it increases the investigation time and wastes judicial resources. Therefore, digital evidence forensic methods should focus on how to collect direct and indirect evidence effectively.

In conventional crime, the evidence is substantive evidence, the perpetrator can be found easily, there is an actual location of the crime, and the crime tools are easy to find. Therefore, the purpose of investigation procedures for conventional crime is how to protect the crime scene, how to collect evidence from it, and how to arrest the criminals quickly. However, cybercrime is a new type of criminal offense. Its perpetrator is not easy to find directly because there is no actual location of the crime, so the evidence is not easy to preserve and view, and the criminal means and tools are not easy to find. Therefore, in cybercrime investigation procedures, how to collect the key digital evidence becomes the important point. From this digital evidence, investigators confirm the criminal facts, the perpetrator, the criminal tools, and the criminal means. Once the digital evidence is forged, altered, deleted, or destroyed, the investigation becomes hard to continue, or the investigators may even be misled; in the end, the innocent may be punished and the guilty released. Therefore, in the cybercrime investigation procedure, how to find the perpetrator accurately is the primary purpose; secondly, since judicial resources are limited, how to reduce their use is one of the key points. In addition, all investigative actions must be based on the relevant laws and regulations. Only evidence obtained through a legal process can be used at trial; this is called evidence capability. Evidence obtained through unlawful investigative conduct loses its evidence capability at trial and cannot be used to prove the defendant guilty. The collected evidence must first have evidence capability, and only then can it have probative force. Therefore, how to find and verify the perpetrator accurately and lawfully while reducing the use of judicial resources is the focus of cybercrime investigation procedures.

Table 1: The comparison between each investigation and forensics procedure of cybercrime

4 Future Works

In the future, the types, methods, and targets of cybercrime will keep changing, and every type of computer, network equipment, and smart phone will be a target of attack. The key points are how to combine digital forensic methods with the recent investigation procedures, or even to build a defense method into the investigation procedure, so that defense, detection, and investigation can all be carried out effectively. Since cybercrime will constantly change, the cybercrime investigation procedure should be established based on the type of crime. Besides investigating the crime facts after the event has occurred, the procedure must also have real-time detection and forensic functions. Therefore, before establishing the investigation procedure, we propose first to establish an architecture figure of cybercrime factors. Once a cybercrime occurs, investigators decide which investigation procedure to use based on the factors of the case, and determine whether there is subsequent criminal behavior. Many factors can affect cybercrime, so in the following we enumerate several of them: Criminal objects, Crime environment, Connection technology, Source areas of crime, and Crime types. The affecting factors of cybercrime are shown in Figure 6. For Criminal objects, we divide the targets of crime into three types: equipment, a single victim, and multiple victims. With this category, we wish to confirm the purposes of offenders for each type of victim.

For the Crime environment, we divide the environment into the Public network, the Private network, and the Half-Public network based on the classification of network type. The purpose of this classification is to find where crime clues exist through the criminal environment. For Connection technology, we enumerate three common network connection technologies: Ethernet, Wireless Fidelity (WiFi), and Mobile communication technologies (MCTs). This classification helps investigators collect the digital evidence. For Source areas of crime, we confirm the jurisdiction area of the crime, External or Internal, through the area in which the suspect was found. Finally, we divide the Crime types into Conventional and Technology. This classification of crime types is used to confirm the perpetrator of the crime and to establish investigation tactics from accumulated investigation experience. These factors are not in a constructed order; rather, they are the analysis items of cybercrime, used to develop the evidence forensic process and the investigation procedure.

Figure 6: The affecting factors of cybercrime

By combining these factors, two types of investigation procedure can be summarized: the Universal type of Cybercrime Investigation Procedure (UCIP) and the Particular type of Cybercrime Investigation Procedure (PCIP); and two types of cybercrime forensic process: the Universal type of Cybercrime Forensic Process (UCFP) and the Particular type of Cybercrime Forensic Process (PCFP), as shown in Figure 7.

The universal type describes conventional crime types. These are criminal offenses that already existed before the development of the Internet, such as fraud, intimidation, defamation, and so on; with the development of the Internet, the scenes of these conventional crimes are gradually transferred onto it. In order to investigate conventional crimes and collect digital evidence on the Internet, we propose to establish the UCIP and UCFP. They aim to provide a simple and accurate method of investigation so that general security police can also investigate cybercrime, and to avoid criminal investigations being hindered because investigators lack knowledge of network technology. The particular type describes technology-based crime types, in which the perpetrator uses expertise and tools to commit the offense so that investigators without expertise cannot understand the method of the crime, such as network attacks, system intrusion, identity camouflage and hiding, data theft, and so on. Since investigating these crimes requires technical expertise, the investigation process is very difficult, and general security police cannot investigate this kind of cybercrime. Therefore, we propose to establish the PCIP and PCFP for the particular type of cybercrime. Their purpose is to allow the general security police and investigators with technical expertise to cooperate in the investigation of the cybercrime and to improve its efficiency.

Figure 7: The investigation and forensics of cybercrime

Since the Internet will continue to develop in unknown ways, the affecting factors and sub-factors of cybercrime will not be confined to the range of Figure 6, and the investigation procedures and forensic processes will not be limited to the two types in Figure 7. Once a new type of cybercrime event occurs, investigators still need to analyze the technology and features of the cybercrime and establish the corresponding investigation and forensic procedures.

Furthermore, after the investigation procedure, the criminal case enters the judgment procedure in the court. The result of a trial differs between cybercrime and conventional crime. The judgment procedure affects which evidence needs to be collected in the investigation procedure, and the evidence affects how the judge finds the crime facts and the result of the trial. Therefore, the investigation procedure and forensic method for cybercrime still need to be adjusted and modified according to the results of trials.


5 Conclusions

In this research, we focus on how to collect digital evidence from cybercrime events and how to propose an effective cybercrime investigation procedure. Digital evidence helps find the real perpetrators during the investigation and brings them to justice at trial; an effective investigation procedure reduces the waste of judicial resources and protects human rights. A good method of collecting digital evidence, in addition to collecting it quickly, should focus on collecting digital evidence of high probative force. Whether the digital evidence is collected automatically by the computer system or manually by the system administrator, its value is based on how much probative force it can provide at trial. A good cybercrime investigation procedure requires less use of judicial resources and avoids the mandatory punishment of suspects.

Acknowledgments

The author expresses a deep sense of gratitude to the Department of Science & Technology (DST), Govt. of India, for financial assistance through an INSPIRE Fellowship leading to a PhD, under which this work has been carried out at the Department of Computer Science & Engineering, University of Kalyani.

References

[1] I. O. Ademu, C. O. Imafidon, D. S. Preston, "A new approach of digital forensic model for digital forensic investigation," International Journal of Advanced Computer Science and Applications, vol. 2, no. 12, pp. 175–178, 2011.

[2] D. Brezinski, T. Killalea, "Guidelines for evidence collection and archiving," RFC 3227, 2002.

[3] R. P. Bryant, Investigating Digital Crime, Wiley, 2008.

[4] E. Casey, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press, pp. 41–46, 2000.

[5] E. Casey, Handbook of Digital Forensics and Investigation, Academic Press, 2009.

[6] E. Casey, Digital Evidence and Computer Crime, Academic Press, 2004.

[7] B. Carrier, "Defining digital forensic examination and analysis tools using abstraction layers," International Journal of Digital Evidence, vol. 1, no. 4, pp. 1–12, 2003.

[8] B. Carrier, E. H. Spafford, "Getting physical with the digital investigation process," International Journal of Digital Evidence, vol. 2, no. 2, pp. 1–20, 2003.

[9] Y. Chen, S. Das, P. Dhar, A. E. Saddik, A. Nayak, "Detecting and preventing IP-spoofed distributed DoS attacks," International Journal of Network Security, vol. 7, no. 1, pp. 69–80, 2008.

[10] A. M. Gahtan, Electronic Evidence, Thomson Canada Limited, 1999.

[11] M. Geva, A. Herzberg, Y. Gev, "Bandwidth distributed denial of service: Attacks and defenses," IEEE Security & Privacy, vol. 1, pp. 54–61, 2014.

[12] P. Hunton, "The growing phenomenon of crime and the Internet: A cybercrime execution and analysis model," Computer Law & Security Review, vol. 6, no. 6, pp. 528–535, 2009.

[13] P. Hunton, "The stages of cybercrime investigations: Bridging the gap between technology examination and law enforcement investigation," Computer Law & Security Review, vol. 27, no. 1, pp. 61–67, 2011.

[14] N. Jeyanthi, N. Ch. Sriman Narayana Iyengar, "An entropy based approach to detect and distinguish DDoS attacks from flash crowds in VoIP networks," International Journal of Network Security, vol. 14, no. 5, pp. 257–269, 2012.

[15] D. Y. Kao, S. J. Wang, "The IP address and time in cyber-crime investigation," Policing: An International Journal of Police Strategies & Management, vol. 32, no. 2, pp. 194–208, 2009.

[16] D. Y. Kao, S. J. Wang, F. F. Y. Huang, "SoTE: Strategy of Triple-E on solving Trojan defense in cyber-crime cases," Computer Law & Security Review, vol. 26, no. 1, pp. 52–60, 2010.

[17] G. C. Kessler, "Anti-forensics and the digital investigator," in Proceedings of the 5th Australian Digital Forensics Conference, 2007.

[18] G. A. Lee, D. W. Park, Y. T. Shin, "A study on the chain of custody for securing the faultlessness of forensic data," Journal of the Korea Society of Computer and Information, vol. 11, no. 6, pp. 175–184, 2006.

[19] S. H. Lee, H. Kim, S. Lee, J. Lim, "Digital evidence collection process in integrity and memory information gathering," in Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05), pp. 236–247, 2005.

[20] C. Y. Liu, C. H. Peng, I. C. Lin, "A survey of botnet architecture and botnet detection techniques," International Journal of Network Security, vol. 16, no. 2, pp. 81–89, 2014.

[21] M. Mahmoud, M. Nir, A. Matrawy, "Survey on botnet architectures, detection and defences," International Journal of Network Security, in press.

[22] B. Mihajlov, M. Bogdanoski, "Analysis of the WSN MAC protocols under jamming DoS attack," International Journal of Network Security, vol. 16, no. 4, pp. 304–312, July 2014.

[23] E. Moulton, The Future of Cybercrime, Police Professional, 2008.


[24] S. Mukkamala, A. H. Sung, "Identifying significant feature for network forensic analysis using artificial intelligent techniques," International Journal of Digital Evidence, vol. no. 4, pp. 1–17, 2003.

[25] J. S. Park, U. H. Choi, J. Moon, T. Shon, "A study on network forensics information in automated computer emergency response system," Journal of the Korea Institute of Information Security and Cryptology, vol. 14, no. 4, pp. 149–162, 2004.

[26] Y. D. Shin, "New model for cyber crime investigation procedure," Journal of Next Generation Information Technology, vol. 2, no. 2, pp. 1–7, 2011.

[27] D. L. Shinder, M. Cross, Scene of the Cybercrime, Second Edition, Syngress, 2008.

[28] C. Sorrells, L. Qian, "Quickest detection of denial-of-service attacks in cognitive wireless networks," International Journal of Network Security, vol. 16, no. 6, pp. 468–476, 2014.

[29] M. Subramanian, T. Angamuthu, "An autonomous framework for early detection of spoofed flooding attacks," International Journal of Network Security, vol. 10, no. 1, pp. 39–50, 2010.

[30] J. Udhayan, T. Hamsapriya, "Statistical segregation method to minimize the false detections during DDoS attacks," International Journal of Network Security, vol. 13, no. 3, pp. 152–160, 2011.

[31] D. S. Wall, Cybercrime: The Transformation of Crime in the Information Age, Polity Press, 2007.

[32] S. J. Wang, "Measures of retaining digital evidence to prosecute computer-based cyber-crimes," Computer Standards & Interfaces, vol. 29, pp. 216–223, 2007.

[33] S. J. Wang, "Measures of retaining digital evidence to prosecute computer-based cyber-crimes," Computer Standards & Interfaces, vol. 29, no. 2, pp. 216–223, 2007.

[34] M. Yar, Cybercrime and Society, Sage Publishing Ltd, 2006.

[35] Y. S. Yen, I. L. Lin, A. Chang, "A study on digital forensics standard operation procedure for wireless cyber-crime," International Journal of Computer Engineering Science, vol. 2, no. 3, pp. 26–39, 2012.

Jia-Rong Sun received the B.S. and M.S. degrees in Computer Science and Information Engineering from Asia University, Taiwan, in 2010. He is currently a Ph.D. student in the Department of Computer Science and Information Engineering, Taichung, Taiwan. His research interests include information security and cybercrime investigation.

Mao-Lin Shih received the B.S. degree from the College of Law, National Taiwan University, Taipei, Taiwan, and an honorary Ph.D. from Woosuk University, Korea, in 2009. Dr. Shih was a judge from 1984 to 1993 and a Chief Prosecutor from 1997 to 2004. From 2005 to 2008, he was the Minister of the Ministry of Justice in Taiwan. He is currently a professor in the Department of Financial and Economic Law at Asia University and the director-general of the Legal Risk Management Society of Taiwan. His current research includes criminal law and legal case study.

Min-Shiang Hwang received the B.S. in Electronic Engineering from National Taipei Institute of Technology, Taipei, Taiwan, Republic of China, in 1980; the M.S. in Industrial Engineering from National Tsing Hua University, Taiwan, in 1988; and the Ph.D. in Computer and Information Science from National Chiao Tung University, Taiwan, in 1995. He also studied Applied Mathematics at National Cheng Kung University, Taiwan, from 1984 to 1986. Dr. Hwang passed the National Higher Examination in the field "Electronic Engineer" in 1988. He also passed the National Telecommunication Special Examination in the field "Information Engineering", qualifying as a first-class advanced technician in 1990. From 1988 to 1991, he was the leader of the Computer Center at Telecommunication Laboratories (TL), Ministry of Transportation and Communications, ROC. He was also a project leader for research in computer security at TL in July 1990. He obtained the 1997, 1998, and 1999 Distinguished Research Awards of the National Science Council of the Republic of China. He is a member of IEEE, ACM, and the Chinese Information Security Association. His current research interests include database and data security, cryptography, image compression, and mobile communications.

