Browser unable to execute script; please use the site map to navigate the site.

On Generic Digital Forensic Readiness



(Citation)Citation information

M. S. Olivier. “On Generic Digital Forensic Readiness”. In: AAFS 72nd Annual Scientific Meeting. (Oral presentation; abstract included in proceedings). Anaheim, CA, USA, Feb. 2020


In digital forensics the phrase forensic readiness refers to information that needs to be collected during day-to-day operations of IT systems, such that the evidence required to examine a specific case at some stage will be available and known to be reliable. This paper provides a generic model of the notion. The intention is to move the discourse from how such information may be collected to a deeper discussion of the cost/benefit trade-offs required (where cost also refers to the privacy of the innocent).

Had the phrase forensic readiness occurred in other forensic science disciplines it would probably have referred to the availability of data and samples to facilitate a laboratory’s (or analyst’s) ability to examine a variety of cases. Examples that come to mind are databases of fingerprints, fibre characteristics, and chemical composition of drugs, to name but a few. The hashes of known software maintained as part of the US National Software Reference Library (Rowe 2012) is arguably the best-known example of such preparation in the digital forensics discipline.

Note that such “readiness” is not entirely foreign to forensic science. Cockpit voice and data recorders are of immense value when the causes of aviation accidents are examined (and they are present solely for such investigations). In many contexts a (manual or digital) log of activities is maintained that, again, is very useful during an investigation that involves those activities. However, a more abstract (and more formal) description of typical forensic readiness not only serves to better distinguish such work from the examples mentioned above, but also enables one to present a generic forensic readiness model.

Forensic readiness is typically engineered for some system S. The readiness often targets some irregularity (such as specific crimes, or contraventions of corporate policy). Let i be some irregular activity (such as spoofing of an email, or some specific form of fraud). The set of activities Ai that would be sufficient to perform i is then determined. To be ready to examine i it is then posited that each activity in Ai should leave a trace. Such a trace is recorded in a logging facility, with the nature of the log entry dependent on the information required to prove i. Let, for any set of traces, T, the proposition ρ(T,i) denote that T is sufficient to prove i. If ρ(T,i) and T implies the activities A (from the construction of T) then, readiness papers argue, that i has been demonstrated.

We contend that a simple model based on this notation simplifies the description of a forensic readiness model; this is explored for a number of proposed readiness models.

Based on the simple model, important questions such as whether the space required for storing traces is warranted by the prevalence (or impact) of any given inappropriate action i. Questions about the size of the generated traces naturally raise the question whether the size for any proposed mechanism is minimal. It may be possible to offset the costs of being ready for i if i-readiness also implies j-readiness for a j I; that is when ρ(S,i) ρ(S,j).

A major concern about readiness models is the fact that it collects ‘evidence’ about innocent people even before an irregular activity is performed. It seems possible to consider privacy metrics for a set of traces T. If two equivalent readiness models lead to the collection of traces T and T, respectively, then the one with the better privacy score is obviously the better choice. However, even the better model may not justify the cost in terms of privacy.

In summary, this paper presents a simple generic digital forensic readiness model that allows researchers to propose specific readiness models more concisely. More importantly, the concise description facilitates comparison. In particular does it make provision for more reflection on the nature, utility and impact of proactive traces collected.
Rowe, N. C. 2012. “Testing the National Software Reference Library.” Digital Investigation 9:S131 – S138. The Proceedings of the Twelfth Annual DFRWS Conference

(BibTeX record)BibTeX reference

author={Martin S Olivier},
title={On Generic Digital Forensic Readiness},
booktitle={AAFS 72nd Annual Scientific Meeting},
address={Anaheim, CA, USA},
note={(Oral presentation; abstract included in proceedings)} )