Cyber Investigator Staircase Model

Prior to applying this module to a previously stated case, the author will explain in detail what the actual Cyber Investigator Staircase Model (CISM) is and how it is used. The investigative process model is best described and depicted as a sequence of ascending stairs, in which it provides a practical and methodical approach to conducting an effective digital investigation (Casey & Palmer, 2004). Digital investigators, forensic examiners, and attorneys work together to scale these steps from bottom to top in a systematic, determined manner in an effort to present a compelling story after reaching the final step of persuasion/testimony.

The unique methods and tools employed in each category tie the investigative process to a particular forensic domain. The terms located on the riser of each step are those more closely associated with the law enforcement perspective. To the right of each term is a more general descriptor that captures the essence of each step of the process.

First, case management is depicted as a handrail in the below figure because it plays a vital role in any investigation and spans across all the steps in the process model. It provides stability and enables investigators to tie all relevant information together, allowing the story to be told clearly. In many cases, the mechanisms used to structure, organise, and record pertinent details about all events and physical exhibits associated with a particular investigation are just as important as the information presented. This model could be simplified by treating recovery, harvesting, reduction, organization, and search as subcomponents of the examination step. In addition, it could be made more comprehensive by adding a step to cover the transportation of evidence.

Staircase Model Diagram

The model consists of the following steps:

  • Incident alerts or accusation: This step involves the initial reporting of a crime of policy violation.
  • Assessment of worth: The worth of investigating is estimated and in case of multiple cases in parallel, a prioritisation of them is performed.
  • Incident/crime scene protocols: It includes the procedures and methodical steps that must be followed by the investigator when accessing the incident/crime scene. The protocols may differ depending on the real or virtual nature of the incident/crime scene.
  • Identification of seizure: Recognition of any relevant object that could be of evidentiary value is performed and seizing of it is conducted. Proper packaging procedures for identification and linking to the specific incident/crime instance are applied.
  • Preservation: It involves are necessary case management tasks in order to protect the integrity of the original media and prohibit any inadvertent modifications. This step is the beginning of the chain of custody through documentation that will allow the traceability of the object’s origin to the final evidence. This step involves mostly imaging technologies in order to acquire as much exact copies of the original object as possible. There is a variety of solutions used such as specialized imaging hardware, write-block software order to fulfill the task. Order of Volatility has to be considered in regarding what must be collected and in which order.
  • Recovery: Prior to the analysis step, a recovery of any resident but not directly observable data has to be performed. The most prominent example is that of data resident in a storage device which can include deleted, hidden, camouflaged or fragmented parts. The completeness of the recovery step may allow later access to not only active data but potentially to hidden and deleted ones thus providing access to the maximum possible amount of content and therefore enabling the investigator to perform a much more complete analysis .
  • Harvesting: The investigator identifies categories of data that based on knowledge or experiences are mostly related to the case in focus. The results of the previous phase are organized in such a manner so as to allow access to specific categories of data which are known to be relevant to specific types of cases, e.g. pictures and videos in the case of contraband material or executable files and scripts in the case of computer compromises.
  • Reduction: During this step, a filtering is performed based on related criteria in order to reduce the amount of data needed for the analysis. A common technique is the automated removal of known files that are part of operating systems or other applications. The signatures of these files, commonly in the form of a hash, can be stored as database and used in combination with the forensic tools in order to remove unnecessary data.
  • Organization and Search: In order to facilitate a more thorough and complete analysis, groupings of certain files and data in general can be performed. This can enable the investigator to have an easier access to the data, perform search operations that can identify faster interesting data or events and finally allow cross-referencing between data as well as the final reports.
  • Analysis: This is the main task where the products of the previous steps are further evaluated for their significance and probative value to the case. The main focus in this step is the content of the data selected from the previous steps as well as interpretation of them in relation to the case in hand. The analysis part is usually quite loosely defined in the majority of digital forensics process models and a further more detailed description of it and its subcategories follows below.
  • Reporting: The final report should contain all the necessary documentation of actions and results attained throughout all the previous steps. The report also contains the results of the analysis phase with data of evidentiary value along with any conclusions drawn by the examiner. The examiner should remain objective by presenting only the supporting evidence as well as other scenarios that cannot be supported by the current evidence.
  • Persuasion and testing: Often, the final result of an investigative process must be communicated to decision makers in a clear and understandable manner with the incident and the conclusion of the investigation.

To apply the CISM module, the author has identified the following scenario by D. Leslie, 2014, Legal Principles for Combatting Cyberlaundering, from research and will apply the guidelines to this scenario:

The prosecution of cyber-laundering should commence duly on a lawful basis, and one that should not cause any hindrance to prosecution where the crime in question has prescribed. However, in the above scenario it is interesting that due to it being money laundering it involves two distinct offences; the money laundering offence and the predictive offence upon which the former is based.

Case Management: this plays a vital role and is crucial during every stage of the investigation and more so during digital investigations because of the sensitive and fragile nature of digital investigations.

In the above hypothetical scenario the activities of Jack Sparrow and John Doe can only be detected by the way of the internal regulatory mechanisms that should have been in situ within the gaming website, SL. By conducting tracing and monitoring closely the activities of every individual the company would have been in the best position report and identify the suspicious behaviour.

During the initial gleaning of all evidence and information the investigators should have already been able to recognise and identify the potential sources of required digital evidence, this phase is crucial because it will allow the best evidence to be preserved. Also whilst this is ongoing the investigator should have already identified the offence and the actus reus elements of the crime, however, it will only be presumed at this time until all the evidence has been collected and collated.

The CISM modules being applied at a glance are as follows:

The predictive offence in question is that of drug dealing, with the next element in this scenario being that of illegal funds in that it can clearly be seen the presence of illegal funds totalling US$2 million. In the activity is simple because it shows that Jack Sparrow layers the proceeds by funnelling them into SL, using his accomplices like John Doe. To conduct this type of crime the main element of technology is a computer and the service platforms of the gaming company. To obtain this information the investigators will need to obtain authority to do so via the correct authorities relevant to the country and local state laws, once this has been obtained the investigator can then begin to seize the computer that John Sparrow et al have been using and also request the documentation from the gaming company SL importantly ensuring that a request is for all accounts and details pertaining to Jack Sparrow et al. Of particular interest would also be any other devices that can be used to access the internet or electronic profiles for example mobile telephones.

Once all of this has been seized and/or received the importance here is of evidential preservation this is paramount and should be recorded in great detail on the case management system. All evidential exhibits should be handled in line with the required policy/procedures and when being transported to and from various investigators or technicians recorded so.

During the examination stage of the evidential products a through comprehensive note should be detailed and stored within a file or on the case management system to ensure the integrity of such. Once the examination has been conducted a report will be compiled for the investigator and this will identify any evidential facts or findings that are relevant to pursue the case.

Once these have been received by the investigator it will be then down to them to review all of the findings and if required request further examinations of the relevant or missing data. Only once the investigator is happy will they proceed to a full and detailed report, which dependant on legislation etc. may or may not include an interview of Jack Sparrow et al. it will however include a full synopsis and clear defined guidelines and findings of the investigation with whom the information should be reported to.

Copyright | © 2017 Stephen Langley

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

About the Author

Stephen Langley is an accomplished Senior Security Professional and Brand Protection Manager, who has expertise in compliance related investigations. Stephen holds a degree in UK Law (LLB) that he attained from the Open University and a MSc in Security Management that he obtained from the University of Portsmouth and also various Leadership and Management qualifications.


Other Publications from Stephen

Langley S. (2016). ‘Insider Threat’ in M. Petrigh (ed.) Security and Risk Management: Critical Reflections and International Perspectives, Volume 1 (pp. 37-68). London: Centre for Security Failures Studies Publishing


Subscribe to Stephen’s Articles

Readers who would like to receive an automatic notification every time Stephen Langley publishes a new Article on our Blog can subscribe via FeedBurner, either by email or RSS.




The opinions expressed in this Article are those of the author and do not reflect the opinions of the Centre for Security Failures Studies or its Editors or its Members. Neither the Centre for Security Failures Studies nor the author of this Article guarantee the accuracy or completeness of any information published herein and neither the Centre for Security Failures Studies nor the author shall be responsible for any error, omission, or claim for damages, including exemplary damages, arising out of use, inability to use, or with regard to the accuracy or sufficiency of the information contained in this Article.

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s