Based on the principle of the Zachman Framework, we propose and design an Investigation and Intelligence Framework: an automated mechanism that identifies potential suspects at an early stage to ease further investigation and correlates evidence to give an overview of the whole cybercrime. Our framework adopts four of the Zachman intersections, i.e. When, Where, Who and How. These 4W of an incident are the factors of concern whatever type of cybercrime has happened. To fulfill this 4W concept, the related artifacts (timeline, location, identity and attack path) are recognized effectively at an earlier phase, so investigators can tackle cybercrimes more successfully.
The table summarizes the relationship between the 4W concepts and the evidence, and how the IIFramework Tool and Maltego help in each case.
Below is the basic flow of the IIFramework Tool: evidence data is imported into the engine, which extracts the IP addresses, domains and email addresses it contains; using the intelligence, it then ranks which evidence data deserves more attention for further investigation. Maltego helps to correlate the important evidence to give a bigger picture of the incident.
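The extract-then-rank flow above, as an added illustration that is not the IIFramework Tool's own code: artifacts are pulled from constructed sample evidence lines and scored against a constructed intelligence list, so intelligence hits rise to the top and frequency only breaks ties.

```python
import re
from collections import Counter

# Patterns for the three artifact types the flow extracts. The domain pattern
# is deliberately simple and will also match dotted file names; filter those
# downstream if the evidence source contains them.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample evidence (proxy, mail and DNS lines), not real data.
EVIDENCE = [
    "2024-03-01 09:12:05 proxy allow 10.0.0.5 -> update.example.com",
    "2024-03-01 09:13:41 mail from: billing@invoice-example.net to: alice@corp.example",
    "2024-03-01 09:14:02 proxy allow 10.0.0.5 -> invoice-example.net",
    "2024-03-01 09:14:09 dns query invoice-example.net A 203.0.113.77",
    "2024-03-01 09:15:30 proxy allow 10.0.0.5 -> update.example.com",
]
# Constructed intelligence: indicator -> confidence weight (hypothetical values).
INTEL = {"invoice-example.net": 3, "203.0.113.77": 2}


def extract_artifacts(evidence):
    """Return a Counter keyed by (kind, value) over all evidence lines."""
    found = Counter()
    for line in evidence:
        for ip in IP_RE.findall(line):
            if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
                found[("ip", ip)] += 1
        for email in EMAIL_RE.findall(line):
            found[("email", email.lower())] += 1
        # Remove e-mail addresses first so their domain part is not double counted.
        for domain in DOMAIN_RE.findall(EMAIL_RE.sub(" ", line)):
            found[("domain", domain.lower())] += 1
    return found


def rank_artifacts(found, intel):
    """Score each artifact: intelligence weight dominates, count breaks ties."""
    ranked = []
    for (kind, value), count in found.items():
        # An e-mail address inherits the intelligence of its domain part.
        weight = max(intel.get(value, 0), intel.get(value.split("@")[-1], 0))
        ranked.append((count + 100 * weight, kind, value, count))
    ranked.sort(key=lambda row: (-row[0], row[1], row[2]))
    return ranked


if __name__ == "__main__":
    for score, kind, value, count in rank_artifacts(extract_artifacts(EVIDENCE), INTEL):
        print(f"{score:5d} {kind:7s} {value} (seen {count}x)")
```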
A tool has been developed to demonstrate the framework, correlating evidence and intelligence in order to provide a big picture of the cybercrime story and make investigation more effective. Maltego also contributes the functionality of correlating the evidence found by the tool; with the integration of MalProfile (developed by ran2), it gives a clearer picture of the potential incident or cybercrime story.
The video is a demo of the Investigation and Intelligence Framework.