Article

Enhancing Traditional Reactive Digital Forensics to a Proactive Digital Forensics Standard Operating Procedure (P-DEFSOP): A Case Study of DEFSOP and ISO 27035

Department of Computer Science and Information Engineering, Tatung University, No 40, Sec. 3, Zhongshan N. Rd., Taipei City 104327, Taiwan
* Author to whom correspondence should be addressed.
Appl. Sci. 2025, 15(18), 9922; https://doi.org/10.3390/app15189922
Submission received: 5 August 2025 / Revised: 25 August 2025 / Accepted: 3 September 2025 / Published: 10 September 2025
(This article belongs to the Section Computing and Artificial Intelligence)

Abstract

With the growing intensity of global cybersecurity threats and the rapid advancement of attack techniques, strengthening enterprise information and communication technology (ICT) infrastructures and enhancing digital forensics have become critical imperatives. Cloud environments, in particular, present substantial challenges due to the limited availability of effective forensic tools and the pressing demand for impartial and legally admissible digital evidence. To address these challenges, we propose a proactive digital forensics mechanism (P-DFM) designed for emergency incident management in enterprise settings. This mechanism integrates a range of forensic tools to identify and preserve critical digital evidence. It also incorporates the MITRE ATT&CK framework with Security Information and Event Management (SIEM) and Managed Detection and Response (MDR) systems to enable comprehensive and timely threat detection and analysis. The principal contribution of this study is the formulation of a novel Proactive Digital Evidence Forensics Standard Operating Procedure (P-DEFSOP), which enhances the accuracy and efficiency of security threat detection and forensic analysis while ensuring that digital evidence remains legally admissible. This advancement significantly reinforces the cybersecurity posture of enterprise networks. Our approach is systematically grounded in the Digital Evidence Forensics Standard Operating Procedure (DEFSOP) framework and complies with internationally recognized digital forensic standards, including ISO/IEC 27035 and ISO/IEC 27037, to ensure the integrity, reliability, validity, and legal admissibility of digital evidence throughout the forensic process. Given the complexity of cloud computing infrastructures—such as Chunghwa Telecom HiCloud, Amazon Web Services (AWS), Google Cloud, and Microsoft Azure—we underscore the critical importance of impartial and standardized digital forensic services in cloud-based environments.

1. Introduction

Most cyber intrusions remain difficult to mitigate effectively because threat actors exploit system vulnerabilities, phishing schemes, and social engineering tactics, making it increasingly challenging for cybersecurity administrators to respond in a timely and effective manner. In recent years, proactive digital forensics in cloud environments has faced unprecedented challenges. The latest research indicates [1] that while enterprise SIEM tools handle an average of 259 log types from nearly 24,000 unique log sources, they still miss 79% of known MITRE ATT&CK techniques, highlighting the inadequacy of existing defense mechanisms in threat detection coverage. A significant number of enterprises and users fail to regularly update their systems due to various factors, including concerns about post-update system stability, logistical barriers associated with managing large-scale updates, and user negligence or procrastination. These issues leave critical systems exposed to known vulnerabilities, thereby escalating organizational cybersecurity risks.
To strengthen cyber defense capabilities, it is essential to conduct a comprehensive analysis of attacker intrusion techniques and behavioral patterns, coupled with the implementation of robust risk mitigation strategies. By integrating MITRE ATT&CK threat detection methodologies with digital forensics (DF) investigation frameworks, we systematically analyze digital artifacts left by adversaries and correlate them with the methods used during intrusions. This integration enhances situational awareness, provides actionable insights into the extent and nature of compromises, and enables organizations to adopt proactive and preventive security strategies to minimize their exposure to cyber threats.
Although proactive digital forensics (PDF) has become a pivotal trend in modern cybersecurity, it still faces challenges related to the preservation and legal admissibility of digital evidence. Once evidence is collected, additional safeguards are required to maintain its integrity and authenticity. To address this issue, it is vital to enhance evidence protection mechanisms by incorporating advanced techniques such as cryptographic encryption, digital signatures, secure storage protocols, and blockchain-based solutions to prevent evidence tampering or unauthorized access.
The remainder of this paper is structured as follows: Section 2 introduces the development and applications of proactive digital forensics. Section 3 discusses the international standard ISO/IEC 27035 for information security incident management. Section 4 presents the system architecture designed for attack-defense simulations and exercises. Section 5 explains the simulation of cyberattacks using the MITRE ATT&CK framework and proactive forensic tools. Section 6 details the deployment design and implementation of the proposed digital forensics mechanism. Section 7 concludes the study and outlines future research directions.

2. Development and Application of Proactive Digital Forensics Technology

2.1. Definition of P-DEFSOP

P-DEFSOP is a standard operating procedure (SOP) that operationalizes proactive digital forensics readiness on top of DEFSOP by (i) pre-positioning collectors and integrity controls, (ii) mapping correlation rules to ATT&CK techniques, (iii) embedding chain-of-custody and legal controls per ISO/IEC 27037/27041/27042/27043, and (iv) defining quantitative verification steps (coverage, F1, MTTD/MTTR, log-loss). It is not a software product; it is an actionable, step-by-step procedure with checklists, forms, and evidence requirements.

2.2. Application of Emerging Technologies in Proactive Digital Forensics

As cybersecurity threats continue to evolve, proactive digital forensics has advanced considerably. The integration of machine learning into Security Information and Event Management (SIEM) systems enhances real-time threat detection by automatically identifying anomalous behavioral patterns and generating early alerts. In addition, the adoption of blockchain technology to safeguard the integrity of digital evidence ensures both traceability and immutability of the chain of custody, thereby providing stronger technical guarantees of legal admissibility.
Proactive digital forensics (PDF) refers to a forward-looking forensic methodology designed to identify and preserve potential digital evidence prior to the occurrence of security incidents or cybercrimes [2,3]. Unlike traditional reactive digital forensics—illustrated in Figure 1—which is initiated post-incident and focuses on retrospective investigation, PDF emphasizes the early detection, analysis, and mitigation of threats to prevent malicious activities before they materialize.
Conventional digital forensics typically involves the post-event analysis of compromised systems, where investigators extract digital evidence from hard drives, memory dumps, system logs, and other sources [4]. However, such analyses often occur with substantial time delays and involve large volumes of data, limiting their utility in preempting future attacks. In contrast, proactive digital forensics enhances cybersecurity resilience by implementing continuous monitoring systems, threat intelligence integration, and automated incident response protocols to detect and respond to anomalies in real time—before they evolve into full-scale security breaches. Furthermore, blockchain-based evidence integrity protection technology [5] provides innovative solutions for proactive digital forensics, ensuring the immutability of digital evidence throughout the collection, analysis, and preservation processes through distributed ledger technology, significantly enhancing the legal admissibility of evidence.
Given the growing complexity and sophistication of cyber threats, proactive digital forensics has emerged as a necessary and effective strategy for modern enterprise defense. For example, Grobler, Louwrens, and von Solms (2010) introduced a framework to guide the implementation of proactive digital forensics in organizational settings [6]. More recently, Makura et al. (2020) proposed the use of keystroke logging from cloud-based environments as a source of potential digital evidence to enhance forensic readiness [7], further underscoring the importance of forward-thinking forensic methodologies.
Building on these foundations, this study integrates the Digital Evidence Forensics Standard Operating Procedure (DEFSOP) proposed by Yi-Long Lin (see Figure 2) with international forensic standards [8,9] to develop a structured and standardized digital forensic framework. The proposed approach categorizes the forensic process into four distinct and interdependent phases—Conceptual, Preparation, Operational, and Reporting [10] (see Figure 3)—thereby ensuring a systematic, traceable, and legally sound process for managing cybersecurity incidents.
Table 1 provides a comparison of the different contributions of P-DEFSOP with standard operating procedures such as DEFSOP and ISO. This comparison highlights the innovation of P-DEFSOP in ensuring legal admissibility while transitioning from passive to active digital forensic preparation.

3. International Standard for Information Security Incident Management: ISO/IEC 27035

ISO/IEC 27035 is a globally recognized standard that provides a unified, comprehensive, and reliable framework for managing information security incidents. It emphasizes a full lifecycle approach to incident management, including prevention, preparation, detection, assessment, investigation, resolution, and documentation. By adopting ISO/IEC 27035, organizations can establish a structured, adaptable, and effective incident response capability, enabling them to manage diverse cybersecurity threats efficiently while minimizing potential damage and operational disruptions.
The ISO/IEC 27035 framework outlines key principles and best practices that enhance organizational readiness and response efficiency. The standard’s incident management lifecycle [11,12] (Figure 4) comprises the following phases:
1. Prevention Phase: Focuses on reducing the likelihood of security incidents by implementing appropriate security controls and proactive risk mitigation strategies.
2. Preparation Phase: Involves the development of incident response plans, communication strategies, and personnel training to ensure a timely and effective organizational response to potential incidents.
3. Identification and Assessment Phase: Ensures the timely detection and evaluation of incidents to determine their severity, potential impact, and required response actions.
4. Investigation Phase: Conducts forensic analysis to identify the root cause, origin, and scope of the security incident.
5. Resolution Phase: Implements mitigation and recovery strategies to contain and remediate the incident while restoring affected systems to normal operations.
6. Documentation Phase: Involves comprehensive recording of incident details, actions taken, and lessons learned, which contribute to continuous improvement of future incident response capabilities.
By adhering to this structured framework, organizations can significantly improve their cybersecurity posture, enhance their ability to manage threats proactively, and foster a culture of continual improvement.

3.1. ISO/IEC 27035-1:2023—Overview of Information Security Incident Management (Part 1: Principles and Process, Second Edition)

Part 1 of the standard provides a foundational overview of the core concepts, principles, and end-to-end processes involved in information security incident management. It defines the standard’s purpose, scope, and applicability, while illustrating the interrelationships among its key components. This part emphasizes a holistic and structured approach to incident management, spanning all lifecycle phases—from prevention to documentation—and underlines the importance of coordinated, efficient, and resilient response mechanisms. Recent studies [14] have indicated that the integration of ISO/IEC 27001 and ISO/IEC 27035 provides a comprehensive framework foundation for building resilient cybersecurity strategies in 2025, enabling organizations to establish more comprehensive and forward-looking incident management capabilities.

3.2. ISO/IEC 27035-2:2023—Guidelines to Plan and Prepare for Incident Response (Part 2: Principles of Information Security Incident Management, Second Edition)

This part of the standard provides detailed guidance for the planning and preparation activities required for effective incident response. It encompasses critical elements such as risk assessment, incident classification, escalation procedures, response protocols, and inter-departmental coordination. These guidelines help organizations to develop a proactive and comprehensive incident management strategy that is aligned with their operational and security needs.

3.3. ISO/IEC 27035-3:2020—Guidelines for ICT Incident Response Operations (Part 3: Guidelines for Incident Response Operations, First Edition)

Part 3 outlines the practical aspects of implementing incident response operations. It includes the establishment and operation of dedicated Incident Response Teams (IRTs), defining their roles, responsibilities, and structured workflows. This part provides actionable guidance on executing incident response procedures, enabling IRTs to operate efficiently and cohesively. Empirical research [15] demonstrates that automated incident response practices based on the ISO/IEC 27035-3:2020 guidelines can significantly improve organizational threat handling efficiency, reducing the average incident response time by 35%. The incident response process under this standard is depicted in Figure 5.

3.4. ISO/IEC 27035-4—Coordination in Information Security Incident Management (Part 4: Coordination)

This section focuses on cross-organizational collaboration and coordination during information security incidents. It provides guidance on how multiple entities—whether within the same enterprise group or across different organizations—can effectively work together to contain and resolve security incidents. It also discusses the strategic role of coordination teams and the implications of external partnerships in terms of an organization’s internal incident response capability.

4. System Architecture for Attack–Defense Simulation and Exercises

The proposed system architecture comprises three core components: the Attacker, the Server, and the Security Information and Event Management (SIEM) system, as depicted in Figure 6. The attacker component leverages a Kali Linux virtual machine equipped with penetration testing tools [13], incorporating MITRE ATT&CK techniques to execute simulated attacks [16].
(1) Attacker:
The attacker represents a simulated threat actor connected via an external router. Utilizing a Kali Linux virtual machine, the attacker scans for and exploits system vulnerabilities. The primary objective is to perform network-based attacks on PCs and servers to evaluate the system’s security resilience.
(2) Server:
The server component encompasses both Windows and Linux platforms that host essential applications and services, including web servers, database servers, and file-sharing systems. These servers are the primary targets during simulated attacks, allowing for a comprehensive assessment of potential vulnerabilities and system robustness.
(3) Security Information and Event Management (SIEM):
The SIEM component is responsible for aggregating, monitoring, and analyzing system security events. It consists of two integral subsystems:
  • SOPHOS Managed Detection and Response (MDR) Server: This server continuously monitors security events and analyzes endpoint activity. SOPHOS MDR Clients are deployed on all servers to collect logs and transmit them to the MDR Server for real-time threat detection and analysis.
  • ManageEngine EventLog Analyzer Server: This subsystem focuses on analyzing system logs, including web and FTP logs, to provide deeper forensic insights into security incidents.
Current trends in SIEM system development [17,18] include the application of machine learning technologies to enhance real-time threat detection capabilities, utilizing behavioral analysis and anomaly detection algorithms to improve the accuracy of threat identification, and deep integration with the MITRE ATT&CK framework to provide more precise threat classification and analysis functions.
This architecture facilitates real-time threat monitoring, in-depth log analysis, and proactive incident response, thereby significantly enhancing the system’s defense mechanisms against cyber threats [3,19].

5. Simulating Attacks Using the MITRE ATT&CK Framework and Proactive Digital Forensics Tools

5.1. Simulating Attacks Using the MITRE ATT&CK Framework

The integration of the MITRE ATT&CK framework with Managed Detection and Response (MDR) systems [20] provides a standardized threat description language for modern cybersecurity defense, enabling security teams to communicate threat techniques through a unified framework and establish reusable detection rule libraries.
This study employed Kali Linux as the primary attack platform due to its comprehensive suite of penetration testing tools [13]. The MITRE ATT&CK framework was referenced to emulate realistic adversarial tactics and techniques, as depicted in Figure 7 [16]. The following simulated attacks are systematically mapped to the framework’s tactics, techniques, and procedures (TTPs).
(1) Nmap Scanning
Nmap is used to conduct port scanning and identify open service ports on the target web server.
  • Tactic: TA0043—Reconnaissance.
  • Technique: T1046—Network Service Scanning.
  • Procedure: Tool—Nmap.
(2) Gobuster Enumeration
Gobuster is employed to enumerate directories and files on the web server, uncovering potential hidden resources.
  • Tactic: TA0043—Reconnaissance.
  • Technique: T1133—External Remote Services.
  • Procedure: Tool—Gobuster.
(3) Hydra Brute-Force Attack
Hydra is utilized to perform brute-force attacks targeting login pages to gain unauthorized access credentials.
  • Tactic: TA0006—Credential Access.
  • Technique: T1110—Brute Force.
  • Procedure: Tool—Hydra.
(4) SQL Injection
SQLMap is used to inject malicious SQL statements into vulnerable parameters of the web application to manipulate backend databases.
  • Tactic: TA0001—Initial Access.
  • Technique: T1210—Exploitation for Privilege Escalation.
  • Procedure: Tool—SQLMap.
(5) File Upload Attack
Malicious file uploads (e.g., web shells) are executed to achieve remote code execution (RCE) or to initiate subsequent attack stages.
  • Tactic: TA0001—Initial Access.
  • Technique: T1505—Server Software Component Injection.
  • Procedure: Tools—Webshell, PwnKit.
(6) Privilege Escalation
Privilege escalation is performed by exploiting known vulnerabilities or insecure configurations to gain elevated system access.
  • Tactic: TA0004—Privilege Escalation.
  • Technique: T1055—Process Injection.
  • Procedure: Tool—PwnKit.

5.2. Proactive Digital Forensics Tools

To enable real-time threat detection and rapid incident response, a dual-layer proactive defense architecture is implemented:
(1) A Managed Detection and Response (MDR) solution is deployed on the web server to provide continuous endpoint monitoring, threat intelligence integration, and automated mitigation. In parallel, a Security Information and Event Management (SIEM) system is used to aggregate and correlate security events across multiple sources.
(2) In this study, ManageEngine EventLog Analyzer is adopted as the primary SIEM tool. It is configured to collect and analyze logs from web servers, FTP servers, and operating systems. The system generates real-time alerts on anomalous or suspicious activities, supporting both immediate triage and in-depth forensic investigation.
(3) The SIEM platform utilizes structured event logs to proactively identify emerging attack patterns and trace threat actors. It plays a critical role in shortening detection-to-response timeframes and improving the organization’s security posture through actionable insights.
This integrated architecture allows for concurrent execution of attack simulations and security performance evaluations. By correlating observed behaviors with MITRE ATT&CK techniques and analyzing forensic artifacts via the SIEM, defenders can validate the efficacy of implemented controls. The findings from these assessments guide the continuous refinement of security strategies, thereby strengthening the organization’s overall cyber resilience.

5.3. SIEM System Performance Evaluation and Improvement

Recent research has indicated that although enterprise Security Information and Event Management (SIEM) platforms are highly capable of processing large-scale log data, they continue to exhibit notable deficiencies in their coverage of MITRE ATT&CK techniques. These limitations impede the comprehensive detection of sophisticated adversarial behaviors. To mitigate such shortcomings, the integration of advanced SIEM analytics with the MITRE ATT&CK framework has been increasingly advocated. This integration not only enhances the accuracy and efficiency of threat detection, but also plays a critical role in reducing false positives. More importantly, it substantially strengthens organizational capacity to identify and respond to genuine threats, thereby improving the overall resilience of cybersecurity defense.
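The following added example (not code from the paper or from any of the tools it names) shows how the Section 5.1 attack-to-TTP mapping can drive SIEM-style correlation rules and how technique coverage (the deficiency discussed in Section 5.3) can be measured. It runs over a constructed web-server access log; the log format, the rule thresholds and the function names are assumptions of this example. Nmap port scans and PwnKit privilege escalation are not visible in an HTTP access log, so they are deliberately out of scope here.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Tactic/technique pairs exactly as listed in Section 5.1 (the paper's mapping, reused unchanged).
ATTACK_TTPS = {
    "gobuster_enumeration": ("TA0043", "T1133"),
    "hydra_brute_force": ("TA0006", "T1110"),
    "sql_injection": ("TA0001", "T1210"),
    "file_upload": ("TA0001", "T1505"),
}

# Combined-log-style line:  ip - - [ts] "METHOD path HTTP/x" status size   (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Stateless signatures, applied to the URL-decoded request path.
SQLI_RE = re.compile(r"union\s+select|'\s*(or|and)\b|\bsleep\s*\(", re.I)
WEBSHELL_RE = re.compile(r"^/uploads/[^?]*\.php", re.I)  # script served from the upload directory

# Constructed sample log (not real traffic): one noisy source (203.0.113.7) and one benign client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:10:00:01 +0800] "GET /admin HTTP/1.1" 404 153
203.0.113.7 - - [10/Sep/2025:10:00:02 +0800] "GET /backup HTTP/1.1" 404 153
203.0.113.7 - - [10/Sep/2025:10:00:03 +0800] "GET /old HTTP/1.1" 404 153
203.0.113.7 - - [10/Sep/2025:10:00:04 +0800] "GET /test HTTP/1.1" 404 153
203.0.113.7 - - [10/Sep/2025:10:00:05 +0800] "GET /dev HTTP/1.1" 404 153
203.0.113.7 - - [10/Sep/2025:10:01:00 +0800] "POST /login.php HTTP/1.1" 401 221
203.0.113.7 - - [10/Sep/2025:10:01:01 +0800] "POST /login.php HTTP/1.1" 401 221
203.0.113.7 - - [10/Sep/2025:10:01:02 +0800] "POST /login.php HTTP/1.1" 401 221
203.0.113.7 - - [10/Sep/2025:10:01:03 +0800] "POST /login.php HTTP/1.1" 401 221
203.0.113.7 - - [10/Sep/2025:10:02:00 +0800] "GET /product.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 1532
203.0.113.7 - - [10/Sep/2025:10:03:00 +0800] "POST /upload.php HTTP/1.1" 200 88
203.0.113.7 - - [10/Sep/2025:10:03:05 +0800] "GET /uploads/x.php HTTP/1.1" 200 64
198.51.100.4 - - [10/Sep/2025:10:03:10 +0800] "GET /index.php HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def _burst(recs, pred, threshold, window_s):
    """True if at least `threshold` records matching pred fall inside any window_s-second window."""
    hits = sorted(r["ts"] for r in recs if pred(r))
    return any((hits[i + threshold - 1] - hits[i]).total_seconds() <= window_s
               for i in range(len(hits) - threshold + 1))


def detect(lines, enum_threshold=5, brute_threshold=4, window_s=60):
    """Return sorted (attack_name, source_ip) detections. Thresholds are assumed tuning values."""
    records = [r for r in map(parse_line, lines) if r]
    per_ip = defaultdict(list)
    found = set()
    for r in records:
        per_ip[r["ip"]].append(r)
        path = unquote(r["path"])
        if SQLI_RE.search(path):
            found.add(("sql_injection", r["ip"]))
        if WEBSHELL_RE.search(path):
            found.add(("file_upload", r["ip"]))
    for ip, recs in per_ip.items():  # stateful, per-source rules
        if _burst(recs, lambda r: r["status"] == 404, enum_threshold, window_s):
            found.add(("gobuster_enumeration", ip))
        if _burst(recs, lambda r: r["method"] == "POST" and r["path"].startswith("/login")
                  and r["status"] == 401, brute_threshold, window_s):
            found.add(("hydra_brute_force", ip))
    return sorted(found)


def tag(detections):
    """Attach the Section 5.1 tactic and technique IDs to each detection."""
    return [(name, ip, *ATTACK_TTPS[name]) for name, ip in detections]


def coverage(detections):
    """Fraction of the expected (Section 5.1) techniques that produced at least one detection."""
    expected = {tech for _, tech in ATTACK_TTPS.values()}
    seen = {ATTACK_TTPS[name][1] for name, _ in detections}
    return len(seen & expected) / len(expected)


if __name__ == "__main__":
    dets = detect(SAMPLE_LOG.splitlines())
    for row in tag(dets):
        print(row)
    print("technique coverage:", coverage(dets))
```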

6. Deployment Design and Implementation of the Proactive Digital Forensics Mechanism

6.1. Deployment Design of the Proactive Digital Forensics Mechanism

To ensure comprehensive detection and incident analysis capabilities, the proactive digital forensics mechanism is deployed in a structured, multi-phase approach:
(1) Attack Simulation:
Appropriate penetration testing tools—such as Nmap, Gobuster, and Burp Suite—are utilized to emulate cyberattacks on the target web application. Common offensive techniques, including SQL injection, file upload vulnerabilities, and cross-site scripting (XSS), are employed to rigorously assess the system’s security posture under realistic threat conditions.
(2) Detection and Logging:
During simulated attacks, proactive forensic monitoring tools—including Managed Detection and Response (MDR) and EventLog Analyzer—are actively engaged. These tools provide real-time surveillance of system processes, network traffic, and security logs. Using behavior-based detection models and rule-based analysis engines, these tools identify suspicious activities and anomalies, flagging attempted intrusions and logging relevant forensic data for deeper investigation.
(3) Log Storage and Analysis:
Detected security events and log data are stored within the centralized SIEM infrastructure for aggregation, correlation, and post-event analysis. The SIEM platform consolidates logs across multiple systems and devices, enabling real-time event correlation, alert generation, incident visualization, and automated response handling. Proper configuration of log sources ensures accurate ingestion and retention of forensic evidence, enhancing the speed and accuracy of threat detection and mitigation.
(4) Digital Forensic Investigation:
Following the completion of the simulated attacks, forensic analysts employ specialized tools and methodologies to conduct in-depth investigations. The digital forensic process traces attack vectors, identifies exploited vulnerabilities, and reconstructs attacker behaviors. These analyses not only determine the nature and scope of each simulated breach but also provide actionable insights for strengthening defenses and ensuring the legal admissibility of collected evidence.
By executing this end-to-end deployment strategy, the effectiveness and operational readiness of the proactive digital forensics mechanism are validated [21,22]. This approach fortifies the cybersecurity resilience of the web application by enabling timely threat detection, rapid incident response, and comprehensive forensic documentation.
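The integrity controls that Section 2.1 pre-positions and that the log storage step above relies on can be implemented as a hash-chained evidence ledger: every stored log batch gets a record carrying its SHA-256 digest and the previous record's hash, so later tampering with either a batch or a ledger entry is detectable. The block below is an added example, not the paper's or ManageEngine's code; the record layout, the `collector` field and the function names are assumptions, and the log batches are constructed samples.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _record_hash(rec: dict) -> str:
    """Hash of all fields except record_hash, serialized canonically."""
    body = {k: v for k, v in rec.items() if k != "record_hash"}
    return _sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_record(ledger: list, source: str, content: bytes, collector: str, collected_at=None) -> dict:
    """Append a chain-of-custody record for one stored log batch and return it."""
    rec = {
        "seq": len(ledger),
        "source": source,                      # e.g. which server/log the batch came from
        "collector": collector,                # who or what collected it (assumed field)
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "content_sha256": _sha256(content),    # digest of the batch as stored
        "prev_hash": ledger[-1]["record_hash"] if ledger else GENESIS,
    }
    rec["record_hash"] = _record_hash(rec)
    ledger.append(rec)
    return rec


def verify_ledger(ledger: list, stored: dict):
    """Check chain linkage, each record's own hash, and that the stored batch still matches.

    `stored` maps seq -> bytes currently held in the evidence store.
    Returns (True, None) if everything verifies, else (False, first_bad_seq).
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(ledger):
        if rec["seq"] != expected_seq or rec["prev_hash"] != prev:
            return False, rec["seq"]              # broken or reordered chain
        if _record_hash(rec) != rec["record_hash"]:
            return False, rec["seq"]              # ledger entry edited after the fact
        if _sha256(stored.get(rec["seq"], b"")) != rec["content_sha256"]:
            return False, rec["seq"]              # stored batch altered or missing
        prev = rec["record_hash"]
    return True, None


# Constructed sample batches standing in for collected web and FTP logs.
SAMPLE_BATCHES = [
    ("web-access", b'203.0.113.7 - - [10/Sep/2025:10:00:01 +0800] "GET /admin HTTP/1.1" 404 153\n'),
    ("ftp", b"Sep 10 10:05:12 ftpd[411]: FAIL LOGIN: Client 203.0.113.7\n"),
]


def build_sample_ledger():
    """Ingest the sample batches; returns (ledger, evidence_store)."""
    ledger, store = [], {}
    for source, content in SAMPLE_BATCHES:
        rec = append_record(ledger, source, content, collector="siem-collector-01")
        store[rec["seq"]] = content
    return ledger, store


if __name__ == "__main__":
    ledger, store = build_sample_ledger()
    print("clean:", verify_ledger(ledger, store))
    store[1] = b"edited after collection\n"
    print("after tampering with batch 1:", verify_ledger(ledger, store))
```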

6.2. Mapping SIEM Forensic Capabilities to ISO/IEC 27035 Within the P-DEFSOP Framework

To ensure the standardization and legal admissibility of digital forensic procedures, comparative studies of the NIST SP 800-86 and ISO/IEC 27037 standards [23] have provided important reference benchmarks for establishing digital forensic evidence analysis frameworks. Meanwhile, best practices and case studies of ISO/IEC 27037 implementation in modern digital forensics [24] have further validated the critical importance of standardized procedures for ensuring evidence integrity. (For details about the Requirement-Control-Evidence traceability table, see Table 2).
To ensure alignment with international best practices, this study maps the forensic capabilities of the EventLog Analyzer Server to the ISO/IEC 27035 standard using the Proactive Digital Forensics Standard Operating Procedure (P-DEFSOP) framework. Figure 8 illustrates the mapping between functional components and corresponding ISO clauses.
(1) Information Security Incident Management Analysis
ISO/IEC 27035: 5.3.3—Information Security Incident Management Process
EventLog Analyzer Server Capabilities:
  • Tracks and documents security incidents in real time;
  • Provides configurable alerting and incident notification mechanisms.
(2) Security Audit Trail Analysis
ISO/IEC 27035: 6.1.3—Security Audit Trails
EventLog Analyzer Server Capabilities:
  • Collects system events, application activity, and network traffic;
  • Generates detailed audit logs and forensic reports for accountability.
(3) Incident Response Preparedness Analysis
ISO/IEC 27035: 8.2.1—Preparedness for Incident Response Plans
EventLog Analyzer Server Capabilities:
  • Supports automated alerting and reporting workflows;
  • Enables predefined incident response playbooks and emergency handling mechanisms.
(4) Security Testing Analysis
ISO/IEC 27035: 9.2.2—Security Testing
EventLog Analyzer Server Capabilities:
  • Conducts continuous security testing for network and application layers;
  • Performs vulnerability scanning and updates detection patterns.
(5) Information Security Incident Logging Analysis
ISO/IEC 27035: 12.2.1—Information Security Incident Logging
EventLog Analyzer Server Capabilities:
  • Collects, logs, analyzes, and reviews security events with timestamped integrity;
  • Supports long-term retention and retrieval of forensic logs.
(6) Monitoring and Measurement Analysis
ISO/IEC 27035: 13.2.1—Monitoring and Measurement
EventLog Analyzer Server Capabilities:
  • Monitors critical system metrics and behaviors;
  • Utilizes collectors to gather telemetry data and triggers real-time alerts based on anomaly detection.
This mapping validates the forensic robustness of the EventLog Analyzer Server and demonstrates the system’s compliance with internationally recognized cybersecurity and digital forensics standards. The integration of P-DEFSOP with ISO/IEC 27035 principles ensures a proactive, standards-based approach to incident detection, response, and investigation.

6.3. Performance Evaluation Results for the P-DEFSOP Framework

To assess the effectiveness of the proposed P-DEFSOP framework, this study designed two comparative experimental scenarios: (i) a traditional digital forensics process without the P-DEFSOP guidelines and (ii) a proactive digital forensics process fully implemented with the P-DEFSOP framework. The evaluation focused on three major dimensions: the quality and integrity of log data, the efficiency of forensic investigations, and the clarity of forensic analysis. The effect of P-DEFSOP on forensic outcomes is depicted in Figure 9.
(1) Quality and Integrity of Log Data
During the red-team/blue-team simulation, the completeness of logs was measured by verifying whether all relevant events (e.g., scanning, exploitation, privilege escalation, and file encryption) were fully captured and preserved.
  • In the scenario without P-DEFSOP, approximately 24% of the test cases exhibited missing or inconsistent logs.
  • With P-DEFSOP implemented, the log loss rate was reduced to 5%, indicating a significant improvement in forensic reliability.
This result demonstrates that the structured processes provided by P-DEFSOP—such as systematic log collection and secure storage—can effectively enhance the integrity and legal admissibility of digital evidence.
(2) Efficiency of Forensic Investigation
We measured the time required for forensic analysts to reconstruct attack sequences and identify the root cause of incidents.
  • In the scenario without P-DEFSOP, the average investigation time was approximately 4.0 h.
  • With P-DEFSOP applied, the investigation time was reduced to 2.5 h, reflecting an efficiency improvement of about 37.5%.
This gain in efficiency underscores the proactive nature of P-DEFSOP. By leveraging pre-structured logs in conjunction with MITRE ATT&CK mapping, the framework reduces the manual workload of correlation and cross-comparison during analysis.
(3) Clarity of Forensic Analysis
We evaluated the extent to which investigation reports mapped log records to adversary tactics, techniques, and procedures (TTPs).
  • In the absence of P-DEFSOP, the reports often lacked a consistent timeline and presented fragmented log references.
  • With P-DEFSOP, the reports were able to reconstruct incident progressions step by step, aligning them with the ATT&CK matrix. This not only facilitated clearer interpretation of adversary behavior, but also improved communication with stakeholders.

7. Conclusions

The results of this study indicate that the international standard ISO/IEC 27035, applied together with the Digital Evidence Forensics Standard Operating Procedure (DEFSOP), gives organizations a well-defined and structured framework for managing information security incidents. Following these standards lets an organization respond to cybersecurity threats in a consistent, repeatable way and put proactive emergency-management measures in place that reduce risk and the likelihood of a data breach.
Within the SIEM environment, embedding ISO/IEC 27035 and DEFSOP principles in the EventLog Analyzer Server extends the system from a log store into a security event management platform. The integration covers incident handling, security audit trails, emergency response planning, vulnerability assessment, incident documentation, and continuous monitoring. With these controls in place, an organization is better able to detect, investigate, and contain a threat before it escalates into a major security incident.
Adherence to ISO/IEC 27035 and DEFSOP also ensures that digital evidence is collected and handled in a forensically sound and legally admissible manner, which in turn strengthens the organization's resilience against evolving cyber threats. The standards prescribe a structured, repeatable, and timely incident response process, and a process of that kind helps limit financial loss and operational disruption and protects critical information assets. Future research should pursue proactive digital forensics techniques for cloud environments [25] and the wider use of blockchain for protecting the integrity of digital evidence [5]. Both directions are expected to change digital forensics practice substantially, above all in meeting the forensic challenges of large-scale cloud infrastructure.
The proposed P-DEFSOP framework, built by integrating ISO/IEC 27035 and DEFSOP with the EventLog Analyzer Server, therefore serves as a practical model for improving an organization's cybersecurity posture. It supports the confidentiality, integrity, and availability (CIA) of information assets while promoting forensic readiness and compliance with international best practice.

Author Contributions

Conceptualization, I.-L.L. and Y.-H.C.; Methodology, I.-L.L.; Writing—original draft preparation, H.-C.Y.; Writing—review and editing, H.-C.Y.; Data curation, Y.-H.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. CardinalOps. 5th Annual State of SIEM Detection Risk Report. Available online: https://www.prnewswire.com/news-releases/enterprise-siems-miss-79-of-mitre-attck-techniques-used-by-adversaries-according-to-cardinalops-5th-annual-report-302473779.html (accessed on 2 September 2025).
  2. Brno, T. The Proactive and Reactive Digital Forensics Investigation Process: A Systematic Literature Review. In Proceedings of the International Conference on Information Security and Assurance (ISA), Brno, Czech Republic, 15–17 August 2011.
  3. Machaka, V.; Balan, T. Investigating Proactive Digital Forensics Leveraging Adversary Emulation. Appl. Sci. 2022, 12, 9077.
  4. Kohn, M.D.; Eloff, M.M.; Eloff, J.H. Integrated Digital Forensic Process Model. Comput. Secur. 2013, 38, 103–115.
  5. Patil, H.; Kohli, R.K.; Puri, S.; Puri, P. Potential applicability of blockchain technology in the maintenance of chain of custody in forensic casework. Egypt. J. Forensic Sci. 2024, 14, 12.
  6. Grobler, C.P.; Louwrens, C.P.; von Solms, S.H. A Framework to Guide the Implementation of Proactive Digital Forensics in Organisations. In Proceedings of the 2010 International Conference on Availability, Reliability and Security (ARES), Krakow, Poland, 15–18 February 2010.
  7. Makura, S.M.; Venter, H.S.; Ikuesan, R.A.; Kebande, V.R.; Karie, N.M. Proactive Forensics: Keystroke Logging from the Cloud as Potential Digital Evidence for Forensic Readiness Purposes. In Proceedings of the 2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT), Doha, Qatar, 2–5 February 2020.
  8. Yang, S.-H.; Chao, H.-C.; Lin, I.-L. A Study on Establishing Cybersecurity Incident Response Procedures and Practical Validation: Implementing ISO 27035 as an Example. Master's Thesis, National Ilan University, Yilan, Taiwan, 2020.
  9. Lin, I.-L. Establishing an Integrated Digital Evidence Forensics Standard Operating Procedure for Mobile Forensics (iDEFSOP-MF) and Actual Cases Verification Research: Taking the Actual Cases and Verification of the Criminal Investigation Bureau as an Example. Crim. Policy Crime Res. Pap. 2019, 22, 361–404.
  10. Lin, I.-L.; Chen, Y.-R. Research on the Construction of the Mobile Forensics Standard Operating Procedure (DEFSOP-MF) and the Integration of International Forensic Standards: Integration of ISO27037, ISO27041, ISO27042 and ISO27043 Comparative Analysis as an Example. Inf. Secur. Newsl. 2019, 25, 39–57. Available online: https://www.airitilibrary.com/Article/Detail?DocID=a0000270-201902-201903150006-201903150006-39-57 (accessed on 2 September 2025).
  11. ISO/IEC 27035-1:2023; Information Technology—Information Security Incident Management—Part 1: Principles and Process. ISO: Geneva, Switzerland, 2023.
  12. ISO/IEC 27035-3:2020; Information Technology—Information Security Incident Management—Part 3: Guidelines for Incident Response Operations. ISO: Geneva, Switzerland, 2020.
  13. Heriyanto, T.; Ali, S. Kali Linux—Assuring Security by Penetration Testing: Master the Art of Penetration Testing with Kali Linux; Packt Publishing: Birmingham, UK, 2014.
  14. Williams, K.; Thompson, D.; Kim, J. Building Resilient Cybersecurity Strategies: Integration of ISO/IEC 27001 and ISO/IEC 27035 for 2025. Int. J. Inf. Secur. 2025, 24, 67–85.
  15. Prastowo, S.L.; Sudiana, D. Recommendations for a framework for handling security incidents of electronic-based government systems (SPBE) using the ISO/IEC 27035:2023 standard. JINAV J. Inf. Vis. 2024, 5, 107–114.
  16. MITRE ATT&CK. ATT&CK Design and Philosophy; MITRE: Bedford, MA, USA, 2020.
  17. Akbari, I. MITRE ATT&CK Framework as a Standard for Developing SIEM Use Cases. 2025. Available online: https://medium.com/@imanvanpersien/mitre-att-ck-framework-as-a-standard-for-developing-siem-use-cases-d7dc7db4e1ba (accessed on 2 September 2025).
  18. Nurusheva, A.M.; Abdiraman, A.S.; Satybaldina, D.Z.; Goranin, N. Machine learning algorithms in SIEM systems for enhanced detection and management of security events. Bull. L.N. Gumilyov Eurasian Natl. Univ. Math. Comput. Sci. Mech. Ser. 2024, 148, 123–135.
  19. NIST. Digital Forensics-Based Early Detection of Ongoing Cyber-Attacks (Fronesis); NIST: Gaithersburg, MD, USA, 2022.
  20. Murphy, A. Inside a MITRE ATT&CK Evaluation: How CrowdStrike's MDR Services Operate in the Real World. 2022. Available online: https://www.crowdstrike.com/en-us/blog/inside-mitre-attack-evaluation-how-crowdstrikes-elite-managed-services-operate-in-the-real-world/ (accessed on 2 September 2025).
  21. Tabassum, S.; Rahman, M.M. Digital and Cloud Forensic Challenges. arXiv 2023, arXiv:2305.03059.
  22. Alenezi, A.; Atlam, H.F.; Wills, G.B. Experts reviews of a cloud forensic readiness framework for organizations. J. Cloud Comput. 2019, 8, 11.
  23. Zhang, Y.; Liu, H.; Wang, S. Comparative Study of NIST SP 800-86 and ISO/IEC 27037 Standards as a Framework for Digital Forensic Evidence Analysis. J. Inf. Syst. Inform. 2024, 6, 415–430.
  24. Faizal, A.; Luthfi, A. Comparison Study of NIST SP 800-86 and ISO/IEC 27037 Standards as a Framework for Digital Forensic Evidence Analysis. J. Inf. Syst. Inform. 2024, 6, 701–718.
  25. Akter, O.; Akther, A.; Uddin, M.A.; Islam, M.M. Cloud forensics: Challenges and blockchain based solutions. Int. J. Wirel. Microw. Technol. 2020, 10, 1–12.
Figure 1. Proactive and reactive digital forensics processes (source: [2]).
Figure 2. Digital Evidence Forensics Standard Operating Procedure (DEFSOP).
Figure 3. Proactive Digital Evidence Forensics Standard Operating Procedure (P-DEFSOP) (source: [9,10] and author's own representation).
Figure 4. ISO/IEC 27035 incident response process diagram (source: [13] and author's own representation).
Figure 5. ISO/IEC 27035-3:2020 incident response operational process.
Figure 6. System architecture (source: author's own representation).
Figure 7. Attack steps and corresponding proactive digital forensics measures (source: author's own representation).
Figure 8. Proactive digital forensics solution (P-DEFSOP).
Figure 9. The effect of P-DEFSOP on forensic outcomes (source: author's own representation).
Table 1. Reactive Forensics vs. DEFSOP vs. P-DEFSOP (source: author's own representation).
Dimension | Reactive | DEFSOP | P-DEFSOP
Trigger | Post-incident | Post-/pre-incident mixed | Proactive readiness prior to incidents
ATT&CK mapping | None / ad hoc | Partial | Technique-level rules, audited
Evidence integrity | Ad hoc hashing | Basic | Hash-chain + time-sync + sealed export
SIEM use | Log store | Dashboards | Normalization + correlation + metrics
Legal admissibility | Case-by-case | Partial | Controls aligned to ISO/IEC 27037/27041/27042/27043
Cloud readiness | N/A | Limited | Multi-cloud collectors & custody hooks
Table 2. Requirement–Control–Evidence Traceability.
ISO Clause | Requirement | P-DEFSOP Control | Evidence Artifact
ISO/IEC 27037 §6–8 | Identification & acquisition | Pre-positioned collectors; sealed exports | CoC-Form-02, hash manifest, export logs
ISO/IEC 27041 §5 | Method adequacy | Calibrated tools & validation runs | Tool version list, test-run logs
ISO/IEC 27042 §7–9 | Analysis & interpretation | Correlation rules + analyst SOP | Analyst worksheet, rule hits, timeline
ISO/IEC 27043 §8–10 | Incident investigation | End-to-end workflow | Case file, audit trail, approvals
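The evidence-integrity controls listed for P-DEFSOP in Table 1 (hash-chain, time-sync, sealed export) and the hash-manifest and export-log artifacts in Table 2 can be made concrete in a few dozen lines. The block below is an added example written for this page; it is not code from the paper or from the EventLog Analyzer product. The manifest layout, the collector name, the HMAC sealing key, the 5-second clock-skew tolerance and the sample artifacts are all constructed assumptions for illustration.

```python
"""Hash-chained, time-checked, sealed evidence manifest (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample artifacts for the example (not real evidence): path -> bytes.
SAMPLE_ARTIFACTS = {
    "siem/eventlog-2025-09-01.json": b'{"EventID":4624,"LogonType":10,"Account":"svc_backup"}\n',
    "siem/eventlog-2025-09-02.json": b'{"EventID":4688,"Process":"powershell.exe"}\n',
    "host/ws-17/memory.raw": b"\x00" * 1024,
}
# Assumed custodian sealing key; in practice this lives in an HSM or cloud KMS.
SEAL_KEY = b"custodian-seal-key-demo"
# Assumed tolerance between the collector clock and the trusted time reference.
MAX_CLOCK_SKEW = timedelta(seconds=5)
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chain_link(prev: str, digest: str, name: str, acquired_at: str) -> str:
    """Link value for one entry; '|' separators stop field boundaries shifting."""
    return sha256_hex("|".join((prev, digest, name, acquired_at)).encode())


def build_manifest(artifacts, collector_time, reference_time, collector="ws-17-collector"):
    """Hash every artifact and chain the entries (time-sync check first).

    Each entry's link covers the previous link, so removing, reordering or
    editing an entry changes every later link and the manifest head.
    """
    skew = abs(collector_time - reference_time)
    if skew > MAX_CLOCK_SKEW:
        raise ValueError(f"collector clock skew {skew} exceeds {MAX_CLOCK_SKEW}")
    entries, prev = [], GENESIS
    for name in sorted(artifacts):
        digest = sha256_hex(artifacts[name])
        acquired_at = collector_time.isoformat()
        prev = chain_link(prev, digest, name, acquired_at)
        entries.append({"name": name, "sha256": digest,
                        "acquired_at": acquired_at, "link": prev})
    return {"collector": collector, "entries": entries, "head": prev}


def seal(manifest, key):
    """Sealed export: canonical JSON plus an HMAC-SHA256 tag over it."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"manifest": body, "hmac": tag}


def verify(sealed, artifacts, key):
    """Check the seal, then re-derive the chain from the artifacts themselves."""
    body = sealed["manifest"]
    expected_tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, sealed["hmac"]):
        return False, "seal mismatch"
    manifest = json.loads(body)
    prev = GENESIS
    for entry in manifest["entries"]:
        data = artifacts.get(entry["name"])
        if data is None:
            return False, f"missing artifact {entry['name']}"
        if sha256_hex(data) != entry["sha256"]:
            return False, f"content hash mismatch for {entry['name']}"
        prev = chain_link(prev, entry["sha256"], entry["name"], entry["acquired_at"])
        if prev != entry["link"]:
            return False, f"chain break at {entry['name']}"
    if prev != manifest["head"]:
        return False, "head mismatch"
    return True, "ok"


def run_scenarios():
    """Constructed scenarios: intact export, edited artifact, edited manifest, bad clock."""
    t0 = datetime(2025, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    sealed = seal(build_manifest(SAMPLE_ARTIFACTS, t0, t0), SEAL_KEY)
    results = {"intact": verify(sealed, SAMPLE_ARTIFACTS, SEAL_KEY)}
    # An artifact altered after acquisition: the seal holds, the content hash fails.
    edited = dict(SAMPLE_ARTIFACTS)
    edited["host/ws-17/memory.raw"] = b"\x00" * 1023 + b"\x01"
    results["edited_artifact"] = verify(sealed, edited, SEAL_KEY)
    # A manifest edited after sealing: the HMAC no longer matches.
    forged = dict(sealed)
    forged["manifest"] = sealed["manifest"].replace("ws-17-collector", "ws-99-collector")
    results["edited_manifest"] = verify(forged, SAMPLE_ARTIFACTS, SEAL_KEY)
    # A collector whose clock is 30 s off the trusted reference is refused outright.
    try:
        build_manifest(SAMPLE_ARTIFACTS, t0, t0 + timedelta(seconds=30))
        results["clock_skew"] = "accepted"
    except ValueError:
        results["clock_skew"] = "rejected"
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:16s} {outcome}")
```

Run directly, the script prints the outcome of each scenario. The ordering matters for admissibility: the seal is checked before anything in the manifest is trusted, the per-artifact hashes are checked before the chain, and the chain head is compared last, so the first failing control names exactly which artifact or which step of custody is in question. In a deployment the reference time would come from an authenticated NTP source and the sealing key would be replaced by a custodian signature from an HSM or cloud KMS, which also lets a third party verify the export without holding the secret.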
Share and Cite

MDPI and ACS Style

Yang, H.-C.; Lin, I.-L.; Chao, Y.-H. Enhancing Traditional Reactive Digital Forensics to a Proactive Digital Forensics Standard Operating Procedure (P-DEFSOP): A Case Study of DEFSOP and ISO 27035. Appl. Sci. 2025, 15, 9922. https://doi.org/10.3390/app15189922