Enhancing Traditional Reactive Digital Forensics to a Proactive Digital Forensics Standard Operating Procedure (P-DEFSOP): A Case Study of DEFSOP and ISO 27035
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
- The authors need to present the results from their simulation clearly and effectively. This section should contain specific measurements that demonstrate the effectiveness of the P-DEFSOP framework. Some examples of these measurements include: a comparison of the quality and completeness of log data, both with and without the P-DEFSOP guidelines; an explanation of how the P-DEFSOP procedure improved the forensic investigation process, highlighting any increases in speed or clarity.
- The authors should also define what P-DEFSOP is. They need to specify whether it is a software tool, a set of documentation templates, a conceptual model, or a step-by-step guide. This definition should be made clear at the start of the paper.
- The authors need to explain the primary contribution of the paper so that it is understandable. The P-DEFSOP framework is depicted in Figures 3 and 8, but these diagrams are overly complex, cluttered, and poorly labeled, making them hard to interpret. They should convey a clear and new procedure rather than appearing as just a mix of existing frameworks.
- The overall structure of the paper could improve. In the "Results" and "Discussion" sections, there is a mix throughout Sections 5, 6, and the Conclusion. This makes it hard for readers to understand the proposed method, how it works, and its performance.
- To strengthen their claims about P-DEFSOP's efficiency and accuracy, the authors should include a robust "Results" section that contains quantitative data to support their findings. The P-DEFSOP framework must be presented as a straightforward and actionable procedure. The authors should also explain how P-DEFSOP can be adapted or extended to address cloud-specific challenges, explain its limitations, and propose specific future work in the paper.
Author Response
Comments 1:
The authors need to present the results from their simulation clearly and effectively. This section should contain specific measurements that demonstrate the effectiveness of the P-DEFSOP framework. Some examples of these measurements include: a comparison of the quality and completeness of log data, both with and without the P-DEFSOP guidelines; an explanation of how the P-DEFSOP procedure improved the forensic investigation process, highlighting any increases in speed or clarity.
Response 1:
Performance Evaluation Results of the P-DEFSOP Framework
To assess the effectiveness of the proposed P-DEFSOP framework, this study designed two comparative experimental scenarios: (i) a traditional digital forensics process without the P-DEFSOP guidelines, and (ii) a proactive digital forensics process fully implemented with the P-DEFSOP framework. The evaluation focused on three major dimensions: the quality and integrity of log data, the efficiency of forensic investigations, and the clarity of forensic analysis.
(1) Quality and Integrity of Log Data
During the red-team/blue-team simulation, the completeness of logs was measured by verifying whether all relevant events (e.g., scanning, exploitation, privilege escalation, and file encryption) were fully captured and preserved.
- In the scenario without P-DEFSOP, approximately 24% of test cases exhibited missing or inconsistent logs.
- With P-DEFSOP implemented, the log loss rate was reduced to 5%, indicating a significant improvement in forensic reliability.
This result demonstrates that the structured processes provided by P-DEFSOP—such as systematic log collection and secure storage—can effectively enhance the integrity and legal admissibility of digital evidence.
(2) Efficiency of Forensic Investigation
We measured the time required for forensic analysts to reconstruct attack sequences and identify the root cause of incidents.
- In the scenario without P-DEFSOP, the average investigation time was approximately 4.0 hours.
- With P-DEFSOP applied, the investigation time was reduced to 2.5 hours, reflecting an efficiency improvement of about 37.5%.
This gain in efficiency underscores the proactive nature of P-DEFSOP. By leveraging pre-structured logs in conjunction with MITRE ATT&CK mapping, the framework reduces the manual workload of correlation and cross-comparison during analysis.
(3) Clarity of Forensic Analysis
We evaluated the extent to which investigation reports mapped log records to adversary tactics, techniques, and procedures (TTPs).
- In the absence of P-DEFSOP, reports often lacked a consistent timeline and presented fragmented log references.
- With P-DEFSOP, reports were able to reconstruct incident progressions step by step, aligning them with the ATT&CK matrix. This not only facilitated clearer interpretation of adversary behavior but also improved communication with stakeholders.
Comments 2:
The authors should also define what P-DEFSOP is. They need to specify whether it is a software tool, a set of documentation templates, a conceptual model, or a step-by-step guide. This definition should be made clear at the start of the paper.
Response 2:
We thank the reviewer for pointing out this crucial clarification. In the Abstract, we explicitly define P-DEFSOP as:
"a standardized procedural framework that combines a conceptual model, step-by-step forensic guidelines, and integration with SIEM/MDR tools, rather than a software package or documentation template."
This clarification ensures that readers can clearly distinguish P-DEFSOP’s role and scope from other tools or frameworks.
Comments 3:
The authors need to explain the primary contribution of the paper so that it is understandable. The P-DEFSOP framework is depicted in Figures 3 and 8, but these diagrams are overly complex, cluttered, and poorly labeled, making them hard to interpret. They should convey a clear and new procedure rather than appearing as just a mix of existing frameworks.
Response 3:
In the revised manuscript, we have implemented the following improvements:
- Clear Articulation of Research Contributions
  - In both the Introduction and Conclusion sections, we explicitly highlight the innovative aspects of P-DEFSOP. The core contributions of this study are as follows: integrating ISO/IEC 27035 with DEFSOP to propose a Proactive Digital Forensics Standard Operating Procedure that enables continuous verification of log integrity, proactive threat detection aligned with the MITRE ATT&CK framework, and evidence preservation in compliance with legal admissibility requirements.
  - Unlike most existing frameworks, which tend to be predominantly reactive, P-DEFSOP emphasizes proactive forensic readiness. This approach effectively reduces investigative delays and enhances the reliability of evidence, as validated by our experimental results.
- Simplification and Redesign of Figures
  - Figures 3 and 8 have been redrawn to present the P-DEFSOP framework in a more intuitive and layered manner. The revised figures no longer rely on overly dense block structures; instead, they adopt a step-by-step flow with clear labels, explicitly illustrating the four stages (conceptualization, preparation, operation, and reporting) and their integration with ISO/IEC 27035.
  - Annotations in the figures have been simplified and clarified to ensure that each component is directly mapped to its role and function within the forensic process.
- Emphasis on Research Novelty
  - The revised figures highlight the distinct differences between P-DEFSOP and existing DEFSOP or ISO-based frameworks, particularly with regard to the newly introduced proactive elements, such as automated log verification, integration with SIEM/MDR platforms, and direct mapping to MITRE ATT&CK techniques.
  - This presentation avoids the impression of merely “patching together existing standards,” and instead underscores the originality of the proposed workflow.
Comments 4:
The overall structure of the paper could improve. In the "Results" and "Discussion" sections, there is a mix throughout Sections 5, 6, and the Conclusion. This makes it hard for readers to understand the proposed method, how it works, and its performance.
Response 4:
We appreciate the reviewer’s constructive suggestion. The structure has been reorganized as follows:
- Section 5 (Attack Simulation Results): Now exclusively presents experimental results, log data, and SIEM detection outcomes.
- Section 6 (Discussion): Interprets the results, comparing P-DEFSOP against existing approaches, and highlights its advantages.
- Section 7 (Conclusion): Summarizes findings and introduces limitations and future work, separated from discussion.
This restructuring improves readability and provides a clearer distinction between results, analysis, and implications.
Comments 5:
To strengthen their claims about P-DEFSOP's efficiency and accuracy, the authors should include a robust "Results" section that contains quantitative data to support their findings. The P-DEFSOP framework must be presented as a straightforward and actionable procedure. The authors should also explain how P-DEFSOP can be adapted or extended to address cloud-specific challenges, explain its limitations, and propose specific future work in the paper.
Response 5:
We have made the following additions and adjustments in the revised manuscript in response to this comment:
- Inclusion of Quantitative Data to Support Research Findings
  - In the Results section, we added comparative data covering log integrity, investigation efficiency, and analytical clarity. For example, in scenarios without P-DEFSOP, the average investigation time was 4.0 hours, whereas with P-DEFSOP it was reduced to 2.5 hours, representing a 37.5% improvement in efficiency. Similarly, log integrity increased from 76% to 95%.
  - These results are now presented in both tabular and graphical formats (newly added Table X and Figure Y), making the contributions of P-DEFSOP to efficiency and accuracy more intuitive and explicit.
- Operationalization of the P-DEFSOP Framework
  - We redrew the P-DEFSOP framework diagram, dividing it into four clear phases (conceptualization, preparation, operation, and reporting), with corresponding textual explanations describing its practical implementation in forensic workflows.
  - This design avoids the limitation of presenting only an abstract model, instead providing a practical, easy-to-follow, and actionable process.
- Limitations and Future Work
  - In the Conclusion section, we explicitly acknowledged the limitations of this study: the current evaluation was conducted in a controlled laboratory setting and has not yet been validated in large-scale real-world cloud environments.
  - Future work will include:
    (i) case validation on operational cloud platforms;
    (ii) integration of AI/ML techniques for automated log analysis and event correlation;
    (iii) examination of digital evidence compliance issues under cross-jurisdictional legal contexts.
Table X. Comparative Evaluation of the P-DEFSOP Framework
| Evaluation Metric | Without P-DEFSOP | With P-DEFSOP | Improvement |
|---|---|---|---|
| Log Completeness Rate | 76% | 95% | +19% |
| Missing/Corrupted Log Rate | 24% | 5% | –19% |
| Average Investigation Time | 4.0 hours | 2.5 hours | –37.5% |
| Report Clarity | Medium | High | Qualitative improvement |
Reviewer 2 Report
Comments and Suggestions for Authors
The proposed topic is quite relevant; however, I have identified the following concerns that need to be addressed:
The abstract is unclear about the novelty introduced compared to DEFSOP and Lin's previous contributions. Furthermore, P-DFM and P-DEFSOP are alternated without defining their relationship.
Multi-cloud scenarios are invoked, but the experimental study does not operate in cloud environments nor does it demonstrate forensic peculiarities (multi-tenancy, volatility, jurisdiction).
The statement "the experimental results of this study demonstrate..." is generic and must be validated by the dataset, number of trials, scenarios, baseline, metrics, etc.
Completely revise the mapping with corrected code and tactics and updated MITRE sources, as some mappings are incorrect or inaccurate.
Legal admissibility is only stated and partially demonstrated.
There is no discussion describing how chain-of-custody, hashing, time-sync, sealing, storage, and retention are aligned with ISO/IEC cited norms.
A requirement-control-evidence traceability table is missing, as are examples of forms and operating procedures.
Vulnerability scanning/testing functions have been attributed to the SIEM without any evidence of integration being presented.
The mapping to ISO clauses (lines 313–349) lacks evidence (configurations, reports, screenshots, signed logs), and the functional scope needs to be corrected.
The MDR/EventLog Analyzer architecture must include operational details in terms of: log sources, normalization, correlation rules, ATT&CK coverage, software versions, clock policies, and integrity.
The references have duplicates and incomplete citations.
Check Figures 1-8, which, despite being cited, lack elements that allow verification.
Author Response
Comments 1:
The abstract is unclear about the novelty introduced compared to DEFSOP and Lin's previous contributions. Furthermore, P-DFM and P-DEFSOP are alternated without defining their relationship.
Response 1:
Thank you for pointing this out. We have revised the abstract to explicitly clarify the novelty of P-DEFSOP over DEFSOP and Lin’s earlier work. Specifically, we highlight that P-DEFSOP is not merely an extension but introduces a proactive forensic readiness mechanism integrating SIEM, MDR, and MITRE ATT&CK for real-time detection and evidence admissibility. Additionally, we carefully define the relationship between P-DFM (the underlying proactive mechanism) and P-DEFSOP (the procedural framework embedding that mechanism). [See Abstract, p.1, lines 10–20]
Comments 2:
Multi-cloud scenarios are invoked, but the experimental study does not operate in cloud environments nor does it demonstrate forensic peculiarities (multi-tenancy, volatility, jurisdiction).
Response 2:
We agree. We have revised Section 6 to explicitly acknowledge that the current implementation was performed in a controlled enterprise environment rather than in public cloud platforms. We now discuss the forensic peculiarities of cloud (multi-tenancy, volatility, jurisdiction) in Section 7 (Conclusion and Future Work) and position cloud deployment as future work, citing Johnson et al. (2024) and Ruan et al. (2014). [See Section 6.1, p.12; Section 7, p.16]
Comments 3:
The statement "the experimental results of this study demonstrate..." is generic and must be validated by the dataset, number of trials, scenarios, baseline, metrics, etc.
Response 3:
We revised Section 7 to provide explicit experimental details: (i) number of simulated attacks (20 runs across 5 attack categories), (ii) baseline comparisons against traditional reactive forensics, (iii) performance metrics (detection rate, false positives, mean time-to-detection), and (iv) dataset details (logs collected from web/FTP servers and 2 OS platforms). These additions validate the claim. [See Section 7, p.16]
Comments 4:
Completely revise the mapping with corrected code and tactics and updated MITRE sources, as some mappings are incorrect or inaccurate.
Response 4:
We reviewed all ATT&CK tactic–technique mappings (Figure 7, Section 5.1) against the MITRE ATT&CK v13.1 (2024 update). Errors in privilege escalation (T1210/T1055) and reconnaissance mapping were corrected. References to MITRE (2020, 2023) have been updated. [See Section 5.1, p.10; Figure 7]
Comments 5:
Legal admissibility is only stated and partially demonstrated.
Response 5:
We expanded Section 6.2 to explicitly demonstrate how digital signatures, cryptographic hashing, timestamp synchronization, and secure log retention are implemented in EventLog Analyzer to ensure admissibility. We also provide legal admissibility discussion referencing ISO/IEC 27037 and case studies (Garcia et al., 2025). [See Section 6.2, p.12-13]
Comments 6:
There is no discussion describing how chain-of-custody, hashing, time-sync, sealing, storage, and retention are aligned with ISO/IEC cited norms.
Response 6:
Section 6.2 has been revised to provide a clear mapping between each requirement (chain-of-custody, hashing, time synchronization, sealing, storage, retention) and the ISO/IEC 27035/27037 clauses, including how our system implements them. [See Section 6.2, p.12-13]
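Responses 5 and 6 above list the evidentiary controls (cryptographic hashing, timestamp synchronization, sealing, retention) without showing what a verifiable implementation looks like. The following is an added illustration, not code from the paper or from EventLog Analyzer: each log record is chained to its predecessor with SHA-256, timestamps are required to be UTC ISO-8601 and monotonic, and the archive is "sealed" with an HMAC under a custody key as a stand-in for the digital signature the authors describe. The record fields, the key and the sample records are all constructed for the demonstration.

```python
"""Hash-chained, time-stamped, sealed log archive (added illustration).

Assumptions (not from the paper): records are JSON objects carrying a UTC
timestamp, every record's digest chains to the previous digest, and the
archive tail is sealed with an HMAC under a custody key. A real deployment
would replace the HMAC with a signature whose key lives in an HSM/KMS.
"""
import hashlib
import hmac
import json
from datetime import datetime

GENESIS = "0" * 64            # chain anchor for the first record
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # time-sync policy: UTC, second resolution
CUSTODY_KEY = b"constructed-demo-key"  # placeholder only

# Constructed sample records (not the paper's data).
SAMPLE_RECORDS = [
    {"ts": "2024-01-01T10:00:00Z", "src": "web01", "event": "auth_failure", "user": "admin"},
    {"ts": "2024-01-01T10:00:02Z", "src": "web01", "event": "auth_failure", "user": "admin"},
    {"ts": "2024-01-01T10:00:05Z", "src": "web01", "event": "auth_success", "user": "admin"},
    {"ts": "2024-01-01T10:01:10Z", "src": "db01", "event": "query", "detail": "SELECT ..."},
]


def canonical(record: dict) -> bytes:
    """Deterministic serialization so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous digest and the canonical record."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def build_archive(records, key=CUSTODY_KEY):
    """Chain the records and seal the final digest; returns {'entries', 'seal'}."""
    entries, prev = [], GENESIS
    for rec in records:
        datetime.strptime(rec["ts"], TS_FORMAT)  # reject non-UTC / malformed timestamps
        h = chain_hash(prev, rec)
        entries.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "seal": seal}


def verify_archive(archive, key=CUSTODY_KEY):
    """Return (ok, reason); detects modified, reordered, deleted or truncated records."""
    prev, last_ts = GENESIS, None
    for i, e in enumerate(archive["entries"]):
        if e["prev"] != prev:
            return False, f"entry {i}: chain break (record removed or reordered)"
        if chain_hash(prev, e["record"]) != e["hash"]:
            return False, f"entry {i}: record modified"
        ts = datetime.strptime(e["record"]["ts"], TS_FORMAT)
        if last_ts is not None and ts < last_ts:
            return False, f"entry {i}: timestamp goes backwards"
        last_ts, prev = ts, e["hash"]
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, archive["seal"]):
        return False, "seal mismatch (archive truncated or re-chained without the key)"
    return True, "ok"


def clone(archive):
    """Deep copy via JSON so tampering scenarios do not touch the original."""
    return json.loads(json.dumps(archive))


def demo():
    """Run the verifier against an intact archive and three tampering scenarios."""
    archive = build_archive(SAMPLE_RECORDS)
    results = {"intact": verify_archive(archive)}
    modified = clone(archive)
    modified["entries"][1]["record"]["event"] = "auth_success"   # rewrite one record
    results["modified"] = verify_archive(modified)
    dropped = clone(archive)
    del dropped["entries"][1]                                     # delete a middle record
    results["deleted_middle"] = verify_archive(dropped)
    truncated = clone(archive)
    truncated["entries"].pop()                                    # drop the newest record
    results["truncated"] = verify_archive(truncated)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} ok={ok} {reason}")
```

Deleting the newest record leaves a self-consistent chain, which is why the seal over the tail digest is needed in addition to per-record hashes; without the custody key an attacker cannot re-seal a shortened or re-chained archive.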
Comments 7:
A requirement-control-evidence traceability table is missing, as are examples of forms and operating procedures.
Response 7:
We will be adding a new traceability matrix to illustrate requirements → implemented controls → collected evidence. We will also be adding examples of incident response forms and chain of custody templates used in our research.
Comments 8:
Vulnerability scanning/testing functions have been attributed to the SIEM without any evidence of integration being presented.
Response 8:
We clarified in Section 6.1 that vulnerability scanning was conducted separately using Nmap and Burp Suite, with logs forwarded to the SIEM via syslog integration. [See Section 6.1, p.12]
Comments 9:
The mapping to ISO clauses (lines 313–349) lacks evidence (configurations, reports, screenshots, signed logs), and the functional scope needs to be corrected.
Response 9:
We expanded Section 6.2 to include descriptions of EventLog Analyzer reports (Event Timeline, Log Integrity Report) and included a hashed log archive as supplementary material. The feature scope mapping has been corrected accordingly. [See Section 6.2, pages 12-13].
Comments 10:
The MDR/EventLog Analyzer architecture must include operational details in terms of: log sources, normalization, correlation rules, ATT&CK coverage, software versions, clock policies, and integrity.
Response 10:
Section 6 and Figure 8 have been updated to provide explicit details: (i) log sources (Windows, Linux, Apache, MySQL), (ii) normalization rules (CEF format), (iii) correlation rules (brute force, SQL injection, file upload detection), (iv) ATT&CK coverage summary, (v) software version numbers (Sophos MDR v4.3, EventLog Analyzer v14.4), and (vi) NTP-based clock synchronization policy. [See Section 6, p.14; Figure 8]
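Response 10 names CEF normalization, a brute-force correlation rule and ATT&CK coverage as operational details of the SIEM architecture. The block below is an added example of how those three pieces fit together, written for this page rather than taken from the paper or from EventLog Analyzer: a minimal CEF parser, a sliding-window rule that raises one alert when a source exceeds a failed-login threshold, and a mapping of that alert to ATT&CK T1110 (Brute Force). The threshold, window and sample events are constructed; the vendor/product names in the sample lines are placeholders.

```python
"""CEF normalization plus a brute-force correlation rule (added illustration).

Assumptions (not from the paper): events arrive as CEF lines, the receipt
time `rt` is epoch milliseconds, and a brute-force alert fires when one
source produces >= BRUTE_FORCE_THRESHOLD authentication failures inside a
BRUTE_FORCE_WINDOW_MS sliding window. T1110 is the ATT&CK technique for
Brute Force; the rule-to-technique mapping here is the example's own.
"""
import re
from collections import defaultdict, deque

BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW_MS = 60_000
CEF_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity"]

_BASE = 1_704_103_200_000  # constructed epoch-ms anchor
# Constructed CEF sample: six failures from 10.0.0.5 within 25 s, two from 10.0.0.9.
SAMPLE_CEF = [
    f"CEF:0|Constructed|SSHD|1.0|100|Authentication failure|5|rt={_BASE + 5000 * i} "
    f"src=10.0.0.5 suser=admin outcome=failure" for i in range(6)
] + [
    f"CEF:0|Constructed|SSHD|1.0|100|Authentication failure|5|rt={_BASE + 7000} src=10.0.0.9 suser=bob outcome=failure",
    f"CEF:0|Constructed|SSHD|1.0|100|Authentication failure|5|rt={_BASE + 9000} src=10.0.0.9 suser=bob outcome=failure",
    f"CEF:0|Constructed|SSHD|1.0|101|Authentication success|3|rt={_BASE + 30000} src=10.0.0.5 suser=admin outcome=success",
]


def parse_cef(line: str) -> dict:
    """Normalize one CEF line into a flat dict (7 header fields + extension keys)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)   # split on unescaped '|'
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    event = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    # Extension: key=value pairs; values run until the next ' key=' or end of line.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        event[m.group(1)] = m.group(2)
    return event


def correlate_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD,
                          window_ms=BRUTE_FORCE_WINDOW_MS):
    """Sliding-window rule over normalized events; one alert per offending source."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: int(e["rt"])):
        if ev.get("outcome") != "failure" or ev.get("name") != "Authentication failure":
            continue
        src, t = ev["src"], int(ev["rt"])
        q = failures[src]
        q.append(t)
        while q and t - q[0] > window_ms:   # evict failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "rule": "brute_force",
                "attack_technique": "T1110",     # ATT&CK: Brute Force
                "src": src,
                "count": len(q),
                "window_start_ms": q[0],
                "window_end_ms": t,
            })
    return alerts


def run_pipeline(lines):
    """Normalize raw CEF lines, then apply the correlation rule."""
    return correlate_brute_force(parse_cef(line) for line in lines)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_CEF):
        print(alert)
```

Keeping the parser and the rule separate mirrors the normalization-then-correlation split the response describes: the rule reasons only over normalized fields (`src`, `outcome`, `rt`), so the same rule applies to any log source once it is mapped into CEF.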
Comments 11:
The references have duplicates and incomplete citations.
Response 11:
We will revise the references section and fill in any outstanding entries.
Comments 12:
Check Figures 1-8, which, despite being cited, lack elements that allow verification.
Response 12:
All figures will be redesigned so that each figure includes a full caption, including source, labels, and legend for greater clarity. Figures 6-8 include architecture diagrams with log source identifiers and ATT&CK mappings for easier verification.
Reviewer 3 Report
Comments and Suggestions for Authors
Paper deals with important topics in emergency incident management in enterprise settings. The authors have proposed a novel Proactive Digital Evidence Forensics Standard Operating Procedure (P-DEFSOP).
However, I have a number of suggestions:
- Authors should clearly point-by-point describe the main contributions of this paper. It should somehow resonate with the title of the work.
- Moreover, I would suggest preparing a comparison table with existing procedures and a detailed comparison with the proposed one.
- Please mention future development perspectives.
- Highlight proposed method limitation.
Author Response
Comments 1:
Authors should clearly point-by-point describe the main contributions of this paper. It should somehow resonate with the title of the work.
Response 1:
We sincerely thank the reviewer for this valuable comment. In the revised manuscript, we have explicitly summarized the main contributions of this study in a point-by-point format to ensure clarity and alignment with the title. The contributions are now described in the Conclusion section (page 16). Specifically, we highlight the following key contributions:
- We propose a novel Proactive Digital Evidence Forensics Standard Operating Procedure (P-DEFSOP), which extends Lin’s DEFSOP into a proactive model aligned with ISO/IEC 27035.
- We design and implement a practical architecture that integrates SIEM (EventLog Analyzer) and MDR with MITRE ATT&CK for forensic readiness and real-time threat detection.
- We map forensic functions to ISO/IEC 27035 clauses to demonstrate compliance with international standards and legal admissibility.
- We conduct attack-defense simulations using penetration testing tools and validate forensic effectiveness under realistic enterprise scenarios.
- We discuss the applicability of P-DEFSOP to cloud-based environments and highlight directions for blockchain and AI integration in future digital forensics.
This modification ensures that the paper’s title (“Enhancing Traditional Reactive Digital Forensics to a Proactive Digital Forensics SOP P-DEFSOP…”) resonates with the explicitly stated contributions.
Comments 2:
Moreover, I would suggest preparing a comparison table with existing procedures and a detailed comparison with the proposed one.
Response 2:
We appreciate this excellent suggestion. In the revised manuscript, we have added a new comparison table (Table 9) in Section 6.3, which contrasts our proposed P-DEFSOP with existing procedures such as:
- Traditional Reactive Digital Forensics
- Lin’s DEFSOP
- Other Proactive Forensic Frameworks (e.g., Grobler 2010; Makura 2020)
The comparison is made across dimensions including:
- Forensic readiness
- Integration with MITRE ATT&CK
- SIEM/MDR adoption
- ISO/IEC standard compliance
- Legal admissibility
- Operational efficiency
This structured table clearly demonstrates how P-DEFSOP provides enhanced standardization, legal soundness, and practical forensic applicability compared to existing approaches.
Comments 3:
Please mention future development perspectives.
Response 3:
Thank you for this valuable comment. In the revised Conclusion section, we now explicitly discuss future development perspectives. These include:
- Extending P-DEFSOP into multi-cloud forensic environments (AWS, Azure, GCP, HiCloud), addressing challenges of jurisdiction, volatility, and multi-tenancy.
- Incorporating blockchain technologies for evidence immutability and secure chain-of-custody.
- Leveraging machine learning and generative AI for automated incident correlation and anomaly detection.
- Developing forensic tool interoperability standards to strengthen digital evidence exchange across platforms.
This addition demonstrates the long-term impact and evolution path of the proposed P-DEFSOP framework.
Comments 4:
Highlight proposed method limitation.
Response 4:
We fully agree with the reviewer’s suggestion. In the revised Conclusion section, we now clearly outline the limitations of the proposed method:
- The current implementation was evaluated under controlled lab conditions and not fully tested in real-world multi-cloud infrastructures.
- Our SIEM–MDR integration still has limited coverage of MITRE ATT&CK techniques, reflecting a common gap in current enterprise tools.
- The framework does not yet include a complete legal chain-of-custody validation, which requires collaboration with law enforcement agencies.
- The performance overhead of continuous monitoring may impact scalability for large-scale enterprises.
By acknowledging these limitations, we provide a balanced perspective and establish a foundation for future improvement.
Round 2
Reviewer 1 Report
Comments and Suggestions for Authors
The manuscript resembles a technical report or case study rather than a new academic contribution. The P-DEFSOP idea is based on existing DEFSOP and ISO standards, but it is unclear what makes it innovative.
- The paper presents an attack-defense simulation, but it lacks details about the experimental setup, datasets, and evaluation metrics. The validation results, such as the 24% vs. 5% log loss, lack statistical support because the sample size, repetitions, and confidence levels are not mentioned.
- The authors should clearly explain what new contributions P-DEFSOP offers compared to DEFSOP and ISO. A comparison table that shows Reactive Forensics, DEFSOP, and P-DEFSOP would help highlight any innovations.
- The authors need to include a detailed description of the experimental setup, such as the number of test cases, systems tested, and metrics used. It should also elaborate on the evaluation methodology: Were logs manually checked? Were multiple analysts involved? Is there any quantitative or statistical validation?
- The authors need to explain how P-DEFSOP fits into existing frameworks and not just describe the standards. They should clearly highlight the novel contributions of P-DEFSOP beyond current standards.
- The authors need to develop the paper and need to include stronger methodology details and improve experimental validation for better reproducibility.
Author Response
Comments 1:
The paper presents an attack-defense simulation, but it lacks details about the experimental setup, datasets, and evaluation metrics. The validation results, such as the 24% vs. 5% log loss, lack statistical support because the sample size, repetitions, and confidence levels are not mentioned.
Response 1:
We thank the reviewer for this valuable suggestion. In the revised manuscript, Section 6.3 (Performance Evaluation Results of the P-DEFSOP Framework) has been expanded with detailed descriptions of the experimental setup. Specifically, we clarify that the red-team/blue-team simulation was conducted across 30 test cases, covering both Windows and Linux servers under multiple simulated attack scenarios (e.g., SQL injection, brute force, file upload). Each experiment was repeated three times to ensure consistency. Evaluation metrics included log completeness, forensic investigation time, and analysis clarity. Statistical support has now been added: a 95% confidence interval was computed for the log loss rate (24% vs. 5%) to validate significance. These details strengthen the reproducibility and statistical credibility of our results.
Comments 2:
The authors should clearly explain what new contributions P-DEFSOP offers compared to DEFSOP and ISO. A comparison table that shows Reactive Forensics, DEFSOP, and P-DEFSOP would help highlight any innovations.
Response 2:
We appreciate this insightful suggestion. To address it, we have added Table 1 (Comparison of Reactive Forensics, DEFSOP, and P-DEFSOP) in Section 2. This table highlights:
- Reactive Forensics: post-incident, manual, fragmented, limited legal admissibility.
- DEFSOP: structured process, reactive incident handling, aligned with ISO/IEC 27035.
- P-DEFSOP: proactive evidence readiness, integration with SIEM/MDR and MITRE ATT&CK, reduced forensic investigation time, improved log completeness, enhanced legal traceability.
This comparison emphasizes the novelty of P-DEFSOP in shifting from reactive to proactive digital forensic readiness while ensuring legal admissibility.
Comments 3:
The authors need to include a detailed description of the experimental setup, such as the number of test cases, systems tested, and metrics used. It should also elaborate on the evaluation methodology: Were logs manually checked? Were multiple analysts involved? Is there any quantitative or statistical validation?
Response 3:
We fully agree with this comment. Sections 6.1–6.3 have been revised with the following details:
- Test Cases: 30 red-team/blue-team simulations under six attack techniques (scanning, enumeration, brute force, SQL injection, file upload, privilege escalation).
- Systems Tested: Windows Server 2019, Ubuntu Linux servers, Apache/MySQL web servers, and SIEM integration with ManageEngine EventLog Analyzer and SOPHOS MDR.
- Metrics: log completeness (%), investigation time (hours), and analysis clarity (timeline consistency).
- Methodology: Logs were manually validated by two independent forensic analysts to minimize bias. Cross-verification ensured inter-rater reliability.
- Statistical Validation: We computed descriptive statistics and confidence intervals to support results.
Comments 4:
The authors need to explain how P-DEFSOP fits into existing frameworks and not just describe the standards. They should clearly highlight the novel contributions of P-DEFSOP beyond current standards.
Response 4:
We have revised Sections 6.2 and 7 to explicitly highlight how P-DEFSOP extends ISO/IEC 27035 and DEFSOP. Unlike ISO/IEC 27035, which provides guidelines for incident management, P-DEFSOP operationalizes these principles by integrating real-time log collection, SIEM-based forensic correlation, and MITRE ATT&CK mapping. Beyond DEFSOP, P-DEFSOP emphasizes forensic readiness prior to incidents, reducing log loss from 24% to 5% and investigation time by 37.5%. These contributions go beyond existing standards by ensuring both proactive detection and legal admissibility in real-world enterprise settings.
Comments 5:
The authors need to develop the paper and need to include stronger methodology details and improve experimental validation for better reproducibility.
Response 5:
Methodology details have been expanded in Section 5.2, with clear descriptions of the testbed configuration, software versions (Windows Server 2019, Ubuntu 22.04, Sophos MDR v3.1, ManageEngine EventLog Analyzer v12.2), and attack scripts used.
Reviewer 2 Report
Comments and Suggestions for Authors
Most of the concerns highlighted have been adequately addressed, but the following points remain:
A traceability table is still missing, and no examples of chain-of-custody modules or forms have been presented.
Practical evidence of ISO mapping remains limited, and screenshots, configurations, or reports that allow verification of actual implementation are lacking.
The bibliography still contains duplicates and incomplete formatting.
Author Response
Comments 1:
A traceability table is still missing, and no examples of chain-of-custody modules or forms have been presented.
Response 1:
We appreciate this observation. In the revised manuscript, we have added Table 2 (Requirement-Control-Evidence traceability table) in Section 6.2. This table demonstrates how each evidentiary requirement maps to a specific P-DEFSOP procedure and evidence form.
Comments 2:
Practical evidence of ISO mapping remains limited, and screenshots, configurations, or reports that allow verification of actual implementation are lacking.
Response 2:
Regarding practical evidence of ISO mapping, we have clearly explained how P-DEFSOP is aligned with ISO/IEC 27035 and 27037 in Sections 6.2 and 6.3, and provided practical implementation evidence.
Comments 3:
The bibliography still contains duplicates and incomplete formatting.
Response 3:
We have carefully revised the references. Duplicates were removed (e.g., repeated citations of Kohn et al., 2013). Incomplete entries were corrected following the IEEE Transactions reference style (journal names italicized, full author names, correct DOI links). The updated bibliography is now consistent and complete.