Development of KRAFF: A Digital Forensics and Cyber Incident Response Framework Based on International Multi-Standard (NIST, ISO/IEC, and ITIL 4) as a Practical and Measurable Adoption Guide

Authors

  • Andi Faridz Fakhriza Universitas Indonesia
  • Kalamullah Ramli Universitas Indonesia

DOI:

https://doi.org/10.62146/ijecbe.v3i4.201

Keywords:

Digital Forensic, Cyber Incident Response, NIST, ISO/IEC 27000 Series, ITIL 4, Expert Judgement, Free-Marginal Multirater Kappa

Abstract

Digital forensics and cyber incident response are crucial capabilities for IT-based organizations that need to manage cyber incidents effectively. However, organizations often face a fundamental constraint: digital forensic processes that are ad hoc, unstructured, and detached from incident management. This situation compromises the integrity of digital evidence and prolongs service recovery times, and it stems from the absence of a practical framework capable of integrating forensic procedures into incident management. This paper presents a comprehensive and integrated framework for digital forensics and cyber incident response, specifically designed to address these deficiencies. The framework is built through a multi-standard synthesis that aligns technical guidelines from NIST and the ISO/IEC 27000 series with established service management principles from ITIL 4. Structurally, the proposed framework comprises four main phases, supported by 19 detailed activities, 16 defined roles and responsibilities, 18 requisite report or document artifacts, and 18 key performance metrics. Validation of the framework was conducted using the expert judgement method, involving a panel of nine specialists in the cybersecurity domain. A quantitative assessment using the Free-Marginal Multirater Kappa yielded a value of 0.9316, indicating "almost perfect agreement" among the experts regarding the framework's relevance and applicability. Consequently, the framework is positioned for widespread adoption within IT-centric organizations, serving as a practical guide for establishing mature, measurable, and integrated capabilities in digital forensics and cyber incident response.
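The abstract reports the panel's agreement as a Free-Marginal Multirater Kappa (Randolph, 2005) and interprets it on the Landis and Koch (1977) scale. The following Python block is an added example, not code or data from the paper: it implements the statistic from its definition (P_o is the proportion of agreeing rater pairs per item, averaged over items; P_e = 1/k for k categories; kappa_free = (P_o - P_e) / (1 - P_e)), alongside Fleiss' fixed-marginal kappa so the difference between the two is visible. The rating matrix is constructed for illustration (nine raters, as in the paper's panel, but only four items and a two-way relevant/not-relevant judgement); the paper's own ratings are not reproduced on this page, so the 0.9316 result cannot be recomputed here.

```python
from collections import Counter
from fractions import Fraction

# Constructed sample data (NOT the paper's ratings): 9 hypothetical raters
# judge each of 4 framework items as "relevant" or "not_relevant".
CATEGORIES = ("relevant", "not_relevant")
RATINGS = [
    ["relevant"] * 9,
    ["relevant"] * 8 + ["not_relevant"],
    ["relevant"] * 9,
    ["relevant"] * 7 + ["not_relevant"] * 2,
]


def count_matrix(ratings, categories):
    """Turn per-item rating lists into an N x k matrix of category counts."""
    return [[Counter(item)[c] for c in categories] for item in ratings]


def observed_agreement(counts):
    """P_o: share of agreeing rater pairs, averaged over all N items.

    For one item with n raters and category counts n_j, the agreeing pairs are
    sum_j n_j * (n_j - 1) out of n * (n - 1) ordered pairs.
    """
    n = sum(counts[0])
    if any(sum(row) != n for row in counts):
        raise ValueError("every item must be rated by the same number of raters")
    agreeing = sum(c * (c - 1) for row in counts for c in row)
    return Fraction(agreeing, len(counts) * n * (n - 1))


def free_marginal_kappa(counts):
    """Randolph's free-marginal kappa: chance agreement assumes uniform marginals, P_e = 1/k."""
    k = len(counts[0])
    p_o = observed_agreement(counts)
    p_e = Fraction(1, k)
    return (p_o - p_e) / (1 - p_e)


def fleiss_kappa(counts):
    """Fleiss' fixed-marginal kappa: P_e is built from the observed category proportions."""
    n_items, n = len(counts), sum(counts[0])
    total = n_items * n
    p_e = sum(Fraction(sum(row[j] for row in counts), total) ** 2 for j in range(len(counts[0])))
    if p_e == 1:
        raise ValueError("all ratings fall in one category; Fleiss' kappa is undefined")
    return (observed_agreement(counts) - p_e) / (1 - p_e)


def landis_koch(kappa):
    """Benchmark label for a kappa value (Landis and Koch, 1977)."""
    if kappa < 0:
        return "poor"
    for upper, label in [(0.20, "slight"), (0.40, "fair"), (0.60, "moderate"),
                         (0.80, "substantial"), (1.0, "almost perfect")]:
        if kappa <= upper:
            return label
    raise ValueError("kappa cannot exceed 1")


def implied_observed_agreement(kappa, k):
    """Invert kappa_free to recover P_o for a reported kappa and k categories."""
    p_e = 1.0 / k
    return kappa * (1 - p_e) + p_e


if __name__ == "__main__":
    counts = count_matrix(RATINGS, CATEGORIES)
    kf = free_marginal_kappa(counts)
    print(f"P_o                 = {float(observed_agreement(counts)):.4f}")
    print(f"free-marginal kappa = {float(kf):.4f} ({landis_koch(kf)})")
    print(f"Fleiss kappa        = {float(fleiss_kappa(counts)):.4f}")
    # Assumption for illustration only: a two-way judgement (k = 2).
    print(f"P_o implied by the paper's 0.9316 if k = 2: {implied_observed_agreement(0.9316, 2):.4f}")
```

On the constructed data the raters agree on 84.7% of pairwise comparisons and the free-marginal kappa is 0.694 ("substantial"), while Fleiss' kappa collapses to 0.0 because nearly every rating falls in the "relevant" category and the fixed-marginal chance term absorbs all of the agreement. That prevalence effect is the reason Randolph's variant is the appropriate choice when raters are free to use any category and the panel is expected to rate most items favourably, as in an expert-judgement validation of a framework.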

Author Biographies

Andi Faridz Fakhriza, Universitas Indonesia

Department of Electrical Engineering, Faculty of Engineering, Universitas Indonesia, Depok, Indonesia

Kalamullah Ramli, Universitas Indonesia

Department of Electrical Engineering, Faculty of Engineering, Universitas Indonesia, Depok, Indonesia

References

IBM, "Cost of a Data Breach Report," IBM, 2025.

SentinelOne, "Key Cyber Security Statistics for 2025," SentinelOne, 30 July 2025. [Online]. Available: https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/.

Fortinet, "What is DFIR?," Fortinet. [Online]. Available: https://www.fortinet.com/br/resources/cyberglossary/dfir. [Accessed 15 September 2025].

Palo Alto Networks, "What is Digital Forensics and Incident Response (DFIR)?," Palo Alto Networks. [Online]. Available: https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response. [Accessed 15 September 2025].

IBM, "What is Digital Forensics and Incident Response (DFIR)?," IBM. [Online]. Available: https://www.ibm.com/think/topics/dfir. [Accessed 15 September 2025].

B. Carrier, File System Forensic Analysis. USA: Addison-Wesley Professional, 2005.

A. R. Hakim, K. Ramli, T. S. Gunawan, and S. Windarta, "A Novel Digital Forensic Framework for Data Breach Investigation," IEEE Access, vol. 11, pp. 42644-42659, 2023.

E. Munke and P. M. W. Musuva, "Digital Forensics as a Service Implementation: A Scalable Solution for Cyber Incident Response," in IST-Africa 2024 Conference Proceedings, 2024.

S. J. Lee and G. B. Kim, "K-FFRaaS: A Generic Model for Financial Forensic Readiness as a Service in Korea," IEEE Access, vol. 9, pp. 130094-130110, 2021.

A. A. Thakar, K. Kumar, and B. Patel, "Next Generation Digital Forensic Investigation Model (NGDFIM) - Enhanced, Time Reducing, and Comprehensive Framework," Journal of Physics: Conference Series, vol. 1767, no. 1, p. 012054, 2021.

S. Rudrakar, P. Rughani, and L. Sadineni, "Digital forensics and incident response management model for IoT based agriculture," Sci. Rep., vol. 15, no. 1, p. 17797, 2025.

V. R. Kebande, P. P. Mudau, R. A. Ikuesan, H. S. Venter, and K.-K. R. Choo, "Holistic digital forensic readiness framework for IoT-enabled organizations," Forensic Sci. Int. Rep., vol. 2, p. 100117, 2020.

O. Regina, K. Ramli, and A. H. Amarullah, "Illicit Cryptocurrency Investigation Digital Forensic Framework: Integrating Off-Chain and On-Chain Analysis for Two Types of Crime," International Journal of Electrical, Computer, and Biomedical Engineering, vol. 3, no. 2, pp. 411-432, 2025.

National Institute of Standards and Technology, "The NIST Cybersecurity Framework (CSF) 2.0," NIST, USA, 2024.

P. Cichonski, T. Millar, T. Grance, and K. Scarfone, "NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide," NIST, USA, 2012.

K. Kent, S. Chevalier, T. Grance, and H. Dang, "NIST SP 800-86 - Guide to Integrating Forensic Techniques into Incident Response," NIST, USA, 2006.

International Organization for Standardization, "ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements," ISO, 2022.

International Organization for Standardization, "ISO/IEC 27035-1:2016 - Information technology - Security techniques - Information security incident management - Part 1: Principles of incident management," ISO, 2016.

International Organization for Standardization, "ISO/IEC 27035-2:2016 - Information technology - Security techniques - Information security incident management - Part 2: Guidelines to plan and prepare for incident response," ISO, 2016.

International Organization for Standardization, "ISO/IEC 27037:2012 - Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence," ISO, 2012.

International Organization for Standardization, "ISO/IEC 27042:2015 - Information technology - Security techniques - Guidelines for the analysis and interpretation of digital evidence," ISO, 2015.

International Organization for Standardization, "ISO/IEC 27043:2015 - Information technology - Security techniques - Incident investigation principles and processes," ISO, 2015.

AXELOS, ITIL Foundation: ITIL 4 Edition. London: The Stationery Office, 2019.

AXELOS, ITIL 4 Practice Guide: Incident Management. London: AXELOS, 2020.

AXELOS, ITIL 4 Practice Guide: Information Security Management. London: AXELOS, 2020.

AXELOS, ITIL 4 Practice Guide: Problem Management. London: AXELOS, 2020.

V. Braun and V. Clarke, "Using thematic analysis in psychology," Qualitative Research in Psychology, vol. 3, no. 2, pp. 77-101, 2006.

J. J. Randolph, "Free-Marginal Multirater Kappa: An Alternative to Fleiss' Fixed-Marginal Multirater Kappa," in Joensuu Learning and Instruction Symposium, October 2005.

M. B. Miles, A. M. Huberman, and J. Saldana, Qualitative Data Analysis: A Methods Sourcebook. Sage Publications, 2024.

J. R. Landis and G. G. Koch, "An Application of Hierarchical Kappa-type Statistics in the Assessment of Majority Agreement among Multiple Observers," Biometrics, vol. 33, no. 2, pp. 363-374, 1977.

Published

2025-12-30

How to Cite

Fakhriza, A. F., & Ramli, K. (2025). Development of KRAFF: A Digital Forensics and Cyber Incident Response Framework Based on International Multi-Standard (NIST, ISO/IEC, and ITIL 4) as a Practical and Measurable Adoption Guide. International Journal of Electrical, Computer, and Biomedical Engineering, 3(4), 770–785. https://doi.org/10.62146/ijecbe.v3i4.201

Section

Computer Engineering