Next-Generation Digital Forensic Readiness BYOD Framework

Intel’s “Bring Your Own Device” (BYOD) adoption quickly became popular as an alternative workplace solution strategy. It enables employees to use their personally owned devices to perform business activities, leading to increased productivity and employee satisfaction. However, BYOD also brought associated risks because of exponential growth in the number of cybersecurity incidents due to which business ecosystem gets disrupted and fragmented. Although several methods and mechanisms have been developed and adopted to mitigate the risk associated with BYOD, they still represent a challenge as corporate network gets exposed to inherent threats caused by the BYOD threat landscape.,is work demonstrates especially two key aspects:,e first focuses on how to detect and protect BYOD environment from an advanced level attack which cannot be detected by traditional tools and techniques even though available tools are quite effective. Before the attack and damage to the critical infrastructure due to BYOD threat, a strategy was indeed the key requirement for detecting attacks and protecting the environment. ,e second part of the research focuses on conducting forensic investigationmodel and developing a new approach by providing a reliable forensic investigation infrastructure to find digital evidence and detect the source of attack. ,is research work concluded with two different novel strategic ideas. ,e first part contributes to a new method of detecting and protecting against malicious activities which cannot be otherwise detected and protected by traditional security technology like IPS, IDS, AntiBot, or AntiVirus. ,e proposed technique compared to the existing methods led to a significant contribution to the identification of threats before an attack takes place. ,e second part of the research contributes to the defining of a new approach of the next-generation digital forensic readiness (NG-DFR) model in order to build a cyber forensic ecosystem so that cyber secured BYOD environment can be enabled safely.


Introduction
Bring Your Own Device (BYOD) is basically the consumerization of information technology (IT) where employees use their personal devices in the corporate networks. It helps the organization to save the cost and increases employee productivity and engagement. Adopting BYOD technology in enterprise leads to an increase in business productivity and enhances collaboration and business agility.
Bring Your Own Device (BYOD) becomes a rule rather than an exception. Technology transformation is the key role of every CIO and IT leader of any organization. As per the study of Gartner, BYOD users will get increased by 75% by 2022 [1] from 35% in 2018. By 2021 [2], maximum organizations are expected to use IoT; approximately 94% of the organizations will adopt IoT as per Microsoft report. During the COVID-19 global pandemic situation, demand for BYOD has even increased exponentially.
e BYOD infrastructure provides Internet access to the employees, while employees being trusted users access the enterprise infrastructure, which is intended to be secured. Guest user access is also one of the features of BYOD to provide access to the visited partner/guest using the selfregistration portal or sponsored portal. During the initial stage of the BYOD solution adoption, most of the organizations did not give access through corporate network due to involved security risks. However, in the later stage, organizations started moving towards a positive direction realizing that personal mobile devices are an integral part of employees' daily life. As BYOD connects untrusted external devices in the corporate wireless network infrastructure, increase in cybersecurity risks and data leakage incidents are observed. Malicious activities can be performed using BYOD. Unmanaged devices might not be following the standard security practice and may not follow the line of defense against malicious content [3]. A study concluded that 62% of digital incidents are triggered by inside users either intentionally or unknowingly [4]. Using BYOD services, users can try to get access to internal network and cloud network, and perform malicious activities, and damage the potential data which can cause the reputation loss of the organization. Data theft, shadow IT, and cybersecurity constitute a major concern in BYOD. Installing malware in BYOD and connecting to the Internet can also lead to serious damage and are a major security risk. While implementing the BYOD legal approach of the mitigation cannot be overlooked [5], every stage of the BYOD security policy should be always in line with protecting the internal network, data, and application. BYOD system has become a huge security risk [6]. Accessing corporate infrastructure using BYOD devices which may be owned by employees, suppliers, or partners makes corporate data protection a major concern for the organization; at the same time, isolating personal data is a need for employee privacy. In a study, the BYOD security impact assessment conducted for the airport smart system stated that compromised BYOD devices can have an impact on airport system integrity and availability [7]. Security breaches are more in terms of the network infrastructure where BYOD service is offered to employees, partners, and staff.
Cyberattack and security risk in airport security is a major risk of the country [8] due to BYOD. BYOD might become "bring your own danger" [9] if proper security control is not implemented and if the solutions do not include forensic investigation after crime.
Due to vulnerability, cyber-attacks have grown periodically. According to CVE [10], Figure 1 represents the growth of vulnerabilities in years. Increase in vulnerability has also increased the attacks.
DFR (digital forensic readiness) in BYOD infrastructure is one of the models that detect attackers' activities and behavior using honeypot, a deception technology. Extensive research has been conducted to improve the approach of DFR and CTI (cyber threat intelligence) to conduct a digital forensic investigation and to reduce the time and cost. Up to 90.73% [11] accuracy level was achieved in analyzing the root cause after an incident.
According to Juniper Survey, 80% of BYOD devices will be unprotected. ere is a need for digital forensic infrastructure in BYOD technology to provide security. Lack of a proactive security model in BYOD architecture can cause digital forensic investigation. A large-scale clustering deployment of BYOD infrastructure needs an advanced model of digital forensic readiness infrastructure for the practice of detection and investigation [12].
Internet users are increasing exponentially by using IoT/ BYOD in every organization, public environment, and smart city environment. Cyberterrorism is defined as the intentional use of a computer or network communication device using public networks to destruct the critical public and private infrastructure for personal objectives which may be political or ideological. e government and public/private sector must gear up to fight against this major crime. Cybercrime rates are also exponentially growing, and this is a challenging area to handle and investigate after an incident. Government of India has taken an initiative to enhance the infrastructure of the National Cybercrime Forensic Laboratory (NCFL) and started a new project called Cyber Prevention, Awareness & Detection Centre (CyPAD) as stated by Union Home Minister on the 18th of Feb 2019 [13]. Union Home Minister has pointed out that cybercrime has become a big challenge to handle. Different questions arise: How governments or private organizations will handle such big cyber forensic investigation and cyber fraud management in smart city environment where IoT users are in large numbers or BYOD users are increasing every day? Who will do this investigation? How those crimes will be handled? How to get the crime activity logs of BYOD/IoT users? ese questions can be addressed by developing and implementing a cyber secured BYOD infrastructure. After an attack, there is a need for forensic investigation in BYOD. Major components in digital forensic investigation are [14] Computer forensic Network forensic Database forensic Mobile forensic Digital forensic or cyber forensic will ideally include the components [15] (a) humans, (b) digital evidence, and (c) process, which act as a reference point. After a cyber-attack analysis, event reconstruction, with reproducible and verifiable results, is an inline requirement for legal action in digital forensic investigation [16]. BYOD has all those components to be covered in forensic investigation. reat finding after an incident and source of attack [8] finding are requirements in forensics; for example, a novel study was conducted for identifying human behavior in an automated way based on handwriting [17].
On the other hand, the cloud adoption rate is expected to be 83% by 2020 [18]. is increased rate of cloud adoption has increased the demand for BYOD at a much larger rate. All organizations are adopting cloud services for different applications and roaming user services, since the increased demand for working anywhere by any device has increased the BYOD demand. At the same time, BYOD security and cyber forensic investigation from enterprise network and cloud network are important concerns that need to be taken care of.
ere is a serious need for BYOD forensics as BYOD devices are the most critical component in forensics and the source of evidence [19]. Due to the increased cyber incident landscape, collecting, preserving, and analyzing digital evidence after an incident and presenting the analysis with integrity are required.
is paper is organized as follows: Section 2 discusses the related work, followed by design and methodologies in Section 3 and then results in Section 4. Comparison and analysis are provided in Section 5. e proposed new model of NG-DFR is explained in Section 6. Section 7 concerns NG-DFR model ecosystem.
e discussion is covered in Section 8, contributions of the research in Section 9, future research areas in Section 10, and conclusion in Section 11.

Related Work
Most of the research in this area is conducted from the Golden Age of digital forensics (1997)(1998)(1999)(2000)(2001)(2002)(2003)(2004)(2005)(2006)(2007) till today, which is not sufficient to complete the analysis as there was a need for a standard, modular [20] approach to digital forensic. Since new technologies are adopted, the deployment approach is also changing and there is no single mitigation technique [21] as methods of attacks keep on changing. erefore, continuous evolvement in forensic technology is required as stated in a study by Deloitte [22]. ere is no single agreed upon digital forensic process that has been developed [23]. Some of the existing methods and techniques are listed below.

Honeypot Technology.
Deception technology honeypot has been explored to detect threats in BYOD infrastructure in 2016. is opens the way for doing root cause analysis after an incident [12]. An improved extended study of a generic digital forensic readiness model for BYOD using honeypot technology [12] was again conducted in 2019 where a reat Intelligence Platform is used to detect the incident, and accuracy has been analyzed [11]. Using audit logs of malicious activities collected from the reat Intelligence Collector, accuracy has been analyzed and found to be 90.73%, 96.16%, and 93.71% [11]. Subsequently, honeypot was integrated with cyber risk management process of five preparedness mission areas of FEMA (Federal Emergency Management Agency) [24].

Cryptographic Blockchain Method of Forensics.
e cryptographic blockchain authentication process has been studied where the record-keeping system has been used for secure authentication of BYOD users. Evidence collection for forensic investigations has also been covered using records [25]. Furthermore, the digital method of recordkeeping systems has been used for the multifactor authentication process [25]. is ledger makes an easier way to conduct digital evidence investigation after the crime/ malicious activity, for example, image haze removal technique [26], forward mechanism, or reverse mechanism in dual-tree complex wavelet transform (DTCWT) [27]. Using advanced intrusion detection and distributed ledger technology in the IoT environment by identifying malicious activity and finding the source of the attack, storing the digital evidence is explored so that digital evidence can be collected to conduct a digital investigation [28]. [29] based BYOD threat model is proposed and analyzed threat interaction in BYOD. BYOD internal and external threat interaction with the corporate network are analyzed so that security and forensic threats in BYOD can be understood. Reverse adoption of encryption using the Group Encrypted Transport VPN (GETVPN) method of BYOD traffic was a novel approach to detecting malicious activities and to reducing threats. erefore, the forensic analysis mechanism was analyzed for internal and external traffic threats [30].

Smart City IoT Cloud Data Security Forensics.
Data security on the cloud is also an important aspect to be considered as stored data in the cloud does not have enough control. Since cloud data is not an enterprise control data center, so data accessed by unauthorized entities is a risk. Data integrity is an important parameter for postincident forensic analysis. Forensic analysis and finding out the root cause constitute the important view that has been highlighted. Artificial intelligence is also one of the major areas that have been pointed out in this study. e identification of security threats is studied in [31].

IoT Mobile Forensics.
Smartphone IoT devices traces were used to find the logs of the incident for forensic investigation. Extracting the logs from IoT devices and analyzing logs captured with Wireshark for finding out digital evidence constituted one of the approaches [32]. Using smartphone devices, collecting the stored logs from the smartphones, and reconstructing the event of crime are very useful case studies done in DFRSW (Digital Forensic Research Workshop). Retrieving the information from digital

Security and Communication Networks
IoT devices and analysis of using multiple tools like Wireshark [33] were important findings of digital evidence of the crime [34].

Integration of Digital Forensics and Forensic
Science. e task of collecting digital evidence from a dynamic IoT environment is very complex. Due to a lack of proper tools and techniques, the process becomes very challenging [35]. An important study was conducted regarding the integration of different forensic sciences to build a smart ecosystem of forensic science [36]. While various mechanisms are implemented to reduce security attacks, in some cases image processing reduces the computation speed which has also been addressed in the nondominated genetic algorithm [37]. A powerful digital forensic ecosystem can be created in case of a collaborative effort of different tools, technologies, and cyber laws, and forensic experts can integrate all together.
As per an IBM study in 2018, 77% of organizations do not have a consistent cybersecurity incident response plan (CSIRP) [38], even after the General Data Protection Regulatory (GDPR) has been in effect since May 2018 [39]. On average, it takes 23.6 hours [40] to address cybercrime aftermath. is indicates that there is a serious need for advanced level cybersecurity response systems, cyber defense mechanisms, and cyber forensic mechanisms.
If BYOD cyber forensic mechanism can be developed in such a way that the incident can be analyzed to detect the crime with sufficient evidence, then BYOD cyber forensic ecosystem can be a more reliable environment for the organization.
is study has shown a flagrant result of BYOD malicious activity forensic analysis which can be helpful for organizations to implement cyber defense and cyber forensic ecosystem in the BYOD environment.

Wireless Drone Forensic Readiness Model.
e wireless forensic readiness model was explored with a dedicated forensic server with drone architecture in the year 2011. Packet decryption and Wireshark analysis were done to identify the attack [41], and the collection of digital evidence was explored. After collection of logs, analysis of wireless LAN traffic using NetWitness [23] was another approach explored to conduct a digital forensic investigation.
As discussed above, a different BYOD cyber forensic model has been explored in various tangents, but due to exponential increase of cyber-attack tools and technology, there is a definite need for further development in this area. Hence, the objective of this research is to first secure the BYOD infrastructure using traffic encryption and second develop BYOD forensic investigation using Check Point SandBlast.

High-Level Digital Forensic Readiness BYOD Model.
is section presents a high-level digital forensic readiness model. An advanced level of the next-generation digital forensic readiness model is projected. is study has been conducted to detect the cyber-attack, protect infrastructure from threat, and develop a postincident forensic investigation process. As honeypot technology for digital forensic readiness (DFR) [12] is not sufficient and large-scale evidence finding technique was required, the deception technology has been used for digital forensic readiness. As the components of digital forensic or cyber forensic investigation include [15] (a) humans, (b) digital evidence, and (c) process, the model of the advanced digital forensic model needs to include all these parameters. After an incident, finding the threats and tracing the source of attack [8] become a major requirement, and prediction of future attacks based on the current attack is also important, for example, in an engine where future flow demands are based on the current flow [42]. Major components included in this study are represented in Figure 2.
DFR model includes people, process, technology, digital forensic infrastructure, and law enforcement.

Detailed DFR Model Architecture.
e architecture for BYOD in this study was done as per standard design. Multiple OEM products are used. Initially, the BYOD setup was implemented for normal Internet access using the corporate wireless infrastructure. e same wireless infrastructure is used for corporate wireless and BYOD services. Identity Service Engine [43] was used for authentication and back-to-back user identity was used as Microsoft Active Directory. Table 1 shows the components used during the research.
Components used for testing authentication traffic between branch locations and a central location are represented in Table 2, followed by additional forensic/ investigation components used during the research for threat hunting and analysis in Table 3.

Implementation of BYOD
Architecture. BYOD architecture was established to initiate the traffic from 2 different sources. e first category of the BYOD traffic is mentioned in Table 4.
In this research, we conducted 2 different scenarios of BYOD forensic traffic analysis.
(a) Scenario 1. Analysis with Check Point SandBlast: Figures 3 and 4 show BYOD architecture and overall traffic flow with sandblasting as a forensic analysis mechanism. e index used in Figure 3 for the demonstration is mentioned in Table 5.
(b) Scenario 2. Analysis with Palo Alto Forensic Cortex and cloud instance for BYOD forensic analysis: In this scenario, we conducted an analysis of BYOD forensic traffic with Palo Alto Cortex. Figure 4 shows additional components used in the test. e additional components used in the second scenario are presented in Table 6.
During the research in the second scenario, additional components used for BYOD traffic forensic analysis are Cortex of Palo Alto network and Palo Alto 820 as threat prevention, and also Palo Alto Cloud for threat management was used.

Authentication Mechanism and Onboarding Process of BYOD Users.
Authentication and onboarding secured mechanism is used with certificate-based authentication [43]. During the study, for authentication procedures and traffic flow for authentication, ports are allowed on the DMZ firewall.
e ports opened on the DMZ firewall during the study index 6 (Figures 3 and 4) for communication purposes of BYOD management traffic are listed in Table 7.

Cyber Defense Ready BYOD Infrastructure.
e proactive approach of implementing BYOD was followed so that malicious activities can be detected and protected against to reduce the threat and risk. Implementing        GETVPN for segregation and encryption of authentication traffic reduced the number of threats over MPLS [44]. Traffic was encrypted and segregated using GETVPN over MPLS which reduced the initial risk of the infrastructure and protected internal infrastructure.

Forensic Readiness BYOD Implementation.
We have conducted a two-phase study and, during the first phase of the study, we have used Check Point SandBlast for threat hunting mechanism, threat emulation, and forensic investigation [45]. SandBlast is implemented on the Check Point management server. For the forensic investigation, we have also used a forensic module of Check Point to find the source of attack and logs of malicious activity. Clustering of multiple gateways was used to conduct crime analysis for large-scale deployment for correlated view [12].
During the second phase of the study, we have used Palo Alto Cortex which is an AI-based security platform for cyber defense mechanisms and Palo Alto Firewall for capturing BYOD threat traffic and analysis as well as Panorama for management and reporting.

Results
After implementation of the BYOD digital forensic infrastructure, we have captured and analyzed the results. e results have been also compared, and significant advancement of cyber defense mechanisms in BYOD forensic has been observed. e clustering approach implementation shows multiple incidents and malicious activities. e malicious activity was also captured using Wireshark logs, and it was analyzed [33]. e malware was created to test the malicious activity, a postincident forensic investigation was conducted, and the result was captured.

Critical Attack View.
Based on the analysis and detection of malicious activity conducted in a BYOD environment, Figure 5 represents the resultant forensic analysis of a critical attack. is was captured on the endpoint using Check Point SandBlast tool. e attack happened and was captured as Process ID 9232 was an attack in nature, and after entry of the malware, file was renamed and deleted in the BYOD environment. e malicious activity was performed intentionally, the result was captured, and it was observed that Trojan which tried to damage the system in the BYOD environment was detected. It tried to damage the critical infrastructure.

Critical Attack View from Forensic Analysis View of
Cortex. Similarly, from Palo Alto Cortex, attack information was captured and analyzed. After attack in the BYOD infrastructure, the investigation was conducted to complete the analysis as per Figure 6. e result from Cortex is clearly reflected in Figure 6.

Critical Attack Logs from Cortex.
During the investigation, critical attack information was further analyzed with raw logs to track the source of the attack. Source IP address and destination are presented in Table 8. e attack was from IP addresses 172.28.15.14, 172.28.3.220, and 172.28.1.164, which were used in the BYOD devices as internal IP addresses. During the investigation process, we clearly detected the user and malicious activities performed by the users. Sensitive and robust analysis was done so that manual conventional result can be compared with the simulated analytical result as to how analysis is done in a study of pressure relief [46]. Table 5: e index used in Figure 3.

Index
Description 1 Wireless LAN controller 2 Authentication traffic from branch to AAA server 3 Ethernet over IP (EoIP) tunnel between foreign controller and anchor controller 4 Corporate users (non-BYOD) 5 BYOD untrusted users 6 DMZ segregation firewall 7 Anchor controller (guest controller) 8 External firewall 9 AAA (authorization, authentication, accounting) server for BYOD authentication 10 Active Directory for user identity 11 External Internet router 12 Traffic logs from gateway to management server for activity logs 13 Management server (log management) 14 Traffic logs from branch to central management server 15 Branch external firewall 16 EoIP tunnel 17 Branch BYOD users 18 Branch trusted users 19 Branch foreign controller 20 Authentication traffic from branch to central site AAA server 21 Branch/remote location is traffic was captured from the architecture of Figure 4 and index 23. e malicious traffic observed in Cortex and cyber defense system was built to prevent those attacks as well, which is shown in Table 5.

Forensic Analysis from BYOD Endpoint.
After analysis of malicious activities from gateway level, the next level investigation was conducted from the endpoint after identifying the attack source from sandblasting. reat emulation shows the absolute result of malicious activities by endpoint BYOD devices as illustrated in Figure 7. e result shows that malicious activity was detected during the preauthentication of the BYOD users, with a preauthentication segment IP address (192.168.1.x). One of the phishing attack packets was captured after an attack, and the details of the attack are represented in Figure 8(a). is packet has the source IP address 172.28.1.164, attack type was phishing attack, and also user identity was traced from the Cisco Identity Service Engine during the test as per Figure 3, index 9. User identity was identified after the attack.
is result was captured after detection of the endpoint performing reverse analysis from SandBlast from gateway level. Logs were captured for forensic analysis case event type from BYOD gateway as per Table 9. e logs of this attack were captured after an incident, and we conducted the analysis of the threat. e attack ID is a4640108-ce8b-af06-5dd7-9aa500050000. Traffic from 172.28.1.164 was an attack, and traffic was decrypted in the gateway level. Besides, as seen in the result, the system was "Windows 10.0 Enterprise Edition" and the "Gen.SB.exe" was detected in the system which accessed c:\\users\\ima-nali\\desktop\\340s.exe. Finally, Trojan was detected. e mentioned threat landscape detail was captured.   is was an artifact after BYOD threat analysis with different risk, attack, and forensic information.

BYOD Environment Cyberattack Category Analysis.
During the research, the different types of attacks in BYOD environment were reviewed and categorized by risk and criticality. e attack categorization framework was analyzed. Different attack event was framed.
We have captured a total of 966 packets from Check Point for analysis with different risk severity. Based on risk, the categorization of the traffic analysis result is shown in Figure 9. e attack categorization framework was captured as per MITRE ATT&CK as shown in Figure 10.

Comparison and Analysis of Existing Technology
After conducting the research comparison and analysis, our prime focus was to find out the uniqueness of this simulation. Results and outcomes were compared with the existing available model of the threat detection process. While existing methods and techniques are quite effective in detecting known threats and protecting known threats, DNS layer security mechanism is not enough to protect. As per Cisco research, 91% of the malware attacks are in DNS layer [47] while the majority of the organizations do not have a mechanism for detection and protection. For unknown threat portfolio, available solutions of sandboxing are effective, but since the threat landscape is increasing day by day with new behavior, even an effective solution is not mitigating the new advanced threats. For better understanding, a graphical representation is used in Figure 11 for available solutions and limitations. Figure 12 shows the limitations to the mitigation of a new zero-day malware attack.
An attack that is brand new or zero-day cannot be detected, and this might disrupt the business system such as the attack shown in the simulation.
In order to mitigate this situation, an advanced level of detection and protection mechanism is an upcoming requirement.
is research has a potential mechanism to detect attacks targeting system memory or CPU level attacks. As shown in Table 8, a system-level attack which executes commands at the process level was observed. is was a zero-day attack that has not been identified by AntiVirus, AntiBot, or IPS as this was a brand new malicious code that attacked the BYOD environment. Even regular sandboxing mechanism did not work to quarantine or to block it. e architecture of the advanced threat detection model proposed in this research is shown in Figure 11. e proposed model is shown in the sequential manner of events in Figure 11. In sequence 1, CPU starts processing, and hypervisor is running in 2 along with OS in sequence 3. After setup of the minimum requirement, application is accessed through any native application. Monitoring of CPU activities is in sequence 5 which is a key focused area in this process. If any malicious activities are observed in sequence 6, anomalies detection and protection mechanism is called in sequences 7 and 8. Sequence 9 protects the system before an attack so that BYOD environment cannot be exploited.
Comparison and benefit of the new technique are provided in Table 10. e comparison of the existing mechanisms and the proposed mechanism is a comprehensive technique in protecting the organization before a potential attack by analyzing the behavior of the malicious activities from the CPU level in the BYOD environment.

Proposed Cyber Forensic NG-DFR Model
After analysis of the results, an advanced level of the cyber forensic model concept is formalized. Next-generation digital forensic (NG-DFR) model is proposed to complete the process of investigation. is model is proposed with the major components as BYOD process definition, then BYOD technology enablement, threat hunting mechanism as the 3rd component, thereafter protection mechanism as the 4th component, and at last forensic process, law, and enforcement as the 5th component. All these 5 components of collaboration approaches in the cyber forensic environment are presented to build a cyber forensic ecosystem. e major 5 component modules described prove the concept of the next-generation DFR model.

BYOD Cyber Forensic Process Definition.
e first and foremost task is the process layout of the BYOD environment. Framework for cyber secured BYOD policy is where untrusted devices are provisioned to access resources over critical infrastructure. In this phase, the security policy definition is framed. After policy of detection mechanism environment is framed, this can comprise multiple technologies and processes. In this phase, the attack detection mechanism is framed. After detection policy violations and acceptance policy are defined, the incident handling mechanism and security operation center mechanism are defined along with the integration of multiple products, and the technology framework is defined in this phase. At last, 6.2. BYOD Technology Enablement. BYOD technology enablement is an important key area in this proposed concept of NG-DFR. Different products and technologies enabled the complete service. While choosing products and technology, the most important factor to consider is the integration of different products and technology. If advanced level networking and security products and technology are placed but all these do not talk with each other, then threat intelligence in NG-DFR will be a challenge. Accordingly, in this phase, major service enablement products and technology are factored to work in an integrated way so that each and every threat can be traced without any break of the packet flow. As shown in Figure 4, integration was done along with Cortex for the data lake. Apart from this in Figure 3, integration of next-generation endpoint protection is also introduced for the threat hunting process to enable critical infrastructure. In this section, actual threat detection technology is integrated with the authentication of BYOD users. After secure authentication and onboarding [43], detection of malicious traffic mechanism is proposed [48]. Log management and sandboxing for traffic analysis are considered in this phase.

reat Hunting
Framework. e most important key part for the forensic investigation ecosystem to develop is the threat hunting mechanism. Monitoring is a continuous action to collect activity logs for potential threat detection in a cyber forensic system. After an attack, finding the source of the attack is a critical task [8]. Detection of malicious [49] traffic which is indeed a major dependent technique required in cyber forensic mechanism is introduced in this phase. Primarily in this section, log analysis is conducted in order to track suspicious traffic. Once the threat is detected in this phase, threat verdict and score are checked to determine whether it is malicious or not. If it is found to be malicious and known pattern, then protection [48] module is called. If the threat pattern is unknown by the threat defender, for example, a zero-day attack [50], then, after extraction of hash, it is sent to threat cloud for verdict and score of the threat and retrospective event is triggered [51]. Finally, logs are preserved for further investigation. In this section, endpoint traffic logs are captured in the external gateway as shown in Figure 3 index 8 and Figure 4 index 23 so that later on logs can be investigated further. Apart from this, all traffic including source IP, destination IP, user information, and user MAC address is captured with all activity details.

reat Protection Mechanism.
Protection from threat is the foremost task before an attack on the organization. Consistently, researchers are focusing on developing new tactics for threat protection. Different types of novel approaches have been developed in threat protection. One of the advanced level protection mechanisms was developed in BYOD cyber forensic ecosystem study [48]. In this phase, concept of protection of critical infrastructure is covered. After getting the threat category, traffic dropped and logs are preserved for analysis as shown in Figure 3 index 13, and results are shown in Figure 8(b).

Forensic Investigation, Law, and Enforcement Module.
In this phase, a forensic paradigm is presented. In order to complete the forensics of attack, few key areas need to be focused on such as analysis of the logs, preservation of the traffic, and stored log. After analysis, presentation and documentation need to be done. e entire BYOD ecosystem has to have the ability to do all these activities. Preserving evidence and log correlation is focused on the integration of different technologies and products as shown in Figures 3 and 4, where all the gateway perimeter security devices along with AAA, controller, and BYOD users are integrated with Active Directory user database. After integration, end-to-end logs analysis mechanism is developed to enable the forensic system. Finally, forensic correlation of related facts and finding is documented and presented.

Next-Generation DFR Model Ecosystem
In this phase, the final framework is represented by nextgeneration digital forensic readiness (NG-DFR) model. Step by step sequential process is explained to complete the cyber forensic ecosystem. e complete ecosystem comprises process, policies, humans, technology, and integration. Integration of process and technology with human interaction area is covered to build cyber forensic BYOD environment. As shown in Figure 13, complete steps are proposed for nextgeneration DFR model. In Step 1 of the NG-DFR model in Figure 13 planning, policy frameworks are defined with related security and technology enablement paradigm. Service enablement policy, security policy, and detection policies alert mechanism are defined. e integration process is defined.
In Step 2 Service enablement area is focused on. In particular, to build secured BYOD infrastructure with all required products and technology is a key component of this phase. In Step 3 specially, a detection mechanism is proposed. Detection of various threats and then categorization of the threats are sequential events. Malicious traffic and known threats are detected, and unknown threats are filtered. Unknown threats are sent to the threat cloud in this phase to be analyzed and get the threat score so that appropriate action can be taken.

In
Step 4, protection of critical infrastructure is focused on. Protection from different threats before exploiting up to best possible options is taken care of so that the threat landscape can be reduced.
In Steps 5 and 6, the focus area of NG-DFR that is a thorough investigation of the threat is covered. In this phase, outcome of the integration of all tools, techniques, products, and technology are leveraged to build a cyber forensic ecosystem. After analysis from preserved logs, threat hunting mechanism is enabled to carry out the investigation. Finally, storing the logs and artifacts and preparing documentation for submission to law and enforcement are covered.
In a nutshell, this proposed approach of NG-DFR model covered end-to-end system to complete the forensic   Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Figure 13: Next-generation digital forensic framework.

Security and Communication Networks 15
Step Step 9: Present to Law and enforcement Step 11: Stop investigation in order to build an advanced level of the cyber forensic ecosystem.
Detailed algorithm of NG-DFR based model is shown in Algorithm 1.
An algorithmic approach for NG-DFR model is proposed as per architectural flow shown in Figure 13.

Discussion
With BYOD, being external devices connected in the infrastructure, it is very sensitive and critical in nature to control threats and postincident analysis of the attack, and finding the source of the attack is a very crucial part. As per Check Point technology research, 99% of organizations [52] do not have a protection mechanism to fight against the ongoing cyber-attack threats.
e proposed approach of NG-DFR has addressed the need for an end-to-end cyber forensic ecosystem.
After any cyber incident, finding digital evidence, analyzing the evidence, preserving and presenting the evidence for legal requirement for the court of law are important requirements. is research developed a new model of investigation of a different attack, reaching up to the endpoint of the attack which was targeted during the research. Network security, endpoint security, and critical infrastructure security all are covered in this research with respect to protection of critical infrastructure from BYOD threat.
During the investigation process in BYOD, after an attack, we analyzed all different categories of attack and behavioral analysis of crime. As it was also an important target to protect the infrastructure, detection and prevention were also achieved. Honeypot technology used for detection was not enough to protect the infrastructure. ere was a need for prevention technologies after detection by the system without manual intervention. STRIDE-based threat model, which is an interaction between the threat and the corporate network, can be integrated with this model to get a better result.
End-to-end visibility, analysis, investigation, and integration between tools and technologies for building up an advanced model of cyber defense system were needed to fight against today's advanced cyber threat landscape. During the research, an advanced level of cyber forensic model was developed.
Moreover, one important aspect was analyzed during the research, which is run time detection of attack endpoint, status of connection and blocking, and preventing the endpoint from the infrastructure. Detection of threat, visibility of threat associated risk, incident response, and postincident forensic model are key areas explored in this research.

Contribution
ere are two major novel contributions from this research. e first research contribution is a unique attack detection mechanism. is unique attack detection mechanism helps to detect and protect against zero-day attacks which cannot be detected by traditional tools like IPS, IDS, AV, and AntiBot. e second key contribution is to build a cyber defense BYOD ecosystem. is research has contributed to the area of cyber forensic analysis of a BYOD environment. e complexity of forensic analysis of the malicious activity in a BYOD environment is simplified. e different approaches of forensic investigation are compared using different tools and techniques. Finding the source of an attack in BYOD is analyzed from internal and external threats. e threat prevention mechanism is also an important contribution to this research, and end-to-end BYOD cyber forensic ecosystem framework is also defined.

Future Research
Digital forensic investigation becomes complex due to lack of standard procedures depending upon the types of digital crime. e growing complexity of crime becomes a challenge to face with standard tools and techniques. Since BYOD adoption is an upcoming growing phase, new tools and technologies are used by criminals to conduct crimes in zero-day attack behavior. erefore, ongoing further research is important to fight against crimes. Also, an important area of further research is the collaboration of cyber tools, technology, and cyber law.

Conclusion
Due to the lack of a cyber defense ecosystem in the BYOD environment, attacks on the critical infrastructure of the organizations increased, and as a result business ecosystem gets fragmented. Cyber secured BYOD infrastructure is one of the major requirements for organizations today to protect from the advanced level of threats. In this paper, a framework of the cyber forensic model is presented including a cyber-secure BYOD model.
In the first phase of this research, the detection technique of threat is explored with different tools and techniques for further research and analysis.
In the second phase of this research, a major conclusion is a novel approach of detection and protection mechanism of zero-day attacks which cannot be detected by traditional tools like IPS, IDS, AntiBot, and AntiVirus. e proposed method of detection and protection model of unknown threats or zero-day attacks contributed to the protection of the organization's critical infrastructure. e comparison of the outcomes shows a significant advanced incremental positive result, and adoption of this method helped to build the complete cyber forensic ecosystem.
Postincident threat hunting is a critical task in any cyber forensic investigation which is addressed in this research using different tools and techniques like sandblasting and Cortex.
Finally, an advanced level of cyber forensic readiness BYOD infrastructure is developed. Next-generation digital forensic readiness (NG-DFR) model is proposed to mitigate the ongoing need for conducting end-to-end digital forensic investigation including detection and protection framework which also includes the BYOD policy framework and service enablement technology area.
Data Availability e design/data/architecture used to support the findings of this study are included within the article. Disclosure e research, hypothesis, assessments, and analysis articulated in this paper are those of the authors alone and not the organization with which the authors are associated.

Conflicts of Interest
e authors declare that they have no conflicts of interest.