applying grounded theory methods to digital forensics research

Edith Cowan University
Research Online
ECU Publications Post 2013
2016

Applying grounded theory methods to digital forensics research

Ahmed Almarzooqi
Andrew Jones, Edith Cowan University

Almarzooqi, A., Jones, A., & Howley, R. (2016). Applying Grounded Theory Methods to Digital Forensics Research. Annual ADFSL Conference on Digital Forensics, Security and Law. 12.
This Conference Proceeding is posted at Research Online. https://ro.ecu.edu.au/ecuworkspost2013/3368


Annual ADFSL Conference on Digital Forensics, Security and Law 2016

May 24th, 3:00 PM

Applying Grounded Theory Methods to Digital Forensics Research

Ahmed Almarzooqi, Faculty of Technology, De Montfort University, [email protected]

Andrew Jones, Faculty of Technology, De Montfort University. Cyber Security Centre, University of Hertfordshire, [email protected]

Richard Howley, Faculty of Technology, De Montfort University, [email protected]


This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected]. (c)ADFSL

Scholarly Commons Citation
Almarzooqi, Ahmed; Jones, Andrew; and Howley, Richard, "Applying Grounded Theory Methods to Digital Forensics Research" (2016). Annual ADFSL Conference on Digital Forensics, Security and Law. 12.
http://commons.erau.edu/adfsl/2016/tuesday/12


Applying Grounded Theory Methods to Digital … CDFSL Proceedings 2016

© 2016 ADFSL Page 83

APPLYING GROUNDED THEORY METHODS TO DIGITAL FORENSICS RESEARCH

Ahmed Almarzooqi
Faculty of Technology, De Montfort University.
[email protected]

Andrew Jones
Faculty of Technology, De Montfort University.
Cyber Security Centre, University of Hertfordshire.
Cyber Security Research Institute, Edith Cowan University.
[email protected]

Richard Howley
Faculty of Technology, De Montfort University.
[email protected]

ABSTRACT

Deciding on a suitable research methodology is challenging for researchers. In this paper, grounded theory is presented as a systematic and comprehensive qualitative methodology in the emergent field of digital forensics research. This paper applies grounded theory in a digital forensics research project undertaken to study how organisations build and manage digital forensics capabilities. This paper gives a step-by-step guideline to explain the procedures and techniques of using grounded theory in digital forensics research. The paper gives a detailed explanation of how the three grounded theory coding methods (open, axial, and selective coding) can be used in digital forensics research. Grounded theory offers a rich and detailed methodology for theorising while presenting and exploring the How and Why questions at every stage of the research. The method shared in this paper provides a detailed critique, making it a valuable contribution to the discussion of methods of analysis in the field of digital forensics.

Keywords: digital forensics; open coding; axial coding; selective coding; digital forensics capability; research methodology; grounded theory

INTRODUCTION

The aim of this paper is to provide a step-by-step guide and examples to those who wish to apply Grounded Theory (GT) using the Straussian procedure as a research method in Digital Forensics (DF) research. GT, according to Charmaz (2008), can be employed as “a major method for conducting emergent qualitative research.” Charmaz defines this “Emergent Method” as a method that “begins with the empirical world and builds an inductive understanding of it as events unfold and knowledge accrues” (Charmaz, 2008, p. 155). In other words, a well-established emergent method like GT is appropriate to emerging fields of research such as DF (Charmaz, 2008). As Charmaz (2008) stated, “emergent methods [like GT] are particularly well suited for studying uncharted, contingent, or dynamic phenomenon.” In this regard, GT is most suited for theorising in DF, a new and growing field with phenomena and areas of research that are technologically dynamic (i.e. emergence of new technologies such as cloud computing) and uncharted in some areas such as organisational DF capacity and the Application and Modification of DF Practices.

Data analysis in GT, using the Straussian approach, involves three main steps: (1) open coding, (2) axial coding, and (3) selective coding. The coding processes differ from each other in each of the three steps. Before starting the data analysis, it is important to distinguish the type of data being analysed. GT gives the researcher a number of options for the types of data to be analysed such as documentary analysis, focus group, survey and interviews.

This paper covers transcribed text from interviews conducted by the researcher. The process of analysis, using the Straussian approach, urges the researcher to conduct the analysis after each interview, especially if conducting a series of interviews, to enhance the quality of the data and the researcher's "theoretical sensitivity." Therefore, before discussing the coding process, this paper first describes strategies for enhancing theoretical sensitivity in section 2. Section 3 shows and discusses the coding processes, and finally section 4 sums up the paper with conclusions.

THE SAMPLE DATA USED IN THIS PAPER

This section explains how the researcher has applied GT using Straussian procedures and techniques to analyse the data. Throughout this paper, it is important to remember that the researcher’s application of GT, using Straussian techniques and procedures for data analysis, employs the dynamic interplay between the researcher and data (Strauss & Corbin 1998, p.13). This complex interplay is not linear, but rather creative and systematic (Strauss and Corbin 1990, p.13; Strauss & Corbin 1998).

The data used in this paper is part of a piece of research that discusses the need for a theory of developing DF capability. As opposed to technical or infrastructure capacity, the research examines the capability in terms of the DF organisation as a whole, which includes examination of capability within a DF laboratory and in the management range. Such an organisational view of DF’s capability takes into account the interactive roles of policy, people, infrastructure, and the investigative process. Finally, the research relies on the data to identify core capabilities in a DF organisation that can be expressed as a DF organisation core capability framework or theory.

The researcher collected data by interviewing a number of experts in the DF field from the UK and the UAE. The next section gives examples of strategies to enhance the quality of data being analysed before showing the actual data analysis process in section 3.

Strategies for Enhancing Theoretical Sensitivity

Glaser and Strauss are the initiators and main contributors of GT; each has his own approach and each approach is named after the contributor. The Straussian approach allows for some review of the literature before conducting the data analysis (Corbin & Strauss, 2008), as was done in this research, where a literature review was conducted at the beginning of the research. The first version of GT, the Glaserian approach, on the other hand, criticised the process of finding important words and labelling them in the first stage of data analysis, which is called coding, and discouraged a review of the literature prior to data analysis to let the data speak for itself (Glaser & Strauss, 1967; Glaser, 1992).

The researcher found the Straussian approach to be most suitable because this approach takes into account the researcher’s previous background studies and exposure to the relevant literature before the data collection; a significant difference from the Glaserian approach. The researcher had to take literature reviews into account because, in this area, it was a requirement for the Ph.D. program prior to the data collection and analysis. The Straussian Approach has been criticised by more recent constructivist GT researchers for forcing the data into categories under the processes described below (Charmaz, 2008). The researcher took note of the constructivist approach while following the Straussian Approach.

During the coding processes, the researcher applied two strategies for enhancing theoretical sensitivity: (1) “the asking of questions” or questioning, and (2) “the making of comparisons” or constant comparison (Strauss & Corbin 1990, p. 62). These two essential strategies helped the researcher to make the analysis of data precise, specific, creative, and open (Strauss & Corbin, 1990, p.62-63; Strauss and Corbin, 1998, p.73). This section demonstrates how the researcher applied these two strategies to the interviews.

To collect the data, the researcher employed the questioning technique which allowed the researcher to consider potential categories, their properties and dimensions (Strauss & Corbin, 1990, p.77). The basic types of questions that the researcher used as a guide were the 5Ws plus 2H, or Who, What, Where, When, and Why plus How and How much? (Strauss & Corbin, 1990, p.77). Of course, many questions came naturally as the researcher responded to the data. The researcher applied the memo creation process while employing the questioning technique to make the process systematic and documented for later referencing. An example is presented below.

Table 1
Questioning Memo for interview 04AUINTUAE14

MEMO 11.20.14 QUESTIONING

The subcategory “Preservation” came from and with the concepts “Imaging” and “Duplication.” This raises many questions that are required to be elaborated and answered either from the data or the literature. Who conducts the preservation? Is it the same person through the entire investigation process that does the preservation, analysis and reporting? There seems to be a step before preservation as well, which is identification. Do these steps have to happen in sequence or can they go back and forth throughout the investigation process. How many copies must be made or preserved? Does it matter? Where are the images of digital evidence stored? Does this now have a relationship with the tools used in terms of storage? How long after the seizure of the DF evidence must the imaging or duplication take place? Is it right after identification? Is there a rule that waiting too long makes it more likely that the evidence has been altered? What are the other purposes of imaging and duplication? What happens to the duplicated data after the investigation ends? Is there a privacy issue involved? Should there be a policy of storage and/or disposal of the imaged data? Who is in charge of the whole process? How can the DF procedures guarantee that the imaged data have been secured from privacy breaches?

GT is often referred to as a “constant comparative method of analysis” (Strauss & Corbin 1990, p. 62; Glaser & Strauss, 1967, pp. 1-116; Charmaz, 2006). Constant comparison can be defined as “the process of constantly comparing instances of data.” (Urquhart et al, 2010). Constant comparison’s ultimate goal is to reach data and theoretical saturation (Strauss, 1987; Glaser, 1992; Charmaz, 2006; Urquhart et al., 2010). Making comparisons is essential to identify and categorise concepts (Strauss & Corbin, 1990, p. 84). Constant comparison, therefore, is applied throughout the coding process from open, axial, to selective coding (Charmaz, 2006); and through each data set.

Again, whenever possible, the researcher applied the technique of using Memos when applying the constant comparison strategy to make the process systematic and ensure that the data collected was recorded for later referencing. Occasionally the researchers may skip the theoretical saturation and use the Memo aspect of GT (Charmaz, 2008). Theoretical saturation, according to Charmaz (2008), is widely claimed but scarcely practiced. Using Memos is necessary in GT, and must be done using more analytic as opposed to descriptive writing (Charmaz, 2008). Here is another example of a memo on constant comparison:

Table 2
Comparison Memo in Interview 04AUINTUAE14

MEMO 11.20.14 COMPARISON

In the previous memo, I asked the question: Do these steps have to happen in sequence or can they go back and forth throughout the investigation process. It is therefore important to compare the sequences or phases of the investigation process. So comparison can be made between the processes of preservation with identification. Do both processes take the same time to be carried out? Does one take more time than the other? Why do they take different time? Time is a property with dimensions of hours to months. It would be interesting to compare the time dimensions for each of the processes. Then to compare the causes of the delay or time challenges. Are they caused by people, tools, process, or policy? Are the skills required for each of the processes the same? There seems to be more skill required in analysis compared to preservation. Is this true or is a specialized skill needed in instances where the evidence to be preserved may be at risk of destruction or corruption. Can the processes be rated in terms of difficulty? The dimension could be from least difficult to most difficult. Does the difficulty relate to the tools used, the skills of the people involved or some other intervening cause like third parties or constraints in the investigation?

The GT method relies on the researcher’s imaginative approach to the data, a point that some researchers may see as an obstacle (Charmaz, 2008). According to Charmaz, GT requires abductive reasoning, which “invokes imaginative interpretations because the researcher imagines all possible theoretical accounts for the observed data and then forms and checks hypotheses until arriving at the most plausible interpretation of the observed data” (Charmaz, 2008; Charmaz, 2006). While asking of questions and constant comparisons are tools that aim to help the researcher enhance theoretical sensitivity, the use of these tools is highly dependent on the researcher’s imagination. The ability of the researcher to enhance theoretical sensitivity would likely depend on the researcher’s “intimate familiarity” with the studied phenomena (Charmaz, 2008). A researcher, therefore, who does not become familiar with both the literature and the data, will probably have a difficult time with the GT method.

APPLICATION OF THE GROUNDED THEORY CODING

This section provides an example of data analysed from the interviews and the concepts, sub-categories and categories that emerged using GT coding. Coding in GT is defined as the “analytical processes through which data are fractured, conceptualised, and integrated to form theory” (Strauss & Corbin, 1998). There are three stages in the coding process: open ended coding, axial coding, and selective coding (Robson, 2002). In open-ended coding, the aim is to define simple categories and concepts for comparison and understanding (Charmaz, 2000; Robson, 2002). Axial coding narrows down the data and focuses by examining the data and providing a context for relationships in the data (Charmaz, 2000; Robson, 2002). Finally, according to Strauss and Corbin, selective coding is “the process of integrating and refining the theory” (Strauss and Corbin 1998, p. 143).

Interplay between Open and Axial Coding

According to Strauss and Corbin (1998, p.58), “though open and axial coding are distinct analytic procedures, when the researcher is actually engaged in the analysis he or she alternates between the two modes.” A possible trap for researchers employing the GT method is to become linear in their approach. Doing so would likely lead to confusion about the data, difficulty in grounding the categories and properties, and certainly a theory that is difficult to reconcile with the data. It is important to realize that when discussing the coding process, the researcher here actually moved “back and forth.” As stated by Strauss and Corbin (1990, p.98), “though open and axial coding are distinct analytic procedures, when the researcher is actually engaged in the analysis he or she alternates between the two modes.” For example, the researcher asked the following question in 11CTINTUAE14 at page 9:

…how did you become a … digital forensics specialist?

The participant replied as follows:

I had to undergo, of course, training. So I did the tools training.

In the above question and reply, open coding resulted in identifying the phenomenon of “undergoing training” which then led to the concept of “tool training.” The concept of “tool training” was further developed and led to the types of “tool training” which include, among others, “Access Data FTK Training”, “Guidance Software Encase Training”, and “XRY training”. The dimensions led to how often the training took place (once to three times), how frequent the training took place (yearly), and the depth of the training (overview to specialize). Eventually the concepts were categorized under “Types of Training.”

Concurrently, with the open coding process, the researcher was connecting the “tool training” concept with another category called “DF tools” and a subcategory called “Forensic Analysis Software.” These subcategories and categories arose from concepts relating to the tools identified by participants as being used in the investigation process like “FTK,” “EnCase” and “XRY.” In other words, there was a relationship between the categories of “DF Tools” and “Types of Training.” Axial coding was also taking place at the same time as open coding. There was interplay between open coding and axial coding. The researcher had to use the Paradigm Model to develop the axial coding further.

The researcher then open-coded a different phenomenon labelled “Forensic Training” that belonged to the category of “Type of Training.” The process jumped back and forth between open coding and axial coding, from phenomenon to concept to category (back and forth), to data coding to writing memos, to naming categories to connecting relationships, and so on. The most important lesson was that GT is a complex transactional method of data analysis that dynamically carried the researcher’s analysis into many discoveries. There was a “constant interplay between proposing and checking” and between inductive and deductive thinking (Strauss & Corbin, 1990, p. 111).

Application of Open Coding Procedure

Open coding is part of the Straussian GT analytical process that “pertains specifically to the naming and categorising of phenomena through close examination of data” (Strauss & Corbin 1990, 62). After the interviews are transcribed, the researcher should categorise answers to questions during and after open coding, following the Straussian coding model paradigm (Corbin and Strauss, 2008; Strauss and Corbin, 1990; Strauss and Corbin, 1998).

The researcher applied open coding by (1) labelling the phenomena as named concepts, categorising concepts that seem to relate to each other under categories and subcategories whenever relevant, (2) developing the categories and subcategories by identifying possible properties and dimensions, and (3) grounding the concepts, categories and subcategories to the interviews. This section shows how the researcher applied the open coding process to the data.

1. Initial Microanalysis Open Coding and Subsequent Coding

Open coding is a flexible methodology. “There are several ways of approaching the process of open coding” (Strauss & Corbin, 1990, p. 72). How a researcher handles the volume of data is, therefore, dependent on the needs of the researcher. The researcher may interact with the data on a line-by-line analysis (whether word-for-word or phrase-by-phrase), by sentence or paragraph analysis, or by an entire document analysis (Strauss & Corbin, 1990, pp.72-73). Some may criticise microanalysis for being too tedious. However, “generating your categories early through line-by-line analysis is important because categories also become the basis of your theoretical sampling” (Corbin & Strauss, 2008).

The researcher, therefore, began the open coding process with a line-by-line analysis, or microanalysis (Strauss & Corbin, 1998, p.57) of the first two interviews: 03ALINTUAE14 and 04AUINTUAE14. The researcher labelled a number of texts via underlining as potential items representing codes or concepts. Corbin and Strauss defined concepts as “Words that stand for groups or classes of objects, events and actions that share some major common property(ies), though the property(ies) can vary dimensionally” (Corbin & Strauss 2008, p. 45).

In subsequent open coding, the researcher applied both sentence and paragraph analysis. Below is a memo regarding this process.

Table 3
Interviews #5-19

MEMO

After the line-by-line analysis or microanalysis of interviews #3-4, the researcher conducted sentence by sentence, paragraph by paragraph, and document-by-document open coding of the interviews, one at a time, from interview #5-19. The researcher intends to add the open coding of the rest of the data to the concepts. Also, the researcher is considering grounding the data to the concepts and/or phenomena as the researcher anticipates the need to return to the specific data as the researcher goes to axial coding, selective coding and then more open coding. Therefore, grounding will be a continuous and flexible process as will be the coding. The grounding will be accomplished by stating the interview number and the page number where the phenomena or concept was taken from, in the following format (5p1), which means the concept or phenomena was found in interview 5 at page 1.

Labelling Phenomena and Naming Categories

An important step in the data analysis is the conceptualisation of the data. Conceptualising data is not the same as summarising data (Strauss & Corbin, 1990, p. 64). Rather, it involves identifying, in the data, the “central idea, event, happening, incident”, called a phenomenon of an action or interaction or a set of actions or interactions and describing or naming that phenomenon (Strauss & Corbin, 1990, p. 96). As an example, after a microanalysis of the first two interviews, the researcher identified the following Phenomena or conceptual labels:

Table 4
Phenomena and Concepts Labels

PHENOMENA: ACTIONS DESCRIBED BY PARTICIPANTS | CONCEPTS
Handle cases | Investigation
Must finish a case in limited time | Deadline
Must follow an investigation process | Investigation process
Must stay within scope of investigation, cannot investigate everything | Scope of investigation
There is a documented process to follow, conducts DF investigation based on experience | Documented process and procedures
Look at a reference point, no absolute standard exist | Multiple standards
Follow usually, follow experience, experience dictates what to do | Best practices

Then, the concepts were grouped into categories. Categorisation, which encourages the generation of initial categories, is the next step in the Straussian open coding process (Strauss & Corbin, 1990, p. 63; Corbin and Strauss, 2008). Once a set of phenomena or concepts have been identified, they are categorised into categories and subcategories, a process called conceptual categorisation (Strauss & Corbin, 1990, p. 65). “Categories have conceptual power because they are able to pull together around them other groups of concepts or subcategories” (Strauss & Corbin, 1990, p. 65).

Here, the researcher categorised the concepts generated from the listing of phenomena. First, concepts were grouped into categories that covered multiple related phenomena. Next, the concepts were further grouped into subcategories. The researcher, in the main, invented the names of the categories, but at times the names were borrowed from the literature (Strauss & Corbin, 1990, p. 68), or from the words of the interview participants themselves, called “in vivo codes” (Strauss & Corbin, 1990, p. 69).

Developing Categories and Subcategories with Properties and Dimensions

Another important step in the process was the development of the categories in terms of their properties and dimensions. In order to expand the categories, the researcher identified possible properties and dimensions for each of the identified categories. According to Strauss and Corbin (1990, p. 69), “properties are the characteristics or attributes of a category, and that dimensions represent locations of a property along a continuum.” The process of creating dimensions enables the researcher to give specificity to the category or concept (Strauss & Corbin, 1990, p. 72).

Identifying the dimensions and properties made more obvious the relationships of a property, dimension, or category to other categories, subcategories, or properties. The researcher also engaged in constant comparison, where the researcher compared categories, subcategories, and concepts to other categories, subcategories, and concepts. The act of comparison took into account the existing literature and new concepts and categories that arose from each new data set. In this regard, constant comparison was carried out from one set of data to another. Likewise, axial coding inherently occurred simultaneously during the open coding process (Strauss & Corbin, 1990). Overall, the process of expanding the categories with properties and dimensions resulted in a richer set of coding that made the theoretical memo much richer as well. The researcher was able to discuss aspects of the categories that would have been largely ignored without engaging in these more detailed steps in the GT process. An example of how the researcher developed a category using properties and dimensions is in the following table:

Table 5
Properties and Dimensions

CATEGORIES | PROPERTIES | DIMENSIONS
Investigation Process | Human Factor | How many investigators? Specialization needed? Extent of investigator skill
 | Challenges | Time Constraint (Fast); Limited Resources; Volume

The strategy of questioning was very helpful as well, at this stage, because the researcher was able to ask questions in subsequent interviews about the subcategories that enhanced the researcher’s understanding of the category. Questioning led the researcher to be more theoretically sensitive to other concepts relating to who conducts the investigation, the steps in the investigation process, and challenges faced during these procedures including storage and time constraints.

As the researcher identified concepts and categories during the open coding process, the researcher also grounded the data by using the faceted code of the interview and corresponding page number into the tables. Grounding the data simultaneously made it easier to refer back to the interviews using Memos. Grounding the data in this manner also allowed the researcher to identify concepts in the research that needed further data, or that are not theoretically relevant.

Application of Axial Coding Procedure

Axial coding is the process of putting the data back together in new ways by making connections between categories and subcategories (Strauss & Corbin, 1990, pp. 96-97). Simply put, it is the “process of relating categories to their subcategories” (Strauss & Corbin, 1998, p. 123; Corbin and Strauss, 2008). It comes after identifying categories in the open coding process by finding relationships between the categories and subcategories. The researcher applied axial coding to the data using the paradigm model, and then by developing the categories using the paradigm model and identifying the properties and dimensions of the categories and subcategories.

The Paradigm Model

In the axial coding process, the relationships among the subcategories and categories are linked by identifying the (1) causal condition, (2) phenomenon or concept, (3) context, (4) intervening conditions, (5) action/interaction strategies, and (6) consequences (Strauss & Corbin, 1990, p. 99). The paradigm model has been commonly referred to in the following simplified diagram:

Table 6
Paradigm Model Diagram

(A) CAUSAL CONDITIONS (B) PHENOMENON (C) CONTEXT

(D) INTERVENING CONDITIONS (E) STRATEGIES (F) CONSEQUENCES

It is important to use this model in any GT analysis because failure to do so will lead to a “lack of density and precision” in the analysis (Strauss & Corbin, 1990, p.99). The researcher used the paradigm model to link relationships among subcategories and categories. An example of the use of the paradigm model is shown in the following Table 7:

Table 7
Paradigm Model Sample

Causal Condition; Phenomena; Context; Intervening Conditions; Strategies; Consequences

Crime; Investigation; Digital or electronic evidence; Destruction of Digital Evidence; DF Investigation Framework; Finding of Evidence/solving case
Finding digital device at crime scene; Type of DF investigation; Inside PC/Mobile/Flash Drive; Challenges to Investigation; Identification; Not finding evidence
Receiving request from client; Type of DF laboratory; Preservation; Reporting of findings
Request for research and development; Length of investigation; Analysis; Court testimony
Request to test security; Recurrence; Tool specific strategies; Eliminate security breach
Security breach (ie hacking, or misuse of information); Type of crime; Create mechanism to prevent future breaches

It should be noted that constructivists have criticised the paradigm model of Straussian GT because it may force the researcher to fit the data into the categories (Charmaz, 2008). The researcher here, however, viewed the paradigm model as a means of gaining a better understanding of the categories and how they relate to each other and to more specific properties and dimensions. The paradigm model, therefore, helped the research to develop better relationships with (from) the data.

Developing Relationships

The axial coding process of linking and developing categories is complex (Strauss & Corbin, 1990, p. 107). The procedure requires simultaneous action of relating subcategories to categories, verifying hypotheses with actual data, identifying properties and dimensions, and identifying variations in the phenomena through constant comparison of categories and subcategories (Strauss & Corbin, 1990, p. 107). It is a process of identifying patterns that emerge from the coding process. This complex process produced a set of categories and subcategories, an example of which is tabled below:

Table 8. Categories and Subcategories

CATEGORIES | SUBCATEGORIES
Investigation Process | Purpose of Investigation; Scope of investigation; Identification; Preservation; Analysis; Reporting; ACPO Principles


As the researcher identified concepts and categories during the axial coding process, he also grounded the data by coding the faceted code of the interview and corresponding page number into the tables of subcategories and categories.

Selective coding is the final step in the data analysis process. It is the “process of selecting the core categories, systematically relating it to other categories, validating those relationships, and filling in categories that need further refinement and development” (Strauss & Corbin, 1990, p. 116). Corbin and Strauss defined selective coding as the “process of integrating and refining the theory” (Strauss & Corbin 1998, p. 143).

In essence, selective coding is about integration (Strauss & Corbin, 1990, p. 117). After data analysis, theoretical sensitivity requires the researcher to conceptualise and formulate a theory that emerges from the data, literature, existing theories or experience of the subject under investigation (Glaser & Strauss, 1967; Corbin & Strauss, 2008; Urquhart et al., 2010; Glaser, 1978). The theories conceptualised by the researcher must then be related to other theories in the field in what is known as theoretical integration (Urquhart et al. 2010). Theoretical integration is the process of comparing the generated substantive theory with previously developed ones with the aim of scaling up the findings and achieving theoretical explanation (Urquhart et al., 2010; Birks & Mills, 2011). While the process is similar to axial coding, in that it requires identifying relationships, selective coding is “done at a higher more abstract level of analysis” (Strauss and Corbin, 1990, p. 117).

GT applies iterative conceptualisation to arrive at a theory. Iterative conceptualisation requires the researcher to analyse the data by increasing the level of abstraction and moving the degree of conceptualisation beyond description to a more theoretical domain. This higher level of abstraction should be applied with theoretical sensitivity during the interpretation of the coding using constant comparison and the data from the theoretical memo (Urquhart, 2010). The higher level of categories arrived at by the researcher should be grouped into broader themes called the core categories that can be generalised into theories.

The researcher here applied selective coding by: (1) identifying patterns and core categories, (2) relating the categories at the dimensional level, (3) explaining the story line, and (4) validating the relationships by grounding the theory to the data (Strauss & Corbin, 1990, p. 117-118).

The researcher first identified patterns in the categories and subcategories. This pattern identification was done through the application of the paradigm model, diagramming, and using Memo. It also helped to specify the dimensions of the category and subcategory being related. In doing so, the researcher found that four core categories have emerged from the categories: (1) Investigation, (2) Infrastructure, (3) People, and (4) Policy. These are the four core concepts of capability being described in the data and the literature.

The researcher next linked the core categories to their dimensional level. One specific example is the selective coding of the core category “investigation”, which consisted of the categories of “investigation process,” “evidence admissibility,” and “investigation procedure” that were associated to their specific dimensions. Under the category “investigation process,” these two examples of the many properties and dimensions were identified:


Table 9. Properties and Dimensions

PROPERTIES | DIMENSIONS
Human Factor | Number of investigators: few to many; Number of specialization needed; Extent of investigator skill
Challenges | Time Constraint: limited to unlimited; Limited Resources: limited to unlimited; Volume of data: low to high; Client Trust: low to high
Results | Number of data identified: low to high

The properties and dimensions identified in the category of “investigation process” linked to the core category of “Investigation” as these dimensions give specificity to the DF investigation as a core concept. For example, the number of investigators is a factor that a DF organisation must consider in determining capability. The researcher identified the need for a formula or ratio for determining the number of investigators, a number that could be linked to the number of cases per month that go through the laboratory or possibly the amount of data that the laboratory processes per month measured in bytes. For example, the researcher suggests that determining the ratio of investigators in a DF organisation is important to determine efficient “throughput” (Jones & Valli, 2011).

This observation also linked to another dimension identified in the same core category and category: the property “Challenges,” which means challenges in the investigation process, had a dimension of “time constraint” that is measured by the time available to conduct the investigation, whether it is limited or unlimited. In other words, does the investigation concern only specific areas or does it include everything in the evidence? This dimension of “time constraint” under the property of “Challenges” is linked to the dimension of “number of investigators” in a different property called “Human Factor.” The dimensions, therefore, were also being linked, and strengthened the core category of “Investigation.”

Additionally, the researcher identified the relationship between the dimension “number of investigators,” to the core category “People,” and “number of investigators” also became a dimension in that core category. Likewise, the same dimension “number of investigators” was applicable in another core category, “Infrastructure,” where the category “Building a DF Facility” and the subcategory “Facility Requirements” led to the concept of “people” or “staffing.” In other words, the dimension “number of investigators” was essential across core categories in identifying staffing needs (core category “People”), identifying initial staffing needs in “Building a DF Facility” (core category “Infrastructure”), both of which affected the ability of the investigation to meet “Challenges” based on “Human Factors.” This linking to other core categories strengthened the core categories because the researcher was able to identify the similarities and differences of the role of the dimension in the distinct core categories using the constant comparison technique. Of course, many more relationships and linkages arose from the dimension of “number of investigators.”

The example above shows that relating the core categories and categories at the dimensional level is, therefore, an essential step in the selective coding process because it adds specificity to the theory development by linking specific measures in the dimension to the higher level categories and across different higher level categories.

Finally, the researcher explained the story line that seemed to emerge from the analysis of the data. Before attempting to state the story line, the researcher asked what it is about the core categories and the subsidiary categories that stand out (Strauss & Corbin, 1990, p. 119). In a memo on the story line, the following table is what the researcher wrote:

Table 10. Memo: Story Line

MEMO 02/02/15 STORYLINE
What is most striking here are the different ways that people think about the concept of capability in the context of digital forensics laboratory building and management. Some understand the capability in terms of the DF tools available in the organisation; others in terms of the people or the human resources, while others as having both the DF Tools and the human resources. Others still view capability in terms of their ability to act and/or interact in the context of the challenges they face during the digital forensics investigation process. While many recognise policy as necessary in the DF organisation, it is not readily identified as a component of capability.

In essence, the story line is that there seems to be a need in DF for a system that recognizes the core components of capability, as well as allows the DF industry to discuss capability in the same paradigm. Currently, what capability means to a DF organisation is subjective and changes to suit the needs of the organisation. The story line arrived at by the researcher seems to pave the way towards creating a theory on DF capability for developing and managing a DF organisation.

An important step in the selective coding process is the validation of relationships among the categories by connecting them to the data. This validation process occurred mainly at the conceptual and dimensional level, therefore emphasizing the need to relate higher level categories to the dimensional level. The benefit of grounding the data during open and axial coding is appreciated most at the selective coding process. It became much easier to ground the more abstract phase of coding when grounding was already existent in prior coding processes.

Referring back to the example of the dimension “number of investigators,” this dimension was grounded by going back to the interviews that were previously grounded through coding during open, axial, and selective coding. For example, the need for having a number of investigators was linked to the following interview:

QUESTION: “…how do you define an organisation to be digital forensics capable?”

ANSWER: “…they should have enough capabilities in term of human resources, people have enough experience” (07COINTUAE14, p. 4).

The participants here used the word “enough” which triggered the question of what “enough” means. One of the obvious meanings of “enough” is quantity, but there is also a quality dimension to the word. Therefore, the researcher also linked the dimension of “number of investigators” to the dimension “skill level” of the investigator under the category “Quality of Investigator” which was linked and appeared in the core categories “Infrastructure,” “Investigation,” and “People.” In other words, the process of grounding the theory also led back to the coding process, demonstrating how GT goes back and forth between inductive and deductive analysis.

Finally, the story line was connected to existing literature and theories. Primarily, the researcher applied the story line to (1) the emerging research in DF on the applicability of the capability maturity model (Kerrigan, 2013; Al-Hanaei & Rashid, 2014), (2) the work by Grobler on DF readiness and capability (Grobler, 2010), and (3) the works by Jones and Valli (2011) on building a DF laboratory with processes and procedures.

CONCLUSION

This paper shows how to apply GT methods using the Straussian approach in DF research. It is important to note that the method demonstrated in this paper is that of the Straussian Approach, which, though it has general similarities, does differ from the Glaserian Approach. The researcher, therefore, ought not to apply the method here directly to a Glaserian GT research. In fact, one criticism of GT may be that it has evolved into competing “constellations” of methods that can be confusing to those researchers new to GT (Charmaz, 2008).

Regardless of which approach is taken, this paper has addressed a gap between the methods and literatures for the DF and IT/IS field. Far too many researchers who have used the GT methodology, for example, failed to demonstrate their use of Memo, an important aspect of GT methods. Researchers ought to improve the way in which they demonstrate the application of GT methods by showing how their data analysis evolved from open coding, to axial coding, and then to selective coding.

Researchers must also demonstrate how they grounded the data in their categories, properties and dimensions. The grounding to the data is what gives the research method its integrity and strengthens the theory the researcher arrives at. Researchers should not forget that the GT method is ultimately about theorising (Strauss and Corbin, 1998). It is more important, however, to explain how one arrived at such theory with the research data. Such theorising must be demonstrated through an explanation of the story line and then grounded in both the literature and the data.

Digital Forensic Organisation Core Capability (DFOCC) is the framework derived from analysing data using grounded theory. DFOCC enhances the admissibility of evidence as it requires that a DF organisation has made certain procedures part of its business process. The framework is simple because it is narrowed down to four variables (Policy, People, Infrastructure, and Investigation) that are required for a DF organisation to be DF capable. The DFOCC framework will help the entire digital forensic investigation process prove the guilt of a perpetrator because the DFOCC will help organisations ensure that they have the correct resources and procedures in place to carry out investigations efficiently. The DFOCC framework aims to reduce the possibility of successful challenges to DF evidence presented in courts. For example, DF organisations that do not already do so will be required to document each stage of the investigation process, which will in turn strengthen expert testimony on such requirements as chain of custody and authentication.

Finally, what is important in grounded theory is not the result but the process. As Charmaz noted, “The grounded theory method emphasizes the process of analysis and the development of theoretical categories, rather than focusing solely on the results of inquiry” (Charmaz 2008).


REFERENCES

Hanaei, A., Hamad, E., & Rashid, A. (2014, May). DF-C2M2: A Capability Maturity Model for Digital Forensics Organisations. In Security and Privacy Workshops (SPW), 2014 IEEE (pp. 57-60). IEEE.

Birks, M., & Mills, J. (2011). Grounded theory: A practical guide. Sage publications.

Charmaz, K. (2000). Constructivist and objectivist grounded theory. Handbook of qualitative research, 2, 509-535.

Charmaz, K. (2003). Grounded theory - Objectivist and constructivist methods. In N. K. Denzin & Y. S. Lincoln (Eds.), Strategies of qualitative inquiry, 249-291.

Charmaz, K. (2006). Constructing grounded theory: A practical guide through qualitative analysis (Introducing Qualitative Methods Series).

Charmaz, K. (2008). Grounded theory as an emergent method. Handbook of emergent methods, 155-170.

Corbin, J., & Strauss, A. (2008). Basics of qualitative research: Techniques and procedures for developing grounded theory. Thousand Oaks, CA: Sage.

Glaser, B. G. (1978). Theoretical sensitivity: Advances in the methodology of grounded theory. Sociology Pr.

Glaser, B. G., & Strauss, A. L. (1967). The discovery of grounded theory: Strategies for qualitative research. New Brunswick, NJ:

Glaser, B. G. (1992). Emergence vs forcing: Basics of grounded theory analysis. Sociology Press.

Glaser, B. G. (2001). The grounded theory perspective: Conceptualization contrasted with description. Sociology Press.

Grobler, M. M. (2010). Digital forensics standards: international progress. Proceedings of the South African Information Security Multi-Conference (SAISMC 2010).

Grobler, C. P., Louwrens, C. P., & Von Solms, S. H. (2010, February). A framework to guide the implementation of proactive digital forensics in organisations. In Availability, Reliability, and Security, 2010. ARES'10 International Conference on (pp. 677-682). IEEE.

Jones, A., & Valli, C. (2011). Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility. Butterworth-Heinemann.

Kerrigan, M. (2013). A capability maturity model for digital investigations. Digital Investigation, 10(1), 19-33.

Robson, C. (2002). Real world research. 2nd. Edition. Blackwell Publishing. Malden.

Strauss, A., & Corbin, J. (1990). Basics of qualitative research (Vol. 15). Newbury Park, CA: Sage.

Corbin, J., & Strauss, A. (2014). Basics of qualitative research: Techniques and procedures for developing grounded theory. Sage publications.

Urquhart, C., Lehmann, H., & Myers, M. D. (2010). Putting the ‘theory’ back into grounded theory: guidelines for grounded theory studies in information systems. Information systems journal, 20(4), 357-381.
