African Multidisciplinary Journal of Sciences and Artificial Intelligence
ISSN: 1595-7969
Index: Harvard, Boston, Sydney University, Dimensions, Lens, ResearchGet, Scilit, Semantic, Google Scholar, Base etc
https://doi.org/10.58578/AMJSAI.

Comparative Analysis of Theoretical Models for Digital Forensic Readiness (DFR) in Nigerian Banking

Chibuzor Akujobi1, Francisa Ogwueleka2, Gilbert Aimufua3, Steven Bassey4
1,3,4 Nasarawa State University Keffi, Nigeria; 2 University of Abuja-FCT, Nigeria
akujobi@gmail.

Article Info: Submitted: Oct 21, 2025; Revised: Nov 26, 2025; Accepted: Dec 9, 2025; Published: Dec 14, 2025

Abstract

The increasing shift to digital banking in Nigeria has accelerated cyber fraud losses, prompting banks to adopt proactive forensic readiness measures. Recent industry reports show that Nigerian banks lost more than N300 billion ($833 million) in a single quarter of 2023, a 534% increase year-on-year. Digital Forensic Readiness (DFR) is a proactive cybersecurity strategy that ensures digital evidence is preserved and ready for analysis before a breach occurs. This paper reviews leading forensic readiness models, including Locard's Exchange Principle, the Diamond Intrusion Model, and the NIST Risk Management Framework, and compares their applicability to Nigerian banking. We integrate these theories into a proposed DFR framework tailored for Nigeria's banking sector, drawing on local and global studies. Key components of DFR (such as policies, technology, people, and legal compliance) are discussed with illustrations. Current challenges, notably reactive culture, evidentiary gaps, and regulatory compliance, are Finally, best practices and a synthesis framework are presented to guide Nigerian banks toward a more resilient forensic posture.

Keywords: Digital Forensic Readiness, Digital Evidence Preservation, Cyber Fraud Losses, Forensic Readiness Models, Nigerian Banking Sector

Volume 3, Issue 1, 2026. https://ejournal.yasin-alsys.org/AMJSAI
AMJSAI Journal is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

Introduction

The Nigerian banking industry has witnessed a surge in digital financial services alongside escalating cybercrime. The Nigeria Inter-Bank Settlement System reports that financial losses in Nigeria's banking sector have been enormous as a result of fraudulent The value of fraud in 2021 was put at N193.5 billion ($544 million), a significant increase from the N153.4 billion ($431 million) lost in 2020. This upward trend continued in 2022, when losses due to fraud topped N273 billion ($762 million). Even these troubling figures are expected to be exceeded by the end of 2023, with projections estimating potential losses of more than N300 billion ($833 million). Mobile and internet channels now account for nearly 72% of fraud cases in Nigeria's banks. These losses erode customer trust and can lead to regulatory penalties. Traditional security measures in Nigerian banks have tended to be reactive, focusing on damage control after an incident and leaving gaps in evidence preservation and legal compliance. Digital Forensic Readiness (DFR) addresses this gap by preparing systems to capture and manage evidence proactively.

Cyber fraud in Nigeria has grown rapidly with the expansion of internet banking. Data from Nigeria's regulators and police show widespread losses: during the COVID-19 lockdown alone, Nigerian banks lost C83. 5 billion in one quarter. Most attacks occur via online/mobile channels (e-banking, USSD, social engineering) rather than physical breaches. Fraud schemes take many forms: researchers have identified internal fraud (staff colluding with criminals), external fraud (outsiders phishing or hacking customers), and collusive fraud between insiders and outsiders.
Historical cases, such as a multi-million dollar phishing fraud in 2019, demonstrate that cybercriminals exploit any vulnerability in bank systems or personnel.

Nigerian banks also face challenges unique to the local context. According to surveys, many banks lack comprehensive DFR policies and tend to prioritize fraud prevention over evidence preservation. For example, most banks focus on reducing the impact of an attack after it happens, rather than on forensic readiness. Inadequate logging, insufficient staff training, and poor regulatory alignment further hamper investigations. This gap is exacerbated by evolving regulations such as Nigeria's Cybercrime Act and Data Protection Regulation, which impose stricter evidence-handling requirements, but many institutions remain unaware of how to comply proactively. Without forensic readiness, banks risk delayed incident response and weaker legal cases against fraudsters.

Despite these challenges, some strengths exist: larger Nigerian banks have invested in security operations (SIEM systems, continuous monitoring, specialized fraud units). However, experts note that legal and procedural gaps persist: evidence admissibility issues, outdated policies, and limited forensic skills are widespread. This evidence suggests a dual problem: cyber fraud is rising in Nigerian banking, and existing DFR practices are inconsistent or insufficient.

In this paper, we review core theoretical models underpinning forensic readiness (Locard's Principle, the Diamond model, and the Risk Management Framework) and analyze their relevance to Nigerian banks. We then outline the essential DFR components, compare the models, and propose a tailored DFR framework. This analysis is grounded in recent research and the challenges observed in Nigeria's banking sector.
Literature Review

Digital Forensic Readiness (DFR) is defined as the capacity of an organization to maximize its potential to use digital evidence for legal, investigative, or security purposes (Rowlingson, 2004; Tan & Lee, 2. Unlike traditional, reactive forensics, DFR is proactive: it establishes policies, procedures, and systems to capture and preserve evidence before an incident (Keong & Choo, 2020; Reith et al., 2. For example, every digital interaction (emails, transactions, and logins) leaves a trace; well-prepared systems log these artifacts so investigations can proceed swiftly (Elyas et al., 2014; Kent et al., 2. In the Nigerian context, adequate DFR means banking systems are configured to retain logs, images, and transaction records in a legally compliant manner.

Locard's Exchange Principle asserted that every contact between a perpetrator and the environment leaves a trace. In cybersecurity, this implies that each malicious event will leave digital artifacts on servers or endpoints. Forensic readiness frameworks apply this principle by ensuring tools (log collectors, intrusion detectors) are always active so that "every contact" generates collectible evidence.

The Diamond Model of Intrusion Analysis (Caltagirone et al., 2. complemented Locard by focusing on adversary behavior. It breaks down an incident into four linked elements (Adversary, Infrastructure, Capability, and Victim), forming a "diamond" of relationships. By mapping these features, organizations can anticipate attacker tactics and ensure evidence (malware samples, network traffic, target assets) is gathered proactively. For example, knowing an "adversary" uses a particular tool motivates deploying sensors to capture that tool's signatures.

Meanwhile, the NIST Risk Management Framework (RMF) (SP 800-. brought a structured, risk-based approach. By embedding risk assessment into system design, RMF ensures that critical assets are identified, controls are selected, and monitoring is continuous. In DFR terms, RMF drives organizations to implement security controls (audit logs, access controls) that protect evidence and support forensic processes.

Other models like the Cyber Kill Chain are also relevant, as they delineate attack stages from reconnaissance to execution (Hutchins et al., 2. Such models imply that readiness efforts should cover each phase (capturing malicious payloads at the "Delivery" stage, monitoring for "Exploit" events). Overall, these theoretical frameworks provide complementary views: Locard ensures evidence capture, the Diamond model guides threat context, and RMF ensures organizational preparedness. Integrating them yields a holistic forensic readiness strategy.

Digital forensic readiness depends on multiple organizational components. A broad literature survey identifies eight core categories of readiness: People, Process, Policy & Procedure, Technology, Monitoring & Reporting, Risk Assessment and Legal & Compliance. In practical terms, banks need clear policies and procedures to govern evidence collection and For example, a bank should have documented retention policies, evidence-handling standard operating procedures (SOPs), and defined roles (who collects logs, who analyzes Technological components include log management systems, intrusion detection, firewalls, and endpoint forensics tools. These ensure that when an incident occurs, relevant data (logs, disk images, metadata) are captured and preserved. People and training are also crucial: staff must be aware of forensic policies and have the skills (through training or certification) to follow them. Furthermore, ongoing monitoring, incident reporting, and regular audits help detect potential breaches early and maintain evidence integrity.
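The evidence-integrity requirement described above (audit logs that protect evidence and stay verifiable), as an added example that is not part of the original paper: a hash-chained, append-only evidence log in Python with a verifier that locates edits, removals and truncation. The field names, the sample events and the practice of keeping the latest hash on separate write-once storage are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor value that the first entry links back to
FIELDS = ("seq", "timestamp", "source", "event", "custodian")  # assumed schema


def _digest(prev_hash, record):
    # Canonical JSON, so an identical record always yields an identical hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class EvidenceLog:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, timestamp, source, event, custodian):
        prev = self.head()
        record = dict(zip(FIELDS, (len(self.entries), timestamp, source,
                                   event, custodian)))
        self.entries.append(dict(record, prev=prev, hash=_digest(prev, record)))
        return self.head()


def verify(entries, expected_head=None):
    """Return (ok, index of first bad entry or None, reason)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["seq"] != i:
            return False, i, "sequence gap: entry removed or reordered"
        if entry["prev"] != prev:
            return False, i, "broken link to previous entry"
        record = {k: entry[k] for k in FIELDS}
        if not hmac.compare_digest(entry["hash"], _digest(prev, record)):
            return False, i, "entry content altered"
        prev = entry["hash"]
    # A chain that was cut short or rebuilt end to end is still internally
    # consistent; only a head hash kept elsewhere (assumed here: write-once
    # storage outside the logging host) exposes it.
    if expected_head is not None and prev != expected_head:
        return False, len(entries), "head mismatch: log truncated or rebuilt"
    return True, None, "intact"


def build_sample():
    # Constructed sample events for illustration, not real bank data.
    log = EvidenceLog()
    log.append("2025-01-10T09:14:02Z", "ebanking-web", "login ok cust-1042", "siem")
    log.append("2025-01-10T09:15:40Z", "core-banking", "transfer 250000 cust-1042", "siem")
    log.append("2025-01-10T09:16:05Z", "ebanking-web", "beneficiary added", "siem")
    log.append("2025-01-11T08:00:00Z", "forensics", "export to investigator", "analyst-a")
    return log


if __name__ == "__main__":
    log = build_sample()
    sealed_head = log.head()
    print(verify(log.entries, sealed_head))
    edited = [dict(e) for e in log.entries]
    edited[1]["event"] = "transfer 250 cust-1042"
    print(verify(edited, sealed_head))
    print(verify(log.entries[:3]))               # truncation passes unnoticed
    print(verify(log.entries[:3], sealed_head))  # and is caught with the head
```

The chain by itself only proves internal consistency; the separately stored head hash is what lets an investigator show that nothing was cut from the end or rewritten wholesale.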
These elements can be summarized as follows:

Policies & Procedures: Formal forensic policies, compliance frameworks, and SOPs to guide evidence handling.
Technology: Systems configured for forensics, e.g., SIEM platforms (Splunk, IBM QRadar), secure logging, intrusion detection, and forensic software (EnCase, Autopsy).
People & Training: Skilled personnel (cybersecurity analysts, forensic investigators) and awareness programs (e.g., phishing simulations) to maintain a readiness culture.
Legal & Compliance: Alignment with laws (Nigeria's Cybercrime Act, NDPR) and admissibility standards, ensuring collected evidence is court-ready.
Risk Assessment & Management: Continuous risk analysis (using frameworks like ISO 31000 or NIST) to identify threats to digital assets and adjust controls accordingly.
Monitoring & Reporting: Continuous monitoring (e.g., dashboards, network analyzers) and clear incident reporting protocols, so suspicious events trigger forensic workflows.

Table 1 illustrates how various tools and techniques support these DFR components. In practice, Nigerian banks leverage platforms (MetricStream, KnowBe4, SIEM, etc.) and processes (policy development, incident escalation, evidence imaging) that map to each Implementing all components cohesively is key; missing elements (for example, having SIEM tools but no documented chain-of-custody) undermine readiness.

Table 1. Illustration of tools and techniques by Digital Forensic Readiness (DFR) components

DFR Component | Example Tools/Platforms | Techniques/Practices
Policy & Procedure | Compliance (MetricStream), repositories (SharePoint) | Policy development, formal SOPs, retention
Technology | SIEM (Splunk, QRadar), firewalls, IDS/IPS, endpoint security (CrowdStrike); forensic suites (EnCase, FTK, Autopsy), data recovery tools | Log aggregation/correlation, alert triage, threat-intel integration; disk imaging, file carving, timeline & metadata analysis
People (Awareness) | E-learning (KnowBe4), forensic training (CHFI, GCFA) | Security simulations, skill development
Legal & Compliance | e-Discovery tools, legal audit | Regulatory gap analysis, evidence admissibility reviews, alignment with NDPR/NPDC
Risk Assessment | Risk Mgmt tools (RSA Archer), vulnerability scanners (Nessus) | Threat modeling, impact analysis, digital risk
Monitoring & Reporting | Dashboards (SIEM), analyzers (Wireshark) | Continuous monitoring, anomaly detection, automated incident reporting
Process | Workflow (Jira, ServiceNow) | Incident escalation procedures, evidence chain-of-custody documentation, optimized forensic workflows

Comparative Analysis of Theoretical Models

We compared three prominent models relevant to forensic readiness:

Locard's Exchange Principle: Emphasized that "every contact leaves a trace". In DFR terms, this means every digital action (login, transaction, and email) will deposit artifacts. Models based on Locard's principle focus on evidence collection, ensuring systems are configured to capture logs, memory dumps and other traces before they are overwritten. Its strength is a firm evidentiary foundation: by assuming traces exist, an organization remains vigilant in data capture. However, Locard's model is conceptual rather than prescriptive; it does not specify processes or controls, so banks need complementary frameworks to operationalise it.

Diamond Intrusion Model (Caltagirone et al., 2. : Breaks down an intrusion into four linked elements (Adversary, Infrastructure, Capability, Victim), forming a "diamond". This model excels at threat context, as it helps analysts map attacker tools to targets. In practice, a bank using the Diamond model will proactively hunt for evidence of known adversary infrastructure (e.g., command-and-control servers) and capabilities (malware signatures) against its systems. Its advantage is structured threat analysis and attribution: it encourages linking incidents into broader campaigns. Limitations include complexity (it requires detailed intelligence about adversaries) and a focus on networked attacks; it may be less directly helpful for purely insider fraud without external infrastructure. Still, it guides collecting evidence about who is attacking and how, enriching DFR.

Figure 1. The Diamond Model of intrusion analysis (Caltagirone et al, 2.

Risk Management Framework (NIST RMF): A process-oriented model (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) for managing cybersecurity risk. In a DFR context, RMF ensures that forensic readiness is institutionalized through policies and For example, during the "Select" phase, a bank would choose specific forensic controls (write-once logs); the "Monitor" phase enforces their continuous operation. RMF's strength lies in its comprehensive, formal approach, aligning forensic controls with business objectives and compliance requirements. It also emphasizes continuous oversight, which supports forensic readiness over time. However, RMF is resource-intensive, and smaller banks may find its processes heavy. Moreover, RMF is broad (covering all security), so forensic-specific needs could be overlooked unless explicitly addressed.

These models overlap but emphasize different facets, as shown in Table 2. Locard's principle underpins evidence focus, the Diamond model underpins adversary-centric analysis, and RMF underpins governance and process controls. In Nigerian banking, a hybrid approach is advisable: apply Locard by enhancing logging and data preservation; use Diamond concepts in threat intelligence and incident analysis; and adopt RMF practices for policy and risk Each model contributes: for instance, logs collected per Locard become inputs into a diamond-style analysis of an attack, and RMF ensures both activities are documented and compliant. The comparative advantages and limitations of each are summarized below.

Table 2. Comparative summary of key DFR-related models/frameworks, with their focus and trade-offs.

Model/Framework Focus Strengths Limitations
Locard's Principle Ensures all system are Conceptual only needs Evidence as policies/tools ("every contact leaves potential evidence. forensic guidance on processes
Diamond Model Adversary-centric threat Structured view of Requires detailed threat (Adversary, attacker may not cover Capability, Infrastructure, aids threat hunting insider-only scenarios Victim) and attribution
Aligns forensic Complex and process- Risk-based security controls with heavy. forensic elements Risk Management business objectives. Framework (NIST) (Prepare–Monitor) mandates continuous without focus. mature governance

Proposed DFR Framework for Nigerian Banks

Drawing on these models and Nigeria-specific needs, a tailored Digital Forensic Readiness Framework (DFRF) for the Nigerian banking sector was proposed. This framework integrates technical, organizational, and legal dimensions. Seven key components form its core: Policy & Procedure, People, Process, Technology, Risk Assessment, Legal & Compliance, and Monitoring & Reporting. For example, the "Policy & Procedure" component mandates formal forensic policies aligned with NDPR and CBN rules, while "Technology" covers forensic-capable IT systems (SIEMs, endpoint agents). The "Legal & Compliance" component ensures evidence handling complies with Nigeria's Cybercrime Act and admissibility standards. This DFRF is proactive rather than reactive.
Its goal is to enable evidence collection before an incident: for instance, real-time logging of transactions and automated alerts for As an expert review of this framework found, it "ensures banks can collect, preserve, and utilize digital evidence efficiently before a cyber incident occurs". To ground the framework in practice, we leverage existing strengths of Nigerian banks: many already use SIEM and monitoring tools. The DFRF layers on these by adding clear roles (People component) and legal checks. Conversely, it directly addresses known gaps: e.g., Risk Assessment (via threat modeling) and strengthening legal compliance (via internal audit).

Figure 2. Proposed Visual Representation of the components for DFRF

Figure 2 conceptually illustrates the proposed framework. In essence, all components interact dynamically so that whenever suspicious activity is detected (through Monitoring & Reporting), the Process and People components spring into action (incident protocols and forensic response), supported by Technology and guided by Policies. This cycle ensures Nigerian banks are "strategically positioned to prevent and manage (cyber attacks) through continuous monitoring and reporting", fulfilling both security and regulatory objectives.

Discussion

This analysis highlights that effective DFR in Nigerian banking requires a synthesis of models and practices. Locard's principle drives evidence-centric preparedness: e.g., that a fraudster's laptop will retain traces of transactions. The Diamond model encourages Nigerian banks to build threat intelligence, connecting adversaries to their tools and targets. The RMF brings the necessary governance rigor (setting policies, authorizations, and monitoring loops) to make readiness systematic. Local challenges underscore where gaps remain.
Many Nigerian banks have reactive experts note that digital forensics capabilities are often fire-fighting rather than In practice, this means logs may not be retained long enough, and evidence chains might be broken. There is also a shortage of skilled forensic personnel, as well as low awareness of legal requirements (e.g., preserving electronic records per NDPR). Best practices emerging from industry studies include: defining clear incident response roles, conducting regular readiness drills, and aligning forensic processes with compliance audits.

Our proposed framework embodies these lessons. By integrating continuous risk assessment, legal audits, and technical controls, it addresses the implementation gaps For instance, incorporating the RMF's "Authorize/Monitor" steps ensures banks periodically review forensic controls. Embedding the Diamond model means correlating cross-incident data (linking multiple phishing attempts to a single actor). And anchoring in Locard's idea, the framework assumes every transaction leaves traces, so systems must preserve them.

In summary, Nigerian banks can leverage a multi-model approach: use Locard's evidence focus to justify logging, the Diamond model to enrich threat context, and RMF to create a culture of proactive readiness. Regulatory and technological developments (like Nigeria's NDPR and new anti-fraud tools) can further support this. The key is institutionalizing forensic readiness as an ongoing process, not just an afterthought.

Conclusion

Cyber fraud poses a severe threat to Nigerian banks' profitability and reputation. This paper surveyed major forensic readiness models (Locard's Exchange Principle, the Diamond Intrusion Model, and the Risk Management Framework) and analyzed their applicability to the banking sector.
Each model contributes useful perspectives: evidence capture, threat analysis, and structured governance, respectively. We synthesized these insights into a comprehensive DFR framework tailored for Nigeria, emphasizing seven core components (policy, people, process, technology, risk, legal, and monitoring). This framework is designed to leverage existing strengths (security tools, monitoring) while filling gaps in policy and compliance.

For researchers and practitioners, this work highlights that proactivity is essential. Banks should shift from reactive forensics to readiness: routinely preserve logs, train staff in evidence handling, and align forensic processes with law. Future work could empirically test the proposed framework's effectiveness across Nigerian banks or refine it as new threats Overall, a robust DFR posture will help Nigerian banks detect fraud earlier, conduct swifter investigations, and support legal action when needed, thereby strengthening trust in the financial system.

References