Zing Forum


CIFM: Converged Infrastructure Forensics Model – A New Framework for Cross-Domain Cyber Attack Investigation

CIFM (Converged Infrastructure Forensics Model) is a forensic investigation framework for converged infrastructure ecosystems. It provides a unified methodology for security incident investigations spanning cloud, telecommunications, edge, IoT, and industrial control systems, built on identity-centric analysis, distributed telemetry, and human-in-the-loop verification of the investigator's reasoning.

Tags: digital forensics, cybersecurity, converged infrastructure, critical infrastructure protection, threat investigation, open source framework
Published 2026-04-14 03:38 | Recent activity 2026-04-14 04:01 | Estimated read 5 min

Section 01

CIFM Framework Guide: A Unified Methodology for Cross-Domain Cyber Attack Investigation

CIFM (Converged Infrastructure Forensics Model) is a forensic investigation framework for converged ecosystems such as cloud, telecommunications, edge, IoT/IIoT, and industrial control systems. It addresses a specific gap: traditional digital forensics methods cannot reconstruct an attack trajectory that crosses domain boundaries. Its core methods are identity-centric analysis, distributed telemetry, and human-in-the-loop verification, and it delivers a unified methodology through four structural innovations.


Section 02

New Challenges in Digital Forensics Under Converged Infrastructure

With digital transformation, modern infrastructure forms a converged ecosystem in which cloud, telecommunications, edge, IoT/IIoT, and industrial control systems are interwoven. Traditional digital forensics methods were designed in the host-centric era and offer no unified methodology for reconstructing adversary activity that moves across these domains. This gap led to the development of the CIFM framework.


Section 03

Core Positioning and Four Major Innovations of CIFM

CIFM is an investigation framework (not a detection or monitoring tool) aimed at reconstructing attack trajectories in converged ecosystems, covering cloud, telecommunications, edge, IoT/IIoT, industrial control systems, and other fields. Its four core contributions are:

1. A Unified Evidence Manifest (UEM) that standardizes heterogeneous evidence from different domains.
2. A human-in-the-loop verification layer (AI-assisted analysis with manual verification).
3. An iterative, non-linear investigation workflow.
4. A visibility and trust boundary matrix for assessing telemetry blind spots.
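To make the first and fourth contributions concrete, here is an added illustrative sketch (not CIFM's own code, and not its real UEM schema): raw events from three domains are normalised into manifest entries with assumed field names (identity, timestamp, action) plus a hash of the source record, grouped by identity to reconstruct a cross-domain trajectory, and a simple visibility matrix flags any domain that contributed no telemetry.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample evidence from three domains. Field names follow each
# domain's own logging style; nothing here is CIFM's real UEM schema.
RAW_EVIDENCE = [
    {"domain": "cloud", "ts": "2026-04-14T02:10:00Z",
     "principal": "svc-deploy@example", "action": "AssumeRole", "src": "203.0.113.7"},
    {"domain": "telecom", "time": "2026-04-14T02:12:30Z",
     "subscriber": "svc-deploy@example", "event": "APN attach", "cell": "LAC-42"},
    {"domain": "edge", "timestamp": "2026-04-14T02:15:05Z",
     "user": "svc-deploy@example", "op": "firmware-push", "node": "edge-17"},
    {"domain": "cloud", "ts": "2026-04-14T02:20:00Z",
     "principal": "alice@example", "action": "ListBuckets", "src": "198.51.100.9"},
]

# Per-domain mapping of native field names onto assumed unified manifest
# fields. ICS has no mapping on purpose, to model a domain with no telemetry.
FIELD_MAP = {
    "cloud":   {"identity": "principal",  "timestamp": "ts",        "action": "action"},
    "telecom": {"identity": "subscriber", "timestamp": "time",      "action": "event"},
    "edge":    {"identity": "user",       "timestamp": "timestamp", "action": "op"},
}

ALL_DOMAINS = ("cloud", "telecom", "edge", "ics")


def to_manifest(item):
    """Normalise one raw record into a unified manifest entry with an integrity hash."""
    m = FIELD_MAP[item["domain"]]
    entry = {k: item[v] for k, v in m.items()}
    entry["domain"] = item["domain"]
    # Hash of the original record keeps the normalised entry tied to its source.
    entry["source_sha256"] = hashlib.sha256(
        json.dumps(item, sort_keys=True).encode()).hexdigest()
    return entry


def reconstruct_trajectories(raw):
    """Group manifest entries by identity and order them in time across domains."""
    by_identity = defaultdict(list)
    for e in map(to_manifest, raw):
        by_identity[e["identity"]].append(e)
    return {i: sorted(v, key=lambda e: e["timestamp"]) for i, v in by_identity.items()}


def visibility_matrix(raw):
    """Mark which domains contributed telemetry; a False entry is a blind spot to report."""
    seen = {item["domain"] for item in raw}
    return {d: d in seen for d in ALL_DOMAINS}
```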


Section 04

Application Scenarios and Version Progress of CIFM

Application Scenarios: Suitable for cross-cloud attack investigations, supply chain security incidents, critical infrastructure attacks, APT investigations, etc.

Version Evolution: v1.0RC (archived in April 2026) and v1.1RC (candidate version, April 2026, submitted for operational verification). v1.1RC cites Henriques et al.'s 2023 journal article and clarifies its positioning as an investigation and reconstruction framework; it does not provide detection or monitoring capabilities.


Section 05

Open Source License and Collaboration Background of CIFM

CIFM is released under the Creative Commons Attribution 4.0 International (CC BY 4.0) license, which allows free sharing and adaptation with attribution, in order to encourage community contributions. The framework was created by Kerry Hazelton (alias "Professor Kilroy"), reflecting collaboration between academia and industry.


Section 06

Comparison of CIFM with Traditional Forensics and Future Outlook

Comparison with Traditional Methods: Traditional forensics focuses on a single domain (host, network, or cloud), whereas CIFM integrates evidence from these scattered domains to solve the problem of cross-domain attack chain reconstruction.

Outlook: CIFM is a forward-looking methodology that adapts to the trend of infrastructure convergence, providing practitioners with systematic tools. It is currently in the research phase and will continue to evolve with practice and community feedback.