An Ontology for Digital Forensics in IT Security Incidents - OPUS
8 CHAPTER 1. INTRODUCTION

data leads to finding evidence and gathering specific additional information later on.
Another point that has changed is that much evidence can only be found on live systems. Because a live system keeps running, some information may vanish, which complicates the retrieval of additional facts [Adelstein, 2006].

But the person who has to acquire a computer as evidence does not necessarily know that there is volatile data, or how to seize it correctly. [National Institute of Justice (U.S.), 2004] mentions that evidence can be volatile, but its chapter on acquisition assumes that the computer is powered off prior to the examination.
Another problem is that the tools built to help forensic analysts and investigators do not always work as they are supposed to. Some of them can be made to work together, but there are only a few standards for exchanging data. Many of the tools are developed from scratch, so similar program parts are developed multiple times, whereas the effort could be used more productively [Garfinkel, 2010]. Because researchers develop new tools for the field they are proficient in, the resulting products are made only for that purpose. As a result there are plenty of tools an investigator has to be able to use to solve a single case, and the output of one tool needs to be adjusted to be compatible with another tool. An additional problem is that new techniques are developed and presented without a fully working implementation [Tang and Daniels, 2005].
This work introduces an ontology for forensic analysis. Using the ontology, the output of tools can be collected in one place, as in traditional databases, but furthermore it allows conclusions about the correlation of the single results to be drawn automatically.
The topic for this work was issued by Siemens CERT Munich. At first an ontology that represents the forensically interesting parts of a computer had to be implemented. Next, an example implementation of a program had to be built that converts data provided by existing forensic tools to a format that matches the constraints of the ontology. Additionally, queries had to be written that allow evidence to be found in the converted data. Furthermore, the functionality needed to be tested on real malware.
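The pipeline sketched in the two preceding paragraphs (an ontology, a converter that maps existing tool output onto it, and queries that correlate the converted results) is illustrated below by an added example; it is not code from the thesis or from Siemens CERT, and the class names (Process, Connection), property names and the ps-style and netstat-style tool output are all constructed for the illustration. The store enforces the ontology's constraints when individuals are added, a rule derives a "communicatesWith" relation by joining process and connection facts on the PID, and a query then checks those derived facts against a constructed address watchlist.

```python
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]

# Hypothetical mini-ontology (not the thesis's): each class lists the
# properties an individual of that class may carry.
ONTOLOGY: Dict[str, Set[str]] = {
    "Process": {"pid", "name", "user"},
    "Connection": {"proto", "localAddr", "localPort", "remoteAddr",
                   "remotePort", "state", "ownerPid"},
}


class TripleStore:
    """Tiny subject-predicate-object store standing in for an RDF store."""

    def __init__(self) -> None:
        self.triples: Set[Triple] = set()

    def add(self, s: str, p: str, o: str) -> None:
        self.triples.add((s, p, o))

    def value(self, s: str, p: str) -> str:
        """Single object for (s, p); empty string if absent."""
        for s2, p2, o in self.triples:
            if s2 == s and p2 == p:
                return o
        return ""

    def individuals(self, cls: str) -> List[str]:
        return sorted(s for s, p, o in self.triples if p == "type" and o == cls)

    def add_individual(self, cls: str, ident: str, props: Dict[str, str]) -> str:
        """Assert an individual, rejecting anything the ontology does not allow."""
        if cls not in ONTOLOGY:
            raise ValueError(f"unknown class {cls}")
        unknown = set(props) - ONTOLOGY[cls]
        if unknown:
            raise ValueError(f"{cls} does not allow {sorted(unknown)}")
        self.add(ident, "type", cls)
        for p, o in props.items():
            self.add(ident, p, o)
        return ident


# Constructed sample tool output (ps-style and netstat-style), not real captures.
PS_OUTPUT = """\
  PID USER     COMMAND
  412 root     /usr/sbin/sshd -D
 1337 alice    /tmp/.cache/updater
 2048 alice    /usr/lib/firefox/firefox
"""

NETSTAT_OUTPUT = """\
Proto Local Address      Foreign Address     State        PID
tcp   0.0.0.0:22         0.0.0.0:*           LISTEN       412
tcp   10.0.0.5:40022     198.51.100.7:443    ESTABLISHED  1337
tcp   10.0.0.5:51022     203.0.113.9:443     ESTABLISHED  2048
"""


def convert_ps(text: str, store: TripleStore) -> int:
    """Map each ps row onto a Process individual; returns rows converted."""
    rows = text.strip().splitlines()[1:]          # drop the header line
    for row in rows:
        pid, user, command = row.split(None, 2)   # command may contain spaces
        store.add_individual("Process", f"proc:{pid}",
                             {"pid": pid, "user": user, "name": command})
    return len(rows)


def convert_netstat(text: str, store: TripleStore) -> int:
    """Map each netstat row onto a Connection individual; returns rows converted."""
    rows = text.strip().splitlines()[1:]
    for i, row in enumerate(rows):
        proto, local, remote, state, pid = row.split()
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = remote.rsplit(":", 1)
        store.add_individual("Connection", f"conn:{i}", {
            "proto": proto, "localAddr": laddr, "localPort": lport,
            "remoteAddr": raddr, "remotePort": rport, "state": state,
            "ownerPid": pid,
        })
    return len(rows)


def infer_communicates_with(store: TripleStore) -> int:
    """Rule: Process(pid=P) and Connection(ownerPid=P, state=ESTABLISHED)
    => (process communicatesWith remoteAddr). Returns triples added."""
    by_pid = {store.value(p, "pid"): p for p in store.individuals("Process")}
    before = len(store.triples)
    for conn in store.individuals("Connection"):
        if store.value(conn, "state") != "ESTABLISHED":
            continue
        proc = by_pid.get(store.value(conn, "ownerPid"))
        if proc:
            store.add(proc, "communicatesWith", store.value(conn, "remoteAddr"))
    return len(store.triples) - before


def query_contacts(store: TripleStore, watchlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Which (user, command, remoteAddr) talk to an address on the watchlist?"""
    hits = []
    for s, p, o in sorted(store.triples):
        if p == "communicatesWith" and o in watchlist:
            hits.append((store.value(s, "user"), store.value(s, "name"), o))
    return hits


def build_store() -> TripleStore:
    """Convert both tool outputs into one store and run the inference rule."""
    store = TripleStore()
    convert_ps(PS_OUTPUT, store)
    convert_netstat(NETSTAT_OUTPUT, store)
    infer_communicates_with(store)
    return store


if __name__ == "__main__":
    s = build_store()
    for hit in query_contacts(s, {"198.51.100.7"}):   # constructed watchlist
        print(hit)
```

The point of the store's constraint check is the one the text makes about tool output needing to match the ontology: a converter that emits a property the class does not declare fails loudly instead of silently producing facts no query will ever join on. The inference step is where the "correlation of the single results" comes from; neither tool output on its own says which user's program talks to which address.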