An Ontology for Digital Forensics in IT Security Incidents - OPUS

More documents

Recommendations

Info

8 CHAPTER 1. INTRODUCTION data leads to nding evidence and gathering specic additional information later on. Another point that has changed is that much evidence can only be found on live systems. Caused by the fact that a live system runs on, some information might vanish which complicates the retrieval of additional facts.[Adelstein, 2006] But the person who has to acquire a computer as evidence does not necessarily know that there is volatile data and how to seize it correctly. In [National Institute of Justice (U.S.), 2004] it is mentioned that evidence can be volatile but in the chapter about acquisition it is assumed that the computer is powered o prior to the examination. Another problem is that the tools built for helping forensic analysts and investigators do not always work as they are supposed to. Some of them can be convinced to work together, but there are only few standards for exchanging data. Many of the tools are developed from scratch. This leads to the problem that similar program parts are developed multiple times whereas the used eort could be used more productively.[Garnkel, 2010] Caused by the fact that researchers develop new tools for the eld they are procient with, the resulting products are made only for this purpose. As a result there are plenty of tools an investigator has to be able to use for solving a single case. And the output of one tool needs to be adjusted to be compatible to another tool. An additional problem is that new techniques are developed and presented but without a fully working implementation[Tang and Daniels, 2005]. This work introduces an ontology for forensic analysis. By using the ontology the output of tools can be put to one place like in traditional databases but furthermore it allows to automatically draw conclusions about the correlation of the single results. The topic for this work was issued by Siemens CERT Munich. At rst an ontology that represents the forensically interesting parts of a computer had to be implemented. As next move an example implementation of a program had to be built that converts data provided by existing forensic tools to a format that matches the constraints of the ontology had to be built. Additionally queries had to be written that allow to nd evidence in the converted data. Furthermore the functionality needed to be tested on real malware.
Chapter 2 Related Work In [Garnkel, 2010] it is outlined that digital forensics have grown important in recent time but it largely lacks standardization and process and that there has not yet been found a solution for the lack of intelligent analytics beyond full-text search, non-standard computing devices (especially small devices), ease-of-use, and a laundry list of unmet technical challenges. One of the problems concerning standardization is that the available data sources have dierent formats. For example there exist plenty of dierent formats for hard disks, called le systems, some with great other with less dierences. A forensic analyst therefore needs to be familiar with the details of the most popular ones. This necessity can be treated by developing a superior classication of the data stored on the disk. The hard disks can be divided into the same categories, regardless of the format, as shown in [Carrier, 2005]. This model for le systems is not only useful for theoretical comparison but can be used practically. The author has written a collection of tools with one for each aspect of this model. Among other things this includes one tool for determining the disk layout, one for the list of les. A closer look at the categorization and the tools is taken in sections 4.2.1 and 4.3.1. The same issue imposes with the random access memory. And it can be treated equally. The data can be categorized in a similar manner. Details on the model can be found in section 4.2.2 and one tool for retrieving the needed data is presented in section 4.3.2. Caused by the increasing amount of data that has to be processed, eorts are being made to automate as much of the investigative work as possible. This can for instance be seen in [Garnkel, 2009] where a tool is being presented that analyses a hard disk and generates an XML description of it. Prior to this tool the aforementioned set of utilities had to be used to generate an overview of the hard disk. But it takes much more time to run many programs by hand. In [Farrell, 2009] a batch reporting system is introduced that allows the 9
Page 1: Diplomarbeit An Ontology for Digita
Page 4 and 5: Acknowledgement I would like to tha
Page 6 and 7: 4 CONTENTS 5.1.4 Storage . . . . .
Page 8 and 9: 6 CONTENTS
Page 12 and 13: 10 CHAPTER 2. RELATED WORK investig
Page 14 and 15: 12 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 16 and 17: 14 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 18 and 19: 16 CHAPTER 4. FORENSICS Basic rules
Page 20 and 21: 18 CHAPTER 4. FORENSICS 4.1.2.2 Ran
Page 22 and 23: 20 CHAPTER 4. FORENSICS entry conta
Page 24 and 25: 22 CHAPTER 4. FORENSICS 4.2.3.1 Reg
Page 26 and 27: 24 CHAPTER 4. FORENSICS vulnerable
Page 28 and 29: 26 CHAPTER 4. FORENSICS The fls -m
Page 30 and 31: 28 CHAPTER 4. FORENSICS of the sock
Page 32 and 33: 30 CHAPTER 4. FORENSICS
Page 34 and 35: 32 CHAPTER 5. ONTOLOGY Person name
Page 36 and 37: 34 CHAPTER 5. ONTOLOGY 5.1.1 Creati
Page 38 and 39: 36 CHAPTER 5. ONTOLOGY Resource Des
Page 40 and 41: 38 CHAPTER 5. ONTOLOGY to be Augsbu
Page 42 and 43: 40 CHAPTER 5. ONTOLOGY Gephi and Cy
Page 44 and 45: 42 CHAPTER 5. ONTOLOGY
Page 46 and 47: 44 CHAPTER 6. FORENSIC ONTOLOGY for
Page 48 and 49: 46 CHAPTER 6. FORENSIC ONTOLOGY pro
Page 50 and 51: 48 CHAPTER 6. FORENSIC ONTOLOGY reg
Page 52 and 53: 50 CHAPTER 6. FORENSIC ONTOLOGY 6.9
Page 54 and 55: 52 CHAPTER 6. FORENSIC ONTOLOGY Par
Page 56 and 57: 54 CHAPTER 6. FORENSIC ONTOLOGY
Page 58 and 59: 56 CHAPTER 7. IMPLEMENTATION 7.3 RD
Page 60 and 61:
58 CHAPTER 7. IMPLEMENTATION the co
Page 62 and 63:
60 CHAPTER 7. IMPLEMENTATION 1 SELE
Page 64 and 65:
62 CHAPTER 7. IMPLEMENTATION Anothe
Page 66 and 67:
64 CHAPTER 7. IMPLEMENTATION 7.8 St
Page 68 and 69:
66 CHAPTER 8. EVALUATION 6. The las
Page 70 and 71:
68 CHAPTER 8. EVALUATION key (CTEMO
Page 72 and 73:
70 CHAPTER 9. SUMMARY after some is
Page 74 and 75:
72 APPENDIX A. EXTRACTION TOOL LIST
Page 76 and 77:
74 APPENDIX A. EXTRACTION TOOL LIST
Page 78 and 79:
76 APPENDIX B. FORENSIC TOOLS OUTPU
Page 80 and 81:
78 APPENDIX C. SCREENSHOTS Figure C
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
84 APPENDIX C. SCREENSHOTS
Page 88 and 89:
86 BIBLIOGRAPHY [Carrier, 2012c] Ca
Page 90 and 91:
88 BIBLIOGRAPHY [Microsoft, 2010] M
Page 92:
90 BIBLIOGRAPHY [W3C, 2004] W3C (20
show all

An Ontology for Digital Forensics in IT Security Incidents - OPUS

Create successful ePaper yourself

Delete template?

Save as template?