An Ontology for Digital Forensics in IT Security Incidents - OPUS
Chapter 3
Goal Forensic Semantic Model
This chapter explains what this work is about. Additionally, it introduces the example that will be used throughout this work.
3.1 Ontology
The goal is to create an ontology, a data store, a program to fill the data store, and several queries that allow the examiner to obtain conclusive evidence fast and easily. In the end, only the sources to obtain the data from have to be selected, and the program extracts the necessary information and puts it into the appropriate structure. After the data has been imported into the data store, the examiner can query for evidence. If not marked otherwise, the term ontology stands for the one that is introduced in this work.
It is intended to make the gathering of data and the extraction of evidence faster and more effective. One positive side effect of the automatic importing is that there is no need to know every option of every tool involved, so even novice users can use the program to gather evidence, and the forensic expert can concentrate on more difficult tasks. Another point is that multiple users can access the data store, so numerous examiners can work together on one case.
The procedure is mainly intended for the fast examination of cases that incident response teams have to take care of. One requirement for the ontology is that it has to be customizable for special needs. This can be relevant if additional information is required that is not yet represented. An example for this is explained in section 4.2.3.3. Another important point is that the tools that provide the information collected in the data store have to be interchangeable. This allows examiners to use the tools they are familiar with.
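To make the division into ontology, importer, data store and query concrete, here is an added example that is not code from the thesis: two adapters map the constructed output of two hypothetical tools into the same set of triples, so the examiner's query gives the same answer regardless of which tool supplied the data. The vocabulary (fo:NetworkConnection, fo:remoteAddress, fo:openedBy) and both tool formats are assumptions of this example, not the ontology the thesis defines.

```python
from typing import Callable, Iterable

Triple = tuple[str, str, str]
FO = "fo:"  # constructed prefix; the thesis' real ontology terms are not on this page


def netstat_adapter(text: str) -> Iterable[Triple]:
    """Map a constructed netstat-style listing ('proto local remote state pid') to triples."""
    for line in text.strip().splitlines():
        proto, local, remote, state, pid = line.split()
        conn = f"conn:{pid}:{remote}"
        yield (conn, "rdf:type", FO + "NetworkConnection")
        yield (conn, FO + "remoteAddress", remote.rsplit(":", 1)[0])
        yield (conn, FO + "openedBy", f"proc:{pid}")
        yield (f"proc:{pid}", "rdf:type", FO + "Process")


def csv_adapter(text: str) -> Iterable[Triple]:
    """Map a constructed CSV export of a second tool ('pid,remote_ip,remote_port') to triples."""
    for line in text.strip().splitlines()[1:]:  # skip the header row
        pid, ip, port = line.split(",")
        conn = f"conn:{pid}:{ip}:{port}"
        yield (conn, "rdf:type", FO + "NetworkConnection")
        yield (conn, FO + "remoteAddress", ip)
        yield (conn, FO + "openedBy", f"proc:{pid}")
        yield (f"proc:{pid}", "rdf:type", FO + "Process")


def import_into(store: set[Triple], adapter: Callable[[str], Iterable[Triple]], text: str) -> set[Triple]:
    """Importer: the examiner selects the source, the adapter does the mapping into the ontology."""
    store.update(adapter(text))
    return store


def processes_contacting(store: set[Triple], remote_ip: str) -> list[str]:
    """Examiner query: which processes opened a connection to remote_ip? Works for either tool."""
    conns = {s for s, p, o in store if p == FO + "remoteAddress" and o == remote_ip}
    return sorted(o for s, p, o in store if s in conns and p == FO + "openedBy")


# Constructed sample output of the two hypothetical tools describing the same host state.
NETSTAT_SAMPLE = "tcp 10.0.0.5:49152 198.51.100.7:443 ESTABLISHED 4242\ntcp 10.0.0.5:49153 203.0.113.9:22 ESTABLISHED 1337\n"
CSV_SAMPLE = "pid,remote_ip,remote_port\n4242,198.51.100.7,443\n1337,203.0.113.9,22\n"

if __name__ == "__main__":
    netstat_store = import_into(set(), netstat_adapter, NETSTAT_SAMPLE)
    csv_store = import_into(set(), csv_adapter, CSV_SAMPLE)
    print(processes_contacting(netstat_store, "198.51.100.7"))  # ['proc:4242']
    print(processes_contacting(csv_store, "198.51.100.7"))      # ['proc:4242']
```

Swapping a tool therefore only means writing a new adapter; the stored triples and the examiner's queries stay unchanged.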
The idea is to build an ontology which represents the forensically interesting parts of a computer system. Chapter 4 will explain which parts of the information to extract, how to extract them, and why they are interesting. The information is