An Ontology for Digital Forensics in IT Security Incidents - OPUS
Chapter 4
Forensics

This chapter explains what data is needed for the forensic analysis and introduces tools and techniques for retrieving, storing and accessing that data.

4.1 Forensics Basics

Forensics, short for forensic science, means the systematic application of scientific methods for answering questions. The majority of these questions concern the solution of criminal acts or are otherwise connected to them. Forensic methods are used in order to provide reasonable, reproducible facts for the solution. Since forensic methods have been applied successfully to cases in various domains for a long time, they were adapted to the needs of cases that involve computers. [Kruse and Heiser, 2001]

The term malware is used as a general label for all kinds of malicious software. Among other things this includes viruses, rootkits, trojan horses, worms, and dialers.

4.1.1 Real Case

In the United States of America the famous case of the BTK killer was solved with the help of computational forensics after several decades. The perpetrator killed ten people and sent letters to the police in the years 1974 to 1991. In 2004 he sent a floppy disk with his last message. Forensic examiners found the decisive information in the metadata of the document file. [The Associated Press, 2012, IADT Chicago, 2011]
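The case above turned on authorship metadata embedded in a document file. The following added example (not from this thesis) shows the two steps a forensic examiner would take on such a file: record a hash of the untouched bytes (preservation) and read the core-properties part (extraction). It assumes the modern OOXML (.docx) container rather than the older format used in the case, and the sample document is constructed in memory.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used inside docProps/core.xml of an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample core-properties part; the names and dates are invented.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/">
 <dc:creator>Example Author</dc:creator>
 <cp:lastModifiedBy>Example Editor</cp:lastModifiedBy>
 <dcterms:created>2004-01-15T10:00:00Z</dcterms:created>
 <dcterms:modified>2004-02-16T08:30:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Build a minimal .docx-like zip in memory (constructed evidence file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def extract_core_metadata(data: bytes) -> dict:
    """Read authorship and timestamp fields from docProps/core.xml.
    Operates on the raw bytes only, so the evidence is never modified."""
    fields = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return fields  # not an OOXML package, or metadata was stripped
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for key, path in (("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
                      ("created", "dcterms:created"), ("modified", "dcterms:modified")):
        el = root.find(path, NS)
        if el is not None and el.text:
            fields[key] = el.text.strip()
    return fields


def examine(data: bytes) -> dict:
    """Preservation (hash of the original bytes) followed by extraction."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "metadata": extract_core_metadata(data)}


if __name__ == "__main__":
    print(examine(build_sample_docx()))
```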
4.1.2 Cyber Forensics

In this document, forensics specifically means computational forensics, also called IT forensics or cyber forensics. This "involves preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis" [Kruse and Heiser, 2001].