An Ontology for Digital Forensics in IT Security Incidents - OPUS

More documents

Recommendations

Info

20 CHAPTER 4. FORENSICS entry contains the name of a le, reference to corresponding metadata entries and a list of le name entries for all children. • Metadata Similar to the le name entries there is at least one metadata entry for each le. This entry contains additional information for a le like access rights, ownership, access and creation times and additional ags. Furthermore it contains links to le name entries and data units. • Application specific Some le system types allow special information like journals, quota restrictions, logs or other le system specic options. How the example from section 3.1 splits up to these categories is shown later in section 4.3.1 that explains the corresponding tool. 4.2.2 Random Access Memory Similar to the hard disk, the structure of the data in random access memory depends on the system it is managed by. A big dierence to the hard disk is that the random access memory is volatile. This means, its content is lost when the power is taken away from it. There is not yet a source for this as the model is developed within Siemens CERT and will be published. Like the hard disk, the memory structures can be mapped to a meta structure as shown in gure 4.2. [Schreck et al. Siemens CERT, ] Memory Memory System Architecture Metadata Metacode Data Code Memory Organization Metadata Runtime Organization Metadata OS-specific Data Application Data OS-specific Code Application Code Figure 4.2: Random access memory structure The categories contain the following information[Schreck et al. Siemens CERT, ]: • Memory System Architecture This category contains information that is necessary to boot a system.
4.2. DATA 21 It comprises for example physical memory layout information, boot code, setup code, and the size of the page tables. • Metadata Memory Organization This is the data that contains information about the organization of the memory. It is necessary to manage the memory and includes for example the page tables. Runtime Organization This is the data that is necessary for the management of data within the memory. It comprises for example the process list and the IO management. • Metacode This section contains the code necessary to operate the system and inuence the behaviour of the operating system. This includes for example interrupt service routines, page fault handler, IO code, and scheduler. • Code OS-specific This is the code that is used by the operating system to implement OS-specic functionality. It comprises for example daemon processes and idle process. Application This is the code that is used by user processes. • Data OS-specific This is the data that is used by the operating system processes. Application This is the data that is used by the user processes. 4.2.3 Additional information The data in this section diers from the already mentioned one as it can be derived from one or more of them.
Page 1: Diplomarbeit An Ontology for Digita
Page 4 and 5: Acknowledgement I would like to tha
Page 6 and 7: 4 CONTENTS 5.1.4 Storage . . . . .
Page 8 and 9: 6 CONTENTS
Page 10 and 11: 8 CHAPTER 1. INTRODUCTION data lead
Page 12 and 13: 10 CHAPTER 2. RELATED WORK investig
Page 14 and 15: 12 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 16 and 17: 14 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 18 and 19: 16 CHAPTER 4. FORENSICS Basic rules
Page 20 and 21: 18 CHAPTER 4. FORENSICS 4.1.2.2 Ran
Page 24 and 25: 22 CHAPTER 4. FORENSICS 4.2.3.1 Reg
Page 26 and 27: 24 CHAPTER 4. FORENSICS vulnerable
Page 28 and 29: 26 CHAPTER 4. FORENSICS The fls -m
Page 30 and 31: 28 CHAPTER 4. FORENSICS of the sock
Page 32 and 33: 30 CHAPTER 4. FORENSICS
Page 34 and 35: 32 CHAPTER 5. ONTOLOGY Person name
Page 36 and 37: 34 CHAPTER 5. ONTOLOGY 5.1.1 Creati
Page 38 and 39: 36 CHAPTER 5. ONTOLOGY Resource Des
Page 40 and 41: 38 CHAPTER 5. ONTOLOGY to be Augsbu
Page 42 and 43: 40 CHAPTER 5. ONTOLOGY Gephi and Cy
Page 44 and 45: 42 CHAPTER 5. ONTOLOGY
Page 46 and 47: 44 CHAPTER 6. FORENSIC ONTOLOGY for
Page 48 and 49: 46 CHAPTER 6. FORENSIC ONTOLOGY pro
Page 50 and 51: 48 CHAPTER 6. FORENSIC ONTOLOGY reg
Page 52 and 53: 50 CHAPTER 6. FORENSIC ONTOLOGY 6.9
Page 54 and 55: 52 CHAPTER 6. FORENSIC ONTOLOGY Par
Page 56 and 57: 54 CHAPTER 6. FORENSIC ONTOLOGY
Page 58 and 59: 56 CHAPTER 7. IMPLEMENTATION 7.3 RD
Page 60 and 61: 58 CHAPTER 7. IMPLEMENTATION the co
Page 62 and 63: 60 CHAPTER 7. IMPLEMENTATION 1 SELE
Page 64 and 65: 62 CHAPTER 7. IMPLEMENTATION Anothe
Page 66 and 67: 64 CHAPTER 7. IMPLEMENTATION 7.8 St
Page 68 and 69: 66 CHAPTER 8. EVALUATION 6. The las
Page 70 and 71: 68 CHAPTER 8. EVALUATION key (CTEMO
Page 72 and 73:
70 CHAPTER 9. SUMMARY after some is
Page 74 and 75:
72 APPENDIX A. EXTRACTION TOOL LIST
Page 76 and 77:
74 APPENDIX A. EXTRACTION TOOL LIST
Page 78 and 79:
76 APPENDIX B. FORENSIC TOOLS OUTPU
Page 80 and 81:
78 APPENDIX C. SCREENSHOTS Figure C
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
84 APPENDIX C. SCREENSHOTS
Page 88 and 89:
86 BIBLIOGRAPHY [Carrier, 2012c] Ca
Page 90 and 91:
88 BIBLIOGRAPHY [Microsoft, 2010] M
Page 92:
90 BIBLIOGRAPHY [W3C, 2004] W3C (20
show all

An Ontology for Digital Forensics in IT Security Incidents - OPUS

Create successful ePaper yourself

Delete template?

Save as template?