An Ontology for Digital Forensics in IT Security Incidents - OPUS
22 CHAPTER 4. FORENSICS

4.2.3.1 Registry
Information about the registry data can be found in random access memory and on the hard disk, but there is a difference. In memory there are parts of the registry that are only necessary at runtime and can therefore not be found on the disk. Forensically interesting is the difference between the data from the two sources. One cause for differences is that changes in the registry are not always immediately written through to disk or, conversely, loaded into memory. Another one is that malware tries to manipulate the computer by changing one or both sources.

The naming of the different parts of the registry is inspired by the Microsoft Windows registry structure. Other configuration stores can also be mapped to this model, even though the main target system is the Microsoft Windows family.

The registry is made up of hives. Hives are the different files that contain configuration information. One hive contains the data of both sources to make it easier to spot differences. The hives themselves have a tree structure, so every entry in the tree, called a key, can have hive-values, the final configuration data, and sub-keys. The keys can have a state-flag that tells whether the key can be found only in volatile memory or in both sources. The hive-values are tuples of key, value and data type of the value. An example hive is shown in figure 4.3.

As mentioned before, the configuration of other systems can be mapped to this structure. For example, the configuration of the Gnome Desktop is also structured as a tree [The GNOME Project, 2011].
4.2.3.2 Network

Similar to the registry data, this data is acquired from one or more of the sources above. Interesting network information includes current IP addresses and connections, gateways, and name servers. If the malware, for example, wants to redirect the user to manipulated or forged websites, it may change the name server, as done by the DNSChanger [Federal Bureau of Investigation, 2011].
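The following is an added example (not part of the thesis or of any tool it describes) that models the hive structure of section 4.2.3.1 (keys with hive-values and sub-keys, a state-flag of "volatile" or "both") and differences a memory-acquired view of a hive against the disk-acquired view, which is exactly where the text places the forensic interest. The same tree model is then used for the network data of section 4.2.3.2, so a name server that differs between memory and disk, as in the DNSChanger case, shows up as one finding. All key names, value names and addresses below are constructed sample data; the "disk-only" state is an assumption added here for keys that exist on disk but not in memory (the thesis model itself only distinguishes "volatile" and "both").

```python
# Added example, not the thesis's own code: a small model of the registry
# ontology (hive = tree of keys; key = hive-values + sub-keys) and a
# differencing routine over a memory-acquired and a disk-acquired view.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A hive-value is (data, data type); the value's name is the dict key,
# so the tuple (name, data, type) from the text is spread over dict + tuple.
HiveValue = Tuple[object, str]


@dataclass
class Key:
    """One entry in the hive tree: its hive-values and its sub-keys."""
    values: Dict[str, HiveValue] = field(default_factory=dict)
    subkeys: Dict[str, "Key"] = field(default_factory=dict)


def key(values=None, subkeys=None) -> Key:
    """Convenience constructor for building sample hives."""
    return Key(dict(values or {}), dict(subkeys or {}))


@dataclass
class Finding:
    path: str                       # key path, e.g. \SERVICES\Tcpip
    state: str                      # "both", "volatile" (memory only) or "disk-only" (assumption)
    name: Optional[str] = None      # value name; None for key-level findings
    memory: Optional[HiveValue] = None
    disk: Optional[HiveValue] = None


def diff_hive(mem: Optional[Key], disk: Optional[Key], path: str = "") -> List[Finding]:
    """Walk both views of one hive and report every place they disagree.

    A key missing from the disk view is reported with state "volatile"
    (runtime-only data); a key missing from memory as "disk-only" (for
    example deleted at runtime but not yet flushed). Values under a key
    present in both sources are compared pairwise, including data type.
    """
    if disk is None:
        return [Finding(path, "volatile")]
    if mem is None:
        return [Finding(path, "disk-only")]
    findings: List[Finding] = []
    for name in sorted(set(mem.values) | set(disk.values)):
        m, d = mem.values.get(name), disk.values.get(name)
        if m != d:
            findings.append(Finding(path, "both", name, m, d))
    for sub in sorted(set(mem.subkeys) | set(disk.subkeys)):
        findings.extend(diff_hive(mem.subkeys.get(sub), disk.subkeys.get(sub), path + "\\" + sub))
    return findings


def describe(f: Finding) -> str:
    """One human-readable line per finding, for an investigator's report."""
    if f.name is None:
        where = "memory only" if f.state == "volatile" else "disk only"
        return f"{f.path}: key present in {where}"
    return f"{f.path}\\{f.name}: memory={f.memory} disk={f.disk}"


# Constructed sample views of one hive. HARDWARE stands in for a key that
# exists only at runtime; the Tcpip name server differs between the two
# sources, the pattern the DNSChanger paragraph describes.
MEMORY_HIVE = key(subkeys={
    "SOFTWARE": key(subkeys={"Run": key(values={"Updater": ("C:\\upd.exe", "REG_SZ")})}),
    "HARDWARE": key(values={"DESCRIPTION": ("x86", "REG_SZ")}),
    "SERVICES": key(subkeys={"Tcpip": key(values={
        "NameServer": ("203.0.113.9", "REG_SZ"),
        "DefaultGateway": ("192.0.2.1", "REG_SZ"),
    })}),
})
DISK_HIVE = key(subkeys={
    "SOFTWARE": key(subkeys={"Run": key(values={"Updater": ("C:\\upd.exe", "REG_SZ")})}),
    "SERVICES": key(subkeys={"Tcpip": key(values={
        "NameServer": ("192.0.2.53", "REG_SZ"),
        "DefaultGateway": ("192.0.2.1", "REG_SZ"),
    })}),
})

if __name__ == "__main__":
    for finding in diff_hive(MEMORY_HIVE, DISK_HIVE):
        print(describe(finding))
```

Run stand-alone, the script prints one line for the runtime-only HARDWARE key and one for the NameServer value whose memory and disk data disagree; identical values such as DefaultGateway and the Run entry produce no output. Comparing the whole tuple (data and data type) rather than only the data catches the case where the same string is stored under a different registry type.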
4.2.3.3 Other data on a computer

Of course there is more information stored on a computer. One example is log files. These can provide information about events on the system and when they occurred. From this perspective they are forensically interesting. As mentioned in [Kruse and Heiser, 2001, pp 291f], they are not necessarily trustworthy. First, logging has to be enabled and working prior to the incident. Then there is the question of the authenticity of the log entries. Some malware can create and/or edit log entries and thus obfuscate or delete traces. If the log is, for example, a normal file on the computer, it is similarly