An Ontology for Digital Forensics in IT Security Incidents - OPUS
24 CHAPTER 4. FORENSICS

vulnerable to tampering as any other file. Another problem mentioned in [Kruse and Heiser, 2001, pp 320f] is the admissibility of log files. Depending on the legal boundaries some of them are allowed and others are not. If one needs the information from log files in the ontology one can add it. Another problem of log files is that if they were disabled neither investigators nor tools may be able to detect that or reconstruct the data [Harris, 2006]. Details on adding other data with the example log files can be found in section 7.7.
4.2.4 Example

After the data was collected as explained in section 4.1.3, the next step is to split it up into the structures explained above.

The hard disk data is separated according to section 4.2.1. In the data structure of the file system category all file name entries are listed except the ones for the ImportantDocument and the Malware file. All file name entries, metadata entries, and all data units are still on the disk, although the files were deleted, and get assigned to the corresponding categories. The data of the Registry file is extracted and categorized.

The processes are data in the random access memory that belong to the Runtime Organization Metadata category, whereas the handles and connections belong to the corresponding Data category and the registry belongs to the OS-specific Data category. The registry is extracted and categorized similarly to the Registry file on the hard disk.

The content of the Registry file on the hard disk is shown in figure 4.3. The content of the Registry memory object differs from the one on the hard disk only in the Firewall/Status, which has the value 0 instead of 1.

How the data fits the ontology will be explained in section 6.10.
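The disk-versus-memory comparison described above, as an added example that is not from the thesis: a Python function that flattens two registry trees into key paths and reports every path whose value differs, run on constructed sample contents in which only Firewall/Status changes (1 on disk, 0 in memory). The remaining keys and the hive layout are assumptions, not the content of figure 4.3.

```python
"""Reconcile the registry parsed from the disk hive with the copy extracted from memory."""
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample: registry content as parsed from the hive file on the hard disk.
# The key layout is an assumption; only Firewall/Status follows the text.
REGISTRY_DISK: Dict[str, Any] = {
    "Firewall": {"Status": 1},
    "Run": {"Updater": "C:\\Program Files\\Updater\\upd.exe"},
}

# Constructed sample: the same registry as reconstructed from the memory image.
REGISTRY_MEMORY: Dict[str, Any] = {
    "Firewall": {"Status": 0},
    "Run": {"Updater": "C:\\Program Files\\Updater\\upd.exe"},
}

MISSING = object()  # marker for a value present on only one side
Difference = Tuple[str, Any, Any]  # (key path, value on disk, value in memory)


def _walk(tree: Dict[str, Any], prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Flatten nested registry keys into 'Key/Subkey/Value' paths."""
    for name, value in tree.items():
        path = f"{prefix}/{name}" if prefix else name
        if isinstance(value, dict):
            yield from _walk(value, path)
        else:
            yield path, value


def diff_registry(disk: Dict[str, Any], memory: Dict[str, Any]) -> List[Difference]:
    """Return every value that differs between the on-disk and in-memory registry.

    Paths that exist on only one side are reported with MISSING, so volatile
    keys that were never written back to the hive are not silently dropped.
    """
    flat_disk = dict(_walk(disk))
    flat_mem = dict(_walk(memory))
    differences: List[Difference] = []
    for path in sorted(set(flat_disk) | set(flat_mem)):
        on_disk = flat_disk.get(path, MISSING)
        in_mem = flat_mem.get(path, MISSING)
        if on_disk != in_mem:
            differences.append((path, on_disk, in_mem))
    return differences


if __name__ == "__main__":
    for path, on_disk, in_mem in diff_registry(REGISTRY_DISK, REGISTRY_MEMORY):
        print(f"{path}: disk={on_disk!r} memory={in_mem!r}")
```

A discrepancy such as Firewall/Status being 0 in memory but 1 on disk tells the investigator which state was live at acquisition time and which was merely persisted.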
4.3 Forensic Tools

This section provides an overview of the forensic tools used. As for most use cases, there are alternatives to these tools. The selected tools are all released under open source licenses, which has some advantages over closed source tools. As explained in [Carrier, 2003], using open source tools, or having access to the relevant code of commercial tools, simplifies proving the admissibility of the evidence found. In [Manson et al., 2007] open source forensic tools are compared to a proprietary one; the comparison shows that the open source tools are robust and easy to use.

This section is not intended to be a manual for the tools and all their options, thus it will discuss only those parts that are useful for this work.