An Ontology for Digital Forensics in IT Security Incidents - OPUS

More documents

Recommendations

Info

24 CHAPTER 4. FORENSICS vulnerable to tampering as any other le. Another problem mentioned in [Kruse and Heiser, 2001, pp 320f] is the admissibility of log les. Depending on the legal boundaries some of them are allowed and others are not. If one needs the information from log les in the ontology one can add it. Another problem of log les is that if they were disabled neither investigators nor tools may be able to detect that or reconstruct the data[Harris, 2006]. Details on adding other data with the example log les can be found in section 7.7. 4.2.4 Example After the data was collected as explained in section 4.1.3 the next step is to split it up to the structures explained above. The hard disk data is separated according to section 4.2.1. In the data structure of the le system category all le name entries are listed except the ones for the ImportantDocument and the Malware le. All le name entries, metadata entries, and all data units are still on the disk, although the les were deleted, and get assigned to the corresponding categories. The data of the Registry le is extracted and categorized. The processes are data in the random access memory that belong to the Runtime Organization Metadata category, whereas the handles and connections belong to the according Data category and the registry belongs to the OS-specific Data category. The registry is extracted and categorized similar to the Registry le on the hard disk. The content of the Registry le on the hard disk is shown in gure 4.3. The content if the Registry memory object diers from the one on the hard disk only in the Firewall/Status which has the value 0 instead of 1. How the data ts to the ontology will be explained in section 6.10. 4.3 Forensic Tools This section provides an overview of the used forensic tools. As for most use cases there are alternatives for these tools. The selected tools are all released under open source licenses. This has some advantage over closed source tools. As explained in [Carrier, 2003] using open source tools, respectively having access to the relevant code for commercial tools, simplies the procedure of proving the admissibility of the found evidence. In [Manson et al., 2007] open source forensic tools are compared to a proprietary one. It shows that the open source tools are robust and easy to use. This section is not intended to be a manual for the tools and all their options, thus it will discuss only those parts that are useful for this work.
4.3. FORENSIC TOOLS 25 4.3.1 The Sleuth Kit The Sleuth Kit[Carrier, 2012a] is a collection of programs for analysing the data on a hard disk respectively on an image of it[Carrier, 2012b]. It was developed by Brian Carrier, author of [Carrier, 2005]. The programs are subdivided into categories. The tools are subdivided according to the categories that are shown in section 4.2.1:[Carrier, 2012c] • File System fsstat Shows le system details and statistics including layout, sizes, and labels. An example output is shown in the appendix in listing B.1. • File Name s Lists allocated and deleted le names in a directory. • Metadata icat Extracts the data units of a le, which is specied by its meta data address (instead of the le name). Another set of tools can be used to extract the le system structure from a disk or disk image. • mmls Displays the layout of a disk, including the unallocated spaces. For most commands an oset of the beginning of the image is required, as the image does not necessarily start with the rst partition or the partition one wants to analyse. The mmls command displays the structure of the image and the required oset can be read from the output. The output for the example of section 3.2 is similar to the example given in listing 4.1. In this example the rst partition starts at 63. The tools for extracting the information from this partition need to be started with -o 63. DOS Partition Table Offset Sector : 0 Units are in 512 - byte sectors Slot Start End Length Description 00: Meta 0000000000 0000000000 0000000001 Primary Table (#0) 01: ----- 0000000000 0000000062 0000000063 Unallocated 02: 00:00 0000000063 0020948759 0020948697 NTFS (0 x07 ) 03: ----- 0020948760 0020971519 0000022760 Unallocated Listing 4.1: Sample output of mmls
Page 1: Diplomarbeit An Ontology for Digita
Page 4 and 5: Acknowledgement I would like to tha
Page 6 and 7: 4 CONTENTS 5.1.4 Storage . . . . .
Page 8 and 9: 6 CONTENTS
Page 10 and 11: 8 CHAPTER 1. INTRODUCTION data lead
Page 12 and 13: 10 CHAPTER 2. RELATED WORK investig
Page 14 and 15: 12 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 16 and 17: 14 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 18 and 19: 16 CHAPTER 4. FORENSICS Basic rules
Page 20 and 21: 18 CHAPTER 4. FORENSICS 4.1.2.2 Ran
Page 22 and 23: 20 CHAPTER 4. FORENSICS entry conta
Page 24 and 25: 22 CHAPTER 4. FORENSICS 4.2.3.1 Reg
Page 28 and 29: 26 CHAPTER 4. FORENSICS The fls -m
Page 30 and 31: 28 CHAPTER 4. FORENSICS of the sock
Page 32 and 33: 30 CHAPTER 4. FORENSICS
Page 34 and 35: 32 CHAPTER 5. ONTOLOGY Person name
Page 36 and 37: 34 CHAPTER 5. ONTOLOGY 5.1.1 Creati
Page 38 and 39: 36 CHAPTER 5. ONTOLOGY Resource Des
Page 40 and 41: 38 CHAPTER 5. ONTOLOGY to be Augsbu
Page 42 and 43: 40 CHAPTER 5. ONTOLOGY Gephi and Cy
Page 44 and 45: 42 CHAPTER 5. ONTOLOGY
Page 46 and 47: 44 CHAPTER 6. FORENSIC ONTOLOGY for
Page 48 and 49: 46 CHAPTER 6. FORENSIC ONTOLOGY pro
Page 50 and 51: 48 CHAPTER 6. FORENSIC ONTOLOGY reg
Page 52 and 53: 50 CHAPTER 6. FORENSIC ONTOLOGY 6.9
Page 54 and 55: 52 CHAPTER 6. FORENSIC ONTOLOGY Par
Page 56 and 57: 54 CHAPTER 6. FORENSIC ONTOLOGY
Page 58 and 59: 56 CHAPTER 7. IMPLEMENTATION 7.3 RD
Page 60 and 61: 58 CHAPTER 7. IMPLEMENTATION the co
Page 62 and 63: 60 CHAPTER 7. IMPLEMENTATION 1 SELE
Page 64 and 65: 62 CHAPTER 7. IMPLEMENTATION Anothe
Page 66 and 67: 64 CHAPTER 7. IMPLEMENTATION 7.8 St
Page 68 and 69: 66 CHAPTER 8. EVALUATION 6. The las
Page 70 and 71: 68 CHAPTER 8. EVALUATION key (CTEMO
Page 72 and 73: 70 CHAPTER 9. SUMMARY after some is
Page 74 and 75: 72 APPENDIX A. EXTRACTION TOOL LIST
Page 76 and 77:
74 APPENDIX A. EXTRACTION TOOL LIST
Page 78 and 79:
76 APPENDIX B. FORENSIC TOOLS OUTPU
Page 80 and 81:
78 APPENDIX C. SCREENSHOTS Figure C
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
84 APPENDIX C. SCREENSHOTS
Page 88 and 89:
86 BIBLIOGRAPHY [Carrier, 2012c] Ca
Page 90 and 91:
88 BIBLIOGRAPHY [Microsoft, 2010] M
Page 92:
90 BIBLIOGRAPHY [W3C, 2004] W3C (20
show all

An Ontology for Digital Forensics in IT Security Incidents - OPUS

Create successful ePaper yourself

Delete template?

Save as template?