An Ontology for Digital Forensics in IT Security Incidents - OPUS

15.01.2014 Views
Acknowledgement I would like to thank all those who participated in making this piece of work a reality. Special thanks go to Thomas Schreck who suggested the topic of this thesis and guided me through the eld of forensics. Additionally I would like to express my gratitude towards Dr. Kurt Stenzel who made this work possible. Special thanks also to all further proof readers who gave me valuable feedback, namely Gabriele Binner and Christoph Lassner. Last but not least I would like to thank my family and my girlfriend for supporting me during all the time of work.

Contents 1 Introduction 7 2 Related Work 9 3 Goal Forensic Semantic Model 11 3.1 Ontology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.2 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4 Forensics 15 4.1 Forensics Basics . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.1.1 Real Case . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.1.2 Cyber Forensics . . . . . . . . . . . . . . . . . . . . . . 15 4.1.2.1 Hard Disk . . . . . . . . . . . . . . . . . . . . 17 4.1.2.2 Random Access Memory . . . . . . . . . . . 18 4.1.3 Example . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4.2 Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.2.1 Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.2.2 Random Access Memory . . . . . . . . . . . . . . . . . 20 4.2.3 Additional information . . . . . . . . . . . . . . . . . . 21 4.2.3.1 Registry . . . . . . . . . . . . . . . . . . . . . 22 4.2.3.2 Network . . . . . . . . . . . . . . . . . . . . . 22 4.2.3.3 Other data on a computer . . . . . . . . . . . 22 4.2.4 Example . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.3 Forensic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.3.1 The Sleuth Kit . . . . . . . . . . . . . . . . . . . . . . 25 4.3.2 Volatility . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.3.3 reglookup . . . . . . . . . . . . . . . . . . . . . . . . . 28 4.3.4 bkhive + samdump2 . . . . . . . . . . . . . . . . . . . 29 5 Ontology 31 5.1 Ontology Basics . . . . . . . . . . . . . . . . . . . . . . . . . . 31 5.1.1 Creating an ontology . . . . . . . . . . . . . . . . . . . 34 5.1.2 Advantages of ontologies for forensics . . . . . . . . . . 35 5.1.3 XML/RDF(S)/OWL . . . . . . . . . . . . . . . . . . . 35 3

Page 1: Diplomarbeit An Ontology for Digita

Page 6 and 7: 4 CONTENTS 5.1.4 Storage . . . . .

Page 8 and 9: 6 CONTENTS

Page 10 and 11: 8 CHAPTER 1. INTRODUCTION data lead

Page 12 and 13: 10 CHAPTER 2. RELATED WORK investig

Page 14 and 15: 12 CHAPTER 3. GOAL FORENSIC SEMANTI

Page 16 and 17: 14 CHAPTER 3. GOAL FORENSIC SEMANTI

Page 18 and 19: 16 CHAPTER 4. FORENSICS Basic rules

Page 20 and 21: 18 CHAPTER 4. FORENSICS 4.1.2.2 Ran

Page 22 and 23: 20 CHAPTER 4. FORENSICS entry conta

Page 24 and 25: 22 CHAPTER 4. FORENSICS 4.2.3.1 Reg

Page 26 and 27: 24 CHAPTER 4. FORENSICS vulnerable

Page 28 and 29: 26 CHAPTER 4. FORENSICS The fls -m

Page 30 and 31: 28 CHAPTER 4. FORENSICS of the sock

Page 32 and 33: 30 CHAPTER 4. FORENSICS

Page 34 and 35: 32 CHAPTER 5. ONTOLOGY Person name

Page 36 and 37: 34 CHAPTER 5. ONTOLOGY 5.1.1 Creati

Page 38 and 39: 36 CHAPTER 5. ONTOLOGY Resource Des

Page 40 and 41: 38 CHAPTER 5. ONTOLOGY to be Augsbu

Page 42 and 43: 40 CHAPTER 5. ONTOLOGY Gephi and Cy

Page 44 and 45: 42 CHAPTER 5. ONTOLOGY

Page 46 and 47: 44 CHAPTER 6. FORENSIC ONTOLOGY for

Page 48 and 49: 46 CHAPTER 6. FORENSIC ONTOLOGY pro

Page 50 and 51: 48 CHAPTER 6. FORENSIC ONTOLOGY reg

Page 52 and 53: 50 CHAPTER 6. FORENSIC ONTOLOGY 6.9

Page 54 and 55: 52 CHAPTER 6. FORENSIC ONTOLOGY Par

Page 56 and 57: 54 CHAPTER 6. FORENSIC ONTOLOGY

Page 58 and 59: 56 CHAPTER 7. IMPLEMENTATION 7.3 RD

Page 60 and 61: 58 CHAPTER 7. IMPLEMENTATION the co

Page 62 and 63: 60 CHAPTER 7. IMPLEMENTATION 1 SELE

Page 64 and 65: 62 CHAPTER 7. IMPLEMENTATION Anothe

Page 66 and 67: 64 CHAPTER 7. IMPLEMENTATION 7.8 St

Page 68 and 69: 66 CHAPTER 8. EVALUATION 6. The las

Page 70 and 71: 68 CHAPTER 8. EVALUATION key (CTEMO

Page 72 and 73: 70 CHAPTER 9. SUMMARY after some is

Page 74 and 75: 72 APPENDIX A. EXTRACTION TOOL LIST

Page 76 and 77: 74 APPENDIX A. EXTRACTION TOOL LIST

Page 78 and 79: 76 APPENDIX B. FORENSIC TOOLS OUTPU

Page 80 and 81: 78 APPENDIX C. SCREENSHOTS Figure C



Page 86 and 87: 84 APPENDIX C. SCREENSHOTS

Page 88 and 89: 86 BIBLIOGRAPHY [Carrier, 2012c] Ca

Page 90 and 91: 88 BIBLIOGRAPHY [Microsoft, 2010] M

Page 92: 90 BIBLIOGRAPHY [W3C, 2004] W3C (20

ontology

listing

forensic

query

disk

registry

entry

output

forensics

rdfs

digital

incidents

opus

opus.bibliothek.uni-augsburg.de

An Ontology for Digital Forensics in IT Security Incidents - OPUS

An Ontology for Digital Forensics in IT Security Incidents - OPUS ... View more An Ontology for Digital Forensics in IT Security Incidents - OPUS

Delete template?

Save as template ?

An Ontology for Digital Forensics in IT Security Incidents - OPUS An Ontology for Digital Forensics in IT Security Incidents - OPUS