An Ontology for Digital Forensics in IT Security Incidents - OPUS
52 CHAPTER 6. FORENSIC ONTOLOGY

Partition1 fs:hasFSFileName FsFn6
FsFn6 rdf:type fs:FSFileName
FsFn6 fsfn:name "Root Object/UserData/Malware"
FsO6 rdf:type fs:File
FsO6 fs:containsFSFileName FsFn6
FsO6 fs:childOf FsO2
Partition1 fs:hasFSFileName FsFn7
FsFn7 rdf:type fs:FSFileName
FsFn7 fsfn:name "Root Object/UserData/ImportantDocument"
FsO7 rdf:type fs:File
FsO7 fs:containsFSFileName FsFn7
FsO7 fs:childOf FsO2
Partition1 fs:hasFSFileName FsFn8
FsFn8 rdf:type fs:FSFileName
FsFn8 fsfn:name "Root Object/System/Kernel"
FsO8 rdf:type fs:File
FsO8 fs:containsFSFileName FsFn8
FsO8 fs:childOf FsO3
Partition1 fs:hasFSFileName FsFn9
FsFn9 rdf:type fs:FSFileName
FsFn9 fsfn:name "Root Object/Programs/Browser"
FsO9 rdf:type fs:File
FsO9 fs:containsFSFileName FsFn9
FsO9 fs:childOf FsO4
Partition1 fs:hasFSFileName FsFn10
FsFn10 rdf:type fs:FSFileName
FsFn10 fsfn:name "Root Object/Programs/FileExplorer"
FsO10 rdf:type fs:File
FsO10 fs:containsFSFileName FsFn10
FsO10 fs:childOf FsO4

Listing 6.1: Sample hard disk triples

6.10.2 Random Access Memory

Listing 6.2 shows the triples that represent the data from the random access memory. The process Malware is not visible with the standard tools of the operating system, but it can be found because it is stored in the memory.

pro:ProcessList pro:hasProcess Proc0
Proc0 pro:parent Proc0
Proc0 pro:name "Kernel"
pro:ProcessList pro:hasProcess Proc1
Proc1 pro:parent Proc0
Proc1 pro:name "Browser"
Proc1 pro:hasConnection "www.google.com"
pro:ProcessList pro:hasProcess Proc2
Proc2 pro:parent Proc0
Proc2 pro:name "FileExplorer"
Proc2 pro:hasResource FsO5
Proc2 pro:hasConnection "www.malicious-server.com"
pro:ProcessList pro:hasProcess Proc3
Proc3 pro:parent Proc3
Proc3 pro:name "Malware"

Listing 6.2: Sample memory triples

6.10.3 Registry

Listing 6.3 shows the triples that represent an excerpt of the registry data on the hard disk. The registry data from the memory is not shown, as the only difference is the value of the firewall status.

H1 rdf:type reg:Hive
H1 reg:root K0
H1 reg:name "Hive1"
K0 rdf:type reg:Key
K0 reg:name "Root"
K0 reg:hasSubKey K1
K1 rdf:type reg:Key
K1 reg:name "Firewall"
K1 reg:keystate S1
K1 reg:hasValue V1
S1 rdf:type reg:State
S1 rdf:value "S"
V1 rdf:type reg:Value
V1 reg:type T1
V1 reg:key "Status"
V1 reg:value "1"
T1 rdf:type reg:ValueType
T1 rdf:value "DWORD"

Listing 6.3: Sample registry triples
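The three listings only become useful once they are queried together. The following added example (not code from the thesis) loads an abbreviated copy of the triples from Listings 6.1, 6.2 and 6.3 into a minimal in-memory triple store and runs basic graph-pattern joins, in the style of SPARQL basic graph patterns, to surface the findings the section describes: which processes hold network connections, which in-memory process is self-parented apart from the kernel, which disk files correspond to each process, and where the registry data on disk and in memory disagree. The memory-side firewall value "0" is an assumption; the thesis only states that the firewall status is the one value that differs. The pattern matcher is general, so the same functions work on a larger triple set extracted with the ontology.

```python
"""Minimal triple store with graph-pattern matching over the sample triples
from Listings 6.1-6.3. Added example; not code from the thesis."""

# Constructed from Listings 6.1-6.3, reduced to the triples the queries need.
DISK = {
    ("FsFn6", "fsfn:name", "Root Object/UserData/Malware"),
    ("FsO6", "fs:containsFSFileName", "FsFn6"),
    ("FsFn7", "fsfn:name", "Root Object/UserData/ImportantDocument"),
    ("FsO7", "fs:containsFSFileName", "FsFn7"),
    ("FsFn8", "fsfn:name", "Root Object/System/Kernel"),
    ("FsO8", "fs:containsFSFileName", "FsFn8"),
    ("FsFn9", "fsfn:name", "Root Object/Programs/Browser"),
    ("FsO9", "fs:containsFSFileName", "FsFn9"),
    ("FsFn10", "fsfn:name", "Root Object/Programs/FileExplorer"),
    ("FsO10", "fs:containsFSFileName", "FsFn10"),
    ("K1", "reg:name", "Firewall"), ("K1", "reg:hasValue", "V1"),
    ("V1", "reg:key", "Status"), ("V1", "reg:value", "1"),
}
MEMORY = {
    ("Proc0", "pro:parent", "Proc0"), ("Proc0", "pro:name", "Kernel"),
    ("Proc1", "pro:parent", "Proc0"), ("Proc1", "pro:name", "Browser"),
    ("Proc1", "pro:hasConnection", "www.google.com"),
    ("Proc2", "pro:parent", "Proc0"), ("Proc2", "pro:name", "FileExplorer"),
    ("Proc2", "pro:hasConnection", "www.malicious-server.com"),
    ("Proc3", "pro:parent", "Proc3"), ("Proc3", "pro:name", "Malware"),
    # Assumed value: the thesis says only that the firewall status differs in memory.
    ("K1", "reg:name", "Firewall"), ("K1", "reg:hasValue", "V1"),
    ("V1", "reg:key", "Status"), ("V1", "reg:value", "0"),
}


def is_var(term):
    """Query variables are written SPARQL-style, e.g. "?p"."""
    return isinstance(term, str) and term.startswith("?")


def match(triples, patterns):
    """Return every variable binding that satisfies all (s, p, o) patterns.

    Each pattern is joined against the bindings found so far, so a variable
    that appears in several patterns (or twice in one) must take one value.
    """
    solutions = [{}]
    for pat in patterns:
        next_solutions = []
        for binding in solutions:
            for triple in triples:
                b = dict(binding)
                ok = True
                for term, value in zip(pat, triple):
                    if is_var(term):
                        if b.setdefault(term, value) != value:
                            ok = False
                            break
                    elif term != value:
                        ok = False
                        break
                if ok:
                    next_solutions.append(b)
        solutions = next_solutions
    return solutions


def connections(mem=MEMORY):
    """(process name, remote host) for every process with an open connection."""
    return sorted((s["?n"], s["?h"]) for s in match(mem, [
        ("?p", "pro:hasConnection", "?h"), ("?p", "pro:name", "?n")]))


def self_parented(mem=MEMORY, root="Proc0"):
    """Processes that name themselves as parent, apart from the expected root."""
    return sorted(s["?n"] for s in match(mem, [
        ("?p", "pro:parent", "?p"), ("?p", "pro:name", "?n")]) if s["?p"] != root)


def process_files(mem=MEMORY, disk=DISK):
    """Map each in-memory process to disk paths whose last component is its name."""
    names = {s["?n"] for s in match(mem, [("?p", "pro:name", "?n")])}
    files = match(disk, [("?o", "fs:containsFSFileName", "?f"),
                         ("?f", "fsfn:name", "?path")])
    return {n: sorted(s["?path"] for s in files
                      if s["?path"].rsplit("/", 1)[-1] == n) for n in sorted(names)}


def registry_diffs(disk=DISK, mem=MEMORY):
    """(key, value name, disk value, memory value) where the two images disagree."""
    pat = [("?k", "reg:name", "?kn"), ("?k", "reg:hasValue", "?v"),
           ("?v", "reg:key", "?vn"), ("?v", "reg:value", "?val")]
    on_disk = {(s["?kn"], s["?vn"]): s["?val"] for s in match(disk, pat)}
    in_mem = {(s["?kn"], s["?vn"]): s["?val"] for s in match(mem, pat)}
    return sorted((k, v, on_disk[(k, v)], in_mem[(k, v)])
                  for (k, v) in on_disk.keys() & in_mem.keys()
                  if on_disk[(k, v)] != in_mem[(k, v)])


if __name__ == "__main__":
    print("connections:", connections())
    print("self-parented (not root):", self_parented())
    print("process -> files:", process_files())
    print("registry disk/memory differences:", registry_diffs())
```

The join in `match` is deliberately naive (every pattern is scanned against every triple), which is fine for a worked excerpt but is exactly what a real store such as a SPARQL endpoint replaces with indexes; the point here is that the same triple vocabulary lets one query cut across the disk image, the memory image and the registry.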