An Ontology for Digital Forensics in IT Security Incidents - OPUS
An Ontology for Digital Forensics in IT Security Incidents - OPUS An Ontology for Digital Forensics in IT Security Incidents - OPUS
60 CHAPTER 7. IMPLEMENTATION 1 SELECT DISTINCT ? name ? file 2 WHERE { 3 ? file rdf : type fs : FSFileName . 4 ? file fsfn : name ? name . 5 FILTER ( regex ( str (? name ), " FILENAME ")) 6 } Listing 7.4: Find le Query 7.6.2 Autorun According to [Microsoft, 2010] the entries for the Run and RunOnce keys are located in the paths shown in listing 7.5. HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersion / Run HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Run HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersion / RunOnce HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / RunOnce Listing 7.5: Autorun registry paths A common part of these paths is Windows/CurrentVersion/Run. The goal of the query is to retrieve the key-value pairs that are the values of these keys. The resulting query is shown in listing 7.6. At rst, in lines three and four a key that has the name Windows is selected and bound to the variable ?win. Line ve binds a sub key of the one in ?win to the variable ?cv. The lines six and seven ensure that the key in ?cv has the name CurrentVersion. Line eight works similarly to line ve and binds the subkeys of ?cv to ?run. Line ten lters the value of ?run to contain Run in its name. This way Run, RunOnce and all other keys that contain run like RunServices and RunServicesOnce are included. The lines eleven to thirteen extract the key-value pairs to the variables ?name and ?command. 7.6.3 Parent Process Some malware tries to hide by removing itself from the process hierarchy that starts with one process. This can be detected by looking at the line of ancestors of each process. If one process is its own parent or does not originate from the most basic process, it might have tried to hide. Of course the most basic parent process is always in the result set as it was specied to be its own parent in section 6.5. For this query again two possibilities exist. The rst one is shown in listing 7.7. Lines three and four bind a pro:Process object to the variable ?child that is the process the query will examine. The OPTIONAL keyword species that the restrictions in the following block, that is indicated by braces, do not necessarily need to match. The * in line six
7.6. SPARQL 61 1 SELECT DISTINCT ? nrun ? name ? command 2 WHERE { 3 ? win rdf : type reg : Key . 4 ? win reg : name [ rdf : value " Windows " ] . 5 ? win reg : hasSubKey [ rdf : value ? cv ] . 6 ? cv rdf : type reg : Key . 7 ? cv reg : name [ rdf : value " CurrentVersion " ] . 8 ? cv reg : hasSubKey [ rdf : value ? run ] . 9 ? run reg : name [ rdf : value ? nrun ] . 10 FILTER ( regex ( str (? nrun ), " Run ", "i ")) . 11 ? run reg : hasValue [ rdf : value ? value ] . 12 ? value reg : key [ rdf : value ? name ] . 13 ? value reg : value [ cnt : ContentAsText ? command ] . 14 } Listing 7.6: Autorun Query says that the pro:parent predicate can be matched not, once or multiple times. So the variable ?parent is bound to the one of the ancestors of ?child regarding the pro:parent relation. The structure of the process part of the ontology requires that the most basic parent process has itself as parent as demanded in section 6.5. Along with line seven this leads to the fact that the ?parent variable must be the most basic root. The lter in line eight ensures that the predicate in line six is not applied zero times. If any of the restrictions in the OPTIONAL block does not match the variable ?parent is not bound. This case is ltered in line ten, so only those processes are included in the result that do not have a parent according to the restrictions in the OPTIONAL block. 1 SELECT DISTINCT ? parent ? child ? childname 2 WHERE { 3 ? child rdf : type pro : Process . 4 ? child pro : Name [ rdf : value ? childname ] . 5 OPTIONAL { 6 ? child pro : parent * ? parent . 7 ? parent pro : parent ? parent . 8 FILTER (? child != ? parent ) 9 } 10 FILTER (! BOUND (? parent )) 11 } Listing 7.7: Parent Process SELECT query
- Page 12 and 13: 10 CHAPTER 2. RELATED WORK investig
- Page 14 and 15: 12 CHAPTER 3. GOAL FORENSIC SEMANTI
- Page 16 and 17: 14 CHAPTER 3. GOAL FORENSIC SEMANTI
- Page 18 and 19: 16 CHAPTER 4. FORENSICS Basic rules
- Page 20 and 21: 18 CHAPTER 4. FORENSICS 4.1.2.2 Ran
- Page 22 and 23: 20 CHAPTER 4. FORENSICS entry conta
- Page 24 and 25: 22 CHAPTER 4. FORENSICS 4.2.3.1 Reg
- Page 26 and 27: 24 CHAPTER 4. FORENSICS vulnerable
- Page 28 and 29: 26 CHAPTER 4. FORENSICS The fls -m
- Page 30 and 31: 28 CHAPTER 4. FORENSICS of the sock
- Page 32 and 33: 30 CHAPTER 4. FORENSICS
- Page 34 and 35: 32 CHAPTER 5. ONTOLOGY Person name
- Page 36 and 37: 34 CHAPTER 5. ONTOLOGY 5.1.1 Creati
- Page 38 and 39: 36 CHAPTER 5. ONTOLOGY Resource Des
- Page 40 and 41: 38 CHAPTER 5. ONTOLOGY to be Augsbu
- Page 42 and 43: 40 CHAPTER 5. ONTOLOGY Gephi and Cy
- Page 44 and 45: 42 CHAPTER 5. ONTOLOGY
- Page 46 and 47: 44 CHAPTER 6. FORENSIC ONTOLOGY for
- Page 48 and 49: 46 CHAPTER 6. FORENSIC ONTOLOGY pro
- Page 50 and 51: 48 CHAPTER 6. FORENSIC ONTOLOGY reg
- Page 52 and 53: 50 CHAPTER 6. FORENSIC ONTOLOGY 6.9
- Page 54 and 55: 52 CHAPTER 6. FORENSIC ONTOLOGY Par
- Page 56 and 57: 54 CHAPTER 6. FORENSIC ONTOLOGY
- Page 58 and 59: 56 CHAPTER 7. IMPLEMENTATION 7.3 RD
- Page 60 and 61: 58 CHAPTER 7. IMPLEMENTATION the co
- Page 64 and 65: 62 CHAPTER 7. IMPLEMENTATION Anothe
- Page 66 and 67: 64 CHAPTER 7. IMPLEMENTATION 7.8 St
- Page 68 and 69: 66 CHAPTER 8. EVALUATION 6. The las
- Page 70 and 71: 68 CHAPTER 8. EVALUATION key (CTEMO
- Page 72 and 73: 70 CHAPTER 9. SUMMARY after some is
- Page 74 and 75: 72 APPENDIX A. EXTRACTION TOOL LIST
- Page 76 and 77: 74 APPENDIX A. EXTRACTION TOOL LIST
- Page 78 and 79: 76 APPENDIX B. FORENSIC TOOLS OUTPU
- Page 80 and 81: 78 APPENDIX C. SCREENSHOTS Figure C
- Page 82 and 83: 80 APPENDIX C. SCREENSHOTS Figure C
- Page 84 and 85: 82 APPENDIX C. SCREENSHOTS Figure C
- Page 86 and 87: 84 APPENDIX C. SCREENSHOTS
- Page 88 and 89: 86 BIBLIOGRAPHY [Carrier, 2012c] Ca
- Page 90 and 91: 88 BIBLIOGRAPHY [Microsoft, 2010] M
- Page 92: 90 BIBLIOGRAPHY [W3C, 2004] W3C (20
7.6. SPARQL 61<br />
1 SELECT DISTINCT ? nrun ? name ? command<br />
2 WHERE {<br />
3 ? w<strong>in</strong> rdf : type reg : Key .<br />
4 ? w<strong>in</strong> reg : name [ rdf : value " W<strong>in</strong>dows " ] .<br />
5 ? w<strong>in</strong> reg : hasSubKey [ rdf : value ? cv ] .<br />
6 ? cv rdf : type reg : Key .<br />
7 ? cv reg : name [ rdf : value " CurrentVersion " ] .<br />
8 ? cv reg : hasSubKey [ rdf : value ? run ] .<br />
9 ? run reg : name [ rdf : value ? nrun ] .<br />
10 FILTER ( regex ( str (? nrun ), " Run ", "i ")) .<br />
11 ? run reg : hasValue [ rdf : value ? value ] .<br />
12 ? value reg : key [ rdf : value ? name ] .<br />
13 ? value reg : value [ cnt : ContentAsText ? command ] .<br />
14 }<br />
List<strong>in</strong>g 7.6: Autorun Query<br />
says that the pro:parent predicate can be matched not, once or multiple<br />
times. So the variable ?parent is bound to the one of the ancestors of ?child<br />
regard<strong>in</strong>g the pro:parent relation. The structure of the process part of the<br />
ontology requires that the most basic parent process has itself as parent as<br />
demanded <strong>in</strong> section 6.5. Along with l<strong>in</strong>e seven this leads to the fact that<br />
the ?parent variable must be the most basic root. The lter <strong>in</strong> l<strong>in</strong>e eight<br />
ensures that the predicate <strong>in</strong> l<strong>in</strong>e six is not applied zero times. If any of<br />
the restrictions <strong>in</strong> the OPTIONAL block does not match the variable ?parent<br />
is not bound. This case is ltered <strong>in</strong> l<strong>in</strong>e ten, so only those processes are<br />
<strong>in</strong>cluded <strong>in</strong> the result that do not have a parent accord<strong>in</strong>g to the restrictions<br />
<strong>in</strong> the OPTIONAL block.<br />
1 SELECT DISTINCT ? parent ? child ? childname<br />
2 WHERE {<br />
3 ? child rdf : type pro : Process .<br />
4 ? child pro : Name [ rdf : value ? childname ] .<br />
5 OPTIONAL {<br />
6 ? child pro : parent * ? parent .<br />
7 ? parent pro : parent ? parent .<br />
8 FILTER (? child != ? parent )<br />
9 }<br />
10 FILTER (! BOUND (? parent ))<br />
11 }<br />
List<strong>in</strong>g 7.7: Parent Process SELECT query