An Ontology for Digital Forensics in IT Security Incidents - OPUS
66 CHAPTER 8. EVALUATION
6. The last step was to query the database for evidence. This step is described in sections 8.3, 8.4, 8.5 and 8.6. For these sections it is assumed that it is not known what kind of malware was run. The approach is to run selected queries to get an overview and then examine the results in more detail.
8.2 SPARQL Queries
This section shows the queries that are used to find traces of malware. Some of them are already explained in detail in chapter 7.
8.2.1 Find file

A query to find files as shown in listing 7.4 is explained in section 7.6.1. FILENAME has to be replaced by the string to search for. The result contains all files that have the given string in their path.
8.2.2 Autorun

The query shown in listing 7.6 is explained in section 7.6.2. It lists all key-value pairs of the values of the Windows/CurrentVersion/Run registry subtrees. These subtrees contain the programs that are started with the operating system.
8.2.3 Network

Another indicator of malware is its network connections. The query from listing 8.1 can be used to find all processes that have TCP connections. It returns the processes and what they are connected to.

Replace the two tools in the hasForensicTool lines by their socket equivalent (see 4.3.2) to search for all network protocols.
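The shape of such a query, written here as an added illustration and not as listing 8.1 from the thesis: the prefix df:, the class and property names, and the tool individuals TCP_CONNECTION_TOOL and TCP_PROCESS_TOOL are placeholders for whatever the ontology in chapter 4 defines. The two hasForensicTool triple patterns are the lines that would be swapped for the socket-based tools to cover all protocols.

```sparql
# Added example, not the thesis's listing 8.1. Namespace, property and
# tool names are assumptions; substitute the ontology's own identifiers.
PREFIX df: <http://example.org/digital-forensics#>

SELECT ?pid ?name ?remoteAddress ?remotePort
WHERE {
  # A process, identified by its PID and image name (assumed properties),
  # as recovered by the process-listing tool
  ?process a df:Process ;
           df:pid ?pid ;
           df:name ?name ;
           df:hasForensicTool df:TCP_PROCESS_TOOL ;
           df:hasConnection ?connection .

  # The connection object recovered by the TCP connection scanner;
  # replace this tool (and the one above) by the socket equivalents of
  # section 4.3.2 to include UDP and other protocols
  ?connection a df:Connection ;
              df:hasForensicTool df:TCP_CONNECTION_TOOL ;
              df:remoteAddress ?remoteAddress ;
              df:remotePort ?remotePort .
}
ORDER BY ?pid
```

Each result row pairs one process with one remote endpoint, so a process with several connections appears once per connection; a GROUP BY ?pid with GROUP_CONCAT on the endpoints would collapse that if an overview is preferred.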
8.2.4 Parent Process

The query explained in section 7.6.3 and shown in listing 7.7 lists all processes that do not have a normal line of ancestors.
8.2.5 Resources

A useful piece of evidence is which resources a process uses. To obtain this information the query from listing 8.2 can be used. The query binds the process to the variable ?pid and filters the name matching the regular expression PROCESSNAME. If the resource is a file, the OPTIONAL block binds the name of the file to the variable ?filename.
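A query with the structure just described, added as an illustration rather than the thesis's listing 8.2: the df: prefix and the property names (pid, name, usesResource, path) are assumptions standing in for the ontology's real vocabulary, while the variables ?pid and ?filename and the PROCESSNAME placeholder follow the text above. The OPTIONAL block is what keeps non-file resources in the result with ?filename left unbound.

```sparql
# Added example, not the thesis's listing 8.2. Namespace and property
# names are assumptions; substitute the ontology's own identifiers.
PREFIX df: <http://example.org/digital-forensics#>

SELECT ?pid ?name ?resource ?filename
WHERE {
  # Bind each process and its identifier to ?pid (assumed properties)
  ?process a df:Process ;
           df:pid ?pid ;
           df:name ?name ;
           df:usesResource ?resource .

  # Keep only processes whose name matches the regular expression;
  # replace PROCESSNAME with the pattern to look for, e.g. "^svchost"
  FILTER regex(?name, "PROCESSNAME", "i")

  # If the resource is a file, also bind its path to ?filename.
  # Other resources (registry keys, mutexes, sockets) are still listed,
  # with ?filename unbound.
  OPTIONAL {
    ?resource a df:File ;
              df:path ?filename .
  }
}
ORDER BY ?pid ?resource
```

Because the regular expression is applied to every process name, running it once with a permissive pattern such as "." gives the overview the introduction of this chapter calls for; narrowing the pattern afterwards is the detailed examination step.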