An Ontology for Digital Forensics in IT Security Incidents - OPUS
Chapter 9
Summary

The goal of this work has been defined as developing an ontology that makes it easier to investigate security incidents. The required features include automatic extraction of evidence from a computer and a way to gather evidence from the extracted data.

The ontology was created using existing generic structures for the different forensically interesting parts of the computer. In this work the hard disk and the random access memory were dealt with. To accomplish the extraction of the data from these sources, existing forensic tools are used and their output is converted to a format that conforms with the structure of the ontology. To gather evidence from the converted data, it is stored in a queryable triple store. A collection of queries has been developed and tested on real malware samples (section 7.6 and chapter 8).

A problem with the visualization of ontologies is that, in contrast to other markup languages, for example UML, the graphical representation of the individual elements is not specified.

What cannot yet be found by the ontology are traces that are located in the content of the files on the hard disk or in the code and data of the random access memory. Such information can be integrated into the developed ontology by including additional forensic tools. Any other information that may be useful to investigate a case can be included in the ontology, as shown in section 7.7.

An advantage of the XML-based structure of RDF is the ease of generating it from the output of different tools.
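The pipeline summarized above (tool output converted to triples that follow the ontology, loaded into a triple store, queried for traces), as an added example that is not the thesis' code: two constructed tool outputs, a process list from memory and a file listing from disk, are mapped to triples and queried for a trace neither source shows on its own. The thesis uses RDF and a real triple store; the namespace, property names and the plain-Python store here are assumptions.

```python
# Added example (not the thesis' code): a miniature version of the pipeline the
# chapter describes. Constructed output of a memory tool (process list) and a
# disk tool (file listing) is converted into triples under an assumed ontology,
# loaded into one store and queried for a trace neither source shows alone.
NS = "http://example.org/forensic#"  # hypothetical ontology namespace
# Constructed memory-tool output: pid, process name, image path ("-" = none).
PSLIST = """\
4    System       -
612  svchost.exe  C:\\Windows\\System32\\svchost.exe
1337 updater.exe  C:\\Users\\Public\\updater.exe
"""
# Constructed disk-tool output: path, size in bytes.
FLS = """\
C:\\Windows\\System32\\svchost.exe 51200
C:\\Windows\\notepad.exe           181248
"""

def pslist_to_triples(text):
    """Convert each process line into (subject, predicate, object) triples."""
    triples = []
    for line in text.splitlines():
        pid, name, path = line.split()
        proc = f"{NS}process/{pid}"  # one individual per running process
        triples += [(proc, f"{NS}type", f"{NS}Process"), (proc, f"{NS}name", name)]
        if path != "-":  # lower-case because NTFS paths are case-insensitive
            triples.append((proc, f"{NS}imagePath", path.lower()))
    return triples

def fls_to_triples(text):
    """Convert each file line into triples; the path identifies the file."""
    triples = []
    for line in text.splitlines():
        path, size = line.split()
        f = f"{NS}file/{path.lower()}"
        triples += [(f, f"{NS}type", f"{NS}File"), (f, f"{NS}path", path.lower()),
                    (f, f"{NS}size", int(size))]
    return triples

def find(store, s=None, p=None, o=None):
    """Triple-pattern query over the store; None acts as a wildcard."""
    return [t for t in store
            if all(w is None or w == h for w, h in zip((s, p, o), t))]

def processes_without_image_on_disk(store):
    """Correlate RAM with disk: image paths that have no File individual."""
    on_disk = {o for _, _, o in find(store, p=f"{NS}path")}
    return sorted(o for _, _, o in find(store, p=f"{NS}imagePath")
                  if o not in on_disk)

STORE = pslist_to_triples(PSLIST) + fls_to_triples(FLS)
```

Because both sources share one representation, the final query joins memory evidence with disk evidence without either tool knowing about the other.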
That the provided queries can be used to find traces of malware was shown in chapter 8.

Traces of malware can also be found by virus scanning programs. But in contrast to these, the ontological approach allows finding malware for which there does not yet exist a signature, behaviour profile or any other characteristic for detection. Additionally, it is not the purpose of this approach to compete with such programs, as forensic analysis most times takes place

69