An Ontology for Digital Forensics in IT Security Incidents - OPUS
An Ontology for Digital Forensics in IT Security Incidents - OPUS An Ontology for Digital Forensics in IT Security Incidents - OPUS
70 CHAPTER 9. SUMMARY after some issue occurred. Using the ontology to investigate the cases made it easier because only queries had to be issued. For example, for the Autorun query the printkey module of volatility needs to be run multiple times to get the data from the registry in the memory. For the registry on the hard disk it is rst needed to know where the relevant les are located and then extract them with icat from The Sleuth Kit if the source is an image and then run reglookup for each of them. All this is simplied to only issuing one query because all other commands have been run automatically during the extraction process. In my opinion the ontological approach has great potential because it makes forensic analysis easier. An additional aspect is that after the database is lled, multiple investigators can use this data and do not need to run the same tools again. The creation of the ontology is not that easy as the tools do not create satisfying RDFS les or are uncomfortable to use. If the forensic ontology is to be developed further, it may be useful to create a tool that allows an easier creation of RDFS les of similar structure. Additionally, a program should be developed that makes it easier to parse the output of a forensic tool and map it to the correct part of the ontology.
Appendix A Extraction tool listings < properties > < comment > ExtractInformation - Config - File < entry key =" samdump2 " >/ usr / bin / samdump2 < entry key =" started " >1353417866724 < entry key =" sesamerepo "> case1 < entry key =" ramimage " >../ cases / case1 / zeus . vmem < entry key =" fsstat " >../ TSK / fsstat < entry key =" hddimage " >../ cases / case1 / zeus . raw < entry key =" threadcount " >10 < entry key =" skipregistry "> true < entry key =" reglookup " >../ reglookup / reglookup < entry key =" ontology " >../ ONTO < entry key =" database "> sesame < entry key =" datadir " >../ cases / case1 / extracted < entry key =" bkhive " >/ usr / bin / bkhive < entry key =" python " >/ usr / bin / python < entry key =" fls " >../ TSK / fls < entry key =" hddimageoffset " >63 < entry key =" baseuri "> http :// www .0 x221b . org / < entry key =" mmls " >../ TSK / mmls < entry key =" sesameserver "> http ://..:8080/ openrdf - sesame / < entry key =" volatility " >../ volatility -2.1/ vol .py < entry key =" icat " >../ TSK / icat < entry key =" skipprocesses "> true Listing A.1: Conguration of the tool(shortened) Start Start loading Ontology Start writing User . rdfs (2.0 KB ) Finished writing User . rdfs Start writing Filesystem . rdfs (8.0 KB ) Finished writing Filesystem . rdfs Start writing Forensic . rdfs (1.0 KB ) Finished writing Forensic . rdfs Start writing Registry . rdfs (4.0 KB ) Finished writing Registry . rdfs Start writing Process . rdfs (2.0 KB ) Finished writing Process . rdfs Start writing Hardware . rdfs (1.0 KB ) 71
- Page 22 and 23: 20 CHAPTER 4. FORENSICS entry conta
- Page 24 and 25: 22 CHAPTER 4. FORENSICS 4.2.3.1 Reg
- Page 26 and 27: 24 CHAPTER 4. FORENSICS vulnerable
- Page 28 and 29: 26 CHAPTER 4. FORENSICS The fls -m
- Page 30 and 31: 28 CHAPTER 4. FORENSICS of the sock
- Page 32 and 33: 30 CHAPTER 4. FORENSICS
- Page 34 and 35: 32 CHAPTER 5. ONTOLOGY Person name
- Page 36 and 37: 34 CHAPTER 5. ONTOLOGY 5.1.1 Creati
- Page 38 and 39: 36 CHAPTER 5. ONTOLOGY Resource Des
- Page 40 and 41: 38 CHAPTER 5. ONTOLOGY to be Augsbu
- Page 42 and 43: 40 CHAPTER 5. ONTOLOGY Gephi and Cy
- Page 44 and 45: 42 CHAPTER 5. ONTOLOGY
- Page 46 and 47: 44 CHAPTER 6. FORENSIC ONTOLOGY for
- Page 48 and 49: 46 CHAPTER 6. FORENSIC ONTOLOGY pro
- Page 50 and 51: 48 CHAPTER 6. FORENSIC ONTOLOGY reg
- Page 52 and 53: 50 CHAPTER 6. FORENSIC ONTOLOGY 6.9
- Page 54 and 55: 52 CHAPTER 6. FORENSIC ONTOLOGY Par
- Page 56 and 57: 54 CHAPTER 6. FORENSIC ONTOLOGY
- Page 58 and 59: 56 CHAPTER 7. IMPLEMENTATION 7.3 RD
- Page 60 and 61: 58 CHAPTER 7. IMPLEMENTATION the co
- Page 62 and 63: 60 CHAPTER 7. IMPLEMENTATION 1 SELE
- Page 64 and 65: 62 CHAPTER 7. IMPLEMENTATION Anothe
- Page 66 and 67: 64 CHAPTER 7. IMPLEMENTATION 7.8 St
- Page 68 and 69: 66 CHAPTER 8. EVALUATION 6. The las
- Page 70 and 71: 68 CHAPTER 8. EVALUATION key (CTEMO
- Page 74 and 75: 72 APPENDIX A. EXTRACTION TOOL LIST
- Page 76 and 77: 74 APPENDIX A. EXTRACTION TOOL LIST
- Page 78 and 79: 76 APPENDIX B. FORENSIC TOOLS OUTPU
- Page 80 and 81: 78 APPENDIX C. SCREENSHOTS Figure C
- Page 82 and 83: 80 APPENDIX C. SCREENSHOTS Figure C
- Page 84 and 85: 82 APPENDIX C. SCREENSHOTS Figure C
- Page 86 and 87: 84 APPENDIX C. SCREENSHOTS
- Page 88 and 89: 86 BIBLIOGRAPHY [Carrier, 2012c] Ca
- Page 90 and 91: 88 BIBLIOGRAPHY [Microsoft, 2010] M
- Page 92: 90 BIBLIOGRAPHY [W3C, 2004] W3C (20
Appendix A<br />
Extraction tool list<strong>in</strong>gs<br />
<br />
<br />
< properties ><br />
< comment > ExtractIn<strong>for</strong>mation - Config - File <br />
< entry key =" samdump2 " >/ usr / b<strong>in</strong> / samdump2 <br />
< entry key =" started " >1353417866724 <br />
< entry key =" sesamerepo "> case1 <br />
< entry key =" ramimage " >../ cases / case1 / zeus . vmem <br />
< entry key =" fsstat " >../ TSK / fsstat <br />
< entry key =" hddimage " >../ cases / case1 / zeus . raw <br />
< entry key =" threadcount " >10 <br />
< entry key =" skipregistry "> true <br />
< entry key =" reglookup " >../ reglookup / reglookup <br />
< entry key =" ontology " >../ ONTO <br />
< entry key =" database "> sesame <br />
< entry key =" datadir " >../ cases / case1 / extracted <br />
< entry key =" bkhive " >/ usr / b<strong>in</strong> / bkhive <br />
< entry key =" python " >/ usr / b<strong>in</strong> / python <br />
< entry key =" fls " >../ TSK / fls <br />
< entry key =" hddimageoffset " >63 <br />
< entry key =" baseuri "> http :// www .0 x221b . org / <br />
< entry key =" mmls " >../ TSK / mmls <br />
< entry key =" sesameserver "> http ://..:8080/ openrdf - sesame / <br />
< entry key =" volatility " >../ volatility -2.1/ vol .py <br />
< entry key =" icat " >../ TSK / icat <br />
< entry key =" skipprocesses "> true <br />
<br />
List<strong>in</strong>g A.1: Conguration of the tool(shortened)<br />
Start<br />
Start load<strong>in</strong>g <strong>Ontology</strong><br />
Start writ<strong>in</strong>g User . rdfs (2.0 KB )<br />
F<strong>in</strong>ished writ<strong>in</strong>g User . rdfs<br />
Start writ<strong>in</strong>g Filesystem . rdfs (8.0 KB )<br />
F<strong>in</strong>ished writ<strong>in</strong>g Filesystem . rdfs<br />
Start writ<strong>in</strong>g Forensic . rdfs (1.0 KB )<br />
F<strong>in</strong>ished writ<strong>in</strong>g Forensic . rdfs<br />
Start writ<strong>in</strong>g Registry . rdfs (4.0 KB )<br />
F<strong>in</strong>ished writ<strong>in</strong>g Registry . rdfs<br />
Start writ<strong>in</strong>g Process . rdfs (2.0 KB )<br />
F<strong>in</strong>ished writ<strong>in</strong>g Process . rdfs<br />
Start writ<strong>in</strong>g Hardware . rdfs (1.0 KB )<br />
71