An Ontology for Digital Forensics in IT Security Incidents - OPUS
Chapter 1
Introduction

"[The] [...] Golden Age of Digital Forensics, [...] is quickly coming to an end." [Garfinkel, 2010]

Ontology, the study of being. (from ὄν being, participle of εἶναι to be, and λόγο(ς) study)

For a long time computers have been utilized for investigating criminal cases. Computer databases are used to find information faster than in large paper document stores. If evidence has to be reconstructed, computers can for example help reconstruct ripped-up documents [De Smet, 2009]. As seen in television series, computers can help identify footprints [Huynh et al., 2003].

But computers and other electronic devices can also contain evidence, or be evidence themselves. Guidelines for what evidence can be found in which electronic device, how the evidence can be retrieved and what precautions to take are available for example in [National Institute of Justice (U.S.), 2001].

Digital forensics has to face several difficulties, and the solutions for them do not necessarily point in the same direction. On the one hand the available data should be processed completely. On the other hand this has to be done as fast as possible.

One factor that leads to problems is the lately increasing number of mobile devices. Many of them have different structures and require different approaches. An additional point is that the memory of such a device cannot be taken out as easily as the hard disk of a common computer. This leads to problems if the memory is to be used as legal evidence. Another aspect is the amount of storage available to and used by users. Today they can have large storage built into their computer; furthermore most of them have several external storage media.

All these points increase the complexity of retrieving the required information and the time needed for analysing it. Because digital forensic analysis is based on traditional forensics, the first approach is to acquire the data first and analyse it later on. With the rapidly growing amount of data, it is more efficient to first filter what