Improving Distributed Forensics and Incident Response in Loosely Controlled Networked Environments
Stockholm University, Faculty of Social Sciences, Department of Computer and Systems Sciences.
2016 (English). In: International Journal of Security and Its Applications, ISSN 1738-9976, Vol. 10, no. 1, p. 385-414.
Article in journal (Refereed). Published.
Abstract [en]

Mobile devices and virtualized appliances in the Internet of Things can be end nodes on varying networks owned by different parties over time, while still seamlessly participating in licit or illicit activities. Digital Forensics and Incident Response (DFIR) tools today struggle to perform digital investigations in such loosely controlled networked environments as they face several challenges including: scarcity of resources, availability, trust, privacy, data volumes, velocity and variety. In this paper we analyze the state of research in DFIR in networked environments, identifying the challenges facing DFIR tools particularly in loosely controlled network environments. We present the requirements for a system to address these challenges at the various steps of the typical digital investigation methodology. From this we identify the need for support from Peer to Peer (P2P) overlays and discuss their relative merits and drawbacks in order to identify those that would best support DFIR in loosely controlled networked environments. Finally we incorporate both structured and unstructured P2P overlays in various capacities in our architecture in order to organize devices in loosely controlled networks, using context information, thus enabling efficient capture, analysis and reporting of artifacts of use in digital investigations.

Place, publisher, year, edition, pages
2016. Vol. 10, no 1, p. 385-414
Keywords [en]
Digital Forensics, Incident Response, P2P Overlays, Open Distributed Systems, Uncontrolled Environment, Internet of Things
National Category
Computer Sciences
Research subject
Information Systems Security
Identifiers
URN: urn:nbn:se:su:diva-128806
DOI: 10.14257/ijsia.2016.10.1.35
ISI: 000376639500035
OAI: oai:DiVA.org:su-128806
DiVA id: diva2:916816
Available from: 2016-04-04. Created: 2016-04-04. Last updated: 2018-10-30.
Bibliographically approved.
In thesis
1. Towards Automation in Digital Investigations: Seeking Efficiency in Digital Forensics in Mobile and Cloud Environments
2016 (English). Licentiate thesis, comprehensive summary (Other academic).
Abstract [en]

Cybercrime and related malicious activity in our increasingly digital world has become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges include the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations.

Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally, they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. This combined set of circumstances makes digital investigations in mobile and cloud environments particularly challenging.

This is not aided by the fact that digital forensics today still involves manual, time-consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, the industry-standard tools developed to date are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching.

In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought after in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end, requirements are outlined and an architecture is designed for an automated system that performs digital forensics in highly networked mobile and cloud environments. Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning, is developed and tested. Finally, the proposed architecture is reviewed and enhancements are proposed in order to further automate the architecture by introducing decentralization, particularly within the storage and processing functionality. This decentralization also improves machine-to-machine communication, supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays.

Remote evidence acquisition helps to improve the efficiency (time and effort involved) in digital investigations by removing the need for proximity to the evidence. Experiments show that a single TCP connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication thereby enabling automation and reducing the need for manual human intervention.

Place, publisher, year, edition, pages
Stockholm: Department of Computer and Systems Sciences, Stockholm University, 2016. p. 139
Series
Report Series / Department of Computer & Systems Sciences, ISSN 1101-8526 ; 16-004
Keywords
Computer forensics, network forensics, mobile devices, mobile forensics, cloud computing, semantic web, hypervisors, virtualization, remote acquisition, automation, evidence analysis, correlation, P2P, bittorrent
National Category
Computer Sciences
Research subject
Computer Science; Information Systems Security
Identifiers
urn:nbn:se:su:diva-130742 (URN)
Presentation
2016-04-25, L30, Nod Building, Borgarfjordsgatan 12 (Nodhuset), Campus Kista, Stockholm, 10:00 (English)
Available from: 2016-06-17. Created: 2016-06-02. Last updated: 2018-01-10.
Bibliographically approved.
2. Advancing Automation in Digital Forensic Investigations
2018 (English). Doctoral thesis, comprehensive summary (Other academic).
Abstract [en]

Digital Forensics is used to aid traditional preventive security mechanisms when they fail to curtail sophisticated and stealthy cybercrime events. The Digital Forensic Investigation process is largely manual in nature, or at best quasi-automated, requiring a highly skilled labour force and involving a sizeable time investment. Industry-standard tools are evidence-centric, automate only a few precursory tasks (e.g. parsing and indexing) and have limited capabilities for integration from multiple evidence sources. Furthermore, these tools are always human-driven.

These challenges are exacerbated in the increasingly computerized and highly networked environment of today. Volumes of digital evidence to be collected and analyzed have increased, and so has the diversity of digital evidence sources involved in a typical case. This further handicaps digital forensics practitioners, labs and law enforcement agencies, causing delays in investigations and legal systems due to backlogs of cases. Improved efficiency of the digital investigation process is needed, in terms of increasing the speed and reducing the human effort expended. This study aims at achieving this time and effort reduction, by advancing automation within the digital forensic investigation process.

Using a Design Science research approach, artifacts are designed and developed to address these practical problems. In summary, the requirements and architecture of a system for automating digital investigations in highly networked environments are designed. The architecture initially focuses on automation of the identification and acquisition of digital evidence, while later versions focus on full automation and self-organization of devices for all phases of the digital investigation process. Part of the remote evidence acquisition capability of this system architecture is implemented as a proof of concept. The speed and reliability of capturing digital evidence from remote mobile devices over a client-server paradigm is evaluated. A method for the uniform representation and integration of multiple diverse evidence sources, enabling automated correlation, simple reasoning and querying, is developed and tested. This method is aimed at automating the analysis phase of digital investigations. Machine Learning (ML)-based triage methods are developed and tested to evaluate the feasibility and performance of using such techniques to automate the identification of priority digital evidence fragments. Models from these ML methods are evaluated in identifying network protocols within DNS-tunneled network traffic. A large dataset is also created for future research in ML-based triage for identifying suspicious processes in memory forensics.

From an ex ante evaluation, the designed system architecture enables individual devices to participate in the entire digital investigation process, contributing their processing power towards alleviating the burden on the human analyst. Experiments show that remote evidence acquisition from mobile devices over networks is feasible; however, a single-TCP-connection paradigm scales poorly. A proof-of-concept experiment demonstrates the viability of automated integration, correlation and reasoning over multiple diverse evidence sources using semantic web technologies. Experimentation also shows that ML-based triage methods can enable prioritization of certain digital evidence sources, for acquisition or analysis, with up to 95% accuracy.

The artifacts developed in this study provide concrete ways to enhance automation in the digital forensic investigation process to increase the investigation speed and reduce the amount of costly human intervention needed.


Place, publisher, year, edition, pages
Stockholm: Department of Computer and Systems Sciences, Stockholm University, 2018. p. 149
Series
Report Series / Department of Computer & Systems Sciences, ISSN 1101-8526 ; 18-002
Keywords
Digital Forensics, Machine Learning, Computer Forensics, Network Forensics, Predictive Modelling, Distributed Systems, Mobile Devices, Mobile Forensics, Memory Forensics, Android, Semantic Web, Hypervisors, Virtualization, Remote Acquisition, Evidence Analysis, Correlation, P2P, Bittorrent
National Category
Computer Systems; Communication Systems; Telecommunications; Computer Sciences; Computer Engineering; Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-161555 (URN)
978-91-7797-521-2 (ISBN)
978-91-7797-520-5 (ISBN)
Public defence
2018-12-17, L30, NOD-huset, Borgarfjordsgatan 12, Kista, 14:00 (English)
Available from: 2018-11-22. Created: 2018-10-30. Last updated: 2018-11-16.
Bibliographically approved.

Open Access in DiVA

Full text: FULLTEXT01.pdf (application/pdf, 472 kB)
Checksum (SHA-512): 9a4720807bbe1b1acc25e6afe5493028f673137409a34c69736dd32bd7ceb50f37e27abc36d56740d88fa1bcf13881d8946059884a29073fdb6c307d28e01d6b

Authors: Homem, Irvin; Kanter, Theo; Rahmani, Rahim
Organisation: Department of Computer and Systems Sciences
Journal: International Journal of Security and Its Applications
