Article

A knowledge-based system for supporting the soundness of digital forensic investigations


Abstract

Performing a technically and legally sound digital forensic investigation yields digital evidence that can be used in courts of law. However, there is no single, standardized procedure that investigators must abide by. This paper presents a knowledge-based system that formally specifies information about investigative procedures in accordance with standards and guidelines such as ISO/IEC 27037, ISO/IEC 27041, ISO/IEC 27042, ISO/IEC 27043, NIST’s Guide to Integrating Forensic Techniques into Incident Response and Interpol’s Guidelines for Digital Forensics First Responders. The knowledge base is expressed in a description logic and represents an ontological model. The model unifies concepts from the different standards and guidelines, enabling the system to aid investigators in executing investigative procedures that will result in admissible digital evidence. The paper uses network forensics as a case study, but the system can be customized to other digital forensics domains.
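As a rough, hypothetical illustration of what such a description-logic knowledge base can look like in practice, the sketch below models a few investigation concepts with the owlready2 Python library. The class and property names are invented stand-ins, not the authors' actual ontology.

```python
# Minimal sketch of an ontological model for investigative procedures,
# loosely inspired by the approach described in the abstract.
# All names are illustrative, not the authors' model.
from owlready2 import get_ontology, Thing, ObjectProperty

onto = get_ontology("http://example.org/dfi.owl")

with onto:
    class InvestigativeProcess(Thing): pass       # e.g. an ISO/IEC 27043 process
    class EvidenceAcquisition(InvestigativeProcess): pass
    class DigitalEvidence(Thing): pass

    class produces(ObjectProperty):               # acquisition yields evidence
        domain = [EvidenceAcquisition]
        range = [DigitalEvidence]

# Populate the ABox with a concrete (hypothetical) network-forensics step.
acq = onto.EvidenceAcquisition("pcap_capture")
ev = onto.DigitalEvidence("capture_file_1")
acq.produces = [ev]
onto.save(file="dfi.owl")
```

A DL reasoner (e.g. HermiT via owlready2's sync_reasoner()) could then check such a model for consistency, which is the kind of automated support for procedural soundness the paper describes.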


... These cover the following topics: the validity and reliability of digital forensic tools and methods (ISO/IEC 27041:2015, Guidance on assuring suitability and adequacy of incident investigative methods) and the phases of the process that involve examination (or analysis) and interpretation. The promotion of best practices in forensic acquisition and examination of digital evidence is the primary goal of the ISO/IEC 27041:2015 digital forensics standard [26]. ...
Article
Full-text available
Digital forensics in cloud computing environments presents significant challenges due to the distributed nature of data storage, the diverse security practices employed by service providers, and jurisdictional complexities. This study aims to develop a comprehensive framework and improved methodologies tailored to conducting digital forensic investigations in cloud settings. A pragmatic research philosophy integrating positivist and interpretivist paradigms guides an exploratory sequential mixed-methods design. Qualitative methods, including case studies, expert interviews, and document analysis, were used to explore key variables and themes. The findings informed hypotheses and the development of a survey instrument for the subsequent quantitative phase, involving structured surveys of digital forensics professionals, cloud providers, and law enforcement agencies across the globe. The multi-method approach employs purposive and stratified random sampling, targeting 100-150 participants for the qualitative components and 300-500 for the quantitative surveys. Qualitative data underwent thematic and content analysis, while quantitative data were analysed using descriptive and inferential statistical methods supported by software such as SPSS and R. An integrated mixed-methods analysis synthesizes and triangulates the findings, enhancing validity, reliability, and comprehensiveness. Strict ethical protocols safeguarded participant confidentiality and data privacy throughout the research process. This robust methodology contributed to the development of improved frameworks, guidelines, and best practices for digital forensic investigations in cloud computing, addressing the legal and jurisdictional complexities of this rapidly evolving domain.
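The quantitative phase above mentions descriptive and inferential statistics carried out in SPSS and R; purely as an illustration of that kind of analysis, the fragment below does the same in Python with invented survey scores.

```python
# Hypothetical descriptive and inferential analysis of survey responses.
# The study used SPSS and R; the scores below are invented.
import numpy as np
from scipy import stats

practitioners = np.array([4.1, 3.8, 4.4, 3.9, 4.2])  # e.g. Likert-scale ratings
providers = np.array([3.2, 3.5, 3.1, 3.8, 3.4])

print("means:", practitioners.mean(), providers.mean())  # descriptive
t, p = stats.ttest_ind(practitioners, providers)         # inferential
print(f"t = {t:.2f}, p = {p:.3f}")
```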
... We understand expert systems as a special type of knowledge system, characterized by the use of knowledge obtained exclusively from an expert and by other features, such as a specially oriented explanatory mechanism. Recently, the distinction between these terms has blurred, and systems originally conceived strictly as expert systems are now treated as more general knowledge systems [32]. ...
Article
Full-text available
The productivity and efficiency problems that the construction sector currently faces are well acknowledged, and there is considerable room for improvement as new tools and methods emerge. One way to increase efficiency is the application of modern methods of construction. These methods, especially dry construction techniques, are developing toward larger volumes of high-quality production with shorter procurement times. Not only in skeleton construction but also in finishing works, techniques that eliminate traditional wet construction processes offer a major advantage by shortening construction time. On the other hand, the question of their cost efficiency arises. Based on theoretical and empirical research, this study aims to demonstrate the potential of modern dry construction systems and solutions for finishing works, particularly with respect to construction time and cost. For this purpose, an expert knowledge system named the complex COMBINATOR was developed. Through a set of simulations run with the COMBINATOR, the effects of different combinations of dry construction systems and techniques (DCSTs) and traditional wet construction systems and techniques (WCSTs) on the time and cost of finishing works were measured. The results of the simulations, enabled by the system's inference engine, demonstrated the potential of dry construction techniques for finishing works in the construction of residential buildings. Without simulating the effects of the individual technological models against the two most important parameters of construction projects, namely time and cost, the resulting parameters for different combinations of DCSTs and WCSTs could not have been obtained; therein lies the importance of the presented knowledge system for assessing the benefits of DCSTs.
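The abstract does not disclose the COMBINATOR's internal rules; as a rough sketch of what an inference over DCST/WCST combinations could look like, the following enumerates time and cost totals for invented figures.

```python
# Toy enumeration of DCST/WCST combinations for finishing works.
# The time/cost figures are invented for illustration.
from itertools import product

works = {
    "partitions": {"DCST": (3, 42.0), "WCST": (7, 35.0)},  # (days, cost units)
    "floors": {"DCST": (2, 30.0), "WCST": (6, 24.0)},
    "ceilings": {"DCST": (1, 18.0), "WCST": (4, 15.0)},
}

for combo in product(("DCST", "WCST"), repeat=len(works)):
    days = sum(works[w][c][0] for w, c in zip(works, combo))
    cost = sum(works[w][c][1] for w, c in zip(works, combo))
    print(dict(zip(works, combo)), f"-> {days} days, {cost:.1f} cost units")
```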
Article
Full-text available
Cybersecurity solutions rely heavily on data analysis. It is no longer enough for a decision to be automated; it must also be explainable. The decision-making logic should be traceable and justified by references to different data sources and evidence. However, the existing security ontologies used to implement expert systems and serve as knowledge bases lack interconnectivity between different data sources and computer-readable links to those sources. This paper therefore aims to expand the possibilities of ontology-based cyber intelligence solutions by presenting a security ontology structure for storing data from different text-based sources in the ontology, supporting knowledge traceability and the estimation of relationships between different security documents. The proposed ontology structure is tested by storing data from three text-based sources, and its application possibilities are described. The study shows that the structure is adaptable to different text data sources and provides additional value related to extending the security domain.
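A minimal sketch of the source-to-concept traceability argued for above, using the rdflib Python library; the namespace, concept and property names are invented for illustration.

```python
# Link an ontology concept back to the text source it was derived from,
# keeping decisions traceable. Names are illustrative only.
from rdflib import Graph, Namespace, Literal
from rdflib.namespace import RDF, RDFS

SEC = Namespace("http://example.org/security#")
g = Graph()
g.bind("sec", SEC)

concept = SEC.PhishingIndicator
source = SEC.advisory_2023_17
g.add((concept, RDF.type, SEC.SecurityConcept))
g.add((concept, SEC.derivedFrom, source))  # computer-readable link to the source
g.add((source, RDFS.label, Literal("Vendor advisory 2023-17, section 3")))

print(g.serialize(format="turtle"))
```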
Article
Full-text available
An increase in the use of cloud computing technologies by organizations has led cybercriminals to target cloud environments with malicious attacks. This, in turn, has created the need for proactive approaches through digital forensic readiness (DFR). Existing studies have attempted to develop proactive prototypes using diverse agent-based solutions capable of extracting forensically sound potential digital evidence (PDE), yet these prototypes have generally not been evaluated in operational environments. To address this limitation and to further evaluate the degree of PDE relevance on an operational platform, this study developed a prototype in an operational cloud environment to achieve DFR in the cloud. The prototype is deployed and executed in cloud instances hosted on OpenStack, the operational cloud environment. The experiments performed in this study show that it is viable to attain DFR on an operational cloud platform. Further observations show that the prototype is capable of harvesting digital data from cloud instances and storing the data in a forensically sound database. The prototype also prepares the operational cloud environment to be forensically ready for digital forensic investigations, without altering the functionality of the OpenStack cloud architecture, by leveraging the ISO/IEC 27043 guidelines on security monitoring.
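One common ingredient of a forensically sound evidence store is hashing each item at capture time so that later integrity checks can detect tampering. The sketch below illustrates only that idea; it is not the prototype's code, and the schema is invented.

```python
# Illustrative capture-and-store step with an integrity hash.
# Not the actual prototype; the schema is invented.
import hashlib
import sqlite3
from datetime import datetime, timezone

db = sqlite3.connect("pde.sqlite")
db.execute("""CREATE TABLE IF NOT EXISTS evidence
              (source TEXT, captured_at TEXT, sha256 TEXT, data BLOB)""")

def store_evidence(source_id: str, payload: bytes) -> str:
    digest = hashlib.sha256(payload).hexdigest()
    ts = datetime.now(timezone.utc).isoformat()
    db.execute("INSERT INTO evidence VALUES (?, ?, ?, ?)",
               (source_id, ts, digest, payload))
    db.commit()
    return digest

print(store_evidence("instance-7:/var/log/auth.log", b"Failed password for root ..."))
```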
Chapter
Full-text available
Companies often have to comply with more than one security standard and refine parts of security standards to apply to their domain and specific security goals. To understand which requirements different security standards stipulate, a systematic overview or mapping of the relevant natural language security standards is necessary. Creating such standards mappings is a difficult task; to discover which methodologies and tools researchers and practitioners propose and use to map security standards, we conducted a systematic literature review. We identified 44 resources published between 2004 and 2018 using ACM Digital Library, IEEEXplore, SpringerLink, ScienceDirect, dblp and additional grey literature sources. We found that research focuses either on manual methods or on security ontologies to create security standards mappings. We also observed an increase in scientific publications over the investigated timespan which we attribute to the ISO 27001 standard update in 2013 and the EU GDPR coming into effect in 2018.
Article
Full-text available
With the growing number of digital forensic tools and the increasing use of digital forensics in various contexts, including incident response and cyber threat intelligence, there is a pressing need for a widely accepted standard for representing and exchanging digital forensic information. Such a standard representation can support correlation between different data sources, enabling more effective and efficient querying and analysis of digital evidence. This work summarizes the strengths and weaknesses of existing schemas, and proposes the open-source CybOX schema as a foundation for storing and sharing digital forensic information. The suitability of CybOX for representing objects and relationships that are common in forensic investigations is demonstrated with examples involving digital evidence. The capability to represent provenance by leveraging CybOX is also demonstrated, including specifics of the tool used to process digital evidence and the resulting output. An example is provided of an ongoing project that uses CybOX to record the state of a system before and after an event in order to capture cause and effect information that can be useful for digital forensics. An additional open-source schema and associated ontology called Digital Forensic Analysis eXpression (DFAX) is proposed that provides a layer of domain specific information overlaid on CybOX. DFAX extends the capability of CybOX to represent more abstract forensic-relevant actions, including actions performed by subjects and by forensic examiners, which can be useful for sharing knowledge and supporting more advanced forensic analysis. DFAX can be used in combination with other existing schemas for representing identity information (CIQ), and location information (KML). This work also introduces and leverages initial steps of a Unified Cyber Ontology (UCO) effort to abstract and express concepts/constructs that are common across the cyber domain.
Conference Paper
Full-text available
We describe an extension of the description logic underlying OWL-DL, SHOIN, with a number of expressive means that we believe will make it more useful in practice. Roughly speaking, we extend SHOIN with all expressive means that were suggested to us by ontology developers as useful additions to OWL-DL, and which, additionally, do not affect its decidability and practicability. We consider complex role inclusion axioms of the form R ∘ S ⊑ R or S ∘ R ⊑ R to express propagation of one property along another one, which have proven useful in medical terminologies. Furthermore, we extend SHOIN with reflexive, antisymmetric, and irreflexive roles, disjoint roles, a universal role, and constructs ∃R.Self, allowing, for instance, the definition of concepts such as a "narcist". Finally, we consider negated role assertions in ABoxes and qualified number restrictions. The resulting logic is called SROIQ. We present a rather elegant tableau-based reasoning algorithm: it combines the use of automata to keep track of universal value restrictions with the techniques developed for SHOIQ. The logic SROIQ has been adopted as the logical basis for the next iteration of OWL, OWL 1.1.
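In conventional DL notation, the two feature families highlighted above can be written as follows; the location axiom is the standard medical-terminology example of property propagation, and the Self construct captures the "narcist" concept mentioned in the abstract:

```latex
\[
  locatedIn \circ partOf \sqsubseteq locatedIn
  \qquad\qquad
  Narcist \equiv \exists loves.\mathit{Self}
\]
```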
Article
In parallel with the exponentially growing number of computing devices and IoT networks, the data storage and processing requirements of digital forensics are also increasing. Therefore, automation is highly desired in this field, yet not readily available, and many challenges remain, ranging from unstructured forensic data derived from diverse sources to a lack of semantics defined for digital forensic investigation concepts. By formally describing digital forensic concepts and properties, purpose‐designed ontologies enable integrity checking via automated reasoning and facilitate anomaly detection for the chain of custody in digital forensic investigations. This article provides a review of these ontologies, and investigates their applicability in the automation of processing traces of digital evidence. This article is categorized under: • Digital and Multimedia Science > Artificial Intelligence • Digital and Multimedia Science > Cybercrime Investigation • Digital and Multimedia Science > Cyber Threat Intelligence
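As a concrete, simplified illustration of the chain-of-custody anomaly detection mentioned above: the check below flags out-of-order transfers and missing custodians. In the ontology-based systems reviewed, such rules would be encoded as axioms and evaluated by a reasoner rather than written as ad hoc Python.

```python
# Simplified chain-of-custody consistency check (illustrative only).
from datetime import datetime

def check_chain(transfers):
    """transfers: list of {'custodian': str, 'received_at': ISO-8601 str}."""
    anomalies, prev = [], None
    for t in transfers:
        when = datetime.fromisoformat(t["received_at"])
        if not t.get("custodian"):
            anomalies.append(f"{t['received_at']}: transfer without a custodian")
        if prev is not None and when < prev:
            anomalies.append(f"{t['received_at']}: received before previous transfer")
        prev = when
    return anomalies

print(check_chain([
    {"custodian": "officer A", "received_at": "2024-05-01T09:00:00"},
    {"custodian": "", "received_at": "2024-05-01T08:30:00"},
]))
```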
Article
Nowadays, more than ever, digital forensics activities are involved in criminal, civil and military investigations and represent a fundamental tool for supporting cyber-security. Investigators use a variety of techniques and proprietary forensic software applications to examine copies of digital devices, searching for hidden, deleted, encrypted, or damaged files or folders. Any evidence found is carefully analysed and documented in a "finding report" in preparation for legal proceedings that involve discovery, depositions, or actual litigation. The aim is to discover and analyse patterns of fraudulent activity. In this work, a new methodology is proposed to support investigators during the analysis process by correlating evidence found through different forensic tools. The methodology was implemented in a system able to add semantic assertions to the data generated by forensic tools during extraction. These assertions enable more effective access to relevant information and enhanced retrieval and reasoning capabilities.
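A toy version of the cross-tool correlation idea: assert each tool's findings as RDF triples, then query for artefacts corroborated by more than one tool. The vocabulary and tool names are invented.

```python
# Correlating findings from two hypothetical forensic tools via SPARQL.
from rdflib import Graph, Namespace, Literal
from rdflib.namespace import RDF

EX = Namespace("http://example.org/forensics#")
g = Graph()
g.add((EX.file_42, RDF.type, EX.DeletedFile))
g.add((EX.file_42, EX.foundBy, Literal("ToolA")))
g.add((EX.file_42, EX.foundBy, Literal("ToolB")))
g.add((EX.file_43, EX.foundBy, Literal("ToolA")))  # only one tool saw this one

q = """
SELECT ?artefact WHERE {
  ?artefact <http://example.org/forensics#foundBy> "ToolA" .
  ?artefact <http://example.org/forensics#foundBy> "ToolB" .
}"""
for row in g.query(q):
    print("corroborated by both tools:", row.artefact)
```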
Article
In the field of digital forensics it is crucial for any practitioner to be able to make reliable investigative decisions that result in the reporting of credible evidence. This competency should be considered a core attribute of a practitioner's skill set, and it is often taken for granted that all practitioners possess it; in reality this is not the case. The lack of dedicated research on, and formalisation of, investigative decision-making models to support digital forensics practitioners is an issue, given the complexity of many digital investigations. Often, the ability to make forensically sound decisions about the reliability of any findings is an assumed trait of the practitioner rather than a formally taught competency. As a result, the digital forensic discipline faces increasing scrutiny with regard to the quality and validity of the evidence its practitioners produce. This work offers the Digital Evidence Reporting and Decision Support (DERDS) framework, designed to help practitioners assess the reliability of their inferences, assumptions or conclusions in relation to any potentially evidential findings. The structure and application of the DERDS framework is discussed, demonstrating the stages of decision making a practitioner must undergo when evaluating the accuracy of their findings, while also recognising when content may be deemed unsafe to report.
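The published DERDS stages are not reproduced here; purely to make the idea of staged reliability triage concrete, a toy decision function might look like the following. The stages and thresholds are invented, not the framework's.

```python
# Toy reliability triage, loosely inspired by staged decision support.
# The real DERDS stages differ and are defined in the paper.
def triage(finding: dict) -> str:
    if not finding.get("method_validated", False):
        return "unsafe to report: method not validated"
    if finding.get("corroborating_sources", 0) == 0:
        return "report only as an assumption; seek corroboration"
    return "report as a supported inference"

print(triage({"method_validated": True, "corroborating_sources": 2}))
```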
Chapter
The growing number of investigations involving digital traces from various data sources is driving the demand for a standard way to represent and exchange pertinent information. Enabling automated combination and correlation of cyber-investigation information from multiple systems or organizations enables more efficient and comprehensive analysis, reducing the risk of mistakes and missed opportunities. These needs are being met by the evolving open-source, community-developed specification language called CASE, the Cyber-investigation Analysis Standard Expression. CASE leverages the Unified Cyber Ontology (UCO), which abstracts and expresses concepts that are common across multiple domains. This paper introduces CASE and UCO, explaining how they improve upon prior related work. The value of fully-structured data, representing provenance, and action lifecycles are discussed. The guiding principles of CASE and UCO are presented, and illustrative examples of CASE are provided using the default JSON-LD serialization.
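To give a feel for the JSON-LD serialization mentioned above, here is a minimal record shaped like published CASE examples; the type and property names are illustrative and have not been validated against the current CASE/UCO ontologies.

```python
# Minimal JSON-LD-style trace, loosely modelled on CASE examples.
# Names are illustrative, not validated against the CASE/UCO ontologies.
import json

trace = {
    "@context": {
        "kb": "http://example.org/kb/",
        "uco-observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
    },
    "@id": "kb:file-1",
    "@type": "uco-observable:File",
    "uco-observable:fileName": "capture.pcap",
    "uco-observable:sizeInBytes": 104857600,
}
print(json.dumps(trace, indent=2))
```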
Conference Paper
This chapter accompanies the foundational lecture on Description Logics (DLs) at the 7th Reasoning Web Summer School in Galway, Ireland, 2011. It introduces basic notions and facts about this family of logics which has significantly gained in importance over the recent years as these logics constitute the formal basis for today’s most expressive ontology languages, the OWL (Web Ontology Language) family. We start out from some general remarks and examples demonstrating the modeling capabilities of description logics as well as their relation to first-order predicate logic. Then we begin our formal treatment by introducing the syntax of DL knowledge bases which comes in three parts: RBox, TBox and ABox. Thereafter, we provide the corresponding standard model-theoretic semantics and give a glimpse of the alternative way of defining the semantics via an embedding into first-order logic with equality. We continue with an overview of the naming conventions for DLs before we delve into considerations about different notions of semantic alikeness (concept and knowledge base equivalence as well as emulation). These are crucial for investigating the expressivity of DLs and performing normalization. We move on by reviewing knowledge representation capabilities brought about by different DL features and their combinations as well as some model-theoretic properties associated thereto. Subsequently, we consider typical reasoning tasks occurring in the context of DL knowledge bases. We show how some of these tasks can be reduced to each other, and have a look at different algorithmic approaches to realize automated reasoning in DLs. Finally, we establish connections between DLs and OWL. We show how DL knowledge bases can be expressed in OWL and, conversely, how OWL modeling features can be translated into DLs. In our considerations, we focus on the description logic SROIQ, which underlies the most recent and most expressive yet decidable version of OWL, called OWL 2 DL. We concentrate on the logical aspects and omit data types as well as extralogical features from our treatise. Examples and exercises are provided throughout the chapter.
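A small worked example of the three-part knowledge base structure described above, in standard DL notation (the axioms are invented for illustration):

```latex
\begin{align*}
\text{RBox:}\quad & hasPart \circ hasPart \sqsubseteq hasPart \\
\text{TBox:}\quad & Disk \sqsubseteq Device \sqcap \exists hasPart.Partition \\
\text{ABox:}\quad & Disk(d_1), \quad hasPart(d_1, p_1)
\end{align*}
```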
Ensuring conformance to process standards through formal verification
  • Kabaale