PROACTIVE CYBER FORENSIC ANALYSIS
Proactive And reactive cyber forensics investigation processes: A Systematic Literature Review(SLR)
A multi-component framework of cyber forensics investigation
Abstract—Digital Forensics can be defined as the ensemble of methods, tools and techniques used to collect, preserve and analyze digital data originating from any type of digital media involved in an incident with the purpose of extracting valid evidence for a court of law. In it investigations are usually performed as a response to a digital crime and, as such, they are termed Reactive Digital Forensic (RDF). This involves identifying, preserving, collecting, analyzing, and generating the final report. Although RDF investigations are effective, they are faced with many challenges, especially when dealing with anti-forensic incidents, volatile data and event reconstruction. To tackle these challenges, Proactive Digital Forensic (PDF) is required. By being proactive, DF is prepared for incidents. In fact, the PDF investigation has the ability to proactively collect data, preserve it, detect suspicious events, analyze evidence and report an incident as it occurs.
Index Terms—Digital forensics, Digital Proactive Forensics, Digital reactive forensics, Digital device storage, digital crime, Anti forensics, multi component framework
Computer crimes have increased tremendously and their degree of sophistication has also advanced, the volatility and dynamicity of the information that flows between devices require some proactive investigation. The reactive investigation is now becoming less practical since the increased sizes of the data that is being investigated and underlying technology of the devices that change tremendously make the tools made for digital reactive forensics useless In order to investigate anti-forensic attacks and to promote automation of the live investigation, a proactive and reactive functional process has been proposed.. The phases of the proposed proactive and reactive digital forensics investigation process have been mapped to existing investigation processes. The proactive component in the proposed process has been compared to the active component in the multi- component framework. All phases in the proactive component of the new process are meant to be automated. To this end, a theory for the proactive digital forensics is necessary to lay down a strong foundation for the implementation of a reliable proactive system.
The term anti-forensics refers to methods that prevent forensic tools, investigations, and investigators from achieve- ing their goals. Two examples of anti-forensic methods are data overwriting and data hiding. From a digital investigation perspective, anti-forensics can do the following:
- Prevent evidence collection.
- Increase the investigation time.
- Provide misleading evidence that can jeopardize the whole investigation.
- Prevent detection of digital crime.
To investigate crimes that rely on anti-forensic methods, more digital forensic investigation techniques and tools need to be developed, tested, and automated. Such techniques and tools are called proactive forensic processes. Proactive forensics has been suggested in. To date, however, the definition and the process of proactive forensics have not been explicated.
II. Proactive digital forensics
Proactive Digital Forensic Component has the ability to proactively collect data, preserve it, detect suspicious events, gather evidence, carry out the analysis and build a case against any questionable activities. In addition, an automated report is generated for later use in the reactive component. The evidence gathered in this component is the proactive evidence that relates to a specific event or incident as it occurs. As opposed to the reactive component, the collection phase in this component comes before preservation since no incident has been identified yet. Phases under the proactive component are defined as follows:
- Proactive Collection: automated live collection of predefined data in the order of volatility and priority, and related to a specific requirement of an organization or incident.
- Proactive Preservation: automated preservation, via hashing, of the evidence and the proactively collected data related to the suspicious event.
- Proactive Event Detection: detection of suspicious event via an intrusion detection system or a crime-prevention alert.
- Proactive Analysis: automated live analysis of the evidence, which might use forensics techniques such as data mining and outlier detection to sup- port and construct the initial hypothesis of the incident.
- Report: automated report generated from the proactive component analysis. This report is also important for the reactive component and can serve as the starting point of the reactive investigation.
III Reactive Digital Forensics
It the traditional or post-mortem approach of investigating a digital crime after an incident has occurred. This involves identifying, preserving, collecting, analyzing, and generating the final report. Two types of evidence are gathered under this component:
- Active: Active evidence refers to collecting all live (dynamic) evidence that exists after an incident. An example of such evidence is processes running in memory.
- Reactive : refers to collecting all the static evidence remaining, such as an image of a hard drive.
gation process and references
Investigative Process for Digital Forensic Science
End-to-End Digital Investi- gation Process
Step by step DF investigation
The Hierarchical, Objective-based Frame- work
An Extended Model for E-Discovery Op- erations
FORZA – Digital Forensics Investigation Framework Incorporating Legal Issues
Proactive Vs Reactive Forensics Investigation framework
Event Trigger Function
Complexity of Digital Forensics investigation
Digital attacks are so complex that it is hard to investigate them forensically. The elements involved in a digital crime are located in a large multidimensional space and cannot be easily identified. With the increase of storage size and memory sizes, and the use of parallelism, virtualization and cloud, the parameters to take into account during an investigation can even become unmanageable.
Five fundamental principles
The five fundamental principles are stated below:
Principle 1 Consider the entire system. This includes the user space as well as the entire kernel space, file system, network stack, and other related subsystems.
Principle 2 Assumptions about expected failures, attacks, and attackers should not control what is logged. Trust no user and trust no policy, as we may not know what we want in advance.
Principle 3 Consider the effects of events, not just the actions that caused them, and how those effects may be altered by context and environment.
Principle 4 Context assists in interpreting and understanding the meaning of an event.
Principle 5 Every action and every result must be processed and presented in a way that can be analyzed and understood by a human forensic analyst.
These five are for reactive analysis , for proactive there must be some new principles. Soltan Abed Albari proposed the following two :
Principle 6 Preserve the entire history of the system.
Principle 7 Perform the analysis and report the results in real time.
By preserving the entire history of the system, we can go back in time and reconstruct what has happened and answer reliably all the necessary questions about an event or incident. The reconstructed timeline is based on the actual states of the system before and after the event or incident. In addition and due to the large amount of data, events and actions involved, performing a proactive analysis and reporting require real time techniques that use high-performance computing. The analysis phase should be automated and have the necessary intelligence to investigate the suspicious events in real time and across multiple platforms.
Figure 1 Relation between action ,target & events
In addition to the actions and events that the seven principles listed above emphasize, we introduce the notion of targets. A target is any resource or object related to the system under investigation e.g., a file, memory, register, etc. We will use an element of DF investigation to refer to a target, an action or an event. At a time t and as shown in Figure 3.1, the system is in the process of executing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones.
A model for Proactive digital forensics
The model below has two major parts
- Forward system
- Feedback system
Forward system is the one upon which investigation is performed. Both systems the forward and the feedback can be modelled as a tuple (T,E,A), where T is a set of targets, E is a set of events, and A is a set of possible actions each of which is viewed as a transfer function of targets and events. To clarify this, each target f ∈ T is associated with a set S(f) representing the possible states in which it can be. The Cartesian product of S(f) for all targets f defines the state space of the system’s targets and we denote it by T . We do the same for every event e but we consider S(e) to contain two and only two elements, namely ↑ (triggered event) and ↓ (not triggered event). The Cartesian product of all the system’s events (S(e) for every event e) is denoted by E (status space). An action a is therefore a function from Γ × T × E to T × E, where Γ represents the time dimension. The evolution function ψ is defined from Γ × (T × E) × A to T × E by
ψ(t,(~r,~e),a) = a(t,~r,~e)3.
At a time t ∈ Γ, an event e is triggered if its status at time t is ↑, and not triggered ↓ otherwise. The notation ↑t e will be used to denote that the event e is triggered at time t
Figure 2 proactive model
The forward system has three things that are linked. Target, event and action
A target is any resource or object related to the system under investigation (e.g., a file, memory, register, etc.. We will use an element of DF investigation to refer to a target, an action or an event. At a time t system is in the process of executing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones. Therefore to describe the dynamics of the system at a single instant t, one needs to know at least the states of the targets, the events generated and the actions executed at t. For a full description of the dynamics, these elements of investigation need to be specified at every instant of time; and the complete analysis of the dynamics of the system requires a large multidimensional space Equations
B. Events and Actions
Keeping track of all events and targets is expensive. To reduce them, a few classifications using preorder and equivalence relations. To illustrate the idea behind these classifications, imagine a botnet writing into a file. This event will trigger other events including checking the permission on the file, updating the access time of the file, and writing the data to the actual disk. The idea behind our formalization is to be able to know which events are important (maximal) and which ones can be ignored. The same thing holds for the targets .This will optimize the cost and time .
- Short Theory on Events
Let e1 and e2 be two events in E. We defined the relation ≤E on E as follows:
e1 ≤E e2 if and only if ( ⇐⇒ ) whenever the event e1 happens at a time t, the event e2 must also happen at a time t0 greater than or equal to t. Formally, this can be expressed as: e1 ≤E e2 ⇐⇒ (∀t ↑t e1 ⇒ ∃t0 ≥ t ↑t0 e2)
Subsequent events are those which are less than e .
- Short theory on targets
Let Ψ be the mapping from T to E (Figure 3.10) that associates each target with its change of status event. The mapping Ψ and ≤E induces a preorder relation ≤T defined by T1 ≤T T2 ⇐⇒ Ψ(T1) ≤E Ψ(T2)
Informally, this means that whenever target T1 changes at time t the target T2 must change at t0 ≥ t.
- Short Theory on Actions
The set of actions A is extended to ¯ A using the following operators:
An associative binary operator called sequential operator and denoted by ;. Given two actions a1 and a2, the action a1;a2 is semantically equivalent to carrying out a1 and then a2 (the two transfer functions are in series). Note that ∅A is a neutral element of A with respect to ; (i.e., a;∅A = ∅A;a = a for every action a).
A commutative binary operator called parallel operator and denoted by ||. In this case a1||a2 is equivalent to carrying a1 and a2 simultaneously (the two transfer functions are in parallel). The action ∅A is also a neutral element of A with respect to ||.
A conditional operator defined as follows. Given two conditions ci and ce in C, and an action a, the operator ciace represents the action of iteratively carrying out a only when ci is true and stopping when ce is false. That
is denoted by a ce. Note that if both are true, then ci a ce is a.
Zone Base Classification of Investigation Space
To address the limitation of the classification described previously and address the undesirability issue , classify the event and target state into a set of priority zones. These zones can be represented with different colors: green, yellow, and red; starting from a lower priority to a higher one. When important events/targets with high-priority levels are triggered, a more thorough analysis is expected. Moreover, the zones can be used as a quantifying matrix that provides numbers reï¬‚ecting the certainty level for the occurrence of an incident. In our case, this number is an important piece of information in the final report.
The high-priority events can involve one of the following: IDS, Antivirus, Firewall off and changing the windows system32 folder. On the other hand, the high-priority targets are the system32 folder, registry, network traï¬ƒc and memory dump.
Given that the number of targets and events are large, this classification is not enough, especially during the analysis phase. As such, we need to reduce the forensic space. Similar to the principal component analysis technique , we suggest restrict- ing the analysis to “important” targets and events based on a specific organization policy. This can be seen as projecting the full forensic space F onto a sub-space F0 in which the evidence is most probably located.
Figure 3 Zone base classification 
In this paper we proposed a new approach to resolve cybercrime using Proactive forensics with focusing on the Investigation space for proactive investigation. This paper reviews literature on Proactive forensic approaches and their processes. It has a method for proactive investigation to be carried out significantly. In order to investigate anti-forensics methods and to promote automation of the live investigation, a proactive functional process has been proposed. The proposed process came as result of SLR of all the processes that exist in literature. The phases of the proposed proactive digital forensics investigation process have been mapped to existing investigation processes.
For future work , the investigation space profiling is to be done on events and targets in the space.
- Proactive System for Digital Forensic Investigation, Soltan Abed Alharbi, 2014 University of Victoria
- Mapping Process of Digital Forensic Investigation Framework
- A new approach for resolving cybercrime in network forensics based on generic process model. Mohammad Rasmi1, Aman Jantan2, Hani Al-MimiY. Yorozu, M. Hirano, K. Oka, and Y. Tagawa,
- A System for the Proactive, Continuous, and Eï¬ƒcient Collection of Digital Forensic Evidence
- Towards Proactive Computer-System Forensics
- Requirements-Driven Adaptive Digital Forensics
- Multi-Perspective Cybercrime Investigation Process Modeling
- A Forensic Traceability Index in Digital Forensic Investigation
- Network/Cyber Forensics
- Smartphone Forensics: A Proactive Investigation Scheme for Evidence Acquisition
Cite This Work
To export a reference to this article please select a referencing stye below:
Related ServicesView all
DMCA / Removal Request
If you are the original writer of this essay and no longer wish to have your work published on UKEssays.com then please: