Towards Automation in Digital Investigations: Seeking Efficiency in Digital Forensics in Mobile and Cloud Environments
Stockholm University, Faculty of Social Sciences, Department of Computer and Systems Sciences. ORCID iD: 0000-0002-5115-1453
2016 (English). Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

Cybercrime and related malicious activity in our increasingly digital world have become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges are the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations.

Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally, they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. This combined set of circumstances makes digital investigations in mobile and cloud environments particularly challenging.

This is not aided by the fact that digital forensics today still involves manual, time-consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, the industry-standard tools that have been developed are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching.

In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end, requirements are outlined and an architecture is designed for an automated system that performs digital forensics in highly networked mobile and cloud environments. Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning, is developed and tested. Finally, the proposed architecture is reviewed and enhancements are proposed in order to further automate the architecture by introducing decentralization, particularly within the storage and processing functionality. This decentralization also improves machine-to-machine communication, supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays.

Remote evidence acquisition helps to improve the efficiency (time and effort involved) of digital investigations by removing the need for proximity to the evidence. Experiments show that a single-TCP-connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP-connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication, thereby enabling automation and reducing the need for manual human intervention.

Place, publisher, year, edition, pages
Stockholm: Department of Computer and Systems Sciences, Stockholm University, 2016. 139 p.
Series
Report Series / Department of Computer & Systems Sciences, ISSN 1101-8526 ; 16-004
Keyword [en]
Computer forensics, network forensics, mobile devices, mobile forensics, cloud computing, semantic web, hypervisors, virtualization, remote acquisition, automation, evidence analysis, correlation, P2P, bittorrent
National Category
Computer Science
Research subject
Computer Science; Information Systems Security
Identifiers
URN: urn:nbn:se:su:diva-130742
OAI: oai:DiVA.org:su-130742
DiVA: diva2:932924
Presentation
2016-04-25, L30, Nod Building, Borgarfjordsgatan 12 (Nodhuset), Campus Kista, Stockholm, 10:00 (English)
Available from: 2016-06-17. Created: 2016-06-02. Last updated: 2016-06-20. Bibliographically approved.
List of papers
1. LEIA: The Live Evidence Information Aggregator: Towards Efficient Cyber-Law Enforcement
2013 (English). In: World Congress on Internet Security (WorldCIS), IEEE Computer Society Digital Library, 2013, pp. 156-161. Conference paper, Published paper (Refereed)
Abstract [en]

Given the complexity and velocity of the interactions among vastly heterogeneous elements on the Internet, the colossal amounts of information generated and exchanged, the increasingly evasive nature of new forms of electronic crime, and the relative immaturity of current Digital Forensics tools, Law Enforcement Agencies are easily outpaced and overwhelmed by the types of electronic crimes experienced today. In this paper, we describe the architecture of a comprehensive automated Digital Investigation platform termed the Live Evidence Information Aggregator (LEIA). It makes use of the strong points of hypervisor technologies, large-scale distributed file systems, the Resource Description Framework (RDF), peer-to-peer networks, and innovative collaborative mechanisms in order to introduce a level of speed, accuracy and efficiency that matches the imminent age of massively distributed cybercrime in the context of the Internet of Things.

Place, publisher, year, edition, pages
IEEE Computer Society Digital Library, 2013
Keyword
Digital Forensics, Cybercrime, Digital Evidence, Big Data, Hadoop, Hypervisors, P2P, Collaborative Live Investigation
National Category
Information Systems
Research subject
Computer and Systems Sciences; Information Systems Security
Identifiers
URN: urn:nbn:se:su:diva-114705
DOI: 10.1109/WorldCIS.2013.6751038
ISBN: 978-1-908320-22-3
Conference
World Congress on Internet Security (WorldCIS), London, 9-12 Dec. 2013
Available from: 2015-03-09. Created: 2015-03-09. Last updated: 2016-06-17. Bibliographically approved.
2. On the Network Performance of Digital Evidence Acquisition of Small Scale Devices over Public Networks
2015 (English). In: The Journal of Digital Forensics, Security and Law, ISSN 1558-7215, E-ISSN 1558-7223, Vol. 10, no. 3, pp. 59-86. Article in journal (Refereed), Published
Abstract [en]

While cybercrime proliferates, becoming more complex and surreptitious on the Internet, the tools and techniques used in performing digital investigations are still largely lagging behind, effectively slowing down law enforcement agencies at large. Real-time remote acquisition of digital evidence over the Internet is still an elusive ideal in the combat against cybercrime. In this paper we briefly describe the architecture of a comprehensive proactive digital investigation system termed the Live Evidence Information Aggregator (LEIA). This system aims at collecting digital evidence from potentially any device in real time over the Internet. Particular focus is placed on the importance of the efficiency of the network communication in the evidence acquisition phase, in order to retrieve potentially evidentiary information remotely and with immediacy. Through a proof-of-concept implementation, we demonstrate the live, remote evidence-capturing capabilities of such a system on small-scale devices, highlighting the necessity for better throughput and availability envisioned through the use of Peer-to-Peer overlays.

Keyword
Digital Forensics, Digital Evidence, Remote acquisition, Proactive forensics, Mobile devices, P2P, Network performance, Availability
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
URN: urn:nbn:se:su:diva-122847
000363877200004 ()
Available from: 2015-11-11. Created: 2015-11-10. Last updated: 2017-12-01. Bibliographically approved.
3. Semantic Representation and Integration of Digital Evidence
2013 (English). In: Procedia Computer Science, ISSN 1877-0509, E-ISSN 1877-0509, Vol. 22, pp. 1266-1275. Article in journal (Refereed), Published
Abstract [en]

The ever-increasing complexity and sophistication of computer and network attacks challenge society's dependence on digital infrastructure. Digital investigations recover and reconstruct the digital trails of such events and may employ practices from various subfields (computer forensics, network forensics), each with its own set of techniques and tools. Integration of evidence from heterogeneous sources of data (e.g. disk images, network packet captures, logs) is often a manual and time-consuming process relying significantly on the investigator's expertise. In this paper, we propose and develop an approach, based on the Semantic Web framework, for ontologically representing and integrating digital evidence. The presented approach enhances existing forensic analysis techniques by providing partial and eventually full automation of the investigative process.

Keyword
Digital evidence, Ontology, Semantic Web, Evidence Integration, Knowledge Representation
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
URN: urn:nbn:se:su:diva-97234
DOI: 10.1016/j.procs.2013.09.214
Conference
17th International Conference in Knowledge Based and Intelligent Information and Engineering Systems - KES 2013
Available from: 2013-12-05. Created: 2013-12-05. Last updated: 2017-12-06. Bibliographically approved.
4. Improving Distributed Forensics and Incident Response in Loosely Controlled Networked Environments
2016 (English). In: International Journal of Security and Its Applications, ISSN 1738-9976, Vol. 10, no. 1, pp. 385-414. Article in journal (Refereed), Published
Abstract [en]

Mobile devices and virtualized appliances in the Internet of Things can be end nodes on varying networks owned by different parties over time, while still seamlessly participating in licit or illicit activities. Digital Forensics and Incident Response (DFIR) tools today struggle to perform digital investigations in such loosely controlled networked environments, as they face several challenges including scarcity of resources, availability, trust, privacy, data volumes, velocity and variety. In this paper we analyze the state of research in DFIR in networked environments, identifying the challenges facing DFIR tools, particularly in loosely controlled network environments. We present the requirements for a system to address these challenges at the various steps of the typical digital investigation methodology. From this we identify the need for support from Peer-to-Peer (P2P) overlays and discuss their relative merits and drawbacks in order to identify those that would best support DFIR in loosely controlled networked environments. Finally, we incorporate both structured and unstructured P2P overlays in various capacities in our architecture in order to organize devices in loosely controlled networks, using context information, thus enabling efficient capture, analysis and reporting of artifacts of use in digital investigations.

Keyword
Digital Forensics, Incident Response, P2P Overlays, Open Distributed Systems, Uncontrolled Environment, Internet of Things
National Category
Computer Science
Research subject
Information Systems Security
Identifiers
URN: urn:nbn:se:su:diva-128806
000376639500035 ()
Available from: 2016-04-04. Created: 2016-04-04. Last updated: 2017-11-30. Bibliographically approved.

Open Access in DiVA

Full text (2478 kB)
File information
File name: FULLTEXT01.pdf
File size: 2478 kB
Checksum (SHA-512): 53867edf1d2f14216debb8654e4f5485a00d1815080458d41dcd5c01f87c78723e2397d8c9b0d5c8004a089466f25916a896f4bcea60b4e97e9ceaa566e03d8e
Type: fulltext
Mimetype: application/pdf

Author: Homem, Irvin
Organisation: Department of Computer and Systems Sciences