An Ontology for Digital Forensics in IT Security Incidents - OPUS

More documents

Recommendations

Info

22 CHAPTER 4. FORENSICS 4.2.3.1 Registry Information about the registry data can be found in random access memory and on the hard disk but there is a dierence. In the memory there are parts of the registry that are only necessary at runtime and can therefore not be found on the disk. Forensically interesting is the dierence of the data from the two sources. One cause for dierences is that changes in the registry are not always immediately written to disk respectively memory. Another one is that malware tries to manipulate the computer by changing one or both sources. The naming of the dierent parts of the registry is inspired by the Microsoft Windows registry structure. Other conguration stores can also be mapped to this model even though the main target system is the Microsoft Windows family. The registry is made up of hives. Hives are the dierent les that contain conguration information. One hive contains the data of both sources to make it easier to spot dierences. The hives themselves have a tree structure, so every entry in the tree, called key, can have hive-values, the nal conguration data, and sub-keys. The keys can have a state-ag that tells whether it can be found only in volatile memory or in both sources. The hive-values are tuples with key, value and data type of the value. An example hive is shown in gure 4.3. As prior mentioned, the conguration of other systems can be mapped to this structure. For example the conguration of the Gnome Desktop is also structured as a tree[The GNOME Project, 2011]. 4.2.3.2 Network Similar to the registry data this data is acquired from one or more of the sources above. Interesting network information include current IP addresses and connections, gateways, and name server. If the malware for example wants to redirect the user to manipulated or forged websites it may change the name server as done by the DNSChanger[Federal Bureau of Investigation, 2011]. 4.2.3.3 Other data on a computer Of course there is more information stored on a computer. One example are log les. These can provide information about events on the system and when they occurred. From this perspective they are forensically interesting. As mentioned in [Kruse and Heiser, 2001, pp 291f] they are not necessarily trustworthy. At rst logging has to be enabled and working prior to the incident. Then there is the question about authenticity of the log entries. Some malware can create and/or edit log entries and thus obfuscate or delete traces. If the log is for example a normal le on the computer, it is similarly
4.2. DATA 23 root Hive1 Root subkey subkey subkey state Browser System Firewall "S" subkey state state state value History value value "S" value "V" value "S" value value state History1 www.informatik.uni-augsburg.de REG_SZ History2 www.google.com/search?q=ontology REG_SZ "V" Bookmark1 www.uni-augsburg.de REG_SZ Bookmark2 www.google.de REG_SZ Uptime 08150815 DWORD Status 1 DWORD Computername MyComputer REG_SZ Figure 4.3: Sample registry hive
Page 1: Diplomarbeit An Ontology for Digita
Page 4 and 5: Acknowledgement I would like to tha
Page 6 and 7: 4 CONTENTS 5.1.4 Storage . . . . .
Page 8 and 9: 6 CONTENTS
Page 10 and 11: 8 CHAPTER 1. INTRODUCTION data lead
Page 12 and 13: 10 CHAPTER 2. RELATED WORK investig
Page 14 and 15: 12 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 16 and 17: 14 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 18 and 19: 16 CHAPTER 4. FORENSICS Basic rules
Page 20 and 21: 18 CHAPTER 4. FORENSICS 4.1.2.2 Ran
Page 22 and 23: 20 CHAPTER 4. FORENSICS entry conta
Page 26 and 27: 24 CHAPTER 4. FORENSICS vulnerable
Page 28 and 29: 26 CHAPTER 4. FORENSICS The fls -m
Page 30 and 31: 28 CHAPTER 4. FORENSICS of the sock
Page 32 and 33: 30 CHAPTER 4. FORENSICS
Page 34 and 35: 32 CHAPTER 5. ONTOLOGY Person name
Page 36 and 37: 34 CHAPTER 5. ONTOLOGY 5.1.1 Creati
Page 38 and 39: 36 CHAPTER 5. ONTOLOGY Resource Des
Page 40 and 41: 38 CHAPTER 5. ONTOLOGY to be Augsbu
Page 42 and 43: 40 CHAPTER 5. ONTOLOGY Gephi and Cy
Page 44 and 45: 42 CHAPTER 5. ONTOLOGY
Page 46 and 47: 44 CHAPTER 6. FORENSIC ONTOLOGY for
Page 48 and 49: 46 CHAPTER 6. FORENSIC ONTOLOGY pro
Page 50 and 51: 48 CHAPTER 6. FORENSIC ONTOLOGY reg
Page 52 and 53: 50 CHAPTER 6. FORENSIC ONTOLOGY 6.9
Page 54 and 55: 52 CHAPTER 6. FORENSIC ONTOLOGY Par
Page 56 and 57: 54 CHAPTER 6. FORENSIC ONTOLOGY
Page 58 and 59: 56 CHAPTER 7. IMPLEMENTATION 7.3 RD
Page 60 and 61: 58 CHAPTER 7. IMPLEMENTATION the co
Page 62 and 63: 60 CHAPTER 7. IMPLEMENTATION 1 SELE
Page 64 and 65: 62 CHAPTER 7. IMPLEMENTATION Anothe
Page 66 and 67: 64 CHAPTER 7. IMPLEMENTATION 7.8 St
Page 68 and 69: 66 CHAPTER 8. EVALUATION 6. The las
Page 70 and 71: 68 CHAPTER 8. EVALUATION key (CTEMO
Page 72 and 73: 70 CHAPTER 9. SUMMARY after some is
Page 74 and 75:
72 APPENDIX A. EXTRACTION TOOL LIST
Page 76 and 77:
74 APPENDIX A. EXTRACTION TOOL LIST
Page 78 and 79:
76 APPENDIX B. FORENSIC TOOLS OUTPU
Page 80 and 81:
78 APPENDIX C. SCREENSHOTS Figure C
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
84 APPENDIX C. SCREENSHOTS
Page 88 and 89:
86 BIBLIOGRAPHY [Carrier, 2012c] Ca
Page 90 and 91:
88 BIBLIOGRAPHY [Microsoft, 2010] M
Page 92:
90 BIBLIOGRAPHY [W3C, 2004] W3C (20
show all

An Ontology for Digital Forensics in IT Security Incidents - OPUS

Create successful ePaper yourself

Delete template?

Save as template?