Adding Event Reconstruction to a Cloud Forensic Readiness Model
Presenter: V.R. Kebande; Supervisor: Prof. Hein S. Venter
University of Pretoria
What is the focus of Digital Investigations currently?
Searching for digital evidence
Collection of digital evidence
Examining the properties of collected evidence
But why is that evidence really evidence? Important aspect: we need to identify what CAUSED the evidence to have the properties it has.
Introduction
Event reconstruction (ER) examines and analyses the evidence to identify why it has its characteristics [Carrier & Spafford, 2004]. ER poses the following questions:
Why does the evidence have the properties it has?
Where could they have come from?
When were they created?
This may help to create a hypothesis for a digital forensic investigation (DFI).
Reconstruction identifies events for which evidence exists to support their occurrence.
What is Event Reconstruction?
Forensic Readiness: maximizing an environment's ability to collect credible digital evidence while minimizing the cost of forensic investigation during incident response [Rowlingson, 2004].
ISO/IEC 27043: forensic readiness "occurs before incident detection".
A Cloud Forensic Readiness Model
Proactive Approach
Retaining Critical Information
Collecting appropriate Digital Evidence
So, How can a Cloud be Forensically Ready?
High-level view of the Model
What is involved?
Event reconstruction
* Event reconstruction process
* High-level process
* Detailed process
Proposed Enhanced Cloud Forensic Readiness Model
Enhanced Cloud Forensic Readiness Model
Reconstruction
Reconstruction Process
[Figure: reconstruction process diagram with nodes P and S, events A1, A2, A3 ... An with attributes Wi, Xi, Yi, Zi, grouped into clusters (Clu_N)]
Event search function
Similarity measure between events represented by Minkowski's distance function:
d_{MD}(A, B) = \left( \sum_{i=1}^{n} |A_i - B_i|^p \right)^{1/p}
A, B: events; p = 1, 2, … to ∞ is the comparative parameter that selects a suitable distance metric between events; d_MD: the Minkowski distance metric.
Similarity Measure
Event reconstruction based on the distance function helps achieve the following:
Distinguishing one event from another by focusing on the relationship between them
Predicting the behaviour of events
Discovering the structure of events
Using distance metric
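The similarity measure and the distance-based reconstruction described above, as an added example that is not part of the slides: the Minkowski distance d_MD over event attribute vectors, an assumed shape for the event search function, and a simple grouping of events into clusters (Clu_N). The events, their attributes and the thresholds are constructed for illustration.

```python
"""Minkowski distance d_MD as a similarity measure between events (added example)."""
from math import inf
from typing import Dict, List, Sequence, Tuple

# Constructed sample events, not taken from any real cloud log. Each event is
# a vector of numeric attributes: seconds since the first event, bytes moved,
# number of API calls. A1..A3 lie close together; A4 is an outlier.
EVENTS: Dict[str, Sequence[float]] = {
    "A1": (0.0, 512.0, 3.0),
    "A2": (2.0, 530.0, 3.0),
    "A3": (1.0, 498.0, 4.0),
    "A4": (900.0, 40960.0, 40.0),
}

def minkowski(a: Sequence[float], b: Sequence[float], p: float) -> float:
    """d_MD(A, B) = (sum_i |A_i - B_i|^p)^(1/p) for 1 <= p <= infinity.
    p = 1 is the Manhattan distance, p = 2 the Euclidean distance and
    p = inf the Chebyshev distance (the limit of the formula as p grows)."""
    if len(a) != len(b):
        raise ValueError("events must have the same number of attributes")
    if p < 1:
        raise ValueError("p must be >= 1 for d_MD to be a metric")
    diffs = [abs(x - y) for x, y in zip(a, b)]
    if p == inf:
        return max(diffs, default=0.0)
    return sum(d ** p for d in diffs) ** (1.0 / p)

def search_similar(events: Dict[str, Sequence[float]], query: str,
                   p: float, threshold: float) -> List[Tuple[str, float]]:
    """Event search function (shape assumed; the slides only name it):
    all events within `threshold` of `query`, nearest first."""
    hits = [(name, minkowski(events[query], vec, p))
            for name, vec in events.items() if name != query]
    return sorted([h for h in hits if h[1] <= threshold], key=lambda h: h[1])

def cluster(events: Dict[str, Sequence[float]], p: float,
            threshold: float) -> List[List[str]]:
    """Greedy single-pass grouping into clusters (Clu_N): an event joins the
    first cluster whose first member is within `threshold`, else starts one.
    Attributes on different scales (bytes vs. seconds) dominate d_MD, so
    normalise them before clustering real telemetry."""
    clusters: List[List[str]] = []
    for name, vec in events.items():
        for group in clusters:
            if minkowski(events[group[0]], vec, p) <= threshold:
                group.append(name)
                break
        else:
            clusters.append([name])
    return clusters
```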
The Enhanced Cloud Forensic Readiness (ECFR) model can still be extended.
Conclusion