adding event reconstruction to a cloud forensic readiness

Post on 29-Jul-2015


Adding Event Reconstruction to a Cloud Forensic Readiness Model

Presenter: V.R. Kebande

Supervisor: Prof. Hein S. Venter

University of Pretoria

What is the focus of Digital Investigations Currently?

* Searching for Digital Evidence

* Collection of Digital Evidence

* Examining the Properties of Collected Evidence

But why is that Evidence Really Evidence? Important Aspect: Need to Identify what CAUSED Evidence to have the properties it has.

Introduction

ER examines and analyses the evidence to identify why it has its characteristics [Carrier & Spafford, 2004]. ER will pose the following questions:

* Why does the Evidence have the properties it has?

* Where could they have come from?

* When were they created?

This may help to create a hypothesis for a DFI (digital forensic investigation).

Reconstruction identifies events for which evidence exists to support their occurrence.

What is Event Reconstruction

Forensic Readiness: Maximizing an environment's ability to collect credible Digital Evidence.

Minimizing the cost of forensic investigation during incident response [Rowlingson, 2004]

ISO/IEC 27043: "occurs before incident detection"

A Cloud Forensic Readiness Model

Proactive Approach

Retaining Critical Information

Collecting appropriate Digital Evidence

So, How can a Cloud be Forensically Ready?

High-level view of the Model

What is involved?

Event reconstruction

* Event reconstruction Process

* High-level Process

* Detailed process

Proposed Enhanced Cloud Forensic Readiness Model

Enhanced Cloud Forensic Readiness Model

Reconstruction

Reconstruction Process

[Figure: reconstruction process diagram; surviving labels: P, S, A1, A2, A3 ... An, Wi, Xi, yi, Znei, (Clu_N)]

Event search function

Similarity measure between events represented by Minkowski's distance function

* A, B: events

* p = 1, 2, … to ∞: comparative metric for a suitable distance metric between events

* dMD: the distance metric for Minkowski Distance

Similarity Measure

$$d_{MD}(A,B) = \left(\sum_{i=1}^{n} |A_i - B_i|^p\right)^{1/p}$$

Event reconstruction based on the distance function helps achieve the following:

* To be able to distinguish one event from the other

* Predict behaviour of events

* Distinguish one event from the other through focusing on the relationship between them

* Enables a discovery of the structure of events

Using distance metric
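The following is an added worked example, not code from the presentation or from the ECFR model's authors. It implements the slide's Minkowski distance d_MD(A, B) = (sum_i |A_i - B_i|^p)^(1/p) over events represented as numeric feature vectors, then uses it for the event search function (nearest stored event to a query) and for discovering structure by grouping events whose pairwise distance falls under a threshold. The event feature set (seconds since the first event, source host id, action code, kilobytes transferred) and the sample events are constructed assumptions made purely for illustration.

```python
"""Added example (not from the presentation): Minkowski-distance similarity
between reconstructed events, using the slide's notation
d_MD(A, B) = (sum_i |A_i - B_i|^p)^(1/p).

Events are numeric feature vectors. The feature layout used here is an
assumption for illustration: [t_offset_seconds, host_id, action_code, kilobytes].
"""

from itertools import combinations
from math import inf
from typing import Dict, List, Sequence, Tuple

# Constructed sample events from a hypothetical cloud audit log (not real data).
EVENTS: Dict[str, List[float]] = {
    "A1": [0.0, 1.0, 2.0, 4.0],
    "A2": [5.0, 1.0, 2.0, 6.0],
    "A3": [900.0, 7.0, 9.0, 512.0],
    "A4": [905.0, 7.0, 9.0, 500.0],
}


def minkowski(a: Sequence[float], b: Sequence[float], p: float) -> float:
    """d_MD(A, B) for p >= 1; p = inf gives the Chebyshev (max-coordinate) limit."""
    if len(a) != len(b):
        raise ValueError("events must have the same number of features")
    if p < 1:
        raise ValueError("Minkowski distance requires p >= 1")
    diffs = [abs(x - y) for x, y in zip(a, b)]
    if p == inf:
        return max(diffs)
    return sum(d ** p for d in diffs) ** (1.0 / p)


def nearest_event(query: Sequence[float], events: Dict[str, List[float]],
                  p: float = 2) -> Tuple[str, float]:
    """Event search function: the stored event with the smallest d_MD to the query."""
    scored = ((name, minkowski(query, vec, p)) for name, vec in events.items())
    return min(scored, key=lambda pair: pair[1])


def group_events(events: Dict[str, List[float]], p: float,
                 threshold: float) -> List[List[str]]:
    """Discover structure: single-linkage groups of events with d_MD <= threshold.

    Uses a small union-find so that A~B and B~C place A, B and C in one group
    even when d_MD(A, C) itself exceeds the threshold.
    """
    parent = {name: name for name in events}

    def find(name: str) -> str:
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path compression
            name = parent[name]
        return name

    for x, y in combinations(events, 2):
        if minkowski(events[x], events[y], p) <= threshold:
            parent[find(x)] = find(y)

    groups: Dict[str, List[str]] = {}
    for name in events:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(members) for members in groups.values())


if __name__ == "__main__":
    for p in (1, 2, inf):
        print(f"p={p}: d_MD(A1, A2) = {minkowski(EVENTS['A1'], EVENTS['A2'], p):.3f}")
    print("nearest to query:", nearest_event([2.0, 1.0, 2.0, 5.0], EVENTS))
    print("groups (p=1, threshold 20):", group_events(EVENTS, 1, 20.0))
```

Two points a practitioner would check before relying on this: the choice of p changes which feature differences dominate (p = 1 sums them, p = ∞ keeps only the largest), and features on very different scales (seconds versus kilobytes here) should be normalised first, or the timestamp offset will swamp every other property of the event.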

The ECFR can still be extended.

Conclusion
