Embedding Forensic Capabilities into Networks: Addressing Inefficiencies in Digital Forensics Investigations

Endicott-Popovsky, Barbara; Frincke, Deborah A.

doi:10.1109/iaw.2006.1652087

Cited by 17 publications

(19 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that we consider tsi to be an abstraction over real-time clock variables that may be obtained following techniques such as [16], [7]. The generation of such abstractions is outside the scope of the paper.…”

Section: Operational Preservation Specificationmentioning

confidence: 99%

See 1 more Smart Citation

On evidence preservation requirements for forensic-ready systems

Alrajeh

Pasquale

Nuseibeh

2017

Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

View full text Add to dashboard Cite

Forensic readiness denotes the capability of a system to support digital forensic investigations of potential, known incidents by preserving in advance data that could serve as evidence explaining how an incident occurred. Given the increasing rate at which (potentially criminal) incidents occur, designing software systems that are forensic-ready can facilitate and reduce the costs of digital forensic investigations. However, to date, little or no attention has been given to how forensic-ready software systems can be designed systematically. In this paper we propose to explicitly represent evidence preservation requirements prescribing preservation of the minimal amount of data that would be relevant to a future digital investigation. We formalise evidence preservation requirements and propose an approach for synthesising specifications for systems to meet these requirements. We present our prototype implementationbased on a satisfiability solver and a logic-based learner-which we use to evaluate our approach, applying it to two digital forensic corpora. Our evaluation suggests that our approach preserves relevant data that could support hypotheses of potential incidents. Moreover, it enables significant reduction in the volume of data that would need to be examined during an investigation.

show abstract

Section: Operational Preservation Specificationmentioning

confidence: 99%

“…Request permissions from permissions@acm.org. of digital data from digital sources, for proof of incident and ultimately for prosecution of criminal activity [16,36]. Such data often comprises log entries indicating the occurrence of events in the digital sources placed within the environment in which an incident can occur.…”

Section: Introductionmentioning

confidence: 99%

On evidence preservation requirements for forensic-ready systems

Alrajeh

Pasquale

Nuseibeh

2017

Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

View full text Add to dashboard Cite

show abstract

“…Digital forensics is an emerging area within the broader domain of computer security whose main focus is the discovery and preservation of digital evidence for proof of criminal wrongdoing and ultimate prosecution of criminal activity (Endicott-Popovsky and Frincke, 2006). Computer evidence is becoming a routine part of criminal cases with nearly 85% of the current caseloads involving digital evidence (Meadaris, 2006).…”

Section: Introductionmentioning

confidence: 99%

Specifying digital forensics: A forensics policy approach

Taylor

Endicott-Popovsky

Frincke

2007

Digital Investigation

View full text Add to dashboard Cite

PolicyComputer security System specification Forensic properties a b s t r a c t In this paper we present an approach to digital forensics specification based on forensic policy definition. Our methodology borrows from computer security policy specification, which has accumulated a significant body of research over the past 30 years. We first define the process of specifying forensics properties through a forensics policy and then present an example application of the process. This approach lends itself to formal policy specification and verification, which would allow for more clarity and less ambiguity in the specification process.

show abstract

“…The same is true of the lack of technical forensics standardization both in the industry and academia. Despite the growing awareness and academic research on proactive forensics, its specification and implementation is still not consistent in the digital forensics community [4].…”

Section: Introductionmentioning

confidence: 99%