Quantitative evaluation of the results of digital forensic investigations: a review of progress

Overill, Richard E.; Collie, Jan

doi:10.1080/20961790.2020.1837429

Cited by 5 publications

(4 citation statements)

References 28 publications

(26 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…where parameter e i ∈ [1, ∞) represents the scale of importance of potential digital evidence, specified as probative value. In particular, probative value is defined as the degree of significance of digital evidence used to decide whether the evidence supports a particular hypothesis in a legal case [36]. Formally, let E i denote the set of probative values for microservice i.…”

Section: Strategies and Utility Functionsmentioning

confidence: 99%

Adaptive Observability for Forensic-Ready Microservice Systems

Monteiro

Zisman

et al. 2023

IEEE Trans. Serv. Comput.

View full text Add to dashboard Cite

Microservice-based applications may include multiple instances of microservices running on containerised infrastructures. These infrastructures pose challenges to digital investigations of security incidents because digital evidence can be destroyed when containers are terminated. Observability techniques are used to facilitate the investigation of incidents in microservice systems. However, existing observability approaches do not address security incidents when there is a need to perform digital forensic investigations. Furthermore, approaches to proactively support digital forensic investigations are limited to security incidents that are known a priori. In this paper, we propose an adaptive observability approach based on game theory. The approach addresses the challenge of implementing forensic-ready microservice systems while considering uncertainties in security incidents. Our approach provides evidence collection capabilities for microservice systems and continually adapts to improve the forensic readiness of microservices. Specifically, the approach uses game theory to model and reason about the interactions between users and microservices, determining the optimal time and manner for observing microservices before the occurrence of security incidents. The performance of the approach has been assessed and compared with other observability approaches. Results of the evaluation indicate that adaptive observability outperforms other observability approaches, with improvements ranging from 3.1% up to 42.50%.

show abstract

Section: Strategies and Utility Functionsmentioning

confidence: 99%

Adaptive Observability for Forensic-Ready Microservice Systems

Monteiro

Zisman

et al. 2023

IEEE Trans. Serv. Comput.

View full text Add to dashboard Cite

show abstract

“…In this context, creating interoperable and auditable forensic procedures is a hard task, especially due to the lack of standardised reporting mechanisms. Moreover, qualitative aspects such as the outcomes and conclusions supported by the forensic analysis are often not reported accurately in an attempt to balance between technicality and comprehensibility, hindering the robustness of the findings [196]- [198]. Of particular relevance is the communication and readability of such reports, especially if these are to be interpreted by law practitioners, judges, and other stakeholders who do not always have the necessary technical background about the forensic tools nor the underlying technologies analysed [199], [200].…”

Section: Forensic Readability and Reportingmentioning

confidence: 99%

“…The above implies the development of advanced machine learning and AI algorithms and tools that will underpin future digital forensics investigations. An important part of these systems is undoubtedly understanding the scope of the investigation and the explainability of the results [257], which is critical to assess the impact of current investigations and quantify their effectiveness [198], a critical step to ensure the implementation of the proper measures. The latter is a crucial part of AI and machine learning modules that have to be introduced as in order for a piece of evidence to be admissible in a court of law, one has to justify not only how and from where it has been collected but to also prove the relevance to the case, how it was used, and why it is linked with the rest of the evidence.…”

Section: B Open Issues and Future Trendsmentioning

confidence: 99%

Research Trends, Challenges, and Emerging Topics in Digital Forensics: A Review of Reviews

et al. 2022

View full text Add to dashboard Cite

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the projects LOCARD (https://locard.eu) (Grant Agreement no. 832735) and CyberSec4Europe (https://www.cybersec4europe.eu) (Grant Agreement no. 830929). F. Casino was supported by the Beatriu de Pinós programme of the Government of Catalonia (Grant No. 2020 BP 00035). The content of this article does not reflect the official opinion of the European Union. Responsibility for the information and views expressed therein lies entirely with the authors.

show abstract

“…The investigation process is highly dependent on the device type and environment used, which means that digital forensics has more than one branch because digital devices can include traditional computers, mobile devices, and network devices such as routers [28]. Furthermore, the continual emergence of new types of cybercrime necessitates adaptive investigation process models, new technology, and cutting-edge techniques to combat these incidents [29], [30]. The most significant objective of digital forensics is to gather evidence to respond to the 5Ws and How (5WH) questions: what occurred, who was involved, and when, where, why, and how an incident occurred.…”

Section: Introductionmentioning

confidence: 99%

A Novel Digital Forensic Framework for Data Breach Investigation

et al. 2023

View full text Add to dashboard Cite

Data breaches are becoming an increasingly prevalent and global concern due to their massive impact. One of the primary challenges in investigating data breach incidents is the unavailability of a specific framework that acknowledges the characteristics of a data breach incident and provides clear steps on how the investigative framework can comprehensively answer what, who, when, where, why, and how (5WH) questions. This paper aims to develop a novel digital forensic investigation framework that can overcome these data breach investigation challenges. The proposed framework utilizes the data breach breakdown phases to analyze data breach incidents according to their characteristics. The main contribution of our work is a novel digital forensic framework for data breach investigation that enhances the 5WH analysis depth by utilizing evidence classification and artifact visualization based on data breach breakdown phases. Furthermore, we design the framework components to provide comprehensive analysis results that make it easier for investigators to summarize the answers to the 5WH questions. To validate the framework, we apply it to a case study of enterprise-level data breach incidents. Based on the case study analysis, the proposed investigation framework successfully provides all the answers to the 5WH questions. This comprehensive answering ability is the study's fundamental strength compared to other digital forensic investigation frameworks.INDEX TERMS data breach, digital forensics, framework, investigation.

show abstract

Quantitative evaluation of the results of digital forensic investigations: a review of progress

Cited by 5 publications

References 28 publications

Adaptive Observability for Forensic-Ready Microservice Systems

Adaptive Observability for Forensic-Ready Microservice Systems

Research Trends, Challenges, and Emerging Topics in Digital Forensics: A Review of Reviews

A Novel Digital Forensic Framework for Data Breach Investigation

Contact Info

Product

Resources

About