Semantic Representation and Integration of Digital Evidence: foreign-language source and translation material

 2023-01-30 03:01

The English original is 10 pages in total; the remaining content is hidden and the complete material can be downloaded after payment.


Semantic Representation and Integration of Digital Evidence

Introduction

Digital investigations are becoming increasingly complex as the multitude and volume of digital evidence requiring analysis grows. Digital evidence of an incident has been defined as “any digital data that contain reliable information that supports or refutes a hypothesis about the incident”. The scope of digital evidence is constantly expanding, encompassing existing and new technologies such as computers, network logs and traffic captures, live memory, mobile devices etc. In this paper, the broader term ‘digital investigation’ is used as a bridging concept between ‘the use of scientifically derived and proven methods’ employed in digital forensic science and the process that ‘investigates and learns from such security breaches’ employed in incident response. Various frameworks and process models have been suggested, driven by the need to formalize and structure the set of techniques and methods employed during the different phases of a digital investigation. The analysis phase is found to be the least formalized, often relying on the expertise and experience of the practitioner to assess the relevance of the data to the case and to combine them in ‘revealing’ ways; these tasks are time-consuming and error-prone when performed manually and under co-operative schemes.

Certainly, specialized forensic and security tools contribute significantly to, and (semi-)automate parts of, the analysis of the large volumes of digital data that may be collected during a digital investigation. Such tools can be considered as interpreters between the different layers of abstraction in which data can be manifested, thus making analysis more ‘investigator-friendly’, in spite of the additional types of errors they may introduce. As an example, dispersed sets of disk sectors are combined by a file-system analysis tool in order to reconstruct an allocated but fragmented file; or multiple network packets are reassembled by a protocol analysis tool in order to reconstruct an application-layer ‘conversation’, enabling the investigator to review and assess their evidentiary value. However, such tools have often been characterized as first-generation tools, mostly suited to manual analysis and having serious limitations in handling large volumes of data.

The aforementioned tool limitations become even more apparent considering the distributed nature of digital evidence in modern cases, which poses requirements for enhanced tool interoperability and rich capabilities for integrating and correlating evidence. A large variety of digital forensic and security tools exists nowadays, both commercial and open-source, in most cases however with a high degree of specialization on a specific type of data source (e.g. file-system analysis, network protocol analysis, volatile memory analysis etc.). Even sophisticated integrated forensic platforms that encompass multiple tools and features (e.g. navigation, search and presentation) often rely on proprietary, unstructured and/or undocumented formats for representing and reporting their results, thus impairing their further integration. The need for establishing a standardized set of abstractions and data formats covering the possible data types encountered during a digital investigation, as well as for combining the results of various tools, has already been well described in the literature.

In this paper, we extend previous proposals on employing Semantic Web technologies for the ontology-based representation of digital evidence, as well as (semi-)automated methods for evidence integration, especially across heterogeneous sources of data. We describe a method for semantically annotating digital evidence, integrating and searching over it, and discuss a prototype implementation of a proof-of-concept platform that will be used as a basis for evaluating, further developing and improving our approach.

Previous Work

The need for exchangeable, computer-interpretable data formats across forensic applications has been evident since the field started maturing, and has given rise to various approaches, although none is yet widespread. One of the most prominent efforts has been the introduction of the Digital Forensics XML language (DFXML). This is an XML vocabulary that can describe in a structured manner the contents of a disk image, such as volumes, files or even fragments of a file's contents in the form of byte runs, along with their relevant metadata such as name, size, timestamps etc. The same work also describes the ‘fiwalk’ tool, which produces the DFXML representation of a given disk image and supports existing digital evidence container formats such as AFF4 and EWF.

Similar approaches that have led to the definition of domain-specific XML languages have also been applied in other areas, such as live memory forensics and network forensics (PDML and PSML), as well as in more generic approaches such as the Digital Evidence Exchange (DEX) format and the XIRAF framework. Although XML provides a common syntax that addresses data interchange and encoding concerns, it lacks expressivity about what these elements and attributes mean and how they relate to each other. A software agent is thus limited in terms of what additional conclusions it can draw from a given set of data, or how to link elements defined under different namespaces.

Other approaches have employed the Resource Description Framework (RDF) data model as a way of annotating digital evidence with additional metadata. RDF adopts a data model in which statements about a resource are expressed in the form of subject-predicate-object triples. The AFF4 forensic format, which acts as a container of digital evidence, has leveraged RDF's support for arbitrary and expressive attributes of standard or custom types, for ass
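As an added worked example for the DFXML and RDF passages above (this is illustrative code written for this page, not code from the paper, from fiwalk or from any tool it cites): a small Python script that parses a constructed DFXML fragment, rebuilds each described file from its byte runs against a constructed disk image, checks the recorded digest, and re-expresses the result as RDF subject-predicate-object statements in N-Triples form, deriving a link between two file objects whose rebuilt content is identical. The DFXML element names follow fiwalk's output; the `http://example.org/evidence#` vocabulary, the sample image and the file contents are assumptions made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import namedtuple
from dataclasses import dataclass, field

# Namespace of historical fiwalk DFXML output.  The RDF vocabulary below is an
# assumed example namespace for this illustration, not a published ontology.
DFXML_NS = "http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML"
EX = "http://example.org/evidence#"
XSD = "http://www.w3.org/2001/XMLSchema#"

# Constructed "disk image": 8 KiB of zeros holding one fragmented file (two
# runs stored out of order) and a second, contiguous copy of the same content.
REPORT = b"digital evidence supports or refutes a hypothesis about the incident"
IMAGE = bytearray(8192)
IMAGE[4096:4096 + 16] = REPORT[:16]
IMAGE[1024:1024 + len(REPORT) - 16] = REPORT[16:]
IMAGE[6144:6144 + len(REPORT)] = REPORT

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed DFXML shaped like fiwalk output; digests are filled in from the
# constructed content so that the round trip below can check them.
SAMPLE_DFXML = f"""<dfxml xmlns="{DFXML_NS}" version="1.0">
 <volume offset="0">
  <fileobject>
   <filename>docs/report.txt</filename><filesize>{len(REPORT)}</filesize>
   <byte_runs>
    <byte_run file_offset="0" img_offset="4096" len="16"/>
    <byte_run file_offset="16" img_offset="1024" len="{len(REPORT) - 16}"/>
   </byte_runs>
   <hashdigest type="sha256">{sha256_hex(REPORT)}</hashdigest>
  </fileobject>
  <fileobject>
   <filename>tmp/report-copy.txt</filename><filesize>{len(REPORT)}</filesize>
   <byte_runs><byte_run file_offset="0" img_offset="6144" len="{len(REPORT)}"/></byte_runs>
   <hashdigest type="sha256">{sha256_hex(REPORT)}</hashdigest>
  </fileobject>
 </volume>
</dfxml>"""

ByteRun = namedtuple("ByteRun", "file_offset img_offset length")

@dataclass
class FileObject:
    name: str
    size: int
    runs: list = field(default_factory=list)
    digests: dict = field(default_factory=dict)

def parse_dfxml(xml_text: str) -> list:
    """Extract the fileobjects of a DFXML document.  ElementTree is not hardened
    against entity-expansion attacks; use defusedxml for output of untrusted tools."""
    ns = {"d": DFXML_NS}
    files = []
    for fo in ET.fromstring(xml_text).iter(f"{{{DFXML_NS}}}fileobject"):
        obj = FileObject(name=fo.findtext("d:filename", default="", namespaces=ns),
                         size=int(fo.findtext("d:filesize", default="0", namespaces=ns)))
        for run in fo.iterfind("d:byte_runs/d:byte_run", ns):
            obj.runs.append(ByteRun(int(run.get("file_offset", "0")),
                                    int(run.get("img_offset")), int(run.get("len"))))
        for hd in fo.iterfind("d:hashdigest", ns):
            obj.digests[hd.get("type", "").lower()] = (hd.text or "").strip().lower()
        files.append(obj)
    return files

def reconstruct(image: bytes, fo: FileObject) -> bytes:
    """Reassemble a possibly fragmented file from its byte runs, as a file-system
    tool does when it turns dispersed sectors back into a file."""
    out = bytearray(fo.size)
    for run in sorted(fo.runs, key=lambda r: r.file_offset):
        if run.file_offset + run.length > fo.size or run.img_offset + run.length > len(image):
            raise ValueError(f"{fo.name}: byte run outside file or image bounds")
        out[run.file_offset:run.file_offset + run.length] = image[run.img_offset:run.img_offset + run.length]
    return bytes(out)

def verify(fo: FileObject, data: bytes) -> bool:
    """True only if the DFXML carried a SHA-256 digest and the rebuilt bytes match it."""
    recorded = fo.digests.get("sha256")
    return recorded is not None and recorded == sha256_hex(data)

def literal(value, xsd_type=None) -> str:
    """N-Triples literal, optionally typed with an XML Schema datatype."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"' + (f"^^<{XSD}{xsd_type}>" if xsd_type else "")

def to_ntriples(image: bytes, files: list) -> list:
    """Express each file as subject-predicate-object statements and derive a link
    between file objects whose rebuilt content is identical (cross-object correlation)."""
    triples, by_digest = [], {}
    for i, fo in enumerate(files):
        subj, data = f"<{EX}file/{i}>", reconstruct(image, fo)
        digest = sha256_hex(data)
        triples += [f"{subj} <{EX}fileName> {literal(fo.name)} .",
                    f"{subj} <{EX}fileSize> {literal(fo.size, 'integer')} .",
                    f"{subj} <{EX}sha256> {literal(digest)} .",
                    f"{subj} <{EX}digestVerified> {literal(str(verify(fo, data)).lower(), 'boolean')} ."]
        for other in by_digest.get(digest, []):
            triples.append(f"{subj} <{EX}sameContentAs> {other} .")
        by_digest.setdefault(digest, []).append(subj)
    return triples
```

Calling `to_ntriples(IMAGE, parse_dfxml(SAMPLE_DFXML))` yields the name, size, digest and verification status of each file as triples, plus a `sameContentAs` statement linking the second file object to the first. The point of the RDF layer is the last statement: the XML merely records two file objects, whereas the triples state a relationship between them that a query engine or agent can follow, which is the kind of linking across separately produced records that the XML-only approaches above cannot express.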




