10 research outputs found

    Organisational Learning and Incident Response: Promoting Effective Learning Through The Incident Response Process

    Effective response to information security incidents is a critical function of modern organisations. However, recent studies have indicated that organisations have adopted a narrow and technical view of incident response (IR), focusing on the immediate concern of detection and subsequent corrective actions. Although some reflection on the IR process may be involved, it is typically limited to technical issues and does not leverage opportunities to learn about the organisational security threat environment and to adapt incident response capabilities. Given that the science of incident response is rooted in practice, it is not surprising that the same criticisms can be applied to much of the IR literature. However, a review of the literature in the area of organisational learning suggests that improvements can be made to the incident response process. This paper proposes that future incident response research must incorporate a learning focus, improve feedback timing on learning activities, facilitate double-loop learning, and incorporate an informal learning perspective within both formal, procedural incident response processes and unstructured, informal environments.

    Human/Technology Co-Adaptation in the context of Cybersecurity

    Understanding human-technology co-adaptation processes is becoming of utmost importance. Co-adaptation among various actors is critical for their survival, especially in turbulent environments such as cyberspace. Indeed, cyberspace is marked by imminent cyber threats forcing IT stakeholders to act promptly, reinforcing cybersecurity with complex and increasingly intrusive technologies with significant social impact. Based on a field study in which a governmental organization (GO) acquired cybersecurity systems, and leveraging a constructivist grounded theory extended with abductive research, this study shows that, because cybersecurity is only as strong as its weakest actor, a collectively successful co-adaptation amongst the various actors is of utmost importance. A technology-human co-adaptation model is proposed. It is processual in nature, with a holistic reach inspired by various adaptation dynamics such as power, identity, ethics and technology that drive the overall co-adaptation. Knowing what it takes to achieve a better co-adaptation will allow cybersecurity stakeholders, managers and practitioners to focus more on pre-adaptation efforts that facilitate the co-adaptation processes, thereby accelerating the much needed success of cybersecurity system deployments or of any other controversial but required technology.

    Digital evidence bags

    This thesis analyses the traditional approach and methodology used to conduct digital forensic information capture, analysis and investigation. The predominant toolsets and utilities that are used, and the features that they provide, are reviewed. This is used to highlight the difficulties that are encountered due to both technological advances and the methodologies employed. It is suggested that these difficulties are compounded by the archaic methods and proprietary formats that are used. An alternative framework for the capture and storage of information used in digital forensics is defined, named the 'Digital Evidence Bag' (DEB). A DEB is a universal, extensible container for the storage of digital information acquired from any digital source, the format of which can be manipulated to meet the requirements of the particular information that is to be stored. The format definition is extensible, thereby allowing it to encompass new sources of data, cryptographic and compression algorithms, and protocols as they are developed, whilst also providing the flexibility for some degree of backwards compatibility as the format develops. The DEB framework uses terminology to define its various components that is analogous to the evidence bags, tags and seals used for traditional physical evidence storage and continuity. This is crucial for ensuring that the functionality provided by each component is comprehensible to the general public, judiciary and law enforcement personnel without detracting from or obscuring the evidential information contained within. Furthermore, information can be acquired from a dynamic or more traditional static environment and from a disparate range of digital devices. The flexibility of the DEB framework permits selective and/or intelligent acquisition methods to be employed, together with enhanced provenance and continuity audit trails to be recorded. Evidential integrity is assured using accepted cryptographic techniques and algorithms. The DEB framework is implemented in a number of tool demonstrators and applied to a number of typical scenarios that illustrate the flexibility of the DEB framework and format. The DEB framework has also formed the basis of a patent application.

    Advanced Techniques for Improving the Efficacy of Digital Forensics Investigations

    Digital forensics is the science concerned with discovering, preserving, and analyzing evidence on digital devices. The intent is to be able to determine what events have taken place, when they occurred, who performed them, and how they were performed. In order for an investigation to be effective, it must exhibit several characteristics. The results produced must be reliable, or else the theory of events based on the results will be flawed. The investigation must be comprehensive, meaning that it must analyze all targets which may contain evidence of forensic interest. Since any investigation must be performed within the constraints of available time, storage, manpower, and computation, investigative techniques must be efficient. Finally, an investigation must provide a coherent view of the events under question using the evidence gathered. Unfortunately, the set of currently available tools and techniques used in digital forensic investigations does a poor job of supporting these characteristics. Many tools in use contain bugs which generate inaccurate results; there are many types of devices and data for which no analysis techniques exist; most existing tools are woefully inefficient, failing to take advantage of modern hardware; and the task of aggregating data into a coherent picture of events is largely left to the investigator to perform manually. To remedy this situation, we developed a set of techniques to facilitate more effective investigations. To improve reliability, we developed the Forensic Discovery Auditing Module, a mechanism for auditing and enforcing controls on accesses to evidence. To improve comprehensiveness, we developed ramparser, a tool for deep parsing of Linux RAM images, which provides previously inaccessible data on the live state of a machine. To improve efficiency, we developed a set of performance optimizations and applied them to the Scalpel file carver, creating order-of-magnitude improvements in processing speed and storage requirements. Last, to facilitate more coherent investigations, we developed the Forensic Automated Coherence Engine, which generates a high-level view of a system from the data generated by low-level forensics tools. Together, these techniques significantly improve the effectiveness of digital forensic investigations conducted using them.

    Network Forensics and Log Files Analysis: A Novel Approach to Building a Digital Evidence Bag and Its Own Processing Tool

    Intrusion Detection System (IDS) tools are deployed within networks to monitor data that is transmitted to particular destinations, such as MySQL or Oracle databases or log files. The data is normally dumped to these destinations without a forensic standard structure. When digital evidence is needed, forensic specialists are required to analyse a very large volume of data. Even though forensic tools can be utilised, most of this process has to be done manually, consuming time and resources. In this research, we aim to address this issue by combining several existing tools to archive the original IDS data into a new container (a Digital Evidence Bag) that has a structure based upon standard forensic processes. The aim is to develop a method to improve the current IDS database function in a forensic manner. This database will be optimised for future forensic analysis. Since evidence validity is always an issue, a secondary aim of this research is to develop a new monitoring scheme. This is to provide the necessary evidence to prove that an attacker had surveyed the network prior to the attack. To achieve this, we will set up a network that will be monitored by multiple IDSs. Open source tools will be used to carry out input validation attacks against the network, including SQL injection. We will design a new tool to obtain the original data in order to store it within the proposed DEB. This tool will collect the data from the several databases of the different IDSs. We will assume that the IDSs will not have been compromised.

    Building an open framework for establishing and maintaining the chain of custody in forensic analysis of digital evidence

    The ultimate goal of every digital forensic investigation is digital evidence that has been lawfully obtained and accepted by the court. This means that every piece of evidence must be collected through a digital forensic investigation process, which cannot begin without an order from the court, the prosecution, or management in the case of internal investigations within enterprises. During the digital forensic investigation process itself, the integrity of the digital evidence must be preserved and proven by proving the integrity of the chain of evidence. This means that it must be known at every moment who came into contact with the digital evidence, and what, when, how, why and where. If the chain of evidence is broken, the court will not accept such evidence. The basic goal of this thesis is scientific research that gives an overview of methods for maintaining the chain of digital evidence and methods for protecting the integrity of digital evidence, and that clarifies the concept of the life cycle of digital evidence. The aim is to point out the shortcomings of existing methods and to define new research directions for solving the problem of the chain of digital evidence by applying digital evidence ontologies through DEMF (Digital Evidence Management Framework), through which, at every moment of a digital investigation, the answer to all the essential questions of the participants in the digital investigation process would be known exactly, while the chain of evidence would also be maintained. The ultimate goal is to formally describe the concepts that appear in the process of managing digital evidence and to build a framework that would help judges and other persons dealing with the admissibility of digital evidence. In this thesis an ontology of digital evidence and of the chain of evidence was built, and basic business rules (if-then rules) were defined, which are the main driver of a framework that makes it possible to determine which evidence is formally admissible and which is not. Validation and evaluation of the constructed ontology were also carried out, and instances were created that served to test the framework. In addition, the thesis presents for the first time the situation in the courts of Bosnia and Herzegovina, where preliminary research was conducted using a survey method concerning digital evidence, proving the integrity of the chain of evidence, and the construct of the admissibility of digital evidence.
