9 research outputs found

    Functional Requirements for Adding Digital Forensic Readiness as a Security Component in IoT Environments

    For every contact made on a digital device, a trace is left behind; this means that every digital device contains some form of electronic evidence that may be associated to the behaviour of the users in a given environment. This evidence can be used to prove or disprove facts if a cyber-incident is detected. However, the world has seen a shift on how devices communicate and connect as a result of increased devices and connectivity, which has led to the creation of “smart environments” where the Internet of Things (IoT) plays a key role. Still, we can harness this proliferation of digital devices and smart environments to Digital Forensic (DF) technology which might help to solve the puzzle of how proactive strategies can help to minimise the time and cost needed to conduct a digital investigation. This article introduces the Functional Requirements (FRs) and processes needed when Digital Forensic Readiness (DFR) process is employed as a security component in the IoT-based environment. The paper serves as a continuation of the initially proposed architecture for adding DFR as a security component to IoT environment. The aspects and claims presented in this paper can be used as basic building blocks for implementing DFR technologies that guarantee security in the IoT-based environment. It is worth noting again that the processes that have been defined in this paper comply with the ISO/IEC 27043: 2015 International Standard

    On digital forensic readiness in the cloud using a distributed agent-based solution : issues and challenges

    The need to perform digital investigations has over the years led to the exponential growth of the field of Digital Forensics (DF). However, quite a number of challenges face the act of proving – for purposes of Digital Forensic Readiness (DFR) – that an electronic event has occurred in cyberspace. The problem that this research addresses involves the challenges faced when an Agent-Based Solution (ABS) is used in the cloud to extract Potential Digital Evidence (PDE) for DFR purposes. Throughout the paper the authors have modified the functionality of an initially malicious botnet to act as a distributed forensic agent to conduct this process. The paper focuses on the general, technical and operational challenges that are encountered when trying to achieve DFR in the cloud environment. The authors finally propose a contribution by assessing the possible solutions from a general, technical and operational point of view. National Research Foundation [grant number UID85794]. http://www.tandfonline.com/loi/tajf20

    Novel digital forensic readiness technique in the cloud environment

    This paper examines the design and implementation of a feasible technique for performing Digital Forensic Readiness (DFR) in cloud computing environments. The approach employs a modified obfuscated Non-Malicious Botnet (NMB) whose functionality operates as a distributed forensic Agent-Based Solution (ABS) in a cloud environment with capabilities of performing forensic logging for DFR purposes. Under basic Service Level Agreements (SLAs), this proactive technique allows any organization to perform DFR in the cloud without interfering with operations and functionalities of the existing cloud architecture or infrastructure and the collected file metadata. Based on the evaluation discussed, the effectiveness of our approach is presented as the easiest way of conducting DFR in the cloud environment as stipulated in the ISO/IEC 27043: 2015 international standard, which is a standard of information technology, security techniques and incident investigation principles and processes. Through this technique, digital forensic analysts are able to maximize the potential use of digital evidence while minimizing the cost of conducting DFR. As a result of this process, the time and cost needed to conduct a Digital Forensic Investigation (DFI) is saved. As a consequence, the technique helps the law enforcement, forensic analysts and Digital Forensic Investigators (DFIs) during post-event response and in a court of law to develop a hypothesis in order to prove or disprove a fact during an investigative process, if there is an occurrence of a security incident. Experimental results of the developed prototype are described which conclude that the technique is effective in improving the planning and preparation of pre-incident detection during digital crime investigations. 
In spite of that, a comparison with other existing forensic readiness models has been conducted to show the effectiveness of the previously proposed Cloud Forensic Readiness as a Service (CFRaaS) model. The work was supported by National Research Foundation (Grant No. UID85794). http://www.tandfonline.com/loi/tajf20

    Functional requirements for adding digital forensic readiness as a security component in IoT environments

    For every contact made on a digital device, a trace is left behind; this means that every digital device contains some form of electronic evidence that may be associated to the behaviour of the users in a given environment. This evidence can be used to prove or disprove facts if a cyber-incident is detected. However, the world has seen a shift on how devices communicate and connect as a result of increased devices and connectivity, which has led to the creation of “smart environments” where the Internet of Things (IoT) plays a key role. Still, we can harness this proliferation of digital devices and smart environments to Digital Forensic (DF) technology which might help to solve the puzzle of how proactive strategies can help to minimise the time and cost needed to conduct a digital investigation. This article introduces the Functional Requirements (FRs) and processes needed when Digital Forensic Readiness (DFR) process is employed as a security component in the IoT-based environment. The paper serves as a continuation of the initially proposed architecture for adding DFR as a security component to IoT environment. The aspects and claims presented in this paper can be used as basic building blocks for implementing DFR technologies that guarantee security in the IoT-based environment. It is worth noting again that the processes that have been defined in this paper comply with the ISO/IEC 27043: 2015 International Standard. http://ijaseit.insightsociety.org

    Adding digital forensic readiness as a security component to the IoT domain

    The unique identities of remote sensing, monitoring, self-actuating, self-adapting and self-configuring “things” in Internet of Things (IoT) has come out as fundamental building blocks for the development of “smart environments”. This experience has begun to be felt across different IoT-based domains like healthcare, surveillance, energy systems, home appliances, industrial machines, smart grids and smart cities. These developments have, however, brought about a more complex and heterogeneous environment which is slowly becoming a home to cyber attackers. Digital Forensic Readiness (DFR) though can be employed as a mechanism for maximizing the potential use of digital evidence while minimizing the cost of conducting a digital forensic investigation process in IoT environments in case of an incidence. The problem addressed in this paper, therefore, is that at the time of writing this paper, there still exist no IoT architectures that have a DFR capability that is able to attain incident preparedness across IoT environments as a mechanism of preparing for post-event response process. It is on this premise, that the authors are proposing an architecture for incorporating DFR to IoT domain for proper planning and preparing in the case of security incidents. It is paramount to note that the DFR mechanism in IoT discussed in this paper complies with ISO/IEC 27043: 2015, 27030:2012 and 27017: 2015 international standards. It is the authors’ opinion that the architecture is holistic and very significant in IoT forensics. http://ijaseit.insightsociety.org

    Mapping digital forensic application requirement specification to an international standard

    A potential security incident may go unsolved if standardized forensic approaches are not applied during lawful investigations. This paper highlights the importance of mapping the digital forensic application requirement specification to an international standard, precisely ISO/IEC 27043. The outcome of this work is projected to contribute to the problem of secure DF tool creation, and in the process address Software Requirements Specification (SRS) as a process of digital evidence admissibility. http://www.elsevier.com/locate/fsir

    Digital forensic readiness in operational cloud leveraging ISO/IEC 27043 guidelines on security monitoring

    An increase in the use of cloud computing technologies by organizations has led to cybercriminals targeting cloud environments to orchestrate malicious attacks. Conversely, this has led to the need for proactive approaches through the use of digital forensic readiness (DFR). Existing studies have attempted to develop proactive prototypes using diverse agent-based solutions that are capable of extracting a forensically sound potential digital evidence. As a way to address this limitation and further evaluate the degree of PDE relevance in an operational platform, this study sought to develop a prototype in an operational cloud environment to achieve DFR in the cloud. The prototype is deployed and executed in cloud instances hosted on OpenStack: the operational cloud environment. The experiments performed in this study show that it is viable to attain DFR in an operational cloud platform. Further observations show that the prototype is capable of harvesting digital data from cloud instances and store the data in a forensic sound database. The prototype also prepares the operational cloud environment to be forensically ready for digital forensic investigations without alternating the functionality of the OpenStack cloud architecture by leveraging the ISO/IEC 27043 guidelines on security monitoring. https://wileyonlinelibrary.com/journal/spy2

    A Novel Cloud Forensic Readiness Service Model

    The ubiquity of the cloud has accelerated an abundance of modern Information and Communication Technology (ICT)-based technologies to be built based on the cloud infrastructures. This has increased the number of internet users, and has led to a substantial increase in the number of incidents related to information security in the recent past, in both the private and public sectors. This is mainly because criminals have increasingly used the cloud as an attack vector due to its prevalence, scalability and open nature. Such attacks have made it necessary to perform regular digital forensics analysis in cloud computing environments. Digital Forensics (DF) plays a significant role in information security by providing a scientific way of uncovering and interpreting evidence from digital sources that can be used in criminal, civil or corporate cases. It is mainly concerned with the investigation of crimes that are supported by digital evidence. Furthermore, DF is conducted for purposes of uncovering a potential security incident through Digital Forensic Investigations (DFIs). There is always some degree of uncertainty when cyber-security incidents occur in an organisation. This is because the investigation of cyber-security incidents, as compared to the investigation of physical crimes, is generally still in its infancy. Unless there are proper post-incident response and investigating strategies in place, there will always be questions about the level of trust and the integrity of digital forensic evidence in the cloud environment. The impact of cyber-security incidents can be enormous. Much damage has already been experienced in many organisations and a disparity between cyber-security incidents and digital investigations lies at the origin of where an incident is detected. 
Organisations need to reach a state of Digital Forensic Readiness (DFR), which implies that digital forensic planning, preparation must be in place, and that organisations can implement proper post-incident response mechanisms. However, research study on science and theories focused on the legal analysis of cloud computing has come under scrutiny because there are several constitutional and statutory provisions with regard to how digital forensic evidence can be acquired from Cloud Service Providers (CSPs). Nevertheless, for Digital Forensic Evidence (DFE) to satisfy admissibility conditions during legal proceedings in a court of law, acceptable DF processes should be systematically followed. Similarly, to enable digital forensic examination in cloud computing environments, it is paramount to understand the technology that is involved and the issues that relate to electronic discovery. At the time when this research thesis was being written, no forensic readiness model existed yet that focused on the cloud environment and that could help cloud-computing environments to plan and prepare to deal with cyber-security-related incidents. The aim of this research study is therefore to determine whether it is possible to achieve DFR in the cloud environment without necessarily having to modify the functionality and/or infrastructure of existing cloud architecture and without having to impose far-reaching architectural changes and incur high implementation costs. Considering the distributed and elastic nature of the cloud, there is a need for an easy way of conducting DFR by employing a novel software application as a prototype. In this research thesis, therefore, the researcher proposes a Cloud Forensic Readiness as a Service (CFRaaS) model and develops a CFRaaS software application prototype. 
The CFRaaS model employs the functionality of a malicious botnet, but its functionalities are modified to harvest digital information in the form of potential evidence from the cloud. The model digitally preserves such information and stores it in a digital forensic database for DFR purposes. The experiments conducted in this research thesis showed promising results because both the integrity of collected digital information and the constitutional and statutory conditions for digital forensic evidence acquisition have been maintained. Nevertheless, the CFRaaS software application prototype is important because it maximises the use of digital evidence while reducing the time and the cost needed to perform a DFI. The guidelines that have been used while conducting this process comply with ISO/IEC 27043:2015, namely Information Technology - Security techniques - Incident investigation principles and processes. The ISO/IEC 27043 international standard was used in this context to set the guidelines for common incident investigation processes. Based on this premise, the researcher was able to prove that DFR can be achieved in the cloud environment using this novel model. Nevertheless, the proposed CFRaaS concept prepares the cloud to be forensically ready for digital forensic investigations, without having to change the functionality and/or infrastructure of the existing cloud architecture. Several CFRaaS prototype implementation challenges have been discussed in this research thesis from a general, technical and operational point of view. Additionally, the researcher could relate the challenges to existing literature and eventually contributed by proposing possible high-level solutions for each associated challenge. Thesis (PhD)--University of Pretoria, 2017. University of Pretoria-UP Postgraduate Doctoral Research Award; UP Research Support; Special International Research Award.

    Conceptual model for crowd-sourcing digital forensic evidence

    COVID-19 scourge has made it challenging to combat digital crimes due to the complexity of attributing potential security incidents to perpetrators. Existing literature does not accurately pinpoint relevant models/frameworks that can be leveraged for crowd-sourcing digital forensic evidence. This paper suggests using feature engineering approaches for crowd-sourcing digital evidence to profile potential security incidents, for example, in a COVID-19 scenario. The authors have proposed a conceptual Crowd-sourcing (CRWD) model with three main components: Forensic data collection, feature engineering and the application of machine learning approaches, and also assessment with standardized reporting. This contribution is significantly poised to solve future investigative capabilities for forensic practitioners and computer security researchers. http://www.springer.com/series/15179