51 research outputs found

    Adding Digital Forensic Readiness as a Security Component to the IoT Domain

    The unique identities of remote sensing, monitoring, self-actuating, self-adapting and self-configuring “things” in the Internet of Things (IoT) have emerged as fundamental building blocks for the development of “smart environments”. This is already being felt across different IoT-based domains such as healthcare, surveillance, energy systems, home appliances, industrial machines, smart grids and smart cities. These developments have, however, brought about a more complex and heterogeneous environment which is slowly becoming a home to cyber attackers. Digital Forensic Readiness (DFR), though, can be employed as a mechanism for maximizing the potential use of digital evidence while minimizing the cost of conducting a digital forensic investigation process in IoT environments in case of an incident. The problem addressed in this paper, therefore, is that at the time of writing there still exist no IoT architectures with a DFR capability able to attain incident preparedness across IoT environments as a mechanism for preparing for the post-event response process. It is on this premise that the authors propose an architecture for incorporating DFR into the IoT domain for proper planning and preparation in the case of security incidents. It is paramount to note that the DFR mechanism in IoT discussed in this paper complies with the ISO/IEC 27043:2015, 27030:2012 and 27017:2015 international standards. It is the authors’ opinion that the architecture is holistic and very significant in IoT forensics.

    Real-time monitoring as a supplementary security component of vigilantism in modern network environments

    © 2020, The Author(s). The phenomenon of network vigilantism is autonomously attributed to how anomalies and obscure activities from adversaries can be tracked in real time. Needless to say, in today’s dynamic, virtualized and complex network environments, it has become undeniably necessary for network administrators, analysts and engineers to practice network vigilantism on traffic as well as other network events in real time. The reason is to understand the exact security posture of an organization’s network environment at any given time. This is driven by the fact that modern network environments not only present new opportunities to organizations but also a different set of new and complex cybersecurity challenges that need to be resolved daily. The growing size, scope, complexity and volume of networked devices in modern network environments also makes it hard even for the most experienced network administrators to independently provide the breadth and depth of knowledge needed to oversee or diagnose complex network problems. Besides, with the growing number of Cyber Security Threats (CSTs) in the world today, many organisations have been forced to change the way they plan, develop and implement cybersecurity strategies as a way to reinforce their ability to respond to cybersecurity incidents. This paper, therefore, examines the relevance of Real-Time Monitoring (RTM) as a supplementary security component of vigilantism in modern network environments, especially for proper planning, preparedness and mitigation in case of a cybersecurity incident. Additionally, this paper investigates some of the key issues and challenges surrounding the implementation of RTM for security vigilantism in modern network environments.

    Digital forensic readiness intelligence crime repository

    It may not always be possible to conduct a digital (forensic) investigation post-event if there is no process in place to preserve potential digital evidence. This study posits the importance of digital forensic readiness, or forensic-by-design, and presents an approach that can be used to construct a Digital Forensic Readiness Intelligence Repository (DFRIR). Based on the concept of knowledge sharing, the authors leverage this premise to suggest an intelligence repository. Such a repository can be used to cross-reference potential digital evidence (PDE) sources that may help digital investigators during the process. The approach employs a technique of capturing PDE from different sources and creating a DFR repository that can be shared across diverse jurisdictions among digital forensic experts and law enforcement agencies (LEAs) in the form of intelligence. To validate the approach, the study employed a qualitative method based on a number of metrics, and an analysis of experts' opinion has been incorporated. The DFRIR seeks to maximize the collection of PDE and to reduce the time needed to conduct a forensic investigation (e.g., by reducing the time for learning). This study then explains how such an approach can be employed in conjunction with ISO/IEC 27043:2015.

    Error Level Analysis Technique for Identifying JPEG Block Unique Signature for Digital Forensic Analysis

    The popularity of unique image compression features of image files opens an interesting research analysis process, given that several digital forensics cases are related to diverse file types. Of interest has been fragmented file carving and recovery, which forms a major aspect of digital forensics research on JPEG files. Whilst there exist several challenges, this paper focuses on the challenge of determining the co-existence of JPEG fragments within various file fragment types. Existing works have exhibited a high false-positive rate, therefore necessitating manual validation. This study develops a technique that can identify the unique signature of JPEG 8 × 8 blocks using the Error Level Analysis technique, implemented in MATLAB. The experiment, conducted with 21 images in JFIF format with 1008 blocks, shows the efficacy of the proposed technique. Specifically, the initial results from the experiment show that JPEG 8 × 8 blocks have unique characteristics which can be leveraged for digital forensics. An investigator could, therefore, search for these unique characteristics to identify a JPEG fragment during a digital investigation process.

    Ontology‐driven perspective of CFRaaS

    A Cloud Forensic Readiness as a Service (CFRaaS) model allows an environment to preemptively accumulate relevant potential digital evidence (PDE) which may be needed during a post-event response process. The benefit of applying a CFRaaS model in a cloud environment is that it is designed to prevent the modification or tampering of the cloud architectures or infrastructure during the reactive process, which could otherwise have far-reaching implications. The authors of this article present the reactive process as a very costly exercise when the infrastructure must be reprogrammed every time the process is conducted. This may hamper successful investigation from the perspective of forensic experts and law enforcement agencies. The CFRaaS model, in its current state, has not been presented in a way that can help to classify or visualize the different types of potential evidence in all the cloud deployment models, and this may limit the expectations of what or how the required PDE may be collected. To address this problem, the article presents the CFRaaS from a holistic ontology-driven perspective, which allows forensic experts to apply the CFRaaS based on the simplicity of its concepts, the relationships or semantics between different forms of potential evidence, and how the security of the digital environment being investigated could be upheld. The CFRaaS in this context follows a fundamental ontology engineering approach that is based on the classical Resource Description Framework. The proposed ontology-driven approach to CFRaaS is, therefore, a knowledge base that uses layer dependencies, which could be an essential toolkit for digital forensic examiners and other stakeholders in cloud security. The implementation of this approach could further provide a platform to develop other knowledge base components for cloud forensics and security.

    Taxonomy for digital forensic evidence

    The conference aimed at supporting and stimulating active, productive research set to strengthen the technical foundations of engineers and scientists in the continent, through developing strong technical foundations and skills, leading to new small to medium enterprises within the African sub-continent. It also sought to encourage the emergence of functionally skilled technocrats within the continent.
    Modern society has increased its dependence on digital systems and computer networks in almost every area of life today. Although this dependency is beneficial, it has opened a whole new world of possibilities for criminals to exploit. This has been seen in areas where criminals are able to use existing digital systems to share information and to reinforce their hacking techniques for nefarious purposes. As a result, major potential security risks, such as malicious insiders, data loss or leakage and policy violations, have now invaded our digital world with worrying trends of digital and cyber-crimes. This, therefore, has made computer-based information a primary source of digital evidence in many legal matters and digital investigations. The understanding of the different types of information generated by computer systems is thus an important aspect of any digital forensic investigation process. For this reason, this paper reviews existing digital forensic research literature and highlights the different types of digital evidence that can potentially be admissible in our courts of law today. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. The taxonomy classifies a large number of Digital Forensic Evidence (DFE) types into a few well-defined and easily understood categories which can be useful, for example, in the future development of digital forensic tools. In addition, the taxonomy can also be helpful to practitioners, for example, in classifying the different types of DFE that can be admissible in courts. The main contribution of this research is, therefore, to propose a taxonomy for DFE that can assist digital forensic analysts and forensic practitioners to understand the different types of evidence with ease and their applicability in different legal matters.
    Strathmore University; Institute of Electrical and Electronics Engineers (IEEE)

    Quantifying the need for supervised machine learning in conducting live forensic analysis of emergent configurations (ECO) in IoT environments

    © 2020 The Author(s). Machine learning has been shown to be a promising approach to mining larger datasets, such as those that comprise data from a broad range of Internet of Things devices, across complex environment(s) to solve different problems. This paper surveys existing literature on the potential of using supervised classical machine learning techniques, such as K-Nearest Neighbour, Support Vector Machines, Naive Bayes and Random Forest algorithms, in performing live digital forensics for different IoT configurations. There are also a number of challenges associated with the use of machine learning techniques, as discussed in this paper.

    Extended-Chacha20 Stream Cipher With Enhanced Quarter Round Function

    Chacha20 is a widely used stream cipher known for using permutation functions to enhance resistance against cryptanalysis. Although the existing literature highlights its strengths, it is worth further exploring its potential susceptibility to differential attacks. This paper proposes an Extended Chacha20 (EChacha20) stream cipher, which offers a slight improvement over Chacha20. It incorporates enhanced Quarter Round Functions (QR-Fs) with 32-bit input words and Add, Rotate, and XOR (ARX) operations on the 16, 12, 8, 7, 4 and 2 constants. Using these improved QR-Fs, we expect EChacha20 to be more secure and effective against attacks than Chacha20. The threat model leveraged in this paper considers attacker assumptions based on the Bellare-Rogaway Model (B-RM) and the Chosen Plaintext Attack (CPA) to assess the potential security weaknesses. Then, the study analyzes the EChacha20 cipher using the NIST Statistical Test Suite (NSTS) and demonstrates its effectiveness against differential cryptanalysis. A differential attack addresses this challenge, where the study comprehensively analyses the differences between original and flipped bits. The NSTS has been used to statistically analyze the outcome for uniformity and to evaluate the randomness of the generated sequences, considering 1000 tests based on a range of [{0,1}]. Uniformity is evaluated based on the p-values against a battery of passing sequences, and 100% is achieved from the Runs and Serial (2): Test 1 tests, respectively. The performance evaluation metrics leveraged include encryption speed, decryption speed and memory usage. Based on the tests conducted, it has been observed that with the increased QR-F, EChacha20 maintains a good balance in speed, although slightly slower than Chacha20, and also has slightly higher memory usage compared to Chacha20. Despite that, a comparative study has been conducted against state-of-the-art studies, and the outcome has been reported to show the significance of the current study. Ultimately, the outcome indicates that the EChacha20 cipher has improved QR-F and security properties compared to Chacha20 and may provide a more robust encryption solution for various applications. © 2023 The Authors.