44 research outputs found

    Leveraging Human Thinking Style for User Attribution in Digital Forensic Process

    User attribution, the process of identifying a human in a digital medium, is a research area that has received significant attention in information security research, with little research focus on digital forensics. This study explored the probability of the existence of a digital fingerprint based on human thinking style, which can be used to identify an online user. To achieve this, server-side web data of 43 respondents were collected for 10 months, together with a self-report thinking style measurement instrument. Cluster dichotomies from five thinking styles were extracted. Supervised machine-learning techniques were then applied to distinguish individuals on each dichotomy. The result showed that thinking styles of individuals on different dichotomies could be reliably distinguished on the Internet using a Meta classifier of Logistic model tree with bagging technique. The study further modeled how the observed signature can be adopted for a digital forensic process, using a high-level universal modeling language modeling process, specifically the behavioral state-model and use-case modeling process. In addition to the application of this result in the forensics process, this result finds relevance and application in human-centered graphical user interface design for recommender systems as well as in e-commerce services. It also finds application in online profiling processes, especially in e-learning systems.

    Ontology‐driven perspective of CFRaaS

    A Cloud Forensic Readiness as a Service (CFRaaS) model allows an environment to preemptively accumulate relevant potential digital evidence (PDE) which may be needed during a post‐event response process. The benefit of applying a CFRaaS model in a cloud environment is that it is designed to prevent the modification/tampering of the cloud architectures or the infrastructure during the reactive process, which could otherwise have far‐reaching implications. The authors of this article present the reactive process as a very costly exercise when the infrastructure must be reprogrammed every time the process is conducted. This may hamper successful investigation from the perspectives of forensic experts and law enforcement agencies. The CFRaaS model, in its current state, has not been presented in a way that can help to classify or visualize the different types of potential evidence in all the cloud deployable models, and this may limit the expectations of what or how the required PDE may be collected. To address this problem, the article presents the CFRaaS from a holistic ontology‐driven perspective, which allows forensic experts to apply the CFRaaS based on the simplicity of its concepts and the relationships or semantics between different forms of potential evidence, as well as how the security of a digital environment being investigated could be upheld. The CFRaaS in this context follows a fundamental ontology engineering approach that is based on the classical Resource Description Framework. The proposed ontology‐driven approach to CFRaaS is, therefore, a knowledge base that uses layer‐dependencies, which could be an essential toolkit for digital forensic examiners and other stakeholders in cloud security. The implementation of this approach could further provide a platform to develop other knowledge base components for cloud forensics and security.

    The role of nuclear technologies in the diagnosis and control of livestock diseases—a review


    A model for vulnerability forecasting.

    Internet and network security forms an interesting and topical, yet challenging and developing research domain. In this domain, a taxonomy of information security technologies is identified. This taxonomy is divided into two mainline entities, namely proactive and reactive information security technologies. This thesis is specifically concerned with proactive information security technologies, the focus being on a specific proactive information security technology – vulnerability scanning. Vulnerability scanning is implemented by vulnerability scanner (VS) products. VS products are used proactively to conduct vulnerability scans to identify vulnerabilities so that they can be rectified before they can be exploited by hackers. However, there are currently many problems with state-of-the-art VS products. For example, a vulnerability scan is time-consuming and a vast number of system resources are occupied, leading to the degradation of network and system performance. Furthermore, VS products lack the intelligence that is required to deal with new vulnerabilities that appear like clockwork. Current VS products also differ extensively in the way that they can detect vulnerabilities, as well as in the number of vulnerabilities that they can detect. These problems motivated the researcher to create a model for vulnerability forecasting (VF). The uniqueness of the VF model lies in its holistic approach to addressing these problems while maintaining its end goal – that of being able to do a vulnerability forecast of how vulnerabilities will occur in the near future. Such a vulnerability forecast would, therefore, enable an organisation to use it proactively as part of a risk management scheme. Furthermore, in order to demonstrate the feasibility of implementing the proposed model, a report on the development of a prototype for vulnerability forecasting is included. 
Rather than reinventing the wheel, the prototype incorporates the use of current state-of-the-art VS products in its VF process. This is advantageous in the sense that the prototype is independent of a specific VS product. It is because of the latter that a standardisation technique had to be used to refer to vulnerabilities in the same way since different VS products do not refer to and detect similar vulnerabilities in the same way. This standardisation technique introduced in this thesis is known as harmonising vulnerability categories. This thesis contributes to the understanding of vulnerability scanning techniques and how vulnerability scanning can be utilised more effectively by doing vulnerability forecasting. The thesis also paves the way for numerous potential future research projects in the domain of Internet and network security. Prof. J.H.P. Elof

    Real-time risk analysis : a modern perspective on network security with a prototype

    M.Sc. The present study was undertaken in a bid within the realm of the existing Internet working environment to meet the need for a more secure network-security process in terms of which possible risks to be incurred by Internet users could be identified and controlled by means of the appropriate countermeasures in real time. On launching the study, however, no such formal risk-analysis model had yet been developed specifically to effect risk analysis in real time. This, then, gave rise to the development of a prototype specifically aimed at the identification of risks that could pose a threat to Internet users' private data, the so-called "Real-time Risk Analysis" (RtRA) prototype. In so doing, the principal aim of the study, namely to implement the RtRA prototype, was realised. An overview of the research method employed to realise the objectives of the study follows. Firstly, background information on and the preamble to the issues and problems to be addressed were provided, as well as a well-founded motivation for the study. The latter included theoretical studies on current network security and Transmission Control Protocol/Internet Protocol (TCP/IP). Secondly, the study of existing TCP/IP packet-intercepting tools available on the Internet brought deeper insight into how TCP/IP packets are to be intercepted and handled. In the third instance, the most recent development in network security, firewalls, came under discussion. The latter technology represents a "super-developed" TCP/IP packet-intercepting tool that implements the best known security measures. In addition, the entire study was based on firewall technology and the model that was developed related directly to firewalls. Fourthly, a prototype, consisting of three main modules, was implemented in a bid to prove that RtRA is indeed tenable and practicable. 
In so doing, the second module of the prototype, namely the real-time risk-identification and countermeasure-execution module, was given special emphasis. The modus operandi of the said prototype was then illustrated by means of a case study undertaken in a simulated Internet working environment. The study culminated in a summation of the results of and the conclusions reached on the strength of the research. Further problem areas, which could become the focal points of future research projects, were also touched upon.

    Smart Digital Forensic Readiness Model for Shadow IoT Devices

    Internet of Things (IoT) is the network of physical objects for communication and data sharing. However, these devices can become shadow IoT devices when they connect to an existing network without the knowledge of the organization’s Information Technology team. More often than not, when shadow devices connect to a network, their inherent vulnerabilities are easily exploited by an adversary and all traces are removed after the attack or criminal activity. Hence, shadow connections pose a challenge for both security and forensic investigations. In this respect, a forensic readiness model for shadow device-inclusive networks is sorely needed for the purposes of forensic evidence gathering and preparedness, should a security or privacy breach occur. However, the hidden nature of shadow IoT devices does not facilitate the effective adoption of the most conventional digital and IoT forensic methods for capturing and preserving potential forensic evidence that might emanate from shadow devices in a network. Therefore, this paper aims to develop a conceptual model for smart digital forensic readiness of organizations with shadow IoT devices. This model will serve as a prototype for IoT device identification, IoT device monitoring, as well as digital potential evidence capturing and preservation for forensic readiness

    Using time-driven activity-based costing to manage digital forensic readiness in large organisations

    A digital forensic readiness (DFR) programme consists of a number of activities that should be chosen and managed with respect to cost constraints and risk. Traditional cost systems, however, cannot provide the cost of individual activities. This makes it difficult or impossible for organisations to consider cost when making decisions about specific activities. In this paper we show that the relatively new cost system, time-driven activity-based costing (TDABC), can be used to determine the cost of implementing and managing activities required for DFR. We show through analysis and simulation that the cost information from a TDABC model can be used for such decisions. We also discuss some of the factors that ought to be considered when implementing or managing the use of TDABC in a large organisation. http://link.springer.com/journal/10796mv201

    Scenario-Based Digital Forensic Investigation of Compromised MySQL Database

    Insider and outsider database threats have more often than not posed a greater challenge as far as integrity and investigation of databases are concerned. Database forensic investigation is a process through which scientifically proven methods can be used to create a hypothesis that can prove or disprove the occurrence of a potential security incident. This paper explores the techniques that can be used to conduct forensic investigations of a compromised MySQL database. The authors have simulated investigative scenarios that have aided in conducting forensic investigative processes, and the results are promising.

    Using e-coins to ensure fair sharing of donor funds amongst HIV healthcare facilities

    Donor funds are available for treatment of many diseases such as HIV. However, privacy constraints make it hard for donor organisations to verify that they have not sponsored the same patient twice --- or sponsored a patient whose treatment was also sponsored by another donor. This paper presents a protocol based on digital cash that enables donor organisations to obtain a proof (in the form of an e-coin) from healthcare providers for patients such a provider claims to have treated. These coins are distributed to patients at the beginning of a funding cycle. The major challenge is to issue a unique coin to a patient --- even if the coin is reissued. This is achieved without giving anyone access to a national database of identities; all databases contain effectively concealed information. Reissued coins will be identical to previous coins with a probability that can be decided beforehand