On digital forensic readiness for information privacy incidents

Reddy, Kamil

26 September 2012

The right to information privacy is considered a basic human right in countries that recognise the right to privacy. South Africa, and other countries that recognise this right, offer individuals legal protections for their information privacy. Individuals, organisations and even governments in these countries often have an obligation under such laws to protect information privacy. Large organisations, for example, multinational companies and government departments are of special concern when it comes to protecting information privacy as they often hold substantial amounts of information about many individuals. The protection of information privacy, therefore, has become ever more significant as technological advances enable information privacy to be breached with increasing ease. There is, however, little research on holistic approaches to protecting information privacy in large organisations. Holistic approaches take account of both technical and non-technical factors that affect information privacy. Nontechnical factors may include the management of information privacy protection measures and other factors such as manual business processes and organisational policies. Amongst the protections that can be used by large organisations to protect information privacy is the ability to investigate incidents involving information privacy. Since large organisations typically make extensive use of information technology to store or process information, such investigations are likely to involve digital forensics. Digital forensic investigations require a certain amount of preparedness or readiness for investigations to be executed in an optimal fashion. The available literature on digital forensics and digital forensic readiness (DFR), unfortunately, does not specifically deal with the protection of information privacy, which has requirements over and above typical digital forensic investigations that are more concerned with information security breaches. The aim of this thesis, therefore, is to address the lack of research into DFR with regard to information privacy incidents. It adopts a holistic approach to DFR since many of the necessary measures are non-technical. There is, thus, an increased focus on management as opposed to specific technical issues. In addressing the lack of research into information privacy-specific DFR, the thesis provides large organisations with knowledge to better conduct digital forensic investigations into information privacy incidents. Hence, it allows for increased information privacy protection in large organisations because investigations may reveal the causes of information privacy breaches. Such breaches may then be prevented in future. The ability to conduct effective investigations also has a deterrent effect that may dissuade attempts at breaching information privacy. This thesis addresses the lack of research into information privacy-specific DFR by presenting a framework that allows large organisations to develop a digital forensic readiness capability for information privacy incidents. The framework is an idealistic representation of measures that can be taken to develop such a capability. In reality, large organisations operate within cost constraints. We therefore also contribute by showing how a cost management methodology known as time-driven activity-based costing can be used to determine the cost of DFR measures. Organisations are then able to make cost versus risk decisions when deciding which measures in the framework they wish to implement. Lastly, we introduce the concept of a digital forensics management system. The management of DFR in a large organisation can be a difficult task prone to error as it involves coordinating resources across multiple departments and organisational functions. The concept of the digital forensics management system proposed here allows management to better manage DFR by providing a central system from which information is available and control is possible. We develop an architecture for such a system and validate the architecture through a proof-of-concept prototype. / Thesis (PhD)--University of Pretoria, 2012. / Computer Science / unrestricted

Information privacy

Information privacy management

Digital forensics

Digital forensic readiness

Digital forensic readiness management

Privacy

Time-driven activity-based costing

UCTD

A Chain of findings for digital investigations

De Souza, Pedro

January 2013

Digital Forensic investigations play a vital role in our technologically enhanced world, and it may incorporate a number of different types of evidence — ranging from digital to physical. During a Digital Forensics investigation an investigator may formulate a number of hypotheses, and in order to reason objectively about them, an investigator must take into account such evidence in its entirety, relying on multiple sources. When formulating such objective reasoning an investigator must take into account not only inculpatory evidence but also exculpatory evidence and evidence of tampering. In addition, the investigator must factor in the reliability of the evidence used, the potential for error (tool and human based) and they must factor in the certainty with which they can make various claims. By doing so and creating a detailed audit trail of all actions performed by the investigator they can be better prepared against challenges against their work when it is presented. An investigator must also take into account the dynamic aspects of an investigation, such as certain evidence no longer being admissible, and they must continuously factor these aspects into their reasoning, to ensure that their conclusions still hold. Investigations may draw over a large period of time, and should the relevant information not be captured in detail, it may be lost or forgotten, affecting the reliability of an investigator’s findings and affecting future investigators’ capability to build on and continue an investigator’s work. In this dissertation we investigate whether it is possible to provide a formalised means for capturing and encoding an investigator’s reasoning process, in a detailed and structured manner. By this we mean we would like to capture and encode an investigator’s hypotheses, their arguments, their conclusions and the certainty with which they can make such claims, as well as the various pieces of evidence (digital and physical) that they use as a foundation for their arguments. We also want to capture the steps an investigator took when formulating these arguments and the steps an investigator took in order to get evidence into its intended form. The capturing of such a detailed reasoning process helps to allow for a more thorough reconstruction of an investigator’s finding, further improving the reliability that can be placed in them. By encoding the investigator’s reasoning process, an investigator can more easily receive feedback on the impacts that the various dynamic aspects of an investigation have upon their reasoning. In order to achieve these goals, our dissertation presents a model, called the Chain of Findings, allowing investigators to formulate and capture their reasoning process throughout the investigation, using a combination of goal-driven and data-driven approaches. When formulating their reasoning, the model allows investigators to treat evidence, digital and physical, uniformly as building blocks for their arguments and capture detailed information of how and why they serve their role in an investigator’s reasoning process. In addition, the Chain of Findings offers a number of other uses and benefits including the training of investigators and Digital Forensic Readiness. / Dissertation (MSc)--University of Pretoria, 2013. / gm2014 / Computer Science / unrestricted

Digital Forensic Readiness

Digital Forensic investigations

Investigator

Chain of Findings

UCTD

Digital forensic readiness for IOT devices

Kruger, Jaco-Louis

January 2019

The Internet of Things (IoT) has evolved to be an important part of modern society. IoT devices can be found in several environments such as smart homes, transportation, the health sector, smart cities and even facilitates automation in organisations. The increasing dependence on IoT devices increases the possibility of security incidents in the physical or cyber environment. Traditional methods of digital forensic (DF) investigations are not always applicable to IoT devices due to their limited data processing resources. A possible solution for conducting forensic investigations on IoT devices is to utilise a proactive approach known as digital forensic readiness (DFR). This dissertation firstly aims to conduct a thorough review of the available literature in the current body of knowledge to identify a clear process that can be followed to implement DFR tailored for IoT devices. This dissertation then formulates requirements for DFR in IoT based on existing forensic techniques. The requirements for DFR in IoT give rise to the development of a model for DFR in IoT, which is then implemented in a prototype for IoT devices. The prototype is subsequently tested and evaluated on IoT devices that conduct proactive DFR in a simulation of a smart home system. Finally, the dissertation illustrates the feasibility of the DFR processes for IoT and serves as a basis for future research with regards to DFR in IoT. This dissertation will impact future research with regards to developing a standard for DFR in IoT. / Dissertation (MSc)--University of Pretoria, 2019. / Computer Science / MSc / Unrestricted

UCTD

Computer science

Digital forensic readiness

Internet of things (IoT)

Digital forensics

Proposing a maturity assessment model based on the digital forensic readiness commonalities framework

Claims, Ivan Prins

January 2013

Magister Commercii (Information Management) - MCom(IM) / The purpose of the study described in this thesis was to investigate the structure required to implement and manage digital forensic readiness within an enterprise. A comparative analysis of different digital forensic readiness frameworks was performed and, based on the findings of the analysis, the digital forensic readiness commonalities framework (DFRCF) was extended. The resultant structure was used to design a digital forensic readiness maturity assessment model (DFRMAM) that will enable organisations to assess their forensic readiness. In conclusion, both the extended DFRCF and the DFRMAM are shown to be validated by forensic practitioners, using semi-structured interviews. A qualitative research design and methodology was used to perform a comparative analysis of the various digital forensic readiness frameworks, to comprehend the underlying structures. All the participant responses were recorded and transcribed. Analysis of the findings resulting from the study showed that participants mostly agreed with the structure of the extended DFRCF; however, key changes were introduced to the extended DFRCF. The participants also validated the DFRMAM, and the majority of respondents opted for a checklist-type MAM. Digital forensic readiness is a very sensitive topic since organisations fear that their information might be made public and, as a result, increase their exposure to forensic incidents and reputational risk. Because of this, it was difficult to find participants who have a forensic footprint and are willing, able, and knowledgeable about digital forensic readiness. This study will contribute to the body of knowledge by presenting an original, validated DFRCF and DFRMAM. Practitioners and organisations now have access to non-proprietary DFRMAM.

Digital Forensic Readiness (DFR)

Maturity Assessment Model (DFRMAM)

Goals and Objectives of DFR

DFR Model

Design Principles

Digital forensic practitioners

Digital forensic readiness for wireless sensor network environments

Mouton, Francois

24 January 2012

The new and upcoming field of wireless sensor networking is unfortunately still lacking in terms of both digital forensics and security. All communications between different nodes (also known as motes) are sent out in a broadcast fashion. These broadcasts make it quite difficult to capture data packets forensically and, at the same time, retain their integrity and authenticity. The study presents several attacks that can be executed successfully on a wireless sensor network, after which the dissertation delves more deeply into the flooding attack as it is one of the most difficult attacks to address in wireless sensor networks. Furthermore, a set of factors is presented to take into account while attempting to achieve digital forensic readiness in wireless sensor networks. The set of factors is subsequently discussed critically and a model is proposed for implementing digital forensic readiness in a wireless sensor network. The proposed model is next transformed into a working prototype that is able to provide digital forensic readiness to a wireless sensor network. The main contribution of this research is the digital forensic readiness prototype that can be used to add a digital forensics layer to any existing wireless sensor network. The prototype ensures the integrity and authenticity of each of the data packets captured from the existing wireless sensor network by using the number of motes in the network that have seen a data packet to determine its integrity and authenticity in the network. The prototype also works on different types of wireless sensor networks that are in the frequency range of the network on which the prototype is implemented, and does not require any modifications to be made to the existing wireless sensor network. Flooding attacks pose a major problem in wireless sensor networks due to the broadcasting of communication between motes in wireless sensor networks. The prototype is able to address this problem by using a solution proposed in this dissertation to determine a sudden influx of data packets within a wireless sensor network. The prototype is able to detect flooding attacks while they are occurring and can therefore address the flooding attack immediately. Finally, this dissertation critically discusses the advantages of having such a digital forensic readiness system in place in a wireless sensor network environment. Copyright / Dissertation (MSc)--University of Pretoria, 2012. / Computer Science / unrestricted

Digital forensic readiness

Flooding detection

Flooding attacks

Communication

Digital forensics

Wireless sensor network (WSN)

Security

Sensor networks

Broadcasting

Wireless networks

UCTD

Identifying and analysing forensic artefacts of specific attacks on a Programmable Logic Controller / Identifiera och analysera kriminaltekniska artefakter för specifika attacker på en Programmerbar Logisk Styrenhet

Forsberg, Rebecka

January 2022

In Industrial Computer Systems, Programmable Logic Controllers (PLCs) are essential components since they control physical processes. Altering these could have enormous consequences as they can control processes in nuclear plants, gas pipelines and water supplies. Over the years, PLCs have become more and more connected since it facilitates their configuration and programming remotely. More connected does also means that they could be more vulnerable to attacks. Therefore, it would be desirable to be able to do a forensic investigation and interpret the artefacts if an incident happens, especially since PLCs control such vital functions. There exists little research about this area, but it does not discuss how to evaluate or interpret possible artefacts forensic investigation could reveal. This thesis aims to answer what artefacts are left in the system after two specific attacks. The result showed that some artefacts is left. One of the attacks does not leave so much specific artefacts that one could conclude how the attack happened, but for the other one, it was possible to conclude how they got remote access to the system. However, these artefacts were possible to cover up by deleting the IP address that was added in order to get remote access to the system. In other words, the only persistent artefacts left in the system after the attacks and cover-ups was metadata about created, modified, and removed files. Future work would be to expand and include more attacks to get a better overview of the overall forensic abilities of the PLC. / I industriella datorsystem är PLC (Programmable Logic Controllers) viktiga komponenter eftersom de styr fysiska processer. Att ändra dessa kan få enorma konsekvenser eftersom de kan styra processer i kärnkraftverk, gasledningar och vattenförsörjning. Under årens lopp har PLC:er blivit mer och mer uppkopplade eftersom det underlättar deras konfiguration och programmering på distans. Mer uppkopplade betyder också att de kan vara mer sårbara för attacker. Därför vore det önskvärt att kunna göra en kriminalteknisk undersökning och tolka bevisningen om en incident inträffar, särskilt eftersom PLC:er kontrollerar sådana vitala funktioner. Det finns lite forskning om detta område, men den diskuterar inte hur man ska utvärdera eller tolka eventuella bevis som den kriminalteknisk undersökningen kan avslöja. Denna avhandling syftar till att svara på vilka artefakter som finns kvar i systemet efter två specifika attacker. Resultatet visade att en del bevis finns kvar. En av attackerna lämnar inte så mycket specifika bevis att man kunde dra slutsatsen hur attacken gick till, men för den andra gick det att dra slutsatsen hur de fick fjärråtkomst till systemet. Dessa artefakter var dock möjliga att dölja genom att radera IP-adressen som lades till för att få fjärråtkomst till systemet. Med andra ord, det enda ihållande bevisningen som fanns kvar i systemet efter attackerna och mörkläggningarna var metadata om skapade, modifierade och borttagna filer. Framtida arbete skulle vara att expandera och inkludera fler attacker för att få en bättre överblick över PLC:s övergripande forensiska förmågor.

Industrial Cyber Security forensics

Programmable Logic Controller

Forensic analysis

Artefacts

Forensic readiness

Industriell cybersäkerhet forensik

Programmerbar logikkontroller

Forensik analys

Artefakter

Forensisk mogenhet

Computer Sciences

Datavetenskap (datalogi)

Developing a multidisciplinary digital forensic readiness model for evidentiary data handling

Pooe, El Antonio

05 1900

There is a growing global recognition as to the importance of outlawing malicious computer related acts in a timely manner, yet few organisations have the legal and technical resources necessary to address the complexities of adapting criminal statutes to cyberspace. Literature reviewed in this study suggests that a coordinated, public-private partnership to produce a model approach can help reduce potential dangers arising from the inadvertent creation of cybercrime havens. It is against this backdrop that the study seeks to develop a digital forensic readiness model (DFRM) using a coordinated, multidisciplinary approach, involving both the public and private sectors, thus enabling organisations to reduce potential dangers arising from the inadvertent destruction and negating of evidentiary data which, in turn, results in the non-prosecution of digital crimes. The thesis makes use of 10 hypotheses to address the five research objectives, which are aimed at investigating the problem statement. This study constitutes qualitative research and adopts the post-modernist approach. The study begins by investigating each of the 10 hypotheses, utilising a systematic literature review and interviews, followed by a triangulation of findings in order to identify and explore common themes and strengthen grounded theory results. The output from the latter process is used as a theoretical foundation towards the development of a DFRM model which is then validated and verified against actual case law. Findings show that a multidisciplinary approach to digital forensic readiness can aid in preserving the integrity of evidentiary data within an organisation. The study identifies three key domains and their critical components. The research then demonstrates how the interdependencies between the domains and their respective components can enable organisations to identify and manage vulnerabilities which may contribute to the inadvertent destruction and negating of evidentiary data. The Multidisciplinary Digital Forensic Readiness Model (M-DiFoRe) provides a proactive approach to creating and improving organizational digital forensic readiness. This study contributes to the greater body of knowledge in digital forensics in that it reduces complexities associated with achieving digital forensic readiness and streamlines the handling of digital evidence within an organisation. / Information Science / Ph.D. (Information Systems)

Digital forensics

Forensic readiness

Computer forensics

Planning

Investigation

Risk management

Evidence

Cybercrime

Multidisciplinary approach

Triangulation

Grounded theory

Systematic literature review

Qualitative research

005.87

Computer crimes

Digital Forensic Science

Computer security