Proactive and Reactive Cyber Forensics Investigation Process

proactive and Reactive Cyber Forensics Investigation ProcessPROACTIVE CYBER FORENSIC ANALYSISproactive And antiphonal cyber rhetoricals probe processes A musical arrangementatic Literature Review(SLR)A multi-component framework of cyber forensics probeAbstractdigital Forensics can be defined as the ensemble of methods, tools and techniques used to gather, preserve and analyze digital selective information originating from all type of digital media involved in an incident with the purpose of extracting valid demo for a court of law. In it investigations argon usually performed as a response to a digital crime and, as such, they are termed Reactive Digital Forensic (RDF). This involves identifying, preserving, collecting, analyzing, and generating the final report. Although RDF investigations are effective, they are faced with many challenges, particularly when dealing with anti-forensic incidents, volatile info and event reconstruction. To tackle these challenges, Proactive Digital Forensic (PDF) is required. By being proactive, DF is prepared for incidents. In fact, the PDF investigation has the ability to proactively collect data, preserve it, detect suspicious events, analyze narrate and report an incident as it occurs.Index TermsDigital forensics, Digital Proactive Forensics, Digital oxidizable forensics, Digital device storage, digital crime, Anti forensics, multi component frameworkIntroductionComputer crimes have increased tremendously and their degree of sophistication has also advanced, the unpredictability and dynamicity of the information that flows between devices require some proactive investigation. The reactive investigation is now becoming less practical since the increased sizes of the data that is being investigated and cardinal technology of the devices that change tremendously make the tools made for digital reactive forensics useless In order to investigate anti-forensic attacks and to advertise automation of the live investig ation, a proactive and reactive functional process has been proposed.. The phases of the proposed proactive and reactive digital forensics investigation process have been mapped to existing investigation processes. The proactive component in the proposed process has been compared to the active component in the multi- component framework. All phases in the proactive component of the new process are meant to be automated. To this end, a hypothesis for the proactive digital forensics is necessary to lay down a strong foundation for the implementation of a reliable proactive transcription.I. Anti-ForensicsThe term anti-forensics refers to methods that prevent forensic tools, investigations, and investigators from achieve- ing their goals. Two examples of anti-forensic methods are data overwriting and data hiding. From a digital investigation perspective, anti-forensics can do the followingPrevent indorse collection.Increase the investigation conviction. impart misleading evidence th at can jeopardize the whole investigation.Prevent detection of digital crime.To investigate crimes that rely on anti-forensic methods, more digital forensic investigation techniques and tools need to be developed, tested, and automated. Such techniques and tools are called proactive forensic processes. Proactive forensics has been suggested in. To date, however, the definition and the process of proactive forensics have not been explicated.II. Proactive digital forensicsProactive Digital Forensic Component has the ability to proactively collect data, preserve it, detect suspicious events, gather evidence, carry out the analysis and build a study against any questionable activities. In addition, an automated report is generated for later use in the reactive component. The evidence gathered in this component is the proactive evidence that relates to a specific event or incident as it occurs. As opposed to the reactive component, the collection phase in this component comes before sa ving since no incident has been identified yet. Phases under the proactive component are defined as followsProactive Collection automated live collection of predefined data in the order of volatility and priority, and related to a specific requirement of an organization or incident.Proactive Preservation automated preservation, via hashing, of the evidence and the proactively collected data related to the suspicious event.Proactive Event Detection detection of suspicious event via an intrusion detection body or a crime-prevention alert.Proactive abridgment automated live analysis of the evidence, which might use forensics techniques such as data mining and outlier detection to sup- port and construct the initial hypothesis of the incident. announce automated report generated from the proactive component analysis. This report is also important for the reactive component and can serve as the starting point of the reactive investigation.1III Reactive Digital ForensicsIt the tradition al or post-mortem approach of investigating a digital crime after an incident has occurred. This involves identifying, preserving, collecting, analyzing, and generating the final report. Two types of evidence are gathered under this componentActive Active evidence refers to collecting all live (dynamic) evidence that exists after an incident. An example of such evidence is processes running in memory.Reactive refers to collecting all the static evidence remaining, such as an image of a hard drive.Previous WorkProactive Vs Reactive Forensics Investigation frameworkComplexity of Digital Forensics investigationDigital attacks are so complex that it is hard to investigate them forensically. The elements involved in a digital crime are located in a large multidimensional blank shell and cannot be easily identified. With the increase of storage size and memory sizes, and the use of parallelism, virtualization and cloud, the parameters to take into account during an investigation can ev en become unmanageable.Five fundamental principlesThe five fundamental principles are stated below commandment 1 Consider the entire system. This includes the user space as well as the entire kernel space, file system, network stack, and early(a) related subsystems. regulation 2 Assumptions about expected failures, attacks, and attackers should not control what is logged. Trust no user and trust no policy, as we may not know what we urgency in advance.Principle 3 Consider the effects of events, not just the actions that caused them, and how those effects may be altered by context and environment.Principle 4 Context assists in interpreting and understanding the meaning of an event.Principle 5 Every action and every result must be processed and presented in a way that can be analyzed and understood by a human forensic analyst.These five are for reactive analysis , for proactive there must be some new principles. Soltan Abed Albari proposed the following two Principle 6 Preserve th e entire history of the system.Principle 7 Perform the analysis and report the results in real time.By preserving the entire history of the system, we can go back in time and reconstruct what has happened and come reliably all the necessary questions about an event or incident. The reconstructed timeline is undercoatd on the actual states of the system before and after the event or incident. In addition and due to the large amount of data, events and actions involved, performing a proactive analysis and reporting require real time techniques that use superior computing. The analysis phase should be automated and have the necessary intelligence to investigate the suspicious events in real time and across multiple platforms. work 1 Relation between action ,target events1In addition to the actions and events that the seven principles listed above emphasize, we introduce the notion of targets. A target is any resource or objective lens related to the system under investigation e.g ., a file, memory, register, etc. We will use an element of DF investigation to refer to a target, an action or an event. At a time t and as shown in convention 3.1, the system is in the process of executing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones.A model for Proactive digital forensicsThe model below has two major partsForward systemFeedback systemForward system is the one upon which investigation is performed. Both systems the forward and the feedback can be modelled as a tuple (T,E,A), where T is a tempered of targets, E is a mark off of events, and A is a set of possible actions each of which is viewed as a transfer function of targets and events. To clarify this, each target f T is associated with a set S(f) representing the possible states in which it can be. The Cartesian product of S(f) for all targets f defines the state space of the systems targets and we denote it by T . We do the same for eve ry event e but we consider S(e) to contain two and only two elements, namely (triggered event) and (not triggered event). The Cartesian product of all the systems events (S(e) for every event e) is denoted by E (status space). An action a is therefore a function from T E to T E, where represents the time dimension. The phylogenesis function is defined from (T E) A to T E by(t,(r,e),a) = a(t,r,e)3.At a time t , an event e is triggered if its status at time t is , and not triggered otherwise. The notation t e will be used to denote that the event e is triggered at time t Figure 2 proactive model1The forward system has three things that are linked. Target, event and actionA. TargetA target is any resource or object related to the system under investigation (e.g., a file, memory, register, etc.. We will use an element of DF investigation to refer to a target, an action or an event. At a time t system is in the process of executing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones. Therefore to describe the dynamics of the system at a single instant t, one needs to know at least the states of the targets, the events generated and the actions executed at t. For a full description of the dynamics, these elements of investigation need to be specified at every instant of time and the complete analysis of the dynamics of the system requires a large multidimensional space Equations B. Events and ActionsKeeping track of all events and targets is expensive. To reduce them, a few classifications using preorder and equivalence relations. To illustrate the idea behind these classifications, imagine a botnet writing into a file. This event will trigger other events including checking the permission on the file, updating the access time of the file, and writing the data to the actual disk. The idea behind our formalisation is to be able to know which events are important (maximal) and which ones ca n be ignored. The same thing holds for the targets .This will optimize the cost and time .Short conjecture on EventsLet e1 and e2 be two events in E. We defined the relation E on E as followse1 E e2 if and only if ( ) whenever the event e1 happens at a time t, the event e2 must also happen at a time t0 greater than or equal to t. Formally, this can be expressed as e1 E e2 (t t e1 t0 t t0 e2)Subsequent events are those which are less than e .Short theory on targetsLet be the mapping from T to E (Figure 3.10) that associates each target with its change of status event. The mapping and E induces a preorder relation T defined by T1 T T2 (T1) E (T2)Informally, this means that whenever target T1 changes at time t the target T2 must change at t0 t.Short Theory on ActionsThe set of actions A is extended to A using the following operatorsAn associative binary operator called sequential operator and denoted by . Given two actions a1 and a2, the action a1a2 is semantically eq to ca rrying out a1 and then a2 (the two transfer functions are in series). Note that A is a neutral element of A with respect to (i.e., aA = Aa = a for every action a).A commutative binary operator called parallel operator and denoted by . In this case a1a2 is kindred to carrying a1 and a2 simultaneously (the two transfer functions are in parallel). The action A is also a neutral element of A with respect to .A conditional operator defined as follows. Given two conditions ci and ce in C, and an action a, the operator ciace represents the action of iteratively carrying out a only when ci is true and stopping when ce is false. Thatis denoted by a ce. Note that if both are true, then ci a ce is a.Zone Base compartmentalisation of Investigation SpaceTo address the limitation of the classification described previously and address the undesirability issue , classify the event and target state into a set of priority zones. These zones can be represented with different colors green, yellow, a nd red starting from a lower priority to a higher one. When important events/targets with high-priority levels are triggered, a more thorough analysis is expected. Moreover, the zones can be used as a quantifying matrix that provides numbers reecting the certainty level for the position of an incident. In our case, this number is an important piece of information in the final report.The high-priority events can involve one of the following IDS, Antivirus, Firewall off and changing the windows system32 folder. On the other hand, the high-priority targets are the system32 folder, registry, network trac and memory dump.Given that the number of targets and events are large, this classification is not enough, especially during the analysis phase. As such, we need to reduce the forensic space. Similar to the principal component analysis technique 59, we suggest restrict- ing the analysis to important targets and events based on a specific organization policy. This can be seen as projecti ng the full forensic space F onto a sub-space F0 in which the evidence is most probably located.Figure 3 Zone base classification 1ConclusionIn this paper we proposed a new approach to resolve cybercrime using Proactive forensics with focusing on the Investigation space for proactive investigation. This paper reviews literature on Proactive forensic approaches and their processes. It has a method for proactive investigation to be carried out significantly. In order to investigate anti-forensics methods and to promote automation of the live investigation, a proactive functional process has been proposed. The proposed process came as result of SLR of all the processes that exist in literature. The phases of the proposed proactive digital forensics investigation process have been mapped to existing investigation processes.For future work , the investigation space profiling is to be done on events and targets in the space.ReferencesProactive System for Digital Forensic Investigation, So ltan Abed Alharbi, 2014 University of VictoriaMapping Process of Digital Forensic Investigation FrameworkA new approach for resolving cybercrime in network forensics based on generic process model. Mohammad Rasmi1, Aman Jantan2, Hani Al-MimiY. Yorozu, M. Hirano, K. Oka, and Y. Tagawa,A System for the Proactive, Continuous, and Ecient Collection of Digital Forensic EvidenceTowards Proactive Computer-System ForensicsRequirements-Driven Adaptive Digital ForensicsMulti-Perspective Cybercrime Investigation Process ModelingA Forensic Traceability Index in Digital Forensic InvestigationNetwork/Cyber ForensicsSmartphone Forensics A Proactive Investigation intention for Evidence Acquisition