IJCNS  Vol.2 No.9 , December 2009
Forensic Investigation in Communication Networks Using Incomplete Digital Evidences
Abstract: Security incidents targeting information systems have become more complex and sophisticated, and intruders may evade responsibility because the evidence needed to convict them is lacking. In this paper, we develop a system for Digital Forensics in Networking, called DigForNet, which supports the analysis of security incidents and explains the steps taken by the attackers. DigForNet combines the knowledge of the intrusion response team with formal tools to identify the attack scenarios that have occurred and to show how the system behaves at every step of a scenario. The construction of attack scenarios is automated, and the concept of hypotheses is introduced within DigForNet to compensate for missing data related to evidence or investigator knowledge. DigForNet supports the investigation of attack scenarios that incorporate anti-investigation attacks. To exemplify the proposal, a case study is presented.
Cite this paper: S. REKHIS, J. KRICHENE and N. BOUDRIGA, "Forensic Investigation in Communication Networks Using Incomplete Digital Evidences," International Journal of Communications, Network and System Sciences, Vol. 2 No. 9, 2009, pp. 857-873. doi: 10.4236/ijcns.2009.29100.
