Process Model of Digital Forensics Readiness Scheme (DFRS) as a Recommendation of Digital Evidence Preservation

Transcription

1 2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic Process Model of Digital Forensics Readiness Scheme (DFRS) as a Recommendation of Digital Evidence Preservation Ahmad Luthfi Pusat Studi Forensika Digital Jurusan Teknik Informatika Universitas Islam Indonesia Yogyakarta, Indonesia ahmad.luthfi@uii.ac.id Yudi Prayudi Pusat Studi Forensika Digital Jurusan Teknik Informatika Universitas Islam Indonesia Yogyakarta, Indonesia prayudi@uii.ac.id Abstract For an organization, the guarantee of the integrity of business processes in the event of an incident, which may cause paralysis of information technology infrastructure, including resources in it is a strategic necessity. Though considered difficult, at least for the organization's management are able to minimize the impact of the incident on their business processes. One of the vital assets that will be the impact of an incident is the loss or damage to the digital evidence. This study was motivated by the importance of a process model that is concise and effective in the domain of Digital Forensics Readiness (DFR), considering that several sources have published earlier DFR models that broadly has the similar four entities, namely people, process, policy, and technology. This paper produces a model of a process called Digital Forensics Readiness Schema (DFRS), which is the result of the normalization of the process model published by Caroline Crime Report by incorporating some key elements of the 10 stages to 5 stages, without reducing the quality and capability of the existing business processes. Keywords- Digital Forensics Readiness, Schema, Key Element I. INTRODUCTION There is no doubt that almost all organizations or institutions currently rely heavily on information technology in running the business. Various strategies and aproaches have been done in an effort to minimize and reduce the risk resulting from the technology itself. Meanwhile, in terms of business that if there is an event that causes paralysis of business processes both natural and human causes, it would be very difficult to perform the recovery process of the business structure. Consequently, strategies scheme such as incident response, awareness workshops / training, until the disaster recovery or business continuity planning has become a critical component of the organizational structure. Besides the issue of recovery, an unwanted incident may also lead to other problems such as insurance claims, legal issues as well as regulatory issues. In the course of the recovery and investigation, the claim might arise for employees, third parties or even organization, for instance, with regard to what caused the incident. Could it be due to sabotage, negligence, malicious intent, or even fraud? Digital evidence becomes very important when these issues appear in an organization that uses information technology infrastructure, even in conditions of minimal use though. Digital evidence is vital that the most valuable asset in an organization or institution. Learn from the experience of two giant technology companies, namely Samsung and Apple, in which the central issue raised is about the patent infringement in At that time, Samsung declared legally and intentionally by the judge because removing evidence that communication because this company has a policy to eliminate the mail system within a period of two weeks [1]. The phenomenon of the loss of digital evidence and the failure of the preservation systems on an organization or a company is a good example of why digital forensics should have careful planning and well perform before the incident occurred and the post-incident itself. Before the incident of the security issues in information technology come about, the majority of organizations should have prepared some good things in business continuity and incident response plans to address problems that may arise after the incident. Nevertheless, in a business context, the main purpose of the organization is to minimize the impact of incidents on business processes. Therefore, in terms of preservation and management of digital evidence, forensic investigators and organizational interests often contradictory. To challenge such a conflict, an organization must be able to prepare a plan on how to effectively address both interests, the business continuity and success of digital forensics investigations. Digital Forensics Readiness (DFR) is illustrated as a pre-incident plan in the life cycle of Digital Forensic Investigation (Figure 1) associated with the digital evidence of identification, preservation, storage, analysis and minimizing the cost of the forensic investigation. In other words, the digital forensics readiness aims to manage digital evidence in a manner to provide a forensic investigation in a timely and cost-effective. Figure 1. Digital Forensic Investigation Lifecycle /15 $ IEEE DOI /CyberSec

2 The business needs to collect and use digital evidence has been recognized in a number of recent papers. One important element of the set is about the company's policy to increase the activity of the computer and network forensics. Yasinsac and Manzano [2] had proposed six policy categories to facilitate the process of Digital Forensics Investigation (DFI). These six categories are: Figure 2. Categories of Policies to Facilitate DFI Categories are designed in Figure 2 is intended to help companies or organizations prevent computer crime and position themselves to respond to a successful attack by increasing their ability to do the DFI. On the other hand, Carrier and Spafford [3] found a model investigation is a process that prioritizes the investigation itself. In addition, the use phase of readiness to ensure that the operations and infrastructure that is used to fully support the investigation. Furthermore, the concept of readiness forensic according to Tan [4] had two big goals, among others: (1) maximize the ability of the environment to gather digital evidence that is credible, which means that any digital evidence the findings during the process of investigation must be reliable and certainly intact until the stage the trial, (2) minimize the cost of forensics during incident response, the point is that although the process of investigation can not be predicted when the time duration of a resolved completely, but nevertheless should be able to estimate the costs to be incurred in the process circuit. In this paper, proposed a process model Digital Forensics Readiness Scheme (DFRS) as a guide digital preservation of evidence. In some of the literature that has produced a model of the process in order DFR, is in principle a uniform terminology least on three entities, namely people, procedures or policies, and technologies. Unfortunately, of discussion papers that have not been touched in depth other aspects are also considered important that the full scheme of the DFR itself. The biggest contribution of this paper is to produce a new scheme DFR process which is the result of normalization of a DFR existing models with the merger of the few points of procedure and create a new terminology that is more concise but extensively. This study is also expected to be used as a reference for organizations, institutions, and companies in order to prepare resources for Digital Forensics Readiness. II. DIGITAL FORENSICS TERMINOLOGY A. Digital Forensics Domain Digital Forensics is one of the domains of science is still evolving and continues to be an important topic in the field of computer security. This discipline is considered to have unique characteristics because of involvement with other disciplines such as knowledge of the law field so that the analysis of digital evidence legally acceptable judicially [5], due to the nature of digital evidence is very volatile and can easily be lost or distorted. Thus, there is a need to preserve and handle digital evidence in a way that will ensure the absence of such action deviating destroy digital evidence. On the other hand, digital forensics science can also be used to recover lost files and for internal administration such as monitoring or abuse investigation. In short, science Digital Forensics can be used to track and investigate what may have happened or cause an incident, to retrieve lost data, and to gather evidence to be used by an organization to persons or organizations maintain. An organization is able to conduct digital investigations itself where the evidence does not have to come to the trial stage, such as for monitoring the performance of employees in order to know where that is considered acceptable. Such cases do not necessarily require the handling of legally acceptable evidence (chain of custody), but there is a possibility that the investigation could open cases that have the attributes that are interconnected requiring legal action suppose sabotage or fraud. In such cases, the evidence presented in court should be collected and documented in order to be legally acceptable. Digital forensics can also be used for investigations and audits can be very useful when investigating fraud. Auditors is qualified to use forensic tools and techniques to monitor and review compliance with organizational policies and regulatory requirements. As an illustration, digital forensics can help locate and track down unauthorized Internet access by employees, gaps and vulnerabilities in the network and malware incidents like attacks and intrusions can be analyzed to determine how the breach occurred to prevent future attacks. In the context of digital forensics, a business process model provides an overview linkage or relationalship between entities who conduct the activity and how it relates also to a single entity in each stage. Additionally, the model DFI process can also have the function and position of every actor and object. Differences in business models will have an impact on the overall differences in the handling of digital forensics activities, including the handling of digital evidence and even the chain of custody. Regrettably, until now there has been no comprehensive study concerning the issue of business models in the digital forensics as well as how the actual implementation among digital forensics practitioners. A business process model ever produced in a study conducted by Prayudi, Luthfi, et.al [6] where the digital business model through the chain of custody can be used as an initial step to build process models Digital Forensics Readiness (DFR). In this study, the issue of chain of custody would be one of the sub-terminology in the proposed process model, considering the importance of this prototype on a whole series of digital forensika investigation

3 B. Digital Forensics Readiness In a guide published by the Communications Electronics Security Group (CESG) number 18 stated that the Digital Forensics Readiness is "The achievement of an Appropriate level of capability by an organization in order for it to be Able to collect, preserve, protect and analyze digital evidence so that this evidence can be Effectively used in any legal matters, in disciplinary matters, in an employment tribunal or court of law [7] ". While Rowlingson [8] defines the DFR to maximize its potential in an effort to use digital evidence and minimize the costs of the investigation. On a long drive business processes of an organization or company, will typically produce and left many records (logs) of digital evidence. The data and the records could be an important piece of evidence in the case of an unwanted incident. Some digital evidence is stored and maintained as part of the disaster recovery and business continuity processes and document-retention policies. For example, it can be in the form of a backup file. Monitoring records, such as CCTV footage is also part of the digital evidence. There are still other digital evidence that may not be taken seriously, and it may be required only in the case of incidents, which may not be available. Such evidence may take the form of casual communication such as , social networking, and activities performed on workstations and devices [9]. This is certainly not easy to predict when digital evidence may be necessary. Into the bargain, the use of digital evidence is quite possible for internal purposes, legal or regulatory requirements, or other external reasons. Digital Forensic Readiness to help organizations streamline their activities so that the retrieval of digital evidence becomes easier by reducing complexity. That is, the digital evidence properly recorded and stored even before the incident occurred [8], without interruption of operations. The following figure is a list of scenarios where digital evidence will be necessary. The volatile characteristic of digital evidence requires that this process be treated with caution in order to maintain the chain of custody aspect. Forensic readiness plan aims to ensure that in the case of digital evidence is required, it will be available and in an acceptable form. The consequences of this condition is the need of staff training and have appropriate policies in place to ensure compliance with established policies and procedures that have been established. In addition, forensic readiness planning can also serve to complement the plans of other organizations in a process of investigation, including disaster recovery, business continuity and document-retention policies. Disaster recovery and business continuity conventional process usually concentrate on the low-frequency or highimpact events; however forensic readiness plan may also include event-high or low frequencies as a result. Forensic preparedness planning is part of the risk management approach to quality information. Risk areas have been identified and assessed, and measures must be taken to avoid and minimize the impact of such risks. Organizations with better risk assessment and information security framework will find it easier to adopt the forensic readiness. Therefore, according to Rowlingson [8] forensic readiness plan should have the following objectives: Collecting evidence accepted by law without disrupting ongoing business processes Gathering evidence of crimes targeting potential and disputes that could have a negative impact on an organization Allows investigation to proceed at a cost comparable to the incidence Minimize interruptions in operation by the investigation Ensure that the impact of positive evidence on the outcome of any legal action III. DIGITAL FORENSICS READINESS CONCEPTUAL MODEL In some papers that discuss specifically about Digital Forensics Readiness (DFR), has been split 4 the reference entities in the conceptual development of this study, namely: People, Process, Policy, and Technology [10]. The explanation of the four categories can be illustrated in Figure 4 as follows: Figure 3. The Digital Forensic Scenario Figure 4. Digital Forensic Conceptual Model In order to understand in all four categories, can be seen in the explanation following table: TABLE I. 4 ENTITIES IN DIGITAL FORENSICS READINESS No Categories Justification 1 People In this category, basically have to consider two things, namely Computer Incident

4 Response Team (CIRT), and Security Awareness. Implementation of this is in the form of activities such as recruitment of experienced members of CIRT, segregation of duties and security training and computer security awareness campaigns. Build capacity to safely collect legally acceptable evidence is a key component of DFR [8]. The aim is to ensure that all human resources of an organization can contribute to the prevention and detection of security incidents [11]. The research shows that building a response team should involve many departments of different organizations such as the legal and public relations [12]. 2 Process Process categories related to activities that ensure the integrity of the evidence. Two major events in the category is the Incident Response Plan (IRP), and Investigation Methodology. In this includes ensuring that the operational documents such as plans incident response and forensic methodology are in place [13]. This condition is quite crucial because it provides organizations with implementation guidance to meet the requirements set by the regulatory framework and policies of the organization. 3 Policy This classification intends to note that the company's policy can improve computer and network forensics. Additionally, the policies to facilitate digital forensic investigations. The current categories are designed to help companies prevent computer crime and position themselves to respond to a successful attack by increasing their ability to conduct investigations. Digital forensics policy can add some information security policy, show that the interdependence of the policy will be. Thus, this policy should not be developed in silos, but should inform each other [14]. While policies are important, they alone will not guarantee a forensic readiness entire organization. Technology is the primary enabler, making sure that people have the tools to implement proactive and reactive as guided by policies and processes can be defined. 4 Technology Under normal conditions, an organization needs to ensure that the appropriate technology is used not only to enable business operations, but also to prevent and detect computer incidents. To provide more clarity on the role of technology or forensic readiness system, such as what is presented by [4] that presents the idea of forensic readiness system as one part of the overall corporate forensic readiness. It is important for organizations to know their sources of potential evidence and to determine what happens when data is evidence of potential [15]. Meanwhile, if viewed from the perspective of law enforcement agencies, forensic process starts when a crime was committed or when the crime was discovered and reported. The concept of readiness forensics, once delivered by Hoolachan and Glisson [16], which states that organizations can precede the occurrence of crimes by preparing the environment in front and in doing this, the organization will benefit not only in cases where the prosecution to be a problem, but also in limiting the risk of their own business. Figure 5. Digital Forensic Conceptual Model In Figure 5, illustrated a concept model has 3 main attributes, namely: Policies and Procedures, that is the process of responding to incident response and handling security-related incidents involving information and communication technology infrastructure and data involved in it. Incident response is traditionally not reactive in nature, but also focusing mainly on technical issues [17]. Incident Management, there are two important things that must be done before the investigator perform recovery of digital evidence, namely: first, make sure the system log can record all activity in as much detail as possible. Secondly, that there should be arrangements for increasing the appropriate response. The benefits derived from this step is what could be called the initial reaction 'quick and dirty' for specific cases, and provide follow-up if that previously failed to achieve the objectives [18]. Response Team, in principle, the communication between the team members, internal departments and external networks is essential to create an environment sense to effectively combat and deal with the incident response. Incident response team organization may require outside assistance, taking into account the cost aspect is very important in dealing with an incident [19]. IV. DIGITAL FORENISCS READINESS IMPLEMENTATION A. DFR Key Activities A forensic readiness plan intended to prepare an organization for the event that can not be predicted. In

5 preparation, an organization should review and analyze the technical security controls, policies, procedures and expertise. This can be done by a skilled forensic investigator, who can recommend the right change and the actions that can be taken to correct what is in place and ensure readiness stats forensics well [20]. Figure 6. Key Activities in Implementing a Forensic Readiness In a description released by Calorina Crime Report [21], there are 10 steps in terms of preparing for the digital forensics investigation process, as follows: 1. Define the Business Scenarios, which helps to streamline where and how to concentrate the collection of evidence storage. 2. Identify Potential Sources Evidence, which identify the sources of digital evidence is a priority and has the potential to unlock value or confidential solve a case. 3. Determine Evidence Collection, which ensures the type or classification of digital evidence that will be accumulated. 4. Establish Capacity for Secure Evidence of building capacity to collect evidence safely and forensically sound collection. 5. Proper Chain of Custody, which sets policy for the proper chain of custody of digital evidence. 6. Ensure Monitoring Target Detection, ensuring target detection monitoring and prevention of major incidents. 7. Specify the circumtances, which details the circumstances in which the point of escalation digital full official investigation should be initiated. 8. Educate and Train Staff, namely to increase the capacity and capability of staff in incident response and awareness to ensure that they understand their role in the process of digital evidence and the importance and sensitivity of it. 9. Evidence-based Document Cases, which is documented evidence-based case, describing the incident and its impact on the next activity. 10. Ensure Legal Review, namely ensuring legal review in order to facilitate appropriate action in response to the incident. B. DFR Normalization Key activities of DFR in Figure 6, it can be seen that there are 10 steps in the process of investigation when analyzed in terms of time and energy will require no small cost. Inspite of these measures are assumed to have strong dependencies, but the impact of the length of time, resources, and costs must also be considered in view of an investigator also has a high workload. On the basis of this condition, this paper proposes that the process of normalization activities with the aim of the stages of the process becomes more compact by not reducing the quality of existing business processes. In the field of databases, normalization is "a process in the which the data attributes within a model data are organized to increase of the cohesion of entity types. In other words, the goal of a data normalization is to reduce and even Eliminate redundancy of data "[22]. Therefore, in this study would have normalized by making a new classification of 10 key previous activity, then enter each key into a new classification in accordance with the role and description of these elements. Figure 7. Key Activities Forensic Readiness Normalization C. DFR Schema Based on the results of normalization in Figure 6, it can be made a new scheme that can be used to implement the DFR to an organization or institution who need guidance in order to preserve digital evidence. The illustration DFRS proposed are as follows: Figure 8. Key Activities Digital Forensic Readiness Schema (DFRS)

6 With the results of normalization in the previous stages, based on Figure 8, the current key activities DFRS now has five stages, namely business process, evidence collection, chain of custody, legal aspect, and staff capability. Normalization is done by combining one or several stages which have a dual role (redundancy) on the previous stages (10 stages) as shown in Figure 7. In this DFRS process model, there is a one-stage process that does not have multiple and overlapping processes over stage other, namely on the key Chain of Custody. Due to this element is one of the 'life' is important in the process of digital forensics investigation, then the key can stand alone. V. SUMMARY This paper discussed how the stages on Digital Forensics Readiness (DFR) within the framework of the preservation of digital evidence. Normalization of the results conducted on 10 components of DFR, upon consideration of redundancy description of the process and minimize the duration and cost of the investigation, it has proposed a new scheme called Digital Forensics Readiness Schema (DFRS). In principle, DFRS have to accommodate the interests and the need to conduct an investigation in order readiness digital forensika process. In the future, further research of this paper is to perform testing of process models DFRS to ascertain whether the normalization of the key components of DFR avoid mistakes or reduce the capabilities of the role of each of the existing elements. REFERENCES [1] Mouhtaropoulos A., C. Li, and M. Grobler, Digital Forensic Readiness : Are We There Yet?, vol. 9, no. 3, pp , [2] Yasinsac A., and Y. Manzano, Policies to Enhance Computer and Network Forensics, Proc IEEE, pp. 5 6, [3] Carrier B., and E. Spafford, Getting physical with the digital investigation process, Int. J. Digit. Evid., vol. 2, no. 2, pp. 1 20, [4] Tan J., Forensic readiness, [5] Sule D., Digital Forensics 101: Case Study Using FTK Imager, eforensics Magazine, [6] Prayudi. Y, Luthfi, A., & Pratama AR., Pendekatan Model Ontologi Untuk Merepresentasikan Body of Knowledge Digital Chain of Custody, Cybermatika ITB, vol. 2(2), pp , [7] C.E.S. Group, Digital Continuity to Support Forensic Readiness [8] Rowlingson R., International Journal of Digital Evidence Winter 2004, Volume 2, Issue 3 Decoy Systems : A New Player in Network Security and Computer Incident Response International Journal of Digital Evidence, vol. 2, no. 3, pp. 1 9, [9] Sommer P., Digital Evidence, Digital Investigations and E- dislosure: A Guide to Forensic Readiness for Organizations, Security Advisers and Lawyers, 3rd Edition, Inf. Assur. Advis. Counc. [10] Pooe and L. Labuschagne, A conceptual model for digital forensic readiness, Secur. South Africa (ISSA), [11] Von Solms, C. Louwrens, C. Reekie, A control framework for digital forensics., IFIP Adv. Inf. Commun. Technol., pp , [12] Garcia C., Proactive and reactive forensics., [13] M. G. Jaatun, E. Albrechtsen, M. B. Line, I. A. Tøndel, and O. H. Longva, A framework for incident response management in the petroleum industry, Int. J. Crit. Infrastruct. Prot., vol. 2, no. 1 2, pp , [14] Grobler, C. P. Louwrens, and S. H. Von Solms, A framework to guide the implementation of proactive digital forensics in organizations, in ARES th International Conference on Availability, Reliability, and Security, 2010, pp [15] Yusoff, R. Ismail, and Z. Hassan, Common Phases of Computer Forensics Investigation Models, International Journal of Computer Science and Information Technology, vol. 3, no. 3. pp , [16] Hoolachan, Organizational handling of digital evidence, in Proceedings of the Conference on Digital Forensics, Security and Law., 2010, pp [17] Shinder, Understanding cybercrime prevention., Scene Cybercrime, 2nd ed, pp , [18] David J., Incident response., Netw. Secur., pp , [19] Lamis T., A forensic approach to incident response, in nformation Security Curriculum Development Conference, 2010, pp [20] Evan W., Forensic Readiness Assessment, [21] C. C. Report, Forensic Readiness Checklist, [22] Kent W., A Simple Guide to Five Normal Forms in Relational Database Theory, Commun. ACM, vol. 26, pp ,