Thursday, April 4, 2019

Proactive and Reactive Cyber Forensics Investigation Process

Proactive and Reactive Cyber Forensics Investigation Process
Proactive Cyber Forensic Analysis
Proactive and Reactive Cyber Forensics Investigation Processes: A Systematic Literature Review (SLR)
A Multi-Component Framework of Cyber Forensics Investigation

Digital forensics can be defined as the ensemble of methods, tools and techniques used to collect, preserve and analyze digital data originating from any type of digital media involved in an incident, with the purpose of extracting valid evidence for a court of law. Investigations are usually performed as a response to a digital crime and, as such, they are termed Reactive Digital Forensics (RDF). This involves identifying, preserving, collecting, analyzing, and generating the final report. Although RDF investigations are effective, they face many challenges, especially when dealing with anti-forensic incidents, volatile data and event reconstruction. To tackle these challenges, Proactive Digital Forensics (PDF) is required. By being proactive, DF is prepared for incidents. In fact, a PDF investigation has the ability to proactively collect data, preserve it, detect suspicious events, analyze evidence and report an incident as it occurs.

Index Terms: Digital forensics, Digital Proactive Forensics, Digital Reactive Forensics, Digital device memory, digital crime, Anti-forensics, multi-component framework

Introduction
Computer crimes have increased tremendously and their degree of sophistication has also advanced; the volatility and dynamicity of the information that flows among devices require some form of proactive investigation.
The reactive investigation is becoming less practical: the increasing size of the data being examined, and the underlying technology of the devices, which changes tremendously, make the tools built for reactive digital forensics unreliable. In order to investigate anti-forensic attacks and to promote automation of the live investigation, a proactive and reactive functional process has been proposed. The phases of the proposed proactive and reactive digital forensics investigation process have been mapped to existing investigation processes. The proactive component in the proposed process has been compared to the active component in the multi-component framework. All phases in the proactive component of the new process are meant to be automated. To this end, a theory for proactive digital forensics is required to lay down a strong foundation for the implementation of a reliable proactive system.

I. Anti-Forensics
The term anti-forensics refers to methods that prevent forensic tools, investigations, and investigators from achieving their goals. Two examples of anti-forensic methods are data overwriting and data hiding. From a digital investigation perspective, anti-forensics can do the following:
- Prevent evidence collection.
- Increase the investigation time.
- Provide misleading evidence that can jeopardize the whole investigation.
- Prevent detection of digital crime.
To investigate crimes that rely on anti-forensic methods, more digital forensic investigation techniques and tools need to be developed, tested, and automated. Such techniques and tools are called proactive forensic processes. Proactive forensics has been suggested in the literature. To date, however, the definition and the process of proactive forensics have not been explicated.

II. Proactive Digital Forensics
The proactive digital forensic component has the ability to proactively collect data, preserve it, detect suspicious events, gather evidence, carry out the analysis and build a case against any suspicious activities. In addition, an automated report is generated for later use in the reactive component. The evidence gathered in this component is the proactive evidence that relates to a specific event or incident as it occurs. As opposed to the reactive component, the collection phase in this component comes before preservation, since no incident has been identified yet. The phases under the proactive component are defined as follows:
- Proactive Collection: automated live collection of predefined data, in order of volatility and priority, related to a specific requirement of an organization or incident.
- Proactive Preservation: automated preservation, via hashing, of the evidence and of the proactively collected data related to the suspicious event.
- Proactive Event Detection: detection of a suspicious event via an intrusion detection system or a crime-prevention alert.
- Proactive Analysis: automated live analysis of the evidence, which might use forensic techniques such as data mining and outlier detection to support and construct the initial hypothesis of the incident.
- Report: automated report generated from the proactive component's analysis. This report is also important for the reactive component and can serve as the starting point of the reactive investigation [1].

III. Reactive Digital Forensics
This is the traditional, or post-mortem, approach of investigating a digital crime after an incident has occurred. It involves identifying, preserving, collecting, analyzing, and generating the final report. Two types of evidence are gathered under this component:
- Active: active evidence refers to collecting all live (dynamic) evidence that exists after an incident.
An example of such evidence is the processes running in memory.
- Reactive: reactive evidence refers to collecting all the static evidence remaining, such as an image of a hard drive.

Previous Work
Proactive vs. Reactive Forensics Investigation Framework

Complexity of Digital Forensics Investigation
Digital attacks are so complex that it is hard to investigate them forensically. The elements involved in a digital crime are located in a large multidimensional space and cannot be easily identified. With the increase of storage and memory sizes, and the use of parallelism, virtualization and cloud, the parameters to take into account during an investigation can even become unmanageable.

Five Fundamental Principles
The five fundamental principles are listed below.
Principle 1: Consider the entire system. This includes the user space as well as the entire kernel space, file system, network stack, and other related subsystems.
Principle 2: Assumptions about expected failures, attacks, and attackers should not control what is logged. Trust no user and trust no policy, as we may not know what we want in advance.
Principle 3: Consider the effects of events, not just the actions that caused them, and how those effects may be altered by context and environment.
Principle 4: Context assists in interpreting and understanding the meaning of an event.
Principle 5: Every action and every result must be processed and presented in a way that can be analyzed and understood by a human forensic analyst.
These five principles were formulated for reactive analysis; for proactive analysis some new principles are needed. Alharbi [1] proposed the following two:
Principle 6: Preserve the entire history of the system.
Principle 7: Perform the analysis and report the results in real time.
By preserving the entire history of the system, we can go back in time, reconstruct what has happened and reliably answer all the necessary questions about an event or incident.
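The five proactive phases of Section II and principles 6 and 7 can be exercised end to end with the following Python. It is an added example for this post, not code from the page or from the prototype system described in [1]. It assumes constructed collector output in place of live collectors, an assumed watch-list rule in place of a real IDS alert, and a median-absolute-deviation outlier test for the analysis phase; the `History` class, the collector functions, the watch-lists and the threshold are all hypothetical.

```python
"""Added example for this post (not code from the page or from the thesis it
summarises): one cycle of the proactive component, plus principle 6.

Collectors run in order of volatility; every result is preserved by SHA-256
in an append-only hash chain (the entire history, replayable and tamper
evident); an assumed watch-list rule stands in for the IDS alert; a
median-absolute-deviation test stands in for the analysis phase; the
report is what the reactive component would start from. Sample data,
watch-lists and threshold are constructed for the example."""
import hashlib
import json
import statistics

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class History:
    """Append-only, hash-chained record: each entry commits to the previous
    entry's hash, so altering any entry later breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, t, phase, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"t": t, "phase": phase, "payload": payload, "prev": prev}
        self.entries.append(dict(body, hash=_digest(body)))
        return self.entries[-1]["hash"]

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed sample data standing in for live collectors, listed
# most-volatile first (process table, then sockets, then disk).
def collect_processes():
    return [{"pid": 412, "name": "sshd"}, {"pid": 913, "name": "svchost.exe"},
            {"pid": 1337, "name": "mimikatz.exe"}]


def collect_connections():
    return [{"pid": 412, "dst": "198.51.100.7:22", "bytes": 1200},
            {"pid": 913, "dst": "10.0.0.5:445", "bytes": 3400},
            {"pid": 913, "dst": "10.0.0.9:445", "bytes": 2900},
            {"pid": 412, "dst": "198.51.100.8:22", "bytes": 1800},
            {"pid": 1337, "dst": "203.0.113.9:4444", "bytes": 9800000}]


def collect_system32_hashes():
    return [{"path": "C:/Windows/System32/cmd.exe", "sha256": "1a2b" * 16}]


COLLECTORS = [("processes", collect_processes),
              ("connections", collect_connections),
              ("system32", collect_system32_hashes)]

SUSPICIOUS_NAMES = {"mimikatz.exe", "psexec.exe"}   # assumed watch-list
SUSPICIOUS_PORTS = {4444}                           # assumed watch-list


def detect_events(snapshot):
    """Proactive event detection: the crime-prevention alert, as a rule."""
    events = []
    for p in snapshot["processes"]:
        if p["name"].lower() in SUSPICIOUS_NAMES:
            events.append({"type": "suspicious_process", "pid": p["pid"], "name": p["name"]})
    for c in snapshot["connections"]:
        if int(c["dst"].rsplit(":", 1)[1]) in SUSPICIOUS_PORTS:
            events.append({"type": "suspicious_connection", "pid": c["pid"], "dst": c["dst"]})
    return events


def outlier_connections(connections, threshold=3.5):
    """Proactive analysis: flag connections whose byte count is far from the
    median, measured in median absolute deviations."""
    sizes = [c["bytes"] for c in connections]
    med = statistics.median(sizes)
    mad = statistics.median([abs(s - med) for s in sizes]) or 1
    return [c for c in connections if abs(c["bytes"] - med) / mad > threshold]


def run_proactive_cycle(history, t):
    """Collect -> preserve -> detect -> analyse -> report for one instant t."""
    snapshot = {}
    for name, collector in COLLECTORS:
        snapshot[name] = collector()                          # proactive collection
        history.append(t, "collect:" + name, snapshot[name])  # proactive preservation
    events = detect_events(snapshot)
    for ev in events:
        history.append(t, "event", ev)
    outliers = outlier_connections(snapshot["connections"])
    report = {"t": t, "events": events, "outliers": outliers,
              "history_head": history.entries[-1]["hash"],
              "history_intact": history.verify()}
    history.append(t, "report", report)      # the report is part of the history too
    return report


if __name__ == "__main__":
    h = History()
    print(json.dumps(run_proactive_cycle(h, 1700000000), indent=1))
```

Because collection precedes preservation here (no incident is known yet), the chain is what later lets the reactive investigator prove that the proactive record was not altered after the fact: re-running `verify()` over the exported entries recomputes every hash and fails on the first modified or reordered entry.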
The reconstructed timeline is based on the actual states of the system before and after the event or incident. In addition, and due to the large amount of data, events and actions involved, performing a proactive analysis and reporting requires real-time techniques that use high-performance computing. The analysis phase should be automated and have the necessary intelligence to investigate the suspicious events in real time and across multiple platforms.

Figure 1: Relation between actions, targets and events [1]

In addition to the actions and events that the seven principles listed above emphasize, we introduce the notion of targets. A target is any resource or object related to the system under investigation, e.g., a file, memory, a register, etc. We will use "element of DF investigation" to refer to a target, an action or an event. At a time t, and as shown in Figure 1, the system is in the process of executing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones.

A Model for Proactive Digital Forensics
The model below has two major parts:
- Forward system
- Feedback system
The forward system is the one upon which the investigation is performed. Both systems, the forward and the feedback, can be modelled as a tuple (T, E, A), where T is a set of targets, E is a set of events, and A is a set of possible actions, each of which is viewed as a transfer function of targets and events. To clarify this, each target $f \in T$ is associated with a set S(f) representing the possible states in which it can be. The Cartesian product of S(f) over all targets f defines the state space of the system's targets, and we denote it by $\mathbf{T}$. We do the same for every event e, but we take S(e) to contain two and only two elements, namely "triggered" and "not triggered". The Cartesian product of S(e) over all the system's events is denoted by $\mathbf{E}$ (the status space).
An action a is therefore a function $a : \text{time} \times \mathbf{T} \times \mathbf{E} \to \mathbf{T} \times \mathbf{E}$, where the first component represents the time dimension. The evolution function is defined from $(\text{time} \times \mathbf{T} \times \mathbf{E}) \times A$ to $\mathbf{T} \times \mathbf{E}$ by mapping $(t, (r, e), a)$ to $a(t, r, e)$. At a time t, an event e is triggered if its status at time t is "triggered", and not triggered otherwise; we say that e is triggered at time t.

Figure 2: The proactive model [1]

The forward system has three linked kinds of elements: targets, events and actions.

A. Targets
A target is any resource or object related to the system under investigation (e.g., a file, memory, a register, etc.). We use "element of DF investigation" to refer to a target, an action or an event. At a time t, the system is in the process of executing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones. Therefore, to describe the dynamics of the system at a single instant t, one needs to know at least the states of the targets, the events generated and the actions executed at t. For a full description of the dynamics, these elements of investigation need to be specified at every instant of time, and the complete analysis of the dynamics of the system requires a large multidimensional space.

B. Events and Actions
Keeping track of all events and targets is expensive. To reduce them, a few classifications use preorder and equivalence relations. To illustrate the idea behind these classifications, imagine a botnet writing into a file. This event will trigger other events, including checking the permissions on the file, updating the access time of the file, and writing the data to the actual disk. The idea behind our formalization is to be able to know which events are important (maximal) and which ones can be ignored. The same holds for the targets. This will optimize cost and time.

Short Theory on Events
Let $e_1$ and $e_2$ be two events in E.
We define the relation $\le_E$ on E as follows: $e_1 \le_E e_2$ if and only if, whenever the event $e_1$ happens at a time t, the event $e_2$ must also happen at a time $t'$ greater than or equal to t. Formally,
$$e_1 \le_E e_2 \iff \forall t\; \big(e_1 \text{ triggered at } t \;\Rightarrow\; \exists\, t' \ge t,\; e_2 \text{ triggered at } t'\big).$$
Under this relation, the events that must follow an event e are those that e is below, i.e., those greater than or equal to e.

Short Theory on Targets
Let the mapping from T to E (Figure 3.10) be the one that associates each target with its change-of-status event. This mapping and $\le_E$ induce a preorder relation $\le_T$ on targets, defined by $T_1 \le_T T_2$ if and only if the change-of-status event of $T_1$ is $\le_E$ the change-of-status event of $T_2$. Informally, this means that whenever target $T_1$ changes at time t, the target $T_2$ must change at some $t' \ge t$.

Short Theory on Actions
The set of actions A is extended using the following operators:
- An associative binary operator called the sequential operator. Given two actions $a_1$ and $a_2$, their sequential composition is semantically equivalent to carrying out $a_1$ and then $a_2$ (the two transfer functions are in series). The identity action is a neutral element of the extended set with respect to this operator: composing any action a with the identity, on either side, gives a.
- A commutative binary operator called the parallel operator. In this case the parallel composition of $a_1$ and $a_2$ is equivalent to carrying out $a_1$ and $a_2$ simultaneously (the two transfer functions are in parallel). The identity action is also a neutral element with respect to this operator.
- A conditional operator, defined as follows. Given two conditions $c_i$ and $c_e$ in C, and an action a, the expression $c_i\, a\, c_e$ represents the action of iteratively carrying out a only when $c_i$ is true, and stopping when $c_e$ is false. The abbreviated form is denoted by $a\, c_e$. Note that if both conditions are true, then $c_i\, a\, c_e$ is a.

Zone-Based Classification of the Investigation Space
To overcome the limitation of the classification described previously and to address the undesirability issue, we classify the event and target states into a set of priority zones. These zones can be represented with different colors, green, yellow and red, from the lowest priority to the highest.
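The event preorder, the induced target preorder, the reduction that drops forced consequences (the botnet file-write illustration above) and the zone scoring can be made concrete in a few dozen lines. The following Python is an added example for this post, not code from the page or from [1]; the event and target names, the forced-successor table, the zone table and the weights are all assumptions constructed for the example.

```python
"""Added example (not code from the page or the thesis it summarises): the
event preorder <=_E, the induced target preorder <=_T, reduction of a set of
observed events to those not forced by another observed event, and a
zone-based priority score after projection onto an organisation's policy.
All names, tables and weights are constructed for the example."""

# FORCES[e1] holds every e2 with e1 <=_E e2: whenever e1 is triggered at t,
# e2 must be triggered at some t' >= t. Constructed for the example.
FORCES = {
    "file_write": {"perm_check", "atime_update", "disk_write"},
    "disk_write": {"journal_commit"},
    "av_disabled": {"av_service_stopped"},
}

# Mapping from each target to its change-of-status event (constructed).
CHANGE_EVENT = {"system32": "file_write", "disk_block": "disk_write",
                "av_service": "av_service_stopped"}


def closure(forces):
    """Transitive closure of the forced-successor relation."""
    clos = {e: set(s) for e, s in forces.items()}
    changed = True
    while changed:
        changed = False
        for succ in clos.values():
            extra = set()
            for e2 in succ:
                extra |= clos.get(e2, set())
            if not extra <= succ:
                succ |= extra
                changed = True
    return clos


def leq_event(e1, e2, clos):
    """e1 <=_E e2 (reflexive)."""
    return e1 == e2 or e2 in clos.get(e1, set())


def leq_target(t1, t2, clos, change_event=CHANGE_EVENT):
    """T1 <=_T T2 iff the change event of T1 <=_E the change event of T2."""
    return leq_event(change_event[t1], change_event[t2], clos)


def reduce_events(observed, clos):
    """Drop every observed event that is a forced consequence of another
    observed event; of mutually forcing (equivalent) events keep one."""
    kept = set()
    for e in observed:
        below = [o for o in observed if o != e and leq_event(o, e, clos)]
        strictly_below = [o for o in below if not leq_event(e, o, clos)]
        equivalent = [o for o in below if leq_event(e, o, clos)]
        if strictly_below or (equivalent and min(equivalent) < e):
            continue
        kept.add(e)
    return kept


# Zone tables (constructed): red for the high-priority events and targets
# the page names, yellow for ordinary state changes, green otherwise.
ZONE_WEIGHT = {"green": 0, "yellow": 1, "red": 3}
EVENT_ZONE = {"ids_off": "red", "av_disabled": "red", "firewall_off": "red",
              "system32_change": "red", "file_write": "yellow", "user_login": "green"}
TARGET_ZONE = {"system32": "red", "registry": "red", "network_traffic": "red",
               "memory_dump": "red", "tmp_dir": "green"}


def zone_score(events, targets, policy=None):
    """Project onto the policy subspace F' (only listed elements count; all
    count when policy is None), then return the highest zone hit and the
    summed weight, the number that goes into the report."""
    if policy is not None:
        events = [e for e in events if e in policy]
        targets = [t for t in targets if t in policy]
    zones = ([EVENT_ZONE.get(e, "green") for e in events]
             + [TARGET_ZONE.get(t, "green") for t in targets])
    score = sum(ZONE_WEIGHT[z] for z in zones)
    top = max(zones, key=ZONE_WEIGHT.__getitem__, default="green")
    return top, score


if __name__ == "__main__":
    clos = closure(FORCES)
    observed = {"file_write", "perm_check", "atime_update", "disk_write",
                "journal_commit", "av_disabled", "av_service_stopped"}
    kept = reduce_events(observed, clos)
    print("kept:", sorted(kept))
    print("system32 <=_T disk_block:", leq_target("system32", "disk_block", clos))
    print("zone, score:", zone_score(kept, {"system32", "tmp_dir"}))
```

Of the seven observed events only `file_write` and `av_disabled` survive the reduction, which is exactly the saving the botnet example promises: the permission check, access-time update, disk write and journal commit are implied and need not be recorded separately. The projection argument of `zone_score` is what turns an organisation policy into the sub-space F' in which the evidence is expected to lie.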
When important events or targets with high priority levels are triggered, a more thorough analysis is expected. Moreover, the zones can be used as a quantifying matrix that yields numbers reflecting the level of evidence for the occurrence of an incident. In our case, this number is an important piece of information in the final report.
High-priority events include the following: the IDS, antivirus or firewall being turned off, and changes to the Windows System32 folder. The high-priority targets are the System32 folder, the registry, network traffic and the memory dump.
Given that the numbers of targets and events are large, this classification is not enough, especially during the analysis phase. As such, we need to reduce the forensic space. Similar to the principal component analysis technique, we suggest restricting the analysis to important targets and events based on a specific organization policy. This can be seen as projecting the full forensic space F onto a sub-space F' in which the evidence is most probably located.

Figure 3: Zone-based classification [1]

Conclusion
In this paper we proposed a new approach to resolving cybercrime using proactive forensics, focusing on the investigation space for proactive investigation. The paper reviews the literature on proactive forensic approaches and their processes, and describes a method by which a proactive investigation can be carried out. In order to investigate anti-forensic methods and to promote automation of the live investigation, a proactive functional process has been proposed. The proposed process came as a result of an SLR of all the processes that exist in the literature.
The phases of the proposed proactive digital forensics investigation process have been mapped to existing investigation processes. For future work, investigation-space profiling is to be done on the events and targets in the space.

References
[1] Soltan Abed Alharbi, "Proactive System for Digital Forensic Investigation," University of Victoria, 2014.
[2] "Mapping Process of Digital Forensic Investigation Framework."
[3] Mohammad Rasmi, Aman Jantan and Hani Al-Mimi, "A New Approach for Resolving Cybercrime in Network Forensics Based on Generic Process Model."
[4] Y. Yorozu, M. Hirano, K. Oka and Y. Tagawa.
[5] "A System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence."
[6] "Towards Proactive Computer-System Forensics."
[7] "Requirements-Driven Adaptive Digital Forensics."
[8] "Multi-Perspective Cybercrime Investigation Process Modeling."
[9] "A Forensic Traceability Index in Digital Forensic Investigation."
[10] "Network/Cyber Forensics."
[11] "Smartphone Forensics: A Proactive Investigation Scheme for Evidence Acquisition."
