
every day because a large variety of high-tech cybercrimes are reported, for instance APT, hacking, ransomware and DDoS. During an investigation, investigators often concentrate on the evidence itself, such as reversing malware for its detailed behaviors or analyzing packets for credential leakage, but seldom manage, or have difficulty, to draw out the whole picture of the incident by correlating the seized or acquired evidence for intelligence purposes. All relevant data from seized media should be utilized and analyzed, then transformed into intelligence so as to build a profile of the potential suspect with the corresponding attributes.
Based on the principles of the Zachman Framework, we propose and design an Investigation and Intelligence Framework: an automated mechanism to identify the potential suspect at an early stage, easing further investigation and correlating evidence to oversee the entire picture of the cybercrime. Our framework adopts four of the intersections, i.e. When, Where, Who and How. These 4W of an incident should be the factors of concern no matter what type of cybercrime has happened. To fulfill this 4W concept, related artifacts including timeline, location, identity and attack path are recognized at an earlier phase, so investigators can tackle cybercrimes more successfully. By analyzing the evidence against intelligence sources such as VirusTotal, PassiveTotal, PhishTank and MalProfile, the artifacts can be transformed into new pieces of intelligence and build the possible story of the incident/crime for further investigation.
A tool is developed to correlate the evidence, integrating the Rekall Memory Forensics Framework [3], the Pypcap library for pcap extraction, and the Python Registry and Exif libraries to extract useful artifacts. Together with intelligence sources, the tool applies a probability model and algorithms to correlate evidence. It then returns the confidence level, risk scores and possible attack path/incident type for the collected evidence and suggests which items are worth further investigation. This provides a big picture of the cybercrime story and builds a potential profile of the suspect, helping the investigation proceed more effectively.
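The following is an added illustration of the 4W correlation idea described above; it is not the paper's tool. The sample artifacts, the intelligence verdicts (standing in for VirusTotal/PassiveTotal-style lookups), the kind-to-W mapping and the additive scoring are all constructed assumptions for demonstration, not the paper's probability model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample artifacts in the shape the paper's extractors (memory,
# pcap, registry, EXIF) might emit: (source, kind, value, ISO timestamp).
ARTIFACTS = [
    ("memory", "process", "svchost.exe -> 203.0.113.7:443", "2016-03-01T10:02:00"),
    ("pcap", "dst_ip", "203.0.113.7", "2016-03-01T10:02:05"),
    ("registry", "run_key", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", "2016-03-01T09:58:00"),
    ("exif", "gps", "22.2800,114.1588", "2016-02-28T18:40:00"),
    ("pcap", "account", "alice@example.test", "2016-03-01T10:01:50"),
]
# Constructed verdicts standing in for VirusTotal/PassiveTotal-style lookups.
INTEL = {"203.0.113.7": "malicious", "alice@example.test": "leaked-credential"}
# Assumed mapping of artifact kind onto Where/Who/How; every timestamp feeds When.
KIND_TO_W = {"process": "How", "run_key": "How", "dst_ip": "Where",
             "gps": "Where", "account": "Who"}

def bucket_4w(artifacts):
    """Group artifacts into the When/Where/Who/How intersections."""
    w = defaultdict(list)
    for source, kind, value, ts in artifacts:
        w["When"].append((datetime.fromisoformat(ts), source, value))
        w[KIND_TO_W[kind]].append((source, value))
    w["When"].sort()
    return w

def corroborated(when_events, window=timedelta(seconds=30)):
    """Indicators reported by two different sources within a short time window."""
    found = set()
    for i, (t1, s1, v1) in enumerate(when_events):
        for t2, s2, v2 in when_events[i + 1:]:
            if t2 - t1 > window:
                break  # events are sorted, so later ones are further away
            if s1 != s2 and (v1 in v2 or v2 in v1):
                found.add(min(v1, v2, key=len))
    return found

def correlate(artifacts, intel):
    """Assumed scoring: +1 per covered W, +2 per intel hit, +2 per corroborated indicator."""
    w = bucket_4w(artifacts)
    covered = [k for k in ("When", "Where", "Who", "How") if w[k]]
    hits = sorted(v for _, v in w["Where"] + w["Who"] + w["How"] if v in intel)
    strong = corroborated(w["When"])
    score = len(covered) + 2 * len(hits) + 2 * len(strong)
    level = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"covered": covered, "intel_hits": hits, "corroborated": strong,
            "score": score, "level": level}

if __name__ == "__main__":
    print(correlate(ARTIFACTS, INTEL))
```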