Catálogo de publicaciones - libros

Forensic analysis requires a keen detective mind, but the human mind has neither the ability nor the time to process the millions of bytes on a typical computer hard disk. Digital forensic investigators need powerful tools that can automate many of the analysis tasks that are currently being performed manually.

This paper argues that forensic analysis can greatly benefit from research in knowledge discovery and data mining, which has developed powerful automated techniques for analyzing massive quantities of data to discern novel, potentially useful patterns. We use the term “evidence mining ” to refer to the application of these techniques in the analysis phase of digital forensic investigations. This paper presents a novel approach involving the specialization of CRISP-DM, a cross-industry standard process for data mining, to CRISP-EM, an evidence mining methodology designed specifically for digital forensics. In addition to supporting forensic analysis, the CRISP-EM methodology offers a structured approach for defining the research gaps in evidence mining.

This paper describes the design of an integrity-aware Forensic Evidence Management System (FEMS). The well-known Biba integrity model is employed to preserve and reason about the integrity of stored evidence. Casey’s certainty scale provides the integrity classification scheme needed to apply the Biba model. The paper also discusses the benefits of using an integrity-aware system for managing digital evidence.

System log files contain valuable evidence pertaining to computer attacks. However, the log files are often massive, and much of the information they contain is not relevant to the investigation. Furthermore, the files almost always have a flat structure, which limits the ability to query them. Thus, digital forensic investigators find it extremely difficult and time consuming to extract and analyze evidence of attacks from log files. This paper describes an automated attack-tree-based approach for filtering irrelevant information from system log files and conducting systematic investigations of computer attacks.

A pattern is an encapsulated solution to a problem in a given context that can be used to guide system design and evaluation. Analysis, design and architectural patterns are established formalisms for designing high quality software. Security patterns guide the secure design of systems by providing generic solutions that prevent a variety of attacks. This paper presents an attack pattern, a new type of pattern that is specified from the point of view of an attacker. The pattern describes how an attack is performed, enumerates the security patterns that can be applied to defeat the attack, and describes how to trace the attack once it has occurred. An example involving DoS attacks on VoIP networks is used to demonstrate the value of the formalism to security designers and forensic investigators.