PROACTIVE CYBER FORENSIC ANALYSIS
Proactive and Reactive Cyber Forensics Investigation Steps: A Systematic Literature Review (SLR)
A multi-component framework for cyber forensics investigation
Abstract - Digital Forensics (DF) can be defined as the ensemble of methods, tools and techniques used to collect, preserve and analyze digital data from any type of digital media involved in an incident, with the goal of extracting valid evidence for a court of law. DF investigations are usually performed in response to a digital crime and are therefore simply termed Reactive Digital Forensics (RDF). This involves identifying, preserving, collecting, analyzing and generating the final report. Although RDF investigations work, they face many challenges, especially when dealing with anti-forensic incidents, volatile data and event reconstruction. To address these difficulties, Proactive Digital Forensics (PDF) is required. By being proactive, DF is prepared for incidents: the PDF investigation has the capacity to proactively collect data, preserve it, detect suspicious events, analyze evidence and report an incident as it occurs.
Index Terms - Digital forensics, digital proactive forensics, digital reactive forensics, digital device storage, digital crime, anti-forensics, multi-component framework
Introduction
Computer crimes have increased greatly and their level of sophistication has also advanced; the volatility and dynamicity of the information that moves between devices call for some form of proactive investigation. Reactive investigation is becoming less practical, because the increasing size of the data to be investigated and the rapidly changing underlying technology of the devices make many of the tools built for reactive digital forensics ineffective. In order to investigate anti-forensic incidents and to promote automation of the live investigation, a combined proactive and reactive functional process has been suggested. The phases of the suggested proactive and reactive digital forensics investigation process have been mapped to existing investigation techniques. The proactive part of the suggested process has been compared to the active component of the multi-component framework. All phases of the proactive component of the new process are meant to be automated. To this end, a theory for proactive digital forensics is essential to lay a strong groundwork for the implementation of a trusted proactive system.
I. Anti-Forensics
The term anti-forensics refers to methods that prevent forensic tools, investigations and investigators from achieving their goals. Two types of anti-forensic methods are data overwriting and data hiding. From a digital investigation perspective, anti-forensics can do the following:
- Prevent evidence collection.
- Increase the investigation time.
- Provide misleading evidence that can jeopardize the whole investigation.
- Prevent detection of digital crime.
To investigate crimes that rely on anti-forensic methods, more digital forensic investigation techniques and tools need to be developed, tested and automated. Such techniques and tools are called proactive forensic techniques. Proactive forensics has been suggested in. Currently, however, the definition and the process of proactive forensics have never been explicated.
II. Proactive digital forensics
The Proactive Digital Forensics component has the ability to proactively collect data, preserve it, detect suspicious events, gather evidence, carry out the analysis and build a case against any suspicious activity. Furthermore, an automated report is produced for later use in the reactive component. The evidence gathered in this component is the proactive evidence that relates to a specific event or incident as it occurs. As opposed to the reactive component, the collection phase in this component comes before preservation, since no event has been identified yet. The phases of the proactive component are defined as follows:
- Proactive Collection: automated live collection of predefined data in order of volatility and priority, related to a specific requirement of an organization or to a specific event.
- Proactive Preservation: automated preservation, via hashing, of the evidence and of the proactively collected data related to the suspicious event.
- Proactive Event Detection: detection of a suspicious event via an intrusion detection system or a crime-prevention alert.
- Proactive Analysis: automated live analysis of the evidence, which can use forensic techniques such as data mining and outlier detection to support and construct the initial hypothesis of the incident.
- Report: automated report produced from the proactive component's analysis. This report is also very important to the reactive component and can serve as the starting point of the reactive analysis. [1]
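The four automated phases above (collection in volatility order, hashing-based preservation, the event trigger, and the preliminary report that the reactive phase starts from) fit together as a small pipeline. The following is an added example and not code from the paper or from any of the works it reviews: the artifact names, the volatility ordering and the sample artifact contents are constructed for illustration, and a real collector would read them from the live system instead.

```python
"""Proactive collection, hashing-based preservation and an automated preliminary report.

Added example (not from the paper). Artifact names, the volatility order and the
sample artifacts are constructed stand-ins for what a live collector would read.
"""
import hashlib
import json

# Assumed collection policy: artifacts ordered from most to least volatile.
VOLATILITY_ORDER = ("process_list", "network_connections", "logon_events", "file_listing")

# Constructed sample data keyed by artifact name (one entry is outside the policy).
SAMPLE_ARTIFACTS = {
    "file_listing": b"C:\\Windows\\System32\\drivers\\etc\\hosts\n",
    "process_list": b"pid=4 name=System\npid=812 name=svchost.exe\n",
    "network_connections": b"tcp 10.0.0.5:49152 -> 203.0.113.7:443 ESTABLISHED\n",
    "logon_events": b"4624 user=alice logon_type=2\n",
    "unlisted_blob": b"ignored: not part of the collection policy\n",
}


def proactive_collect(artifacts, order=VOLATILITY_ORDER):
    """Proactive Collection: return [(name, data)] in volatility order; unlisted items are skipped."""
    return [(name, artifacts[name]) for name in order if name in artifacts]


def proactive_preserve(collected, collected_at):
    """Proactive Preservation: hash every artifact at collection time so later tampering is detectable."""
    preserved = []
    for position, (name, data) in enumerate(collected):
        preserved.append({
            "order": position,
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "collected_at": collected_at,
        })
    return preserved


def _chain_hash(entries):
    """Hash over the ordered artifact hashes, binding the whole set and its order together."""
    return hashlib.sha256("".join(e["sha256"] for e in entries).encode()).hexdigest()


def preliminary_report(preserved, trigger, collected_at):
    """Report phase: the automated statement the reactive analysis can start from."""
    return {
        "trigger": trigger,            # e.g. the IDS or crime-prevention alert that fired
        "collected_at": collected_at,
        "artifacts": preserved,
        "chain_sha256": _chain_hash(preserved),
    }


def verify_report(report, artifacts):
    """Re-hash the stored artifacts and check them, and their order, against the report."""
    for entry in report["artifacts"]:
        data = artifacts.get(entry["name"])
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            return False
    return _chain_hash(report["artifacts"]) == report["chain_sha256"]


if __name__ == "__main__":
    stamp = "2024-01-01T00:00:00Z"  # constructed timestamp
    collected = proactive_collect(SAMPLE_ARTIFACTS)
    report = preliminary_report(proactive_preserve(collected, stamp), "ids-alert", stamp)
    print(json.dumps(report, indent=2))
    print("verified:", verify_report(report, SAMPLE_ARTIFACTS))
```

Because the per-artifact hashes are chained in collection order, the verifier rejects not only a modified artifact but also a missing one, which is what preservation in the proactive component is meant to guarantee before any event has been formally identified.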
III. Reactive Digital Forensics
This is the traditional, or post-mortem, approach of investigating a digital crime after an incident has occurred. It involves identifying, preserving, collecting, analyzing and generating the final report. Two types of evidence are collected under this component:
- Active: active evidence refers to collecting all live (dynamic) evidence that is present after an incident. An example of such evidence is the processes running in memory.
- Reactive: refers to collecting all the static evidence remaining, such as an image of a hard drive.
Previous Work

| Reactive investigation process and references | Identification | Preservation | Collection | Analysis | Report |
|---|---|---|---|---|---|
| Investigative Process for Digital Forensic Science | | | | | |
| End-to-End Digital Investigation Process | | | | | |
| Step by step DF investigation | | | | | |
| The Hierarchical, Objective-based Framework | | | | | |
| An Expanded Model for E-Discovery Operations | | | | | |
| FORZA - Digital Forensics Investigation Framework Incorporating Legal Issues | | | | | |
Proactive vs Reactive Forensics Investigation Framework

| PHASE | Proactive Analysis | Reactive Analysis |
|---|---|---|
| Proactive Collection | ✓ | |
| Event Trigger Function | ✓ | |
| Proactive Preservation | ✓ | |
| Proactive Analysis | ✓ | |
| Preliminary report | ✓ | |
| Identification | | ✓ |
| Preservation | | ✓ |
| Collection | | ✓ |
| Analysis | | ✓ |
| Report | | ✓ |
Complexity of Digital Forensics Investigation
Digital incidents are so complicated that it is hard to investigate them forensically. The elements involved in a digital crime are situated in a large multidimensional space and cannot be easily identified. With the increase in storage and memory sizes, and the use of parallelism, virtualization and cloud, the parameters to take into consideration during an investigation may also become unmanageable.
Five important principles
The five fundamental principles are listed below:
Principle 1: Consider the entire system. This includes user space as well as kernel space, the file system, the network stack and other related subsystems.
Principle 2: Assumptions about expected failures, attacks and attackers should not control what is logged. Trust no user and trust no policy, as we may not know what we want beforehand.
Principle 3: Consider the effects of events, not just the actions that caused them, and how those effects may be altered by context and environment.
Principle 4: Context assists in interpreting and understanding the meaning of an event.
Principle 5: Every action and every result must be processed and presented in a way that can be analyzed and understood by a human forensic analyst.
These five principles are for reactive analysis; for proactive analysis some new ideas are needed. Soltan Abed Alharbi proposed the following two:
Principle 6: Preserve the entire history of the system.
Principle 7: Perform the analysis and report the results in real time.
By preserving the whole history of the system, we can go back in time, reconstruct what has occurred and reliably answer all the required questions about an event or incident. The reconstructed timeline is based on the actual states of the system before and after the event or incident. In addition, and because of the massive amount of data, events and actions involved, carrying out a proactive analysis and reporting requires real-time techniques that use high-performance computing. The analysis phase should be automated and have the required intelligence to investigate the suspicious events in real time and across multiple systems.
Figure 1 Relation between action, target & events [1]
In addition to the actions and events that the seven principles listed above emphasize, we introduce the notion of targets. A target is any resource or object related to the system under investigation, e.g. a file, memory, a register, etc. We will use the term element of DF investigation to refer to a target, an action or an event. At any time t, as shown in Figure 3.1, the system is in the process of performing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones.
A model for proactive digital forensics
The model below has two major parts:
- Forward system
- Feedback system
The forward system is the one upon which the investigation is conducted. Both systems, the forward and the feedback, can be modelled as a tuple $(T, E, A)$, where $T$ is a set of targets, $E$ is a set of events, and $A$ is a set of possible actions, each of which is viewed as a transfer function of targets and events. To clarify this, each target $\tau \in T$ is associated with a set $S(\tau)$ representing the possible states in which it can be. The Cartesian product of $S(\tau)$ over all targets $\tau$ defines the state space of the system's targets, and we denote it by $\mathcal{T}$. We do the same for each event $e$, but we take $S(e)$ to contain two and only two elements, namely $\top$ (triggered event) and $\bot$ (not triggered event). The Cartesian product of all the system's events ($S(e)$ for each event $e$) is denoted by $\mathcal{E}$ (event state space). An action $a$ is therefore a function from $\Theta \times \mathcal{T} \times \mathcal{E}$ to $\mathcal{T} \times \mathcal{E}$, where $\Theta$ denotes the time dimension. The evolution function $\Pi$ is defined from $\Theta \times (\mathcal{T} \times \mathcal{E}) \times A$ to $\mathcal{T} \times \mathcal{E}$ by
$$\Pi(t, (\tilde{\tau}, \tilde{e}), a) = a(t, \tilde{\tau}, \tilde{e}).$$
At a time $t \in \Theta$, an event $e$ is triggered if its state at time $t$ is $\top$, and not triggered ($\bot$) otherwise. The notation $\top_t e$ will be used to denote that the event $e$ is triggered at time $t$.
Figure 2 Proactive model [1]
The forward system has three elements that are related: target, event and action.
A. Target
A target is any resource or object related to the system under investigation (e.g. a file, memory, a register, etc.). We will use the term element of DF investigation to refer to a target, an action or an event. At a time t the system is in the process of performing an action that reacts to some targets and events, and produces new targets and events or modifies the existing ones. Therefore, to describe the dynamics of the system at a single instant t, one must know at least the states of the targets, the events generated and the actions carried out at t. For a full description of the dynamics, these elements of investigation need to be given at every instant of time; the entire analysis of the dynamics of the system therefore requires a huge multidimensional space.
B. Events and Actions
Keeping track of all events and targets is expensive. To reduce them, we introduce a few classifications using preorder and equivalence relations. To illustrate the idea behind these classifications, consider a botnet writing into a file. This event will lead to other events, including checking the permissions on the file, updating the access time of the file, and writing the data to the physical disk. The idea behind our formalization is to be able to know which events are essential (maximal) and which can be overlooked. The same holds for the targets. This will improve cost and time.
- Short theory on events
Let $e_1$ and $e_2$ be two events in $E$. We define the relation $\leq_E$ on $E$ as follows:
$e_1 \leq_E e_2$ if and only if whenever the event $e_1$ happens at a time $t$, the event $e_2$ must also happen at a time $t'$ greater than or equal to $t$. Formally, this is expressed as:
$$e_1 \leq_E e_2 \iff \left(\forall t\; \top_t e_1 \implies \exists t' \geq t\; \top_{t'} e_2\right)$$
Subsequent events are those that are less than $e$.
- Short theory on targets
Let $\Psi$ be the mapping from $T$ to $E$ (Figure 3.10) that associates each target with its change-of-state event. The mapping $\Psi$ and the relation $\leq_E$ induce a preorder relation $\leq_T$ defined by
$$\tau_1 \leq_T \tau_2 \iff \Psi(\tau_1) \leq_E \Psi(\tau_2)$$
Informally, this means that whenever target $\tau_1$ changes at time $t$, the target $\tau_2$ must change at some $t' \geq t$.
- Short theory on actions
The set of actions $A$ is extended to $\bar{A}$ using the following operators:
An associative binary operator called the sequential operator and denoted by $;$. Given two actions $a_1$ and $a_2$, the action $a_1;a_2$ is semantically equivalent to carrying out $a_1$ and then $a_2$ (the two transfer functions are in series). Note that the neutral action $\Lambda$ is a neutral element of $\bar{A}$ with respect to $;$ (i.e., $a;\Lambda = \Lambda;a = a$ for every action $a$).
A commutative binary operator called the parallel operator and denoted by $\|$. In this case $a_1 \| a_2$ is the same as carrying out $a_1$ and $a_2$ simultaneously (the two transfer functions are in parallel). The action $\Lambda$ is also a neutral element of $\bar{A}$ with respect to $\|$.
A conditional operator defined as follows. Given two conditions $c_i$ and $c_e$ in $C$, and an action $a$, the operator $c_i\, a\, c_e$ represents the action of iteratively carrying out $a$ only when $c_i$ is true and stopping when $c_e$ is false. This is denoted by $c_i\, a\, c_e$. Note that if both are true, then $c_i\, a\, c_e$ is $a$.
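The model of the previous subsections (targets with states, events that are either triggered or not, actions as transfer functions composed with the sequential, parallel and conditional operators, and the preorder $\leq_E$ used to find the essential, maximal events) can be made executable on the paper's own file-write scenario. The code below is an added example and not the paper's or the thesis's code; every name in it is constructed, and two points are assumptions rather than anything the paper specifies: the parallel operator is implemented by running both actions on the same input state and merging their writes (so the two actions are assumed to touch disjoint targets and events), and the conditional operator is read as "repeat $a$ while $c_i$ holds, stopping as soon as $c_e$ is false". The event preorder is computed from a constructed trace rather than from live observation.

```python
"""Executable toy of the (T, E, A) model and the event preorder <=_E.

Added example, not the paper's code. All names are constructed; the merge
semantics of || and the loop semantics of the conditional operator are one
reading of the paper's informal definitions (assumption).
"""
from copy import deepcopy


def make_state(targets, events):
    """A point of the state space: target -> current state, event -> triggered flag."""
    return {"T": dict(targets), "E": {e: False for e in events}}


def evolve(t, state, action):
    """Evolution function Pi(t, (T, E), a) = a(t, T, E); the input state is not mutated."""
    return action(t, deepcopy(state))


def neutral(t, state):
    """The neutral action: leaves the state unchanged."""
    return state


def seq(a1, a2):
    """a1 ; a2 : run a1, then feed its output to a2 (transfer functions in series)."""
    return lambda t, s: a2(t, a1(t, s))


def par(a1, a2):
    """a1 || a2 : both read the same input; their writes are merged (assumes disjoint writes)."""
    def run(t, s):
        out = deepcopy(s)
        for result in (a1(t, deepcopy(s)), a2(t, deepcopy(s))):
            for space in ("T", "E"):
                for name, value in result[space].items():
                    if value != s[space].get(name):
                        out[space][name] = value
        return out
    return run


def cond(c_i, a, c_e):
    """c_i a c_e : repeat a while c_i holds; stop as soon as c_e becomes false (assumed reading)."""
    def run(t, s):
        while c_i(s):
            s = a(t, s)
            if not c_e(s):
                break
        return s
    return run


# Constructed actions for the paper's scenario: a process writing into a file.
def check_permission(t, s):
    s["E"]["perm_check"] = True
    return s


def update_atime(t, s):
    s["T"]["file_atime"] = t
    s["E"]["atime_update"] = True
    return s


def write_disk(t, s):
    s["T"]["disk_block"] = "payload"
    s["E"]["disk_write"] = True
    return s


def run_file_write(t=3):
    """Compose the write as (check ; (atime || disk)) and evolve the system at time t."""
    state = make_state({"file_atime": 0, "disk_block": ""},
                       ["file_write", "perm_check", "atime_update", "disk_write"])
    state["E"]["file_write"] = True
    return evolve(t, state, seq(check_permission, par(update_atime, write_disk)))


def retry_until_done(limit=3):
    """Conditional operator demo: bump 'attempts' while it is below the limit."""
    bump = lambda t, s: {**s, "T": {**s["T"], "attempts": s["T"]["attempts"] + 1}}
    action = cond(lambda s: s["T"]["attempts"] < limit, bump, lambda s: True)
    return evolve(0, make_state({"attempts": 0}, []), action)["T"]["attempts"]


# Constructed trace: (time, events triggered at that time), sorted by time.
SAMPLE_TRACE = [
    (1, {"file_write"}), (2, {"perm_check", "atime_update"}), (3, {"disk_write"}),
    (5, {"file_write"}), (6, {"perm_check", "atime_update"}), (7, {"disk_write"}),
]


def event_preorder(trace):
    """e1 <=_E e2 iff every time e1 triggers, e2 triggers at the same or a later time."""
    events = sorted({e for _, fired in trace for e in fired})
    def leq(e1, e2):
        return all(any(e2 in later for t2, later in trace if t2 >= t)
                   for t, fired in trace if e1 in fired)
    return {(e1, e2): leq(e1, e2) for e1 in events for e2 in events}


def maximal_events(order):
    """Essential events: e such that every e2 with e <= e2 also satisfies e2 <= e."""
    events = sorted({e for e, _ in order})
    return [e for e in events if all(order[(e2, e)] for e2 in events if order[(e, e2)])]


def equivalent_events(order):
    """Pairs that are <= each other, i.e. the same event class under the preorder."""
    events = sorted({e for e, _ in order})
    return [(a, b) for a in events for b in events if a < b and order[(a, b)] and order[(b, a)]]
```

On the constructed trace the file write is below every other event, the permission check and the access-time update turn out equivalent, and the disk write is the only maximal event, which is the kind of reduction the classification is meant to deliver: an analyst tracking the maximal class loses none of the information carried by the events beneath it.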
Zone-Based Classification of the Investigation Space
To address the limitation of the classification described previously and to handle the undesirability concern, we classify the event and target states into a set of priority zones. These zones can be represented with different colors: green, yellow and red, going from a lower priority to a higher one. When important events/targets with high-priority levels are triggered, a more detailed investigation is expected. Moreover, the zones can be used as a quantifying matrix that provides numbers reflecting the certainty level for the occurrence of an incident. In our case, this number is an important piece of information in the final report.
The high-priority events can include the following: the IDS, antivirus or firewall being turned off, and changes to the Windows system32 folder. Likewise, the high-priority targets are the system32 folder, the registry, network traffic and the memory dump.
Given that the number of targets and events is large, this classification is not enough, especially during the analysis phase. So, we need to reduce the forensic space. Similar to the principal component analysis approach [59], we suggest restricting the analysis to "important" targets and events based on a specific organization policy. This can be viewed as projecting the entire forensic space $F$ onto a sub-space $F'$ in which the evidence is most probably located.
Figure 3 Zone-based classification [1]
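The zone classification and the projection of $F$ onto $F'$ reduce to a policy lookup followed by a filter, and the "quantifying matrix" to a number derived from the zones that fired. The following is an added example, not code from the paper: the red entries in the policy are the high-priority events and targets the text names, while the yellow and green entries, the numeric zone weights, the certainty formula (mean zone weight normalized to [0, 1]) and the sample observations are constructed for illustration.

```python
"""Zone-based priority classification and projection of the forensic space F onto F'.

Added example, not the paper's code. The red policy entries are the high-priority
items named in the text; everything else here is a constructed assumption.
"""

# Zones from lowest to highest priority, with a constructed numeric weight.
ZONES = {"green": 1, "yellow": 2, "red": 3}

# Constructed organization policy: which events and targets belong to which zone.
POLICY = {
    "event": {
        "ids_off": "red", "antivirus_off": "red", "firewall_off": "red",
        "system32_change": "red", "new_local_user": "yellow", "file_read": "green",
    },
    "target": {
        "system32": "red", "registry": "red", "network_traffic": "red",
        "memory_dump": "red", "temp_dir": "yellow", "user_documents": "green",
    },
}

# Constructed observations: what the event-trigger function saw in one time window.
SAMPLE_OBSERVATIONS = [
    {"kind": "event", "name": "ids_off"},
    {"kind": "event", "name": "firewall_off"},
    {"kind": "target", "name": "system32"},
    {"kind": "event", "name": "file_read"},
    {"kind": "target", "name": "temp_dir"},
    {"kind": "target", "name": "user_documents"},
    {"kind": "event", "name": "unlisted_event"},   # not covered by the policy
]


def zone_of(kind, name, policy=POLICY):
    """Zone of an element of investigation; anything the policy does not list is green."""
    return policy[kind].get(name, "green")


def project(observations, policy=POLICY, min_zone="yellow"):
    """Project F onto F': keep only observations whose zone is at least min_zone."""
    threshold = ZONES[min_zone]
    return [o for o in observations
            if ZONES[zone_of(o["kind"], o["name"], policy)] >= threshold]


def certainty(observations, policy=POLICY):
    """Quantifying matrix: mean zone weight normalized to [0, 1]; 1.0 means everything was red."""
    if not observations:
        return 0.0
    weights = [ZONES[zone_of(o["kind"], o["name"], policy)] for o in observations]
    return round(sum(weights) / (ZONES["red"] * len(weights)), 3)


def needs_detailed_analysis(observations, policy=POLICY):
    """Any red event or target calls for the more detailed investigation the text expects."""
    return any(zone_of(o["kind"], o["name"], policy) == "red" for o in observations)


def summarize(observations, policy=POLICY):
    """Report fragment: counts per zone, the reduced space F', the certainty number and the flag."""
    counts = {zone: 0 for zone in ZONES}
    for o in observations:
        counts[zone_of(o["kind"], o["name"], policy)] += 1
    return {
        "counts": counts,
        "reduced_space": project(observations, policy),
        "certainty": certainty(observations, policy),
        "detailed_analysis": needs_detailed_analysis(observations, policy),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_OBSERVATIONS))
```

Defaulting unlisted elements to the green zone is the conservative choice for the reduction step, since the whole point of the projection is to drop what the policy has not marked as important; an organization that would rather be alerted on the unknown can raise that default instead.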
Conclusion
In this paper we proposed a new approach to handling cybercrime using proactive forensics, focusing on the investigation space for proactive investigation. This paper reviews the literature on proactive forensic strategies and their functions. It proposes a way for proactive investigation to be carried out effectively. In order to investigate anti-forensic methods and to promote automation of the live investigation, a proactive functional process has been suggested. The proposed process emerged as a consequence of an SLR of all the processes that exist in the literature. The phases of the proposed proactive digital forensics investigation process have been mapped to existing investigation processes.
For future work, the investigation space profiling is to be done on the events and targets in each zone.
References
- Proactive System for Digital Forensic Investigation, Soltan Abed Alharbi, 2014, University of Victoria
- Mapping Process of Digital Forensic Investigation Framework
- A New Approach for Resolving Cybercrime in Network Forensics Based on Generic Process Model, Mohammad Rasmi, Aman Jantan, Hani Al-Mimi
- A System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence
- Towards Proactive Computer-System Forensics
- Requirements-Driven Adaptive Digital Forensics
- Multi-Perspective Cybercrime Investigation Process Modeling
- A Forensic Traceability Index in Digital Forensic Investigation
- Network/Cyber Forensics
- Smartphone Forensics: A Proactive Investigation Scheme for Evidence Acquisition