Leveraging CybOX™ to standardize representation and exchange of digital forensic information

Details

Resource 1: 1-s2.0-S1742287615000158-main.pdf (1384.64 KB)
Status: Public
Version: Final published version
Serval ID
serval:BIB_0A04DCFD1BC9
Type
Article: article from a journal or magazine.
Collection
Publications
Title
Leveraging CybOX™ to standardize representation and exchange of digital forensic information
Journal
Digital Investigation
Author(s)
Casey Eoghan, Back Greg, Barnum Sean
ISSN
1742-2876
Editorial status
Published
Publication date
2015
Peer-reviewed
Yes
Volume
12
Pages
S102 - S110
Language
English
Abstract
With the growing number of digital forensic tools and the increasing use of digital forensics in various contexts, including incident response and cyber threat intelligence, there is a pressing need for a widely accepted standard for representing and exchanging digital forensic information. Such a standard representation can support correlation between different data sources, enabling more effective and efficient querying and analysis of digital evidence. This work summarizes the strengths and weaknesses of existing schemas, and proposes the open-source CybOX schema as a foundation for storing and sharing digital forensic information. The suitability of CybOX for representing objects and relationships that are common in forensic investigations is demonstrated with examples involving digital evidence. The capability to represent provenance by leveraging CybOX is also demonstrated, including specifics of the tool used to process digital evidence and the resulting output. An example is provided of an ongoing project that uses CybOX to record the state of a system before and after an event in order to capture cause and effect information that can be useful for digital forensics. An additional open-source schema and associated ontology called Digital Forensic Analysis eXpression (DFAX) is proposed that provides a layer of domain specific information overlaid on CybOX. DFAX extends the capability of CybOX to represent more abstract forensic-relevant actions, including actions performed by subjects and by forensic examiners, which can be useful for sharing knowledge and supporting more advanced forensic analysis. DFAX can be used in combination with other existing schemas for representing identity information (CIQ), and location information (KML). This work also introduces and leverages initial steps of a Unified Cyber Ontology (UCO) effort to abstract and express concepts/constructs that are common across the cyber domain.
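The abstract describes CybOX being used to record forensic objects, the relationships between them, and the provenance of the tool that produced each observation, so that evidence from different sources can be correlated and queried. The following is an added example, not code or data from the paper or from the CybOX project: it builds a small CybOX 2.1 document in which two constructed tools ("ExampleImager" and "ExampleCarver") each report files, records the tool in each observable's Observable_Source, links a carved file to its containing archive with Related_Objects, and then queries the document to find files reported independently by more than one tool. Element and namespace names follow the CybOX 2.1 core, common and File Object schemas as the editor recalls them and should be checked against the published XSDs; the tool names, paths, file contents and identifiers are constructed.

```python
"""Added example: build and query a small CybOX 2.1 evidence document.
Schema element names are from CybOX 2.1 as recalled by the editor;
tools, paths, file bytes and ids are constructed for the example."""
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "cyboxVocabs": "http://cybox.mitre.org/default_vocabularies-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
TOOL_PATH = "cybox:Observable_Source/cyboxCommon:Tools/cyboxCommon:Tool"


def file_observable(obs_id, obj_id, name, path, data, tool, version, related=None):
    """One cybox:Observable for a file. Hashes are computed from `data`, the
    processing tool is recorded as provenance in Observable_Source, and
    `related=(idref, relationship)` optionally links to another object."""
    md5, sha256 = hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()
    rel = ""
    if related:
        rel = (f'<cybox:Related_Objects><cybox:Related_Object idref="{related[0]}">'
               f'<cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">'
               f"{related[1]}</cybox:Relationship></cybox:Related_Object></cybox:Related_Objects>")
    hashes = "".join(
        f'<cyboxCommon:Hash><cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">{t}'
        f"</cyboxCommon:Type><cyboxCommon:Simple_Hash_Value>{v}"
        "</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>"
        for t, v in (("MD5", md5), ("SHA256", sha256)))
    return f"""
  <cybox:Observable id="{obs_id}">
    <cybox:Observable_Source><cyboxCommon:Tools><cyboxCommon:Tool>
      <cyboxCommon:Name>{escape(tool)}</cyboxCommon:Name>
      <cyboxCommon:Version>{escape(version)}</cyboxCommon:Version>
    </cyboxCommon:Tool></cyboxCommon:Tools></cybox:Observable_Source>
    <cybox:Object id="{obj_id}">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>{escape(name)}</FileObj:File_Name>
        <FileObj:File_Path>{escape(path)}</FileObj:File_Path>
        <FileObj:Size_In_Bytes>{len(data)}</FileObj:Size_In_Bytes>
        <FileObj:Hashes>{hashes}</FileObj:Hashes>
      </cybox:Properties>{rel}
    </cybox:Object>
  </cybox:Observable>"""


def build_document(observables):
    """Wrap observables in a cybox:Observables root with namespace declarations."""
    decl = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f'<cybox:Observables {decl} cybox_major_version="2" cybox_minor_version="1">'
            f'{"".join(observables)}\n</cybox:Observables>')


def hashes_by_source(doc):
    """Map each SHA256 value to the set of (object id, tool name) that reported it."""
    index = {}
    for obs in ET.fromstring(doc).findall("cybox:Observable", NS):
        tool = obs.findtext(TOOL_PATH + "/cyboxCommon:Name", default="unknown", namespaces=NS)
        obj = obs.find("cybox:Object", NS)
        for h in obj.findall("cybox:Properties/FileObj:Hashes/cyboxCommon:Hash", NS):
            if h.findtext("cyboxCommon:Type", namespaces=NS) == "SHA256":
                value = h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS)
                index.setdefault(value, set()).add((obj.get("id"), tool))
    return index


def correlated(doc):
    """SHA256 values reported independently by more than one tool (cross-source hits)."""
    return {h: sorted(src) for h, src in hashes_by_source(doc).items()
            if len({tool for _, tool in src}) > 1}


def provenance(doc, obj_id):
    """(tool name, tool version) recorded for the observable holding `obj_id`, or None."""
    for obs in ET.fromstring(doc).findall("cybox:Observable", NS):
        if obs.find("cybox:Object", NS).get("id") == obj_id:
            t = obs.find(TOOL_PATH, NS)
            return (t.findtext("cyboxCommon:Name", namespaces=NS),
                    t.findtext("cyboxCommon:Version", namespaces=NS))
    return None


def related_objects(doc, obj_id):
    """[(idref, relationship), ...] declared on the object with id `obj_id`."""
    for obj in ET.fromstring(doc).iter(f"{{{NS['cybox']}}}Object"):
        if obj.get("id") == obj_id:
            return [(r.get("idref"), r.findtext("cybox:Relationship", namespaces=NS))
                    for r in obj.findall("cybox:Related_Objects/cybox:Related_Object", NS)]
    return []


# Constructed sample evidence: the same bytes seen on disk by one tool and
# carved out of an archive by another; the archive itself is seen once.
PAYLOAD = b"MZ\x90\x00constructed-sample-executable"
ARCHIVE = b"PK\x03\x04constructed-archive"
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()
DOC = build_document([
    file_observable("example:Observable-1", "example:File-1", "update.exe",
                    "C:\\Temp\\update.exe", PAYLOAD, "ExampleImager", "1.0"),
    file_observable("example:Observable-2", "example:File-2", "pkg.zip",
                    "/evidence/pkg.zip", ARCHIVE, "ExampleCarver", "2.3"),
    file_observable("example:Observable-3", "example:File-3", "update.exe",
                    "pkg.zip/update.exe", PAYLOAD, "ExampleCarver", "2.3",
                    related=("example:File-2", "Contained_Within")),
])

if __name__ == "__main__":
    print(correlated(DOC))
```

The queries use only the hash, the tool name and the object ids, which is the point the abstract makes: once both tools emit the same schema, correlation across sources is a lookup rather than a per-tool parser, and the tool that produced each observation stays attached to it.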
Keywords
Digital forensics, Standard representation, Digital forensic ontology, Digital forensic XML, CybOX, DFXML, DFAX
Open Access
Yes
Record created
16/01/2019 22:09
Record last modified
20/08/2019 13:32