Leveraging CybOX™ to standardize representation and exchange of digital forensic information

Details

Resource 1: Download 1-s2.0-S1742287615000158-main.pdf (1384.64 KB)
State: Public
Version: Final published version
Serval ID
serval:BIB_0A04DCFD1BC9
Type
Article: article from journal or magazine.
Collection
Publications
Title
Leveraging CybOX™ to standardize representation and exchange of digital forensic information
Journal
Digital Investigation
Author(s)
Casey Eoghan, Back Greg, Barnum Sean
ISSN
1742-2876
Publication state
Published
Issued date
2015
Peer-reviewed
Yes
Volume
12
Pages
S102 - S110
Language
English
Abstract
With the growing number of digital forensic tools and the increasing use of digital forensics in various contexts, including incident response and cyber threat intelligence, there is a pressing need for a widely accepted standard for representing and exchanging digital forensic information. Such a standard representation can support correlation between different data sources, enabling more effective and efficient querying and analysis of digital evidence. This work summarizes the strengths and weaknesses of existing schemas, and proposes the open-source CybOX schema as a foundation for storing and sharing digital forensic information. The suitability of CybOX for representing objects and relationships that are common in forensic investigations is demonstrated with examples involving digital evidence. The capability to represent provenance by leveraging CybOX is also demonstrated, including specifics of the tool used to process digital evidence and the resulting output. An example is provided of an ongoing project that uses CybOX to record the state of a system before and after an event in order to capture cause and effect information that can be useful for digital forensics. An additional open-source schema and associated ontology called Digital Forensic Analysis eXpression (DFAX) is proposed that provides a layer of domain specific information overlaid on CybOX. DFAX extends the capability of CybOX to represent more abstract forensic-relevant actions, including actions performed by subjects and by forensic examiners, which can be useful for sharing knowledge and supporting more advanced forensic analysis. DFAX can be used in combination with other existing schemas for representing identity information (CIQ), and location information (KML). This work also introduces and leverages initial steps of a Unified Cyber Ontology (UCO) effort to abstract and express concepts/constructs that are common across the cyber domain.
Keywords
Digital forensics, Standard representation, Digital forensic ontology, Digital forensic XML, CybOX, DFXML, DFAX
Open Access
Yes
Create date
16/01/2019 21:09
Last modification date
20/08/2019 12:32