DOI: 10.1145/3339252.3339278
ARES Conference Proceedings (short paper)

Language-based Integration of Digital Forensics & Incident Response

Published: 26 August 2019

Abstract

In the cybersecurity domain, the level of standardization and interoperability among cybersecurity products from different vendors, including open-source ones, is fairly low. Although understandable from a business perspective, this deficiency makes it difficult and expensive for analysts to put together custom solutions and to gain visibility across their entire IT infrastructure. It also hampers the adoption of custom data analytics and AI solutions, and slows down the exchange of threat detection and mitigation solutions.
Recently, the Nugget domain specific language (DSL) has been proposed as a solution to the integration of digital forensics computations. The essential idea is to use a data flow language, somewhat similar to SQL, together with an extensible run-time environment, to decouple the specification of forensic computations from their implementation.
In this paper, we study the integration of Nugget with security monitoring tools; specifically, we integrate Google's GRR incident response framework and Splunk, the de facto standard for log aggregation. We demonstrate the utility of this type of standardization to both tool developers and end-user analysts/IT administrators, and we discuss the potential implications of such a DSL becoming widely adopted across the entire domain of cybersecurity.
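The decoupling the abstract describes, a data-flow specification on one side and an extensible run-time that supplies the implementations on the other, is easiest to see in code. The following is an added illustration, not Nugget's grammar or runtime and not the real GRR or Splunk APIs: the stage names (`grr.fetch`, `hash`, `splunk.lookup`), the `key=value` argument syntax and the two in-memory backends are assumptions made for this example. A pipeline names only operators; which code answers for `grr.fetch` is decided by whatever has been registered with the run-time, so the same specification can run against a stub during development and against live collectors in production.

```python
"""Toy data-flow pipeline with a pluggable run-time (illustration only).

This is NOT Nugget's grammar or runtime and does not call the real GRR or
Splunk APIs: the stage names, the `key=value` argument syntax and the two
in-memory backends below are assumptions made for this example.
"""
import hashlib
import shlex
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Iterable, List

Record = Dict[str, Any]
Operator = Callable[[Iterable[Record], Dict[str, str]], Iterable[Record]]


@dataclass
class Stage:
    op: str
    args: Dict[str, str] = field(default_factory=dict)


def parse(spec: str) -> List[Stage]:
    """'op k=v ... | op2 ...'  ->  [Stage, ...]; shell-style quoting allowed."""
    stages = []
    for chunk in spec.split("|"):
        tokens = shlex.split(chunk)
        if not tokens:
            raise SyntaxError("empty pipeline stage")
        args: Dict[str, str] = {}
        for tok in tokens[1:]:
            if "=" not in tok:
                raise SyntaxError(f"expected key=value, got {tok!r}")
            k, v = tok.split("=", 1)
            args[k] = v
        stages.append(Stage(tokens[0], args))
    return stages


class Runtime:
    """Maps operator names to implementations; the spec never names one."""

    def __init__(self) -> None:
        self._ops: Dict[str, Operator] = {}

    def register(self, name: str):
        def deco(fn: Operator) -> Operator:
            self._ops[name] = fn
            return fn
        return deco

    def run(self, spec: str) -> List[Record]:
        stream: Iterable[Record] = ()
        for st in parse(spec):  # every stage is resolved before any data flows
            if st.op not in self._ops:
                raise LookupError(f"no implementation registered for {st.op!r}")
            stream = self._ops[st.op](stream, st.args)
        return list(stream)


# Constructed stand-ins for a GRR file collection and a Splunk IOC index.
FAKE_GRR_FILES = {
    "ws01": {"/usr/bin/curl": b"curl-binary", "/tmp/x": b"evil"},
    "ws02": {"/usr/bin/curl": b"curl-binary"},
}
FAKE_SPLUNK_IOC = [
    {"sha256": hashlib.sha256(b"evil").hexdigest(), "label": "known-bad"},
]

rt = Runtime()


@rt.register("grr.fetch")
def grr_fetch(_upstream: Iterable[Record], args: Dict[str, str]) -> Iterable[Record]:
    """Source stage: one record per host that has the requested path."""
    path = args["path"]
    for host, files in FAKE_GRR_FILES.items():
        if path in files:
            yield {"host": host, "path": path, "data": files[path]}


@rt.register("hash")
def hash_stage(records: Iterable[Record], args: Dict[str, str]) -> Iterable[Record]:
    """Pure transform: add a digest field named after the algorithm."""
    algo = args.get("algo", "sha256")
    for r in records:
        yield {**r, algo: hashlib.new(algo, r["data"]).hexdigest()}


@rt.register("splunk.lookup")
def splunk_lookup(records: Iterable[Record], args: Dict[str, str]) -> Iterable[Record]:
    """Join against the IOC table; keep only records that match a row."""
    key = args["field"]
    table = {row[key]: row for row in FAKE_SPLUNK_IOC}
    for r in records:
        hit = table.get(r.get(key))
        if hit is not None:
            yield {**r, "label": hit["label"]}


def suspicious_hosts(spec: str) -> List[str]:
    """Run a pipeline and return the hosts it flags, sorted."""
    return sorted(r["host"] for r in rt.run(spec))


if __name__ == "__main__":
    print(suspicious_hosts(
        "grr.fetch path=/tmp/x | hash algo=sha256 | splunk.lookup field=sha256"))
```

Replacing the stub `grr.fetch` with one that drives a real GRR hunt, or `splunk.lookup` with one that issues a real search, changes a registration and nothing in the pipeline text. The run-time resolves all stage names before any data flows, so a typo or a missing backend fails immediately rather than part-way through a collection against live hosts.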


Cited By

  • (2024) A Detailed Investigation on Digital Technology and AI in Social Sectors. In: Future of Digital Technology and AI in Social Sectors, pp. 33-62. DOI 10.4018/979-8-3693-5533-6.ch002. Online publication date: 27 Sep 2024
  • (2024) Exploring off-chain voting and blockchain in decentralized autonomous organizations. RAUSP Management Journal 59(4), 335-349. DOI 10.1108/RAUSP-08-2023-0162. Online publication date: 12 Sep 2024

Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019, 979 pages
ISBN: 9781450371643
DOI: 10.1145/3339252
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. digital forensics
  2. domain specific language
  3. grr
  4. incident response
  5. nugget

Qualifiers

  • Short-paper
  • Research
  • Refereed limited

Conference

ARES '19

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

Downloads: 22 (last 12 months), 2 (last 6 weeks). Reflects downloads up to 18 Nov 2024.
