Australian Digital Forensics Conference
Document Type
Conference Proceeding
Publisher
SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
Abstract
In recent years, the hottest topics in the security field are related to the advanced and persistent attacks. As an approach to solve this problem, we propose a cyber blackbox which collects and preserves network traffic on a virtual volume based WORM device, called EvidenceLock to ensure data integrity for security and forensic analysis. As a strategy to retain traffic for long enough periods, we introduce a deduplication method. Also this paper includes a study on the network evidence which is collected and preserved for analyzing the cause of cyber incident. Then, a method is proposed to suggest a starting point for incident analysis to a forensic practitioner who has to investigate on the vast amount of network traffic collected using the cyber blackbox. Experimental results show this approach is effectively able to reduce the amount of data to search by dividing doubtful flows from normal traffic. Finally, we discuss the results with the forensically meaningful point of view and present further works.
DOI
10.4225/75/57b40079fb893
Comments
13th Australian Digital Forensics Conference, held from the 30 November – 2 December, 2015 (pp. 114-147), Edith Cowan University Joondalup Campus, Perth, Western Australia.