Enhancing Critical Infrastructure Protection with innovative SECurity framework
Digital Forensics via AEGIS Visualization toolkit
16/10/2018
Leonidas Kallipolitis, AEGIS
The research leading to these results has received funding from the European Union's Horizon 2020 Research and Innovation Programme, under Grant Agreement no
Introduction - Definitions
Computer Forensics: the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.

Electronic record: any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.

Critical Infrastructure: those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." (USA PATRIOT Act of 2001)
Industrial challenges
The statement [1]: "Europe must create conditions to support European start-ups and emerging/promising cyber-technologies like a European SIEM and Forensics Data Analytics."
- Security data is growing: organizations collect, process and analyze more than six terabytes of security data monthly [2].
- It is difficult to keep up with the threat landscape: organizations are being overwhelmed by the scaling needs of big-data forensics, which must cover both post-mortem and real-time processing and visualization of evidence [2].
- Customers need to analyze security event data in real time for internal and external threat management.
- Customers need to collect, store, analyze and report on log data for forensics and regulatory compliance, while maintaining the security and integrity of that data.

[1] European Cybersecurity Industry Leaders. Recommendations on Cybersecurity for Europe. A report to Günther H. Oettinger, European Commissioner for Digital Economy and Society.
[2] Enterprise Strategy Group. Cybersecurity Analytics and Operations in Transition.
Research challenges (1)
- The growing size of heterogeneous data results in insufficient response time.
- The growing sophistication of malware and attackers highlights the need to develop post-compromise and real-time forensics services.
- Advanced visualization methods are needed to combine data from heterogeneous sources and to guide forensics investigators to the areas warranting further review.
- Visualizations must be intuitive, detailed and user-centric, capable of managing, analyzing and presenting large amounts of forensic evidence in a user-friendly way.
- Drawbacks of existing visualization frameworks:
  - multiple tools are required;
  - it is difficult to take information seen in one visualization tool and obtain a different perspective on it in another;
  - many tools cannot import information from another tool;
  - it takes a significant amount of time to go through all the tools, collect the data, and then create a coherent report that can potentially be used as evidence in a court of law.
Research challenges (2)
- Better collection of effective data for post-incident security analysis.
- Current cyber-forensic methodologies are not always fully extensible to traditional control-system architectures.
- Correlation of forensic data collected by disparate cyber-centric security procedures and technologies (firewalls [FW], intrusion detection systems [IDS], intrusion prevention systems [IPS], etc.) with device and control-system logging data.
- Post-incident analysis is often dependent on vendor involvement, and a proactive understanding of device logging is often neither required of the end user nor incorporated into a defence-in-depth strategy.
- Unforeseen interactions between forensics tools and control systems.
- Inclusion of real-time forensics tools for active analysis.
- Growth in hard-drive capacity increases both the resources consumed and the time needed to carry out forensic tasks such as imaging and hashing.

Which brings us to visualization techniques.
Visualization: emphasis on visualization

A silver bullet for "active" (live) forensics?

Pros:
- Provides a good overview (situational awareness)
- Allows combining data from different sources
- Accommodates different views

Cons:
- Clutter may confuse the operator
- Creating the views may cause delays
- Worse, it may lead the operator into wrong assumptions
AEGIS Forensics Visualisation Toolkit
- Intuitive, detailed and connected visualisations
- CI-customised via CIPI monitoring
- Innovative forensic services
- Timeline analysis
- Preconfigured views
Critical Infrastructure Performance Indicators
A key requirement is to define the Critical Infrastructure Performance Indicators (CIPIs) appropriate for the application. By monitoring the CIPIs, the forensics system can detect off-nominal behaviour. Examples include:
- CPU load
- Memory utilization
- Disk size and disk usage (e.g. free space per partition)
- Number of current processes
- Authentication events
- Software installation (installation of new/fresh packages)
- ssh login attempts (over a period of 1 hour)
- concurrent ssh sessions > 0
- concurrent http sessions > 1

Non-CIPI data are also collected, e.g.:
- Layer 2 connections (Ethernet)
- Layer 3 connections (IP)
- Running processes (name, cpu, memory, uid, etc.)
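As an added example (not code from the AEGIS FVT or from this presentation), the Python below evaluates a stream of host telemetry against the CIPIs listed above: static limits for the session counts, a one-hour sliding window for ssh login attempts, a free-space floor per partition, a check for newly installed packages, and a rolling per-host baseline for CPU load, since one fixed CPU limit cannot express "normal" for every controller. The sample telemetry, the field names, the host name and every threshold value are constructed assumptions.

```python
"""Evaluating CIPIs against static limits and a rolling baseline.

Added example, not code from the AEGIS FVT. The telemetry samples, the
field names and every threshold value are constructed assumptions chosen
to illustrate the indicators listed on the CIPI slide.
"""
from collections import deque
from dataclasses import dataclass, field
from statistics import mean, pstdev

WINDOW = 3600                # ssh login attempts are counted over 1 hour
SSH_ATTEMPTS_PER_HOUR = 20   # assumption: more than this is off-nominal
DISK_FREE_MIN_PCT = 10.0     # assumption: less free space is off-nominal

# Static limits. On an unattended controller any interactive ssh session
# and more than one http session are unexpected (as on the CIPI slide).
STATIC_LIMITS = {
    "ssh_sessions": lambda v: v > 0,
    "http_sessions": lambda v: v > 1,
    "mem_used_pct": lambda v: v > 90.0,
}


@dataclass
class Sample:
    """One telemetry sample from a monitored host (constructed schema)."""
    ts: int                  # seconds since epoch
    host: str
    cpu_load: float          # 1-minute load average
    mem_used_pct: float
    disk_free_pct: dict      # partition -> free space in percent
    ssh_sessions: int
    http_sessions: int
    ssh_login_attempts: int  # attempts since the previous sample
    new_packages: list = field(default_factory=list)


@dataclass
class Event:
    ts: int
    host: str
    affected: frozenset      # names of the CIPIs that were off-nominal
    details: dict


class CipiMonitor:
    def __init__(self, baseline_len=12, z=3.0, min_baseline=6):
        self.cpu_hist = deque(maxlen=baseline_len)  # recent normal cpu_load values
        self.attempts = deque()                     # (ts, attempts) inside WINDOW
        self.z, self.min_baseline = z, min_baseline

    def evaluate(self, s):
        affected, details = set(), {}
        for name, is_bad in STATIC_LIMITS.items():
            if is_bad(getattr(s, name)):
                affected.add(name)
                details[name] = getattr(s, name)
        for part, free in s.disk_free_pct.items():
            if free < DISK_FREE_MIN_PCT:
                affected.add("disk_usage")
                details.setdefault("disk_usage", {})[part] = free
        if s.new_packages:
            affected.add("software_installation")
            details["software_installation"] = list(s.new_packages)
        # Sliding one-hour window of ssh login attempts.
        self.attempts.append((s.ts, s.ssh_login_attempts))
        while self.attempts and self.attempts[0][0] <= s.ts - WINDOW:
            self.attempts.popleft()
        total = sum(a for _, a in self.attempts)
        if total > SSH_ATTEMPTS_PER_HOUR:
            affected.add("ssh_login_attempts")
            details["ssh_login_attempts"] = total
        # CPU load is judged against a rolling baseline of this host's own
        # normal values: one fixed limit cannot express "normal" per controller.
        if len(self.cpu_hist) >= self.min_baseline:
            mu, sd = mean(self.cpu_hist), pstdev(self.cpu_hist)
            if s.cpu_load > mu + self.z * max(sd, 0.05):
                affected.add("cpu_load")
                details["cpu_load"] = {"value": s.cpu_load, "baseline": round(mu, 2)}
        if "cpu_load" not in affected:
            self.cpu_hist.append(s.cpu_load)  # never fold an anomaly into the baseline
        return Event(s.ts, s.host, frozenset(affected), details) if affected else None


def run_demo():
    """Feed constructed samples through the monitor; return the events raised."""
    t0, quiet_cpu = 1_539_648_000, [0.20, 0.22, 0.18, 0.21, 0.19, 0.23, 0.20, 0.21]
    disks = {"/": 55.0, "/var": 30.0}
    samples = [Sample(t0 + i * 300, "plc-gw-01", c, 40.0, disks, 0, 1, 1)
               for i, c in enumerate(quiet_cpu)]
    # Interactive ssh login, brute-force burst, new package and load spike.
    samples.append(Sample(t0 + 8 * 300, "plc-gw-01", 2.5, 41.0, disks, 1, 1, 30, ["nc"]))
    # One hour later only /var is nearly full; the attempt window has expired.
    samples.append(Sample(t0 + 8 * 300 + WINDOW, "plc-gw-01", 0.20, 40.0,
                          {"/": 55.0, "/var": 6.0}, 0, 1, 1))
    monitor = CipiMonitor()
    return [e for e in (monitor.evaluate(s) for s in samples) if e]
```

Two design points matter for forensic use: an off-nominal CPU value is not folded into the baseline, so a slow ramp cannot quietly redefine "normal", and each event carries the set of affected CIPIs, which is what the timeline and preconfigured-view features later key on.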
Timeline Analysis

The Event Analysis View allows the operator to scroll forward or backward in time. Example: an event occurs at time t0. The operator can use the timeline analysis tool to:
- see the events that led up to the event;
- compare the current event with previous (similar) events; the tool allows direct comparison of current and historical states;
- as more data comes in, investigate the outcomes.
Timeline of CIPI Visualisations
Preconfigured views

A benefit of the AEGIS forensic toolkit is that "knowledge" gained during an analysis can be reused in future similar incidents:
- an event is characterised by the CIPIs it affects;
- the operator's response is stored in the event file: the specific views brought up, the events selected or highlighted during analysis, etc.;
- these actions can be collected in a "script" to be run when a similar event is observed.

Benefits:
- speeds up incident response;
- makes event reporting faster and easier;
- allows the operator to concentrate on the analysis rather than on bringing up the required views.

Caveats:
- should be used only by experienced personnel;
- may lead the operator to a wrong analysis (fighting the last battle).
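As an added example covering both the timeline analysis slide and the preconfigured views slide (not code from the AEGIS FVT), the Python below looks back along a host's event timeline from t0, scores past events by the overlap of their affected-CIPI sets, and stores an operator's view "script" keyed by that signature. The event records, CIPI names, view names and both similarity thresholds are constructed assumptions. Comparing against past events uses a lower bar than automatically replaying a stored script, which is the "fight the last battle" caveat made concrete.

```python
"""Timeline look-back around an event and reuse of a stored operator response.

Added example, not code from the AEGIS FVT. The event records, CIPI names,
view names and similarity thresholds are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int                 # seconds since epoch
    host: str
    affected: frozenset     # CIPIs off-nominal in this event


def events_before(events, t0, window):
    """Timeline look-back: events in (t0 - window, t0], oldest first."""
    return sorted((e for e in events if t0 - window < e.ts <= t0), key=lambda e: e.ts)


def similarity(a, b):
    """Jaccard similarity of two affected-CIPI sets (1.0 = identical signature)."""
    return 1.0 if not (a or b) else len(a & b) / len(a | b)


def similar_past_events(events, current, min_sim):
    """Historical events whose CIPI signature resembles the current one, best first."""
    scored = [(similarity(e.affected, current.affected), e)
              for e in events if e.ts < current.ts]
    return sorted([(s, e) for s, e in scored if s >= min_sim],
                  key=lambda p: (-p[0], p[1].ts))


class ViewLibrary:
    """Operator responses stored per CIPI signature (the 'script')."""

    def __init__(self, min_sim=0.75):
        self.scripts = {}           # frozenset signature -> list of view names
        self.min_sim = min_sim      # high bar: a script is only replayed on a close match

    def record(self, event, views):
        self.scripts[event.affected] = list(views)

    def suggest(self, event):
        """Return (signature, views) of the closest stored script, or None when
        nothing is similar enough; then the operator builds the views by hand."""
        if not self.scripts:
            return None
        best = max(self.scripts, key=lambda sig: similarity(sig, event.affected))
        if similarity(best, event.affected) < self.min_sim:
            return None
        return best, self.scripts[best]


def run_demo():
    """Constructed history for one host; returns what the operator sees at t0."""
    t0 = 1_539_648_000
    history = [
        Event(t0 - 7 * 86400, "plc-gw-01", frozenset({"ssh_login_attempts", "ssh_sessions"})),
        Event(t0 - 7 * 86400 + 600, "plc-gw-01", frozenset({"software_installation"})),
        Event(t0 - 3000, "plc-gw-01", frozenset({"ssh_login_attempts"})),
        Event(t0 - 900, "plc-gw-01", frozenset({"disk_usage"})),
    ]
    current = Event(t0, "plc-gw-01",
                    frozenset({"ssh_login_attempts", "ssh_sessions", "cpu_load"}))
    library = ViewLibrary()
    # The operator's response to last week's brute-force incident was saved.
    library.record(history[0], ["auth_log", "ssh_sessions", "l3_connections"])

    lead_up = events_before(history, t0, 3600)            # the hour before t0
    similar = similar_past_events(history, current, 0.5)  # candidates to compare with
    suggestion = library.suggest(current)                 # None: 2/3 < 0.75, no replay
    exact = library.suggest(Event(t0 + 60, "plc-gw-01", history[0].affected))
    return lead_up, similar, suggestion, exact
```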
Disk Analysis: acquire, authenticate and analyse data

- Follow forensic tool guidelines
- Keep the chain of custody
- The FVT securely stores disk images and offers visualisations of the relevant CIPIs
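The acquire, authenticate and analyse step above, as an added example that is not the FVT's own code: a bit-for-bit copy is hashed on both sides before it is accepted, the image is made read-only, and every hand-over re-verifies the hashes and appends to a chain-of-custody record stored beside the image. The "device" is a constructed byte pattern in a temporary file, and the case and examiner names are assumptions; a real acquisition reads the block device through a write blocker, but the hashing and record-keeping are the same.

```python
"""Acquire a disk image, authenticate it by hash and keep a chain-of-custody
record that can be re-verified at any later step.

Added example, not code from the AEGIS FVT. The 'device' is a constructed
byte pattern written to a temporary file; case and examiner names are
assumptions.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20   # copy and hash 1 MiB at a time so large images stream


def _utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def hash_file(path, algos=("sha256", "sha1")):
    """Read the file once and feed every requested hash from the same chunks."""
    hashes = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def acquire(source, image, case_id, examiner):
    """Bit-for-bit copy of source into image, then hash both and compare.

    The acquisition hash (source) and the verification hash (image) must
    agree before the image is accepted as evidence."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    src_hashes, img_hashes = hash_file(source), hash_file(image)
    if src_hashes != img_hashes:
        os.remove(image)
        raise RuntimeError("image does not match source; acquisition failed")
    os.chmod(image, 0o440)      # the stored image is never written again
    return {
        "case_id": case_id,
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(image),
        "hashes": img_hashes,
        "custody": [{"when": _utc_now(), "who": examiner,
                     "action": "acquired and verified"}],
    }


def verify(record):
    """Re-hash the stored image and compare with the hashes taken at acquisition."""
    return hash_file(record["image"]) == record["hashes"]


def transfer(record, frm, to, reason):
    """Every hand-over is re-verified and appended to the custody log."""
    ok = verify(record)
    record["custody"].append({"when": _utc_now(), "from": frm, "to": to,
                              "reason": reason, "verified": ok})
    return ok


def run_demo():
    """Acquire a constructed 3 MiB 'device', verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb")    # constructed: not a real block device
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * (3 * 1024 * 4))   # 3 MiB repeating pattern
        image = os.path.join(tmp, "case-0042-sdb.dd")
        record = acquire(device, image, "case-0042", "examiner-a")
        with open(os.path.join(tmp, "case-0042-sdb.json"), "w") as f:
            json.dump(record, f, indent=2)   # manifest kept beside the image
        before = transfer(record, "examiner-a", "examiner-b", "analysis")
        # Simulate an unauthorised modification of one byte in the stored image.
        os.chmod(image, 0o640)
        with open(image, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        after = verify(record)
        return before, after
```

The manifest is what travels with the image: anyone who later receives the file re-runs verify() against the hashes recorded at acquisition, and a single flipped byte is enough to fail the check, which is why the image itself is made read-only and only the custody record is ever appended to.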
Disk Analysis
Conclusions

- Visualisation is crucial to active (live) digital forensics analysis.
- The AEGIS visualisation toolkit is customised for the needs of forensics analysis for CIs.
- Key FVT innovations: Critical Infrastructure Performance Indicators, Timeline Analysis, Preconfigured Views, Disk Analysis.
Thank you