Modelling for Operational Forensics

Modelling for Operational Forensics

Dr Barry Hood explores a novel approache to support operational forensics with formal models.

  MJ Corby1 defines Operational Forensics as “The application of computer forensic techniques to the identification of occurrences and underlying causes of observed computerbased events”. I want to extend this definition to not just computer forensic techniques, but to include other relevant forensic techniques. This extension is justified by the aims of operational forensics laid out below. Whereas Computer or Digital Forensics is concerned with the gathering of evidence for prosecution or disciplinary action, Operational Forensics is more concerned with gathering evidence for the purpose of correction and improvement. Thus a forensic investigation of an incident with an operational intent has the following aims:

• To find root causes rather than just proximate causes
• To extend the investigation beyond the normal contexts to any additional ones relevant to improvement
• To approach matters holistically and systematically with the intent of providing effective (doing the right thing) and efficacious (doing it right) solutions for prevention in the future

As can be seen from the above, digital or computer forensics is a part of operational forensics. In the case of traditional digital or computer forensics the process can stop when sufficient evidence is available for prosecution. An operational analysis can only really stop when the root cause or causes of the incident are found. A digital forensic analysis in going beyond legal evidential requirements is becoming operational in character.

Operational Forensics Needs

In order to carry out the sort of investigation required for operational forensics the process has to cover more than just Physical and Digital Forensics. It needs to cover all of the security areas. This leads to the following operational forensic areas being indentified:

• Physical
• Digital
• Procedural
• Personnel
• Organizational

The latter two can be usefully conjoined into a single area which for want of a better word I shall call Psychosocial Forensics. In addition to looking at all the relevant security arenas, an operational view requires – if it is to be truly effective and efficacious – a method that is holistic and systematic in its approach. If all these areas are to be investigated under operational forensic analysis then there is a need for an approach that allows all these areas to be consistently and coherently investigated. Models that can represent relevant aspects of all these different areas would be useful. They would enable an operational forensic analysis to move from one area to another as required by the evidence. In the two parts of this paper I briefly investigate the use of some models for operational forensic analysis that can be used to guide the improvements activity. What do models bring to forensic analysis and especially operational forensics? They bring the following:

• Formality – notions and representations that are Ill founded
• Focus – a model represents an aspect of reality not all of it
• Reasoning – a good model enables reliable reasoning
• Sharing – a model can be easily shared for both comment and retention for future reuse
• Guidance – a relevant model can guide the direct of investigation increasing its efficiency

I will explore briefly three modelling paradigms in relation to operational forensics: contextual, behavioural and conceptual.

Security Zones as Crime Scenes

One of the useful paradigms in relation to security analysis is that of a Security Zone. Developed out of safety zones in 2004 by work at the University of York and implicit in Microsoft’s Threat Modelling work. A Security Zone represents any partitioning of the world, physical, logical, social that has security relevance. Examples of security zones are clear secured rooms, a PC, example of logical zones are a user account, a database and an application. Security zones can also be Temporal. That secured room could be considered as consisting of two temporal security zones – the room during working hours and the room outside working hours. People can also be considered as a security zone, in which case social engineering may be the relevant security feature of interest. Zones can be both static and mobile. An example of the later is a data packet on a network. It has been suggested that Digital or Computer Forensics is more comparable with a Crime Scene Investigation (CSI) than true forensic work as carried out in the context of physical investigations. What I propose is that each security zone be treated as a crime scene in just the same way as a physical situation. Each is connected to the main scene but each having unique characteristics that affect the investigation within that zone. The use of security zones with their associated entry points leads naturally to a set of forensic questions. Which entry points where involved in the incident, how where they used and where any unknown entry points used? By tracing the entry points backwards through the respective security zones the path of events that led to the incident can begin to be traced out, at least in terms of entry points and security zones used. This in turn can lead to the examination of the relevant security policies associated to each entry point and zone looking for fails within them or in their workings.

 The full article appears in Issue 2 of Digital Forensics Magazine, published 1st February 2010. You must log in with a valid subscription to read on...