Abstract
We require a holistic forensic framework to analyze incidents within their complete context. Our framework organizes incidents into their main stages of access, use and outcome to aid incident analysis, influenced by Howard and Longstaff's security incident classification. We also use eight incident questions, extending the six from Zachman's framework, to pose questions about the entire incident and about each individual stage. The incident analysis using stage decomposition is combined with our three-layer incident architecture, comprising the social, logical and physical levels, to analyze incidents in their entirety, including human and physical factors, rather than from a technical viewpoint alone. We demonstrate the conjunction of our multilayered architectural structure and incident classification system with an insider threat case study, showing clearly the questions that must be answered to organize a successful investigation. The process of investigating extant incidents also applies to proactive analysis to avoid damaging incidents.
References
Blackwell, C.: A Security Ontology for Incident Analysis. In: 6th Cyber Security and Information Intelligence Research Workshop. ACM Press (2010)
Tanenbaum, A.S.: Computer Networks, 4th edn. Prentice-Hall (2003)
Zachman, J.: A Framework for Information Systems Architecture. IBM Systems Journal 26(3) (1987)
Department of Justice: Digital Forensics Analysis Methodology. Department of Justice (2007), http://www.justice.gov/criminal/cybercrime/forensics_chart.pdf
Howard, J.D.: An Analysis of Security Incidents on the Internet, 1989–1995. PhD thesis, Carnegie Mellon University (1997), http://www.cert.org/research/JHThesis
Howard, J.D., Longstaff, T.A.: A Common Language for Computer Security Incidents. Sandia National Laboratories (1998), http://www.cert.org/research/taxonomy_988667.pdf
Cappelli, D.M., Moore, A., Shimeall, T.J., Trzeciak, R.: Common Sense Guide to Prevention and Detection of Insider Threats, version 2.1. CERT (2006), http://www.cert.org/insider_threat
Cappelli, D.M., Moore, A., Shimeall, T.J., Trzeciak, R.: Common Sense Guide to Prevention and Detection of Insider Threats, version 3.1. CERT (2009), http://www.cert.org/archive/pdf/CSG-V3.pdf
Moore, A.P., Cappelli, D.M., Trzeciak, R.F.: The "Big Picture" of Insider IT Sabotage Across US Critical Infrastructures. Technical Report CMU/SEI-2008-TR-009, Software Engineering Institute, Carnegie Mellon University (2008)
Blackwell, C.: A Framework for Investigative Questioning in Incident Analysis and Response. In: 7th Annual IFIP WG 11.9 International Conference on Digital Forensics. Advances in Digital Forensics VII. Springer (2011)
Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A., Willke, B.J.: Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers' Information, Systems, or Networks. Technical Note CMU/SEI-2006-TN-041, Software Engineering Institute, Carnegie Mellon University (2007)
Blackwell, C.: The Insider Threat: Combating the Enemy Within. IT Governance (2009)
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Blackwell, C. (2012). A Forensic Framework for Incident Analysis Applied to the Insider Threat. In: Gladyshev, P., Rogers, M.K. (eds) Digital Forensics and Cyber Crime. ICDF2C 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 88. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35515-8_22
DOI: https://doi.org/10.1007/978-3-642-35515-8_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35514-1
Online ISBN: 978-3-642-35515-8