Forensic-Ready Risk Management for Software Systems — Daubner, Maksović1
Forensic-Ready Risk Management for
Software Systems
Lukas Daubner, Sofija Maksović
daubner@mail.muni.cz
Faculty of Informatics, Masaryk University, Brno
March 31, 2022
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović2
Why Forensic Readiness?
̶ Digital forensic investigation is:
̶ Laborious
̶ Costly
̶ Time-consuming
̶ Delicate
̶ Success is never assured
̶ Data might be unavailable, corrupted, or tampered
̶ Error in evidence handling jeopardies the process
̶ Data might me misleading
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović3
What is Forensic Readiness?
̶ Original definition
̶ Maximizing the usefulness of incident evidence data
̶ Minimizing the cost of forensics during an incident response
̶ Systematic preparation for forensic investigation
̶ Proactive measures
̶ Opposed to actual investigation, which is reactive
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović4
What is Forensic Readiness?
̶ Approached as a set of general guidelines
̶ Collection of evidence
̶ Handling of evidence
̶ Presentation of evidence
̶ Staff training
̶ Escalation policies
̶ Increases likelihood of successful investigation
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović5
Forensic Readiness in Software Engineering
̶ Prepare software system during its development
̶ A.k.a. forensic-by-design
̶ Capable of:
̶ Conducting digital forensic processes in a forensically sound way
̶ Producing forensically sound evidence
̶ High-level non-functional requirement
̶ Measures for the failure of security measures
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović6
Forensic Readiness in Software Engineering
̶ It is true that software systems produce a lot of data
̶ Logs
̶ Documents
̶ Database records
̶ But can we trust them?
̶ Are they complete?
̶ Will they help us during the investigation?
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović7
Requirements
Forensic-Ready Software Systems ̶
What exactly should be implemented?
̶ We need some guideline to identify the requirements
̶ In other words, for what investigation should we prepare for?
̶ We can consider the reason for investigation as a risk
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović8
Forensic-Ready Risk Management
̶ Risk management has been discussed within forensic readiness
̶ However, there is a very little methodological support
̶ The focus here is to conceptualize the process
̶ What do we have (assets, evidence)
̶ What do we need from forensic readiness (goals)
̶ What are the threats to the system (risks)
̶ What it fits together (scenarios)
̶ What to do with it (decisions)
̶ What to implement (requirements, controls)
9
Domain Model
Forensic-Ready Risk Management
̶ Based on ISSRM
̶ Information System Security Risk Management
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović10
Asset-Related Concepts
Forensic-Ready Risk Management
̶ Anything of value
̶ Business asset
̶ IS asset
̶ Potential Evidence
̶ Data that have value to the organization
̶ Evidence Source
̶ Where the evidence come from
̶ Evidence Store
̶ Where can you find it, if you need it
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović11
Risk-Related Concepts
Forensic-Ready Risk Management
̶ Goal – Answer to “Why?”
̶ Prove an impact of a risk
̶ Handling disputes
̶ Demonstrate compliance
̶ Support evidence release
̶ Risk
̶ Undesired occurrence + negative consequence
̶ Scenario
̶ How is a Goal addressed, using the Potential Evidence and the Risk it covers
̶ It creates a partial ordering of Potential Evidence w.r.t. creation time
12
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović13
Treatment-Related Concepts
Forensic-Ready Risk Management
̶ Treatment – “What to do next”
̶ Scenario Avoidance
̶ Scenario Enhancement
̶ Scenario Retention
̶ Scenario Transfer
̶ Requirement
̶ Condition to be satisfied
̶ Control
̶ Add or modify Potential Evidence/Store/Source
̶ Documentation
̶ Establish or modify Policy/Practice
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović14
Hands-On Demo
̶ Try how the concepts fits together
̶ Identify and evaluate the scenarios
̶ Fill in the available potential evidence
̶ Think about completeness of the scenario
̶ Evaluate the potential evidence
̶ Is it trustable?
̶ Is there enough?
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović15
Analysis of Forensic Readiness Scenarios
̶ The problem is how to evaluate and prioritize what is needed.
̶ Scenario coverage
̶ Do we have enough potential evidence?
̶ Are there any blind spots?
̶ Where are the evidentiary/risk hot-spots?
̶ Potential evidence quality
̶ Is the evidence non-disputable?
̶ What is the chances of having it available?
̶ Validity of the model
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović16
Analysis of Forensic Readiness Scenarios
̶ The problem is how to evaluate and prioritize what is needed.
̶ Scenario coverage
̶ Do we have enough potential evidence?
̶ Are there any blind spots?
̶ Where are the evidentiary/risk hot-spots?
̶ Potential evidence quality
̶ Is the evidence non-disputable?
̶ What is the chances of having it available?
̶ Validity of the model
Metrics
…which are not yet
defined…
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović17
Risk Coverage Analysis
Analysis of Forensic Readiness Scenarios
̶ How to be sure that we have overed everything?
̶ Can we distinguish between the nominal and abnormal?
̶ Utilization of models
̶ Forensic readiness (BPMN4FRSS)
̶ Risks (Risk-Oriented BPMN)
̶ Simulations of the modelled scenario
̶ Find the probability of potential evidence occurrence
̶ Find the hot spots/indicators
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović18
Validity and Hints Analysis
Analysis of Forensic Readiness Scenarios
̶ Analysis of BPMN4FRSS models
̶ Check the model validity
̶ Provide hints to enhance the model
̶ Cover the blind spots
̶ Add evidence on strategic spots
̶ Improve non-disputability
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović19
Validity and Hints Analysis
Analysis of Forensic Readiness Scenarios
̶ Analysis of BPMN4FRSS models
̶ Check the model validity
̶ Provide hints to enhance the model
̶ Cover the blind spots
̶ Add evidence on strategic spots
̶ Improve non-disputability
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović20
Validity and Hints Analysis
Analysis of Forensic Readiness Scenarios
̶ Analysis of BPMN4FRSS models
̶ Check the model validity
̶ Provide hints to enhance the model
̶ Cover the blind spots
̶ Add evidence on strategic spots
̶ Improve non-disputability
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović21
Validity and Hints Analysis
Analysis of Forensic Readiness Scenarios
Forensic-Ready Risk Management for Software Systems — Daubner, Maksović22
Conclusion
̶ Forensic readiness is about preparation when things go wrong
̶ We need to know why, what, when, who, how
̶ We need to defend against or support accusations
̶ We need to show that we did everything we could
̶ We need to effectively support law enforcement
̶ Risk management
̶ Determine our current status
̶ Plan and prioritize what to implement
̶ Analysis support, validation, verification
̶ Be sure that we are going the right direction