Bilgisayarla İşlenen Suçlara Hızlı Müdahale, İnceleme, Analiz ve Raporlama Süreçlerinin Yeni Nesil Adli Bilişim Yöntemleri İle Etkin Yönetimi

Year 2024, EARLY VIEW, 1 - 1

Abdulkerim Oğuzhan Alkan , İbrahim Dogru , İsmail Atacak

https://doi.org/10.2339/politeknik.1255535

Abstract

Saldırı vektörlerinin hacmindeki ve hızındaki üstel büyüme, bilgisayarla işlenen suçların hızlı artışı, kurumsal saldırı yüzeyi ve yönetilecek veri miktarının çok büyük hacimlere ulaşması, bireysel ve kurumsal siber güvenlik içinde %100 ihlal önlemenin artık gerçekçi bir beklenti olmadığının kabul edilmesine yol açmıştır. Adli bilişim açısından klasik adli bilişim yöntemleri ile geleneksel yaklaşım; adli vakada diski sökmek, imajını almak ve incelemek artan veri miktarının büyüklüğüyle birlikte çok zaman almakta ve hızlı müdahaleyi zorlaştırmaktadır. Ortalama 20 terabaytlık bir diskin sadece imajını almak (bir elektronik delilin kopyasının oluşturulması) 2 gün sürmektedir. Olay yeri müdahalesinde sadece delil niteliği taşıyan belgeleri toplayan özel bir araçla (Binalyze AIR) bilgisayarı kapatmadan, tüm delillerin (Disk Kanıtı, Hafıza Kanıtı, Tarayıcı Kanıtı, NTFS Kanıtı, Kayıt Kanıtı, Ağ Kanıtı, Olay Günlükleri Kanıtı, WMI Kanıtı, Süreç Yürütme Kanıtı vb.) hash’ini alarak, kopyalayıp ön rapor oluşturulabilmekte ve bu süreci çok kısa bir sürede tamamlayabilmekte ve geleneksel adli bilişim yöntemleri ile tıkanan olay yeri inceleme ve bilgisayarla işlenen suçlara hızlı müdahale, inceleme, analiz ve raporlama süreçlerinin etkin yönetimini sağlamakta ve bilimsel literatüre yenilikçi bir çözüm sunmaktadır. Bu çalışmada Binalyze AIR ve Binalyze Tactical yazılımları kullanılarak çağdaş adli bilişim teknikleri ile çalışmalar yapılarak elde edilen sonuçlar karşılaştırmalı olarak ortaya konulmuştur.

Keywords

Geleneksel adli bilişim, çağdaş adli bilişim, binalyze air, binalyze tactical.

Effective Management of Rapid Intervention, Investigation, Analysis And Reporting Processes on Crimes Committed By Computer With New Generation Forensic Informatics Methods

Abstract

Because of the exponential growth in the volume and speed of attack vectors, the rapid growth of computer crimes, the corporate attack surface and the enormous volumes of data, preventing the cyber-attacks has become very difficult. In terms of forensics, classical forensic methods in a traditional approach which include removing the disk, gettng its image and examining the image takes a lot of time with the increasing amount of data so that this situation leads to make quick intervention too difficult against cyber attack and it takes a lot of time. For example, on average, getting an image of harddisk which include 20 terabyte capacity takes 2 days of time. As a solution, with a special tool (Binalyze AIR) that collects only evidentiary documents getting hash of all evidences (Disk Proof, Proof of Memory, Proof of Scanner, Proof of NTFS, Proof of Log, Proof of Network, Proof of Event Logs, Proof of WMI, Proof of Process Execution, etc.) and collects only the documents that have the quality of evidence, thus this process can be completed in a very short time. It provides effective management of crime scene investigation and fast response to crimes committed by computer, investigation, analysis and reporting processes blocked with traditional forensic methods and offers an innovative solution to the scientific literature. In summary, in this study, the results obtained by using modern forensic techniques (Binalyze AIR and Binalyze Tactical software) are presented in comparison with classical forensic methods.

Keywords

Traditional forensics, contemporary forensics, binalyze air, binalyze tactical.

References

• [1] C. Karagiannis and K. Vergidis, “Digital evidence and cloud forensics: contemporary legal challenges and the power of disposal,” Information, 12(5): 181, (2021).
• [2] A. R. Javed, W. Ahmed, M. Alazab, Z. Jalil, K. Kifayat, and T. R. Gadekallu, “A comprehensive survey on computer forensics: State-of-the-art, tools, techniques, challenges, and future directions,” IEEE Access, 10: 11065–11089, (2022).
• [3] W. Ahmed, F. Shahzad, A. R. Javed, F. Iqbal, and L. Ali, “Whatsapp network forensics: Discovering the ip addresses of suspects,” in 2021 11th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 1–7, (2021).
• [4] A. Rehman Javed, Z. Jalil, S. Atif Moqurrab, S. Abbas, and X. Liu, “Ensemble adaboost classifier for accurate and fast detection of botnet attacks in connected vehicles,” Transactions on Emerging Telecommunications Technologies, 33(10): 4088, (2022).
• [5] N. Al Mutawa, J. Bryce, V. N. Franqueira, A. Marrington, and J. C. Read, “Behavioural digital forensics model: Embedding behavioural evidence analysis into the investigation of digital crimes,” Digital Investigation, 28: 70–82, (2019).
• [6] M. Hina, M. Ali, A. R. Javed, F. Ghabban, L. A. Khan, and Z. Jalil, “Sefaced: Semantic-based forensic analysis and classification of e-mail data using deep learning,” IEEE Access, 9: 98398–98411, (2021).
• [7] A. R. Javed, M. Usman, S. U. Rehman, M. U. Khan, and M. S. Haghighi, “Anomaly detection in automated vehicles using multistage attention-based convolutional neural network,” IEEE Transactions on Intelligent Transportation Systems, 22(7): 4291–4300, (2020).
• [8] O. Çıtlak, M. Dörterler, and İ. Doğru, “A hybrid spam detection framework for social networks,” Politeknik Dergisi, 1–1, (2022).
• [9] S. Sachdeva, B. L. Raina, and A. Sharma, “Analysis of digital forensic tools,” Journal of Computational and Theoretical Nanoscience, 17(6): 2459–2467, (2020).
• [10] S. L. Garfinkel, “Digital forensics research: The next 10 years,” digital investigation, 7: S64–S73, (2010).
• [11] C. M. da Silveira et al., “Methodology for forensics data reconstruction on mobile devices with Android operating system applying in-system programming and combination firmware,” Applied Sciences, 10812): 4231, (2020).
• [12] A. R. Javed, Z. Jalil, W. Zehra, T. R. Gadekallu, D. Y. Suh, and M. J. Piran, “A comprehensive survey on digital video forensics: Taxonomy, challenges, and future directions,” Engineering Applications of Artificial Intelligence, 106: 104456, (2021).
• [13] R. K. M. Galvão, “Computer Forensics with The Sleuth Kit and The Autopsy Forensic Browser,” The International Journal of FORENSIC COMPUTER SCIENCE, 1: 41–44, (2006).
• [14] B. V. Prasanthi, “Cyber forensic tools: a review,” International Journal of Engineering Trends and Technology (IJETT), 41(5): 266–271, (2016).
• [15] B. Popović, K. Kuk, and A. Kovačević, “Comprehensive forensic examination with Belkasoft evidence center,” in International Scientific Conference" Archibald Reiss Days", Belgrade, 2-3 October 2018, 2: 419–433, (2018).
• [16] R. Messier, Operating system forensics. Syngress, (2015).
• [17] V. K. Sanap and V. Mane, “Comparative study and simulation of digital forensic tools,” Int J Comput Appl, 975: 8887, (2015).
• [18] Y. I. N. Dan, “The Application of X-Ways Forensics in Digital Forensics,” Chinese Journal of Forensic Sciences, 05: 73.
• [19] L. K. Lau, “The X-Ways Forensics Practitioner’s Guide,” The Journal of Digital Forensics, Security and Law: JDFSL, 9(3): 59, (2014).
• [20] B. Shavers and E. Zimmerman, X-Ways Forensics Practitioner’s Guide. Newnes, (2013).
• [21] S. Hong et al., “ENCASE: An ENsemble ClASsifiEr for ECG classification using expert features and deep neural networks,” in 2017 Computing in cardiology (cinc), 1–4, (2017).
• [22] H. Kim, N. Bruce, S. Park, and H. Lee, “EnCase forensic technology for decrypting stenography algorithm applied in the PowerPoint file,” in 2016 18th International Conference on Advanced Communication Technology (ICACT), 722–725, (2016).
• [23] F. Carbone, Computer forensics with FTK. Packt Pub., (2014).
• [24] K. J. Kuchta, “Your computer forensic toolkit,” Inf. Secur. J. A Glob. Perspect., 10(4): 1–12, (2001).
• [25] A. Yudhana, I. Riadi, and I. Anshori, “Identification of Digital Evidence Facebook Messenger on Mobile Phone With National Institute of Standards Technology (Nist) Method,” Jurnal Ilmiah Kursor, 9(3), (2018).
• [26] M. R. Arshad, M. Hussain, H. Tahir, S. Qadir, F. I. A. Memon, and Y. Javed, “Forensic analysis of tor browser on windows 10 and android 10 operating systems,” IEEE Access, 9: 141273–141294, (2021).
• [27] B. Carrier, File system forensic analysis. Addison-Wesley Professional, (2005).
• [28] M. Alazab, S. Venkatraman, and P. Watters, “Effective digital forensic analysis of the NTFS disk image,” Ubiquitous Computing and Communication Journal, 4(1): 551–558, (2009).
• [29] V. L. Thing, K.-Y. Ng, and E.-C. Chang, “Live memory forensics of mobile phones,” digital investigation, 7: S74–S82, (2010).
• [30] S. Rahman and M. N. A. Khan, “Review of live forensic analysis techniques,” International Journal of Hybrid Information Technology, 8(2): 379–88, (2015).
• [31] A. Rasool and Z. Jalil, “A review of web browser forensic analysis tools and techniques,” Researchpedia Journal of Computing, 1(1): 15–21, (2020).
• [32] V. K. Devendran, H. Shahriar, and V. Clincy, “A comparative study of email forensic tools,” Journal of Information Security, 6(2): 111, (2015).
• [33] A. Yasinsac and Y. Manzano, “Honeytraps, a network forensic tool,” in Sixth Multi-Conference on Systemics, Cybernetics and Informatics, (2002).
• [34] E. S. Pilli, R. C. Joshi, and R. Niyogi, “Network forensic frameworks: Survey and research challenges,” digital investigation, 7(1–2): 14–27, (2010).
• [35] M. Barni, M. C. Stamm, and B. Tondi, “Adversarial multimedia forensics: Overview and challenges ahead,” in 2018 26th European signal processing conference (EUSIPCO), 962–966, (2018).
• [36] G. R. Panigrahi, N. K. Barpanda, and S. Mishra, “A review on: The rise in cyber forensics & innovations”, (2021).
• [37] Ş. Şentürk, T. Apaydın, and H. Yaşar, “Image and file system support framework for a digital mobile forensics software,” in 2020 Turkish National Software Engineering Symposium (UYMS), 1–3, (2020).
• [38] F. Faust, A. Thierry, T. Müller, and F. Freiling, “Technical report: Selective imaging of file system data on live systems,” arXiv preprint arXiv:2012.02573, (2020).
• [39] R. Palutke, F. Block, P. Reichenberger, and D. Stripeika, “Hiding process memory via anti-forensic techniques,” Forensic Science International: Digital Investigation, 33: 301012, (2020).
• [40] F. Block, R. Palutke, P. Reichenberger, and D. Stripeika, “Hiding Process Memory via Anti-Forensic Techniques,” Proceedings of Black Hat Briefings USA, (2020).
• [41] K. Hausknecht, D. Foit, and J. Burić, “RAM data significance in digital forensics,” in 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 1372–1375, (2015).
• [42] G. Varshney, P. Iyer, P. Atrey, and M. Misra, “Evading DoH via live memory forensics for phishing detection and content filtering,” in 2021 International Conference on COMmunication Systems & NETworkS (COMSNETS), 1–4, (2021).
• [43] R. Chiramdasu, G. Srivastava, S. Bhattacharya, P. K. Reddy, and T. R. Gadekallu, “Malicious url detection using logistic regression,” in 2021 IEEE International Conference on Omni-Layer Intelligent Systems (COINS), 1–6, (2021).
• [44] O. Çıtlak, M. Dörterler, and İ. A. Doğru, “A survey on detecting spam accounts on Twitter network,” Social Network Analysis and Mining, 9(1): 1–13, (2019).
• [45] C. Rupa, G. Srivastava, S. Bhattacharya, P. Reddy, and T. R. Gadekallu, “A machine learning driven threat intelligence system for malicious URL detection,” in Proceedings of the 16th International Conference on Availability, Reliability and Security, 1–7, (2021).
• [46] R. Nelson, A. Shukla, and C. Smith, “Web browser forensics in google chrome, mozilla firefox, and the tor browser bundle,” Digital Forensic Education: An Experiential Learning Approach, 219–241, (2020).
• [47] S. L. Garfinkel, “Digital forensics research: The next 10 years. digital investigation, 7,”, 10: S64-S73, (2010).
• [48] R. U. Rahman and D. S. Tomar, “A new web forensic framework for bot crime investigation,” Forensic Science International: Digital Investigation, 33: 300943, (2020).
• [49] N. Shafqat, “Forensic investigation of user’s web activity on Google Chrome using various forensic tools,” IJCSNS Int. J. Comput. Sci. Netw. Secur, 16(9): 123–132, (2016).
• [50] A. Ghafarian, “An empirical analysis of email forensics tools,” Available at SSRN 3624617, (2020).