A Formal Approach to Analyzing Cyber-Forensics Evidence

TL;DR

This paper introduces a formal analysis process using Evidence Logic EL to help cyber-forensics analysts filter and interpret vast amounts of evidence efficiently, improving attack investigation accuracy.

Contribution

It presents a novel formal framework and reasoning procedure for analyzing cyber-forensics evidence, enhancing evidence filtering and consistency checking.

Findings

Effective filtering of evidence reduces analysis complexity

The reasoning process ensures evidence consistency

Application to a real case demonstrates practical utility

Abstract

The frequency and harmfulness of cyber-attacks are increasing every day, and with them also the amount of data that the cyber-forensics analysts need to collect and analyze. In this paper, we propose a formal analysis process that allows an analyst to filter the enormous amount of evidence collected and either identify crucial information about the attack (e.g., when it occurred, its culprit, its target) or, at the very least, perform a pre-analysis to reduce the complexity of the problem in order to then draw conclusions more swiftly and efficiently. We introduce the Evidence Logic EL for representing simple and derived pieces of evidence from different sources. We propose a procedure, based on monotonic reasoning, that rewrites the pieces of evidence with the use of tableau rules, based on relations of trust between sources and the reasoning behind the derived evidence, and yields a consistent set of pieces of evidence. As proof of concept, we apply our analysis process to a concrete cyber-forensics case study.