Digital Forensonomics the Economics of Digital Forensics

Transcription

1 Digital Forensonomics the Economics of Digital Forensics Richard E Overill Department of Informatics, King s College London, Strand, London WC2R 2LS, UK richard.overill@kcl.ac.uk Abstract. This paper introduces the economics of digital forensics (EDF) and describes the use of template patterns based on Bayesian network architectures for producing cost effective digital forensic investigations, making use of econometric quantities such as return on investment or cost benefit ratio to prioritise the recovery of digital evidential traces. A case study involving an actual distributed denial of service (DDoS) prosecution.is presented exemplifying the practical application of these ideas. Keywords: economics; digital forensics; cost-effectiveness metrics, return on investment, cost benefit ratio 1 Introduction and Background The economics of information security (EIS) has become a well-established research area [1], as evidenced by the continuing annual series of WEIS workshops beginning in 2002 [2]. EIS has provided many valuable insights for understanding the economic forces driving trends in both cybercrime and information security strategies. The economics of digital forensics (EDF) can be developed in a somewhat similar manner, in order to assist digital forensic investigators in prioritising and scheduling investigations so as to optimise their cost-effectiveness. In the resource constrained, investigation overloaded environment of a present day digital forensics laboratory (DFL), such an approach can lead to both early abandonment of unpromising investigations and also to gaining quick wins of low-hanging fruit in other investigations. The approach makes use of the fact that while no two digital forensics investigations are identical, a relatively large proportion of investigations can be categorised as belonging to one of a relatively small number of templates, each of which can be represented as a pattern. This is a consequence of the empirical observation that cyber-crime, and hence its forensic investigation, generally follows a Pareto distribution, also known informally as an 80:20 law. For example, in the Hong Kong Special Administrative Region of the People s Republic of China, it was recently estimated that 80% of all digital crimes investigated by law enforcement can be categorised as one of just five basic e-crime templates [3]. This is probably due to the ready availa-

2 bility of exploit kits, which tends to result in a preponderance of lookalike cybercrimes. In order to exploit this observation, it is necessary to develop cost-effective template patterns for the forensic investigation of these frequently occurring cybercrimes (FOCs). Such templates are constructed by defining, for each FOC, the anticipated digital evidential traces that would need to be recovered in order to make a criminal case with a realistic chance of securing a conviction at trial. For each evidential trace the associated resource implications for its recovery, analysis and interpretation, measured in terms of investigator-hours and specialised equipment utilisation (where appropriate), are itemised, together with an estimate of its probative value (or evidential weight) to the case. In general, by no means all evidential traces contribute the same probative value to a case. For example, the evidence that the seized computer was connected to the internet at the material time, whilst essential to enable the launch of a DDoS attack, would not of itself be of high probative value since virtually all computers are internet-connected most of the time. On the other hand, evidence that computer contained DDoS command and control (C&C) launch software at the material time would be of high probative value if the forensic investigation concerned a suspected DDoS attack. 2 Theory and Methodology The essence of this approach is to prioritise the evidence recovery schedule so that the high probative value, low resource consuming evidential traces (the low-hanging fruit ) are recovered first, while low probative value, high resource intensive evidential traces (which are subject to the Law of Diminishing Returns) are deferred until it is clear whether they are actually required for the probable success of the case. There are a number of economics related metrics that can be employed to prioritise the recovery of the evidential traces, most notably return-on-investment (RoI) and costbenefit ratio (CBR) [4]. Alternatively, one can assign costs and weights to each evidential trace, and then schedule them in order of increasing cost within decreasing probative value [5]. The monetised cost of recovering a specific expected digital evidence trace is evaluated as the estimated (typically average) number of examiner hours required multiplied by the estimated (typically average) hourly cost (including overheads) of an examiner plus the hourly cost of using any specialist equipment. The weights or probative values of the expected evidential traces are agreed and assigned by experienced expert examiners and normalised to sum to unity. Then, for the recovery of expected evidential trace E i, (RoI) i = (CBR) i -1 = (probative-value) i / [(#examiner-hours) i (hourly-cost)] (1) The template pattern generated for each category of frequently occurring cybercrime investigation is conveniently represented by a Bayesian network (BN) architecture [6]. A BN is a directed acyclic graph (DAG) in which the leaf nodes represent the expected evidential traces E i and the interior nodes represent the sub-hypotheses H j which in turn combine to form the root hypothesis H for the digital forensic investiga-

3 tion [7]. After populating the interior nodes with conditional probabilities (likelihoods) and assigning prior probabilities to the root node, the BN will then propagate these probabilities using Bayesian inference to produce a posterior probability for the root hypothesis. However, it is the architecture of the BN together with the definition of each sub-hypothesis and its associated evidential traces, which define the template pattern characterising the specific investigation category. See Figure 1 and Table 1 for an example of such a BN based template pattern from an actual Hong Kong police investigation of a suspected extortion-based DDoS attack launched from a seized computer [8]. 3 Implementation and Results A prototype implementation of the scheme described above has been made in Java at King s College London under the auspices of an ICUK-funded Proof of Concept award, and subsequently licenced to Intellas UK for further commercial development [9]. It should be noted that such template patterns may be employed during each phase of a digital forensic investigation, namely, the triage, preliminary inspection and indepth examination stages [10]. A more detailed consideration of the role of costeffective prioritisation and scheduling during the triage stage of digital forensic examinations has been given in [11]. As an actual example, we take the DDoS case alluded to above and detailed in Table 1 and Figure 1. Note that Table 1 also contains the unordered RoI values calculated by Equation (1) using a notional cost metric. After ordering the RoI values into descending order we obtain: {E 3, E 13, E 15 }, {E 1, E 2, E 4, E 5, E 6, E 7 }, {E 8, E 9, E 10, E 11, E 12, E 14 } where the braces enclose sets of evidential traces possessing equal RoI values. However, as it stands the above scheme does not take account of the absence of exonerating evidential traces, which we term collectively anti-evidence, Ē. In the present DDoS example, we noted above that there is at least one piece of (low probative value) evidence, which, if it were absent, would immediately cause the case to fail; namely, that the seized computer was connected to the internet at the material time. If we label this anti-evidential trace Ē 1 and continue enumerating the set Ē, then the Ē i should be recovered first (in order of increasing likelihood if this can be inferred). If any Ē i is absent then the investigation should immediately be abandoned. The modified scheme: {Ē 1 }, {E 3, E 13, E 15 }, {E 1, E 2, E 4, E 5, E 6, E 7 }, {E 8, E 9, E 10, E 11, E 12, E 14 }

4 represents a cost-effective prioritisation strategy for the recovery and analysis of the E i in the absence of any other overriding considerations (see below). In particular, if one or more evidential traces of highest probative value are not recovered, it may be possible to abandon the investigation at that point since the minimum requisite probative value for building a case with a realistic chance of securing a conviction at trial may now be unattainable. Equally, it may be possible to terminate the investigation without the expenditure of resources associated with recovering the last few evidential traces of lowest probative value provided that any notional probative value threshold for securing a conviction beyond a reasonable doubt has already been comfortably exceeded. In either case, scarce investigative resources are thereby conserved for use in other digital forensic investigations. Although the posterior output of the BN itself is not of direct relevance to the prioritization strategy described here, recent studies have demonstrated that the BN posterior output is rather insensitive to the exact choice of BN conditional probability values (likelihoods) [12, 13]. However, it has been shown to be much more strongly dependent on whether or not one or more evidential traces are unrecoverable [14]. 4 Caveats and Conclusions A number of caveats regarding the use of cost-effective prioritisation schemes such as that de-scribed here are in order. In circumstances where there may be imminent danger to human life or safety (for example, in a suspected child abduction case) it is clearly inappropriate to employ cost-effectiveness as a criterion. Additionally, where outsourced requests for information from other agencies may involve lag times of days or even weeks (for example, MLAT requests to law enforcement organisations in other countries), it will be necessary to hyper-prioritise such requests in order that the delay in response does not hold up the progress of the entire investigation; such Critical Path phenomena can be handled in a straightforward manner provided that the estimated (typically average) delay is known [11]. In conclusion, it may be stated that BN architectures provide useful template patterns for characterising digital FOCs. Given the empirical evidence that the occurrence of digital crimes follows a Pareto distribution, and that DFL resources are overloaded with investigative work, a cost-effective strategy for the forensic investigation of such crimes involves recovering each anticipated evidential trace in order of decreasing RoI (or increasing CBR), thereby enabling unpromising investigations to be terminated early on while already successful investigations may not need to run their full course. Acknowledgements. The author acknowledges Dr Frank Y W Law (Inspector, Hong Kong Police Department) for supplying the DDoS BN architecture (Figure 1) and the associated evidential weights and costs (Table 1). A helpful discussion with Dr David

5 Llewellyn-Jones (Liverpool John Moores University) at Cyberpatterns 2013 is also gratefully acknowledged. References [1] Anderson R & Moore T, The economics of information security, Science (27 October 2006), Vol. 314 no pp [2] WEIS, see for links to previous WEIS workshops. [3] Kwan M & Law F, personal communication (2010) [4] Cohen F, Two models of digital forensic investigation, Proceedings of the 4th IEEE workshop on systematic approaches to digital forensic engineering (SADFE), Berkeley, CA, USA; May pp [5] Overill R E, Kwan Y K, Chow K P, Lai K Y & Law Y W, A Cost-Effective Digital Forensics Investigation Model, Advances in Digital Forensics V, Ch.15, pp , Springer (2009). [6] Pearl J, Fusion, propagation and structuring in belief networks, Artificial Intelligence, Vol. 29, pp , [7] Kwan M, Chow K-P, Law F & Lai P. Reasoning about evidence using Bayesian network, Advances in Digital Forensics IV, Ch. 22, pp , Springer (2008) [8] Law F, personal communication (2010). [9] Digital Forensic Advisor, ICUK KCL-021 Proof of Concept award (2010). [10] Casey E, Ferraro M & Nguyen L. Investigation delayed is justice denied: proposals for expediting forensic examinations of digital evidence. Journal of Forensic Sciences 54(6) (2009) [11] Overill, R E, Silomon, J A M & Roscoe, K A, Triage Template Pipelines in Digital Forensic Investigations, Digital Investigation, 10 (2013) in press. DOI: [12] Overill R E, Silomon J A M, Kwan Y K, Chow K P, Law Y W & Lai K Y, Sensitivity Analysis of a Bayesian Network for Reasoning about Digital Forensic Evidence, 4th International Workshop on Forensics for Future Generation Communication Environments (F2GC-2010), in Proc. HumanCom-2010: 3rd International Conference on Human-Centric Computing, Cebu, Philippines, August 2010, IEEE Press, pp [13] Kwan M, Overill R, Chow K-P, Tse H, Law F & Lai P, Sensitivity Analysis of Digital Forensic Reasoning in Bayesian Network Mod-els, Advances in Digital Forensics VII, pp , Springer (2011), Proc. 7th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, 30 January - 2 February [14] Overill, R E and Silomon, J A M, Six Simple Schemata for Approximating Bayesian Belief Networks, in Cyberforensics: Issues and Perspectives, Proc. 1st International Conference on Cybercrime, Security and Digital Forensics (ed. GRS Weir), Glasgow, UK, June 2011, pp

6 Table 1. BN template data for forensic investigation of a suspected DDoS attack Key Description Weight Cost RoI H The seized computer was used to launch a DDoS attack against a target computer. H1 The seized computer was used to access the target computer H2 The seized computer was used to launch a DDoS attack E1 IP address of target computer was found on seized 1/15 1 1/15 computer E2 URL of target computer was found on seized computer 1/15 1 1/15 E3 IP address of target computer matched the accessed 2/15 1 2/15 IP address logged by the ISP E4 Log file records on seized computer indicate target 1/15 1 1/15 computer was accessed E5 Extortion messages to the victim were found on 1/15 1 1/15 seized computer E6 Seized computer s IP address matched attacking IP 1/15 1 1/15 address logged by the ISP E7 DDoS tools were found on seized computer 1/15 1 1/15 E8 Log file records show seized computer was used to 1/30 1 1/30 search for online DDoS tools E9 Log file records show seized computer was used to 1/30 1 1/30 download online DDoS tools E10 A BotNet C&C program was found on the seized 1/30 1 1/30 computer E11 Log file records show seized computer was used to 1/30 1 1/30 search for online BotNet tools E12 Log file records show seized computer was used to 1/30 1 1/30 download online BotNet tools E13 Log file records show seized computer was used to 2/15 1 2/15 launch DDoS attack on target E14 Log file records show the seized computer was connected 1/30 1 1/30 to a BotNet E15 IP address of seized computer matched that of Bot- Net C&C program 2/15 1 2/15

7 E1 E2 H1 E3 E4 E5 H E6 E7 E8 E9 H2 E10 E11 E12 E13 E14 E15 Fig. 1. BN template pattern for forensic investigation of a suspected DDoS attack