A Formal Approach to Analyzing Cyber-Forensics Evidence
This addresses the challenge for cyber-forensics analysts in handling increasing data from cyber-attacks, though it appears incremental as it builds on existing formal methods.
The paper tackles the problem of analyzing large volumes of cyber-forensics evidence by proposing a formal analysis process using Evidence Logic (EL) and monotonic reasoning with tableau rules to filter evidence and identify crucial attack information or reduce complexity, applied in a case study.
The frequency and harmfulness of cyber-attacks are increasing every day, and with them also the amount of data that the cyber-forensics analysts need to collect and analyze. In this paper, we propose a formal analysis process that allows an analyst to filter the enormous amount of evidence collected and either identify crucial information about the attack (e.g., when it occurred, its culprit, its target) or, at the very least, perform a pre-analysis to reduce the complexity of the problem in order to then draw conclusions more swiftly and efficiently. We introduce the Evidence Logic EL for representing simple and derived pieces of evidence from different sources. We propose a procedure, based on monotonic reasoning, that rewrites the pieces of evidence with the use of tableau rules, based on relations of trust between sources and the reasoning behind the derived evidence, and yields a consistent set of pieces of evidence. As proof of concept, we apply our analysis process to a concrete cyber-forensics case study.