Abstract
Digital forensics involves credible evidence collection from digital assets and analysis to conclusively attribute events to users and sources. Traditional forensic methods focus only on preserving the evidence and the audit trail generated; further, their standard practices for evidence collection require invoking these methods manually. In this paper we present EventTracker, which retains the features of traditional methods to monitor and track file system and user activity, and can also dynamically invoke evidence collection based on events of interest. EventTracker allows the user to specify the kind of evidence required for an event type, giving the user more flexibility. It also allows users to define custom event types, monitor the system for them, and have the resulting evidence logged safely. We implement proof-of-concept code for EventTracker that integrates several open source facilities, and furnish details of experiments with a handful of custom event types. We also perform a measurement study with file monitoring, quantifying the frequency and number of changes that typical system operations make to the underlying file system, and conclude that the number of changes is often high, which warrants automated techniques for investigation.
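The abstract describes the core mechanism only in words: file-system activity is monitored, events of interest (including user-defined custom event types) are recognised, and a per-event-type rule decides which evidence to collect and log safely. The following is an added, self-contained illustration of that pattern and is not EventTracker's code or the paper's design. It assumes a polling snapshot diff in place of a real watcher such as watchdog or auditd, an assumed rule table and custom event name (`secret_modified`), two assumed evidence collectors (content hash and directory listing), and a hash-chained JSON-lines log as one way to make after-the-fact tampering with logged evidence detectable. The scenario in `demo()` is constructed in a temporary directory.

```python
"""Added example (not the paper's code): snapshot diff -> events -> per-type evidence -> chained log."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
def collect_file_hash(path):
    """Evidence collector: SHA-256 of the file's contents (None if it is already gone)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except FileNotFoundError:
        return {"sha256": None}
    return {"sha256": h.hexdigest()}
def collect_dir_listing(path):
    return {"dir_listing": sorted(p.name for p in Path(path).parent.iterdir())}

COLLECTORS = {"hash": collect_file_hash, "listing": collect_dir_listing}
# Assumed user configuration: the evidence kinds each event type requires.
EVIDENCE_RULES = {
    "file_created": ["hash"],
    "file_modified": ["hash"],
    "file_deleted": ["listing"],
    "secret_modified": ["hash", "listing"],  # custom event type (assumed name)
}
# Custom event types: a name and a predicate over (base_event, relative_path).
CUSTOM_EVENTS = [("secret_modified", lambda ev, rel: ev != "file_deleted" and rel.startswith("secrets/"))]
def snapshot(root):
    """Map relative path -> (size, mtime_ns) for every regular file under root."""
    snap = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return snap

def diff_snapshots(old, new):
    """Yield (base_event, relpath) for each difference between two snapshots."""
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            yield "file_created", rel
        elif rel not in new:
            yield "file_deleted", rel
        elif old[rel] != new[rel]:
            yield "file_modified", rel

class EvidenceLog:
    """Append-only JSON-lines log; each record stores the SHA-256 of the previous line."""
    def __init__(self, path):
        self.path = Path(path)
        self.prev_hash = "0" * 64
    def append(self, record):
        line = json.dumps(dict(record, prev_hash=self.prev_hash), sort_keys=True)
        self.prev_hash = hashlib.sha256(line.encode()).hexdigest()
        with open(self.path, "a") as f:
            f.write(line + "\n")
def verify_log(path):
    """True if every record's prev_hash equals the hash of the line before it."""
    expected = "0" * 64
    for line in Path(path).read_text().splitlines():
        if json.loads(line)["prev_hash"] != expected:
            return False
        expected = hashlib.sha256(line.encode()).hexdigest()
    return True
def handle_changes(root, old, new, log):
    """Derive event types from a snapshot diff and collect the configured evidence."""
    events = []
    for base, rel in diff_snapshots(old, new):
        for ev_type in [base] + [n for n, pred in CUSTOM_EVENTS if pred(base, rel)]:
            evidence = {}
            for kind in EVIDENCE_RULES.get(ev_type, []):
                evidence.update(COLLECTORS[kind](os.path.join(root, rel)))
            log.append({"time": time.time(), "event": ev_type, "path": rel, "evidence": evidence})
            events.append((ev_type, rel))
    return events

def demo():
    """Constructed scenario; returns (events, chain_intact, chain_intact_after_tampering)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "secrets"))
    Path(root, "notes.txt").write_text("hello")
    Path(root, "secrets", "api.key").write_text("k1")
    log = EvidenceLog(Path(tempfile.mkdtemp(), "evidence.jsonl"))
    before = snapshot(root)
    Path(root, "secrets", "api.key").write_text("k2-rotated")  # size change -> modified
    Path(root, "report.md").write_text("x")
    os.remove(os.path.join(root, "notes.txt"))
    events = handle_changes(root, before, snapshot(root), log)
    intact = verify_log(log.path)
    lines = log.path.read_text().splitlines()  # now alter the first record after the fact
    lines[0] = lines[0].replace('"notes.txt"', '"other.txt"')
    log.path.write_text("\n".join(lines) + "\n")
    return events, intact, verify_log(log.path)
```

Running `demo()` yields four events for three file changes: the write under `secrets/` produces both the base `file_modified` event and the custom `secret_modified` event, each with its own evidence set, and the chain check passes until a record is edited, after which `verify_log` reports the break. A polling snapshot keyed on size and mtime can miss a same-size rewrite within the timestamp resolution, which is one reason a production collector would use kernel-level notifications or auditing instead.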
Acknowledgement
This work is financially supported by funding through SPARC project via grant number “SPARC/2018-2019/P448”.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Sangwan, A., Jain, S., Hubballi, N. (2022). WiP: EventTracker-Event Driven Evidence Collection for Digital Forensics. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_15
DOI: https://doi.org/10.1007/978-3-031-23690-7_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23689-1
Online ISBN: 978-3-031-23690-7
eBook Packages: Computer Science, Computer Science (R0)