Forensic Artifacts’ Analysis using Graph Theory

Article

Authors: Sophia Petra Krišáková, Pavol Sokol, Rastislav Krivoš-Belluš

Abstract

The number of cyber-attacks is constantly growing, and their sophistication is increasing due to new techniques and strategies of attackers. Organisations must continuously improve their methods of detecting and responding to these attacks to protect their networks and information systems. The time between the occurrence of a security incident and its identification averages 100 to 200 days, and organisations then need between 50 and 70 days to respond. Our work aims to reduce this time so that organisations can respond to security incidents more quickly. In this work, we use graph theory for forensic analysis in the Windows operating system. The main objective of the work is to identify digital evidence and the relationships between individual pieces of it. For this purpose, we work with datasets from various Capture the Flag (CTF) competitions. We describe the processing stages of the digital evidence and its transformation into graphs, and then identify anomalies and cycles in the graphs in order to provide readers with a deeper insight.

Introduction

In the digital world, data and network security is a key concern for organisations of all sizes and industries. With the rise of cyber-attacks and their ever-changing nature, organisations must constantly adapt to protect their assets and ensure the security of their information. Cyber attackers are continuously developing new ways to penetrate systems and gain unauthorised access to sensitive data. As these attacks become more sophisticated, the challenge for organisations is to identify them as quickly as possible and respond appropriately—and ideally, proactively.

One of the main issues in responding to security attacks is the time between the occurrence of a security incident, its identification, and the subsequent response. This timeframe can be significant, often measured in hundreds of days, which gives attackers ample opportunity to cause damage without being detected. In addition, even after an incident is identified, organisations require time to resolve it and restore normal operations.

Our research focuses on the security incident response process, including digital forensics. The main aim is to reduce the time required to resolve a security incident and to provide organisations with a way to respond more quickly and effectively. In this article, we focus on how graph theory, applied to individual forensic artefacts available in the Windows operating system and the NTFS file system, can contribute to this goal. Graph analysis enables the identification of relationships between different pieces of digital evidence and their attributes, thereby providing a deeper understanding of the nature of an attack.

To achieve this objective, we address the following partial research questions:

  • What attributes of forensic artefacts are best suited for graph representation?
  • How can specific properties of graphs help identify key forensic artefacts and relationships in digital forensics?
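The transformation sketched above, namely turning individual artefact records into a graph and then looking for cycles and degree anomalies, is illustrated by the following added example. It is not code from the paper or its authors: the artefact records (a handful of constructed Prefetch, $MFT and event-log relationships), the entity naming scheme (`proc:`, `file:`, `user:` prefixes) and the two analysis functions are assumptions made for the illustration. The cycle search reports the loops revealed by DFS back edges (at least one per strongly connected component, not an exhaustive enumeration), and the anomaly check flags nodes whose degree lies more than `k` standard deviations above the mean.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records. Each one is a single relationship recovered
# from a Windows/NTFS artefact (Prefetch, $MFT, Security event log). The
# entities, paths and artefact sources are illustrative only.
ARTEFACT_RECORDS = [
    {"artefact": "Security.evtx", "src": "user:alice", "rel": "logged_on", "dst": "host:WS01"},
    {"artefact": "Prefetch", "src": "proc:explorer.exe", "rel": "executed", "dst": "proc:winword.exe"},
    {"artefact": "Prefetch", "src": "proc:winword.exe", "rel": "executed", "dst": "proc:cmd.exe"},
    {"artefact": "Prefetch", "src": "proc:cmd.exe", "rel": "executed", "dst": "proc:powershell.exe"},
    {"artefact": "$MFT", "src": "proc:powershell.exe", "rel": "wrote", "dst": "file:C:\\Users\\Public\\update.ps1"},
    {"artefact": "Prefetch", "src": "file:C:\\Users\\Public\\update.ps1", "rel": "executed", "dst": "proc:powershell.exe"},
    {"artefact": "$MFT", "src": "proc:powershell.exe", "rel": "wrote", "dst": "file:C:\\Temp\\doc1.dat"},
    {"artefact": "$MFT", "src": "proc:powershell.exe", "rel": "wrote", "dst": "file:C:\\Temp\\doc2.dat"},
    {"artefact": "$MFT", "src": "proc:powershell.exe", "rel": "wrote", "dst": "file:C:\\Temp\\doc3.dat"},
    {"artefact": "$MFT", "src": "proc:powershell.exe", "rel": "wrote", "dst": "file:C:\\Temp\\doc4.dat"},
    {"artefact": "$MFT", "src": "proc:powershell.exe", "rel": "wrote", "dst": "file:C:\\Temp\\doc5.dat"},
    {"artefact": "NTUSER.DAT", "src": "proc:powershell.exe", "rel": "set", "dst": "reg:HKCU\\...\\Run\\Updater"},
]


def build_graph(records):
    """Directed, labelled graph: graph[src][dst] = relationship name.

    Every entity becomes a node even if it only appears as a target."""
    graph = defaultdict(dict)
    for rec in records:
        graph[rec["src"]][rec["dst"]] = rec["rel"]
        graph.setdefault(rec["dst"], {})
    return dict(graph)


def find_cycles(graph):
    """Cycles revealed by DFS back edges, as tuples rotated so the smallest
    node comes first (this deduplicates the same loop found from several
    start nodes). Finds at least one cycle per strongly connected component."""
    cycles = set()
    state = {}  # node -> "active" while on the DFS stack, "done" afterwards

    def visit(node, stack):
        state[node] = "active"
        stack.append(node)
        for nxt in sorted(graph.get(node, {})):
            if state.get(nxt) == "active":
                cycle = stack[stack.index(nxt):]
                i = cycle.index(min(cycle))
                cycles.add(tuple(cycle[i:] + cycle[:i]))
            elif nxt not in state:
                visit(nxt, stack)
        stack.pop()
        state[node] = "done"

    for start in sorted(graph):
        if start not in state:
            visit(start, [])
    return cycles


def describe_cycle(graph, cycle):
    """Render a cycle with its edge labels, e.g. 'A --wrote--> B --executed--> A'."""
    parts = []
    for i, node in enumerate(cycle):
        nxt = cycle[(i + 1) % len(cycle)]
        parts.append(f"{node} --{graph[node][nxt]}--> ")
    return "".join(parts) + cycle[0]


def degree_anomalies(graph, k=2.0):
    """Nodes whose total degree (in + out) exceeds mean + k * population stdev.

    Hubs of this kind are the 'anomalies' worth a closer look: a single
    process that touches many files and a persistence key stands out."""
    degree = defaultdict(int)
    for src, dsts in graph.items():
        degree[src] += len(dsts)
        for dst in dsts:
            degree[dst] += 1
    values = list(degree.values())
    cutoff = mean(values) + k * pstdev(values)
    return sorted(node for node, deg in degree.items() if deg > cutoff)


if __name__ == "__main__":
    g = build_graph(ARTEFACT_RECORDS)
    for cyc in sorted(find_cycles(g)):
        print("cycle:", describe_cycle(g, cyc))
    print("degree anomalies:", degree_anomalies(g))
```

In the constructed data the only cycle is the script written by `powershell.exe` and then executed by it again, and the only degree anomaly is `powershell.exe` itself; on a real dataset the same two functions run unchanged over however many records the artefact parsers produce, and the threshold `k` is the knob an analyst tunes against the size of the graph.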
This paper is divided into six sections. Section 2 discusses papers relevant to this research. Section 3 specifies the methods employed, including the collection and processing of digital evidence. Section 4 outlines how graph theory is applied to digital evidence and explores graph generation options. Section 5 discusses the lessons learned from applying graph properties to digital evidence. Section 6 provides a summary, including suggestions for future research.