Research Article
A Forensic Framework for Incident Analysis Applied to the Insider Threat
@INPROCEEDINGS{10.1007/978-3-642-35515-8_22,
  author    = {Clive Blackwell},
  title     = {A Forensic Framework for Incident Analysis Applied to the Insider Threat},
  booktitle = {Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers},
  series    = {ICDF2C},
  publisher = {Springer},
  year      = {2012},
  month     = {12},
  keywords  = {Forensic incident framework, incident questions, insider threat, Zachman’s framework},
  doi       = {10.1007/978-3-642-35515-8_22}
}
- Clive Blackwell
Year: 2012
ICDF2C
Springer
DOI: 10.1007/978-3-642-35515-8_22
Abstract
A holistic forensic framework is needed to analyze incidents within their complete context. Our framework organizes an incident into its main stages of access, use and outcome to aid analysis, influenced by Howard and Longstaff’s security incident classification. We also use eight incident questions, extending the six from Zachman’s framework, to pose questions about the entire incident and about each individual stage. This stage decomposition is combined with our three-layer incident architecture, comprising the social, logical and physical levels, to analyze incidents in their entirety, including human and physical factors, rather than from a technical viewpoint alone. We demonstrate the conjunction of the multilayered architecture and the incident classification with an insider threat case study, showing clearly the questions that must be answered to organize a successful investigation. The same process used to investigate past incidents also applies to proactive analysis aimed at avoiding damaging incidents.