Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers

Research Article

A Forensic Framework for Incident Analysis Applied to the Insider Threat

Download34 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-35515-8_22,
        author={Clive Blackwell},
        title={A Forensic Framework for Incident Analysis Applied to the Insider Threat},
        proceedings={Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={12},
        keywords={Forensic incident framework incident questions insider threat Zachman’s framework},
        doi={10.1007/978-3-642-35515-8_22}
    }
    
  • Clive Blackwell
    Year: 2012
    A Forensic Framework for Incident Analysis Applied to the Insider Threat
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-35515-8_22
Clive Blackwell1
  • 1: Oxford Brookes University

Abstract

We require a holistic forensic framework to analyze incidents within their complete context. Our framework organizes incidents into their main stages of access, use and outcome to aid incident analysis, influenced by Howard and Longstaff’s security incident classification. We also use eight incident questions, extending the six from Zachman’s framework, to pose questions about the entire incident and each individual stage. The incident analysis using stage decomposition is combined with our three-layer incident architecture, comprising the social, logical and physical levels, to analyze incidents in their entirety, including human and physical factors, rather than from a technical viewpoint alone. We demonstrate the conjunction of our multilayered architectural structure and incident classification system with an insider threat case study, demonstrating clearly the questions that must be answered to organize a successful investigation. The process of investigating extant incidents also applies to proactive analysis to avoid damaging incidents.