Forensic Analysis as Iterative Learning

  • Eoghan Casey
  • Bruce Nikkel
Part of the International Series in Operations Research & Management Science book series (ISOR, volume 288)


This chapter covers the added value of forensic analysis in the cybersecurity of critical infrastructure. Set against the current threat landscape, it details the role of forensic analysis in cybersecurity, concentrating on forensic preparedness, incident scope assessment, forensic intelligence, and an agile cycle for iteratively improving security using insights gathered from scrutinizing prior cyberattacks.



Thanks to Christopher Daywalt for his collaboration and talents investigating sophisticated network intrusions and malware.


  1. Barnum, S.: Enabling effective cyber threat intelligence and information sharing. In: Proceedings of the International Conference on Cyber Security. Fordham University, New York (2013)
  2. CASE: An international standard for sharing cyber-investigation traces. Cyber-Investigation Analysis Standard Expression (2019)
  3. Casey, E.: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Academic, Waltham (2004)
  4. Casey, E.: Investigating sophisticated security breaches. Commun. ACM 49(2), 48–55 (2006)
  5. Casey, E.: Standardization of forming and expressing preliminary evaluative opinions on digital evidence. Digit. Investig. 32 (2020)
  6. Casey, E., Daywalt, C., Johnston, A.: Chapter 4 - Intrusion investigation. In: Casey, E., et al. (eds.) Handbook of Digital Forensics and Investigation, pp. 135–206. Academic Press, San Diego (2010)
  7. Casey, E., Back, G., Barnum, S.: Leveraging CybOX to standardize representation and exchange of digital forensic information. Digit. Investig. 12, 102–110 (2015)
  8. Casey, E., Barnum, S., Griffith, R., Snyder, J., van Beek, H., Nelson, A.: Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language. Digit. Investig. 22, 14–45 (2017)
  9. Casey, E., Ribaux, O., Roux, C.: The Kodak syndrome: risks and opportunities created by decentralization of forensic capabilities. J. Forensic Sci. 64(1), 127–136 (2019)
  10. Chaffetz, J., Meadows, M., Hurd, W.: The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress (2016)
  11. CHDS: Department of Defense Cyber Crime Center. Center for Homeland Defense and Security (2019)
  12. DC3 Malware Configuration Parser (DC3-MWCP) (2020)
  13. DHS: Automated Indicator Sharing (AIS). U.S. Department of Homeland Security, CISA (2019)
  14. DHS/FBI: Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. U.S. Department of Homeland Security, CISA (2018)
  15. Elyas, M., Ahmad, A., Maynard, S., Lonie, A.: Digital forensic readiness: expert perspectives on a theoretical framework. Comput. Secur. 52, 70–89 (2015)
  16. Europol: Internet Organised Crime Threat Assessment. Technical Report, European Cybercrime Centre (2019)
  17. Good Practice Guide: Forensic Readiness. UK National Technical Authority for Information Assurance (2016)
  18. Technical Report About the Espionage Case at RUAG (2016)
  19. Grispos, G., Glisson, W., Storer, T.: Enhancing security incident response follow-up efforts with lightweight agile retrospectives. Digit. Investig. 22, 62–73 (2017)
  20. Johnston, A., Reust, J.: Network intrusion investigation preparation and challenges. Digit. Investig. 3(3), 118–126 (2006)
  21. Kovacs, E.: Hackers Behind Triton ICS Malware Hit Additional Critical Infrastructure Facility. SecurityWeek (2019)
  22. Lee, R.: The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey. SANS (2017)
  23. Malin, C., Casey, E., Aquilina, J.: Malware Forensics: Investigating and Analyzing Malicious Code. Syngress Press (2008)
  24. MISP: Open Source Threat Intelligence Platform & Open Standards for Threat Information Sharing. Malware Information Sharing Platform (2019)
  25. Nikkel, B.: Practical Forensic Imaging. No Starch Press, San Francisco (2016)
  26. NIST: Draft NIST Roadmap for Improving Critical Infrastructure Cybersecurity, Version 1.1. National Institute of Standards and Technology (2017)
  27. NIST: Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology (2018)
  28. Pollitt, M., Casey, E., Jaquet-Chiffelle, D.O., Gladyshev, P.: A framework for harmonizing forensic science practices and digital/multimedia evidence. Technical Report, The Organization of Scientific Area Committees for Forensic Science (2018)
  29. Ribaux, O., Walsh, S., Margot, P.: The contribution of forensic science to crime analysis and investigation: Forensic intelligence. Forensic Sci. Int. 156(2), 171–181 (2006)
  30. Roberts, S., Brown, R.: Intelligence-Driven Incident Response: Outwitting the Adversary. O'Reilly Media, Waltham (2017)
  31. Sherstobitoff, R., Malhotra, A.: Operation Sharpshooter. Technical Report, McAfee (2018)
  32. Strom, B., Applebaum, A., Miller, D., Nickels, K., Pennington, A., Thomas, C.: MITRE ATT&CK: Design and Philosophy. MITRE Product MP18030, Project No. 01ADM105-PI (2019)
  33. SWGDE: SWGDE Digital and Multimedia Evidence Glossary. SWGDE (2016)
  34. Zhang, E.A.: Indictment: Conspiracy to Damage Protected Computers. U.D.C.S.D (2018)

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. School of Criminal Sciences, University of Lausanne, Lausanne, Switzerland
  2. Bern University of Applied Sciences, Bern/Biel, Switzerland
