A Forensic Framework for Incident Analysis Applied to the Insider Threat

  • Conference paper

Abstract

A holistic forensic framework is needed to analyze incidents within their complete context. Our framework organizes incidents into their main stages of access, use and outcome to aid incident analysis, influenced by Howard and Longstaff’s security incident classification. We also use eight incident questions, extending the six from Zachman’s framework, to pose questions about the entire incident and about each individual stage. Incident analysis by stage decomposition is combined with our three-layer incident architecture, comprising the social, logical and physical levels, so that incidents are analyzed in their entirety, including human and physical factors, rather than from a technical viewpoint alone. We demonstrate the combination of our multilayered architecture and incident classification with an insider threat case study, showing clearly the questions that must be answered to organize a successful investigation. The process used to investigate past incidents also applies to proactive analysis to avoid damaging incidents.

References

  1. Blackwell, C.: A Security Ontology for Incident Analysis. In: 6th Cyber Security and Information Intelligence Research Workshop. ACM Press (2010)
  2. Tanenbaum, A.S.: Computer Networks, 4th edn. Prentice-Hall (2003)
  3. Zachman, J.: A framework for information systems architecture. IBM Systems Journal 26(3) (1987)
  4. Department of Justice: Digital Forensics Analysis Methodology. Department of Justice (2007), http://www.justice.gov/criminal/cybercrime/forensics_chart.pdf
  5. Howard, J.D.: An Analysis of Security Incidents on the Internet, 1989–1995. PhD thesis, Carnegie Mellon University (1997), http://www.cert.org/research/JHThesis
  6. Howard, J.D., Longstaff, T.A.: A common language for computer security incidents. Sandia National Laboratories (1998), http://www.cert.org/research/taxonomy_988667.pdf
  7. Cappelli, D.M., Moore, A., Shimeall, T.J., Trzeciak, R.: Common sense guide to prevention and detection of insider threats, version 2.1. CERT (2006), http://www.cert.org/insider_threat
  8. Cappelli, D.M., Moore, A., Shimeall, T.J., Trzeciak, R.: Common sense guide to prevention and detection of insider threats, version 3.1. CERT (2009), http://www.cert.org/archive/pdf/CSG-V3.pdf
  9. Moore, A.P., Cappelli, D.M., Trzeciak, R.F.: The “Big Picture” of Insider IT Sabotage Across US Critical Infrastructures. Technical Report CMU/SEI-2008-TR-009, Software Engineering Institute, Carnegie Mellon University (2008)
  10. Blackwell, C.: A Framework for Investigative Questioning in Incident Analysis and Response. In: 7th Annual IFIP WG 11.9 International Conference on Digital Forensics. Advances in Digital Forensics VII. Springer (2011)
  11. Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A., Willke, B.J.: Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers’ Information, Systems, or Networks. Technical Note CMU/SEI-2006-TN-041, Software Engineering Institute, Carnegie Mellon University (2007)
  12. Blackwell, C.: The insider threat: Combating the enemy within. IT Governance (2009)

Copyright information

© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Blackwell, C. (2012). A Forensic Framework for Incident Analysis Applied to the Insider Threat. In: Gladyshev, P., Rogers, M.K. (eds) Digital Forensics and Cyber Crime. ICDF2C 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 88. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35515-8_22

  • DOI: https://doi.org/10.1007/978-3-642-35515-8_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35514-1

  • Online ISBN: 978-3-642-35515-8
