Gareth Digby: Systems-Based Approach to Cyber Investigations

Date post: 25-Jan-2017
Transcript

DR GARETH DIGBY: A Systems-based Approach To Cyber Investigations

Introduction

• This presentation outlines some of the issues associated with cyber investigation evidence collection, analysis and presentation

• Simple holistic, systems-thinking approaches are outlined to help overcome the issues

Background

• The presentation builds on the experience of the authors, Gareth Digby and Zane Scott, in:

  • Providing systems-thinking approaches to understand and tackle complex problems

  • Undertaking industrial investigations

Forensic Investigations

(Diagram relating System, People, Environment and the Incident)

An Incident

• “Failure is an unacceptable difference between expected and observed performance”

  • Leonards, American Society of Civil Engineers, 1982

• Three phases of process-related incidents:

  • Change from normal to an abnormal operating state

  • Breakdown of control of abnormal operating phase

  • Loss of control (of energy accumulations)

  • Guidelines for Investigating Chemical Process Incidents, Center for Chemical Process Safety, American Institute of Chemical Engineers, 2003

• Causes may be a combination of interrelated deficiencies

  • Hence the complexity and confusion usually associated with an incident

Evidence

• Evidence has to support opinion

• Evidence must be compelling and show through a preponderance of evidence that the fact is proven

• Evidence has to be reliable

• The chain of custody must be maintained

(Diagram labels: Known, Proven)

Investigation Phases

Capture → Preserve → Analyze → Present

Capture

• Digital evidence is volatile

• We want to capture appropriate evidence in a timely manner

Preserve

Analyze

• We want to analyze the evidence and then develop a hypothesis that we can test

• The Scientific Method:

  • Collect data

  • Establish potential causes and hypothesis

  • Test for validity

Analyze, contd.

• However, the sequence

  • Hypothesize

  • Collect data

  • Test

• … constrains the exploration of an answer

Present

• Digital systems are inherently complex

• Evidence includes a temporal component

• The evidence, analysis and hypothesis have to be explained to non-specialists

(Diagram labels: Simplify, Clarify)

The Conundrum

• Capture

  • Look in appropriate places for evidence

• Analysis

  • Consider all aspects

• Presentation

  • Effective visualization of complex data

Use a systematic, holistic approach to collection, analysis and presentation of evidence

People-System-Environment Matrix

(Matrix rows: Environment, System, People; columns: Before, During, After)

• Encourages thinking about the environment and people as well as the system of interest

• Reminds us to think about the temporal aspects

People-System-Environment Matrix

• Alternatively known as the 9-Box Matrix

• Developed by A. Chapanis and P. Fitts of the US Army Aero Medical Laboratory

• Bibliography

  • “Utilizing The Human, Machine and Environment Matrix In Investigations”, D. Curry, et al., Packer Engineering, Naperville, IL

Examples of Use

• Using the approach to document evidence from an incident at an oil storage depot

• Using the approach to document evidence from an assignment created for teaching computer forensics

Oil Storage Depot Incident Scenario

Based on a review of the Buncefield Major Incident Investigation Board reports http://www.hse.gov.uk/comah/investigation-reports.htm

Example People-System-Environment Matrix

(Matrix rows: Environment, System, People; columns: Before, During, After. Entries recovered from the slide:)

• Cold weather conditions

• Vapor contamination

• Explosion

• Containment damage

• Mist reported before incident

• Tank overfill causes vapor cloud

• Tank filling overnight

• Control room operators start transfer

• Firefighters respond

• Firefighting foam contaminates water

• Why overfill? Broken level alarm

• Why ignition? Possibly start of fire pumps when alarm raised

• Why? Why?
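As an added illustration (not from the presentation), the 9-box matrix as a small Python structure: evidence items keyed by row and phase, empty cells reported as prompts for further collection, and "Why?" links followed back from an effect to its causes. The item texts follow the oil-depot slide above; their cell placement, sources and causal links are my assumptions.

```python
# Added example, not from the presentation: a small People-System-Environment
# (9-box) matrix for organising incident evidence. Items are the oil-depot
# entries from the slide; cell placement and "Why?" links are my assumptions.
from dataclasses import dataclass
from itertools import product
from typing import Optional

ROWS = ("Environment", "System", "People")  # what the evidence is about
COLS = ("Before", "During", "After")        # temporal phase of the incident

@dataclass(frozen=True)
class Evidence:
    row: str
    col: str
    text: str
    source: str                     # provenance, to support chain of custody
    cause_of: Optional[str] = None  # "Why?" link: this item explains that one

ITEMS = [  # constructed sample data
    Evidence("Environment", "Before", "Cold weather conditions", "weather records"),
    Evidence("People", "Before", "Control room operators start transfer", "logbook"),
    Evidence("System", "During", "Tank overfill causes vapor cloud", "gauges", "Explosion"),
    Evidence("System", "During", "Broken level alarm", "maintenance", "Tank overfill causes vapor cloud"),
    Evidence("System", "During", "Possibly start of fire pumps when alarm raised", "pump logs", "Explosion"),
    Evidence("Environment", "During", "Explosion", "CCTV"),
    Evidence("People", "After", "Firefighters respond", "fire service log"),
    Evidence("Environment", "After", "Firefighting foam contaminates water", "sampling"),
]

def build_matrix(items):
    """Group evidence into the nine cells; every cell is present even if empty."""
    cells = {rc: [] for rc in product(ROWS, COLS)}
    for e in items:
        if (e.row, e.col) not in cells:
            raise ValueError(f"not a 9-box cell: {(e.row, e.col)}")
        cells[(e.row, e.col)].append(e)
    return cells

def empty_cells(cells):
    """Empty cells are the matrix's prompt: was that aspect and phase examined?"""
    return [rc for rc in product(ROWS, COLS) if not cells[rc]]

def why_chain(items, effect, seen=frozenset()):
    """Follow "Why?" links from an effect to its causes as (effect, cause) pairs."""
    edges = []
    for e in items:
        if e.cause_of == effect and e.text not in seen:
            edges.append((effect, e.text))
            edges.extend(why_chain(items, e.text, seen | {effect, e.text}))
    return edges
```

Calling empty_cells(build_matrix(ITEMS)) lists the three cells with nothing collected yet, and why_chain(ITEMS, "Explosion") walks the slide's "Why overfill?" and "Why ignition?" questions back to the broken level alarm and the fire-pump start.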

Fictional Scenario

• In June 2009, King Claudius, following an incident in which a banned play was performed, exiled Hamlet.

• However, it came to light that Hamlet may have been unknowingly set up by others.

• Apologies to Tom Stoppard, “Rosencrantz & Guildenstern Are Dead”

People

• King Claudius

• Queen Gertrude

• Hamlet

• Rosencrantz

• Guildenstern

• Ophelia

Environment

• Maryland

• New Jersey

• Car

System(s)

• Rosencrantz’s laptop

• Guildenstern's laptop

• Email

• Instant messaging

• USB memory stick

• GPS

Example People-System-Environment Matrix

(Matrix layout only: rows Environment, System, People; columns Before, During, After)

Use Case Showing Temporal Aspects

Activity Diagram Showing Hypothesis

Simulate To Test Hypothesis

Summary

• Collection

• Analysis

• Presentation

Conclusion

The presentation has shown how issues associated with the

• Collection

• Analysis

• Presentation

… of evidence in cyber investigations can be helped through

• taking a holistic and systematic approach to the identification of evidence and

• the use of existing systems methods to present the temporal, interrelated nature of the evidence
