See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/228851221

A Digital Investigation Tool based on Data Fusion in Management of Cyber Security Systems

Article · January 2010

3 authors, including: Suneeta Satpathy (Sri Sri University) and Sateesh Kumar Pradhan (Utkal University)

All content following this page was uploaded by Sateesh Kumar Pradhan on 14 January 2015.


International Journal of Information Technology and Knowledge Management
July-December 2010, Volume 2, No. 2, pp. 561-565

A Digital Investigation Tool based on Data Fusion in Management of Cyber Security Systems

Suneeta Satpathy1, Sateesh K. Pradhan2 & B.B. Ray3

With the overwhelming use of the Internet, security in cyberspace has become a prime concern. Forensic digital analysis as a whole, in its relative infancy, is the unwilling victim of the rapid advancement of computer technology, so it is at the mercy of ever newer and more complex computing approaches. Forensic digital analysis is unique among the forensic sciences in that it is inherently mathematical and generally comprises more data from an investigation than is present in other types of forensics. The digital investigation process can be driven using numerous forensic investigation models. Among these is the need to analyze forensic materials over complex chains of evidence in a wide variety of heterogeneous computing platforms, environments and transports. This paper compares and contrasts different forensic investigation models and highlights the main components of a forensic investigation model. It also proposes a fusion based investigation tool by grouping and merging the activities or processes that provide the same output into an appropriate phase and mapping them into the domain of data fusion. This grouping balances the investigation process, and mapping the activities into the data fusion domain produces higher quality data for analysis, which can yield potential legal digital evidence for expert testimony in a court of law.

Keywords: Information Technology, Digital Investigation, Digital Evidence, Data Fusion.

1 P.G. Department of Computer Application, CEB, BPUT, Bhubaneswar.
2 Department of Computer Engineering, College of Computer Science, King Khalid University, Abha.
3 P.G. Department of Computer Application, Utkal University, Bhubaneswar, INDIA.
Email: suneetasatpathy@rediffmail.com, sateeshind@yahoo.com

1. INTRODUCTION

The unprecedented growth of the Internet has spawned new businesses, opportunities, ideas and, unfortunately, new problems. Though the concept of availing services electronically across geographical boundaries is exciting, there is a great deal of cynicism about the security of vital information resources. The versatility of the information technology used to commit sophisticated crimes is steadily increasing, and it is being exploited by unscrupulous elements in society to disrupt peace and cause mayhem. Society is moving from a paper-based to a paperless scenario, from centralization to decentralization, from controlled access to totally independent access, and so on. In such a scenario it becomes possible for anti-social elements [7] to cause havoc with minimum retribution from the existing criminal justice system. Legal support, the criminal justice delivery system and international cooperation have not kept pace with the technological advancements that have accompanied the advent of information technology. Computer crime [5][6] is a new form of transnational crime that requires concerted efforts by law enforcement agencies, as the perpetrators of computer crimes can be more elusive than ever before. To effectively combat computer crime it is not sufficient to successfully investigate the crime and nab the criminal; more important is to prosecute and administer justice according to the law of the land. This requires an effective investigation tool that fully supports the detection and prosecution of cyber criminals.

The objective is to present an investigation tool, methodology and technology for the design and deployment of data fusion applications in digital investigation. Section 2 gives a brief description of digital investigation. Section 3 compares different forensic investigation models and highlights the main components of a forensic investigation model. Section 4 outlines the theory of data fusion and its application in digital investigation. Section 5 proposes a fusion based investigation tool by grouping and merging the activities that provide the same output into an appropriate phase and mapping them into the domain of data fusion. Section 6 outlines the feasibility of the proposed investigation tool.

2. DIGITAL INVESTIGATION AND PROBLEM STATEMENT

"Digital investigation is a process that uses science and technology to examine digital evidence and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occur" [6][9].

Digital investigation faces several problems. Some of them are:

• Digital investigations are becoming more time consuming and complex as the volumes of data requiring analysis continue to grow.

• Digital investigators are finding it increasingly difficult to use current tools to locate vital evidence within the massive volumes of data.

• Log files are often large in size and multi-dimensional, which makes the digital investigation and the search for supporting evidence more complex.

• Digital evidence [6][9] by definition is information of probative value stored or transmitted in digital form. It is fragile in nature and can easily be altered or destroyed. It is unique when compared to other forms of documentary evidence.

• The forensic investigation tools available are unable to analyze all the data found on a computer system to reveal the overall pattern of the data set, which could help digital investigators decide what steps to take next in their search. Also, the data offered by computer forensic tools can often be misleading due to the dimensionality, complexity and amount of the data presented.

3. EXISTING DIGITAL INVESTIGATION MODELS

Over the years several forensic investigation models have been proposed. They include:

• Kruse and Heiser;
• Lee's model;
• Casey's model;
• DFRWS framework meta-model;
• The Reith, Carr and Gunsch model;
• The Ciardhuain model.

Kruse and Heiser model [4]: Kruse and Heiser stated that a forensic investigation consists of 3 basic components: acquire evidence, authenticate evidence, analyze data.

Lee model [13]: Lee proposed a model that consists of 4 steps: Recognition, Identification, Individualization, Reconstruction. The steps proposed by Lee refer to only a part of the forensic investigation process, i.e. the investigation stage (no preparation or presentation).

Casey's model [6]: It is similar to that proposed by Lee; the 1st and last stages are the same. It focuses on processing and examining digital evidence (i.e. on investigation). The steps also include: Recognition, Preservation, Classification, Reconstruction.

Digital Forensic Research Workshop (DFRWS) model [13][12]: The DFRWS model includes crucial stages of the investigation and also includes the Presentation stage. It consists of the following stages: Identification, Preservation, Collection, Examination, Analysis, Presentation, Decision.

The Reith, Carr and Gunsch model [11]: The Reith, Carr and Gunsch model included other components not found in the above mentioned frameworks. It consists of: Identification, Preparation, Approach, Strategy, Preservation, Collection, Examination, Analysis, Presentation, Returning evidence.

Ciardhuain model [13]: The Ciardhuain model consists of the following: Awareness, Authorization, Planning, Notification, Search and identify evidence, Collection, Transportation, Storage, Examination, Hypothesis, Presentation, Proof/Defense, Dissemination.

After examination of the above mentioned investigation models, it was noted that [13][1]:

• Each preceding model modifies the previous.
• Some of the models have very similar approaches.
• Some of the models concentrate on different areas of the investigation.
• In all the above models no specific theory has been defined which can be applied for processing the digital data, reducing the data while retaining the useful data, analyzing the data, keeping a record of criminal profiles and digital evidence for future reference, and presenting the evidence documentation as expert testimony in a court of law.

The goals of the evidence preservation principles are [3][6]:

1. To maximize evidence availability and quality;
2. To maintain the integrity of the evidence during the digital investigation process.

While designing a forensic investigation model, the model should not concentrate on one particular type of case investigation or on a certain stage. Instead it should provide general guidelines and approach and keep a balance between the processes identified by these models. It should incorporate the basic components of forensic investigation, which are [10]:

• Preparation;
• Investigation;
• Presentation.

4. NEED FOR APPLICATION OF DATA FUSION IN DIGITAL INVESTIGATION

Law enforcement agencies are facing a novel challenge in terms of jurisdiction and identification of crimes perpetrated on the Internet, which know no geographical boundaries and need a multi-lateral approach to investigation and prosecution. They have to analyze enormous amounts of data, and the collection and analysis of such large amounts of data may degrade performance to unacceptable levels. Data fusion gains power and relevance for the counter cyber terrorist mission because computer technology enables large volumes of information to be processed in short times. Multi-sensor data fusion is an evolving technology concerning the problem of how to fuse data from multiple sensors in order to make a more accurate estimation of the environment and to generate information of a superior quality [2][4][8]. It is a formal framework in which the means and tools for the alliance of data originating from different sources are expressed. The first data fusion methods were primarily applied in the military domain; in recent years these methods have also been applied to problems in the civilian domain and various non-military applications (e.g., air traffic control, robotics, image processing, remote sensing, hazardous waste tracking, environmental data fusion, etc.). It also provides an important functional framework for building next generation security systems. A more recent idea is the application of data fusion techniques to the area of information security [14, 15]. Tim Bass presented a data fusion model based on the Joint Directors of Laboratories (JDL) Functional Data Fusion Process Model [14].

The main goals of a data fusion system are [2]:

• Reliability: to obtain better results than the best individual data source is capable of providing.
• Completeness: no direct way of measuring the required property.
• Improvement: the need to take more factors, or influencing quantities, into account.
• Comprehension: the need to reduce information overload.

5. PROPOSED FUSION BASED INVESTIGATION TOOL

This paper proposes a fusion based investigation tool (Fig. 1) by grouping and merging the digital investigation activities or processes that provide the same output into an appropriate phase and mapping them into the domain of data fusion (Table 2). This grouping of the activities balances the investigation process, and mapping them into the data fusion domain produces higher quality data for analysis and can produce potential legal digital evidence to be presented as expert testimony in a court of law. It is motivated by the data fusion model proposed by the JDL [2], which fuses data from various heterogeneous sources in order to attain low false alarm rates and high threat detection rates. The data fusion process at its different progressions is further explained in Table 1:

• Preprocessing;
• Processing of events in various levels of fusion;
• Decision making;
• Evidence accumulation;
• Data transformation (converts the raw data into structured information);
• Data reduction (reduces the representation of the dataset into a smaller volume to make analysis more practical and feasible).

Fig. 1: Fusion based Forensic Investigation Tool

Table 1. Activities at Different Levels in Fusion based Investigation Tool

Source: Events of the crime scene. Sources are identified only when a crime has been reported and authorization is given to the investigating agencies.

Data Collection and Pre-Processing [2,4]: The first step, where data collected from various sources are fused and processed to produce data specifying semantically understandable and interpretable attributes of objects. The collected data are aligned in time, space or measurement units, and the information extracted during the processing phase is saved to the knowledge database or knowledgebase.

Low level fusion [2,4]: Concerned with data cleaning (removes irrelevant information), data transformation (converts the raw data into structured information) and data reduction (reduces the representation of the dataset into a smaller volume to make analysis more practical and feasible). It reduces a search space into smaller, more easily managed parts, which can save valuable time during a digital investigation.

Data estimation: Based on a model of the system behavior stored in the feature database and the knowledge acquired in the knowledgebase. It estimates the state of the event. After extracting features from the structured datasets, the fusion based investigation tool saves them to an information product database.

High level fusion [2,4]: Develops a background description of relations between entities. It consists of event and activity interpretation and eventually contextual interpretation. Its results are indicative of destructive behavior patterns. It effectively extends and enhances the completeness, consistency and level of abstraction of the situation description produced by refinement. It involves the use of data mining functionalities such as classification and clustering to extract useful patterns among the data. The results obtained would be indicative of destructive behavior patterns.

Decision level fusion [2,4]: Analyzes the current situation and projects it into the future to draw inferences about possible outcomes. It identifies intent, lethality and opportunity, and finally the decision on the fusion result is taken at this level. The result can be stored in the log book in a predefined format from which an evidence report can be generated. The same can be stored for future reference.

User interface: A means of communicating results to a human operator. The evidence report prepared and generated is presented as evidence to the problem solved by using the tool.

Forensic Log Book [5,6,9]: The digital information is recorded in a pre-defined format, such as date and time of the event, type of event, success or failure of the event, origin of the request for authentication data, and name of the object for object introduction and deletion. A time stamp is added to all data logged. The time line can be seen as a recording of the event. The log book can be used as an expert opinion or legal digital evidence.

Table 2. Mapping Phases of Digital Investigation Model into Fusion based Investigation Tool

Preparation
  Mapped to: Source
  Output: Awareness, Authorization, Plan, Warrant, Notification, Confirmation.

Collection and preservation
  Mapped to: Preprocessing
  Output: Potential evidence sources, media, devices, definition of important events, definition of unimportant events, elimination procedure.

Investigation / Examination / Analysis
  Mapped to: Low level fusion
  Output: Crime type; common reference format; events should be aligned; alignment procedure.
  Mapped to: High level fusion
  Output: Develops a background description of relations between entities. Event and activity interpretation and eventually contextual interpretation. Results are indicative of destructive behavior patterns. Extends and enhances the completeness, consistency and level of abstraction of the situation description produced by refinement.
  Mapped to: Decision level fusion
  Output: Log files, file, events log, data, information evidence, evidence report.

Presentation in the court of law
  Mapped to: Log book / user interface
  Output: Evidence explanation, evidence disposed, new policies, new investigation procedures, investigation closed.

Storage
  Mapped to: Database for future reference
  Output: The database can be used to store the crime types, criminal profiles, intent and lethality, which will be helpful in solving crime cases in future.

6. FEASIBILITY

The proposed tool can be useful as an evidence acquisition tool for supplying offline admissible legal digital evidence to the investigating agencies, including preservation and continuity of evidence and transparency of the forensic methods. As admissibility and weight are the two determinants in the legal acceptability of digital evidence [9], the courts deal with issues related to the difference between novel scientific evidence and legal evidence. There are three requirements for evidence to be admissible in court [6]:

• Authentication (showing a true copy of the original);
• The best evidence rule (presenting the original);
• Exceptions to the hearsay rule (allowable exceptions are when confession, business or other official records are involved).

From an evidence perspective, the law enforcement agencies will seek something that they can prove and demonstrate to others long after the event is over.

7. CONCLUSION

Profiling, identifying, tracing and apprehending cyber suspects are the important issues of research today. Different tools have been developed to detect misuse and suspicious activities, but very few of them have the provision to help law enforcement agencies. They require adequate evidence in order to penalize the criminal, thus depending heavily on the reports of forensic scientists. Collecting digital evidence is not an easy task. Within a computer system the anonymity afforded to the criminal encourages destructive behavior while making it extremely difficult to prove the identity of the criminal. In this paper we have given the idea of constructing a proprietary fusion based investigation tool for investigative agencies which can work at a stretch, process different types of data both syntactically and semantically, and filter out the files required for forensic analysis to retrieve the legal digital evidence. The output of fusion-based investigation systems will be estimates of the identity of a threat source, the malicious activity, the taxonomy of the threats, the attack rates, and an assessment of the potential severity of the projected targets. Our future work includes extending the investigation tool to analyze different cyber crime cases.

REFERENCES

[1] V. Baryamureeba and F. Tushabe, "The Enhanced Digital Investigation Process Model", Makerere University Institute of Computer Science, Uganda, 2004.
[2] D. L. Hall and S. A. H. McMullen, "Mathematical Techniques in Multisensor Data Fusion", 2nd edition, Artech House, 2004.
[3] D. Brezinski and T. Killalea, "Guidelines for Evidence Collection and Archiving", RFC 3227, February 2002.
[4] E. Waltz and J. Llinas, "Multisensor Data Fusion", Artech House, Boston, MA, 1990.
[5] E. Casey (ed.), "Handbook of Computer Crime Investigation", Academic Press, 2001.
[6] E. Casey, "Digital Evidence and Computer Crime", 2nd edition, Elsevier Academic Press, 2004.
[7] H. Lipson, "Tracking and Tracing Cyber Attacks: Technical Challenges and Global Policy Issues (CMU/SEI-2002-SR-009)", CERT Coordination Center, November 2002.
[8] http://www.data-fusion.org.
[9] J. Danielsson, "Project Description: A System for Collection and Analysis of Forensic Evidence", Application to NFR, April 2002.
[10] M. Kohn, J. H. P. Eloff and M. S. Olivier, "Framework for Digital Forensic Investigation", Information and Computer Security Architectures Research Group (ICSA), University of Pretoria.
[11] M. Reith, C. Carr and G. Gunsch, "An Examination of Digital Forensic Models", International Journal of Digital Evidence, Vol. 1, Issue 3, Fall 2002.
[12] S. R. Selamat, R. Yusof and S. Sahib, "Mapping Process of Digital Forensic Investigation Framework", IJCSNS International Journal of Computer Science and Network Security, Vol. 8, No. 10, October 2008.
[13] S. O Ciardhuain, "An Extended Model of Cybercrime Investigation", International Journal of Digital Evidence, Vol. 3, Issue 1, Summer 2004.
[14] T. Bass, "Multi-sensor Data Fusion for Next Generation Distributed Intrusion Detection System", in Proceedings of the IRIS National Symposium on Sensor and Data Fusion, 1999.
[15] P. K. Varshney, "Distributed Detection and Data Fusion", Springer-Verlag, New York, NY, 1995.

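Added example, not part of the paper or the authors' tool, illustrating the Low level fusion stage and the Forensic Log Book of Table 1 together with the integrity requirement of Sections 3 and 6: constructed log lines from three heterogeneous sources are cleaned, transformed into one common reference format, aligned to UTC and deduplicated, then written to a log book in a predefined format with an added recording timestamp and a hash chain that can be re-verified later. The three log formats, the noise rule, the 2010/UTC assumption for syslog timestamps and the SHA-256 chain construction are this example's own assumptions.

```python
# Added example (not the paper's code): low-level fusion of constructed log events into
# a common reference format, then a hash-chained forensic log book with added timestamps.
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample events from three heterogeneous sources (not real data).
RAW_EVENTS = [
    ("syslog", "Mar 14 09:15:02 host1 sshd[811]: Failed password for root from 10.0.0.9 port 5122"),
    ("syslog", "Mar 14 09:15:02 host1 sshd[811]: Failed password for root from 10.0.0.9 port 5122"),
    ("syslog", "Mar 14 09:15:30 host1 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("apache", '10.0.0.9 - - [14/Mar/2010:04:16:10 -0500] "GET /admin HTTP/1.1" 401 512'),
    ("winevt", "2010-03-14T09:17:45+0000,4625,jdoe,WORKSTATION7,failure"),
]
NOISE = re.compile(r"\bCRON\[")  # cleaning rule: scheduler chatter is irrelevant here

def parse_syslog(line):
    m = re.match(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (\w+)\[\d+\]: (.*)", line)
    # Syslog carries neither year nor zone; the example assumes 2010 and UTC.
    ts = datetime.strptime("2010 " + m.group(1), "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    origin = re.search(r"from (\S+)", m.group(4))
    return ts, m.group(3), "Failed" not in m.group(4), origin.group(1) if origin else m.group(2), m.group(2)

def parse_apache(line):
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})', line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")  # zone-aware
    return ts, "http_" + m.group(3).lower(), int(m.group(5)) < 400, m.group(1), m.group(4)

def parse_winevt(line):
    when, event_id, user, host, outcome = line.split(",")
    return datetime.strptime(when, "%Y-%m-%dT%H:%M:%S%z"), "evt" + event_id, outcome == "success", user, host

PARSERS = {"syslog": parse_syslog, "apache": parse_apache, "winevt": parse_winevt}

def fuse(raw_events):
    """Low level fusion: clean, transform to the common format, align to UTC, reduce, order."""
    seen, records = set(), []
    for source, line in raw_events:
        if NOISE.search(line):          # data cleaning
            continue
        ts, etype, ok, origin, obj = PARSERS[source](line)
        rec = {"ts": ts.astimezone(timezone.utc).isoformat(), "source": source, "type": etype,
               "success": ok, "origin": origin, "object": obj}
        key = tuple(sorted(rec.items()))
        if key not in seen:             # data reduction
            seen.add(key)
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"])   # time alignment on one time line

def log_book(records, recorded_at="2010-03-15T10:00:00+00:00"):
    """Forensic log book: predefined entry format, a recording timestamp added
    to every entry, each entry hashed together with the previous entry's hash."""
    entries, prev = [], "0" * 64
    for rec in records:
        body = json.dumps({"recorded_at": recorded_at, "event": rec}, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        entries.append({"prev": prev, "body": body, "hash": digest})
        prev = digest
    return entries

def verify_log_book(entries):
    """Re-derive the chain: an altered, removed or reordered entry breaks it."""
    prev = "0" * 64
    for e in entries:
        if e["prev"] != prev or hashlib.sha256((prev + e["body"]).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

The chain only proves that the log book has not changed since it was written; the recording timestamp and the first hash still need to be fixed in an independent record to support the preservation principles the paper cites.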