
A path towards forensic ready systems
There is no doubt that cyber security is becoming increasingly important, especially because of the advent of IoT and various other large-scale systems. The involvement of a diverse range of devices not only makes cyber security important, but it also makes the task of securing your systems a lot harder. The heterogeneity of the devices in an IoT deployment (or other large system) opens up a lot of doors for intruders. With every device having its own hardware and software vulnerabilities, and its own standards, it is an incredibly challenging task to come up with a secure architecture. To top it all off, every device has its own computational limits, so you will most likely be bottlenecked by the device with the lowest computational limits.
Since we don't really have a foolproof way of securing systems, especially large-scale systems, we are simply waiting for the inevitable. And this is understandable as well. We can't really come up with a 100% secure system. So, what happens after an attack happens? Forensics. Forensics happen.
This might sound a little detective-y, but it is what happens. Once a system is compromised, forensic teams start searching for clues to reverse engineer the attack and figure out how the system was compromised. But the problem with this approach is that it's really easy for the attacker to cover his or her tracks. For example, if an attacker logged in via an employee's system and erased the trace from the log files, then it will be very hard for the forensics team to get all the clues. This was a very simple and not-very-well-thought-out example, but you get the point.
So, all of this leads us to forensic ready systems. You might have already guessed where I am going with this. Researchers are now focusing on forensic ready systems that proactively save the important data that could help in the post-crime scene. The basic idea is to incorporate features that allow systems to keep track of important information that could be useful later on during the investigation. This will not only speed up the investigation process, but it will also shrink the data that the forensics team has to go through.
The path to making forensic ready systems isn't a piece of cake, though. Not only do scientists have to come up with proper methods that can be integrated into the software or system development cycle, but they also have to come up with techniques to make already developed systems forensic ready. There's also a huge question regarding the data or information that needs to be kept safe. Researchers not only have to identify the exact information that is worth keeping, but they also have to consider the budget and various other limitations. So, for example, let's say that you have decided to save the event log on a separate forensics hard drive. Now the question is, how often do you save it? How would you identify the specific events that would be helpful in forensics? This is a very small and, again, not-very-well-thought-out example, but you get the point. When talking about huge systems, a forensic ready feature can take up a huge amount of resources and a considerable chunk of your budget.
But suffice it to say that there has been some spark in this direction, especially at The Irish Software Research Centre. Right now there aren't any tools or methods developed for forensic ready systems, but I am sure we are about to witness a new research direction and, hopefully, a new discipline.
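As an added illustration of the two questions above (which events to keep, and how to keep them so that an erased trace is noticed), here is a small Python sketch written for this post, not code from the author or from any research centre. It assumes a policy that forwards only a few event types to the forensic store, and an HMAC key that only the forensic store holds, so an intruder who edits or deletes entries on the host cannot re-link the chain.

```python
import hashlib
import hmac
import json

# Constructed sample events for a hypothetical host "host-A" (not real logs).
SAMPLE_EVENTS = [
    {"ts": 1, "host": "host-A", "type": "login", "user": "alice"},
    {"ts": 2, "host": "host-A", "type": "file_read", "user": "alice", "path": "/tmp/x"},
    {"ts": 3, "host": "host-A", "type": "sudo", "user": "alice"},
    {"ts": 4, "host": "host-A", "type": "logout", "user": "alice"},
]

# Assumed policy: only these event types are worth shipping to the forensic store.
FORENSIC_TYPES = {"login", "sudo", "logout"}

GENESIS = "0" * 64  # fixed starting link for an empty chain


def forensic_filter(events):
    """Keep only the events the policy marks as forensically interesting."""
    return [e for e in events if e["type"] in FORENSIC_TYPES]


def append_chain(events, key: bytes):
    """Build hash-chained records: each MAC covers the event and the previous MAC,
    so deleting or altering any record breaks every link after it."""
    prev = GENESIS
    chain = []
    for e in events:
        body = json.dumps(e, sort_keys=True)
        mac = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        chain.append({"prev": prev, "event": e, "mac": mac})
        prev = mac
    return chain


def verify_chain(chain, key: bytes):
    """Return (ok, index of first bad record or None).
    Note: silently dropping the *last* records is not caught by the chain alone;
    the store must also remember the latest MAC (or record count) elsewhere."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = json.dumps(rec["event"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, None
```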
