
Towards a Comprehensive Ontology Based-Investigation for Digital Forensics Cybercrime. Article in International Journal on Communications Antenna and Propagation, October 2015. DOI: 10.15866/irecap.v5i5.6112


Available from: Amir Mohamed Talib Retrieved on: 05 May 2016

International Journal on Communications Antenna and Propagation (I.Re.C.A.P.), Vol. 5, N. 5 ISSN 2039 – 5086 October 2015

Towards a Comprehensive Ontology Based-Investigation for Digital Forensics Cybercrime

Amir Mohamed Talib (1), Fahad Omar Alomary (2)

Abstract – Cyber-physical attacks against information and computer systems are a tangible and dangerous threat that requires an effective response. In this paper, a digital forensics cybercrime ontology is proposed to collect, examine, analyze, prepare, acquire and preserve evidence of computer crimes in cyberspace. The power of the proposed ontology lies in identifying the difficulties of associating digital crime types with their collected evidence in digital forensics cases. Ontology development consists of three main steps: 1) domain, purpose and scope setting; 2) acquisition of important terms and conceptualization of classes and the class hierarchy; and 3) instance creation. Digital forensics and ontology are two normally unrelated topics. The ontology developed in this paper is a method that helps to better understand and define the terms of digital forensics. Our proposed digital forensics cybercrime ontology, built with Protégé, has a total of 180 classes, 179 subclasses and 84 instances regarding digital forensics crime cases. Copyright © 2015 Praise Worthy Prize S.r.l. - All rights reserved.

Keywords: Digital Forensics, Cyber Crime, Ontology, Protégé and Web Ontology Language

I. Introduction

Within the past few years, a new class of crime scene has become more prevalent: crime committed in the electronic or digital domain, particularly within cyberspace [1]. Digital forensics and ontology are two normally unrelated topics. The ontology developed in this paper is a method that helps to better understand and define the terms of digital forensics. According to Pollitt and Whitledge [2], digital forensics is the science of collecting, preserving, examining, analyzing and presenting relevant digital evidence for use in judicial proceedings. Digital forensics is no longer associated only with laboratories in police and security agencies; it is also used outside that area. An ontology is "a formal, explicit specification of a shared conceptualization". A conceptualization refers to an abstract model of a domain of interest; it captures the relevant concepts that exist in the domain and the relationships that hold among them [3]. In simple terms, an ontology provides a vocabulary of concepts and relations with which to model a domain. This reusability approach is based on the assumption that if a modeling scheme, i.e., an ontology, is explicitly specified and mutually agreed upon by the parties involved, then it is possible to share, reuse and extend knowledge [4], [5].

In this research, the Web Ontology Language (OWL) [14], [15] is chosen to represent our security ontology because of its power to express meaning, semantics and complex relationships. This section gives a very broad overview of OWL to assist readers in understanding the following sections. Readers who are familiar with OWL concepts may skip this section; readers interested in further details of OWL should refer to [6], [7].

The basic concepts in OWL are classes, individuals and properties. Classes are the basic construct in OWL; they describe concepts in the knowledge domain. Properties define relationships between classes, constrain classes or describe attributes of classes. There are two types of properties: object properties and data type properties. Object properties relate instances of one class to instances of another class. Data type properties relate instances of a class to Resource Description Framework (RDF) literals or XML Schema data types.

Many characteristics make Protégé a suitable choice for our proposed ontology. Protégé supports ontology development, using text mining and natural language processing to extract relevant terms from the scientific literature that can then be organized, and it allows vocabulary designers to capture, refine and ultimately formalize their intuitions without being forced to deal with distracting logical details early in the design process. Domain ontologies are rarely used in the digital forensics field. One reason is that digital forensics is a multidisciplinary field: knowledge of the technical aspects is not enough, and it is also necessary to know the law, i.e. the legal aspects and implications of the process of presenting digital evidence in court. The aim was to define the basic concepts and create a new approach to the study of this scientific field.

In this paper, section II presents a discussion of the existing ontology development in the digital forensics domain. Section III provides an overview of our proposed ontology development in the digital forensics domain. Section IV presents some concluding remarks and future work.

II. Proposed Ontology Development in Digital Forensics Domain

Table I summarizes the existing ontologies used in the digital forensics domain. The goals, capabilities and structure of our proposed ontology have been introduced to collect, examine, analyze, prepare, acquire and preserve evidence of computer crimes in cyberspace. Our ontology was designed with the following objectives in mind:
- acting as guidance for all cybercrime cases in the digital forensics domain;
- bridging the gap between the existing ontologies (section II) and resolving their weaknesses;
- creating ontologies that are easy to extend and that provide reusability.
During the development and combination of the ontology, we discovered that certain steps are better performed in iterations, as follows.

TABLE I. EXISTING ONTOLOGIES IN DIGITAL FORENSICS DOMAIN
(columns: Author; Paper Title; Subclasses and Instances Used; Strengths; Weaknesses)

Brinson and colleagues [8]
  Paper title: A Cyber Forensics Ontology: Creating a New Approach to Studying Cyber Forensics
  Subclasses and instances used: specialization, certification and education
  Strengths: underlying the cyber forensics profession, which could assist in curriculum development
  Weaknesses: lack of advanced cyber forensics methodologies and techniques

Park and colleagues [9]
  Paper title: Cyber Forensics Ontology for Cyber Criminal Investigation
  Subclasses and instances used: cyber terrorism, general cyber crimes, hacking and fraud
  Strengths: focuses on defining the types of evidence that can be collected to prove criminal intention for each type of cyber crime, and on the possibility of using the ontology in mining cyber crime data
  Weaknesses: fails to provide the required knowledge to accomplish such an objective

Hoss and Carver [10]
  Paper title: Weaving Ontologies to Support Digital Forensics Analysis
  Subclasses and instances used: crime, forensics device, legal, digital device and forensics information integration
  Strengths: introduces an ontological approach leading to the future development of an automated digital forensics analysis tool
  Weaknesses: only an abstract structure for the required ontologies and their characteristics is provided

BoJin and Li [11]
  Paper title: Forensics in Telecommunications, Information, and Multimedia
  Subclasses and instances used: cyber terror and general cyber crime
  Strengths: defines the concepts and relations among crime types, evidence collection, criminals, crime cases and law
  Weaknesses: deals more with digital evidence than with forensics

Harrill and Mislan [12]
  Paper title: A Small Scale Digital Device Forensics Ontology
  Subclasses and instances used: digital forensics and small scale digital devices
  Strengths: provides a guiding framework in which to place small scale digital devices

Kahvedzic and Kechadi [13]
  Paper title: DIALOG: A Framework for Modeling, Analysis and Reuse of Digital Forensics Knowledge
  Subclasses and instances used: digital forensics and knowledge associated with digital investigation cases
  Strengths: encapsulates all concepts of the digital forensics field and the relationships between them
  Weaknesses: encoding of forensics knowledge associated with the Windows Registry

II.1. Defining the Scope and Purpose of Our Proposed Ontology

When creating an ontology, one of the most important factors is the domain and scope in which it will be used. While the objectives outlined above are a good starting point, in order to create security ontologies that are truly useful we need to understand the types of questions that the ontology will be expected to answer. These ontologies will be used by anyone who knows how to express digital forensics requirements and capabilities. We must consider the various ways in which the same statement can be expressed. Furthermore, we need to consider statements that are unlikely, in order to limit the scope of the ontology. Statements that are either too broad or too specific are unlikely to be used and provide no useful information.

II.2. Reusing Existing Ontologies

As discussed, we reuse terms from the digital forensics data, a distinct standard digital forensics library, a digital forensics database and a distinct digital forensics data file. Compared to other related digital forensics ontologies, the strength of this ontology lies in the much needed detail on the links between the digital forensics types sub-ontology and the digital forensics cases sub-ontologies. With this linkage, changes to digital forensics types can be traversed and specific actions can be triggered.

II.3. Enumerating Important Terms in the Ontology

Key terms used in this ontology are the nouns describing the digital forensics domain, certifications and curriculum development, since they are still questioned.

II.4. Defining the Classes and the Class Hierarchy for Individual Groups

In this step, all important terms from the Protégé guideline are listed and then conceptualized into concepts and relations among concepts, to define the related classes and the class hierarchy. Digital forensics provides the backbone of the class hierarchy. The initial prototype of our ontology contains 211 classes that represent the digital forensics domain. Here we present the top-level classes in our proposed ontology; these classes represent the main concepts in the digital forensics domain. The top-level classes in our digital forensics ontology are shown in Fig. 1.

Fig. 1. Main class of digital forensics ontology

Formally, an ontology is a tangled hierarchy of concepts (classes) related by properties. Fig. 2, Fig. 3, Fig. 4 and Fig. 5 present the main classes related to the digital forensics domain and the relationships among them. Four main classes were defined in this ontology. The OWL representation of these classes is as follows:
1. Goals of digital forensics: this class represents the main goals of digital forensics, as shown in Fig. 2. The main goals of digital forensics are: providing opinions about the digital information, and recovering, identifying, preserving, analyzing and presenting facts.
2. Digital forensics phases: this class represents the main phases of digital forensics, as shown in Fig. 3. The main phases of digital forensics are: readiness phase, investigation phase, physical crime scene investigation phase, digital crime scene investigation phase, presentation phase and deployment phase.
3. Digital forensics branches: this class represents some of the digital forensics branches, such as computer forensics, mobile device forensics, network forensics, forensic data analysis and database forensics, as shown in Fig. 4.
4. Digital forensics tools: this class represents the tools of digital forensics, as shown in Fig. 5. The tools of digital forensics are: volatile data and persistent data.

Fig. 2. Goals of digital forensics

Fig. 3. Digital forensics phases

Fig. 4. Digital forensics branches

Fig. 5. Digital forensics tools

II.5. Defining the Properties of Classes—Slots

Cyberspace user is a simple taxonomy that does not contain any property. Since we are interested in digital forensics, we associated the properties described in the digital forensics domain with the top class, security, so that every kind of digital forensics inherits these properties.

II.6. Defining the Facets of the Slots

Here we define the cardinality constraints and value restrictions. Properties modeling the digital forensics domain have minimum cardinality 0, in order to allow us to represent the fact that companies rarely have enough satisfaction regarding digital forensics. In this section we illustrate the subclasses and their slots:
1. Forensics assets. Fig. 6 shows the forensics asset subclasses, which inherit from the digital forensics domain subclasses in our ontology. The direct subclasses are: computer, digital device, peripherals and storage media.
2. Digital forensics analysis. Currently there are ten types of digital forensics analysis, namely media analysis, media management analysis, file system analysis, application analysis, network analysis, OS analysis, executable analysis, image analysis and video analysis, as illustrated in Fig. 7.
3. Digital forensics process models. There are 14 process models of digital forensics since 2001, as illustrated in Fig. 8. These process models are: Abstract Digital Forensic Model, Integrated Digital Investigative Process, Extended Model of Cybercrime Investigations, Enhanced Digital Investigation Process Model, Digital Crime Scene Analysis Model, A Hierarchical, Objectives-Based Framework for the Digital Investigations Process, Framework for a Digital Investigation, Four Step Forensic Process, FORZA - Digital forensics investigation framework, Process Flows for Cyber Forensics Training and Operations, Common Process Model, Two-Dimensional Evidence Reliability Amplification Process Model, Digital Forensic Investigations Framework, and Systematic Digital Forensic Investigation Model (SRDFIM).
4. Digital forensics policies. A digital forensics policy is a statement that clearly states which assets are forensically important; therefore this subclass has a relation to the assets subclass, as illustrated in Fig. 9.

Fig. 6. Assets sub-ontology

Fig. 7. Digital forensics analysis

Fig. 8. Digital forensics process models sub-ontology

Fig. 9. Digital forensics policies sub-ontology

II.7. Creating Instances

The model editor method (instance editor), an engine provided by the environment specifically for model instantiation, is used to create instances. Decisions concerning the modeling of instances (individuals in OWL) are dictated by the perspective of representing digital forensics companies: there is no difference between, for example, two digital forensics companies. The ontology needs to represent the properties of digital forensics companies as well as their placement in the hierarchy. Our proposed digital forensics ontology resulting from the Protégé development process, as illustrated in Fig. 10, has a total of 180 main classes and 179 subclasses. The ontology is translated into OWL-DL, and we defined cardinality constraints as well as functional properties.

Fig. 10. Number of the 180 main classes and 179 subclasses

III. Conclusion and Future Work

This paper shows how the need for a general and specific ontology for the digital forensics domain can be met. We have described an OWL-based ontology with its core concepts: digital forensics asset, digital forensics analysis, digital forensics process models and digital forensics policy. All the core concepts are subclassed or instantiated to provide the domain vocabulary of digital forensics. The digital forensics ontology, with a particular focus on the ontology development process, is also presented. An ontology can be developed in three main steps: 1) domain, purpose and scope setting; 2) acquisition of important terms and conceptualization of classes and the class hierarchy; and 3) instance creation. The approach is used to collect, examine, analyze, prepare, acquire and preserve evidence of computer crimes in cyberspace, and the ontology maintains consistency within a heterogeneous digital forensics domain. A prototype system was developed using Protégé. The prototype is based on the principles discussed in this paper and is being tested. The results gained from evaluating this system will help us determine the practical effectiveness of such systems. In the future, we plan to develop a feedback framework to acquire digital forensics knowledge from security professional teams and researchers, in order to develop suitable criteria for reminding and recommending useful information to digital forensics companies. We hope that our ontology will trigger discussions leading to even more detailed and accepted ontologies in the domain of digital forensics.
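The class hierarchy of section II.4, the inherited slots of section II.5 and the cardinality facets of section II.6 can be checked mechanically. The following Python block is an added example, not the authors' Protégé export: the class names follow Fig. 1, Fig. 6 and Fig. 9, while the slot names (coversAsset, hasDescription), the functional facet on hasDescription and the sample individuals are assumptions.

```python
"""Closed-world check of the class hierarchy and slot facets from section II.
Added example, not the authors' Protégé/OWL export: the slot names
(coversAsset, hasDescription) and the sample individuals are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# owl:subClassOf edges (child -> parent) after Fig. 1 and Fig. 6 of the paper;
# the process-model, digital-device and peripherals branches are omitted for brevity.
SUBCLASS_OF = {
    "ForensicsAssets": "DigitalForensicsDomain",
    "DigitalForensicsAnalysis": "DigitalForensicsDomain",
    "DigitalForensicsPolicies": "DigitalForensicsDomain",
    "Computer": "ForensicsAssets",
    "StorageMedia": "ForensicsAssets",
}
@dataclass
class Slot:
    domain: str                 # class whose individuals carry the slot
    range_: str                 # class name (object property) or XSD type (data type property)
    min_card: int = 0           # paper: domain properties have minimum cardinality 0
    max_card: Optional[int] = None
SLOTS: Dict[str, Slot] = {
    # object property: a policy names the assets it declares forensically important (Fig. 9)
    "coversAsset": Slot("DigitalForensicsPolicies", "ForensicsAssets"),
    # data type property on the root class, so every subclass inherits it; functional (max 1)
    "hasDescription": Slot("DigitalForensicsDomain", "xsd:string", max_card=1),
}
Individual = Tuple[str, Dict[str, List[str]]]   # (class, {slot: [values]})

def ancestors(cls: str) -> List[str]:
    """cls followed by its superclasses up to the root (subClassOf is transitive)."""
    chain = [cls]
    while chain[-1] in SUBCLASS_OF:
        chain.append(SUBCLASS_OF[chain[-1]])
    return chain

def applicable_slots(cls: str) -> List[str]:
    """Slots whose domain is cls or an ancestor: slots are inherited down the hierarchy."""
    return sorted(n for n, s in SLOTS.items() if s.domain in ancestors(cls))

def validate(name: str, kb: Dict[str, Individual]) -> List[str]:
    """Cardinality and range violations for one individual (strict, closed-world)."""
    cls, values = kb[name]
    allowed, errors = applicable_slots(cls), []
    for sname in values:
        if sname not in allowed:
            errors.append(f"{name}: {sname} is not a slot of {cls}")
    for sname in allowed:
        slot, vals = SLOTS[sname], values.get(sname, [])
        if len(vals) < slot.min_card:
            errors.append(f"{name}: {sname} needs at least {slot.min_card} value(s)")
        if slot.max_card is not None and len(vals) > slot.max_card:
            errors.append(f"{name}: {sname} allows at most {slot.max_card} value(s)")
        if not slot.range_.startswith("xsd:"):   # object property: check the target's class
            for v in vals:
                if v not in kb or slot.range_ not in ancestors(kb[v][0]):
                    errors.append(f"{name}: {sname} -> {v} is not a {slot.range_}")
    return errors
# Constructed sample knowledge base (not from the paper).
KB: Dict[str, Individual] = {
    "SeizedLaptop": ("Computer", {"hasDescription": ["laptop from the suspect's desk"]}),
    "EvidenceUSB": ("StorageMedia", {}),
    "NetAnalysis1": ("DigitalForensicsAnalysis", {}),
    "ImagingPolicy": ("DigitalForensicsPolicies", {"coversAsset": ["SeizedLaptop", "EvidenceUSB"]}),
    "EmptyPolicy": ("DigitalForensicsPolicies", {}),   # valid: minimum cardinality 0
    "BadPolicy": ("DigitalForensicsPolicies",          # wrong range and functional slot violated
                  {"coversAsset": ["NetAnalysis1"], "hasDescription": ["a", "b"]}),
}
def check_all() -> Dict[str, List[str]]:
    return {name: validate(name, KB) for name in KB}
```

Note that an OWL-DL reasoner works open-world: asserting coversAsset on NetAnalysis1 would make it infer that the individual is also a ForensicsAssets rather than report an error, so a strict check like this one is what a Protégé user needs before trusting the reasoner's view of a case.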

Acknowledgements

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions to improve the quality of the paper.

References

[1] E. Casey, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 3rd ed., Academic Press, 2011.
[2] M. Pollitt and A. Whitledge, "Exploring Big Haystacks," in Advances in Digital Forensics II, Springer, 2006, pp. 67-76.
[3] T. R. Gruber, "Toward Principles for the Design of Ontologies Used for Knowledge Sharing," International Journal of Human-Computer Studies, vol. 43, pp. 907-928, 1995.
[4] B. Tsoumas, S. Dritsas, and D. Gritzalis, "An Ontology-based Approach to Information Systems Security Management," in Computer Network Security, Springer, 2005, pp. 151-164.
[5] A. Talib, R. Atan, R. Abdullah, and M. Azmi, "Security Ontology Driven Multi Agent System Architecture for Cloud Data Storage Security: Ontology Development," International Journal of Computer Science and Network Security, vol. 12, pp. 63-72, 2012.
[6] D. L. McGuinness and F. van Harmelen, "OWL Web Ontology Language Overview," W3C Recommendation, 2004.
[7] M. Jabar, M. Khalefa, R. Abdullah, and S. Abdullah, "Meta-Analysis of Ontology Software Development Process," International Review on Computers and Software (IRECOS), vol. 9, no. 1, pp. 29-37, 2014.
[8] A. Brinson, A. Robinson, and M. Rogers, "A Cyber Forensics Ontology: Creating a New Approach to Studying Cyber Forensics," Digital Investigation, vol. 3, pp. 37-43, 2006.
[9] H. Park, S. Cho, and H.-C. Kwon, "Cyber Forensics Ontology for Cyber Criminal Investigation," in Forensics in Telecommunications, Information and Multimedia, Springer, 2009, pp. 160-165.
[10] A. M. Hoss and D. L. Carver, "Weaving Ontologies to Support Digital Forensics Analysis," in Proceedings of the 2009 IEEE International Conference on Intelligence and Security Informatics, 2009, pp. 203-205.
[11] X. D. BoJin and Y. W. H. Li, "Forensics in Telecommunications, Information, and Multimedia," in Third International ICST Conference, E-Forensics 2010, Shanghai, China, Springer, 2011.
[12] D. C. Harrill and R. P. Mislan, "A Small Scale Digital Device Forensics Ontology," Small Scale Digital Device Forensics Journal, vol. 1, p. 242, 2007.
[13] D. Kahvedzic and T. Kechadi, "DIALOG: A Framework for Modeling, Analysis and Reuse of Digital Forensics Knowledge," Digital Investigation, vol. 6, pp. S23-S33, 2009.
[14] S. Narayana, G. Saradhi Varma, and A. Govardhan, "Discovering Relevant Semantic Associations Based on User Specified Context," International Review on Computers and Software (IRECOS), vol. 10, no. 8, pp. 805-813, 2015.
[15] G. Nagarajan and K. Thyagharajan, "Rule-Based Semantic Content Extraction in Image using Fuzzy Ontology," International Review on Computers and Software (IRECOS), vol. 9, no. 2, pp. 266-277, 2014.

Authors' information

(1, 2) College of Computer and Information Sciences, Information Technology Department, Al-Imam Muhammad Ibn Saud Islamic University, Riyadh, Kingdom of Saudi Arabia (KSA). E-mails: [email protected], [email protected]

Amir Mohamed Talib is an Assistant Professor in the Information Technology Department, College of Computer and Information Sciences, at Al-Imam Muhammad Ibn Saud Islamic University, Riyadh, Kingdom of Saudi Arabia (KSA). He holds a B.Sc. in Computer Engineering from Technological & Science University, Sudan (2006), an M.Sc. in Computer Science from Universiti Putra Malaysia (2009), and a PhD in Software Engineering from the Faculty of Computer Science and Information System, Universiti Putra Malaysia (2012). He has more than 4 years of teaching experience and about 3 years of system development experience as a system developer at Ejtihad Company, Malaysia. He currently teaches system analysis and design and software engineering courses at both undergraduate and graduate levels. His research interests include Knowledge Management, Information and Network Security, Software Engineering, Computer Supported Collaborative Work, and Workflow Management. He has also published books, articles and technical papers in numerous journals and conference proceedings related to his research interests.

Fahad Omar Alomary is an Assistant Professor in the Information Technology Department, College of Computer and Information Sciences, at Al-Imam Muhammad Ibn Saud Islamic University, Riyadh, Kingdom of Saudi Arabia (KSA). He holds a Bachelor of Science in Electronics Engineering from the College of Technology, Riyadh, Kingdom of Saudi Arabia (2002), a Master of Science in Computer Engineering and a Master of Science in Engineering Management from Florida Institute of Technology, Melbourne, FL, United States (2008), and a Doctor of Science in Computer Engineering in the field of Data Networking from Florida Institute of Technology, Melbourne, FL, United States (2013). He has more than 7 years of working experience. Currently, he is chair of the Information Technology Department in the College of Computer and Information Sciences at Al-Imam Muhammad Ibn Saud Islamic University. He also teaches Information Networks and Digital Libraries, provides academic advising, and supervises graduation projects. His research interests include Computer Networking, Data Management, and Information Security.