Investigating Proactive Digital Forensics Leveraging Adversary Emulation

Valentine Machaka; Titus Balan

doi:10.3390/app12189077

Applied Sciences (Sep 2022)

Investigating Proactive Digital Forensics Leveraging Adversary Emulation

Valentine Machaka,
Titus Balan

Affiliations

Valentine Machaka: Department of Forensic Accounting & Auditing, School of Business & Management Sciences, Harare Institute of Technology, Belvedere, Harare P.O. Box BE 277, Zimbabwe
Titus Balan: Department of Electronics and Computers, Faculty of Electrical Engineering and Computer Sciences, “Transilvania” University of Brasov, 1 Politehnicii Street, 500024 Brasov, Romania

DOI: https://doi.org/10.3390/app12189077
Journal volume & issue: Vol. 12, no. 18
p. 9077

Abstract

Read online

Traditional digital forensics techniques are becoming obsolete due to rapid technological change. Proactive digital forensic investigations (PDFI) solve the challenges of cloud computing forensics such as evidence identification, collection, preservation, and timelining from heterogeneous cumulative data. Cumulative data heterogeneity poses significant challenges to the sound collection of electronically stored information (ESI) or digital evidence across cloud endpoints and/or networked systems. In addition, the distribution of networked systems and/or cloud environments makes it impossible for forensics investigators to be present at several premises to perform the investigation. Hence, it is important to have PDFI in place to ensure continuous operation in the event of a cyberattack, because it does not require the presence of an investigator at the target location. In this study, researchers put the idea of proactive digital forensics to the test and concluded that it is an indispensable tool for networked systems and cloud computing environments in response to modern-day digital forensics challenges. This research was based on an experimental computer science and engineering approach using a virtualised environment simulating an information communication infrastructure. To generate evidence (digital artefacts), and validate the proof-of-concept, adversary emulation was used by adapting the MITRE ATT&CK framework. Research results have shown that PDFI improves digital forensics activities in terms of speed and accuracy, thereby providing credible and timely comprehensive digital evidence. Enhanced Incident detection capabilities enable an analyst to focus much more on forensic investigation functions and thus perform their tasks effectively. However, the legality of live and/or remote forensics is still of great concern in several jurisdictions, thereby affecting the credibility of digital artefacts obtained in this manner. Nevertheless, where possible, the law component should also be kept up to date with modern-day technologies to solve any inconveniences caused by the ever-growing technology demands.

Published in Applied Sciences

ISSN: 2076-3417 (Online)
Publisher: MDPI AG
Country of publisher: Switzerland
LCC subjects: Technology: Engineering (General). Civil engineering (General); Science: Biology (General); Science: Physics; Science: Chemistry
Website: http://www.mdpi.com/journal/applsci

About the journal

Abstract

Keywords