Knowledge Sharing and Reuse in Digital Forensic Domain: a Review

Jasmin Ćosić, IT Section of Police Administration, Ministry of Interior, 77000 Bihać, BiH

Miroslav Bača, Faculty of Organization and Informatics, University of Zagreb, 42000 Varaždin, Croatia

Zoran Ćosić, Statheros d.o.o., Kaštel Stari, Split, Croatia

Abstract: The rapid emergence of new techniques in Information and Communication Technology (ICT) is a potential source of innovation for digital investigations. Today the digital forensic field relies on knowledge, and on knowledge management systems, as an important resource. The aim of this paper is to review the literature on knowledge, knowledge management and expert systems in the digital forensic domain.

Key Words: digital forensics, knowledge management, ontology

1 Introduction

The rapid emergence of new techniques in ICT is a potential source of innovation for digital investigations. Digital devices may be the object of a crime or the instrument used to commit a criminal act. According to [1], in 2006 the damage caused by cyber crime was U.S. $1.45 billion and for the first time exceeded the total market value of illegal drugs; by 2010 it had reached U.S. $114 billion in direct and U.S. $274 billion in indirect damage. There was therefore a need for a new scientific discipline dealing with the legal and lawful collection of digital evidence, both in official (state and interstate) investigations and in corporate internal investigations.

On the question "What is Digital Forensics?" Pollitt [2] stressed that digital forensics is not an elephant: it is a process, and not just one process but a group of tasks and processes within an investigation. According to [3], digital forensics is the science of collecting, preserving, examining, analyzing and presenting relevant digital evidence for use in judicial proceedings. The final goal of every digital forensic investigation, which consists of several phases, is digital evidence collected and presented in the courtroom. The Scientific Working Group on Digital Evidence (SWGDE) defines digital evidence as "any information of probative value that is either stored or transmitted in a digital form" [4]. The International Organization on Computer Evidence (IOCE) defines it as "information stored or transmitted in binary form that may be relied upon in court" [5].

Today the digital forensic field relies on knowledge, and on knowledge management systems, as an important resource. The reason is that changes in digital technologies are an everyday occurrence, and knowledge and knowledge management make it possible to create appropriate standards and procedures. It is therefore necessary to form new concepts and ideas from the existing information acquired from existing knowledge. Ontology plays an important role in creating a common definition among the domains of information in a particular area [6].

2 Knowledge management systems

Knowledge Management (KM) has been defined as "the process by which an organization creates, captures, acquires, and uses knowledge to support and improve the performance of the organization" [7]. It is a field that has attracted much attention in both academic and practitioner circles. Most KM projects appear to be primarily concerned with knowledge that can be quantified, captured, codified and stored, an approach more deserving of the label Information Management. More recently it has been recognized that some knowledge cannot be quantified, captured, codified or stored [8].

Early KM was defined as an extension of Artificial Intelligence (AI). Knowledge was viewed as information: an item that can be codified, stored and transmitted from one place to another. The knowledge of experts was 'captured' and stored in books, reports and papers in hard copy, and in databases in electronic form, so that this "stored knowledge" could be shared with other experts in the same domain. In the early phases these experts were humans; with the rapid development of information and computer technology the expert became a machine (a computer), and expert systems were created. In artificial intelligence, an expert system is a computer system that emulates the decision-making ability of a human expert [9]. Expert systems are designed to solve complex problems by reasoning about knowledge, like an expert, and not by following a procedure or algorithm written by a human, as is the case in structured or object-oriented programming. The problem posed to scientists was: how to formalize stored knowledge and how to "prepare" it for consumption by computers? In what way can a machine use this knowledge and make decisions based on it?

The answer appeared in the form of a discipline called "knowledge engineering", which involves integrating knowledge into computer systems in order to solve complex problems normally requiring a high level of human expertise [10]. It was necessary to form new concepts and ideas from the existing information acquired from existing knowledge. Ontology plays an important role in creating a common definition among the domains of information in a particular area. According to Gruber [11], an ontology is an explicit specification of a conceptualization. The term is borrowed from philosophy, where ontology is a systematic account of existence. In recent years the development of ontologies, explicit formal specifications of the terms in a domain and of the relations among them [11], has been moving from the realm of Artificial Intelligence laboratories to the desktops of domain experts. An ontology defines a common vocabulary for researchers who need to share information in a domain. It includes machine-interpretable definitions of basic concepts in the domain and of the relations among them. The Artificial Intelligence literature contains many definitions of ontology. For the purposes of this paper, following [12], an ontology is a formal explicit description of concepts in a domain of discourse: classes (sometimes called concepts), properties of each concept describing the various features and attributes of the concept (slots, roles or properties), and restrictions on slots (facets or role restrictions). An ontology together with a set of individual instances of classes constitutes a knowledge base [12].
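The class/slot/facet/instance structure described above, as an added illustration that is not from this paper or from any of the ontologies it cites: a minimal frame-style knowledge base in Python, built around a hypothetical digital-evidence ontology. The classes Person, CustodyTransfer, DigitalEvidence and DiskImage, their slots and facets, the sample instances and the chain-of-custody rule are all assumptions made for this example. Facets are enforced when an instance enters the knowledge base; a small expert-system-style rule then reasons over the stored instances to decide whether an item's chain of custody is unbroken, which is the kind of decision support the paper says is still missing in the field.

```python
"""Frame-style ontology + knowledge base as in [12]: classes, slots, facets, instances.
The evidence classes and the custody rule below are hypothetical, made up for this example."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

@dataclass
class Slot:
    # Facets: required type, allowed number of values (max_card=None: unbounded), extra predicate.
    name: str
    value_type: type
    min_card: int = 0
    max_card: Optional[int] = 1
    check: Optional[Callable[[Any], bool]] = None

@dataclass
class OntClass:
    # A class (concept); slots are inherited down the parent chain.
    name: str
    parent: Optional["OntClass"] = None
    own_slots: Dict[str, Slot] = field(default_factory=dict)

    def slots(self) -> Dict[str, Slot]:
        return {**(self.parent.slots() if self.parent else {}), **self.own_slots}

    def is_a(self, other: "OntClass") -> bool:
        return self is other or (self.parent is not None and self.parent.is_a(other))

@dataclass
class Instance:
    # An individual of a class; values maps slot name -> list of values (slots are multi-valued).
    name: str
    cls: OntClass
    values: Dict[str, List[Any]] = field(default_factory=dict)

def facet_violation(inst: Instance) -> Optional[str]:
    # The first facet inst violates, or None when it conforms to its class and all ancestors.
    for s in inst.cls.slots().values():
        vals = inst.values.get(s.name, [])
        if len(vals) < s.min_card or (s.max_card is not None and len(vals) > s.max_card):
            return f"{inst.name}: slot {s.name!r} has {len(vals)} value(s)"
        for v in vals:
            if not isinstance(v, s.value_type) or (s.check and not s.check(v)):
                return f"{inst.name}: bad value {v!r} for slot {s.name!r}"
    return None

class KnowledgeBase:
    # Ontology plus instances; add() enforces every facet, so the KB only holds conforming instances.
    def __init__(self) -> None:
        self.instances: Dict[str, Instance] = {}

    def add(self, inst: Instance) -> Instance:
        if err := facet_violation(inst):
            raise ValueError(err)
        self.instances[inst.name] = inst
        return inst

    def instances_of(self, cls: OntClass) -> List[Instance]:
        return [i for i in self.instances.values() if i.cls.is_a(cls)]

# --- the ontology: hypothetical classes made up for this example -------------
is_sha256 = lambda v: len(v) == 64 and all(c in "0123456789abcdef" for c in v)
PERSON = OntClass("Person", own_slots={"role": Slot("role", str, 1, 1)})
is_person = lambda v: v.cls.is_a(PERSON)
CUSTODY_TRANSFER = OntClass("CustodyTransfer", own_slots={
    "from_person": Slot("from_person", Instance, 1, 1, is_person),
    "to_person": Slot("to_person", Instance, 1, 1, is_person),
    "hash_at_transfer": Slot("hash_at_transfer", str, 1, 1, is_sha256)})
DIGITAL_EVIDENCE = OntClass("DigitalEvidence", own_slots={
    "description": Slot("description", str, 1, 1),
    "acquisition_hash": Slot("acquisition_hash", str, 1, 1, is_sha256),
    "acquired_by": Slot("acquired_by", Instance, 1, 1, is_person),
    "custody": Slot("custody", Instance, 0, None, lambda v: v.cls.is_a(CUSTODY_TRANSFER))})
# Subclass: inherits every DigitalEvidence slot and adds one of its own.
DISK_IMAGE = OntClass("DiskImage", DIGITAL_EVIDENCE, {"image_format": Slot("image_format", str, 1, 1)})

def custody_is_unbroken(ev: Instance) -> bool:
    # Rule (hypothetical): every recorded hash equals the acquisition hash, and each transfer
    # (in list order) is handed over by whoever received the item last, initially the acquirer.
    expected, holder = ev.values["acquisition_hash"][0], ev.values["acquired_by"][0]
    for t in ev.values.get("custody", []):
        if t.values["hash_at_transfer"][0] != expected or t.values["from_person"][0] is not holder:
            return False
        holder = t.values["to_person"][0]
    return True

def unbroken_evidence(kb: KnowledgeBase) -> List[str]:
    # Query over the KB: names of evidence items (of any subclass) whose chain is unbroken.
    return sorted(i.name for i in kb.instances_of(DIGITAL_EVIDENCE) if custody_is_unbroken(i))

def build_sample_kb() -> KnowledgeBase:
    # Constructed data: img1's chain ana -> cy -> bo is complete; img2's transfer is made by bo, who never held it.
    kb = KnowledgeBase()
    ana, bo, cy = (kb.add(Instance(n, PERSON, {"role": [r]})) for n, r in
                   [("ana", "first responder"), ("bo", "lab examiner"), ("cy", "custodian")])
    h1, h2 = "a" * 64, "b" * 64  # stand-ins for real SHA-256 digests
    t1 = kb.add(Instance("t1", CUSTODY_TRANSFER, {"from_person": [ana], "to_person": [cy], "hash_at_transfer": [h1]}))
    t2 = kb.add(Instance("t2", CUSTODY_TRANSFER, {"from_person": [cy], "to_person": [bo], "hash_at_transfer": [h1]}))
    kb.add(Instance("img1", DISK_IMAGE, {"description": ["laptop HDD"], "image_format": ["E01"], "acquisition_hash": [h1], "acquired_by": [ana], "custody": [t1, t2]}))
    t3 = kb.add(Instance("t3", CUSTODY_TRANSFER, {"from_person": [bo], "to_person": [cy], "hash_at_transfer": [h2]}))
    kb.add(Instance("img2", DISK_IMAGE, {"description": ["USB stick"], "image_format": ["dd"], "acquisition_hash": [h2], "acquired_by": [ana], "custody": [t3]}))
    return kb
```

Calling `unbroken_evidence(build_sample_kb())` returns `['img1']`, and trying to add an instance whose hash slot holds anything other than 64 hex characters raises ValueError before it reaches the knowledge base. The rule is deliberately kept apart from the ontology: the ontology fixes what a custody transfer is (its slots and the restrictions on them), while the rule encodes how an examiner reasons about a sequence of transfers, which is the division of labour between knowledge base and inference engine in an expert system.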

3 Digital forensics and KMS

There is a lack of quality published papers and research on the topic of digital forensics and knowledge management. In recent years a few papers on ontology engineering in the digital forensic domain have been published [13][14][15][6][16][17][18]. The proposed ontologies involve a basic set of concepts, with definitions of these concepts and a taxonomy diagram. Frameworks (DIALOG, DEMF) for modeling, analyzing and reusing digital forensic knowledge have also been proposed. Biros, Weiser and Witfield [19] present the National Repository of Digital Forensic Intelligence they developed. This system has been implemented in the largest accredited digital forensics lab in the world and is currently being extended to many other local, state and federal agencies to increase effectiveness and efficiency among analysts. Fenz and Ekelhart [20] describe a security ontology which provides an ontological structure for information security domain knowledge. Besides existing best practice guidelines such as the German IT-Grundschutz Manual, concrete knowledge of the organization under consideration is also incorporated. An evaluation conducted by a team of information security experts has shown that this knowledge model can be used to support a broad range of information security risk management approaches. Huang et al. [21] state that it is not possible to build an ontology "large" enough to include all concepts that occur and that are of interest to people who conduct forensic investigations. This statement is logical if we consider that there is no universal knowledge of the world or of a specific domain. What is missing in this process is a formalization of digital forensic knowledge that makes the knowledge consumable by both experts and machines.

Figure 1: Knowledge Management for Non-routine and Unstructured Sense Making [22]

Figure 1 presents knowledge management as intelligence in action: a composite construct resulting from the interaction of data, information, rules, procedures and best practices with traits such as attention, motivation, commitment, creativity and innovation [22].

Today there is no concrete implementation of any of the ontologies created in the digital forensic field for decision support, and no expert system in the digital forensic domain. The reasons may be a lack of market interest, the complexity of implementation, and the high level of expertise required to implement such systems.

4 Conclusion and future research

Today there is a great need to (re)use knowledge and to use KMS in the digital forensic field. Intelligent systems based on stored knowledge can help investigators, prosecutors and judges in the digital forensic process. The acceptability of digital evidence is a property determined by a set of conditions that must be fulfilled for the evidence to be accepted by the court in the courtroom. Future research will focus on developing an ontology as the basis for a KMS for the acceptability of digital evidence by the court.

5 References

[1] Symantec, "Norton Cybercrime Report 2011," 2011. [Online]. Available: http://us.norton.com/content/en/us/home_homeoffice/html/cybercrimereport/. [Accessed: 01-Nov-2011].

[2] M. Pollitt, "Six Blind Men from Indostan," in Digital Forensic Research Workshop (DFRWS), 2004.

[3] M. Pollitt and A. Whitledge, "Exploring Big Haystacks: Data Mining and Knowledge Management," in Advances in Digital Forensics II, IFIP, 2006.

[4] Scientific Working Group on Digital Evidence (SWGDE) and International Organization on Computer Evidence (IOCE), "Digital Evidence: Standards and Principles," 1999. [Online]. Available: http://www.fbi.gov/about-us/lab/forensic-sciencecommunications/fsc/april2000/swgde.htm#Definitions. [Accessed: 11-Nov-2011].

[5] IOCE, "Principles and Definitions," IOCE Conference, 1999. [Online]. Available: http://www.ioce.org/core.php?ID=5.

[6] J. Ćosić, Z. Ćosić and M. Bača, "An Ontological Approach to Study and Manage Digital Chain of Custody of Digital Evidence," Journal of Information and Organizational Sciences, vol. 35, no. 1, pp. 1-13, 2011.

[7] T. Kinley, "Adult learning," Adult Learning, vol. 10, no. 2, pp. 2-5, 1998.

[8] P. Hildreth and C. Kimble, "The duality of knowledge," Information Research, vol. 8, no. 1, 2002.

[9] P. Jackson, Introduction to Expert Systems. Addison-Wesley, 1998.

[10] E. Feigenbaum and P. McCorduck, The Fifth Generation: Artificial Intelligence and Japan's Computer Challenge to the World. Addison-Wesley, 1983.

[11] T. R. Gruber, "A Translation Approach to Portable Ontology Specifications," Knowledge Acquisition, vol. 5, no. 2, pp. 199-220, 1993.

[12] N. F. Noy and D. L. McGuinness, "Ontology Development 101: A Guide to Creating Your First Ontology," Stanford University, 2001.

[13] H. Park, S. Cho and H.-C. Kwon, "Cyber Forensics Ontology for Cyber Criminal Investigation," in e-Forensics 2009: 2nd International ICST Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia, 2009, pp. 160-165.

[14] D. C. Harrill and R. P. Mislan, "A Small Scale Digital Device Forensics Ontology," Small Scale Digital Device Forensics Journal, vol. 1, no. 1, pp. 1-7, 2007.

[15] A. Brinson, A. Robinson and M. Rogers, "A cyber forensics ontology: Creating a new approach to studying cyber forensics," Digital Investigation, vol. 3, pp. 37-43, Sep. 2006.

[16] D. Kahvedžić and T. Kechadi, "DIALOG: A framework for modeling, analysis and reuse of digital forensic knowledge," Digital Investigation, vol. 6, pp. S23-S33, Sep. 2009.

[17] L. D. Carver and M. A. Hoss, "Weaving ontologies to support digital forensic analysis," in ISI '09: Proceedings of the 2009 IEEE International Conference on Intelligence and Security Informatics, 2009, pp. 203-205.

[18] M. Swimmer, "Towards an Ontology of Malware Classes," pp. 1-16, 2008.

[19] D. P. Biros, M. Weiser and J. Witfield, "Managing Digital Forensic Knowledge: An Applied Approach," 2007.

[20] S. Fenz and A. Ekelhart, "Formalizing Information Security Knowledge," in Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2009, pp. 183-194.

[21] J. Huang, A. Yasinsac and P. J. Hayes, "Knowledge Sharing and Reuse in Digital Forensics," Digital Investigation, pp. 1-6, 2011.

[22] Y. Malhotra, "Why Knowledge Management Systems Fail? Enablers and Constraints of Knowledge Management in Human Enterprises," in Handbook on Knowledge Management 1, C. W. Holsapple, Ed. Heidelberg: Springer-Verlag, 2002.
