Digital forensic investigation is a complex and time-consuming activity carried out in response to a cybersecurity incident or cybercrime in order to answer questions about it. These are typically what happened, when, where, how, and who is responsible. However, answering them is often very laborious and sometimes outright impossible due to a lack of usable data. Forensic-ready software systems are designed to produce valuable, on-point data for use in the investigation, with potentially high evidence value. Still, the particular ways to develop these systems are currently not explored. This paper proposes considering forensic readiness within security risk management to refine specific requirements on forensic-ready software systems. The idea is to re-evaluate the security risk decisions already taken, with the aim of providing trustworthy data when the security measures fail. Additionally, it considers possible disputes that digital evidence can resolve. Our proposed approach, risk-oriented forensic-ready design, consists of two parts: (1) a process guiding the identification of the requirements in the form of potential evidence sources, and (2) a supporting BPMN notation capturing the potential evidence sources and their relationships. Together they aim to provide a high-level overview of the forensic-ready requirements within the system. Finally, the approach is demonstrated on an automated valet parking scenario, followed by a discussion of its impact and usefulness within the forensic readiness effort.