Show simple item record

dc.contributor.advisor: Langweg, Hanno
dc.contributor.advisor: Franke, Katrin
dc.contributor.author: Liao, Yi-Ching
dc.date.accessioned: 2017-02-14T10:01:57Z
dc.date.available: 2017-02-14T10:01:57Z
dc.date.issued: 2016
dc.identifier.isbn: 978-82-326-2019-7
dc.identifier.issn: 1503-8181
dc.identifier.uri: http://hdl.handle.net/11250/2430686
dc.description.abstract: This thesis contributes tangible methods for preparing an enterprise for an upcoming digital investigation with complete, pertinent, reliable, and privacy-preserving evidence. Regarding an information security incident as a sequence of resource access events, we advise an enterprise to prepare for digital investigation with kernel traces, which address the two fundamental questions of forensic readiness: "what to log" and "how to log". After conducting a cost-benefit analysis of kernel tracing systems to support decisions on tracing granularity, we advise an enterprise to employ dynamic instrumentation for flexibility and static instrumentation for low overhead, so as to prepare for digital forensics with reliable evidence at reasonable cost. To provide architectural support for adjustable tracing granularity, we propose an architecture that integrates process tracking enhancement into an existing digital forensics framework. We also assess the practicality of process tracking enhancement on Microsoft Windows by implementing a file system monitor for comprehensive and reliable system-wide tracking of file system operations, and alleviate the complexity and quantity problems of kernel traces through layers of abstraction. To alleviate the conflict between accountability and privacy, we develop metrics for surveillance impact assessment that continuously ensure the negative consequences of process tracking enhancement are minimized. To demonstrate the legal effects of process tracking enhancement, we develop an automatic judgement summarizing system for analysing judgements for evidential reasoning, and propose a framework for evidential reasoning over kernel traces that integrates narrative methods from attack graphs and attack languages, argumentative methods from argumentation diagrams, and probabilistic methods from Bayesian networks.
dc.language.iso: eng
dc.publisher: NTNU
dc.relation.ispartofseries: Doctoral theses at NTNU;2016:339
dc.title: Process Tracking for Forensic Readiness
dc.type: Doctoral thesis
dc.subject.nsi: VDP::Technology: 500::Information and communication technology: 550