Visualisations against challenges in Digital Forensics

Leonidas Kalipolitis (Technical Manager at AEGIS IT Research Ltd).

As digital crimes continue to rise, the need for digital forensics also increases. Digital forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law. Digital forensics as a discipline faces several challenges, both industrial and research ones:

Industrial Challenges

  • Security data is growing, as organisations collect, process, and analyse more than six terabytes of security data monthly (Cybersecurity Analytics and Operations in Transition, 2017).
  • It is very difficult to keep up with the threat landscape, as organisations are overwhelmed by the scaling needs of big-data forensics, which must cover both post-mortem and real-time processing and visualisation of evidence.
  • Customers need to analyse security event data in real time for internal and external threat management, which requires collecting, storing, analysing and reporting on log data for forensics and regulatory compliance while maintaining the security and integrity of that data.

Research Challenges

  • The growing size of heterogeneous data results in response times that are too slow.
  • The growing sophistication of malware and attackers highlights the need for developing post-compromise and real-time forensics services.
  • There is a need for advanced visualization methods to combine data from heterogeneous sources and to guide forensics investigators to identify areas warranting further review.
  • Intuitive, detailed and user-centric visualisations capable of managing, analysing and presenting large amounts of forensics evidence in a user-friendly way have yet to be developed. Some of the drawbacks of existing visualisation frameworks include:
    • the need to use multiple tools;
    • the difficulty of taking information seen in one visualisation tool and obtaining a different perspective on it in another tool;
    • many tools cannot import information from another tool;
    • the significant amount of time needed to go through all of the tools, collect the data, and then create a coherent report that can potentially be used as evidence in a court of law.
  • Better collection of effective data for post-incident security analysis.
  • Current cyber-forensic methodologies are not always fully extensible to traditional control systems architectures.
  • Correlation of forensic data collected by disparate cyber-centric security procedures and technologies (Firewalls [FW], Intrusion Detection Systems [IDS], Intrusion Prevention Systems [IPS], etc.) with device and control-system logging data.
  • Post-incident analysis is often dependent on vendor involvement, and any proactive understanding of device logging is often not required by the end user or incorporated into a defence-in-depth strategy.
  • Unforeseen interactions between the forensics tools and control systems.
  • Inclusion of real-time forensics tools for active analysis.
  • The increase in storage space on hard drives impacts both resource utilisation and the time needed to carry out forensics tasks.

All these challenges show that applying information visualisation techniques to digital forensic data is invaluable. For example, gaining situational awareness of the status of a network consisting of multiple endpoint devices, network nodes such as switches, and network security appliances such as firewalls and intrusion detection systems would be unrealistic for a human to perform manually. The velocity of this data in a large network also tends to be very high. It would be extremely difficult for an analyst to maintain awareness of the hierarchy of the network and the typical activity which takes place across it, and to spot any anomalies in it.

Evidently, forensics data visualisation, as the visual interpretation of high-dimensional, high-volume data, is particularly appropriate for obtaining an overall view of a data set and locating important aspects within it. The main advantages of visualisations include increased situational awareness, the combination of data coming from heterogeneous sources, and the accommodation of different views that allow users to quickly switch among them and get different perspectives on the data. Disadvantages, on the other hand, can include interfaces with too much clutter that may confuse the operator, rendering delays for views incorporating large amounts of data and, worse, misleading operators in ways that result in wrong assumptions.

In conclusion, visualisations are the single easiest way for the human brain to interpret information. By leveraging data visualisations more in a digital evidence investigation workflow, investigators can discover new information that they might otherwise have missed and get to the key evidence in a much more efficient manner, one suited to growing data volumes. Innovative visualisation techniques such as time-based analysis and preconfigured data views tailored to the security incident currently under investigation would give a great push to both active (live) and post-mortem digital forensics analysis. CIPSEC offers the Forensics Service, which incorporates such visualisation functionalities in the context of a comprehensive cyber-security solution and proves their usability in real-world environments of Critical Infrastructure facilities.
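As an added example (not part of the CIPSEC Forensics Service or of the original article), the Python below shows the core of the time-based, heterogeneous-source view the text calls for: records from a firewall, an IDS and a control-system device, each with its own timestamp format, are normalised onto one UTC timeline, bucketed into five-minute windows, and the windows in which several independent sources report activity are flagged for further review. The log formats, host names, addresses and register values are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records from three heterogeneous sources (not real data):
# firewall (local-style timestamp), IDS (ISO 8601) and a PLC (epoch seconds).
SAMPLE_LINES = [
    "2017-05-03 10:00:05 fw01 DENY src=10.0.0.7 dst=192.168.1.20 dport=502",
    '[2017-05-03T10:00:12Z] ids01 ALERT sig="unexpected register write" src=10.0.0.7',
    "1493805620;plc01;WRITE;register=40001;value=0",
    "2017-05-03 10:07:41 fw01 ALLOW src=10.0.0.9 dst=192.168.1.20 dport=502",
    "1493806803;plc01;READ;register=40001",
]

FW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
IDS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\] (\S+) (.*)$")
PLC_RE = re.compile(r"^(\d+);([^;]+);(.*)$")


def parse_event(line):
    """Normalise one record to (utc_datetime, source_host, message); None if unknown."""
    if m := FW_RE.match(line):
        ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    elif m := IDS_RE.match(line):
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    elif m := PLC_RE.match(line):
        ts = datetime.fromtimestamp(int(m[1]), tz=timezone.utc)
    else:
        return None  # unparseable records are kept out of the view, not guessed at
    return ts, m[2], m[3]


def build_timeline(lines, bucket_seconds=300):
    """Map each bucket start (epoch seconds) to a Counter of source hosts seen in it."""
    timeline = defaultdict(Counter)
    for line in lines:
        if ev := parse_event(line):
            bucket = int(ev[0].timestamp()) // bucket_seconds * bucket_seconds
            timeline[bucket][ev[1]] += 1
    return dict(timeline)


def hotspots(timeline, min_sources=2):
    """Buckets where at least min_sources independent sources report activity."""
    return sorted(b for b, c in timeline.items() if len(c) >= min_sources)


def render(timeline):
    """Text bar chart: one row per bucket, one glyph per event, sources listed."""
    rows = []
    for b in sorted(timeline):
        start = datetime.fromtimestamp(b, tz=timezone.utc).strftime("%H:%M")
        total = sum(timeline[b].values())
        rows.append(f"{start} {'#' * total:<6} {','.join(sorted(timeline[b]))}")
    return "\n".join(rows)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LINES)
    print(render(tl))
    print("review windows:", [datetime.fromtimestamp(b, tz=timezone.utc).isoformat() for b in hotspots(tl)])
```

In the sample data only the 10:00 window is reported by all three sources, so it is the one an investigator would open first.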