D4I-Digital forensics framework for reviewing and investigating cyber attacks
Athanasios Dimitriadis, Boonserm Kulvatunyou, Nenad Ivezic, Ioannis Mavridis
Many companies have cited a lack of cyber-security as the main barrier to Industrie 4.0 or digitalization. Security functions include protection, detection, response and investigation. Cyber-attack investigation is important because it can support the mitigation of damages and the maturing of future prevention approaches. Nowadays, the investigation of cyber-attacks has evolved more than ever, leveraging combinations of intelligent tools and digital forensics processes. Intelligent tools (such as YARA rules and Indicators of Compromise) are effective only when there is prior knowledge about the software and mechanisms used in the cyber-attack, i.e., they are not attack-agnostic. Therefore, the effectiveness of these intelligent tools is inversely proportional to the number of never-seen-before software and mechanisms utilized. Digital forensic processes, while not suffering from such an issue, lack the ability to provide in-depth support to a cyber-attack investigation, because there are insufficient details in the examination and analysis phases of the processes, where the actual investigation takes place. This paper proposes a framework for digital forensics investigation of cyber-attacks called D4I (Digital FORensics framework for Investigation of cyber-attacks in Industrie 4.0 or digitalization), focusing on enhancing the examination and analysis phases. The framework introduces two key properties. First, the framework proposes a digital artifacts categorization and a mapping to the generalized steps of attacks, the Cyber-Kill-Chain. Second, it provides detailed steps for the examination and analysis phases. As a result, D4I provides a step-by-step way to investigate cyber-attacks that is not only attack-agnostic but also provides sufficient details for repeatable and effective investigation.
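The two claims above, that indicator matching needs prior knowledge of the specific software while an artifact categorization keyed to Cyber-Kill-Chain steps does not, can be illustrated with a small script. This is an added example and not code from the D4I paper; the kill-chain step names, the artifact-kind-to-step mapping, the "known" indicator set and the incident artifacts are all constructed here and are not the paper's own categorization.

```python
"""Added illustration (not code from the D4I paper): contrasts
indicator-based matching, which only fires on payloads it already knows,
with an artifact categorization keyed to Cyber-Kill-Chain steps, which
works on artifact kind regardless of the payload. All names, mappings and
sample data below are constructed for this example."""
from dataclasses import dataclass
import hashlib

# Generalized attack steps (ordered).
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Assumed mapping from artifact kind to kill-chain step. Hypothetical; the
# paper's own categorization is not reproduced here.
ARTIFACT_STEP = {
    "mail_attachment": "delivery",
    "browser_download": "delivery",
    "office_child_process": "exploitation",
    "dropped_executable": "installation",
    "persistence_registry_key": "installation",
    "outbound_beacon": "command_and_control",
    "archive_upload": "actions_on_objectives",
}


@dataclass(frozen=True)
class Artifact:
    ts: int          # constructed timestamp (seconds)
    kind: str        # one of the ARTIFACT_STEP keys
    content: bytes   # what an examiner would hash or inspect


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-bad" indicator set, as an IoC feed would supply it.
KNOWN_SAMPLE = b"MZ...dropper-v1..."
KNOWN_HASHES = {sha256(KNOWN_SAMPLE)}


def ioc_hits(artifacts):
    """Indicator matching: flags only artifacts whose hash is already known,
    so a modified variant produces no hit at all."""
    return [a for a in artifacts if sha256(a.content) in KNOWN_HASHES]


def categorize(artifacts):
    """Attack-agnostic categorization: places each artifact under a kill-chain
    step by its kind, in time order, independent of the specific payload."""
    by_step = {step: [] for step in KILL_CHAIN}
    for a in sorted(artifacts, key=lambda a: a.ts):
        step = ARTIFACT_STEP.get(a.kind)
        if step is not None:
            by_step[step].append(a)
    return by_step


def missing_steps(by_step):
    """Steps between the first and last evidenced step with no artifact: the
    gaps the examination phase should go back and look for."""
    evidenced = [i for i, s in enumerate(KILL_CHAIN) if by_step[s]]
    if not evidenced:
        return list(KILL_CHAIN)
    lo, hi = evidenced[0], evidenced[-1]
    return [KILL_CHAIN[i] for i in range(lo, hi + 1) if not by_step[KILL_CHAIN[i]]]


# Constructed incident: same artifact kinds as a known campaign, but the
# dropper is a never-seen-before variant (different bytes, hence hash), and
# no exploitation-stage artifact was collected.
INCIDENT = [
    Artifact(100, "mail_attachment", b"invoice.docm"),
    Artifact(120, "dropped_executable", b"MZ...dropper-v2..."),
    Artifact(300, "outbound_beacon", b"beacon to c2.example"),
]

if __name__ == "__main__":
    print("IoC hits:", len(ioc_hits(INCIDENT)))
    steps = categorize(INCIDENT)
    for step in KILL_CHAIN:
        print(f"{step:24s} {len(steps[step])} artifact(s)")
    print("steps lacking evidence:", missing_steps(steps))
```

Running it shows zero IoC hits for the variant dropper, while the categorization still orders the same artifacts into delivery, installation and command-and-control and reports exploitation as the step still lacking evidence, which is the kind of guidance the examination and analysis phases are meant to give.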