03/10/17 © Lero 2015 1
On Evidence Preservation Requirements for Forensic-ready Systems
Dalal Alrajeh, Liliana Pasquale, Bashar Nuseibeh
Outline
- Motivation
- Objective
- Our Solution
- Evaluation
- Conclusion
Motivation
Software systems are becoming more and more pervasive: enterprise software systems, mobile and cloud applications, Internet of Things, social networks.
The risk of software systems being targeted or exploited for malicious use is increasing.
- The number of identity theft incidents has increased to 95% in 2016 [Symantec Internet Security Threat Report 2017]
- Attacks on IoT devices are gaining momentum
  - German Steel Mill Cyber Attack in 2014 [Lee et al. 2014]
It is not always possible to prevent incidents.
A digital investigation is performed to explain an incident.
- The first step consists in the preservation of data relevant to the incident.

Example
Incident: exfiltration of the confidential document.
Environment (figure): employees alice and bob; desktop m1; laptops m2 and m3; location r01; NFC reader nfc; camera cctv; file doc.
Available data sources: access logs, system logs.
A digital investigation is performed to explain how the document was exfiltrated.
However…
Data may not be available during an investigation
- Stored in a volatile memory.
- Not preserved by software systems.
  - Only 57% of the data related to security breaches are logged in a proprietary health care software system [King2017].
Collecting all data is not a viable solution
- Can increase computational complexity of analysis.
- Regulations (e.g., GDPR) disallow access to data that are not relevant to the purpose of the investigation.
Objective
Support the development of software systems that are forensic-ready [Tan2001].
- Perform the activities of a digital investigation proactively to reduce cost.
Our focus is on ensuring that evidence preservation requirements are met.
- Relevant data and the minimal amount of data should be preserved.
Objective
Architecture (figure): digital devices (CCTV, NFC reader, computer) send events to the FR controller (receive(event)); the FR controller decides which events go to storage (preserve(event)); the investigator consults the storage. A domain expert provides the forensic domain model (Environment and Hypotheses); Specification Generation produces the preservation specification (PS) that the FR controller follows.

Assumptions
- Environment and hypotheses are defined manually by the domain expert and are assumed to be correct.
- The hypotheses of an incident are known in advance.
- Dynamic changes of the environment are not considered.

Example
Environment: employees alice and bob; desktop m1; laptops m2 and m3; location r01; NFC reader nfc; camera cctv; file doc.
Hypothesis: the conjectured incident over this environment.
Relevance: sys_copy(doc,…,m1) vs. sys_open(doc,m1)
Minimality: sys_login(…, m1), sys_copy(doc,…,m1) vs. sys_mount(…, m1), sys_copy(doc,…,m1)
Our Solution
- Formalisation
  - Forensic domain model
  - Preservation requirements & specification
- Preservation specification generation
Forensic Domain Model
Environment
- Context: declares
  - types and instances
  - relationships between instances, e.g., mounted(usb1, m1) or in(alice, m1)
- Behaviour: describes the environment dynamics
Environment Behaviour
Primitive history (time: primitive event)
  1: swipe_card(alice, nfc)
  2: cctv_access(alice, cctv)
  3: sys_login(bob, m1)
  4: sys_mount(usb1, m1)
  5: sys_copy(bob, doc, m1)
  6: sys_unmount(usb1, m1)
Primitive events
- Indicate occurrence of an atomic action
- Can be observed from digital devices
Complex events
- Can indicate the execution of human activities
- Can trigger changes in the environment state
- Derived from the history above: enter(alice, r01), login(bob, m1), mount(usb1, m1), copy(bob, doc, m1), unmount(usb1, m1)
State
- Reached as the history unfolds: in(alice, r01); then logged(bob, m1); then mounted(usb, m1)
A	conjecture	about	an	incident	over	a	past	discrete	&me	history.	
Hypotheses
copy(E, doc, m1) and mounted(S,m1)Example:	
enter
(alice, r01)
login
(bob, m1)
mount
(usb1, m1)
copy
(bob, doc, m1)
unmount
(usb1, m1)
Complex	
Events	
Primi#ve	
Events	 swipe_card
(alice, nfc)
1 3 4 5
cctv_access
(alice, cctv)
sys_login
(bob, m1)
sys_mount
(usb1, m1)
sys_copy
(bob,doc, m1)
sys_unmount
(usb1, m1)
62
logged
(bob, m1)
in
(alice, r01)
mounted
(usb, m1)
logged
(bob, m1)
in
(alice, r01)
in
(alice, r01)
logged
(bob, m1)
mounted
(usb, m1)
logged
(bob, m1)
in
(alice, r01)
in
(alice, r01)
State
03/10/17 © Lero 2015 32
A	conjecture	about	an	incident	over	a	past	discrete	&me	history.	
Hypotheses
copy(E, doc, m1) and mounted(S,m1)Example:	
History	sa&sfying	the	hypothesis	
enter
(alice, r01)
login
(bob, m1)
mount
(usb1, m1)
copy
(bob, doc, m1)
unmount
(usb1, m1)
Complex	
Events	
Primi#ve	
Events	 swipe_card
(alice, nfc)
1 3 4 5
cctv_access
(alice, cctv)
sys_login
(bob, m1)
sys_mount
(usb1, m1)
sys_copy
(bob,doc, m1)
sys_unmount
(usb1, m1)
62
logged
(bob, m1)
in
(alice, r01)
mounted
(usb, m1)
logged
(bob, m1)
in
(alice, r01)
in
(alice, r01)
logged
(bob, m1)
mounted
(usb, m1)
logged
(bob, m1)
in
(alice, r01)
in
(alice, r01)
State
Preservation Specification
Statements that prescribe when primitive events must be preserved.
A specification meets the preservation requirements if:
- For every primitive history of the environment satisfying the hypothesis, this history is preserved.

Example (operation schema for preserving the copy of doc):
OP:      preserve(sys_copy(E,doc,m1),T)
DomPre:  !preserved(sys_copy(E,doc,m1),T)
DomPost: preserved(sys_copy(E,doc,m1),T)
ReqTrig: received(sys_copy(E,doc,m1),T)
ReqPre:  preserved(sys_login(E,m1),T1) ∧ preserved(sys_mount(S,m1),T1) ∧
         forall T3 > T2 > T1
           (!preserved(sys_logout(E,m1),T2) U received(sys_copy(E,doc,m1),T3)) and
           (!preserved(sys_unmount(E,m1),T2) U received(sys_copy(E,doc,m1),T3))

History satisfying the hypothesis (time: primitive event) and the expected log:
  1: swipe_card(alice, nfc)     preserve(swipe_card(alice, nfc))
  2: cctv_access(alice, cctv)   preserve(cctv_access(alice, cctv))
  3: sys_login(bob, m1)         preserve(sys_login(bob, m1))
  4: sys_mount(usb1, m1)        preserve(sys_mount(usb1, m1))
  5: sys_copy(bob, doc, m1)     preserve(sys_copy(bob, doc, m1))
  6: sys_unmount(usb1, m1)
Specification Generation
Input:
- Forensic domain model (Environment, Hypotheses)
- Preservation specification (PS), if available.
Output:
- A specification (PS') that satisfies the preservation requirement.
Pipeline (figure): the domain expert provides the forensic domain model; History Generation derives histories ε from Environment and Hypotheses (within bound B); Specification Verification checks PS against them; when PS does not cover the histories, Specification Synthesis produces PS', which is deployed to the FR controller.

History Generation
Checks the feasibility of the hypotheses within the environment.
- Abduction problem of finding Δ+ and Δ- such that Env, Δ+ ⊨ H and Env, Δ- ⊭ H
- Positive history (Δ+), e.g.: swipe_card(alice, nfc), cctv_access(alice, cctv), sys_login(bob, m1), sys_mount(usb1, m1), sys_copy(bob, doc, m1), sys_unmount(usb1, m1)
- Negative history (Δ-), e.g.: swipe_card(alice, nfc), cctv_access(alice, cctv), sys_login(bob, m1), sys_copy(bob, doc, m1)
Failure to find positive histories (Δ+):
- Infeasible hypothesis
- Incomplete environment model
- Insufficient bound
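The environment behaviour (primitive events, complex events, states), the hypothesis check and the bounded abductive search of History Generation, as an added Python example that is not part of the original slides or of the kEEPER prototype. It models the slides' environment in the Event Calculus style: primitive events are mapped to complex events and to the states they initiate or terminate, the hypothesis copy(E, doc, m1) and mounted(S, m1) is evaluated over a history, and a bounded enumeration stands in for the solver-based abduction of Δ+ and Δ-, so that a bound too small reproduces the "insufficient bound" failure mode. The event alphabet, the rule that derives enter(P, r01) from a swipe_card followed by a cctv_access, and all function names are assumptions.

```python
# Added example (not from the paper or the kEEPER prototype): Event Calculus-style
# model of the slides' environment, hypothesis evaluation, and a bounded search
# for positive (Env, D+ |= H) and negative (Env, D- |/= H) primitive histories.
from itertools import product

# Constructed primitive-event alphabet of the environment (assumption).
PRIMITIVE = [
    ("swipe_card", "alice", "nfc"),
    ("cctv_access", "alice", "cctv"),
    ("sys_login", "bob", "m1"),
    ("sys_mount", "usb1", "m1"),
    ("sys_copy", "bob", "doc", "m1"),
    ("sys_unmount", "usb1", "m1"),
    ("sys_logout", "bob", "m1"),
]

# Constructed primitive history from the slides (list position + 1 = time).
SLIDE_HISTORY = PRIMITIVE[:6]

def complex_events(history):
    """Complex (human-activity) events derived from a primitive history, keyed by
    time. Assumed rules: enter(P, r01) when P's swipe_card is immediately followed
    by P's cctv_access; every sys_* event maps to the complex event of the same name."""
    derived = {}
    for t, (name, *args) in enumerate(history, start=1):
        if name == "cctv_access" and t > 1:
            prev = history[t - 2]
            if prev[0] == "swipe_card" and prev[1] == args[0]:
                derived[t] = ("enter", args[0], "r01")
        elif name.startswith("sys_"):
            derived[t] = (name[4:], *args)
    return derived

# Effects of complex events on the state: fluents they initiate / terminate.
INITIATES = {
    "enter": lambda a: ("in", a[0], a[1]),
    "login": lambda a: ("logged", a[0], a[1]),
    "mount": lambda a: ("mounted", a[0], a[1]),
}
TERMINATES = {
    "logout": lambda a: ("logged", a[0], a[1]),
    "unmount": lambda a: ("mounted", a[0], a[1]),
}

def states(history):
    """Fluents holding at each time step, after the event of that step is applied."""
    derived, holding, out = complex_events(history), set(), {}
    for t in range(1, len(history) + 1):
        if t in derived:
            name, *args = derived[t]
            if name in INITIATES:
                holding.add(INITIATES[name](args))
            if name in TERMINATES:
                holding.discard(TERMINATES[name](args))
        out[t] = frozenset(holding)
    return out

def satisfies_hypothesis(history):
    """Hypothesis from the slides: copy(E, doc, m1) and mounted(S, m1).
    Returns (time, bindings) for the first copy of doc on m1 that happens while
    some device S is mounted on m1, or None if the history does not satisfy it."""
    derived, st = complex_events(history), states(history)
    for t, ev in derived.items():
        if ev[0] == "copy" and ev[2:] == ("doc", "m1"):
            for fluent in st[t]:
                if fluent[0] == "mounted" and fluent[2] == "m1":
                    return t, {"E": ev[1], "S": fluent[1]}
    return None

def generate_histories(bound):
    """Bounded abduction by enumeration (the prototype uses an ASP solver instead):
    the first history of length <= bound satisfying the hypothesis (Δ+) and the
    first one not satisfying it (Δ-). A None entry means the bound was insufficient."""
    positive = negative = None
    for length in range(1, bound + 1):
        for candidate in product(PRIMITIVE, repeat=length):
            candidate = list(candidate)
            if satisfies_hypothesis(candidate):
                positive = positive or candidate
            else:
                negative = negative or candidate
            if positive and negative:
                return positive, negative
    return positive, negative

if __name__ == "__main__":
    print(sorted(states(SLIDE_HISTORY)[4]))     # in, logged, mounted
    print(satisfies_hypothesis(SLIDE_HISTORY))  # (5, {'E': 'bob', 'S': 'usb1'})
    print(generate_histories(1))                # (None, ...): bound too small for D+
    print(generate_histories(2))                # shortest D+ and D-
```

With the alphabet above the shortest positive history is a mount followed by a copy, which is exactly the pair of events the hypothesis needs; the enumeration is exponential in the bound, which is why the slides treat the bound as an input and list it among the reasons a positive history may not be found.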
swipe_card
(alice, nfc)
1 3 4 5
cctv_access
(alice, cctv)
sys_login
(bob, m1)
sys_mount
(usb1, m1)
sys_copy
(bob,doc, m1)
sys_unmount
(usb1, m1)
62
History
Generation
Specification Generation
Specification
Verification
Specification
Synthesis
yes (B)
Domain Expert
Environment
ε
Hypotheses
PS
PS'
FR
Controller
preserve
(swipe_card
(alice, nfc))
preserve
(cctv_access
(alice, cctv))
preserve
(sys_login
(bob, m1))
preserve
(sys_mount
(usb1, m1))
preserve
(sys_copy
(bob,doc, m1))
Δ+	
Log+	
Specification Verification
Verifies	whether	the	
exis&ng	specifica&on	
ensures	preserva&on	of	
events	corresponding	to	
the	generated	histories.	
Δ+		
If	the	current	specifica&on	does	not	cover	the	histories:
03/10/17 © Lero 2015 40
History
Generation
Specification Generation
Specification
Verification
Specification
Synthesis
yes (B)
Domain Expert
Environment
ε
Hypotheses
PS
PS'
FR
Controller
preserve
(swipe_card
(alice, nfc))
preserve
(cctv_access
(alice, cctv))
preserve
(sys_login
(bob, m1))
preserve
(sys_mount
(usb1, m1))
preserve
(sys_copy
(bob,doc, m1))
Log+	
Specification Synthesis
Induc&vely	sythesise	a	
specifica&on	that	
prescribes	to	preserve	
Log+	and	not	Log-.	
Ø  Induc&ve	synthesis	problem	of		learning	PS’	such	that	
Env,	PS’		⊨	Log+	 Env,	PS’		⊭	Log-	
preserve
(swipe_card
(alice, nfc))
preserve
(cctv_access
(alice, cctv))
preserve
(sys_login
(bob, m1))
preserve
(sys_copy
(bob,doc, m1))
Log-	
Δ+	
and
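How the FR controller applies the preservation specification (the operation schema for preserve(sys_copy(E,doc,m1),T) in the Preservation Specification section) and how Specification Verification checks a specification against Log+ and Log-, as an added Python example that is not part of the original slides or of the kEEPER prototype. The controller replays a primitive history and performs preserve(event, T) when the event's rule holds; verification checks that the replay of Δ+ covers Log+ and that the replay of Δ- does not produce all of Log-. The slides show only the sys_copy rule, so the unconditional rules for swipe_card, cctv_access, sys_login and sys_mount, the two histories, the naive specification used for contrast and all function names are assumptions.

```python
# Added example (not from the paper or the kEEPER prototype): an FR controller
# that applies a preservation specification to a primitive history, and the
# verification check Env, PS |= Log+ and Env, PS |/= Log- from the slides.

# Constructed histories from the slides (list position + 1 = time T).
DELTA_POS = [  # Δ+: satisfies the hypothesis (the copy happens while usb1 is mounted)
    ("swipe_card", "alice", "nfc"), ("cctv_access", "alice", "cctv"),
    ("sys_login", "bob", "m1"), ("sys_mount", "usb1", "m1"),
    ("sys_copy", "bob", "doc", "m1"), ("sys_unmount", "usb1", "m1"),
]
DELTA_NEG = [  # Δ-: no mount, so this copy is not the conjectured incident
    ("swipe_card", "alice", "nfc"), ("cctv_access", "alice", "cctv"),
    ("sys_login", "bob", "m1"), ("sys_copy", "bob", "doc", "m1"),
]
LOG_POS = DELTA_POS[:5]  # Log+: the slides' expected log (the later unmount is not required)
LOG_NEG = DELTA_NEG      # Log-: a specification must not preserve all of these

def req_pre_sys_copy(preserved, t, event):
    """ReqPre of preserve(sys_copy(E,doc,m1),T): a login of E on m1 and a mount on
    m1 were preserved at some earlier T1, and no logout of E on m1 and no unmount
    on m1 (assumed: any device) was preserved between T1 and the received copy."""
    user = event[1]  # E, the user performing the copy
    logins = [t1 for t1, ev in preserved
              if ev[0] == "sys_login" and ev[1] == user and ev[2] == "m1" and t1 < t]
    mounts = [t1 for t1, ev in preserved
              if ev[0] == "sys_mount" and ev[2] == "m1" and t1 < t]
    for t_login in logins:
        for t_mount in mounts:
            start = max(t_login, t_mount)
            interrupted = any(
                start < t2 < t and (
                    (ev[0] == "sys_logout" and ev[1] == user and ev[2] == "m1")
                    or (ev[0] == "sys_unmount" and ev[2] == "m1"))
                for t2, ev in preserved)
            if not interrupted:
                return True
    return False

# Preservation specification: event name -> ReqPre(preserved so far, T, event).
# Only the sys_copy rule is on the slides; the others are assumed unconditional.
SPEC = {
    "swipe_card": lambda preserved, t, event: True,
    "cctv_access": lambda preserved, t, event: True,
    "sys_login": lambda preserved, t, event: True,
    "sys_mount": lambda preserved, t, event: True,
    "sys_copy": req_pre_sys_copy,
}
# Contrast (assumed): a naive specification that preserves every copy.
NAIVE_SPEC = dict(SPEC, sys_copy=lambda preserved, t, event: True)

def run_controller(spec, history):
    """Replay the history through the FR controller. At each received event (ReqTrig)
    it performs preserve(event, T) if the event is not already preserved (DomPre)
    and the rule's ReqPre holds; the appended entry is the DomPost."""
    preserved = []
    for t, event in enumerate(history, start=1):
        rule = spec.get(event[0])
        if rule is not None and (t, event) not in preserved and rule(preserved, t, event):
            preserved.append((t, event))
    return preserved

def verify(spec, delta_pos, log_pos, delta_neg, log_neg):
    """Specification Verification from the slides: the replay of Δ+ must preserve
    every event in Log+, and the replay of Δ- must not preserve all of Log-."""
    got_pos = [event for _, event in run_controller(spec, delta_pos)]
    got_neg = [event for _, event in run_controller(spec, delta_neg)]
    covers_positive = all(event in got_pos for event in log_pos)
    entails_negative = all(event in got_neg for event in log_neg)
    return covers_positive and not entails_negative

if __name__ == "__main__":
    for t, event in run_controller(SPEC, DELTA_POS):
        print(f"T={t}: preserve({event[0]}{event[1:]})")
    print("SPEC verified:", verify(SPEC, DELTA_POS, LOG_POS, DELTA_NEG, LOG_NEG))         # True
    print("NAIVE verified:", verify(NAIVE_SPEC, DELTA_POS, LOG_POS, DELTA_NEG, LOG_NEG))  # False
```

The naive specification covers Log+ just as well, but it also preserves the unrelated copy in Δ-, so it fails the second half of the check: this is the minimality side of the requirement, and it is the case that sends the pipeline on to Specification Synthesis. Because the interruption clause of ReqPre only looks at preserved logout and unmount events, it has an effect only under a specification that also preserves those events.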
Evaluation
- Prototype implementation [https://github.com/lpasquale/kEEPER]
  - Forensic domain model: declarative program with constraints (Event Calculus)
  - History Generation and Specification Verification: Boolean constraint solver (Clingo)
  - Specification Synthesis: logic-based learner (XHAIL)
- Incident scenarios data-sets [digitalcorpora.org]
  - University Harassment
  - Corporate Exfiltration
Evaluation
Could the hypotheses be supported by the incident data-set?
- Only h2 is supported in the dataset:
  - An anonymous email is sent from a browser associated with a cookie identified through an email address (jcoach@gmail.com).
What data relevant to the hypotheses do we avoid preserving?
- The data-set includes 577,760 network data streams exchanged.
- Our approach: 0.71% of the entire data-set.

Paper excerpt shown on the slide (cropped; only the readable parts are kept):
Table 2: Number of events preserved.
       SUE   SC   EM     SAE
h1     0     –    –      –
h2     –     2    3830   300
h3     –     –    –
Total: 4132 events
Only 956 data streams corresponding to HTTP traffic from the Mozilla browser were necessary to support h2; although the specification consistently reduces the amount of data to be analysed by an investigator, it does not fully ensure the minimality requirement, since 2874 (69%) data streams were not relevant to support h2.
Conclusion
First step towards a rigorous approach to developing forensic-ready systems.
✓ Ensure preservation of relevant events.
✓ Provide insights about evidence preservation capabilities of existing software.
✓ Prescribe preservation of fewer data.
Future work
- Facilitate the definition of the forensic domain model.
- Handle changes of the environment to adapt the preservation specification at runtime.
- Manage tradeoffs with other conflicting requirements.
THANK YOU
Scalability (backup slide)
Figures from the paper: Fig. 5, spec generation time (s) for an increasing number of traces; Fig. 6, spec generation time (s) for traces having an increasing length. The slide labels them "Increasing number of histories" and "Increasing history length".
The cropped paper excerpt on the slide notes that, where longer histories are required, a solution would be to break the considered hypothesis into simpler ones that are evaluated separately and require shorter histories.
University Harassment Scenario
An academic receives harassment emails.
- h1: an email is sent to an academic by someone using an external address
- h2: an anonymous email is sent by an individual who can be identified through the browser and the cookie id (referring to the email address of the offender)
- h3: an anonymous email is sent by an individual who cannot be identified

Paper excerpt shown on the slide (cropped; readable part): … take place includes students and academic staff who can send emails by using the university and students' residence internal network. The available data-set (TCP packets captured) allowed us to preserve events related to the network traffic that transits through one of the routers placed inside the students' residence. We modelled the hypotheses h1, h2 and h3 listed above.

Performance
Table I: Performance for the harassment scenario.
       Instances             Execution time (s)
       #Pos    #Neg  Length  HI    SV    SG      Total
h1     1 / 4   0     1       ~0    0.01  0.23    0.24
h2     1 / 32  4     3       0.08  0.19  39.913  40.183
h3     1 / 8   0     1       0.01  0.03  0.301   0.341
Evaluation
- Specification generation for 2 incident scenarios data-sets [digitalcorpora.org]
  - University Harassment
  - Corporate Exfiltration
- For each scenario we asked:
  - Could the hypotheses be supported by the incident data-set?
  - Does our approach prescribe preservation of logging events that are not in the data-set?
  - Are there data relevant to the incident hypotheses that our approach does not prescribe to preserve?
  The last two questions assess the two requirements: Relevance and Minimality.

Are all hypotheses supported by the incident data-set?
- Only h2 is supported in the dataset:
  - An incoming set-cookie message associated with jcoach@gmail.com and received by IP 192.168.015.004 was preserved.
h1: an email is sent to an academic by someone using an external address;
h2: an anonymous email is sent by an individual identifiable through the cookie and his/her browser agents;
h3: an anonymous email is sent by an individual who cannot be identified.

ISPM 15 Heat Treated Wood Stamps and why your shipping must have oneISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
Las Vegas Warehouse
 
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball playEric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
enizeyimana36
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
Madan Karki
 
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELDEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
gerogepatton
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
IJECEIAES
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
VICTOR MAESTRE RAMIREZ
 
Recycled Concrete Aggregate in Construction Part II
Recycled Concrete Aggregate in Construction Part IIRecycled Concrete Aggregate in Construction Part II
Recycled Concrete Aggregate in Construction Part II
Aditya Rajan Patra
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
bijceesjournal
 
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptxML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
JamalHussainArman
 
Textile Chemical Processing and Dyeing.pdf
Textile Chemical Processing and Dyeing.pdfTextile Chemical Processing and Dyeing.pdf
Textile Chemical Processing and Dyeing.pdf
NazakatAliKhoso2
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
SUTEJAS
 

Recently uploaded (20)

官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
 
Casting-Defect-inSlab continuous casting.pdf
Casting-Defect-inSlab continuous casting.pdfCasting-Defect-inSlab continuous casting.pdf
Casting-Defect-inSlab continuous casting.pdf
 
New techniques for characterising damage in rock slopes.pdf
New techniques for characterising damage in rock slopes.pdfNew techniques for characterising damage in rock slopes.pdf
New techniques for characterising damage in rock slopes.pdf
 
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
 
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdfBPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
 
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECTCHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
 
Heat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation pptHeat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation ppt
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
 
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have oneISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
 
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball playEric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
 
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELDEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
 
Recycled Concrete Aggregate in Construction Part II
Recycled Concrete Aggregate in Construction Part IIRecycled Concrete Aggregate in Construction Part II
Recycled Concrete Aggregate in Construction Part II
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
 
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptxML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
 
Textile Chemical Processing and Dyeing.pdf
Textile Chemical Processing and Dyeing.pdfTextile Chemical Processing and Dyeing.pdf
Textile Chemical Processing and Dyeing.pdf
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
 

ESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready Systems

  • 1. 03/10/17 © Lero 2015. Dalal Alrajeh, Liliana Pasquale, Bashar Nuseibeh: On Evidence Preservation Requirements for Forensic-ready Systems.
  • 2. Outline: Motivation; Objective; Our Solution; Evaluation; Conclusion.
  • 3. Motivation. Software systems are becoming more and more pervasive: enterprise software systems, mobile and cloud applications, the Internet of Things, social networks.
  • 4. Motivation. The risk of software systems being targeted or exploited for malicious use is increasing. The number of identity theft incidents has increased to 95% in 2016 [Symantec Internet Security Threat Report 2017]. Attacks on IoT devices are gaining momentum, e.g. the German steel mill cyber attack in 2014 [Lee et al. 2014].
  • 5. It is not always possible to prevent incidents. A digital investigation is performed to explain an incident. Its first step consists in the preservation of data relevant to the incident.
  • 6-9. Example. Environment: employees alice and bob; laptops m2 and m3; desktop m1; location r01; NFC reader nfc; CCTV camera cctv; file doc. Incident: exfiltration of the confidential document doc. Available data: access logs and system logs. A digital investigation is performed to explain how the document was exfiltrated.
  • 10-14. However... Data may not be available during an investigation: it may be stored in volatile memory, or not preserved by the software system at all (only 57% of the data related to security breaches are logged in a proprietary health care software system [King2017]). Collecting all data is not a viable solution either: it can increase the computational complexity of the analysis, and regulations (e.g., GDPR) disallow access to data that are not relevant to the purpose of the investigation.
  • 15. Outline: Objective.
  • 16. Objective. Support the development of software systems that are forensic-ready [Tan2001], i.e. that perform the activities of a digital investigation proactively to reduce cost. Our focus is on ensuring that evidence preservation requirements are met: the relevant data, and the minimal amount of data, should be preserved.
  • 17. Objective (architecture). The event sources (COMPUTER, NFC, CCTV) deliver events to a forensic-ready (FR) Controller via receive(event); the controller writes the events to be kept to Storage via preserve(event), from which the Investigator later retrieves them.
  • 18. Assumptions: the environment and the hypotheses are defined manually by a domain expert and are assumed to be correct; the hypotheses of an incident are known in advance; dynamic changes of the environment are not considered. Specification generation: the domain expert provides a forensic domain model (Environment, Hypotheses); Specification Generation produces a preservation specification (PS) that configures the FR Controller.
  • 19-20. Objective (example). Environment and Hypothesis are both expressed over the model above (employees, machines, room r01, reader nfc, camera cctv, file doc). Relevance: preserve sys_copy(doc, …, m1) rather than sys_open(doc, m1). Minimality: between preserving sys_login(…, m1), sys_mount(…, m1) and sys_copy(doc, …, m1), and preserving only sys_copy(doc, …, m1), no more data than the hypothesis needs should be kept.
  • 21. Our Solution: formalisation (forensic domain model; preservation requirements and specification); preservation specification generation.
  • 22-24. Forensic Domain Model. The Environment consists of a Context and a Behaviour. The Context declares types and instances, and relationships between instances, e.g. mounted(usb1, m1) or in(alice, m1). The Behaviour describes the environment dynamics.
  • 25-26. Environment behaviour: primitive events indicate the occurrence of an atomic action and can be observed from digital devices. Primitive history (time: event): 1: swipe_card(alice, nfc); 2: cctv_access(alice, cctv); 3: sys_login(bob, m1); 4: sys_mount(usb1, m1); 5: sys_copy(bob, doc, m1); 6: sys_unmount(usb1, m1).
  • 27-30. Complex events can indicate the execution of human activities and can trigger changes in the environment state. For the history above: enter(alice, r01) initiates in(alice, r01); login(bob, m1) initiates logged(bob, m1); mount(usb1, m1) initiates mounted(usb, m1); copy(bob, doc, m1) occurs while in(alice, r01), logged(bob, m1) and mounted(usb, m1) hold; unmount(usb1, m1) terminates mounted(usb, m1), leaving in(alice, r01) and logged(bob, m1).
  • 31-32. Hypotheses. A hypothesis is a conjecture about an incident over a past discrete-time history. Example: copy(E, doc, m1) and mounted(S, m1). The history above satisfies this hypothesis: at time 5, copy(bob, doc, m1) occurs while mounted(usb, m1) holds.
  • 33. Preservation Specification: statements that prescribe when primitive events must be preserved. A specification meets the preservation requirements if, for every primitive history of the environment satisfying the hypothesis, that history is preserved. Example operation:
    OP: preserve(sys_copy(…), T)
    DomPre: !preserved(sys_copy(E, doc, m1), T)
    DomPost: preserved(sys_copy(E, doc, m1), T)
    ReqTrig: received(sys_copy(E, doc, m1), T)
    ReqPre: preserved(sys_login(E, m1), T1) ∧ preserved(sys_mount(S, m1), T1) ∧ ∀ T3 > T2 > T1: (!preserved(sys_logout(E, m1), T2) U received(sys_copy(E, doc, m1), T3)) ∧ (!preserved(sys_unmount(E, m1), T2) U received(sys_copy(E, doc, m1), T3))
  • 34. Expected log for the history satisfying the hypothesis: preserve(swipe_card(alice, nfc)), preserve(cctv_access(alice, cctv)), preserve(sys_login(bob, m1)), preserve(sys_mount(usb1, m1)), preserve(sys_copy(bob, doc, m1)); sys_unmount(usb1, m1) is not preserved.
  • 35-36. Specification Generation. Input: the forensic domain model (Environment ε, Hypotheses) and, if available, an existing preservation specification (PS). Output: a specification PS' that satisfies the preservation requirement. Steps: History Generation, Specification Verification and, when needed, Specification Synthesis; the result is deployed to the FR Controller.
  • 37. History Generation checks the feasibility of the hypotheses within the environment. It is the abduction problem of finding Δ+ and Δ- such that Env, Δ+ ⊨ H and Env, Δ- ⊭ H. Positive history (Δ+): the six-event history above. Negative history (Δ-): swipe_card(alice, nfc), cctv_access(alice, cctv), sys_login(bob, m1), sys_copy(bob, doc, m1) (no mount, so mounted(S, m1) never holds).
  • 38. Failure to find positive histories (Δ+) indicates an infeasible hypothesis, an incomplete environment model, or an insufficient bound (B) on the history length.
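The environment behaviour, the hypothesis and history generation of slides 25-38, worked through as an added Python example. This is not code from the paper or from the kEEPER prototype (which encodes the model in Event Calculus and solves it with Clingo and XHAIL). Assumptions of mine: the NFC reader is located in r01, so swipe_card(P, nfc) yields enter(P, r01); cctv_access changes no fluent; the effect rules and the ground event alphabet for the bounded search are constructed, and history generation is plain enumeration up to a bound, standing in for the solver's abduction.

```python
"""Toy event-calculus model of the slides' environment (added example).
Primitive events map to complex events, complex events initiate/terminate
fluents, a hypothesis is checked over a history, and a bounded search finds
a positive history (Env, D+ |= H) and a negative one (Env, D- |/= H)."""
from itertools import product

# Context (constructed): the NFC reader sits in room r01.
READER_LOCATION = {"nfc": "r01"}

# Constructed primitive histories, in the order used on the slides.
POSITIVE_HISTORY = [
    ("swipe_card", ("alice", "nfc")),
    ("cctv_access", ("alice", "cctv")),
    ("sys_login", ("bob", "m1")),
    ("sys_mount", ("usb1", "m1")),
    ("sys_copy", ("bob", "doc", "m1")),
    ("sys_unmount", ("usb1", "m1")),
]
NEGATIVE_HISTORY = [e for e in POSITIVE_HISTORY if e[0] != "sys_mount"]


def complex_event(primitive):
    """Behaviour: map one primitive event to the complex event it indicates."""
    name, args = primitive
    if name == "swipe_card":
        person, reader = args
        return ("enter", (person, READER_LOCATION[reader]))
    if name == "sys_login":
        return ("login", args)
    if name == "sys_logout":
        return ("logout", args)
    if name == "sys_mount":
        return ("mount", args)
    if name == "sys_unmount":
        return ("unmount", args)
    if name == "sys_copy":
        return ("copy", args)
    return None  # e.g. cctv_access: observed, but changes no fluent


# Fluents initiated / terminated by complex events (assumed effect rules).
INITIATES = {"enter": "in", "login": "logged", "mount": "mounted"}
TERMINATES = {"logout": "logged", "unmount": "mounted"}


def states(history):
    """States s_1..s_n: s_t is the set of fluents holding at time t, i.e.
    initiated by an event before t and not terminated since."""
    state, result = set(), []
    for primitive in history:
        result.append(frozenset(state))
        ce = complex_event(primitive)
        if ce is None:
            continue
        name, args = ce
        if name in INITIATES:
            state.add((INITIATES[name], args))
        if name in TERMINATES:
            state.discard((TERMINATES[name], args))
    return result


def satisfies(history):
    """H: at some time T, copy(E, doc, m1) happens while mounted(S, m1) holds."""
    for state, primitive in zip(states(history), history):
        ce = complex_event(primitive)
        if ce and ce[0] == "copy" and ce[1][1:] == ("doc", "m1"):
            if any(f == "mounted" and a[1] == "m1" for f, a in state):
                return True
    return False


# Ground event alphabet for bounded history generation (constructed).
ALPHABET = [
    ("sys_login", ("bob", "m1")),
    ("sys_mount", ("usb1", "m1")),
    ("sys_copy", ("bob", "doc", "m1")),
    ("sys_unmount", ("usb1", "m1")),
]


def generate_histories(bound):
    """Bounded abduction by enumeration: the first history of length <= bound
    satisfying H (D+) and the first not satisfying it (D-); None if absent."""
    positive = negative = None
    for length in range(1, bound + 1):
        for seq in product(ALPHABET, repeat=length):
            history = list(seq)
            if positive is None and satisfies(history):
                positive = history
            elif negative is None and not satisfies(history):
                negative = history
            if positive and negative:
                return positive, negative
    return positive, negative
```

generate_histories(1) finds no positive history, which is the "insufficient bound" outcome of slide 38 (the hypothesis needs at least a mount followed by a copy); generate_histories(2) returns Δ+ = [sys_mount, sys_copy] and Δ- = [sys_login].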
  • 39. Specification Verification verifies whether the existing specification ensures preservation of the events corresponding to the generated histories: from Δ+ it derives the expected log Log+ (preserve(swipe_card(alice, nfc)), preserve(cctv_access(alice, cctv)), preserve(sys_login(bob, m1)), preserve(sys_mount(usb1, m1)), preserve(sys_copy(bob, doc, m1))). If the current specification does not cover the histories, Specification Synthesis is invoked.
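The preservation specification of slides 33-34 and the verification step of slide 39, as an added Python example (not the FR Controller of the kEEPER prototype). Assumptions of mine: swipe_card, cctv_access, sys_login and sys_mount are preserved unconditionally, because the slides only spell out the operation for sys_copy; the logout/unmount guards of ReqPre are evaluated over preserved events exactly as the slide writes them, so under this specification, which preserves neither sys_logout nor sys_unmount, they never block a copy; the histories are the constructed ones from the slides.

```python
"""Runtime reading of the slides' preservation specification (added example).
Received primitive events are offered to a controller that preserves an
event only when the operation's required precondition (ReqPre) holds over
what was already preserved; verify() then compares the log produced for a
history with the log expected for it."""

# Constructed positive history (Delta+) and the negative history (Delta-)
# obtained by dropping the mount; time is the 1-based index.
POSITIVE_HISTORY = [
    ("swipe_card", ("alice", "nfc")),
    ("cctv_access", ("alice", "cctv")),
    ("sys_login", ("bob", "m1")),
    ("sys_mount", ("usb1", "m1")),
    ("sys_copy", ("bob", "doc", "m1")),
    ("sys_unmount", ("usb1", "m1")),
]
NEGATIVE_HISTORY = [e for e in POSITIVE_HISTORY if e[0] != "sys_mount"]

# Assumption: the slides only show the operation for sys_copy, so the other
# events of the expected log are preserved unconditionally. sys_logout and
# sys_unmount have no preserve operation in this specification.
ALWAYS_PRESERVE = {"swipe_card", "cctv_access", "sys_login", "sys_mount"}


class FRController:
    def __init__(self):
        self.storage = []  # preserved (time, event) pairs

    def _last(self, name, pred, before):
        """Latest time < before at which a preserved `name` event satisfies pred."""
        times = [t for t, (n, a) in self.storage if t < before and n == name and pred(a)]
        return max(times) if times else None

    def _none_between(self, name, pred, start, end):
        """No preserved `name` event satisfying pred strictly between start and end."""
        return not any(start < t < end and n == name and pred(a)
                       for t, (n, a) in self.storage)

    def req_pre_sys_copy(self, actor, machine, t):
        """ReqPre of preserve(sys_copy(E, doc, m1), T): a login by E on m1 and a
        mount on m1 were preserved earlier, and no preserved logout of E or
        unmount on m1 occurred between them and the copy."""
        t_login = self._last("sys_login", lambda a: a == (actor, machine), t)
        t_mount = self._last("sys_mount", lambda a: a[1] == machine, t)
        if t_login is None or t_mount is None:
            return False
        return (self._none_between("sys_logout", lambda a: a == (actor, machine), t_login, t)
                and self._none_between("sys_unmount", lambda a: a[1] == machine, t_mount, t))

    def receive(self, t, event):
        """ReqTrig received(e, T): preserve e if DomPre (not yet preserved) and
        the operation's ReqPre hold. Returns True when e is preserved."""
        name, args = event
        if (t, event) in self.storage:  # DomPre: !preserved(e, T)
            return False
        if name in ALWAYS_PRESERVE:
            ok = True
        elif name == "sys_copy":
            actor, file_, machine = args
            ok = (file_, machine) == ("doc", "m1") and self.req_pre_sys_copy(actor, machine, t)
        else:
            ok = False
        if ok:
            self.storage.append((t, event))  # DomPost: preserved(e, T)
        return ok


def run(history):
    """Offer a primitive history to a fresh controller; return the preserved log."""
    ctrl = FRController()
    for t, event in enumerate(history, start=1):
        ctrl.receive(t, event)
    return [event for _, event in ctrl.storage]


def verify(history, expected_log):
    """Specification verification: the specification covers the history iff
    it preserves exactly the expected log for it."""
    return run(history) == expected_log


# Expected log for Delta+ on the slides: events 1-5, not the trailing unmount.
EXPECTED_LOG_PLUS = POSITIVE_HISTORY[:5]
```

On Δ+ the controller produces exactly Log+; on Δ- the copy is not preserved because no mount on m1 was preserved before it, so the specification does not produce Log- (slide 40's Env, PS' ⊭ Log-). A login by a different user than the one copying also fails ReqPre, since E is shared between sys_login and sys_copy.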
  • 40. Specification Synthesis inductively synthesises a specification that prescribes to preserve Log+ and not Log-: the inductive synthesis problem of learning PS' such that Env, PS' ⊨ Log+ and Env, PS' ⊭ Log-. Log+: preserve(swipe_card(alice, nfc)), preserve(cctv_access(alice, cctv)), preserve(sys_login(bob, m1)), preserve(sys_mount(usb1, m1)), preserve(sys_copy(bob, doc, m1)). Log- (from Δ-): preserve(swipe_card(alice, nfc)), preserve(cctv_access(alice, cctv)), preserve(sys_login(bob, m1)), preserve(sys_copy(bob, doc, m1)).
  • 41. Outline: Evaluation.
  • 42-46. Evaluation. Prototype implementation [https://github.com/lpasquale/kEEPER]: the forensic domain model is a declarative program with constraints (Event Calculus); History Generation and Specification Verification use a Boolean constraint solver (Clingo); Specification Synthesis uses a logic-based learner (XHAIL). Incident scenario data-sets [digitalcorpora.org]: University Harassment; Corporate Exfiltration.
  • 47. Evaluation (University Harassment). Could the hypotheses be supported by the incident data-set? Only h2 is supported: an anonymous email is sent from a browser associated with a cookie identified through an email address (jcoach@gmail.com). What data relevant to the hypotheses do we avoid preserving? The data-set includes 577,760 network data streams; our approach preserves 4,132 events, 0.71% of the entire data-set.
    Table 2: Number of events preserved.
                SUE    SC    EM     SAE
    h1          0      -     -      -
    h2          -      2     3830   300
    h3          -      -     -
    Total: 4132 events.
    Not all streams preserved were necessary to support the hypotheses: for this scenario, only 956 data streams corresponding to HTTP traffic originating from the Mozilla browser were necessary to support h2. Therefore, although our specification consistently reduces the amount of data to be analysed by an investigator, it does not completely ensure the minimality requirement, since 2874 (69%) of the preserved data streams were not relevant to support h2. We also applied our approach to a more complex corporate exfiltration scenario.
  • 48. Conclusion. A first step towards a rigorous approach to developing forensic-ready systems: ✓ ensure preservation of relevant events; ✓ provide insights about the evidence preservation capabilities of existing software; ✓ prescribe preservation of fewer data. Future work: facilitate the definition of the forensic domain model; handle changes of the environment to adapt the preservation specification at runtime; manage trade-offs with other conflicting requirements.
  • 49. Thank you.
  • 50. Scalability (backup slide). Plots from the paper: Fig. 5, specification generation time (s) for an increasing number of histories (traces); Fig. 6, specification generation time (s) for histories of increasing length. Where longer histories are required, a solution would be to decompose the considered hypothesis into simpler ones that can be evaluated separately and require shorter histories to be satisfied. The slide also carries fragments of the paper's related-work section: forensic readiness management systems (Reddy and Venter [21]), the ISO/IEC 27043 standard on pre-incident collection, and proactive evidence preservation in environments like cloud systems (Shield et al. [26]).
  • 51. University Harassment Scenario (backup slide). An academic receives harassment emails. The environment in which the incident takes place includes students and academic staff who can send emails using the university and students' residence internal network. The available data-set (captured TCP packets) allowed us to preserve events related to the network traffic that transits through one of the routers placed inside the students' residence. Hypotheses: h1) an email is sent to an academic by someone using an external address; h2) an anonymous email is sent by an individual who can be identified through the browser and the cookie id (referring to the email address of the offender); h3) an anonymous email is sent by an individual who cannot be identified.
    Table I: Performance for the harassment scenario (Instances: #Pos, #Neg, Length; Execution time in seconds: HI, SV, SG, Total).
          #Pos    #Neg   Length   HI     SV     SG       Total
    h1    1 / 4   0      1        ~0     0.01   0.23     0.24
    h2    1 / 32  4      3        0.08   0.19   39.913   40.183
    h3    1 / 8   0      1        0.01   0.03   0.301    0.341
  • 52. Evaluation. Specification generation for two incident scenario data-sets [digitalcorpora.org]: University Harassment and Corporate Exfiltration. For each scenario we asked: Could the hypotheses be supported by the incident data-set? Does our approach prescribe preservation of logging events that are not in the data-set? (Relevance) Are there data relevant to the incident hypotheses that our approach does not prescribe to preserve? (Minimality)
  • 53. Evaluation. Are all hypotheses supported by the incident data-set? h1: an email is sent to an academic by someone using an external address; h2: an anonymous email is sent by an individual identifiable through the cookie and his/her browser agents; h3: an anonymous email is sent by an individual who cannot be identified. Only h2 is supported in the data-set: an incoming set-cookie message associated with jcoach@gmail.com and received by IP 192.168.015.004 was preserved.