Use of organisational topologies for forensic investigations serf'17
spareuseratlero
Oct. 3, 2017
1.
03/10/17 © Lero 2015
Use of Organisational Topologies for Forensic Investigations
1st International Workshop on Software Engineering and Digital Forensics (SERF)
George Grispos, Sorren Hanvey & Bashar Nuseibeh
2.
Agenda
Motivation
– Forensic enabled systems
Organisational structures
– The use of Organisational Structures for Forensic Readiness
Organisational Topology
– Mapping structure to topology
– Types of organisational topology
Insights to be gained from topology awareness
3.
Motivation
Highly regulated business environments
– Increasingly important that organisations have digital forensics capabilities.
The need to investigate security incidents and data breaches to
– Establish root cause.
– Prevent similar future incidents.
4.
Need of the hour
Availability of residual data from systems.
– Extraction capabilities
– Associated cost
Organisations must implement forensic-ready systems and infrastructure.
Peisert, 2007; King et al., 2015; Kafali et al., 2016; Stephenson, 2003; Grispos et al., 2015; Tan, 2001; Rowlingson, 2004; Rimmer, 2014; Sule, 2014
5.
Towards Forensic-Ready Systems
Numerous solutions have been explored:
– Implementing policies and processes.
– Aligning systems with forensics objectives.
– Ensuring that the human resources of an organisation contribute towards investigations.
Rowlingson, 2004; Grispos et al., 2013; Reddy et al., 2013; Tan, 2001; Solms et al., 2006
6.
Focus
Availability of residual data from systems.
– Ensuring extraction capabilities
– Reducing associated cost
Ensuring that the human resources of an organisation contribute towards investigations.
Establish and implement an organisational structure that takes into consideration digital forensics.
Grobler et al., 2007; 2010; Elyas et al., 2015
7.
Organisational Structure
Organisational structures:
Are concerned with the relationships between the various members of an organisation.
Tell us, within an organisation,
– “who has the resources”,
– “who talks to whom”,
– “who is accountable for what”,
– “what you can do on your own and what you must do with others”
Donaldson, 1999; Whittington, 2006
8.
Organisational Structure
9.
Organisational Structures for Forensic Readiness
Organisations can establish and prepare an organisational structure that will support digital forensics efforts.
– An organisational structure should define the roles that will handle forensic investigations.
– An organisational structure that takes digital forensics into consideration is likely to encourage forensic readiness.
Grobler & Louwrens, 2007; Elyas et al., 2015
10.
Challenges
The adoption of forensic-ready organisational structures is challenging:
– Hard to achieve without a formally defined process.
– Organisations rarely succeed in making changes in their structure.
– The theories and approaches to manage structural changes are often contradictory.
Colombo & Delmastro, 2002; Todnem, 2005
11.
Vision
The use of topological constructs, to provide a richer representation of organisational structure, will aid in future forensic investigations.
12.
Organisational Topology
Topology is defined as: “the study of shapes and spaces, including properties such as connectedness and boundary”
Organisational topology refers to the representation of organisational structure based on the topological constructs of:
– Containment
– Proximity
– Reachability
13.
Use of Organisational Topology: Goals
Allow forensic investigators to conduct enhanced investigations by identifying:
– Location of assets to be investigated.
– Stakeholders of interest.
Aid in the engineering of forensic-ready systems
– Allocation of roles and responsibilities.
14.
Types of Topology
Organisational structure consists of multiple entities:
– Stakeholders
– Assets
– Access Privileges
The paper defines 3 types of topology:
– Stakeholder Topology
– Cyber Topology
– Workflow Topology
15.
Stakeholder Topology
Represents the stakeholder’s role and responsibilities.
In addition, it defines the lines of accountability.
16.
Stakeholder Topology
Containment (STc(S1,S2)):
– A direct relationship between S1 and a hierarchically lower stakeholder S2
17.
Stakeholder Topology
Proximity (STp(S3,S2)):
– S3 has a relationship to a hierarchically lower stakeholder S2, through one of their subordinates S1
18.
Stakeholder Topology
Reachability (STr(S4,S2)):
– S4 has a relationship to a hierarchically lower stakeholder S2, through the external intervention of S1
19.
Cyber Topology
Represents the relationships between different objects and how they are connected.
20.
Cyber Topology
Containment:
– A relationship that represents the objects stored on a physical machine.
21.
Cyber Topology
Proximity:
– A relationship that represents the objects co-located on the same physical machine.
22.
Cyber Topology
Reachability:
– A relationship that expresses whether two or more objects are virtually connected.
23.
Workflow Topology
Represents the structure of workflow within the organisation.
It defines the flow of instructions for different tasks.
24.
Workflow Topology
Containment (WTc(S1, A1)):
– The relationship exists if a stakeholder S1 has direct access privileges over the asset A1
25.
Workflow Topology
Proximity (WTp(S2, A1)):
– The relationship exists if a stakeholder S2 has a proximity relationship with a stakeholder S1, STp(S2,S1), while S1 has a containment relationship with asset A1, WTc(S1, A1)
26.
Workflow Topology
Reachability (WTr(S3, A1)):
– The relationship exists if a stakeholder S3 has a reachability relationship with a stakeholder S1, STr(S3,S1), while S1 has a containment relationship with asset A1, WTc(S1, A1)
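The stakeholder and workflow relations defined on slides 16 to 26, as an added example that is not part of the original slides or the authors' paper: it derives STp, STr, WTc, WTp and WTr from a small organisation and lists the stakeholders of interest for one asset. The organisation, the asset names and the `LIAISON` table used to model "external intervention" are constructed assumptions, as is reading proximity as exactly one intermediate subordinate.

```python
from collections import defaultdict

# Constructed sample organisation (hypothetical, not from the slides).
REPORTS = {   # STc: stakeholder -> hierarchically lower stakeholders it directly relates to
    "ciso": ["soc_lead", "it_manager"],
    "soc_lead": ["analyst"],
    "it_manager": ["dba"],
}
LIAISON = {   # Assumed model of "external intervention": S4 -> S1 outside S4's own line
    "legal": ["it_manager"],
}
ACCESS = {    # WTc: stakeholder -> assets it has direct access privileges over
    "dba": ["customer_db"],
    "analyst": ["siem"],
}

def st_containment():
    """STc(S1,S2): direct relationship to a hierarchically lower stakeholder."""
    return {(s1, s2) for s1, subs in REPORTS.items() for s2 in subs}

def st_proximity():
    """STp(S3,S2): S3 relates to S2 through one of S3's subordinates S1."""
    stc = st_containment()
    return {(s3, s2) for (s3, s1) in stc for (via, s2) in stc if via == s1}

def st_reachability():
    """STr(S4,S2): S4 relates to S2 through the external intervention of S1."""
    stc = st_containment()
    return {(s4, s2) for s4, vias in LIAISON.items()
            for s1 in vias for (via, s2) in stc if via == s1}

def workflow_topology():
    """Derive WTc, WTp and WTr by composing stakeholder relations with access."""
    wtc = {(s, a) for s, assets in ACCESS.items() for a in assets}
    wtp = {(s2, a) for (s2, s1) in st_proximity() for (h, a) in wtc if h == s1}
    wtr = {(s3, a) for (s3, s1) in st_reachability() for (h, a) in wtc if h == s1}
    return {"containment": wtc, "proximity": wtp, "reachability": wtr}

def stakeholders_of_interest(asset):
    """Group every stakeholder related to `asset` by the kind of relation."""
    found = defaultdict(set)
    for kind, pairs in workflow_topology().items():
        for stakeholder, target in pairs:
            if target == asset:
                found[kind].add(stakeholder)
    return dict(found)

if __name__ == "__main__":
    print(stakeholders_of_interest("customer_db"))
```

As modelled here, `it_manager` has no workflow relation to `customer_db`, because the slides define WTp and WTr over STp and STr only and not over STc.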
27.
Topology Awareness
Topology awareness refers to the insights derived from the analysis of different topological representations of organisational structures.
28.
Topology Awareness: Insights
– Enhance Organisational Forensic Readiness.
– Support Forensic-Enabled Structures.
– Guide change in Organisational Structures.
29.
Organisational Forensic Readiness
Stakeholder topology:
– Would describe the chain of accountability within an organisation.
– Would allow an investigator to identify the boundaries of an incident.
30.
Organisational Forensic Readiness
Cyber Topology:
– Would be used to identify the path of an attack.
31.
Organisational Forensic Readiness
Workflow Topology:
– Defines the different paths an instruction can take before execution.
– Would be used to identify where an incident-causing instruction has originated.
– Identifies the best source of data for an investigation to examine the incident.
32.
Forensic-Enabled Structures
Stakeholder Topology:
– Allows for the assigning of investigatory responsibility to a stakeholder based on a cost-based analysis.
33.
Forensic-Enabled Structures
Cyber topology:
– Investigators can identify the assets that need to be investigated based on their relationships with a compromised asset.
34.
Forensic-Enabled Structures
Workflow Topology:
– Would allow investigators to identify the stakeholders with access to the required data that can enhance an investigation.
35.
Changes in Organisational Structures
Organisations are often in a state of change, adapting to various triggers, limiting the effectiveness of an established forensics-enabled organisational structure.
The use of topology would allow an organisation to automate the allocation of roles and responsibilities.
Topology awareness can inform and drive structural change.
36.
Research Challenges Raised
– Extending the topological definitions to better represent specific forensic readiness requirements.
– Mapping existing structural representations to the relationships defined.
– Incorporating Organisational Topology into a Forensic Readiness Ecosystem.
37.
Conclusions
We have proposed the idea of using topology to express an organisational structure.
We propose the use of topological properties such as containment, proximity and reachability to define a representation of such an organisational structure.
38.
Thank You