Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner1
Business Process Model and Notation for
Forensic-Ready Software Systems
Lukas Daubner, Raimundas Matulevičius, Barbora Buhnova, Tomas Pitner
daubner@mail.muni.cz
Faculty of Informatics, Masaryk University, Brno
October 21, 2021
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner2
Why Forensic Readiness?
̶ Digital forensic investigation is:
̶ Laborious
̶ Costly
̶ Time-consuming
̶ Delicate
̶ Success is never assured
̶ Data might be unavailable, corrupted, or tampered
̶ Error in evidence handling jeopardies the process
̶ Data might me misleading
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner3
What is Forensic Readiness?
̶ Original definition
̶ Maximizing the usefulness of incident evidence data
̶ Minimizing the cost of forensics during an incident response
̶ Systematic preparation for forensic investigation
̶ Proactive measures
̶ Opposed to actual investigation, which is reactive
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner4
What is Forensic Readiness?
̶ Approached as a set of general guidelines
̶ Collection of evidence
̶ Handling of evidence
̶ Presentation of evidence
̶ Staff training
̶ Escalation policies
̶ Increases likelihood of successful investigation
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner5
Forensic Readiness in Software Engineering
̶ Prepare software system during its development
̶ A.k.a. forensic-by-design
̶ Capable of:
̶ Conducting digital forensic processes in a forensically sound way
̶ Producing forensically sound evidence
̶ High-level non-functional requirement
̶ Measures for the failure of security measures
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner6
Forensic Readiness in Software Engineering
̶ It is true that software systems produce a lot of data
̶ Logs
̶ Documents
̶ Database records
̶ But can we trust them?
̶ Are they complete?
̶ Will they help us during the investigation?
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner7
Requirements
Forensic-Ready Software Systems
̶ High-level non-functional requirement
̶ Further decomposed into:
̶ Risk management to identify them
̶ Availability
̶ Relevance
̶ Minimality
̶ Linkability
̶ Completeness
̶ Non-repudiation
̶ Data provenance
̶ Legal compliance
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner8
Modeling Challenge
Forensic-Ready Software Systems
̶ Provide assistance to the risk management decisions
̶ Represent the requirements in a concreate system
̶ Model incident scenario and the relevant potential evidence
̶ Model relationships between the potential evidence
̶ Model lifecycle and properties of potential evidence
̶ Allow reasoning over the systems
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner9
BPMN4FRSS
BPMN for Forensic-Ready Software Systems
̶ Extension for BPMN 2.0
̶ Model risk management scenarios in BPMN
̶ Introduce the potential digital evidence
̶ Point of origin
̶ Handling
̶ Storage
̶ Relation to other pieces
̶ Possible extensions for specific evidence-assuring mechanism
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner10
Core concepts
BPMN for Forensic-Ready Software Systems
̶ Potential evidence
̶ Where it originates?
̶ Where is it stored?
̶ In what context it is handled?
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner11
Proof of potential digital evidence
BPMN for Forensic-Ready Software Systems
̶ Strengthening the potential evidence
̶ How is it obtained?
̶ When is it created?
̶ How it relates to the original?
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner12
Proof service
BPMN for Forensic-Ready Software Systems
̶ Strengthening the potential evidence using an external service
̶ Possibly 3rd party
̶ What type of service?
̶ How it creates the proof?
̶ Offloading the proof
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner13
Scenario View & Evidence View
BPMN for Forensic-Ready Software Systems
̶ But where are the relationships?
̶ Different needs
=
Different views
̶ One model,
two diagrams
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner14
Lifecycle process
BPMN for Forensic-Ready Software Systems
̶ Reusable model for evidence lifecycle
̶ Reduce the clutter
Business Process Model and Notation for Forensic-Ready
Software Systems — Daubner, Matulevičius, Buhnova, Pitner
15
Example scenario
̶ Autonomous parking
̶ Payment
̶ Generation of parking permit
̶ Risks:
̶ Parking permit injection
̶ Tampered access control
̶ Parking permit repudiation
̶ Zero-day attacks
Business Process Model and Notation for Forensic-Ready
Software Systems — Daubner, Matulevičius, Buhnova, Pitner
17
Example scenario
̶ Evidence View
̶ Relationships
̶ Common data fields
̶ Timing
̶ Strengthening
̶ Nominal execution will
contain everything
̶ Attack should not
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner18
Looking Forward
̶ Having model is just one step…
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner19
Looking Forward
̶ Automated analysis based on the models
̶ Model validation
̶ Hint analysis
̶ Attack scenario analysis
̶ Evidence Generation Analysis
̶ Dispute Analysis
Business Process Model and Notation for Forensic-Ready Software Systems — Daubner, Matulevičius, Buhnova, Pitner20
Conclusion
̶ Forensic readiness is an enhancement to security
̶ Security risk management can be extended for this purpose
̶ BPMN for Forensic-Ready Software Systems
̶ Representation of risk scenario and forensic-ready controls
̶ Scenario and Evidence view of the same model
̶ Foundation for validation and verification methods