Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


Forensic readiness of business information systems can support future forensics investigation or auditing on external/internal attacks, internal sabotage and espionage, and business fraud. To establish forensics readiness, it is essential for an organization to identify which fingerprints are relevant and where they can be located, to determine whether they are logged in a forensically sound way and whether all the needed fingerprints are available to reconstruct the events successfully. Also, a fingerprint identification and locating mechanism should be provided to guide potential forensics investigation in the future. Furthermore, mechanisms should be established to automate the security incident tracking and reconstruction processes. In this research, external and internal attacks are first modeled as augmented attack trees based on the vulnerabilities of business information systems. Then, modeled attacks are conducted against a honeynet that simulates an online business information system, and a forensic investigation follows each attack. Finally, an evidence tree, which is expected to provide the necessary contextual information to automate the attack tracking and reconstruction process in the future, is built for each attack based on fingerprints identified and located within the system.


Cappelli, D., Moore, A., Trzeciak, R., and Shimeall, T. (2009). Common sense guide to prevention and detection of inside threats, 3rd edition. White Paper of CMU CyLab.

Carrier, B. & Spafford, E. (2003, Fall). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2). Retrieved from http://www.cerias.purdue.edu/ssl/techreports-ssl/2003-29.pdf

Carrier, B. & Spafford, E. (2004, July). An event-based digital forensic investigation framework. In Proceedings of Digital Forensic Research Workshop. Retrieved from http://www.digitalevidence.org/papers/dfrws_event.pdf

Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (3rd edition). Burlington, MA: Elsevier.

CENZIC. (2008). Cenzic Application Security Trends Report -- Q1 2008. Retrieved from http://www2.cenzic.com/downloads/Cenzic_AppSecTrends_Q1_2008.pdf

CeBuSoft. (2013). CeBuSoft Accounting Information System. Retrieved from http://cebusoft-accounting-information-system.software.informer.com

Chen, P., Laih C., Pouget E., & Dacier M. (2005). Comparative survey of local honeypot sensor to assist network forensics. In Proceedings of the 1st International Workshop on Systematic Approach to Digital Forensics Engineering.

De Aalst, W., Van Hee, K., Van De Werf, J., Kumar, A., & Verdonk, M. (2009). Conceptual model for on line auditing. Retrieved from http://www.personal.psu.edu/axk41/olat09.pdf

Endicott-Popovsky, B., & Frincke, D. (2004). Adding the fourth “R”. In Proceeding of the 2004 IEEE Workshop on Information Assurance.

Endicott-Popovsky, B., Frincke, D.A., and Taylor, C.A. (2007, May). A theoretical framework for organizational network forensic readiness. Journal of Computers, 2(3), 1-11.

Espiner, T. (2008, Dec). Businesses urged to devise digital-forensics plans. ZDNet Web site. Retrieved from http://www.zdnet.com/businesses-urged-todevise-digital-forensics-plans-3039569682/

Fratto, M. (2008). 2008 security survey: we’re spending more, but data’s no safer than last year. InformationWeek Security. Retrieved from http://www.informationweek.com/security/management /2008-security-surveywere-spending-more/208800942

Gu, L., Liang, J., & Wang, J. (2005, December). Theoretical framework and method of detecting accounting fraud.

Journal of Modern Accounting and Auditing, 1(7), 66-71. Hoffman, P. (2007, January 25). RSA survey reports low level of trust in online banking security. eWeek News. Retrieved from http://www.eweek.com/c/a/Security/RSA-Survey-Reports-Low-Level-ofTrust-in-Online-Banking-Security/

The Honeynet Project. (2013). Retrieved from http://www.honeynet.org

Ingols, K., Lippmann, R., & Piwowarski, K. (2006). Practical attack graph generation for network defense. In Proceedings of 22nd IEEE Annual Computer Security Applications Conference.

Ingols, K., Chu, M., Lippmann, R., Webster, S., & Boyer, S. (2009). Modeling modern network attacks and countermeasures using attack graphs. In Proceedings of the 25th IEEE Annual Computer Security Applications Conference.

Jeyaraman, S. & Atallah, M. (2006). An empirical study of automatic event reconstruction systems. Journal of Digital Investigations, 3S, 108-115. Jha, S.,

Sheyner, O., & Wing, J. (2002). Two formal analyses of attack graphs. In Proceedings of the Computer Security Foundations Workshop, pp. 45-59.

Khattab, S., Melhem, R., Mosse, D., & Znati, T. (2006). Honeypot backpropagation for mitigating spoofing distributed denial-of-service attacks. In Proceedings of the 20th Parallel and Distributed Processing Symposium (IPDPS 2006), 25-29 April 2006.

Krasser, S., Grizzard, J., & Owen, H. (2005). The use of honeynets to increase computer network security and user awareness. Journal of Security Education, 1(2/3), 23-37.

Larson, C. (2008, February). Accounting Fraud and Institutional Investors. PhD Dissertation, University of Michigan.

Levine, J., Grizzard, B., & Owen, H. (2004). Using honeynets to protect large enterprise networks. IEEE Security and Privacy, 2(6), 73-75..

Levine, J., Labella, R., Owen, H., Contis, D., & Culver, B. (2003). The use of honeynets to detect exploited system across large enterprise networks. In Proceedings of the 2003 IEEE Workshop on Information Assurance.

Mauw, S. & Oostdijk, M. (2005). Foundations of attack trees. In Won, D., Kim, S., eds., International Conference on Information Security and Cryptology – ICISC 2005. Volume 3935 of LNCS, Springer, 186–198.

Moore, A., Cappelli, D. & Trzeciak, R. (2008). The “big picture” of insider IT sabotage across U.S. critical infrastructures. Software Engineering Institute, Carnegie Mellon University.

Poolsapassit, N. & Ray, I. (2007). Investigating computer attacks using attack trees. In IFIP International Federation for Information Processing, Vol. 242. Advanced Digital Forensics III.

Pouget, F. & Dacier, M. (2004). Honeypot-based Forensics. In Proceedings Of AusCERT Asia Pacific Information technology Security Conference 2004(AusCERT2004).

Ramzan, Z. (2008, December 24). Security trends of 2008 and predictions for 2009. Net Security News. Retrieved from http://www.netsecurity.org/article.php?id=1194

Romney, M. & Steinbart, P. (2008). Accounting Information Systems, 11th ed. ISBN: 0136015182. Prentice Hall.

Robb, D. (2008, February 8). Top 5 security trends. Enterprise Planet News. Retrieved from http://www.enterpriseitplanet.com/security/features/article.php/3726926

Rowlinson, R. (2004, Winter). A Ten Step Process for Forensic Readiness. International Journal of Digital Evidence, 2(3). Retrieved from http://www.utica.edu/academic/institutes/ecii/publications /articles/A0B13342- B4E0-1F6A-156F501C49CF5F51.pdf

RSA Security. (2008). 2008 CSI Computer Crime & Security Survey. Retrieved from http://i.zdnet.com /blogs/csisurvey2008.pdf .2008

Saini, V., Duan, Q., & Paruchuri, V. (2008, April). Threat modeling using attack trees. Journal of Computing Sciences in Colleges, 23(4), 124-131.

Schneier, B. (1999, December). Attack trees: Modeling security threats. Dr. Dobb’s Journal, 24(12), 21-29.

Seltxer, L. (2006, December 4). Is online banking too dangerous? eWeek News. Retrieved from http://www.eweek.com/c/a/Security/Is-Online-Banking-TooDangerous/

Siponen, M., & Oinas-Kukkonen, H. (2007). A review of information security issues and respective research contributions. TDatabase for Advances in Information Systems, 38(1), 60-80.

Spitzner, L. (2003a). Honeypots: catching the insider threat. In Proceedings of the 19PthP Annual Computer Security Applications Conference.

Spitzner, L. (2003b, March). The Honeynet Project: Trapping the hackers. IEEE Security and Privacy, 1(2), 15-23.

Straub, D.W. (1990, September). Effective IS security: An empirical study. Information System Research, 1(3), 255-276.

Swiderski, F. & Snyder, W. (2004). Threat modeling (Microsoft Professional). Microsoft Press.

Tan, J. (2001, July 17). Forensics readiness. Retrieved from http://isis.poly.edu/kulesh/forensics/forensic_readiness.pdf

Tang, Y. & Daniels, T. (2005). A simple framework for distributed forensics. In Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops.

Todtmann, B., Riebach, S., & Rathgeb, E. (2007). The honeynet quarantine: reducing collateral damage caused by early intrusion response. In Proceedings of the 6th International Conference on Networking.

Valentine, A. (2007). Art of preserving digital evidence. Available at HTUhttp://www.onlinebankingreview.com.au/DigitalEvidence.phpUTH.

Watson, D. (2007, January). Honeynets: A tool for counterintelligence in online security. Network Security, 2007(1), 4-8.

Williamson, G. (2006, Fall). Enhanced authentication in online banking. Journal of Economic Crime Management, 4(2). Retrieved from http://utica.edu/academic/institutes/ecii/publications/articles /51D6D996-90F2- F468-AC09C4E8071575AE.pdf

Wilson, W. & Wolfe, H. (2003, June). Management strategies for implementing forensic security measures. Information Security Technical Report, 8(2), 55- 64.

Yasinsac, A. and Manzano, Y. (2001). Policies to enhance computer and network forensics. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security.

Zhang, L. & Guan, Y. (2008). Detecting click fraud in pay-per-click streams of online advertising networks. In Proceedings of 28th IEEE International Conference on Distributed Computing Systems.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.