http://dx.doi.org/10.13089/JKIISC.2017.27.1.79

A Study on the Setting Method of the File System Audit Function of Windows for Enhancing Forensic Readiness  

Lee, Myeong-Su (Center for Information Security Technologies, Korea University)
Lee, Sang-Jin (Center for Information Security Technologies, Korea University)
Abstract
If digital forensic investigators can utilize file access logs when they audit insider information leakage cases or incident cases, it helps them understand users' behaviors more clearly. There are many known artifacts related to file access in MS Windows, but each artifact often lacks critical information, and they are usually not preserved for long enough, so it is hard to track down what happened in a real case. In this thesis, I suggest a method to utilize the SACL (System Access Control List), one of the audit functions provided by MS Windows. By applying this method of strengthening Windows' audit settings, even small organizations that cannot adopt security solutions can build a better environment for conducting digital forensics when an incident occurs.
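The abstract describes enabling Windows' SACL-based file access auditing so that file access leaves a durable log. The following PowerShell snippet is an added example, not code from the paper, showing the two pieces a defender has to configure: the "File System" audit policy subcategory (via the built-in auditpol tool) and an audit ACE on the folder's SACL. It assumes an elevated session and an existing folder; the path C:\Sensitive is a placeholder, and the rule audits Everyone for write/delete-type access so that the resulting 4663 ("An attempt was made to access an object") events record who modified or removed files.

```powershell
# Added example (not from the paper): enable file-system object auditing and put an audit ACE on a folder's SACL.
# Assumes an elevated PowerShell session; $TargetPath is a placeholder path for illustration.
$TargetPath = 'C:\Sensitive'

# 1. Enable the "File System" audit subcategory for success and failure.
#    Without this policy, SACL entries on objects generate no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Build an audit rule: Everyone (S-1-1-0), write/delete-type rights,
#    inherited by subfolders and files, logging both success and failure.
$identity = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]::Write -bor
            [System.Security.AccessControl.FileSystemRights]::Delete -bor
            [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $identity, $rights, $inherit, $prop, $flags)

# 3. Read the folder's security descriptor including its SACL (-Audit), add the rule, write it back.
#    Set-Acl on a SACL needs SeSecurityPrivilege, which is why the session must be elevated.
$acl = Get-Acl -Path $TargetPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $TargetPath -AclObject $acl

# 4. Verify the SACL and look for recent object-access events (ID 4663 in the Security log).
(Get-Acl -Path $TargetPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Auditing ReadData on a busy share produces a large event volume, so the rights mask and the Security log size (and forwarding to a collector) should be chosen together; otherwise the events are overwritten before an investigation starts, which is the retention problem the abstract points out for existing artifacts.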
Keywords
File Access Audit; System Access Control List; SACL; Digital Forensics; Forensic Readiness;