Forensic readiness denotes the capability of a system to support
digital forensic investigations of potential, known incidents by preserving
in advance data that could serve as evidence explaining how
an incident occurred. Given the increasing rate at which (potentially
criminal) incidents occur, designing software systems that are
forensic-ready can facilitate and reduce the costs of digital forensic
investigations. However, to date, little or no attention has been
given to how forensic-ready software systems can be designed systematically.
In this paper we propose to explicitly represent evidence
preservation requirements prescribing preservation of the minimal
amount of data that would be relevant to a future digital investigation.
We formalise evidence preservation requirements and propose
an approach for synthesising specifications for systems to meet
these requirements. We present our prototype implementation—based
on a satisfiability solver and a logic-based learner—which
we use to evaluate our approach, applying it to two digital forensic
corpora. Our evaluation suggests that our approach preserves
relevant data that could support hypotheses of potential incidents.
Moreover, it enables significant reduction in the volume of data
that would need to be examined during an investigation.