image: Enabling Digital Forensic Investigators in Handling Smart City Infrastructure Investigation
Credit: SUTD
With technological advancements and growing awareness of the United Nations (UN) Sustainable Development Goals (SDGs), interconnected systems within cities that capture real-time data indicators for chosen SDGs are a way forward. Known as smart city infrastructure (SCI), these systems are vital to nations in assessing their alignment with the UN SDGs. As the role of smart city infrastructure grows, it inevitably becomes a prime target for adversaries and cyber criminals.
“Digital forensic investigators have had the short end of the stick for far too long. They often contend with tight timelines and vast amounts of data during investigations. Moreover, if collaboration is required on uncommon platforms such as SCI, investigators must establish a common term of reference for investigation. They also need to identify threats, corresponding digital evidence sources and crimes committed. Such activities can take considerable amounts of time and effort,” explained Dr Tok Yee Ching, a Research Fellow from the Automated Systems SEcuriTy (ASSET) Research Group at the Singapore University of Technology and Design (SUTD).
To assist digital forensic investigators and law enforcement agencies conducting investigations on SCI in the future, Dr Tok, together with Singapore Institute of Technology (SIT) student Davis Yang Zheng and SUTD Associate Professor Sudipta Chattopadhyay, developed an ontology for SCI threats, cybercrime and digital investigation, the Smart City Ontological Paradigm Expression (SCOPE). Their paper, titled “A Smart City Infrastructure ontology for threats, cybercrime and digital forensic investigation”, was published in Forensic Science International: Digital Investigation.
Ontologies are representations, definitions and relations of concepts and data within a specific domain. By using ontologies, complex domains can be understood more easily through a consistent and structured representation of knowledge. SCOPE was envisioned as a practical aid for digital forensic investigators and adheres to international standards. SCOPE also takes a technology-agnostic approach to account for the diverse range of smart city infrastructure across sectors such as energy, home, and oil and gas.
While conducting the research, the ASSET group analysed existing ontologies such as the Unified Cyber Ontology (UCO) and the Cyber-investigation Analysis Standard Expression (CASE). After careful consideration and thorough research, the group concluded that these ontologies lack SCI representation, and that extending them on an ad hoc basis is inefficient and ineffective for investigators. This led to the design and development of SCOPE.
Building on the ASSET group's prior work on SCI threats, cybercrime and evidence sources, to which Dr Tok was the key contributor, the researchers and their SIT collaborator embedded that earlier work into SCOPE. Other critical information, such as attack techniques and pattern classifications from MITRE, was also accounted for. Users can adopt SCOPE for a wide range of use cases, such as SCI cybercrime incidents, evidence sharing, or even adversary emulation.
Designing SCOPE was challenging, but its suitability for real-life cybercrime scenarios also needed to be investigated thoroughly. To this end, Dr Tok and his colleagues evaluated the usability of SCOPE via a few carefully crafted scenarios based on real-world activity by Advanced Persistent Threats (APTs). The evaluation consisted of i) ontological representation of the scenario, ii) investigation of the Tactics, Techniques and Procedures (TTPs) used by the APT and iii) containment and recovery using identified Indicators of Compromise (IoCs). In a nutshell, this evaluation was necessary to understand how the end users of SCOPE would apply it to realistic scenarios and accomplish the crucial tasks should a cybercrime take place in SCI.
The evaluation results showed that, through the use of SCOPE, investigators could record more granular details during their investigation, such as the areas affected by malicious software infection and damage. The additional context allowed increased efficiency and rapid remediation. Investigators also benefit from easy access to complex technical details such as threat type and affected systems.
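To make the three evaluation steps concrete (representing a scenario as ontology triples, walking the TTPs, and pulling IoCs and affected systems back out for containment), the following added example builds a small incident graph and queries it. The classes and predicates (`ex:Incident`, `ex:affectsAsset`, `ex:typicalEvidenceSource`, the `ex:` prefix itself) and the water-plant scenario are hypothetical and are not SCOPE's own vocabulary; only the ATT&CK technique IDs and their tactics (T1190 Exploit Public-Facing Application, Initial Access; T1486 Data Encrypted for Impact, Impact) are real. The triple store is a deliberately minimal stand-in for an RDF/OWL toolchain so the example runs offline.

```python
"""Ontology-style representation of an SCI incident, queried the way an
investigator would during triage. Added example: the ex: vocabulary and the
scenario are constructed and are NOT SCOPE's own classes or data."""
from __future__ import annotations

from collections import defaultdict
from typing import Iterator, Optional

Triple = tuple[str, str, str]


class IncidentGraph:
    """Minimal subject-predicate-object store with pattern matching."""

    def __init__(self) -> None:
        self._triples: set[Triple] = set()
        self._by_pred: dict[str, set[Triple]] = defaultdict(set)

    def add(self, s: str, p: str, o: str) -> None:
        self._triples.add((s, p, o))
        self._by_pred[p].add((s, p, o))

    def match(self, s: Optional[str] = None, p: Optional[str] = None,
              o: Optional[str] = None) -> Iterator[Triple]:
        pool = self._by_pred[p] if p is not None else self._triples
        for t in pool:
            if (s is None or t[0] == s) and (o is None or t[2] == o):
                yield t

    def objects(self, s: str, p: str) -> list[str]:
        return sorted(t[2] for t in self.match(s=s, p=p))

    def subjects(self, p: str, o: str) -> list[str]:
        return sorted(t[0] for t in self.match(p=p, o=o))


def build_scenario() -> IncidentGraph:
    """Constructed ransomware incident on a hypothetical water-plant HMI."""
    g = IncidentGraph()
    # Background knowledge: real ATT&CK technique/tactic pairs; the evidence
    # source classes they usually produce are hypothetical.
    g.add("attack:T1190", "rdfs:label", "Exploit Public-Facing Application")
    g.add("attack:T1190", "ex:belongsToTactic", "attack:InitialAccess")
    g.add("attack:T1190", "ex:typicalEvidenceSource", "ex:WebServerLog")
    g.add("attack:T1486", "rdfs:label", "Data Encrypted for Impact")
    g.add("attack:T1486", "ex:belongsToTactic", "attack:Impact")
    g.add("attack:T1486", "ex:typicalEvidenceSource", "ex:HostFileSystemImage")
    # Smart city assets (hypothetical), tagged with their sector.
    g.add("ex:WaterPlantHMI", "rdf:type", "ex:SmartCityAsset")
    g.add("ex:WaterPlantHMI", "ex:inSector", "Water")
    g.add("ex:TrafficController7", "rdf:type", "ex:SmartCityAsset")
    g.add("ex:TrafficController7", "ex:inSector", "Transport")
    # The incident itself: threat type, affected asset, TTPs, evidence, IoCs.
    g.add("ex:INC-1", "rdf:type", "ex:Incident")
    g.add("ex:INC-1", "ex:hasThreatType", "Ransomware")
    g.add("ex:INC-1", "ex:affectsAsset", "ex:WaterPlantHMI")
    g.add("ex:INC-1", "ex:usesTechnique", "attack:T1190")
    g.add("ex:INC-1", "ex:usesTechnique", "attack:T1486")
    g.add("ex:INC-1", "ex:hasEvidence", "ex:Evidence-HMI-weblog")
    g.add("ex:Evidence-HMI-weblog", "rdf:type", "ex:WebServerLog")
    g.add("ex:Evidence-HMI-weblog", "ex:collectedFrom", "ex:WaterPlantHMI")
    g.add("ex:INC-1", "ex:hasIndicator", "ex:IoC-1")
    g.add("ex:IoC-1", "ex:indicatorType", "ipv4")
    g.add("ex:IoC-1", "ex:indicatorValue", "203.0.113.7")  # documentation range
    return g


def affected_assets_by_threat_type(g: IncidentGraph, threat_type: str) -> list[str]:
    """Which assets were hit by incidents of a given threat type?"""
    assets: set[str] = set()
    for inc in g.subjects("ex:hasThreatType", threat_type):
        assets.update(g.objects(inc, "ex:affectsAsset"))
    return sorted(assets)


def tactics_for_incident(g: IncidentGraph, inc: str) -> dict[str, str]:
    """Map each technique the adversary used to its ATT&CK tactic."""
    return {t: g.objects(t, "ex:belongsToTactic")[0]
            for t in g.objects(inc, "ex:usesTechnique")}


def containment_indicators(g: IncidentGraph, asset: str) -> list[tuple[str, str]]:
    """IoCs to block or hunt for, collected across incidents affecting an asset."""
    out: list[tuple[str, str]] = []
    for inc in g.subjects("ex:affectsAsset", asset):
        for ioc in g.objects(inc, "ex:hasIndicator"):
            out.append((g.objects(ioc, "ex:indicatorType")[0],
                        g.objects(ioc, "ex:indicatorValue")[0]))
    return sorted(out)


def missing_evidence_sources(g: IncidentGraph, inc: str) -> list[str]:
    """Evidence classes the used techniques normally leave behind but which
    the case file does not yet contain; a gap list for the collection plan."""
    have: set[str] = set()
    for ev in g.objects(inc, "ex:hasEvidence"):
        have.update(g.objects(ev, "rdf:type"))
    missing: set[str] = set()
    for tech in g.objects(inc, "ex:usesTechnique"):
        missing.update(src for src in g.objects(tech, "ex:typicalEvidenceSource")
                       if src not in have)
    return sorted(missing)


if __name__ == "__main__":
    graph = build_scenario()
    print(affected_assets_by_threat_type(graph, "Ransomware"))
    print(tactics_for_incident(graph, "ex:INC-1"))
    print(containment_indicators(graph, "ex:WaterPlantHMI"))
    print(missing_evidence_sources(graph, "ex:INC-1"))
```

The last query is the one a shared vocabulary buys you: because techniques are linked to the evidence sources they typically produce, the graph can tell the investigator that a host file-system image is still outstanding for T1486 even though the web server log for T1190 has been collected. In a real deployment the same queries would be SPARQL against an RDF store loaded with the published ontology rather than this in-memory substitute.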
The ASSET research group has made SCOPE publicly available for the digital forensic community to use in future SCI investigations. In the future, the group will add further tooling support for the SCOPE ontology and will conduct a user study with digital forensic professionals from the public and private sectors to determine how SCOPE could be further improved for industry use. The group also hopes future researchers will explore integrating SCOPE into digital forensics tools to empower digital forensic investigators in their workflows.
Journal: Forensic Science International: Digital Investigation