Motivation and Background

As systems become more cyber-physical, the complexity of forensic investigations increases because of the combined cyber and physical attack surfaces an adversary can exploit. Although commercial tools are used extensively to support evidence collection and analysis, the factors that determine how an investigation is conducted remain heavily dependent on the investigators' experience. In contrast to physical investigations, where evidence is collected and analysed after a crime has been committed, cyber investigations may require collection and analysis to be performed proactively - before an incident occurs - because potentially ephemeral evidence from volatile sources (such as RAM) will be lost if it is not preserved in advance. Therefore, before an investigation starts, it is necessary to help organisations achieve forensic readiness, i.e. the ability to maximise the use of evidence whilst minimising the cost of an investigation.

Once preliminary data has been collected, investigators need to establish how a particular incident occurred. Generating hypotheses about how incidents occurred in cyber-physical environments is even more difficult, as investigators must consider the opportunities that arise from the interplay between cyber and physical spaces, which increases the number of possibilities they may need to examine.

Finally, existing and upcoming regulations, such as the EU data protection reforms, should also be taken into account, as they may constrain the evidence that can be collected and analysed during an investigation. Ensuring that evidence collection activities are legally compliant is more challenging for cyber evidence, which can be modified easily and undetectably, especially when it is spread across vast geographic distances and several sovereign jurisdictions.

Aims and Objectives

The research proposed by the For-CoPS project aims to develop a software platform for engineering forensic-ready systems that operate in both cyber and physical environments. Proactive data collection activities will be configured according to the crime and evidence types involved, as well as the physical and cyber crime scenes. These systems will ensure the trustworthiness and usefulness of the collected data. Because forensic-ready systems must be acceptable within society, proactive data collection activities will satisfy citizens' privacy requirements and will comply with the regulations of the jurisdiction to which each data source belongs.

The software platform developed during this project will also support the activities performed during a forensic investigation, particularly the interpretation of data and the generation of hypotheses that explain it. It will deal with the heterogeneity of crime and evidence types, crime scenes, and the various jurisdictions a crime case might span. Additionally, it will provide transparent investigative suggestions.