D4I - Digital forensics framework for reviewing and investigating cyber attacks

Array (N Y). 2020:5:10.1016/j.array.2019.100015. doi: 10.1016/j.array.2019.100015.

Abstract

Many companies have cited lack of cyber-security as the main barrier to Industrie 4.0 or digitalization. Security functions include protection, detection, response and investigation. Cyber-attack investigation is important as it can support the mitigation of damages and the maturing of future prevention approaches. Nowadays, the investigation of cyber-attacks has evolved more than ever, leveraging combinations of intelligent tools and digital forensics processes. Intelligent tools (e.g., YARA rules and Indicators of Compromise) are effective only when there is prior knowledge about the software and mechanisms used in the cyber-attack, i.e., they are not attack-agnostic. Therefore, the effectiveness of these intelligent tools is inversely proportional to the number of never-seen-before software and mechanisms utilized. Digital forensic processes, while not suffering from such an issue, lack the ability to provide in-depth support to a cyber-attack investigation, mainly due to insufficiently detailed instructions in the examination and analysis phases. This paper proposes a digital forensics framework for reviewing and investigating cyber-attacks, called D4I, which focuses on enhancing the examination and analysis phases. First, the framework proposes a categorization of digital artifacts and their mapping to the Cyber-Kill-Chain steps of attacks. Second, it provides detailed instruction steps for the examination and analysis phases. The applicability of D4I is demonstrated with an application example that concerns a typical case of a spear phishing attack.

Keywords: Artifacts categorization and mapping; Digital forensics framework; Digital reviewing and investigation; Examination and analysis.