4. BUILDING THE SMURF FRAMEWORK

This section discusses, at a high level, the theoretical aspects of SMURF. The intention was to build a linear, modular investigative tool with the potential to extend and mature its functionality. SMURF’s modularity allows components to be added or excluded depending on the use case.

Figure 1 is a graphical representation of how SMURF works. The components used to implement each of these stages are discussed in Section 5.

4.1 Capture

This stage involves recovering data from a live machine. As this is the stage that initiates interaction between the triage device and the target device, it was necessary to first programmatically record the triage device details, and the date and time it was connected to the target device, before proceeding with the data collection.

The data collection at this stage focused on system generated and user generated artefacts (e.g. web browser artefacts).

Figure 1: An illustration of how SMURF works

4.2 Identify

This stage involves segregating the data collected during the capture. The artefacts are grouped by type and by the location where they were found. For example, if an artefact contains a social media platform name or an associated name, and it is a URL (type), it is placed in the “visited places” group for further processing.

4.3 Process

The artefacts recovered and grouped at the “Identify” stage are processed to highlight the type of activity that could have created them, for example user account registration, or viewing and sharing content.

This stage also involves the use of pattern matching techniques as presented in David et al. (2020) to extract features of interest.
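The “Identify” and “Process” stages above, as an added worked example (not SMURF’s own code): captured browser artefacts are grouped into “visited places” when they are URLs whose host is a social media platform or an associated domain, and each visited place is then pattern-matched to the activity that could have created it. The platform domain list, the URL-path patterns, and the sample artefacts are all assumptions constructed for the example; the page names none of them.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed platform and associated (short-link) domains; the page names none.
PLATFORM_DOMAINS = {"facebook.com", "fb.com", "twitter.com", "t.co", "instagram.com"}
# Assumed URL-path patterns for the activity types named in Section 4.3.
ACTIVITY_PATTERNS = [
    ("account registration", re.compile(r"/(signup|register|join)\b", re.I)),
    ("sharing content", re.compile(r"/(share|sharer|intent/tweet)\b", re.I)),
    ("viewing content", re.compile(r"/(posts?|p|watch|status)/", re.I)),
]

@dataclass
class Artefact:
    location: str  # where it was captured, e.g. the browser history database
    kind: str      # artefact type, e.g. "url" or "cookie"
    value: str

def is_platform_host(host):
    # Suffix match on the registered domain, so "notfacebook.com" does not match.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in PLATFORM_DOMAINS)

def identify(artefacts):
    """Identify stage: URL artefacts whose host is a platform (or associated)
    domain go to the 'visited places' group; everything else stays 'other'."""
    groups = {"visited places": [], "other": []}
    for a in artefacts:
        host = (urlparse(a.value).hostname or "") if a.kind == "url" else ""
        groups["visited places" if is_platform_host(host) else "other"].append(a)
    return groups

def process(visited):
    """Process stage: pattern-match each URL path to the activity that could
    have created it; unmatched artefacts are kept and labelled, not dropped."""
    labelled = []
    for a in visited:
        path = urlparse(a.value).path
        activity = next((lbl for lbl, p in ACTIVITY_PATTERNS if p.search(path)), "unclassified")
        labelled.append((a.location, a.value, activity))
    return labelled

# Constructed sample capture output (not real triage data).
SAMPLE = [
    Artefact("History (browser)", "url", "https://www.facebook.com/signup/"),
    Artefact("History (browser)", "url", "https://twitter.com/intent/tweet?text=hi"),
    Artefact("History (browser)", "url", "https://www.instagram.com/p/abc123/"),
    Artefact("History (browser)", "url", "https://t.co/xyz"),
    Artefact("History (browser)", "url", "https://example.org/docs"),
    Artefact("Cookies (browser)", "cookie", "session=constructed"),
]
def run_pipeline(artefacts=SAMPLE):
    groups = identify(artefacts)
    return groups, process(groups["visited places"])
```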

4.4 Present

The data from the preceding stages feeds into the “Present” stage. Here, the results from the processing stage are parsed and returned in a text-based HTML report. Following the theme of a live triage, this report gives the investigator a quick, usable view of the data recovered.
