Applying Elasticsearch for remote attestation data analysis in digital forensics
Sundén, Patrick (2024-04-15)
© 2024 Patrick Sundén. Unless otherwise stated, reuse is permitted under the Creative Commons Attribution 4.0 International (CC-BY 4.0) licence (https://creativecommons.org/licenses/by/4.0/). Reuse is permitted provided that the source is properly cited and any changes are indicated. Use or reproduction of parts that are not the property of the author or authors may require permission directly from the respective rights holders.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:oulu-202404152736
Abstract
The number of cyberattacks and vulnerabilities continues to rise annually, including cyberattacks targeting the boot-up sequence and firmware of computing systems. Just as digital forensic systems nowadays analyze and process data and track and identify threats in enterprise networks, there is a need for forensic systems based on remote attestation data to identify malware residing in the lower layers of systems, thereby maintaining trust in the system. In this thesis, we evaluate the suitability of Elasticsearch as the foundation for such a forensic system. Our research included implementing Elasticsearch and exploring its potential in processing, analyzing and visualizing remote attestation data. Additionally, a rule system was designed to aid in anomaly detection, incident response and Root Cause Analysis investigations using attestation data. Our findings indicate that while Elasticsearch is an excellent tool for processing, analyzing and visualizing attestation data, it has some limitations in its native rule system implementation, possibly requiring an additional third-party rule system to function in the way that is required. Moreover, a motivational use case was demonstrated, displaying the value of a forensic system in the realm of confidential computing.
Collections
- Open access [37920]