SPHINX User Interface Functional Requirements & Guidelines: Forensics Data Collection Engine

The SPHINX System interacts with the user in order to develop cyber awareness concerning risks, vulnerabilities and incidents within the IT network and connected devices. Moreover, it allows the user to perform vulnerability assessment and certification of devices. In this regard, the user interface needs to be designed according to the user’s needs and expectations to ensure the utility of SPHINX.

Continued from Part VI.

Forensics Data Collection Engine (FDCE)

FDCE provides the tools that allow users to conduct a digital investigation of security events through an easy-to-use user interface. FDCE can parse logs, files and data from the rest of the SPHINX components, as well as logs and other relevant information collected from computers, as seen in the snapshots below.

During upload, users can select (or de-select) from the catalogue of artifacts the categories of artifacts they wish to have integrated in the list (see below).

Once processing completes, the unified list of artifacts for the selected case is presented to the user. The details of each row can be displayed by a single or double click on the row.

On the top right corner of the list there is a menu with 5 elements.

Moving from left to right, the provided options are:

  • Refresh – refresh the results based on the fields selected in the search bar.
  • Simple search – create a simple query (see snapshot below).
  • Advanced search – create a more complex query.
  • Search – execute the query.
  • Save – save the query as a rule. Rules act as indicators for monitoring the cases: an alert is raised whenever a rule matches the artifacts.

Additionally, using the option on the left side of each row, users can select the row to be part of the timeline of evidence.

Finally, after identifying all artifacts that are relevant to the forensic process and might have played a role during an incident, the user can produce a timeline of these events interlaced with his or her own comments. In order to access the timeline of selected artifacts panel, users should select the “Timeline” option from the left-side vertical menu. In the following snapshot the timeline of selected artifacts is presented. The “Add new tag” option, selected on the top right corner, allows users to insert user-tags and so manually enrich the investigation with their comments.

Lastly, the export button saves the created timeline in .json format.
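The workflow described above (category selection at upload, a saved query acting as an alerting rule, and a timeline of selected artifacts interlaced with user tags, exported as JSON) modelled as a small Python script. This is an added example, not FDCE code: the artifact fields, category names and sample records are constructed assumptions, since the deliverable does not publish the data model.

```python
"""Added example modelling the FDCE workflow; all field names and data are assumed."""
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Artifact:
    category: str   # assumed category names: "auth_log", "process", "file"
    timestamp: str  # ISO-8601 in UTC, so string order equals time order
    source: str     # hostname the artifact was collected from
    message: str    # the parsed log line or event description


# Constructed sample artifacts standing in for a parsed upload.
ARTIFACTS = [
    Artifact("auth_log", "2021-03-02T09:14:03Z", "ws-07", "Failed password for admin from 10.0.0.5"),
    Artifact("auth_log", "2021-03-02T09:14:09Z", "ws-07", "Failed password for admin from 10.0.0.5"),
    Artifact("process", "2021-03-02T09:15:10Z", "ws-07", "New process: svc_update.exe (parent: explorer.exe)"),
    Artifact("file", "2021-03-02T09:16:40Z", "ws-07", "File created: C:\\Users\\admin\\Downloads\\report.zip"),
]


def filter_by_category(artifacts, selected):
    """Upload step: keep only the artifact categories the user selected."""
    return [a for a in artifacts if a.category in selected]


def simple_query(field_name, needle):
    """Simple search: case-insensitive substring match on a single field."""
    return lambda a: needle.lower() in getattr(a, field_name).lower()


def evaluate_rule(rule_name, rule, artifacts):
    """A saved query acts as a rule: each matching artifact raises one alert."""
    return [{"rule": rule_name, "artifact": asdict(a)} for a in artifacts if rule(a)]


def build_timeline(selected, tags):
    """Interlace selected artifacts with (timestamp, comment) user tags, ordered by time."""
    entries = [{"time": a.timestamp, "kind": "artifact", **asdict(a)} for a in selected]
    entries += [{"time": t, "kind": "tag", "comment": c} for t, c in tags]
    return sorted(entries, key=lambda e: e["time"])


def export_timeline(entries):
    """Export step: serialise the timeline to JSON."""
    return json.dumps({"timeline": entries}, indent=2)


if __name__ == "__main__":
    kept = filter_by_category(ARTIFACTS, {"auth_log", "process"})
    print(evaluate_rule("failed-admin-login", simple_query("message", "failed password"), kept))
    print(export_timeline(build_timeline(kept[:2], [("2021-03-02T09:14:05Z", "Analyst: repeated failures begin")])))
```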

More information about the Functional Requirements and Guidelines of SPHINX can be found in Deliverable 2.10 that is publicly available here.