Feb 192013

Digital forensics is a very practical discipline that addresses the needs of every day investigations. Whether deleted data needs to be recovered or the suspect’s  photographs need to be attributed to the suspect’s photo camera – forensic analyst has to do whatever it takes to advance the investigation. There is rarely any time to think about the big picture – why do we do forensics the way we do, and whether it is the best way to do it.  Nevertheless, forensics is supposed to be based on the scientific method – our findings should be testable, based on the established scientific theories in the field.  This is particularly important if we are to develop highly automated analysis tools and techniques, whose results may be used as evidence.

The science of digital forensics is rooted in computer science, and the computer science is rooted in mathematics. I believe that it essential for digital forensic researchers to have good understanding of the relevant mathematical concepts and formal machinery.  With this aim in mind, and with the understanding that many forensic researchers come from practical background, I started a series of introductory lectures, which describe the relevant concepts and mathematical language of computer science in a very informal fashion. I teach these to our new PhD students in order to help them get up to speed quicker. I welcome anyone interested in developing digital forensics as a science to listen to these lectures.

Feb 022013

shutterstock_114969346Everyday new ideas all around the world are born. By the start of the new millennium the race was on, as everyone and their brother realized how potent technology was to their future. And now as we move into the second decade of the millennium, technological advancements became one of the pillars of a nation.

The laws that were written to govern any society had to also keep up with this dynamic shift. If one were to take a look at information technology related crimes, they’d come to the same conclusion; many law related issues, incidents, and crimes are deeply entwined with a cyber element. You ask why? If one were to answer this question given one word it would have to be Convenience.

As law enforcement agencies around the globe battle daily to try and keep up with these advancements; there is simply not enough resources to do so. There is just too much information and so little time to soak it up until we move into the next batch of information.

Furthermore, an investigator has many work demands, as is the case within any profession, and trying to stay up-to-date on all the happenings within the different fields in technology is humanly infeasible. A digital forensic investigator might try and obtain all of the world’s best forensic (and otherwise) toolkits to perform his/her investigations. However, if one lacks the fundamentals of what’s under the hood of the digital device they’re investigating, they might fall into the folly of relying blindly on an automated tool, not knowing that what they perceive as the “smoking gun” to close the case, might actually be there for a different reason. Additionally, knowing the techniques and having the mental prowess to “connect the dots” of the findings with relation to the case is one of the most important elements to being an investigator.

Another element is to know which tools and techniques to use in certain circumstances. If one were to focus on specific areas in a case what would it be? For example would it be the timeline, indicators of a system intrusion, indicators of malware activities, Internet activities, user related files, encrypted data, remnants of data saved elsewhere, or presence of specific files? On the other hand restricting one’s vision, while beneficial to some extents, might limit one’s view of the bigger picture. So based on what would an investigator determine the correct method to pursue relevant information?

Bridging the gap between the everyday practitioner of digital forensics and the research community is one of the more successful solutions to the issues mentioned above. In the upcoming posts, I hope to highlight the importance of research and further discuss digital forensic topics from the viewpoint of an investigator.

 Posted by at 6:08 am
Oct 042012

Many existing methods of forensic malware analysis rely on the investigators’ practical experience rather than hard science. This paper presents a formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where each state represents behavior that results in an observable modification to the victim’s system. The derived model of the malicious code allows for accurate reasoning and deduction of the occurrence of malicious activities even when anti-forensic methods are employed to disrupt the investigation process.

Paper [Towards Automated Forensic Event Reconstruction of Malicious Code].

Poster [Automated Forensic Event Reconstruction of Malicious Code].

Sep 132012

When conducting an investigation, many statements are given by witnesses and suspects. A “witness” could be considered as anything that provides information about the occurrence of an event. While a witness may traditionally be a human, a digital device – such as a computer or cell phone – could also help to provide information about an event. Once a witness provides a statement, the investigator needs to evaluate the level of trust he or she places in the validity of the statement. For example, a statement from a witness that is known to lie may be considered less trustworthy Similarly, in the digital realm, information gathered from a device may be less trustworthy if the device has been known to be compromised by a hacker or virus.

When an investigator gets statements from witnesses, the investigator can then begin to restrict possibilities of happened events based on the information. For example, if a trustworthy witness says she saw a specific suspect at a specific time, and the suspect claims to be out of the country at that time, these are conflicting statements. A witness statement may not be true for a number of reasons, but the statement may be highly probable. At a minimum when conflicting statements occur, these indicate that one or both statements should be investigated further to find either inculpatory or exculpatory evidence.

If an action happens that affects a computer system, observation of the affected data in the system could be used a evidence to reduce the possible states the system could have been in before it’s current state. Taking this further, if we create a complete model of a system then without any restriction on the model, any state of the system could possibly be reachable.

Computer systems can be modeled as finite state automata (FSA). In this model, each state of the system is represented as a state in the FSA. The set of all states is defined as Q. Each action that alters the state of the system can be represented as a symbol in the alphabet (Σ) of the automaton. Moving from one state to another is controlled by a transition function δ where δ: Q × Σ → Q.

In the case of an investigation of a computer system, the investigator may be able to directly observe only the final state of the system. The set of final, or accepting, states is defined as F, where F ⊆ Q. The start state (q0, where q0∈ Q) is likely to be unobservable, and may be unknown. Because of this, any state in the model may potentially be a start state. To account for this, a generic start state g, where  g ∉ Q, can be defined. g is a generic start state with a tradition to each state in Q on each input leading to that particular state. The result of this process is a model of the system that allows for any possible transitions in the system that result in the observed final state from any starting state.

This FSA of the system can then be used to test statements about interactions with the system. As a very basic example, consider an FSA with only two states. The first state is the system before a program is ran, and no prefetch entry has been created (!PrefetchX). The second state is after a program has been ran, and a prefetch entry has been created (PrefetchX). The transition symbol is defined as “Run_Program_X”. The FSA can be visiualized as:

(!PrefetchX) -> Run_Program_X -> (PrefetchX)

For the sake of this example, it is known that a prefetch entry will not be created unless a program is ran, so the start state is defined as (!PrefetchX). An investigator observes that in the final state of the system PrefetchX did exist, so the final accepting state is (PrefetchX).

A suspect who normally uses the system is asked whether they executed Program X, and she claims she did not. Her statement may then also be modeled in terms of the previous FSA, where any transition is allowed except “Run_Program_X”. Her statement can be visualized as:

(*) -> !Run_Program_X -> (*)

In this statement, she is claiming that any state and transition is possible except for “Run_Program_X”.

When both the system and the suspect’s statement are modeled, the FSA can be intersected to determine if the final observed state of the system is reachable with the restrictions the suspect statement places on the model. In the given example, the only possible transition to get to the observed final state is Run_Program_X. If the system model were intersected with the suspect’s statement, the final state (PrefetchX) would not be reachable because the transition that leads to the final state would not be possible. In this case, the suspect statement is inconsistent with the observed final state, and should therefore be investigated further.

This very simple example can be applied to more complex situations and models; however, a challenge with using a computational approach to model real-world systems is a very large state-space to model even for relatively simple systems.

For a more in-depth explanation, please see Analysis of Evidence Using Formal Event Reconstruction.

[1] James, J., P. Gladyshev, M.T. Abdullah, Y. Zhu. (2010) “Analysis of Evidence Using Formal Event Reconstruction.” Digital Forensics and Cyber Crime 31: 85-98. [PDF][arXiv:1302.2308]