Feb 27 2013

The concept of signatures is used in many fields, normally for the detection of some sort of pattern. For example, antivirus and network intrusion detection systems sometimes implement signature matching to attempt to differentiate legitimate code or network traffic from malicious data. The principle of these systems is that, within a given set of data, malicious data will have some recognizable pattern. If malicious code, for example, has a pattern that differs in some way from non-malicious data, then the malicious data may be differentiated with signature-based methods. In terms of malware, however, signature-based methods are becoming less effective as malicious software gains the ability to alter or hide malicious patterns, for example through polymorphic or encrypted code.

This work suggests that signature-based methods may also be used to detect patterns or user actions on a digital system. This is based on the principle that computer systems are interactive: when a user interacts with the system, the system is immediately updated. In this work, we analyzed a user’s actions in relation to timestamp updates on the system.

During experimentation, we found that timestamps on a system may be updated for many different reasons. Our work, however, determined that there are at least three major timestamp update patterns for a given user action. We define these as Core, Supporting and Shared timestamp update patterns.

Core timestamps are timestamps that are updated each time, and only when, the user action is executed.

Supporting timestamps are timestamps that are updated sometimes, and only when, the user action is executed.

Shared timestamps are timestamps that are shared between multiple user actions. So, for example, the timestamps of a single file might be updated by two different user actions. With shared timestamps it is impossible to determine which action updated the timestamp without more information.

By categorizing timestamps into these three primary categories, we can construct timestamp signatures to detect if and when a user action must have happened. For example, since only one action can update a Core timestamp, the time value of that timestamp is approximately the time at which the user action must have taken place.

The same can be said for Supporting timestamps, but we would expect Supporting timestamp values to be at or before the last instance of the user action.

Using this categorization, and by finding associations between timestamps and user actions, past user actions can be reconstructed using only readily available metadata on a computer system.
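As an added illustration (not code from the post or the cited paper), the following builds a minimal matcher from the Core / Supporting / Shared categories above: a Core timestamp dates the last execution of the action, a Supporting timestamp newer than that is flagged as inconsistent, and a Shared timestamp is reported but never used to date the action alone. The signature, artifact paths and time values are constructed for the example.

```python
# Added example (not code from the page or the cited paper): a minimal
# timestamp-signature matcher using the Core / Supporting / Shared categories.
# All paths, signatures and time values below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Signature:
    action: str
    core: set                                  # updated every time, and only by, the action
    supporting: set                            # updated only by the action, but not every time
    shared: set = field(default_factory=set)   # also updated by other actions

def detect(sig, observed, slack=timedelta(seconds=5)):
    """Match one signature against observed timestamps (path -> datetime or None).
    A Core timestamp dates the most recent execution; Supporting timestamps must be
    at or before it; Shared timestamps are only reported, never used alone."""
    core_times = [observed[p] for p in sig.core if observed.get(p)]
    if not core_times:
        return False, None, ["no Core timestamp present: cannot confirm the action"]
    last = max(core_times)
    notes = []
    # All Core timestamps are written by the same run, so they should agree closely.
    if last - min(core_times) > slack:
        notes.append("Core timestamps disagree: possible clock change or tampering")
    for p in sorted(sig.supporting):
        t = observed.get(p)
        if t and t > last + slack:
            notes.append(f"Supporting timestamp {p} is newer than Core: inconsistent")
    for p in sorted(sig.shared):
        if observed.get(p):
            notes.append(f"Shared timestamp {p} cannot be attributed to '{sig.action}' alone")
    return True, last, notes

# Constructed signature for a hypothetical application launch (paths are made up).
T0 = datetime(2013, 2, 27, 9, 0, 0)
APP_RUN = Signature("launch app", core={"app/last_run.log"},
                    supporting={"app/cache.dat"}, shared={"NTUSER.DAT"})

def consistent_case():
    obs = {"app/last_run.log": T0, "app/cache.dat": T0 - timedelta(hours=1),
           "NTUSER.DAT": T0 + timedelta(minutes=2)}
    return detect(APP_RUN, obs)   # action confirmed at T0; one note about the Shared timestamp

def inconsistent_case():
    obs = {"app/last_run.log": T0, "app/cache.dat": T0 + timedelta(minutes=10)}
    return detect(APP_RUN, obs)   # Supporting timestamp newer than Core is flagged
```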

For more information, please see our article on this topic:

James, J., P. Gladyshev, and Y. Zhu. (2011) “Signature Based Detection of User Events for Post-Mortem Forensic Analysis”. Digital Forensics and Cyber Crime: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Volume 53, pp. 96–109. Springer. [PDF] [arXiv:1302.2395]

Feb 19 2013

Digital forensics is a very practical discipline that addresses the needs of everyday investigations. Whether deleted data needs to be recovered or the suspect’s photographs need to be attributed to the suspect’s camera, the forensic analyst has to do whatever it takes to advance the investigation. There is rarely any time to think about the big picture: why we do forensics the way we do, and whether it is the best way to do it. Nevertheless, forensics is supposed to be based on the scientific method: our findings should be testable and based on the established scientific theories in the field. This is particularly important if we are to develop highly automated analysis tools and techniques whose results may be used as evidence.

The science of digital forensics is rooted in computer science, and computer science is rooted in mathematics. I believe that it is essential for digital forensic researchers to have a good understanding of the relevant mathematical concepts and formal machinery. With this aim in mind, and with the understanding that many forensic researchers come from a practical background, I started a series of introductory lectures that describe the relevant concepts and mathematical language of computer science in a very informal fashion. I teach these to our new PhD students in order to help them get up to speed more quickly. I welcome anyone interested in developing digital forensics as a science to listen to these lectures.

Feb 02 2013

Every day, new ideas are born all around the world. By the start of the new millennium the race was on, as everyone and their brother realized how potent technology was to their future. And now, as we move into the second decade of the millennium, technological advancement has become one of the pillars of a nation.

The laws written to govern any society have also had to keep up with this dynamic shift. If one were to take a look at information technology related crimes, they’d come to the same conclusion: many law-related issues, incidents, and crimes are deeply entwined with a cyber element. You ask why? If one were to answer this question in one word, it would have to be convenience.

As law enforcement agencies around the globe battle daily to try and keep up with these advancements, there are simply not enough resources to do so. There is just too much information and so little time to absorb it before we move on to the next batch of information.

Furthermore, an investigator has many work demands, as is the case within any profession, and trying to stay up to date on everything happening within the different fields of technology is humanly infeasible. A digital forensic investigator might try to obtain all of the world’s best forensic (and other) toolkits to perform his or her investigations. However, if one lacks the fundamentals of what’s under the hood of the digital device being investigated, one might fall into the folly of relying blindly on an automated tool, not knowing that what is perceived as the “smoking gun” to close the case might actually be there for a different reason. Additionally, knowing the techniques and having the mental prowess to “connect the dots” between the findings and the case is one of the most important elements of being an investigator.

Another element is knowing which tools and techniques to use in particular circumstances. If one were to focus on specific areas in a case, what would they be? For example, would it be the timeline, indicators of a system intrusion, indicators of malware activity, Internet activity, user-related files, encrypted data, remnants of data saved elsewhere, or the presence of specific files? On the other hand, restricting one’s vision, while beneficial to some extent, might limit one’s view of the bigger picture. So on what basis would an investigator determine the correct method to pursue relevant information?

Bridging the gap between the everyday practitioner of digital forensics and the research community is one of the more successful solutions to the issues mentioned above. In the upcoming posts, I hope to highlight the importance of research and further discuss digital forensic topics from the viewpoint of an investigator.

Posted at 6:08 am