Feb 02 2013
The Digital Investigation Process

Every day, new ideas are born all around the world. By the start of the new millennium the race was on, as everyone and their brother realized how important technology was to their future. And now, as we move into the second decade of the millennium, technological advancement has become one of the pillars of a nation. […]

 Posted by at 6:08 am
Nov 08 2012
Social Media and Intelligence Gathering

Online social media has changed the way many people, businesses and even governments interact with each other. Because of Twitter’s popularity and its ability to broadcast small pieces of information to a large number of people, it is an effective form of mass communication. However, the ease of communication that allows the public to freely communicate […]

Oct 04 2012
Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects

Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is based on malicious code obfuscation that changes the syntax of the code while preserving its execution semantics. If the malware signature relies on the syntactic features of the malicious code, it can be evaded by obfuscation techniques. In this […]

Oct 04 2012
Towards Automated Forensic Event Reconstruction of Malicious Code

Many existing methods of forensic malware analysis rely on the investigators’ practical experience rather than hard science. This paper presents a formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where […]

Oct 04 2012
A Novel Methodology for Malware Intrusion Attack Path Reconstruction

When a malware outbreak happens in an organization, one of the main questions that need to be investigated is how the malware got in. It is important to answer this question in order to identify and close the exploited technical and/or human vulnerabilities. This paper proposes a method for malware intrusion path reconstruction in a […]

Oct 04 2012
Some Pitfalls of Interpreting Forensic Artifacts in Windows Registry

This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes to the forensic interpretation of Windows […]

Oct 03 2012
InfoSecurity Russia 2012: Digital Forensics, Cloud Computing, Future of Cybercrime Investigation

Last week Joshua and I gave an invited talk about digital forensics at InfoSecurity Russia 2012. The slides of the talk are here: Slides of DigitalFIRE Talk at InfoSecurity Russia 2012. Our talk explored the issues of digital forensics in the cloud environment. The first part of the talk introduced the concepts of cyber crime investigations and the challenges […]

Sep 13 2012
Automata Intersection to Test Possibility of Statements in Investigations

When conducting an investigation, many statements are given by witnesses and suspects. A “witness” could be considered as anything that provides information about the occurrence of an event. While a witness may traditionally be a human, a digital device – such as a computer or cell phone – could also help to provide information about […]

Sep 13 2012
Limitations of Malware Sandbox Usage in Digital Forensic Investigation

When digital investigators are confronted with a suspicious executable during an investigation, a standard, well-known incident response process is applied. This process encompasses hashing the suspect executable and looking up the hash value in an online malware analysis and scanning service such as VirusTotal [1] to verify whether the suspect executable belongs to a known malware family. If […]

Jul 21 2011

From December 7th 2010 to December 12th 2010 a survey on Digital Investigation Process and Accuracy was conducted in an attempt to determine the current state of digital investigations, the process of examination (examination phases), and how those examinations are being verified as accurate. An online survey was created in English, and consisted of 10 […]