Oct 042012
Towards Automated Forensic Event Reconstruction of Malicious Code

Many existing methods of forensic malware analysis rely on the investigators’ practical experience rather than hard science. This paper presents a formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where […]

Oct 042012
A Novel Methodology for Malware Intrusion Attack Path Reconstruction

When a malware outbreak happens in an organization, one of the main questions that needs to be investigated is how the malware got in. It is important to get an answer to this question to identify and close the exploited technical and/or human vulnerabilities. This paper proposes a method for malware intrusion path reconstruction in a […]

Oct 042012
Some Pitfalls of Interpreting Forensic Artifacts in Windows Registry

This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes to forensic interpretation of Windows […]

Oct 032012
InfoSecurity Russia 2012: Digital Forensics, Cloud Computing, Future of Cybercrime Investigation

Last week Joshua and I gave invited talk about digital forensics at InfoSecurity Russia 2012. The slides of the talk are here: Slides of DigitalFIRE Talk at InfoSecurity Russia 2012 Our talk explored the issues of digital forensics in the cloud environment. The first part of the talk introduced the concepts of cyber crime investigations and the challenges […]

Sep 132012
Automata Intersection to Test Possibility of Statements in Investigations

When conducting an investigation, many statements are given by witnesses and suspects. A “witness” could be considered as anything that provides information about the occurrence of an event. While a witness may traditionally be a human, a digital device – such as a computer or cell phone – could also help to provide information about […]

Sep 132012
Limitations of Malware Sandbox Usage in Digital Forensic Investigation

When digital investigators are confronted with suspicious executable during investigation, a standard, well-known incidents response process is applied. This process encompasses, hashing the suspect executable and look-up with the hash value in an online malware analysis and scanning service such as VirusTotal [1] to verify if suspect executable belongs to a known malware family. If […]

Jul 212011

From December 7th 2010 to December 12th 2010 a survey on Digital Investigation Process and Accuracy was conducted in an attempt to determine the current state of digital investigations, the process of examination (examination phases), and how those examinations are being verified as accurate. An online survey was created in English, and consisted of 10 […]

Aug 122010

This work is in regards to a 2009 project about research into real-world digital forensic practices for the development of highly automated tools to increase speed and efficiency of forensic investigations. A survey was conducted of 30 Law Enforcement officers from different countries in Europe (with 10 respondents). The key findings of the survey are given, […]