{"id":368,"date":"2012-10-04T19:25:39","date_gmt":"2012-10-04T19:25:39","guid":{"rendered":"http:\/\/digitalfire.ucd.ie\/?p=368"},"modified":"2013-03-10T03:46:21","modified_gmt":"2013-03-10T03:46:21","slug":"towards-automated-forensic-event-reconstruction-of-malicious-code","status":"publish","type":"post","link":"https:\/\/dfire.ucd.ie\/?p=368","title":{"rendered":"Towards Automated Forensic Event Reconstruction of Malicious Code"},"content":{"rendered":"

\"\"<\/a>Many existing methods of forensic malware analysis rely on the investigators\u2019 practical experience rather than hard science. This paper presents a\u00a0formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable\u00a0found in a victim\u2019s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where each state\u00a0represents behavior that results in an observable modification to the victim\u2019s\u00a0system. The derived model of the malicious code allows for accurate reasoning\u00a0and deduction of the occurrence of malicious activities even when anti-forensic\u00a0methods are employed to disrupt the investigation process.<\/p>\n

Paper [Towards Automated Forensic Event Reconstruction of Malicious Code<\/a>].<\/p>\n

Poster [Automated Forensic Event Reconstruction of Malicious Code<\/a>].<\/p>\n","protected":false},"excerpt":{"rendered":"

Many existing methods of forensic malware analysis rely on the investigators\u2019 practical experience rather than hard science. This paper presents a\u00a0formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable\u00a0found in a victim\u2019s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where […]<\/p>\n","protected":false},"author":5,"featured_media":488,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,23,34],"tags":[],"class_list":["post-368","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-theory","category-malware-analysis","category-dfire-publications"],"_links":{"self":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/368"}],"collection":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=368"}],"version-history":[{"count":29,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/368\/revisions"}],"predecessor-version":[{"id":843,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/368\/revisions\/843"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/media\/488"}],"wp:attachment":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}