Prioritizing Computer Forensics Using Triage Techniques

A single computer holds a large amount of information, and a company can contain many computers and other devices. If there is a breach somewhere in such an organization, how will a forensic analyst find the source and extent of the breach? Investigating all of the computers is not feasible; there are simply too many computers and too much information. One solution to this problem is forensic triage. This research combines several forensic triage methods and uses them to classify computers as either malicious or clean. The method was tested on two datasets: a generated set and a set of computers from real companies. The first dataset was reduced by 50%, and the remaining computers were all infected. The second dataset was reduced by 79%, and the result included all of the malicious computers. Thus this method can be used successfully to reduce the workload of forensic analysts.
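The two results above are measured in two different ways: workload reduction (how much of the fleet the triage pass discards) and whether the kept set is pure (all remaining hosts infected) or complete (all malicious hosts retained). The following added example, which is not code from the paper, makes that trade-off concrete: hosts receive a score from a set of indicators, hosts above a threshold are kept for full analysis, and each threshold is scored by reduction, recall and precision. The indicator names, weights and the ten-host fleet are constructed for illustration and are not the paper's feature set.

```python
"""Evaluating a forensic triage pass: reduction versus recall and precision.

Added example; the indicators, weights and hosts are constructed assumptions,
not the paper's own method or data.
"""
from dataclasses import dataclass, field

# Constructed indicator weights (assumption; the paper does not publish its own).
INDICATOR_WEIGHTS = {
    "unsigned_autorun": 3,
    "high_entropy_binary": 2,
    "timestamp_inconsistency": 2,
    "unknown_hook": 3,
    "log_gap": 1,
}


@dataclass
class Host:
    name: str
    indicators: set = field(default_factory=set)
    compromised: bool = False  # ground truth, used only for evaluation


def triage_score(host):
    """Sum the weights of the indicators observed on a host."""
    return sum(INDICATOR_WEIGHTS.get(i, 0) for i in host.indicators)


def select_for_analysis(hosts, threshold):
    """Keep every host whose score reaches the threshold for full analysis."""
    return [h for h in hosts if triage_score(h) >= threshold]


def evaluate(hosts, selected):
    """Return (reduction, recall, precision) as fractions.

    reduction: share of the fleet the analyst no longer has to examine
    recall:    share of compromised hosts that survived the triage pass
    precision: share of kept hosts that are actually compromised
    """
    selected_names = {h.name for h in selected}
    compromised = [h for h in hosts if h.compromised]
    kept_compromised = [h for h in compromised if h.name in selected_names]
    reduction = 1 - len(selected) / len(hosts)
    recall = len(kept_compromised) / len(compromised) if compromised else 1.0
    precision = len(kept_compromised) / len(selected) if selected else 1.0
    return reduction, recall, precision


# Constructed fleet of ten hosts, three of them compromised.
FLEET = [
    Host("ws01", {"unsigned_autorun", "unknown_hook"}, True),
    Host("ws02", {"high_entropy_binary", "timestamp_inconsistency"}, True),
    Host("ws03", {"log_gap"}, True),                 # weak signal, easy to miss
    Host("ws04", set(), False),
    Host("ws05", {"high_entropy_binary"}, False),    # packed but legitimate
    Host("ws06", set(), False),
    Host("ws07", {"log_gap"}, False),
    Host("ws08", set(), False),
    Host("ws09", {"timestamp_inconsistency"}, False),
    Host("ws10", set(), False),
]


def sweep(hosts, thresholds=(1, 2, 4)):
    """Evaluate the triage pass at several thresholds."""
    return {t: evaluate(hosts, select_for_analysis(hosts, t)) for t in thresholds}


if __name__ == "__main__":
    for t, (red, rec, prec) in sweep(FLEET).items():
        print(f"threshold={t}: reduction={red:.0%} recall={rec:.0%} precision={prec:.0%}")
```

A low threshold keeps every compromised host but saves the analyst little work; a high threshold keeps only hosts that are certainly infected, at the cost of dropping the weakly signalled one. The choice between the two matches the difference between the paper's two reported results.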
