Reconstruction of Falsified Computer Logs for Digital Forensics Investigations

Digital forensics investigations aim to find evidence that helps confirm or disprove a hypothesis about an alleged computer-based crime. However, the ease with which computer-literate criminals can falsify computer event logs makes the prosecutor's job highly challenging. Given a log which is suspected to have been falsified or tampered with, a prosecutor is obliged to provide a convincing explanation for how the log may have been created. Here we focus on showing how a suspect computer event log can be transformed into a hypothesised actual sequence of events, consistent with independent, trusted sources of event orderings. We present two algorithms which allow the effort involved in falsifying logs to be quantified, as a function of the number of 'moves' required to transform the suspect log into the hypothesised one, thus allowing a prosecutor to assess the likelihood of a particular falsification scenario. The first algorithm always produces an optimal solution but, for reasons of efficiency, is suitable for short event logs only. To deal with the massive amount of data typically found in computer event logs, we also present a second heuristic algorithm which is considerably more efficient but may not always generate an optimal outcome.
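As an added illustration of the effort metric described above (this is not the paper's own algorithm or its definition of a move), the Python sketch below assumes a 'move' is lifting one event out of the suspect log and reinserting it elsewhere, assumes trusted orderings arrive as (earlier, later) pairs, and uses a constructed sample log. An exhaustive breadth-first search returns the minimum move count but explores up to n! orderings, so it suits short logs only; the greedy hill-climb is cheap but may overshoot the minimum or stall.

```python
from collections import deque

# Constructed sample input (not from the paper): the event log found on the
# suspect machine, and "a happened before b" orderings taken from sources the
# suspect could not alter (e.g. a VPN gateway log or an NTP-synchronised server).
SUSPECT_LOG = ["boot", "file_access", "login", "vpn_connect", "logout"]
TRUSTED_ORDER = [("boot", "login"), ("login", "vpn_connect"),
                 ("vpn_connect", "file_access"), ("file_access", "logout")]

def violations(log, constraints):
    """Number of trusted (a before b) orderings that `log` contradicts."""
    pos = {event: i for i, event in enumerate(log)}
    return sum(1 for a, b in constraints if pos[a] > pos[b])

def neighbours(log):
    """Every log reachable by one assumed 'move': lift one event, reinsert it elsewhere."""
    for i, event in enumerate(log):
        rest = log[:i] + log[i + 1:]
        for j in range(len(log)):
            if j != i:  # j == i would reinsert the event where it already was
                yield rest[:j] + [event] + rest[j:]

def exact_min_moves(log, constraints):
    """Optimal: breadth-first search over orderings (exponential in len(log)).
    Returns (moves, hypothesised_log), or None if the constraints are cyclic."""
    start = tuple(log)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        state, depth = queue.popleft()
        if violations(state, constraints) == 0:
            return depth, list(state)
        for nxt in neighbours(list(state)):
            if tuple(nxt) not in seen:
                seen.add(tuple(nxt))
                queue.append((tuple(nxt), depth + 1))
    return None

def greedy_min_moves(log, constraints):
    """Heuristic: repeatedly apply the single move that removes the most violations.
    Cheap, but may use more moves than necessary or stall with violations left."""
    current, moves = list(log), 0
    while violations(current, constraints) > 0:
        best = min(neighbours(current), key=lambda s: violations(s, constraints))
        if violations(best, constraints) >= violations(current, constraints):
            break  # no single move helps: the heuristic gives up here
        current, moves = best, moves + 1
    return moves, current
```

The move count returned by exact_min_moves is the quantity a prosecutor would weigh: a log that needs only one relocation to agree with the trusted sources is a far more plausible falsification than one needing dozens.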