A hypothesis-based approach to digital forensic investigations

This work formally defines a digital forensic investigation and categories of analysis techniques. The definitions are based on an extended finite state machine (FSM) model that was designed to include support for removable devices and complex states and events. The model is used to define the concept of a computer's history, which contains the primitive and complex states and events that existed and occurred. The goal of a digital investigation is to make valid inferences about a computer's history. Unlike the physical world, where an investigator can directly observe objects, the digital world involves many indirect observations. The investigator cannot directly observe the state of a hard disk sector or of bytes in memory; he can only directly observe the state of output devices. Therefore, all statements about digital states and events are hypotheses that must be tested to some degree. Using the dynamic FSM model, seven categories and 31 unique classes of digital investigation analysis techniques are defined. The techniques in each category can be used to test and formulate different types of hypotheses, and completeness is shown. The classes are defined based on the model design and current practice. Using the categories of analysis techniques and the history model, the process models that investigators use are formally compared. Until now, it was not clear how the phases in the models differed. The model is also used to identify where assumptions are made during an investigation and to show differences between the concepts of digital forensics and the more traditional forensic disciplines.
