When computer security violations are detected, computer forensic analysts attempting to determine the relevant causes and effects are forced to perform the tedious tasks of finding and preserving useful clues in large networks of operational machines. To augment a computer crime investigator's efforts, the approach presented in this paper is an expert system with a decision tree that uses predetermined invariant relationships between redundant digital objects to detect semantic incongruities. By analyzing data from a host or network and searching for violations of known data relationships, particularly when an attacker is attempting to hide his presence, an attacker's unauthorized changes may be automatically identified. Examples of such invariant data relationships are provided, as are techniques to identify new, useful ones. By automatically identifying relevant evidence, experts can focus on the relevant files, users, times and other facts first.
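As an added illustration of the invariant-checking idea the abstract describes (example code, not the paper's own expert system), the Python below encodes three hypothetical invariants over redundant artifacts of a single host snapshot (process lists from /proc versus ps, file mtime versus ctime, wtmp versus lastlog) and reports each violated one; the `Snapshot` type, the check functions and all sample data are constructed for this example.

```python
"""Semantic-integrity checks over redundant host artifacts (added example).
Each invariant ties two objects that record the same fact independently, so
cleaning one but not the other leaves a detectable incongruity."""
from dataclasses import dataclass

@dataclass
class Snapshot:                 # constructed, hypothetical evidence container
    proc_pids: set              # PIDs enumerated directly from /proc
    ps_pids: set                # PIDs reported by the ps utility
    files: dict                 # path -> {"mtime": int, "ctime": int}
    wtmp: list                  # (user, login_time) login records
    lastlog: dict               # user -> last login time

def hidden_processes(s):
    """A PID visible in /proc but absent from ps suggests a hidden process."""
    return [f"pid {p} in /proc but not in ps" for p in sorted(s.proc_pids - s.ps_pids)]

def timestamp_incongruities(s):
    """Rewriting mtime (e.g. via utime) bumps ctime, so mtime > ctime is anomalous."""
    return [f"{path}: mtime {m['mtime']} later than ctime {m['ctime']}"
            for path, m in sorted(s.files.items()) if m["mtime"] > m["ctime"]]

def login_incongruities(s):
    """lastlog should agree with the newest wtmp login for every user."""
    newest = {}
    for user, t in s.wtmp:
        newest[user] = max(newest.get(user, 0), t)
    out = []
    for user in sorted(set(newest) | set(s.lastlog)):
        if newest.get(user) != s.lastlog.get(user):
            out.append(f"{user}: wtmp newest login {newest.get(user)} vs lastlog {s.lastlog.get(user)}")
    return out

# Ordered the way a decision tree would consult them: strongest indicators first.
INVARIANTS = [hidden_processes, timestamp_incongruities, login_incongruities]

def find_incongruities(s):
    """Return (invariant name, finding) pairs for every violated relationship."""
    return [(check.__name__, finding) for check in INVARIANTS for finding in check(s)]

SAMPLE = Snapshot(                     # constructed snapshot: three planted anomalies
    proc_pids={1, 200, 4242}, ps_pids={1, 200},
    files={"/usr/bin/sshd": {"mtime": 1_700_000_800, "ctime": 1_700_000_000},
           "/etc/passwd": {"mtime": 1_600_000_000, "ctime": 1_700_000_500}},
    wtmp=[("alice", 1_700_000_100), ("alice", 1_700_000_900), ("bob", 1_700_000_200)],
    lastlog={"alice": 1_700_000_900},  # bob's lastlog entry is missing
)
```

Note that /etc/passwd passes the timestamp check even though its mtime was set back, because a backdated mtime with a later ctime is exactly what a legitimate utime call produces; that invariant alone cannot separate the two cases.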