Automated Analysis for Digital Forensic Science: Semantic Integrity Checking

Authors:
Tye Stallard;Karl Levitt
Affiliations:
-;-
Venue:
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Year:
2003

Citing 0
Cited 11

A formal logic-based language and an automated verification tool for computer forensic investigation

Proceedings of the 2005 ACM symposium on Applied computing
Principles-driven forensic analysis

NSPW '05 Proceedings of the 2005 workshop on New security paradigms
Forensic analysis of logs: Modeling and verification

Knowledge-Based Systems
Computer forensics in forensis

ACM SIGOPS Operating Systems Review
A Formal Approach for the Forensic Analysis of Logs

Proceedings of the 2006 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the fifth SoMeT_06
Attribution of malicious behavior

ICISS'10 Proceedings of the 6th international conference on Information systems security
A temporal logic-based model for forensic investigation in networked system security

MMM-ACNS'05 Proceedings of the Third international conference on Mathematical Methods, Models, and Architectures for Computer Network Security
Analyzing multiple logs for forensic evidence

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Automated Windows event log forensics

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Forensic memory analysis: From stack and code to execution history

Digital Investigation: The International Journal of Digital Forensics & Incident Response
FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Quantified Score

Hi-index	0.00

Visualization

Abstract

When computer security violations are detected, computerforensic analysts attempting to determine the relevantcauses and effects are forced to perform the tedious tasks offinding and preserving useful clues in large networks of operationalmachines. To augment a computer crime investigator'sefforts, the approach presented in this paper is anexpert system with a decision tree that uses predeterminedinvariant relationships between redundant digital objectsto detect semantic incongruities. By analyzing data from ahost or network and searching for violations of known datarelationships, particularly when an attacker is attemptingto hide his presence, an attacker's unauthorized changesmay be automatically identified. Examples of such invariantdata relationships are provided, as are techniques toidentify new, useful ones. By automatically identifying relevantevidence, experts can focus on the relevant files, users,times and other facts first.