
Computer forensics in forensis

Published: 01 April 2008

Abstract

Different users apply computer forensic systems, models, and terminology in very different ways. They often make incompatible assumptions and reach different conclusions about the validity and accuracy of the methods they use to log, audit, and present forensic data. In fact, it can be hard to say who, if anyone, is right. We present several forensic systems and discuss situations in which they produce valid and accurate conclusions, and also situations in which their accuracy is suspect. We also present forensic models and discuss areas in which they are useful and areas in which they could be augmented. Finally, we present some recommendations about how computer scientists, forensic practitioners, lawyers, and judges could build more complete models of forensics that take into account appropriate legal details and lead to scientifically valid forensic analysis.

