15 research outputs found

    Dealing with temporal inconsistency in automated computer forensic profiling

    Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications – are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory, thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies.

    Identifying the authors of suspect email

    In this paper, we present the results of an investigation into identifying the authorship of email messages by analysis of the contents and style of the email messages themselves. A set of stylistic features applicable to text in general and an extended set of email-specific structural features were identified. A Support Vector Machine learning method was used to discriminate between the authorship classes. Through a series of baseline experiments on non-email data, it was found that approximately 20 email messages with approximately 100 words in each message should be sufficient to discriminate authorship in most cases. These results were confirmed with a corpus of email data, and performance was further enhanced when a set of email-specific features was added. This outcome has important implications in the management of such problems as email abuse, anonymous email messages and computer forensics.

    Detecting network-based obfuscated code injection attacks using sandboxing

    Intrusion detection systems (IDSs) are widely recognised as the last line of defence, often used to enable incident response when intrusion prevention mechanisms are ineffective or have been compromised. A signature-based network IDS (NIDS), which operates by comparing network traffic to a database of suspicious activity patterns (known as signatures), is a popular solution due to its ease of deployment and relatively low false positive (incorrect alert) rate. Lately, attack developers have focused on developing stealthy attacks designed to evade NIDS. One technique used to accomplish this is to obfuscate the shellcode (the executable component of an attack) so that it does not resemble the signatures the IDS uses to identify the attacks but is still logically equivalent to the clear-text attacks when executed. We present an approach to detect obfuscated code injection attacks, an approach which compensates for efforts to evade IDSs. This is achieved by executing those network traffic segments that are judged potentially to contain executable code and monitoring the execution to detect operating system calls, which are a necessary component of any such code. This detection method is based not on how the injected code is represented but rather on the actions it performs. Correct configuration of the IDS at deployment time is crucial for correct operation when this approach is taken; in particular, the examined executable code must be executed in an environment identical to the execution environment of the host the IDS is monitoring with regard to both operating system and architecture. We have implemented a prototype detector that is capable of detecting obfuscated shellcodes in a Linux environment, and demonstrate how it can be used to detect new or previously unseen code injection attacks and obfuscated attacks, as well as well-known attacks.

    Real-time programming in Modula-2

    The unit of pseudo-parallelism in Modula-2 is the coroutine; coroutines switch control to one another through the use of simple coroutine TRANSFER operations. In the case of programs which need to cater for real-time events (i.e. interrupts), an I/O coroutine awaiting an interrupt suspends itself pending the occurrence of the specified interrupt using the IOTRANSFER operation. Recognition of the awaited interrupt, when it occurs, then causes execution of an asynchronous coroutine transfer which despatches the awaiting I/O coroutine. The module priority mechanism ensures, inter alia, that other interrupts occurring during execution of that I/O or device handler coroutine will only be recognised if they are of higher priority. A modified set of Modula-2 coroutine primitives, prototyped using the PDP-11 M23 Modula-2 system, has been described previously. That model included the new primitive operation Attachinterrupt, which effectively replaces IOTRANSFER, leading to an arguably simpler and more elegant structure for real-time pseudo-parallel Modula-2 programs. That model has now been extended to incorporate the additional primitive functions Priority and Previous respectively. The former provides a means by which a real-time coroutine may interrogate the priority of the coroutine which it has preempted (interrupted), while the latter is invoked by a coroutine in order to establish the identity of the coroutine which it has preempted via an interrupt or which it has succeeded via a synchronous transfer operation. This paper discusses the rationale for the extended model and its implementation in one of the most popular Modula-2 systems in use today, the Logitech Version 3 compiler for the IBM PC, and illustrates its use.

    Synapse : auto correlation and dynamic attack redirection in an immunologically-inspired IDS

    Intrusion detection systems (IDS) perform an important role in the provision of network security, providing real-time notification of attacks in progress. One promising category of IDS attempts to incorporate into its design properties found in the natural immune system. Although previous attempts to apply immunology to intrusion detection have considered the issue of accuracy, more work still needs to be done. We present an immunologically-inspired intrusion detection model in which the false positive rate is moderated through a process of event correlation between multiple sensors. In addition, the model offers a novel response mechanism. Previous research has flirted with a variety of response mechanisms, including those that are capable of tearing down connections, killing processes and dynamically updating firewall rules. Although such mechanisms may prevent or at least mitigate an attack before its full impact is achieved, they work against the collection of information for investigatory or evidence purposes. To overcome this limitation, a response strategy is proposed in which the attack is dynamically redirected to an isolated host deployed as a honeypot. In this way, it becomes possible to mitigate the effects of the attack while at the same time studying the attack itself.

    A model for computer profiling

    This paper discusses the use of models in automatic computer forensic analysis, and proposes and elaborates on a novel model for use in computer profiling, the computer profiling object model. The computer profiling object model is an information model which models a computer as objects with various attributes and inter-relationships. These together provide the information necessary for a human investigator or an automated reasoning engine to make judgements as to the probable usage and evidentiary value of a computer system. The computer profiling object model can be implemented so as to support automated analysis to provide an investigator with the information needed to decide whether manual analysis is required.

    Multi-Topic E-mail Authorship Attribution Forensics

    In this paper we describe an investigation of forensic authorship identification or categorisation undertaken on multi-topic e-mail documents. We use an extended set of e-mail document features such as structural characteristics and linguistic patterns together with a Support Vector Machine learning algorithm. Experiments on a number of e-mail documents generated by different authors on a set of topics gave promising results for both inter- and intra-topic author categorisation.

    The use of packet inter-arrival times for investigating unsolicited Internet traffic

    Monitoring the Internet reveals incessant activity that has been referred to as background radiation. In this paper, we propose an original approach that makes use of packet inter-arrival times, or IATs, to analyse and identify such abnormal or unexpected network activity. Our study exploits a large set of data collected on a distributed network of honeypots during more than six months. Our main contribution in this paper is to demonstrate the usefulness of IAT analysis for network forensic purposes, and we illustrate this with examples in which we analyse particular IAT peak values. In addition, we pinpoint some network anomalies that we have been able to determine through such analysis.

    Computer and Intrusion Forensics

    A comprehensive and broad introduction to computer and intrusion forensics, this practical book helps you master the tools, techniques and underlying concepts you need to know, covering the areas of law enforcement, national security and the private sector. The book presents case studies from around the world, and treats key emerging areas such as stegoforensics, image identification, authorship categorization, link discovery and data mining. You also learn the principles and processes for effectively handling evidence from digital sources and law enforcement considerations in dealing with computer-related crimes, as well as how the effectiveness of computer forensics procedures may be influenced by organizational security policy.

    The book opens with a comprehensive introduction to computer and intrusion forensics and relates them to computer security in general and computer network security. It details the current practice of computer forensics and its role in combating computer crime, and examines the relationship between intrusion detection and intrusion forensics. What's more, the book explores the most important new areas for future research in computer forensics. This leading-edge resource is an indispensable reference for working professionals and post-graduate students alike.

    Event-based computer profiling for the forensic reconstruction of computer activity

    In cases where an investigator has no prior knowledge of a computer system to be investigated, the significant investment of time and resources required to undertake a detailed computer forensic examination may deter investigators, given it is not known whether it will yield any relevant evidence. This problem is particularly acute in cases involving acceptable usage monitoring or intelligence operations, where an investigator has no particular expectations about the digital evidence which might be found on a collection of computer systems, or no prior knowledge of their usage. Computer profiling is a process by which a computer system is automatically examined, without direction, to determine whether the computer system is of interest to a human investigator. This paper proposes a new technique for automated computer forensic investigations which provides a computer profile with historical timelining of user and application activity. A prototype software implementation of the technique is described and experimental results are provided and discussed which demonstrate the feasibility and value of incorporating activity traces into a computer profile.