Software Forensics: Can We Track Code to its Authors?

Viruses, worms, trojan horses, and crackers all exist and threaten the security of our computer systems. Often, we are aware of an intrusion only after it has occurred. On some occasions, we may have a fragment of code left behind --- used by an adversary to gain access or damage the system. A natural question to ask is "Can we use this remnant of code to positively identify the culprit?" In this paper, we detail some of the features of code remnants that might be analyzed and then used to identify their authors. We further outline some of the difficulties involved in tracing an intruder by analyzing code. We conclude by discussing some future work that needs to be done before this approach can be properly evaluated. We refer to our process as software forensics, similar to medical forensics: we are examining the remains to obtain evidence about the factors involved. 1 Introduction An aspect of both computer crime and computer vandalism that makes them more attractive activities is th..