Skip to main content
SpringerLink
Log in

Towards Automated Forensic Event Reconstruction of Malicious Code (Poster Abstract)

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7462))

Included in the following conference series:

Abstract

A call for formalizing digital forensic investigations has been proposed by academics and practitioners alike [1, 2]. Many currently proposed methods of malware analysis for forensic investigation purposes, however, are derived based on the investigators’ practical experience. This paper presents a formal approach for reconstructing the activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of a suspect executable is modeled as a finite state automaton where each state represents behavior that results in an observable modification to the victim’s system. The derived model of the malicious code allows for accurate reasoning and deduction of the occurrence of malicious activities even when anti-forensic methods are employed to disrupt the investigation process.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Stephenson, P.: Using a Formalized Approach to Digital Investigation. In: Computer Fraud & Security (2003)

    Google Scholar 

  2. Gladyshev, P., Patel, A.: Finite state machine approach to digital event reconstruction. Digital Investigation (2004)

    Google Scholar 

  3. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: USENIX Security Symposium (2003)

    Google Scholar 

  4. Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: ESEC-FSE (2007)

    Google Scholar 

  5. Kinder, J., Katzenbeisser, S., Schallhart, C., Veith, H.: Detecting Malicious Code by Model Checking. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 174–187. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  6. James, J., et al.: Analysis of Evidence Using Formal Event Reconstruction. Digital Forensics and Cyber Crime (2010)

    Google Scholar 

  7. Emerson, E.A.: Temporal and modal logic. In: van Jan, L. (ed.) Handbook of Theoretical Computer Science, vol. B (1990)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University College Dublin, Ireland

    Ahmed F. Shosha, Joshua I. James, Chen-Ching Liu & Pavel Gladyshev

Authors
  1. Ahmed F. Shosha
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Joshua I. James
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Chen-Ching Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Pavel Gladyshev
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institute Eurecom, 2229 Route des Cretes, 06560, Sophia Antipolis Cedex, France

    Davide Balzarotti

  2. Department of Computer Science, Columbia University, 1214 Amsterdam Avenue, M.C. 0401, 10027-7003, New York, NY, USA

    Salvatore J. Stolfo

  3. School of Computer Science, University of Birmingham, B15 2TT, Edgbaston, Birmingham, UK

    Marco Cova

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Shosha, A.F., James, J.I., Liu, CC., Gladyshev, P. (2012). Towards Automated Forensic Event Reconstruction of Malicious Code (Poster Abstract). In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_26

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-33338-5_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation