Posted on 2013-02-15, 16:11. Authored by Ahmed F Shosha, Joshua I James, Liu Chen-Ching, Pavel Gladyshev
A call for formalizing digital forensic investigations has been
made by academics and practitioners alike [1, 2]. Many currently proposed
methods of malware analysis for forensic investigation purposes, however, are
derived from investigators' practical experience rather than from a formal model. This paper presents a
formal approach for reconstructing the activities of a malicious executable
found in a victim's system during post-mortem analysis. The behavior of a
suspect executable is modeled as a finite state automaton in which each state
represents a behavior that results in an observable modification to the victim's
system. The derived model of the malicious code allows for accurate reasoning about,
and deduction of, the occurrence of malicious activities even when anti-forensic
methods are employed to disrupt the investigation process.
History
Publication
15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012), Lecture Notes in Computer Science, vol. 7462, pp. 388-389
Publisher
Springer
Note
peer-reviewed
Other funding information
SFI
Rights
The original publication is available at www.springerlink.com