
A Temporal Logic-Based Model for Forensic Investigation in Networked System Security

  • Conference paper
Computer Network Security (MMM-ACNS 2005)

Abstract

Research in computer and network forensic investigation has recently addressed the development of procedural guidelines, technical documents, and semi-automation tools. It has, however, omitted the need for formal proof. This work provides a novel approach that formalizes and automates the proof in digital forensic investigation. First, it introduces a formal logic-based language, called S-TLA+, to enable reasoning on systems with uncertainty, by adding forward hypotheses to compensate for a potential lack of details. S-TLA+ is suitable for the description of evidence, as well as of elementary scenario fragments representing the investigator's knowledge. Secondly, the proposal provides an automated verification tool, S-TLC, to prove the correctness of S-TLA+ specifications. It checks whether there are possible hacking scenarios that are consistent with the available digital evidence, and explores additional evidence. To demonstrate its effectiveness, the formalized analysis is applied to a compromised host.




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Rekhis, S., Boudriga, N. (2005). A Temporal Logic-Based Model for Forensic Investigation in Networked System Security. In: Gorodetsky, V., Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2005. Lecture Notes in Computer Science, vol 3685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11560326_25


  • DOI: https://doi.org/10.1007/11560326_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-29113-8

  • Online ISBN: 978-3-540-31998-6
