A Hierarchical Visibility theory for formal digital investigation of anti-forensic attacks
Introduction
Faced with the growth and evolution of security attacks in terms of frequency, ease of use, automation, and estimated damages, research in information security has turned its attention over the past few years to digital forensic investigation. The latter aims to conduct a post-incident analysis of compromised systems and to make inquiries about past events. To do so, digital information stored, generated, processed, or transmitted by networked systems is used as a source of evidence. The collected evidence is then analysed to reconstruct information about past events (i.e., events that happened during the incident) and to show how the system security was compromised.
Many problems can cause a security incident to remain unsolved, allowing attackers to evade responsibility for lack of evidence to convict them. A first, predominant problem is related to anti-forensic attacks, which may happen during the incident to alter traces of the events that occurred. Once an attacker has succeeded in compromising a system, they execute an anti-forensic attack to reduce the quantity and quality of evidential data available after the incident. To do so, the attacker tries to alter the evidence already generated by the deployed security solutions in order to mislead the investigation, evade detection, and prevent the accurate reconstruction of provable attack scenarios.
Another important problem, which makes digital investigation inconclusive, is related to preparation. While security administrators are motivated to deploy a large set of security mechanisms that support evidence collection, they do not take into consideration the need to assess and verify (before the incident occurs) whether the evidence to be generated would be sufficient to: a) prove relevant events that would occur on the compromised system; b) detect and demonstrate the occurrence of anti-forensic attacks; and c) mitigate the effect of these attacks on the compromised evidence.
A major interest of research in digital forensic investigation is the development of theoretical and scientifically proven methods that validate the correctness of the techniques used to process and analyse evidence, give a formal meaning to event reconstruction, and prove conclusive descriptions of hackers' activities. In this context, several important frameworks have been proposed to base the process of digital investigation on formal theory. They can be categorized, according to the formalism they use to reason about attack scenarios, into: expert-system-based modelling (Stallard and Levitt, 2003), finite state machine (FSM)-based modelling (James et al., 2009; Carrier and Spafford, 2006), Coloured Petri Nets-based modelling (Stephenson, 2003), model-checking-based modelling (Arasteh et al., 2007), and logic-based modelling (Rekhis and Boudriga, 2011). However, none of these methods is able to cope with the two problems described above: they do not allow proving the events that occurred if the conducted scenarios include anti-forensic attacks, nor do they allow characterizing provable events and mitigating the effect of such attacks.
The aim of this research is to develop a theoretical technique of digital investigation that copes with attack scenarios that include anti-forensic techniques. We develop a formal logic-based model that allows describing the investigated system and the generated evidence under different layers of abstraction, allowing the investigator to tune the complexity of the investigation. We define the concept of Hierarchical Visibility as an extension of the Visibility theory previously defined in Rekhis and Boudriga (2009), which proves a given system property solely from incomplete observations of a system execution. We define Hierarchical Visibility to cope with a layered modelling of attack scenarios and to prove anti-forensic actions executed within attack scenarios over complex systems. The proof exploits knowledge about attack scenarios, the description of the deployed security solutions, and the information observable from the set of collected evidence. Using a set of propositions that exploit visibility properties, we describe situations where anti-forensic attacks would be potential or provable, and where traces of actions hidden by these attacks would become identifiable. We also propose a methodology, based on the use of the defined propositions, to support the investigation of anti-forensic attacks and extend the process of forensic investigation. This paper is an extension of the work proposed in Rekhis and Boudriga (2010), where the concept of anti-forensic attacks was first explored. The extension consists in choosing a new definition of anti-forensic attacks, developing new theoretical results regarding provable anti-forensic attacks, and providing a new methodology of forensic investigation using the theory of Hierarchical Visibility.
The paper's contribution is four-fold. First, we describe a logic-based formalism for the forensic digital investigation of security incidents over complex systems. Such a formalism allows complex systems to be modelled hierarchically, and defines the behaviour of security solutions and the manner in which they generate evidence. As most systems and applications are designed and developed in a layered form, the formalism we develop promotes the description of realistic specifications and allows investigators to tune the investigation complexity by choosing the adequate number of layers with which to model the system. Second, we define a theory of Visibility over hierarchical system specifications, which is useful to prove actions starting from a known library of attacks and a set of incomplete evidence in the form of traces of executed scenarios. Such a theory is tailored to the proof of anti-forensic actions and copes with the hierarchical modelling of complex systems. In addition, we describe a strategy for defining and selecting the optimal set of observation functions, representing security solutions, to make new forms of attacks visible from the evidence to be generated, consequently increasing the number of provable actions. Once visible, these attacks could be proved even if their traces are included in the generated evidence.
As a third contribution, our proposal allows modelling the major known categories of anti-forensic attacks. We start by modelling simple forms of anti-forensic attack scenarios obtained by the execution of recurrent series of events. In fact, during the execution of an attack scenario, every time an attacker generates a series of events to compromise some security properties of the target system, they may follow them by another series of malicious actions to make the system look safe again. In the second part of this proposal we turn to advanced forms of anti-forensic attacks that compromise security solutions that neither adequately protect the evidence they generate nor tolerate attacks and errors affecting their algorithms. Our formal approach supports proving both simple and advanced forms of anti-forensic attacks. In practice these attacks correspond to several classes, ranging from the overwriting of metadata and log files and generic data hiding techniques to memory injection and system call proxying.
Fourth, guided by the definition of anti-forensic attacks and the forms of potential and provable actions, we enhance the process of digital forensic investigation by integrating the use of Visibility theory in the preparation and analysis phases, making the process suitable for the investigation of systems subjected to anti-forensic attacks. Specifically, in the preparation phase, investigators can generate all potential forms of anti-forensic attacks targeting their systems from the systems' formal description and the content of the library of attacks. Investigators can then select the adequate security solutions that make these properties provable from the evidence that would be collected after the incident. In the analysis phase, starting from a collected set of compromised and secure evidence, an investigator is able to prove the occurrence of anti-forensic attacks and identify the hidden or inserted traces of executed actions within that evidence.
The remainder of this paper is organized as follows. The next section describes classes of anti-forensic attacks and reviews the literature in the field of formal forensic investigation. Section 3 identifies the requirements for a formal approach to digital investigation able to cope with situations where evidence is compromised, and to prove simple and advanced forms of anti-forensic attacks. In Section 4, a formal description of layered specifications of systems and attack scenarios is defined. Section 5 provides a model of security solutions, together with a description of the mechanisms of evidence generation. In Section 6, we define and provide a formal description of legitimate, regular, and anti-forensic malicious scenarios. After that, we define the concept of Visibility and formalize different ways of defining variants of Visibility. A methodology for proving anti-forensic attacks is defined. In Section 7, we formally describe advanced forms of anti-forensic attacks that target the observation systems, and we state a set of theoretical results, in the form of propositions, describing the situations under which these forms of anti-forensic attacks can be proved. Section 8 enhances the process of digital investigation by integrating the theory of Visibility. In Section 9 we discuss the most important properties of the proposal. Before concluding the work, we provide in Section 10 a case study that illustrates the use of Visibility theory.
Background and related works on anti-forensic attacks
Users with malicious intent and malware are increasingly using anti-forensic techniques to subvert forensic analysis and to avoid the detection and analysis of executed malicious actions and written code. These techniques target digital evidence by compromising its usefulness or availability to the forensic process. Unlike physical evidence, digital evidence can be easily modified, removed, hidden, or prevented from being created, possibly without leaving obvious traces that such an alteration has
Requirements and objectives of digital investigation of anti-forensic attacks
Digital investigation of anti-forensic attacks should meet several requirements that we describe hereinafter.
First, modern security attacks target a wide range of systems, from network gateways and servers to mobile phones. A framework of digital investigation should not only be able to model events on these different types of systems, but also cope with the complexity and variation of security attacks. Moreover, the framework should enable the reuse of existing data from the already
State-based formal description of investigated systems
In this section, we provide a formal description of investigated systems. We use a layered description of complex systems and a state-based formalism to model executable scenarios.
Modelling security solutions and mechanisms of evidence generation
Roughly speaking, a security solution is used to observe the attack scenarios executed on the system. Typically, this solution, which is installed to detect some anomalies or misuses on the system, is not able to monitor all the system components at once. In practice, every security solution is in charge of monitoring a subset of variables, and can therefore only follow the evolution of an attack scenario through the visible modifications of the observed variables.
Anti-forensic visibility: a theory for proving anti-forensic attacks
The aim of this section is to formalize the description of malicious scenarios, including anti-forensic attacks, and to develop a theory of Hierarchical Visibility to prove them starting from a set of incomplete evidence.
Coping with advanced forms of anti-forensic attacks
In the first part of this paper we based the definition of an anti-forensic attack on the safety properties of the system. In other words, we considered an anti-forensic attack scenario to be any succession of events that compromises the system security and later reverts the status of the system back to safe. An attentive reader will have noticed that such a definition requires the content of the collected evidence to be trusted.
Some forms of advanced anti-forensic attacks can affect the deployed
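As an added illustration, not part of the paper and not the authors' formalism (whose definitions are only summarised on this page), the Python sketch below models the ingredients that the preceding sections describe in prose: a state-based library of scenarios, observation functions that see only a subset of the system variables (the security solutions of Section 5), an anti-forensic scenario in the simple sense just given (the system is driven unsafe and later reverted to a safe-looking state), and a provability check in the spirit of Visibility: a property is provable from an observation when every library scenario consistent with that observation satisfies it. It also shows why the choice of observation function matters: a solution that records only the final privilege cannot distinguish the anti-forensic scenario from a legitimate session, while one that logs every privilege transition can. The variables `Pr` and `Cfg`, the three scenarios and the observation functions are constructed assumptions.

```python
"""Toy model of scenarios, observation functions and provability (added example)."""
from itertools import combinations
from typing import Callable, Dict, List, Tuple

State = Dict[str, str]
Action = Tuple[str, Dict[str, str]]      # (action name, variable updates)
Scenario = List[Action]
Evidence = tuple
Observation = Callable[[List[State]], Evidence]

# Constructed system with two variables (assumption, not the paper's case study):
#   Pr  - privilege of the connected user ("user" or "root")
#   Cfg - state of a protected configuration file ("clean" or "modified")
INITIAL: State = {"Pr": "user", "Cfg": "clean"}

# Constructed library of scenarios built from elementary actions.
LIBRARY: Dict[str, Scenario] = {
    "legitimate_session": [
        ("login", {"Pr": "user"}),
        ("read_cfg", {}),
        ("logout", {"Pr": "user"}),
    ],
    "regular_attack": [
        ("login", {"Pr": "user"}),
        ("escalate", {"Pr": "root"}),
        ("tamper_cfg", {"Cfg": "modified"}),
    ],
    # Compromise, then revert every observable variable to a safe-looking value.
    "anti_forensic_attack": [
        ("login", {"Pr": "user"}),
        ("escalate", {"Pr": "root"}),
        ("tamper_cfg", {"Cfg": "modified"}),
        ("restore_cfg", {"Cfg": "clean"}),
        ("drop_priv", {"Pr": "user"}),
    ],
}


def run(scenario: Scenario) -> List[State]:
    """Execute a scenario from INITIAL; return the sequence of states, initial first."""
    states = [dict(INITIAL)]
    for _, updates in scenario:
        nxt = dict(states[-1])
        nxt.update(updates)
        states.append(nxt)
    return states


def safe(state: State) -> bool:
    """Safety property: unprivileged user and untouched configuration."""
    return state["Pr"] == "user" and state["Cfg"] == "clean"


def is_anti_forensic(scenario: Scenario) -> bool:
    """Unsafe at some point of the execution, safe again at its end."""
    states = run(scenario)
    return any(not safe(s) for s in states) and safe(states[-1])


# Observation functions: each security solution sees only part of the execution.
def observe_final_pr(states: List[State]) -> Evidence:
    """A solution that reports only the privilege at the end of the session."""
    return (states[-1]["Pr"],)


def observe_pr_changes(states: List[State]) -> Evidence:
    """An audit log that records every privilege transition."""
    return tuple(s["Pr"] for i, s in enumerate(states)
                 if i == 0 or s["Pr"] != states[i - 1]["Pr"])


def consistent_scenarios(obs: Observation, evidence: Evidence) -> List[str]:
    """Library scenarios whose execution would have produced exactly this evidence."""
    return [name for name, sc in LIBRARY.items() if obs(run(sc)) == evidence]


def provable(obs: Observation, evidence: Evidence,
             prop: Callable[[Scenario], bool]) -> bool:
    """prop is provable iff every scenario consistent with the evidence satisfies it."""
    names = consistent_scenarios(obs, evidence)
    return bool(names) and all(prop(LIBRARY[n]) for n in names)


def separates(obs: Observation, prop: Callable[[Scenario], bool]) -> bool:
    """True if obs never gives the same evidence to a prop and a non-prop scenario."""
    traces = {name: obs(run(sc)) for name, sc in LIBRARY.items()}
    for a, b in combinations(LIBRARY, 2):
        if prop(LIBRARY[a]) != prop(LIBRARY[b]) and traces[a] == traces[b]:
            return False
    return True


if __name__ == "__main__":
    attack = run(LIBRARY["anti_forensic_attack"])
    for obs in (observe_final_pr, observe_pr_changes):
        ev = obs(attack)
        print(obs.__name__, ev, "consistent:", consistent_scenarios(obs, ev),
              "anti-forensic provable:", provable(obs, ev, is_anti_forensic))
```

Running the block shows the preparation-phase decision the paper describes: `separates(observe_final_pr, is_anti_forensic)` is false, so an investigator relying on that solution alone could never prove the anti-forensic scenario after the fact, whereas the transition log separates it from every other library scenario. The check is only as good as the library, which is exactly the completeness caveat raised in the Discussion section.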
Integrating Visibility theory to the forensic investigation process
The aim of this section is to show how an investigator can benefit from the Hierarchical Visibility theory and the formalism proposed in the previous sections. While several proposals in the literature describe the process of digital investigation, the vast majority of them are not supported by theories or proof techniques that maximize the reliability of the tasks they describe. While these processes differ in the number of steps and procedures that
Discussion
Despite its usefulness in proving simple and advanced forms of anti-forensic attacks, the approach proposed in this paper requires a complete library of attacks that contains no false descriptions of elementary actions. Such a requirement is fundamental in order to avoid false positive and false negative decisions. In fact, a missing fragment in the library could prevent the generation of some attack scenarios. Consequently, it may happen that some actions could not be identified as
Case study
To illustrate the proposal we consider a case study related to the investigation of anti-forensic attacks based on the use of general techniques of data hiding. We consider a system specified according to two abstraction layers, say l1 and l2, as shown in Fig. 3. In the first abstraction layer l1, which represents the user connection layer, two variables are defined, namely Pr and . Variable Pr is a primitive variable which represents the privilege granted to the user of the system.
Conclusion
In this work we developed a formal technique, based on the concept of Visibility, to cope with anti-forensic attacks, detect and mitigate their effects, and prove the events that occurred in the conducted scenarios starting from collected evidence and knowledge about attack scenarios. A set of propositions was developed to characterize provable evidence and to support the preparation and analysis phases of digital investigation.
Despite the formal nature of our proposal, we believe that it is enough
References
- et al. Categories of digital investigation analysis techniques based on the computer history model. Digital Investigation Journal; 2006.
- et al. Android anti-forensics through a local paradigm. Digital Investigation; 2010.
- Arriving at an anti-forensics consensus: examining how to define and control the anti-forensics problem. Digital Investigation; 2006.
- et al. Designing a cluster-based covert channel to evade disk investigation and forensics. Computers and Security; 2011.
- et al. Logic-based approach for digital forensic investigation in communication networks. Computers & Security; 2011.
- Altheide C, Merloni C, Zanero S. A methodology for the repeatable forensic analysis of encrypted drives. In:...
- et al. Analyzing multiple logs for forensic evidence. Digital Investigation; 2007.
- Data breach investigations report; 2011.
- Eckstein K, Jahnke M. Data hiding in journaling file systems. In: Proceedings of the 5th Annual Digital Forensic...
- Garfinkel S. Anti-forensics: techniques, detection and countermeasures. In: Proceedings of the 2nd International...
- Finite state machine analysis of a blackmail investigation. International Journal of Digital Evidence.
Dr. Slim Rekhis received his Ph.D. in Telecommunications from the Engineering School of Communications (SUP'Com, Tunisia) in 2007. He is currently an Assistant Professor at the School of Communication Engineering (SUP'Com, University of Carthage, Tunisia) and a member of the Communication Networks and Security (CN&S) Research Laboratory at the same university. Dr. Rekhis conducts research in the areas of digital investigation of security incidents, formal modelling, intrusion detection and tolerance, traceback of host and network attacks, and wireless security.
Prof. Noureddine Boudriga received his Ph.D. in Algebraic Topology from University Paris XI (France) and his Ph.D. in Computer Science from the University of Tunis (Tunisia). He is currently a full Professor of Telecommunications at the University of Carthage, Tunisia, and the Director of the Communication Networks and Security Research Laboratory (CN&S, University of Carthage). He has been involved in very active research in communication networks and system security. He has authored and co-authored many chapters and books on information security, the security of mobile networks, and communication networks, and has published over 250 refereed journal and conference papers.