Theoretical Aspects of Digital Investigation of Security Incidents
Authors
Abstract
Slim Rekhis. Theoretical Aspects of Digital Investigation of Security Incidents. PhD thesis, Engineering School of Communications (Sup'Com), Networks and Security Research Lab (CN&S), February 2007. (Supervised by Prof. Noureddine Boudriga.)
While research in computer security has started to give importance to the digital investigation of security incidents, the focus is still on the development of procedural guidelines and technical documents for investigating specific software. Several issues remain unsolved, including a) the need for formalization of the investigation reasoning, b) the misconception of uncertainty in the investigator's knowledge and in the collected evidence, c) tolerance to digital anti-forensic attacks, and d) network digital investigation in wireless networks. This thesis enriches digital investigation with several formal theories and techniques and uses them to alleviate the above shortcomings, providing a contribution along three axes. In the first axis, we focused on providing a logic-based investigation theory. We introduced a novel logic, entitled Temporal Logic of Security Actions, together with its logic-based language. These are used to formally specify the set of available evidence and the investigator's knowledge, and to infer the potential attack scenarios as a sequence of events that moves the system from a safe state to a set of final states satisfying the evidence. To tolerate missing evidence and missing information about the incident and the investigated systems, two different techniques for reasoning with hypotheses were explored. A model checker that integrates automated generation and management of hypotheses was also provided. In the second axis, we developed a formal verification theory for digital investigation based on the concept of Opacity, which we extended with new classes and properties to support multiple observations and to handle cooperative digital investigation. This concept was integrated into the Temporal Logic of Security Actions to automate the reconstruction of potential attack scenarios with respect to the investigators' observations, and to verify the Opacity properties. We also provided a novel theoretical concept, entitled Visibility, and set up its relation to network digital investigation, particularly the investigation of source address spoofing attacks in packet-switching communication protocols. In the third axis, we extended the scope of digital investigation to different layers, particularly systems, networks, and disks. First, we set up a formal and automated approach based on the Temporal Logic of Security Actions to support the computer investigation of systems that are exposed to disk-based anti-forensic attacks. Second, we proposed two novel techniques for tracing intruders' sources in wired and wireless ad-hoc networks, respectively. Third, we provided a Cooperative Intrusion Detection and Tolerance System that uses network-level, host-level and storage-level information to better detect intrusion attempts in their early stages, and that allows tracing users' activities in terms of opened sockets, involved processes, and disk block read/write requests.
Similar sources
Investigating Attack Scenarios in Multihop Wireless Systems
Digital investigation of security incidents in the context of wireless networks has scarcely interested the recent research works. The existing schemes, which were developed for wireline networks, are unable to address the mobility of attackers, the lack of infrastructure, and the evidence collection in hostile environment. To cope with multihop systems, digital investigation schemes require c...
Iranian Electrical Production and Consumption System Modeling: A Theoretical Study for Investigation of Possible Scenarios
Concerns related to climate change and security of energy supply are pushing various countries to make strategic energy planning decisions. In this regard, energy system modelling is an appropriate method to find out the utilization of current declining non-renewable energy resources and other possible scenarios. Consequently, it is available to consider various aspects of energy system decision...
Forensic Investigation in Communication Networks Using Incomplete Digital Evidences
Security incidents targeting information systems have become more complex and sophisticated, and intruders might evade responsibility due to the lack of evidence to convict them. In this paper, we develop a system for Digital Forensic in Networking, called DigForNet, which is useful to analyze security incidents and explain the steps taken by the attackers. DigForNet combines intrusion response...
An Exploratory Investigation of Factors Affecting Computer Security Incident Response Team Performance
There has been a huge amount of organizational investment to cope with computer security incidents, but the incidents continue and are expected to increase. Computer security incidents in organizations are primarily dealt with by computer security incident response teams (CSIRT). How the team successfully develops and operates is critical for effective and efficient responses to the incidents. ...
NMBaaS (Non-Malicious Botnet as a service): Achieving Digital forensic Readiness in a private cloud using NMBaaS
The pervasiveness of the Internet, the increased number of devices and the dissemination of ICT have played a big role in the increase in the number of security incidents and adversaries in the cloud. However, there are limited proactive strategies that can enable mitigation of these incidents given the distributed nature of cloud resources. Therefore, the primary aim of the work described in this prop...
Publication date: 2007