Certificates for Verifiable Forensics

Author

Jagadeesan, Radha ; Lubinski, C.M. ; Pitcher, Corin ; Riely, James ; Winebrinner, Charles

fYear

2014

fDate

19-22 July 2014

Firstpage

33

Lastpage

47

Abstract

Digital forensics reports typically document the search process that has led to a conclusion, the primary means to verify the report is to repeat the search process. We believe that, as a result, the Trusted Computing Base for digital forensics is unnecessarily large and opaque. We advocate the use of forensic certificates as intermediate artifacts between search and verification. Because a forensic certificate has a precise semantics, it can be verified without knowledge of the search process and forensic tools used to create it. In addition, this precision opens up avenues for the analysis of forensic specifications. We present a case study using the specification of a deleted file. We propose a verification architecture that addresses the enormous size of digital forensics data sets. As a proof of concept, we consider a computer intrusion case study, drawn from the Honey net project. Our Coq formalization yields a verifiable certificate of the correctness of the underlying forensic analysis.

Keywords

digital forensics; trusted computing; Coq formalization; Honeynet project; computer intrusion; deleted file specification; digital forensic data sets; forensic specifications; forensic tools; search process; trusted computing base; verifiable forensic certificates; verification architecture; Data structures; Digital forensics; Libraries; Software; Transform coding; Coq; forensic certificates; theorem proving; trustworthy digital forensics; verifiable forensics; verification;

fLanguage

English

Publisher

ieee

Conference_Titel

Computer Security Foundations Symposium (CSF), 2014 IEEE 27th

Conference_Location

Vienna

Type

conf

DOI

10.1109/CSF.2014.11

Filename

6957101