Title :
An Automatic Identification of a Damaged Malicious File Using HMM against Anti-Forensics
Author :
Ryu, Dongju ; Minsoo Kim ; Kim, Yong-Min
Author_Institution :
Mokpo Univ., UNETsystem Corp., Chonnam
Abstract :
These days, increasing use of the Internet has brought many attempts to steal personal information. These unlawful users usually hide or destroy the evidence of their crimes to avoid arrest, which obstructs investigation. To cope with this, investigators use various methods to find evidence, and forensic investigation techniques are also developing. Forensic tools can recover a deleted file even after the disk has been formatted. However, it is hard to know the original attributes when the header of a file is damaged. Data carving partly supports restoration, but it can't find the attributes of clusters in small units. In this paper, we study a way to find out the attributes of the original file even from small clusters. We also present a method to decide whether a damaged file is malicious or not by analyzing the properties of the executable file. We use HMM's modeling techniques for the automatic detection method, and propose an estimation method to identify malicious file information. Finally, we test the whole process of analyzing clusters after formatting a real system that contains attack code designed to disturb its recovery.
Keywords :
Internet; hidden Markov models; security of data; HMM; Internet; anti-forensics; automatic file identification; damaged malicious file; forensics investigation; hidden Markov model; personal information; Accidents; Computer networks; Forensics; Hidden Markov models; IP networks; Information management; Information technology; Internet; Layout; System testing; Anti-Forensics; Damaged Malicious File; File Recovery; Forensics; Identification File Type;
Conference_Titel :
Networked Computing and Advanced Information Management, 2008. NCM '08. Fourth International Conference on
Conference_Location :
Gyeongju
Print_ISBN :
978-0-7695-3322-3
DOI :
10.1109/NCM.2008.255