Title :
Certificates for Verifiable Forensics
Author :
Jagadeesan, Radha ; Lubinski, C.M. ; Pitcher, Corin ; Riely, James ; Winebrinner, Charles
Abstract :
Digital forensics reports typically document the search process that has led to a conclusion, the primary means to verify the report is to repeat the search process. We believe that, as a result, the Trusted Computing Base for digital forensics is unnecessarily large and opaque. We advocate the use of forensic certificates as intermediate artifacts between search and verification. Because a forensic certificate has a precise semantics, it can be verified without knowledge of the search process and forensic tools used to create it. In addition, this precision opens up avenues for the analysis of forensic specifications. We present a case study using the specification of a deleted file. We propose a verification architecture that addresses the enormous size of digital forensics data sets. As a proof of concept, we consider a computer intrusion case study, drawn from the Honey net project. Our Coq formalization yields a verifiable certificate of the correctness of the underlying forensic analysis.
Keywords :
digital forensics; trusted computing; Coq formalization; Honeynet project; computer intrusion; deleted file specification; digital forensic data sets; forensic specifications; forensic tools; search process; trusted computing base; verifiable forensic certificates; verification architecture; Data structures; Digital forensics; Libraries; Software; Transform coding; Coq; forensic certificates; theorem proving; trustworthy digital forensics; verifiable forensics; verification;
Conference_Titel :
Computer Security Foundations Symposium (CSF), 2014 IEEE 27th
Conference_Location :
Vienna
DOI :
10.1109/CSF.2014.11
