• DocumentCode
    2524204
  • Title

    Burn Before Reading: A stealthy framework for combating live forensics examinations

  • Author

    Guirguis, Mina ; Valdez, Justin ; El Lababedi, B. ; Valdez, Justin

  • Author_Institution
    Comput. Sci. Dept., Texas State Univ., San Marcos, TX, USA
  • fYear
    2009
  • fDate
    Sept. 20 2009-Oct. 21 2009
  • Firstpage
    1
  • Lastpage
    10
  • Abstract
    Malicious Software/programs (malware) have grown to be quite sophisticated in their design causing significant levels of damage and for prolonged periods of time. Their capabilities encompass a wide range of activities; from simple monitoring/spying programs to more complex, highly destructive tools. Moreover, they typically aim to hide their own existence through a large number of techniques. To that end, this paper demonstrates that the full malicious potentials of malware have not been realized yet. In particular, we present a novel framework - which we term Burn Before Reading (BBR) - that actively aims to detect potential live forensics investigations and adapts the behavior of the malware online. In a nutshell, the BBR framework registers for a set of triggers that typically occur in live forensics investigations. Once a trigger fires, BBR executes actions as dictated by the malware to destroy any evidence. To remain stealthy during the execution of those actions, BBR utilizes control-theoretic actuators that dynamically adjust the timing information for the executing modules, at a very fine time scale (in the order of micro seconds). We study the stability regions for those actuators under different parameters. We believe that this framework can be used by malware to destroy incriminating evidence, their own signatures and their own existence and thus its capabilities should be brought to the attention of the forensics and security communities. We also discuss potential defense mechanisms against BBR.
  • Keywords
    invasive software; burn before reading; control-theoretic actuators; live forensics examinations; malicious program; malicious software; malware; potential defense mechanisms; Australia; Business; Counting circuits; Electronic mail; Forensics; Internet; Laboratories; Protocols; Psychology; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    eCrime Researchers Summit, 2009. eCRIME '09.
  • Conference_Location
    Tacoma, WA
  • Print_ISBN
    978-1-4244-4625-4
  • Type

    conf

  • DOI
    10.1109/ECRIME.2009.5342613
  • Filename
    5342613