DocumentCode :
1376584
Title :
A System for Formal Digital Forensic Investigation Aware of Anti-Forensic Attacks
Author :
Rekhis, Slim ; Boudriga, Noureddine
Author_Institution :
Commun. Networks & Security Res. Lab., Univ. of Carthage, Ariana, Tunisia
Volume :
7
Issue :
2
fYear :
2012
fDate :
4/1/2012 12:00:00 AM
Firstpage :
635
Lastpage :
650
Abstract :
To defeat the investigation process and make the analysis and reconstruction of attack scenarios difficult, challenging, or even impossible, attackers are motivated to conduct anti-forensic attacks. Several methods have been proposed in the literature to formally reconstruct the sequence of events executed during an incident using theoretical and scientifically proven methods. However, these methods are not tailored to cope with anti-forensic attacks: they assume that the collected evidence is trusted, do not model anti-forensic actions, and do not characterize provable anti-forensic attacks based on knowledge of attacks, security solutions, and the forms of evidence expected to be generated. In this work we develop a theoretical approach to digital investigation that is aware of anti-forensic attacks. After describing an investigation process able to address these attacks, we develop a state-based logic to describe the investigated system, the deployed security solutions, the evidence they provide, and the library of attacks. An inference system is proposed to mitigate anti-forensic attacks and generate potential scenarios starting from traces that were targeted by these attacks. To exemplify the proposal, we provide a case study of the investigation of an incident that exhibited anti-forensic attacks.
Keywords :
computer forensics; formal logic; inference mechanisms; antiforensic attacks; digital investigation; inference system; security solution; state based logic; Analytical models; Computational modeling; Digital forensics; Libraries; Observers; Security; Anti-forensic attacks investigation; formal attack scenarios reconstruction; inference system;
fLanguage :
English
Journal_Title :
IEEE Transactions on Information Forensics and Security
Publisher :
ieee
ISSN :
1556-6013
Type :
jour
DOI :
10.1109/TIFS.2011.2176117
Filename :
6081933