Inferring Past Activity from Partial Digital Artifacts (an OSDFCon presentation)
This week we continue our blog series covering the speakers and topics we’re offering at OSDFCon in Herndon this coming October. Jim Jones, Associate Professor of Computer Forensics and Cybersecurity Engineering at George Mason University and a 20-year cyber security veteran, talks about digital artifacts as the pieces of a puzzle depicting the what, where, when, and how of an incident:

BT: Your talk topic this year is “Inferring Past Activity from Partial Digital Artifacts.” What drove you to research this topic?

JHJ: I’m drawn to problems that involve figuring out what happened in the past, be it archaeology, accident reconstruction, Sherlock Holmes stories, cyber incident response, etc. This topic is a digital version of that type of problem, where we have some fragments of digital artifacts and want to know what happened in the past.

We’re inferring past application activity on a system, typically where the user is trying to hide the activity. For example, a malicious user might install a network sniffer, use it to capture passwords, then uninstall it to try and remove evidence of their activity. Similarly, an attacker might install keylogging or screen capturing malware, use it for a while, then uninstall the malware to hide their tracks. In any case, we’re collecting the pieces of the application that inevitably remain, and reasoning over these pieces (partial artifacts) to infer past presence of the application. This work could apply to data breaches, insider activity, counterintelligence, etc. – anywhere we need to know that an application was present in the past but is no longer installed.

BT: What is the 2-line reason why a practitioner should attend your talk — what will they learn?

JHJ: How to determine past activity on a digital system when the application of interest has been uninstalled and the system has been rebooted and remained in use. Whole artifacts, i.e., files, are no longer intact; we only have residual parts of these files, and we reason over these fragments to determine past activity.
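As an added illustration that is not part of the interview and not Prof. Jones's own research code: one simple way to reason over residual fragments is to sector-hash a disk image against a catalog built from the known files of each application, discount sectors shared between applications, ignore null-filled sectors that would match anything, and report what fraction of each application's unique sectors still survives. The application files and the post-uninstall image below are constructed sample data, and the code assumes file data in the image is sector-aligned.

```python
import hashlib
import random
from collections import defaultdict

SECTOR = 512

def informative(chunk, min_distinct=16):
    # Skip null-filled / near-constant sectors: they match everything and prove nothing.
    return len(set(chunk)) >= min_distinct

def sector_hashes(data):
    # Hash each 512-byte sector; assumes file data in the image is sector-aligned.
    return [hashlib.sha256(data[i:i + SECTOR]).hexdigest()
            for i in range(0, len(data), SECTOR) if informative(data[i:i + SECTOR])]

def build_catalog(apps):
    # sector hash -> set of applications whose files contain that sector
    catalog = defaultdict(set)
    for app, files in apps.items():
        for content in files.values():
            for h in sector_hashes(content):
                catalog[h].add(app)
    return catalog

def infer_presence(image, apps, catalog):
    # Per application: fraction of its app-unique sectors that survive in the image.
    survivors = set(sector_hashes(image))
    scores = {}
    for app, files in apps.items():
        unique = {h for c in files.values() for h in sector_hashes(c) if catalog[h] == {app}}
        scores[app] = len(unique & survivors) / len(unique) if unique else 0.0
    return scores

# Constructed sample data (not a real image): two "applications" sharing one library sector.
rng = random.Random(7)
LIB = rng.randbytes(SECTOR)  # sector common to both apps, must be discounted as evidence
APPS = {
    "sniffer": {"sniff.exe": rng.randbytes(4 * SECTOR) + bytes(SECTOR),  # ends in null padding
                "capture.dll": rng.randbytes(3 * SECTOR) + LIB},
    "editor": {"edit.exe": rng.randbytes(3 * SECTOR) + LIB},
}
CATALOG = build_catalog(APPS)
# Image after uninstall and continued use: 3 of the sniffer's 7 unique sectors remain,
# plus the shared library sector and unrelated new data.
IMAGE = (bytes(SECTOR) + APPS["sniffer"]["sniff.exe"][:2 * SECTOR] + rng.randbytes(2 * SECTOR)
         + APPS["sniffer"]["capture.dll"][SECTOR:2 * SECTOR] + LIB + rng.randbytes(SECTOR))

if __name__ == "__main__":
    for app, score in infer_presence(IMAGE, APPS, CATALOG).items():
        print(f"{app}: {score:.0%} of unique sectors recovered")
```

The score is only as good as the catalog and the alignment assumption: fragments that straddle sector boundaries, or files from an application version not in the catalog, go unmatched.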

BT: What brought you into the digital forensics domain?

JHJ: A passion for puzzles and mysteries. I spent some years securing systems, then some years breaking them. When I drifted into the logical next step, i.e., looking at the digital debris when someone else broke a system, I knew I had found my calling.

BT: What is your favorite aspect of digital forensics?

JHJ: The hunt. Finding the needle in the haystack that solves a case is gratifying, but the hunt itself is immensely gratifying on a personal and professional level. Working a case can and frequently does consume me, to the extent that it’s all I think about for a series of days. If I were an animal, I’d be a Jack Russell terrier – if you’ve ever seen one locked on to a chew toy, you’ll understand.

BT: How do open source digital forensics tools make your research and/or your investigative work easier?

JHJ: I continue to be awed by the contributions of others to open source tools. Many of these tools are as good or better than commercial closed source tools, and they have the added advantage that I can see how they work. As a university-based researcher, I can stand on the shoulders of giants on a limited budget.

BT: Besides presenting, what are you looking forward to most about OSDFCon 2015?

JHJ: The other presentations and the time talking with others working in this domain. So many people have great ideas and are doing great work – the conference exposes me to their work and always generates lots of ideas.

BT: What’s next for your research?

JHJ: We’re starting to apply our approach to malware, and we’re adapting the approach for mobile devices.

Learn more about Jim’s approach to partial digital artifacts and the wealth of other research being presented at OSDFCon — register to attend here. We look forward to seeing you October 28!