Cybercrime Method Doubles Computer Crime-Solving Evidence

In the latest issue of the International Journal of Digital Evidence, University of Florida doctoral student Mark Foster details a new “process forensics” technique that can yield twice as much forensic evidence to unmask the perpetrators of computer crimes.

Foster, who co-authored the paper with UF computer science professor Joseph Wilson, says the method combines intrusion-detection and checkpointing technology to provide digital investigators with the most possible data to solve a case.

The UF student says the technique takes a new spin on cybercrime by focusing on intruders who want to hack a running program.

International Journal of Digital Evidence editor John Leeson thinks Foster’s method will help digital detectives contend with hacks as they occur. Process forensics uses an intrusion-detection system that automatically creates checkpoints or intermittent snapshots of a running computer program. The method is directed at hackers who target host-based systems using exploits such as buffer overflow attacks, in which the intruder infiltrates the system through a flaw in a running program.

Another advantage of Foster’s technique is that users do not need to be trained to use the intrusion-detection system. “I like the fact that [Foster is] taking a proactive approach–forensics for years has been a reactive field,” Leeson notes.
Abstracted by the National Law Enforcement and Corrections Technology Center(NLECTC) from Newswise (11/16/04) .