Digital Forensic Investigative Tools: Identifying Intrusion and Unauthorized Activities
Law enforcement officers need to identify any malicious software present on a computer of interest. If that computer sits
on a corporate network, for example, malicious software located elsewhere on the network might be used to destroy evidence
once the computer is seized by law enforcement.
To support law enforcement in this endeavor, NIJ is funding a WetStone Technologies project called "Trait Analytic Program
Search" (TAPS) to further research detection methods for malicious applications. The project is being developed
as an optional component of the US-LATT tool (see "Preventing Data Loss When Seizing Electronic Devices of Interest" for more information).
TAPS researchers identify the traits of malicious software: code, data, system-call and other common software
characteristics. A knowledge base of these characteristics will be created so that an application can be judged benign or
malicious by the traits it exhibits rather than by its exact appearance.
TAPS researchers are particularly interested in two types of malicious code that can change their appearance without
losing their core functionality (collectively called "morphing code"):
- Polymorphic code — code that re-encodes itself on each generation (typically with a different key and decoder) while the
underlying algorithm stays the same, so a byte pattern taken from one copy does not match the next.
- Metamorphic code — code that rewrites its own instructions (reordering them, substituting equivalent instructions, inserting
junk) to avoid detection by pattern-matching antivirus software, while still carrying out its original malicious function.
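The following is an added illustration of why a trait knowledge base survives morphing code where a byte signature does not. It is constructed for this article and is not TAPS, US-LATT or WetStone code. The "payload" is a fake instruction stream whose only meaning is the API names it mentions; the XOR decoder layout, the no-op insertion, the API names used as system-call traits and the knowledge-base weights are all invented assumptions. A polymorphic generation wraps the payload in a decoder with a fresh key and padding; a metamorphic generation rewrites the payload itself. An exact signature from one generation misses the next, but the extracted traits, and therefore the classification, are unchanged.

```python
"""Toy trait-based detection versus byte-signature detection (added example).

Nothing here is executable code: PAYLOAD is a constructed text stream whose
only semantics are the 'call <name>' tokens it contains.
"""
import random
import re
from typing import Optional, Set, Tuple

# Constructed payload: a fake instruction stream, not real machine code.
PAYLOAD = (b"call VirtualAllocEx; call WriteProcessMemory; "
           b"call CreateRemoteThread; call InternetOpenUrlA; ret")
# Constructed benign sample for comparison.
BENIGN_SAMPLE = b"call CreateFileW; call MessageBoxW; ret"

# Fixed prefix of the toy decoder stub; only the padding and the key vary.
DECODER_MAGIC = b"\xebXORDEC"
NOP = 0x90


def polymorphic_generation(payload: bytes, key: int, pad: int) -> bytes:
    """One polymorphic generation: stub + NOP padding + key byte + XOR-encoded body."""
    if not 0 <= key <= 255 or key == NOP:
        raise ValueError("key must be one byte and must not look like padding")
    body = bytes(b ^ key for b in payload)
    return DECODER_MAGIC + bytes([NOP]) * pad + bytes([key]) + body


def metamorphic_generation(payload: bytes, seed: int) -> bytes:
    """One metamorphic generation: same instructions, junk 'nop's spliced between them."""
    rng = random.Random(seed)
    out = []
    for instruction in payload.split(b"; "):
        out.append(instruction)
        out.extend([b"nop"] * rng.randint(1, 3))
    return b"; ".join(out)


def signature_matches(sample: bytes, signature: bytes) -> bool:
    """Classic pattern-matching check: exact byte substring."""
    return signature in sample


def unwrap(sample: bytes) -> Optional[bytes]:
    """Do statically what the decoder stub would do at run time; None if there is no stub."""
    if not sample.startswith(DECODER_MAGIC):
        return None
    i = len(DECODER_MAGIC)
    while i < len(sample) and sample[i] == NOP:
        i += 1
    if i >= len(sample):
        return None
    key = sample[i]
    return bytes(b ^ key for b in sample[i + 1:])


def extract_traits(sample: bytes) -> Set[str]:
    """Code and system-call traits, read from the decoded body when a stub is present."""
    traits = set()
    body = unwrap(sample)
    if body is None:
        body = sample
    else:
        traits.add("code:self-decoding-stub")
    for call in re.findall(rb"call (\w+)", body):
        traits.add("syscall:" + call.decode("ascii"))
    return traits


# Constructed knowledge base: weight > 0 means the trait is mostly seen in
# malicious software, weight < 0 mostly in benign software.
KNOWLEDGE_BASE = {
    "code:self-decoding-stub": 2.0,
    "syscall:VirtualAllocEx": 2.0,
    "syscall:WriteProcessMemory": 3.0,
    "syscall:CreateRemoteThread": 3.0,
    "syscall:InternetOpenUrlA": 1.0,
    "syscall:CreateFileW": 0.0,
    "syscall:MessageBoxW": -1.0,
}
THRESHOLD = 5.0


def score(traits: Set[str], kb=KNOWLEDGE_BASE) -> float:
    """Sum the knowledge-base weights of the traits a sample exhibits."""
    return sum(kb.get(t, 0.0) for t in traits)


def classify(sample: bytes) -> Tuple[str, float]:
    """Label a sample by comparing its trait score with the threshold."""
    s = score(extract_traits(sample))
    return ("malicious" if s >= THRESHOLD else "benign"), s


if __name__ == "__main__":
    gen1 = polymorphic_generation(PAYLOAD, 0x5A, 3)
    gen2 = polymorphic_generation(PAYLOAD, 0xC3, 7)
    sig = gen1[-24:]  # a signature an analyst might derive from gen1
    print("signature hits gen1:", signature_matches(gen1, sig))
    print("signature hits gen2:", signature_matches(gen2, sig))
    for name, sample in [("poly gen1", gen1), ("poly gen2", gen2),
                         ("metamorphic", metamorphic_generation(PAYLOAD, 7)),
                         ("benign", BENIGN_SAMPLE)]:
        print(name, classify(sample))
```

The two polymorphic generations share no 24-byte substring because every body byte is XORed with a different key, so the signature lifted from the first misses the second; the metamorphic generation has no decoder at all and a different byte layout each time. The trait extractor still sees the same system calls in all of them, which is the property a trait knowledge base relies on.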
If the project goals are met, the TAPS tool could help:
- Detect the presence of previously unseen malicious software.
- Improve understanding and early warning of potentially dangerous cyberweapons.
- Collect statistical data on malicious code and software traits.
- Identify which malicious programs are running on a machine at a crime scene before first responders turn off and remove the
device — a process known as live forensics.
- Increase speed and accuracy when identifying malicious computer applications.
Date Created: November 5, 2010