• One of the major interests of research in digital forensic investigation is the development of theoretical and scientifically proven methods of incident analysis. However, two main problems, which remain unsolved in the literature, could render formal incident analysis inconclusive. The first is the absence of techniques to cope with anti-forensic attacks and to reconstruct scenarios when evidence has been compromised by such attacks. The second is the lack of theoretical techniques, usable during system preparation (the phase that precedes the occurrence of an incident), to assess whether the evidence that will be generated would be sufficient to prove the relevant events that occurred on the compromised system in the presence of anti-forensic attacks.
• The aim of this research is to develop a theoretical technique of digital investigation that copes with anti-forensic attacks. After developing a formal logic-based model that allows complex investigated systems and the generated evidence to be described at different levels of abstraction, we extend the concept of Visibility to characterize situations in which anti-forensic attacks would be provable and traces of actions hidden by these attacks would become identifiable. A methodology showing the use of Visibility properties during the investigation of anti-forensic attacks is described, and a case study exemplifying the proposal is provided.

The aim of this research is to develop a theoretical technique of digital investigation that copes with anti-forensic attacks. We develop a formal logic-based model that allows the investigated system and the generated evidence to be described at different layers of abstraction, so that the investigator can tune the complexity of the investigation. We enrich the concept of Visibility, which was previously defined in to prove a given system property solely from incomplete observations of a system execution. We define a new set of Visibility properties to cope with a layered modeling of attack scenarios and to describe properties of the complex and primitive actions executed within attack scenarios, based on what is observable from the collected evidence. Using a set of propositions that exploit Visibility properties, we describe situations in which anti-forensic attacks would be potential or provable and traces of actions hidden by these attacks would become identifiable. We then propose a methodology, based on the use of the defined propositions, to support the investigation of anti-forensic attacks.
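A toy rendering of the Visibility propositions just described, added here as an illustration and not code from the paper: a small transition system in which an attacker may exfiltrate a file and later wipe the audit log. An execution is consistent with an observation when its final state matches the partial view the investigator collected; a property is "provable" when it holds in every consistent execution and "potential" when it holds in only some. The system, its actions and the observations are constructed for the example.

```python
from itertools import product

# Constructed toy system. "exfil" and "read" each append an audit-log entry;
# "wipe" is the anti-forensic action: it removes every entry but leaves a wipe marker.
ACTIONS = ("read", "exfil", "wipe", "idle")
INITIAL = (False, (), False)  # (file_accessed_by_attacker, log_entries, log_wiped)

def step(state, action):
    """Transition function of the toy system."""
    accessed, log, wiped = state
    if action == "read":
        return (accessed, log + ("access:user",), wiped)
    if action == "exfil":
        return (True, log + ("access:attacker",), wiped)
    if action == "wipe":
        return (accessed, (), True)
    return state  # idle

def executions(initial, length):
    """Every execution of the given length: (action sequence, final state)."""
    for seq in product(ACTIONS, repeat=length):
        s = initial
        for a in seq:
            s = step(s, a)
        yield seq, s

def consistent(final_state, observation):
    """The investigator only sees the log and the wipe marker, not the hidden flag."""
    _, log, wiped = final_state
    return log == observation["log"] and wiped == observation["wipe_marker"]

def visibility(initial, length, observation, prop):
    """'provable' if prop holds in all executions consistent with the observation,
    'potential' if it holds in at least one of them, 'refuted' otherwise."""
    verdicts = [prop(seq, s) for seq, s in executions(initial, length)
                if consistent(s, observation)]
    if verdicts and all(verdicts):
        return "provable"
    if any(verdicts):
        return "potential"
    return "refuted"

def exfil_happened(seq, state):
    return "exfil" in seq

def wipe_happened(seq, state):
    return "wipe" in seq
```

With an intact log showing the attacker's access, exfiltration is provable; with an empty log and a wipe marker, the wipe itself is provable while the exfiltration it may have hidden is only potential.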
• The defined FSM supports a large number of states and advanced forms of transition functions, in order to cope with the complexity of systems and data structures. The approach uses the evidential statement formalism to describe the evidence. However, it does not support the reconstruction of plausible scenarios when that evidence has been subjected to anti-forensic attacks.
• The proposed approach consists in formulating hypotheses about clock adjustments and verifying them by testing their consistency with the observed evidence. Later in, the testing of hypothesis consistency is enhanced by constructing a model of the actions that affect timestamps in the investigated system. An action may affect several timestamps by setting new values and removing the previous ones. Since incorrect timestamp values may indicate that the evidence was subjected to an anti-forensic attack, both approaches are suitable for mitigating this type of anti-forensic attack. However, they do not provide a theory for characterizing provable evidence.
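An added example, not taken from the cited work, of the hypothesis-testing idea above: each hypothesis states which timestamps were written while the system clock was offset by a given amount, and it is kept only if the corrected times respect the known causal order of the actions and a trusted external anchor. The events, candidate offsets and anchor are constructed for the example.

```python
from itertools import combinations

# Constructed evidence: timestamps (seconds) read from the suspect system's clock.
OBSERVED = {"download": 1200, "created": 1300, "modified": 1100}
# Causal knowledge about the actions: each (earlier, later) pair must hold in true time.
HAPPENS_BEFORE = [("download", "created"), ("created", "modified")]
# Trusted external anchors, e.g. a proxy log: event -> true time.
ANCHORS = {"download": 1200}
# Clock offsets the investigator hypothesises (clock = true time + offset).
CANDIDATE_OFFSETS = (-300, 300)

def corrected_times(observed, offset, adjusted):
    """Undo the hypothesised offset for the events timestamped while it was in effect."""
    return {e: (t - offset if e in adjusted else t) for e, t in observed.items()}

def consistent(times, happens_before, anchors):
    """Corrected times must respect every causal pair and every external anchor."""
    order_ok = all(times[a] < times[b] for a, b in happens_before)
    anchor_ok = all(times[e] == t for e, t in anchors.items())
    return order_ok and anchor_ok

def consistent_hypotheses(observed, happens_before, anchors, offsets):
    """Enumerate (offset, adjusted events) hypotheses, the null hypothesis included,
    and return those consistent with the evidence."""
    events = sorted(observed)
    hyps = []
    if consistent(observed, happens_before, anchors):
        hyps.append((0, frozenset()))  # no clock adjustment needed
    for offset in offsets:
        for k in range(1, len(events) + 1):
            for adjusted in combinations(events, k):
                times = corrected_times(observed, offset, set(adjusted))
                if consistent(times, happens_before, anchors):
                    hyps.append((offset, frozenset(adjusted)))
    return hyps

def clock_adjustment_indicated(hyps):
    """True when every consistent explanation requires a clock adjustment, i.e. the
    timestamps cannot be explained without tampering with the clock."""
    return bool(hyps) and all(adjusted for _, adjusted in hyps)
```

For the constructed evidence the only surviving hypothesis is that the clock had been set back by 300 seconds when the "modified" timestamp was written.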
• The definition of a system execution, as provided in the previous subsection, cannot be used to model the behavior of modern systems, which support the execution of complex actions and the storage of data in complex structures. Based on this observation, we extend the description of a system execution so that it is composed of complex system states generated by executing complex actions.
• Due to the complexity, diversity and multiplicity of attack scenarios, providing a formal model that simplifies their description and generation is of utmost importance. A thorough analysis of recent attack scenarios shows that they share practically the same intrusion scheme, differing mostly in the composition and succession of the executed actions.
Hardware requirements:
• Processor: Pentium IV 2.70 GHz
• RAM: [value garbled] MB
• Hard disk: 20 GB

Software requirements:
• Language: Java
• Front end: Swing
• Operating system: Windows XP
• File server: the server that holds the files is called the file server. It contains the files whose information we need to access, and it replies to any access performed by a client.

• Authentication: this module checks that whoever accesses the information is an authenticated user. It admits only authenticated users and blocks unauthenticated ones.

• Application: this application delivers the information to the client. It serves only authenticated users and gives the user the information requested.

• Attacker: this is the attacker who attacks the file server and prevents the information on the file server from reaching the client who is accessing it. The attacker enters through the network layers and performs the attack.

• Investigator: the investigator comes into play when an anti-forensic attack has hit the file system. To investigate that attack, the investigator module provides information about it: the details, timing information, a description, etc.
• This digital investigation will be carried out in an ad hoc network, and performance can also be increased. The process can be implemented for covert channels and residual data wiping, which widens the range of applications. Various features can be added to the investigation according to the user's needs. The investigation is carried out without the process being affected by the investigator.
• In this work, a formal technique based on the concept of Visibility was developed to cope with anti-forensic attacks, detect and mitigate their effects, and prove events that occurred in the conducted scenarios starting from the collected evidence and knowledge about attack scenarios. A set of propositions was developed to characterize provable evidence and to support the preparation and analysis phases of digital investigation. Future work will address extending the Visibility concept to cope with unknown attack scenarios.

[1] S. Rekhis and N. Boudriga, "Visibility: a novel concept for characterising provable network digital evidences," International Journal of Security and Networks, vol. , no. , pp. 232, 2009.
[2] T. Stallard and K. Levitt, "Automated analysis for digital forensic science: Semantic integrity checking," in Proceedings of the 19th Annual Computer Security Applications Conference, Las Vegas, Nevada, USA, December 2003.
[3] J. James, P. Gladyshev, M. T. Abdullah, and Y. Zhu, "Analysis of evidence using formal event reconstruction," in Proceedings of the International Conference on Digital Forensics and Cyber Crime, 2009.
[4] B. D. Carrier and E. H. Spafford, "Categories of digital investigation analysis techniques based on the computer history model," Digital Investigation Journal, vol. 3, no. S, pp. 230, August 2006.
[5] P. Stephenson, "Modeling of post-incident root cause analysis," International Journal of Digital Evidence, vol. 2, no. 2, pp. 6, 2003.
