Digital Forensic Investigative Tools: Identifying Intrusion and Unauthorized Activities

Law enforcement officers need to identify any malicious software present on a computer of interest. If that computer is on a corporate network, for example, malicious software located elsewhere on the network could be used to destroy evidence once the computer is seized.

To support law enforcement in this endeavor, NIJ is funding a WetStone Technologies project called "Trait Analytic Program Search" (TAPS) that plans to further research detection methods for malicious applications. The project is being developed as an optional component of the US-LATT tool (see "Preventing Data Loss When Seizing Electronic Devices of Interest" for more information).

TAPS researchers identify the traits of malicious software: code, data, system-call and other software characteristics that a program exhibits regardless of its exact bytes. A knowledge base of these characteristics will be built so that benign and malicious applications can be distinguished by the traits they share with known samples rather than by fixed byte patterns.

TAPS researchers are particularly interested in two types of malicious code that change their appearance from one copy to the next without losing their core functionality (collectively called "morphing code"):

  • Polymorphic code — code whose body is re-encoded (typically re-encrypted with a new key, with a varying decryption routine) on each generation while the underlying algorithm is unchanged; a fixed byte signature taken from one copy will not find the others.
  • Metamorphic code — code that rewrites its own instructions on each generation (reordering independent operations, substituting equivalent instructions, inserting junk) so that even the decoded form differs between copies, yet the malicious function is preserved. This defeats pattern-recognition antivirus software that relies on a shared decrypted body.
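The following is an added toy illustration, not code from the TAPS project or from WetStone, of why byte signatures fail on morphing code while behavioural traits survive. The "program" is a constructed string of pseudo system calls (not real malware); the XOR decoder stub, the `nop()` junk statements and the trait knowledge base are all assumptions chosen for the demonstration. It generalises the two bullets above: one variant generator for polymorphism and one for metamorphism, checked against both a signature database and a trait database.

```python
"""Toy demonstration: signature matching vs. trait matching on morphing code."""
import hashlib
import random
import re

# Constructed samples: pseudo-programs written as ';'-separated "calls".
# These stand in for real binaries; they are not malware.
MALICIOUS_PROGRAM = b"open(/etc/passwd);socket();connect();send();"
BENIGN_PROGRAM = b"open(/etc/hosts);read();close();"


def polymorphic_variant(program: bytes, key: int) -> bytes:
    """Polymorphism: same program, different bytes on disk.

    The body is XOR-encoded with `key`; a fixed 'STUB' header carries the key
    so the variant can unpack itself. (Assumed toy format, not a real packer.)
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return b"STUB" + bytes([key]) + bytes(b ^ key for b in program)


def metamorphic_variant(program: bytes, seed: int) -> bytes:
    """Metamorphism: the program text itself is rewritten each generation.

    Independent statements are reordered and junk 'nop()' statements inserted,
    so even the decoded body differs between copies. The result is then also
    packed polymorphically with a seed-derived key.
    """
    rng = random.Random(seed)
    stmts = [s for s in program.split(b";") if s]
    rng.shuffle(stmts)
    rewritten = []
    for stmt in stmts:
        rewritten.append(stmt)
        rewritten.extend(b"nop()" for _ in range(rng.randint(0, 2)))
    return polymorphic_variant(b";".join(rewritten) + b";", rng.randint(1, 255))


def unpack(variant: bytes) -> bytes:
    """Undo the decoder stub, as a live-forensics tool would by running or
    emulating the sample rather than scanning the bytes on disk."""
    key = variant[4]
    return bytes(b ^ key for b in variant[5:])


def signature(sample: bytes) -> str:
    """Classic approach: hash of the bytes as found on disk."""
    return hashlib.sha256(sample).hexdigest()


# Signature database built from the single variant an analyst has seen so far.
KNOWN_VARIANT = polymorphic_variant(MALICIOUS_PROGRAM, 0x5A)
SIGNATURE_DB = {signature(KNOWN_VARIANT)}


def signature_match(sample: bytes) -> bool:
    return signature(sample) in SIGNATURE_DB


# Trait knowledge base (assumed): calls that together characterise the
# malicious program no matter how its bytes are arranged.
MALICIOUS_TRAITS = {b"open(/etc/passwd)", b"socket()", b"connect()", b"send()"}
CALL_RE = re.compile(rb"\w+\([^)]*\)")


def extract_traits(sample: bytes) -> set:
    """Unpack the sample and collect the set of calls it makes."""
    return set(CALL_RE.findall(unpack(sample)))


def trait_score(sample: bytes) -> int:
    """Number of known malicious traits the sample exhibits."""
    return len(extract_traits(sample) & MALICIOUS_TRAITS)


def trait_match(sample: bytes, threshold: int = 3) -> bool:
    return trait_score(sample) >= threshold


if __name__ == "__main__":
    for label, sample in [
        ("known variant", KNOWN_VARIANT),
        ("polymorphic, new key", polymorphic_variant(MALICIOUS_PROGRAM, 0x7B)),
        ("metamorphic", metamorphic_variant(MALICIOUS_PROGRAM, seed=1)),
        ("benign", polymorphic_variant(BENIGN_PROGRAM, 0x5A)),
    ]:
        print(f"{label:22} signature={signature_match(sample)!s:5} "
              f"traits={trait_score(sample)} trait_match={trait_match(sample)}")
```

Only the exact variant already in the database trips the signature check; a fresh key or a rewritten body evades it, while the trait score stays at four for every malicious copy and at zero for the benign program. The threshold is deliberately below the full trait count so that a metamorphic copy which drops or masks one call is still flagged; in a real knowledge base the traits would be system-call sequences, data constants and code structures rather than literal strings.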

If the project goals are met, the TAPS tool could help:

  • Detect the presence of previously unseen malicious software.
  • Improve understanding and early warning of potentially dangerous cyberweapons.
  • Collect statistical data on malicious code and software traits.
  • Identify which malicious programs are running on a machine at a crime scene before first responders turn off and remove the device — a process known as live forensics.
  • Increase speed and accuracy when identifying malicious computer applications.

Date Created: November 5, 2010