Deceptive Memory Systems – Countering Anti-Forensics with Deception


Primary Investigator:
Saurabh Bagchi

Project Members:
Christopher N. Gutierrez, Eugene Spafford, Saurabh Bagchi

The identification and preservation of digital evidence are crucial to uncovering the truth in digital crime. The computing systems that criminals compromise may store forensically valuable information. However, a sophisticated attacker can also compromise the integrity or availability of that information. This work explores the use of deception to enhance the preservation of forensically valuable data objects through Deceptive Memory Systems (DecMS). When an attacker attempts to purge or modify evidence, DecMS migrates the evidence into a container and tricks the adversary into believing that the malicious action was successful. A forensic examiner may then run additional analysis on the potential evidence stored in the container.

Purdue University, West Lafayette, IN