Protecting Data with Forensics Just-in-Time (FoJiT) [921-2C0]
Christopher N. Gutierrez, Eugene H. Spafford, Saurabh Bagchi, and Thomas Yurek
The identification, preservation, and integrity of digital evidence are crucial in digital crime investigations. Criminals destroy digital evidence with secure-delete tools that overwrite the data objects that would indicate malfeasance, making recovery of the evidence infeasible for a forensic examiner. Other anti-forensic techniques destroy or falsify file metadata timestamps, which complicates the construction of a forensic timeline. Our proposed solution mitigates anti-forensic (meta)data destruction attacks by examining system calls and creating a snapshot just before a destructive action takes place. Our system, Forensics Just-in-Time (FoJiT), uses Virtual Machine Introspection (VMI): the applications to be monitored execute within a virtual machine (VM), and when an attacker within the VM attempts to purge protected data, FoJiT preserves the potential evidence in storage isolated from the guest VM for later analysis. We demonstrate that FoJiT detects data destruction actions with recall and precision above 0.99 on several secure-delete algorithms and tools. Our results show that FoJiT produces file system snapshots and detects fraudulent timestamp changes within tens of milliseconds of detecting destructive behavior, a delay that would be unnoticeable to most users.
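As an added illustration (not FoJiT's own code; the abstract does not describe its syscall hooks or snapshot format), the following Python models the policy the abstract states: inspect each system call before the guest executes it, and copy a protected file's contents and modification time aside on the first overwrite through a descriptor, at removal, and at any timestamp rewrite. The in-memory guest filesystem, the set of hooked calls, the trace (shaped like a multi-pass `shred -u` followed by a backdated `utimensat`), and all paths are constructed for this example.

```python
"""Just-in-time snapshot of protected files driven by a syscall trace.

Added illustration, not FoJiT code. A real VMI monitor would intercept the
calls from the hypervisor and walk guest kernel structures to map descriptors
to paths; here the guest filesystem is a dict and the trace is a list of dicts.
"""
import copy
from dataclasses import dataclass, field

# Syscalls regarded as destructive to content or to the forensic timeline.
# Which calls to hook is an assumption of this example, not FoJiT's list.
OVERWRITE = {"write", "pwrite64", "ftruncate"}
REMOVE = {"unlink", "unlinkat", "rename"}
RETIME = {"utimensat", "utimes", "futimens"}


@dataclass
class Inode:
    data: bytes
    mtime: int                  # seconds since the epoch


@dataclass
class Snapshot:
    path: str
    trigger: str                # syscall that provoked the copy
    data: bytes
    mtime: int


@dataclass
class Monitor:
    protected: set
    fs: dict                                    # guest view: path -> Inode
    fds: dict = field(default_factory=dict)     # open fd -> path
    snapped_fds: set = field(default_factory=set)
    snapshots: list = field(default_factory=list)
    alerts: list = field(default_factory=list)  # (path, old_mtime, new_mtime)

    def _preserve(self, path, trigger):
        ino = self.fs[path]
        self.snapshots.append(Snapshot(path, trigger, ino.data, ino.mtime))

    def handle(self, ev):
        """Inspect one syscall *before* the guest executes it."""
        name = ev["syscall"]
        if name == "open":
            self.fds[ev["fd"]] = ev["path"]
            return
        if name == "close":
            self.fds.pop(ev["fd"], None)
            self.snapped_fds.discard(ev["fd"])
            return
        path = ev.get("path") or self.fds.get(ev.get("fd"))
        if path in self.protected:
            if name in OVERWRITE and ev["fd"] not in self.snapped_fds:
                # First overwrite on this descriptor: the data is still intact.
                self._preserve(path, name)
                self.snapped_fds.add(ev["fd"])
            elif name in REMOVE:
                self._preserve(path, name)
            elif name in RETIME:
                self._preserve(path, name)
                self.alerts.append((path, self.fs[path].mtime, ev["mtime"]))
        self._apply(ev, path)

    def _apply(self, ev, path):
        """Simulate the guest's side effect once the call is allowed through."""
        name = ev["syscall"]
        if path is None or path not in self.fs:
            return
        if name in {"write", "pwrite64"}:
            self.fs[path].data = ev["buf"]
        elif name == "ftruncate":
            self.fs[path].data = self.fs[path].data[: ev["length"]]
        elif name in RETIME:
            self.fs[path].mtime = ev["mtime"]
        elif name == "rename":
            self.fs[ev["new"]] = self.fs.pop(path)
            if path in self.protected:          # follow the file to its new name
                self.protected.discard(path)
                self.protected.add(ev["new"])
            for fd, p in self.fds.items():
                if p == path:
                    self.fds[fd] = ev["new"]
        elif name in {"unlink", "unlinkat"}:
            del self.fs[path]


# Constructed trace: three overwrite passes, truncate, rename and unlink (the
# shape of `shred -u`), then a backdated mtime on a second protected file.
EVIDENCE = b"transfer 1200 BTC to wallet X\n"
GUEST_FS = {
    "/home/mallory/ledger.txt": Inode(EVIDENCE, 1_700_000_000),
    "/home/mallory/notes.txt": Inode(b"meeting at 9\n", 1_700_000_000),
}
TRACE = [
    {"syscall": "open", "fd": 3, "path": "/home/mallory/ledger.txt"},
    {"syscall": "pwrite64", "fd": 3, "buf": b"\x00" * len(EVIDENCE)},
    {"syscall": "pwrite64", "fd": 3, "buf": b"\xff" * len(EVIDENCE)},
    {"syscall": "pwrite64", "fd": 3, "buf": b"\x5a" * len(EVIDENCE)},
    {"syscall": "ftruncate", "fd": 3, "length": 0},
    {"syscall": "close", "fd": 3},
    {"syscall": "rename", "path": "/home/mallory/ledger.txt", "new": "/home/mallory/000000.txt"},
    {"syscall": "unlink", "path": "/home/mallory/000000.txt"},
    {"syscall": "utimensat", "path": "/home/mallory/notes.txt", "mtime": 1_600_000_000},
]


def demo():
    """Run the trace against a fresh copy of the guest and return the monitor."""
    m = Monitor(set(GUEST_FS), copy.deepcopy(GUEST_FS))
    for ev in TRACE:
        m.handle(ev)
    return m
```

Snapshotting on the first write per descriptor, rather than on every pass, is what keeps a multi-pass wipe down to a single copy: the first snapshot holds the original ledger contents, while the later copies taken at rename and unlink hold only the already-truncated file. The `alerts` list records the old and new mtime for the backdated file, which is the input a timeline tool would need to flag the change as fraudulent.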