Enhanced Operating System Protection to Support Digital Forensic Investigations

Title: Enhanced Operating System Protection to Support Digital Forensic Investigations
Publication Type: Conference Paper
Year of Publication: 2017
Authors: McDonald, J. T., Manikyam, R., Glisson, W. B., Andel, T. R., Gu, Y. X.
Conference Name: 2017 IEEE Trustcom/BigDataSE/ICESS
ISBN Number: 978-1-5090-4906-6
Keywords: CED, CEF, Ciphers, component encryption, composability, computer systems, computing on encrypted data, computing with encrypted functions, criminal activity footprints, cryptography, data integrity, data provenance, data veracity, digital forensic investigations, digital forensics, Encryption, evidence collection, Forensic software, forensic-friendly OS design, Forensics, fully homomorphic encryption, Metrics, obfuscation, operating system extensions, operating system protection, Operating systems, operating systems (computers), OS tamper-resistance, pubcrawl, resilience, Resiliency, security, system data recovery, White Box Encryption, white-box cryptography

Digital forensic investigators today are faced with numerous problems when recovering footprints of criminal activity that involve the use of computer systems. Investigators need the ability to recover evidence in a forensically sound manner, even when criminals actively work to alter the integrity, veracity, and provenance of data, applications and software that are used to support illicit activities. In many ways, operating systems (OS) can be strengthened from a technological viewpoint to support verifiable, accurate, and consistent recovery of system data when needed for forensic collection efforts. In this paper, we extend the ideas for forensic-friendly OS design by proposing the use of a practical form of computing on encrypted data (CED) and computing with encrypted functions (CEF) which builds upon prior work on component encryption (in circuits) and white-box cryptography (in software). We conduct experiments on sample programs to provide analysis of the approach based on security and efficiency, illustrating how component encryption can strengthen key OS functions and improve tamper-resistance to anti-forensic activities. We analyze the tradeoff space for use of the algorithm in a holistic approach that provides additional security and comparable properties to fully homomorphic encryption (FHE).

Citation Key: mcdonald_enhanced_2017