Game-theoretic defensive approaches for forensic investigators against anti-forensics

University of New Brunswick


Forensic investigators employ the methods, procedures and tools of digital forensics to identify and present reliable evidence in court against attackers. Attackers, however, employ a set of malicious methods and tools, known as anti-forensics, to affect the results of digital forensics and even mislead a forensic investigation. Given this threat, investigators employ counter-anti-forensics to detect anti-forensics. A review of previous studies in digital forensics shows that the existing shortcomings relate to the evaluation of forensic tools, the acceleration of forensic methods, and the lack of additional research for understanding the attacker's behaviour. The review also shows shortcomings in the area of anti-forensics: the necessity of additional research on anti-forensics, of understanding the attacker's behaviour when he/she employs anti-forensics, and of evaluating forensic tools against anti-forensics. In a forensic environment, the attacker and the investigator interact rationally and competitively to increase their payoffs. Simulating their interactions can provide useful knowledge for the investigator, but doing so in the real world requires enormous financial and human resources. Game theory provides a capability for simulating these interactions. However, employing game-theoretic algorithms to simulate them in the forensic environment requires dealing with some shortcomings: 1) a need to address the players' capability to expand their action spaces in the forensic environment; 2) the necessity of constructing a beneficial model of the attacker's behaviour when he/she employs anti-forensics; 3) a need for a criterion to compare the performance of game-theoretic algorithms; and 4) a need to address the acceleration of current memory mechanisms.
Therefore, in this thesis, we propose a memory-based game-theoretic defensive approach for forensic investigators against anti-forensics. The approach lets us simulate interactions between an attacker and an investigator (the players) in the forensic environment when the attacker employs anti-forensics and the investigator uses counter-anti-forensics. It enables the investigator to identify the most stable and desired defensive strategies against the attacker's most stable and desired offensive strategy, and to assess the existing counter-anti-forensics. We identify a set of comprehensive characteristics of the players' interactions in the forensic environment to profile potential game-theoretic algorithms and models. Next, we evaluate them using a set of criteria to choose the most coordinated game-theoretic algorithms and models for simulating the interactions. We consider anti-forensics (i.e. rootkits, backdoors, and Trojans) to define the attacker's action spaces and counter-anti-forensics (i.e. anti-rootkits, anti-backdoors, and anti-Trojans) to determine the investigator's action spaces, and we build three datasets. We formulate the players' payoff functions and calculate their payoff matrices. Finally, the fictitious play and gradient play algorithms are selected as the most coordinated game-theoretic algorithms. Furthermore, to give the players a capability to expand their action spaces in the forensic environment and to examine the Nash equilibrium of the game without re-simulating the game from the beginning, we propose a memory component and introduce an extended game-theoretic algorithm. We identify the fictitious play algorithm as the best game-theoretic algorithm and introduce assistive rules for the investigator.
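
As an added illustration (not code from the thesis), the following runs fictitious play, the algorithm the abstract identifies as the best, on a game over the three attacker and investigator action types listed above. The detection probabilities in `DETECT`, the zero-sum payoff and the function names are assumptions constructed for this example; the thesis's own payoff functions and datasets are not given on this page.

```python
# Added example: fictitious play on a zero-sum attacker/investigator game.
# All payoffs below are constructed for illustration, not taken from the thesis.
ATTACKER_ACTIONS = ["rootkit", "backdoor", "trojan"]
INVESTIGATOR_ACTIONS = ["anti-rootkit", "anti-backdoor", "anti-trojan"]

# DETECT[a][i]: assumed probability that counter-tool i detects anti-forensic tool a.
# The investigator's payoff is DETECT[a][i]; the attacker's payoff is its negative.
DETECT = [
    [0.9, 0.0, 0.0],
    [0.0, 0.6, 0.0],
    [0.0, 0.0, 0.3],
]


def fictitious_play(detect, rounds):
    """Each round, both players best-respond to the opponent's empirical mix."""
    n_att, n_inv = len(detect), len(detect[0])
    att_counts, inv_counts = [0] * n_att, [0] * n_inv
    a, i = 0, 0  # arbitrary opening moves
    for _ in range(rounds):
        att_counts[a] += 1
        inv_counts[i] += 1
        # Expected detection of each attacker action against the investigator's history.
        att_exp = [sum(detect[x][j] * inv_counts[j] for j in range(n_inv))
                   for x in range(n_att)]
        # Expected detection of each counter-tool against the attacker's history.
        inv_exp = [sum(detect[x][j] * att_counts[x] for x in range(n_att))
                   for j in range(n_inv)]
        a = min(range(n_att), key=att_exp.__getitem__)  # attacker evades
        i = max(range(n_inv), key=inv_exp.__getitem__)  # investigator detects
    return [c / rounds for c in att_counts], [c / rounds for c in inv_counts]


def exploitability(detect, att_mix, inv_mix):
    """Bracket the game value: (guaranteed to investigator, conceded by attacker)."""
    n_att, n_inv = len(detect), len(detect[0])
    lower = min(sum(detect[x][j] * inv_mix[j] for j in range(n_inv))
                for x in range(n_att))
    upper = max(sum(detect[x][j] * att_mix[x] for x in range(n_att))
                for j in range(n_inv))
    return lower, upper


if __name__ == "__main__":
    att_mix, inv_mix = fictitious_play(DETECT, 50000)
    lower, upper = exploitability(DETECT, att_mix, inv_mix)
    for name, p, q in zip(ATTACKER_ACTIONS, att_mix, inv_mix):
        print(f"{name:9s} attacker={p:.3f}  matching counter-tool={q:.3f}")
    print(f"detection value between {lower:.3f} and {upper:.3f}")
```

With these constructed numbers, both empirical mixes approach (2/11, 3/11, 6/11): the investigator's stable strategy spends the most effort on the weakest counter-tool, because that is where the attacker concentrates.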