Preserving Cybercrime Evidence

Martin de la Herran Brickmanne

Abstract

Cybercriminals who are trying to hack into a system usually take precautions to remove or hide as many traces of their activity as possible, for example by deleting (parts of) log files, replacing certain system functions with special "hacker versions" which, when invoked, do not reveal the presence of the hacker, and so on. This can make it difficult for a prosecutor to secure reliable evidence of what has happened, in case it is necessary to proceed with criminal charges.

In this project, techniques for ensuring that reliable evidence can be preserved are to be investigated. These will include secure logging, secure system monitoring, and hardening of the system against changes introduced by authorised or unauthorised users. The analysis should consider as many aspects of these techniques as possible, including for example:

- The type of evidence which they can secure and its significance for the investigation of cybercrimes;
- The technical requirements for their implementation;
- The extent to which they degrade system performance.

Based on this analysis, a design proposal for a system which is resistant to the destruction of cybercrime evidence is to be produced, and (to the extent that time permits) a demonstration model of such a system is to be implemented.
Type: Master's thesis [Academic thesis]
Year: 2003
Publisher: Informatics and Mathematical Modelling, Technical University of Denmark, DTU
Address: Richard Petersens Plads, Building 321, DK-2800 Kgs. Lyngby
Series: IMM-Thesis-2003-56
Note: Supervisor: Robin Sharp
Electronic version(s): [pdf] [ps]
BibTeX data: [bibtex]
IMM Group(s): Computer Science & Engineering