Automated Analysis for Computer Forensics
Tye Stallard
Oct. 9, 2002
Abstract:
Administrators and developers are not learning from mistakes made in the past, and computer forensics analysts are swamped in evidence. An expert system with a decision tree that uses predetermined invariant relationships between redundant digital objects (such as a log entry) to detect semantic incongruities could aid a computer crime investigator. A requirement for such a system is that the evidence be available in a standard machine-readable format. A prototype of a general approach has been written, integrating The Coroner's Toolkit and JESS, The Expert System Shell for the Java Platform, that automatically identifies files that were modified when no user with modification permissions was logged in. By automatically identifying relevant evidence, experts can focus on the important data first.
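The invariant the prototype checks (a file's modification time should fall inside a login session of some user permitted to write it) can be expressed without an expert-system shell. The following is an added illustration, not code from the paper or its TCT/JESS prototype: it assumes a simplified POSIX permission model (root, owner, group, other), that login sessions are available as user/login/logout tuples (as one would extract from wtmp), and uses constructed file and session records.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class FileRecord:
    path: str
    owner: str
    group: str
    mode: int          # POSIX permission bits, e.g. 0o644
    mtime: datetime    # last modification time (the "m" of the MAC times)


@dataclass(frozen=True)
class Session:
    user: str
    login: datetime
    logout: Optional[datetime]   # None: still logged in when the image was taken


def can_write(user: str, groups: Dict[str, Set[str]], f: FileRecord) -> bool:
    """Simplified POSIX check: root, owner with u+w, group member with g+w, or o+w."""
    if user == "root":
        return True
    if f.owner == user and f.mode & 0o200:
        return True
    if f.group in groups.get(user, set()) and f.mode & 0o020:
        return True
    return bool(f.mode & 0o002)


def was_logged_in(user: str, t: datetime, sessions: List[Session]) -> bool:
    """True if some session of `user` covers instant `t` (open-ended sessions never end)."""
    return any(
        s.user == user and s.login <= t and (s.logout is None or t <= s.logout)
        for s in sessions
    )


def find_incongruities(files: List[FileRecord], sessions: List[Session],
                       users: List[str], groups: Dict[str, Set[str]]) -> List[str]:
    """Hypothetical helper: return paths whose mtime lies inside no login session
    of any user who has write permission on the file."""
    flagged = []
    for f in files:
        writers = [u for u in users if can_write(u, groups, f)]
        if not any(was_logged_in(u, f.mtime, sessions) for u in writers):
            flagged.append(f.path)
    return flagged


# Constructed sample data (not taken from any real system image).
T = datetime  # shorthand for the literals below
USERS = ["root", "alice", "bob"]
GROUPS = {"alice": {"alice"}, "bob": {"bob", "www", "staff"}}
SESSIONS = [
    Session("alice", T(2002, 10, 8, 9, 0), T(2002, 10, 8, 17, 0)),
    Session("bob", T(2002, 10, 8, 22, 0), T(2002, 10, 9, 1, 0)),
]
FILES = [
    FileRecord("/home/alice/notes.txt", "alice", "alice", 0o644, T(2002, 10, 8, 10, 30)),
    FileRecord("/etc/passwd", "root", "root", 0o644, T(2002, 10, 8, 3, 15)),
    FileRecord("/var/www/index.html", "bob", "www", 0o664, T(2002, 10, 8, 23, 30)),
    FileRecord("/tmp/scratch", "alice", "alice", 0o666, T(2002, 10, 8, 20, 0)),
    FileRecord("/srv/shared/report.doc", "alice", "staff", 0o664, T(2002, 10, 8, 23, 0)),
]

if __name__ == "__main__":
    for path in find_incongruities(FILES, SESSIONS, USERS, GROUPS):
        print("modified with no eligible user logged in:", path)
```

On the sample data the rule flags `/etc/passwd` (only root can write it and root never logged in) and `/tmp/scratch` (world-writable, but modified while nobody was logged in); the shared report is accepted because bob, a member of `staff`, was logged in. The output is a triage list, not a verdict: files written by cron jobs or daemons will be flagged without being suspicious, and timestamps themselves are evidence that can be wrong, so the analyst still examines each hit, which is exactly the prioritisation the abstract describes.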