http://dx.doi.org/10.13089/JKIISC.2006.16.6.81

A Study of Detecting Malicious Files using Similarity between Machine Code in Deleted File Slices  

Lee, Dong-Ju (IT Bank)
Lee, Suk-Bong (Chonnam National University)
Kim, Min-Soo (Mokpo National University)
Abstract
A file system is a source of evidence for cyber crime in computer forensics. Methods for recovering a file system and searching it for important information have therefore been offered. However, no method has been suggested for finding a malicious file in free blocks or slack space. In this paper, we propose an investigation method for finding a malicious executable file that has been fragmented. After estimating whether a file is executable from its machine code rate, we conclude that it may be malicious by comparing the similarity of its instruction sequences. To examine instruction sequences, we also propose a method of profiling malicious files using file and a method of comparing the continued scores. As a result, we could accurately pick out malicious executable files, such as a buffer overflow attack program, at a suitable threshold level.
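The two-stage check described in the abstract, as an added example that is not the paper's own code: stage one estimates a machine code rate for a file slice by length-decoding an assumed, very small subset of IA-32 one-byte opcodes, and stage two compares the decoded instruction sequence against a malicious profile using a bigram Jaccard score and a threshold (a stand-in for the paper's own profiling and continued-score comparison). The opcode table, thresholds and sample byte strings are constructed for illustration and are not values from the paper.

```python
# Assumed mini opcode table: first byte -> (mnemonic, total instruction length).
# Real disassembly (e.g. libdisasm, as the paper uses) handles far more forms.
ONE_BYTE = {0xC3: ("ret", 1), 0x90: ("nop", 1), 0xC9: ("leave", 1)}
ONE_BYTE.update({b: ("push", 1) for b in range(0x50, 0x58)})   # push r32
ONE_BYTE.update({b: ("pop", 1) for b in range(0x58, 0x60)})    # pop r32
ONE_BYTE.update({b: ("mov", 5) for b in range(0xB8, 0xC0)})    # mov r32, imm32
ONE_BYTE.update({0xE8: ("call", 5), 0xEB: ("jmp", 2), 0xCD: ("int", 2)})

def decode(slice_bytes):
    """Return (mnemonic list, bytes consumed by recognised instructions).
    Bytes that do not start a known instruction are skipped one at a time."""
    i, mnems, decoded = 0, [], 0
    while i < len(slice_bytes):
        entry = ONE_BYTE.get(slice_bytes[i])
        if entry and i + entry[1] <= len(slice_bytes):
            mnems.append(entry[0])
            decoded += entry[1]
            i += entry[1]
        else:
            i += 1
    return mnems, decoded

def machine_code_rate(slice_bytes):
    """Stage 1: fraction of the slice covered by decodable instructions."""
    _, decoded = decode(slice_bytes)
    return decoded / len(slice_bytes) if slice_bytes else 0.0

def bigrams(seq):
    return {tuple(seq[i:i + 2]) for i in range(len(seq) - 1)}

def similarity(seq_a, seq_b):
    """Stage 2: Jaccard overlap of instruction bigrams (assumed scoring)."""
    a, b = bigrams(seq_a), bigrams(seq_b)
    return len(a & b) / len(a | b) if a | b else 0.0

def classify(slice_bytes, profile, code_threshold=0.8, sim_threshold=0.5):
    if machine_code_rate(slice_bytes) < code_threshold:
        return "not executable"
    score = similarity(decode(slice_bytes)[0], profile)
    return "matches profile" if score >= sim_threshold else "executable, no match"

# Constructed sample data: a "known" fragment used to build the profile, a
# recovered slice that shares its instruction sequence, and a text slice.
PROFILE_BYTES = bytes([0x55, 0x53, 0xB8, 1, 0, 0, 0, 0xE8, 0, 0, 0, 0, 0x5B, 0x5D, 0xC3])
PROFILE = decode(PROFILE_BYTES)[0]       # push push mov call pop pop ret
SAMPLE_CODE = bytes([0x90]) + bytes([0x55, 0x53, 0xB8, 2, 0, 0, 0, 0xE8, 0, 0, 0, 0, 0x5B, 0x5D, 0xC3])
SAMPLE_TEXT = b"Forensic examination of slack space "

if __name__ == "__main__":
    for name, s in (("code slice", SAMPLE_CODE), ("text slice", SAMPLE_TEXT)):
        print(name, round(machine_code_rate(s), 2), classify(s, PROFILE))
```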
Keywords
computer forensics; file recovery; hacking; instruction sequence;