Crime Pattern Matching based on Process Execution Context – An Evidence Acquisition Technique

Asha Joseph and K. John Singh

Once a digital crime has been committed, the availability and collection of evidence data become major challenges, because of the large amount of data to analyse and the complex data-flow patterns in contemporary software systems. Compared with traditional methods of evidence collection, which usually rely on analysis of application and system logs, a security-enhanced operating system kernel can make evidence collection more authentic and comprehensive. In this paper, such a security solution is proposed (Crime Pattern Matching based on Process Execution Contexts, CPM-PEC); it includes a process monitoring mechanism implemented in the OS kernel. The kernel-mode process monitor reports potentially security-sensitive events to an application counterpart that analyses the events to find matches with potential crime patterns, which are pre-defined sequences of security-sensitive events. This combination of kernel-mode and user-mode components ensures that every process in the system is monitored, from its creation to its termination, for the various events in its lifetime, and that data flow between processes is also monitored. For evaluation purposes, the proposed solution is implemented and integrated with the Linux Security Module (LSM) framework. It is observed that adding the proposed solution to the Linux kernel incurs less than 2% overhead. Future work will focus on enhancing the digital forensic investigation process with distributed pattern matching, so that a crime can be prevented before the damage is widespread.
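The event-sequence matching step that the abstract describes, as an added example and not the authors' CPM-PEC implementation: a user-mode matcher consumes a stream of process events, tracks each process from creation to exit, lets a child inherit its parent's partial matches so that a sequence split across a shell and the tool it launches is still seen as one chain, and records the events that completed a pattern as the evidence for that match. The event record format, the two patterns and the event stream are constructed assumptions for this example; the kernel-side LSM hooks that would produce such records are not shown.

```python
"""Added illustration (not the authors' code): the user-mode half of a
CPM-PEC style analyser. A constructed event list stands in for the kernel
process monitor; event format, pattern format and the two patterns are
assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    seq: int      # monotonic number assigned when the kernel hook fired (assumed)
    pid: int
    ppid: int
    kind: str     # fork | exec | open | connect | exit
    detail: str   # executable path, file path, peer address, or exit status


@dataclass(frozen=True)
class Match:
    pattern: str
    pid: int
    evidence: Tuple[Event, ...]   # the events that completed the sequence, in order


# A crime pattern is an ordered list of (event kind, predicate on detail).
Step = Tuple[str, Callable[[str], bool]]
PATTERNS: Dict[str, List[Step]] = {
    # read a credential store, then talk to a non-loopback peer
    "credential-exfiltration": [
        ("open", lambda d: d == "/etc/shadow"),
        ("connect", lambda d: not d.startswith("127.")),
    ],
    # create a file under /tmp, then execute it
    "drop-and-execute": [
        ("open", lambda d: d.startswith("/tmp/")),
        ("exec", lambda d: d.startswith("/tmp/")),
    ],
}


class PatternMatcher:
    def __init__(self, patterns: Dict[str, List[Step]]):
        self.patterns = patterns
        # per pid: pattern name -> (index of next step, evidence collected so far)
        self.progress = defaultdict(lambda: {n: (0, ()) for n in patterns})
        self.matches: List[Match] = []

    def feed(self, ev: Event) -> None:
        if ev.kind == "fork":
            # The child inherits the parent's partial sequences; values are
            # immutable tuples, so a shallow copy of the mapping is enough.
            self.progress[ev.pid] = dict(self.progress[ev.ppid])
            return
        state = self.progress[ev.pid]
        for name, steps in self.patterns.items():
            idx, evidence = state[name]
            kind, pred = steps[idx]
            if ev.kind == kind and pred(ev.detail):
                evidence = evidence + (ev,)
                idx += 1
                if idx == len(steps):
                    self.matches.append(Match(name, ev.pid, evidence))
                    idx, evidence = 0, ()      # start looking for a repeat
                state[name] = (idx, evidence)
        if ev.kind == "exit":
            # monitored from creation to termination: drop state at exit
            self.progress.pop(ev.pid, None)


# Constructed event stream; 203.0.113.7 is a documentation address.
EVENTS = [
    Event(1, 100, 1, "exec", "/bin/bash"),
    Event(2, 100, 1, "open", "/etc/shadow"),
    Event(3, 101, 100, "fork", "/bin/bash"),        # child 101 of shell 100
    Event(4, 101, 100, "exec", "/usr/bin/curl"),
    Event(5, 101, 100, "connect", "203.0.113.7:443"),
    Event(6, 101, 100, "exit", "0"),
    Event(7, 200, 1, "open", "/etc/shadow"),
    Event(8, 200, 1, "connect", "127.0.0.1:631"),   # loopback: not a match
    Event(9, 200, 1, "exit", "0"),
    Event(10, 300, 1, "open", "/tmp/.x"),
    Event(11, 300, 1, "exec", "/tmp/.x"),
]


def run(events=EVENTS, patterns=PATTERNS) -> List[Match]:
    """Feed the stream through the matcher and return the completed matches."""
    m = PatternMatcher(patterns)
    for ev in events:
        m.feed(ev)
    return m.matches


if __name__ == "__main__":
    for match in run():
        print(match.pattern, "pid", match.pid,
              "evidence seq", [e.seq for e in match.evidence])
```

Two details carry the evidence-acquisition point: each match keeps the kernel-assigned sequence numbers of the events that completed it, so the chain can be reconstructed in order later, and the fork step copies the parent's partial progress into the child, which is why the `/etc/shadow` read by the shell (pid 100) and the outbound connection by the `curl` it spawned (pid 101) are reported as one chain rather than two unrelated events.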

Volume 11 | 04-Special Issue

Pages: 202-211