Forensic Software Analysis

From Stephen F. Heffner, Heffner@Pennington.com:

I think the most interesting meaning of "forensic software analysis" is the analysis of software itself in support of a civil or criminal case, or of due diligence (e.g. for a merger or acquisition). This falls into a number of possible scenarios:

• Analyzing the code's architecture, at some level of abstraction or detail
• Determining the code's quality
• Comparing two bodies of code to determine if one was copied from the other, especially in situations where "clean room" implementations have been mandated
• Determining whether code satisfies contractual requirements
• Determining whether code contains any "back doors", "trap doors", or "bombs" that could be exploited without the knowledge of the code's current operator

A common problem in these cases is the sheer bulk of code to examine and the limited time allowed by the court. In such cases, the only practical answer is automation of the analysis. I am the author of an expert system for manipulating computer languages that provides such automation. I also have experience as an expert witness in such cases.

---

From http://www.jli.com/fsadefn.html

Definition: Borrowing from a dictionary definition, we define forensic software analysis as the preservation and analysis of computer-based evidence either for discussion by the public or in the Courts.

For commerce, it involves the analysis of existing software products to verify that they are what they are represented to be. This is of interest for example, to those wishing to acquire a software company or products.

For the Courts, this includes examination of computer software, and computer-based evidence (text, audio, and video) involved in litigation. We also specialize in the analysis of failed software development projects; the delivery of an unsatisfactory system, or time/cost overruns.

---

MichaelFeathers privately asked BillTrost: What is software forensic analysis? I have visions of Quincy cutting open a DLL and talking into a tape recorder... trying to find out who did the dirty deed.

Hmm... what kind of tools does one use to cut open a DLL? OccamsRazor?

Actually, that description is not too far off for a lot of what I have experienced. More often, the question is "was there possibly a dirty deed", but other than than... well, I guess I use a notepad other than a tape recorder.

First and foremost, though, the real deliverable in this work is an explanation (written and ultimately verbal) of technology and technical evidence that can be understood by a judge and jury. If this goal has not been reached, everything else is moot.

Here is a summary of what I have to do to accomplish the above.

1. Data recovery and analysis. This starts with "Hi, meet Special Agent Pat, we've come to take your data", and ends looking over the disk with a microscope.
2. Patent analysis. The question we try to answer is "Does the accused device embody the invention the patent discloses?" This seems to most frequently occur in an embedded controller context, which often means we end up with code written by hardware engineers.
3. Literal similarity analyses. Usually, there is some claim of copyright infringement, but maybe someone is trying to head off such a claim.
4. Trade secret analysis. This is really sketchy stuff, and I am not really familiar with it.
5. Exhibit production -- slides, videotapes, or maybe even live demos.

Some other, related tasks.

1. Clean room development. This is how a Minbari software developer works - you are "told what you need to know, and no more". This is done in response to or to prevent a copyright or trade secret claim.

Any questions?

-- BillTrost

---

...we define forensic software analysis as the preservation and analysis of computer-based evidence either for discussion by the public or in the Courts.

Examples:

1. Defendant causes a fatal road accident. Defendant claims he did not fall asleep at the wheel. Prosecution offers evidence that defendant was surfing the internet for 43 out of the past 48 hours.

2. Ransom is demanded following a kidnap. Prosecution offers evidence that defendant's hard disk included sectors that were deleted but not yet overwritten and contained fragments of the ransom letter.

3. Bank's computer is cracked. Prosecution examines logs at bank and defendant's ISP and offers evidence that defendant systematically probed the bank's system looking for a point of weakness.

---

Interesting term: Forensic Software Analysis. Not one I've heard. Could I suggest it's a little misleading? The more common term is surely Computer Forensic Analysis, or just Computer Forensics.

Am I just nit picking here? I don't think so. There's a big difference between software and computer. The former refers to software, which seems to exclude files, unallocated disk areas... you know... the sort of areas that most likely hold the useful data/information.

There's an interesting introduction and FAQ at: http://www.computerforensicsworld.com. This actually defines it as "The use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded"

This sounds a lot more inclusive than simple Forensic Software Analysis.

In this context, I think the term itself is pretty important.

-- Neilz