By Bill Graham, Technical Marketing Consultant, GrammaTech
Introduction
Traditionally, the term “forensics” refers to the use of science to discover evidence of criminal activity. Extending the term to software broadens the use case to cover every purpose for which software is investigated. Many of these purposes fall outside criminal investigation: civil cases (e.g. safety failures), commercial disputes (product failures), and investigations into security breaches.
Beyond the Law
Investigating software mishaps is important in many industries. Although the required results may not be associated with a crime, they resemble the evidence gathered during a criminal investigation involving software.
A prime example is the investigation of a software failure that has led to an accident resulting in injury, loss of life, or damage to property. Investigators would use similar approaches even if criminal activity or negligence were not suspected.
Such an investigation is bound to require analyzing source code and binary code to detect errors, and to establish the chain of cause and effect from those errors to the failure.
Software forensics is defined by its techniques, tools, and required results, not necessarily by the intent of the investigation. In all cases, evidence collection is the goal.
Broadening Software Forensics
When we broaden the definition of software forensics, the term encompasses any activity that requires analysis of source and binary code for the purposes of investigation, post-mortem analysis, or preventive measures. Some examples of use cases for software forensics include the following (the list is not exhaustive):
• Malicious code: Detecting malicious code and tracking down its author is a common software forensics scenario. Such code is written deliberately, with its intent hidden. Detection is difficult with manual techniques, especially before deployment: manual inspection and regular software testing often fail to reveal malicious code.
• Safety incidents: Software failures in safety-critical systems have a potentially high impact on people and property, and manufacturers are obliged to track down and investigate the root cause of these problems. Investigations may be initiated to settle civil suits or to understand and prevent future incidents.
• Security vulnerabilities: Severe security breaches often lead to an investigation into the source of the problem. Vulnerabilities may be either intentional malicious code or accidental bugs in the software. Root cause analysis and remediation are critical for security vulnerabilities. NIST publishes a security incident handling guide that details investigation and documentation techniques.
• Software fault analysis: In the more generic case, any software fault may be the subject of investigation. For example, a monitoring device may produce inaccurate readings that have led to overcharging a customer (household “smart meters”, for example). The techniques used to detect the fault and determine its root cause remain the same.
The Role of Static Analysis
The key aspect of current software forensics techniques is a painstaking manual investigation of the source and binary code. Detecting errors or traces of manipulation manually is difficult and time-consuming; automated tools and techniques save time and money.
Static analysis tools have an important role to play in software forensics by automating and speeding up the error detection process.
Conclusion
Software forensics includes the investigation of source and binary code to detect not just criminal activity but also malicious code, failures of safety-critical software, and security incidents. In most cases, the techniques and tools are similar even when the motivation for the investigation is not.
Most important is leveraging tools and best practices in order to establish strong software forensics techniques.
About The Author
Bill Graham is a seasoned embedded software development manager with years of development, technical product marketing, and product management experience.
Bill can be reached online at @Bill_Graham and at http://iot.williamgraham.ca.