Traditionally, "forensics" refers to the use of science to discover evidence of criminal activity. Extending the term to software broadens the use case to cover every purpose for which software investigation techniques are applied. Many of these purposes fall outside criminal investigation: civil cases (e.g. safety failures), commercial disputes (product failures), or the investigation of security breaches.
- NIST Computer Security Incident Handling Guide
- Federal Drug Administration (FDA) Recommends Static Analysis for Medical Devices
- GrammaTech Used In Toyota Unintended Acceleration Investigation
Beyond the Law
Investigating software mishaps is important in many industries. Although the required results may have nothing to do with a crime, they resemble the evidence gathered during a criminal investigation of software. A prime example is the investigation of a software failure that has led to an accident resulting in injury, loss of life, or damage to property. Investigators would use similar approaches even if criminal activity or negligence weren’t suspected. Such an investigation is bound to require analyzing source code and binary code to detect errors, and to establish the chain of cause and effect from those errors to the failure. Software forensics is about the techniques, tools, and required results -- not necessarily the intent of the investigation. In all cases, evidence collection is the goal.
Broadening Software Forensics
When we broaden the definition of software forensics, the term encompasses any activity that requires analysis of source and binary code for the purposes of investigation, post mortem analysis, or preventive measures. Some example use cases for software forensics include the following (the list is not exhaustive):
- Malicious code: Detecting malicious code and tracking down its author is a common software forensics scenario. Such code is written deliberately, but its intent is hidden. Detecting it manually is difficult, especially before an incident occurs, so manual inspections and regular software testing often fail to reveal malicious code.
- Safety incidents: Software failures in safety-critical systems have potentially high impact on persons and property, and manufacturers are obliged to track down and investigate the root cause of these problems. Investigations may be initiated to settle civil suits or to investigate and prevent future incidents. For example, the FDA used CodeSonar to investigate the quality of various infusion pumps’ control software, and the NHTSB used CodeSonar to investigate Toyota vehicle unintended acceleration problems.
- Security vulnerabilities: Severe security breaches often lead to an investigation into the source of the problem. Vulnerabilities may be either intentional malicious code or accidental bugs in the software. Finding the root cause and remediating it are critical for security vulnerabilities. NIST's security incident handling guide details investigation and documentation techniques.
- Software fault analysis: In the most generic case, any software fault may be the subject of investigation. For example, a monitoring device (a household “smart meter”, say) may provide inaccurate results that have led to overcharging a customer. Even so, the techniques used to detect the fault and determine its root cause remain the same.
The Role of Static Analysis
The key aspect of current software forensics techniques is painstaking manual investigation of source and binary code. Detecting errors or traces of manipulation manually is difficult and time consuming, and automated tools and techniques save time and money. Static analysis tools have an important role to play in software forensics, a topic I will discuss in my next post.
Software forensics includes the investigation of source and binary code for the detection of not just criminal activity but also malicious code, safety software failures, and security incidents. In most cases, the techniques and tools are similar even if the motivation for the investigation may not be. Most important is leveraging tools and best practices in order to establish strong software forensics techniques.