Digital Forensics through Application Behavior Analysis

Full Text (PDF, 260KB), PP.50-56



Shuaibur Rahman 1,*, M. N. A. Khan 1

1. Shaheed Zulfikar Ali Bhutto Institute of Science and Technology, Islamabad, Pakistan

* Corresponding author.


Received: 11 Mar. 2016 / Revised: 12 Apr. 2016 / Accepted: 10 May 2016 / Published: 8 Jun. 2016

Index Terms

Digital Forensic Analysis, Digital Crime Investigation, Live Forensic Analysis, Memory-based analysis, Exculpatory Evidence


The field of digital forensic analysis has emerged over the past two decades to counter digital crime and to investigate the modus operandi of culprits in order to secure computer systems. With advances in technology and the pervasive nature of computing devices, digital forensic analysis is becoming a challenging task. The ease of using digital equipment and the popularity of the Internet have enticed criminals to carry out digital crimes. Digital forensics aims to investigate criminal activity and bring the culprits to justice. Traditionally, static analysis is used to investigate an incident, but because of many issues related to the accuracy and authenticity of static analysis, live digital forensic analysis gives an investigator a more complete picture from a memory dump. In this paper, we introduce a module for profiling the behavior of application programs. Profiling an application is helpful in forensic analysis because it makes a compromised system easier to analyze. Profiling also helps the investigator in conducting malware analysis and in debugging a system. The concept of our model is to trace the unique process name, loaded services and called modules of the target system and store them in a database for future forensic and malware analysis. We used VMware Workstation version 9.0 on the Windows 7 platform so that we could get a detailed and clean image of the current state of the system. The profile of the target application includes the process name, modules and services that are specific to an application program.
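The profile-and-store idea described in the abstract, as an added example that is not the authors' module: it keeps each application's modules and services in SQLite and reports artifacts observed later that the stored profile lacks. The table layout, function names and sample values are assumptions constructed for illustration.

```python
import sqlite3

def open_db(path=":memory:"):
    """Create the (assumed) profile table: one row per process/kind/name."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS artifact ("
        " process TEXT NOT NULL,"
        " kind TEXT NOT NULL CHECK (kind IN ('module', 'service')),"
        " name TEXT NOT NULL,"
        " PRIMARY KEY (process, kind, name))")
    return conn

def norm(name):
    # Windows image, module and service names compare case-insensitively.
    return name.strip().lower()

def store_profile(conn, process, modules, services):
    """Record the baseline taken from a clean snapshot of the system."""
    rows = [(norm(process), "module", norm(m)) for m in modules]
    rows += [(norm(process), "service", norm(s)) for s in services]
    with conn:  # single transaction; re-running the baseline is idempotent
        conn.executemany("INSERT OR IGNORE INTO artifact VALUES (?, ?, ?)", rows)

def load_profile(conn, process):
    profile = {"module": set(), "service": set()}
    query = "SELECT kind, name FROM artifact WHERE process = ?"
    for kind, name in conn.execute(query, (norm(process),)):
        profile[kind].add(name)
    return profile

def deviations(conn, process, modules, services):
    """Artifacts observed now but absent from the stored profile.
    Returns None when the process has no profile, so 'never profiled'
    is not mistaken for 'matches the profile'."""
    profile = load_profile(conn, process)
    if not profile["module"] and not profile["service"]:
        return None
    return {"module": sorted({norm(m) for m in modules} - profile["module"]),
            "service": sorted({norm(s) for s in services} - profile["service"])}

# Constructed sample data, not taken from the paper.
conn = open_db()
store_profile(conn, "editor.exe", ["ntdll.dll", "KERNEL32.DLL", "user32.dll"], ["Spooler"])
print(deviations(conn, "Editor.exe",
                 ["ntdll.dll", "kernel32.dll", "unknown_hook.dll"], ["Spooler", "ExampleSvc"]))
print(deviations(conn, "other.exe", ["ntdll.dll"], []))
```
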

Cite This Paper

Shuaibur Rahman, M. N. A. Khan, "Digital Forensics through Application Behavior Analysis", International Journal of Modern Education and Computer Science (IJMECS), Vol.8, No.6, pp.50-56, 2016. DOI:10.5815/ijmecs.2016.06.07

