
Tampering

Chris Neale PhD Project

We are currently in the process of submitting a paper which describes a means by which tampering can be modelled as an action. If and when this work is published, we will provide a link here. We do not attempt to give a comprehensive overview of it here; you will need to read the paper when it becomes available. However, some of the supporting information is too verbose to include in a publication with space limitations, so we provide it as a reference resource below.

The first of these is a table which outlines two things for each of the 14 types of tampering we identify and define in our model. First, it shows how a system execution in which the tampering occurs differs from one in which it does not. Second, it shows the knowledge an investigator would need about that system in order to detect this.

| Type of tampering action t | Difference between 𝜛 and 𝜛' | Knowledge required | Real-world explanation |
|---|---|---|---|
| Invisible complete artefact destruction (ICAD) | None | N/A | N/A |
| Visible complete artefact destruction (VCAD) | Elements of δT in the artefact set | Elements of δT | The tampering action itself leaves a trace |
| Invisible incomplete artefact destruction (IIAD) | Elements of δX in the artefact set | Elements of δX which appear in the artefact set out of place (i.e. without the whole of δX) | Some action can be inferred but only some of the expected traces can be found |
| Visible incomplete artefact destruction (VIAD) | Elements of δT in the artefact set OR Elements of δX in the artefact set | Elements of δT OR Elements of δX which appear in the artefact set out of place (i.e. without the whole of δX) | The tampering action itself leaves a trace OR Some action can be inferred but only some of the expected traces can be found |
| Invisible complete artefact source elimination (ICASE) | \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Whether \|𝘈s̅\| is within expected bounds for a given execution | Fewer artefacts are present than would be expected |
| Visible complete artefact source elimination (VCASE) | Elements of δT in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δT OR Whether \|𝘈s̅\| is within expected bounds for a given execution | The tampering action itself leaves a trace OR Fewer artefacts are present than would be expected |
| Invisible incomplete artefact source elimination (IIASE) | Elements of δX in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δX, especially those which occur out of place (i.e. without the whole of δX) OR Whether \|𝘈s̅\| is within expected bounds for a given execution | Some action can be inferred but only some of the expected traces can be found OR Fewer artefacts are present than would be expected |
| Visible incomplete artefact source elimination (VIASE) | Elements of δT in the artefact set OR Elements of δX in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δT OR Elements of δX, especially those which occur out of place (i.e. without the whole of δX) OR Whether \|𝘈s̅\| is within expected bounds for a given execution | The tampering action itself leaves a trace OR Some action can be inferred but only some of the expected traces can be found OR Fewer artefacts are present than would be expected |
| Artefact hiding (AH) | Artefact set has been transformed by 𝛳 | How 𝛳 behaves, such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set OR Whether artefacts are constructed correctly in the artefact set | A known obfuscation behaviour such as encryption can be found to have occurred |
| Artefact corruption (AC) | Artefact set has been transformed by 𝛳 and, as a result, one or more elements of the artefact set are not properly constructed | How 𝛳 behaves, such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set OR Whether artefacts are constructed correctly in the artefact set | A known obfuscation behaviour such as encryption can be found to have occurred OR Artefacts have a form that indicates they were not created as part of normal operation |
| Invisible complete artefact counterfeiting (ICAC) | Elements of δX occur in implausible locations OR Elements of δX not correctly formed | How the system should behave when δX is plausible OR Whether artefacts are constructed correctly in the artefact set | The context around an action does not make logical sense or fit with normal parameters OR Artefacts have a form that indicates they were not created as part of normal operation |
| Visible complete artefact counterfeiting (VCAC) | Elements of δT in the artefact set OR Elements of δX occur in implausible locations OR Elements of δX not correctly formed | Elements of δT OR How the system should behave when δX is plausible OR Whether artefacts are constructed correctly in the artefact set | The tampering action itself leaves a trace OR The context around an action does not make logical sense or fit with normal parameters OR Artefacts have a form that indicates they were not created as part of normal operation |
| Invisible incomplete artefact counterfeiting (IIAC) | Elements of δX occur in implausible locations OR Elements of δX not correctly formed OR Not all elements of δX are present in the artefact set | How the system should behave when δX is plausible OR Whether artefacts are constructed correctly in the artefact set OR Elements of δX which appear in the artefact set out of place (i.e. without the whole of δX) | The context around an action does not make logical sense or fit with normal parameters OR Artefacts have a form that indicates they were not created as part of normal operation OR Some action can be inferred but only some of the expected traces can be found |
| Visible incomplete artefact counterfeiting (VIAC) | Elements of δT in the artefact set OR Elements of δX occur in implausible locations OR Elements of δX not correctly formed OR Not all elements of δX are present in the artefact set | Elements of δT OR How the system should behave when δX is plausible OR Whether artefacts are constructed correctly in the artefact set OR Elements of δX which appear in the artefact set out of place (i.e. without the whole of δX) | The tampering action itself leaves a trace OR The context around an action does not make logical sense or fit with normal parameters OR Artefacts have a form that indicates they were not created as part of normal operation OR Some action can be inferred but only some of the expected traces can be found |

This is summarised into the following knowledge codes for identifying tampering, shown in the next table and illustrated in the various images.

| Identifying attacks (AT) | Identifying abnormality (AB) |
|---|---|
| AT-1: Elements of δT | AB-1: Elements of δX which appear in the artefact set out of place (i.e. without the whole of δX) |
| AT-2: How 𝛳 behaves such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set | AB-2: Whether \|𝘈s̅\| is within expected bounds for a given execution |
| | AB-3: Whether artefacts are constructed correctly in the artefact set |
| | AB-4: How the system should behave when δX is plausible |
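As an added example (not part of the project's material), the knowledge codes from both tables turned into checks an investigator could run over an artefact set, then mapped back to the tampering types of the first table that they are consistent with. The artefact fields, the δX and δT trace names, locations and count bounds are all constructed, and AT-2 is left out because recognising 𝛳 depends on the specific transformation.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Artefact:
    source: str          # artefact source it belongs to (journal, mru, ...)
    name: str
    location: str        # where it was found; every value here is constructed
    well_formed: bool = True
# δX for one hypothetical user action (each expected trace with its plausible
# locations), δT (traces the tool itself leaves) and expected |A_s| bounds.
DELTA_X = {("journal", "open"): {"C:/journal"}, ("mru", "open"): {"HKCU/mru"},
           ("prefetch", "open"): {"C:/prefetch"}}
DELTA_T = {("tool", "wiper_log")}
BOUNDS = {"journal": (3, 10)}

# Knowledge codes that can fire for each tampering type, read off the first table.
TYPE_CODES = {
    "ICAD": set(), "VCAD": {"AT-1"}, "IIAD": {"AB-1"}, "VIAD": {"AT-1", "AB-1"},
    "ICASE": {"AB-2"}, "VCASE": {"AT-1", "AB-2"}, "IIASE": {"AB-1", "AB-2"},
    "VIASE": {"AT-1", "AB-1", "AB-2"}, "AH": {"AT-2", "AB-3"}, "AC": {"AT-2", "AB-3"},
    "ICAC": {"AB-3", "AB-4"}, "VCAC": {"AT-1", "AB-3", "AB-4"},
    "IIAC": {"AB-1", "AB-3", "AB-4"}, "VIAC": {"AT-1", "AB-1", "AB-3", "AB-4"}}

def fired_codes(artefacts):
    """Knowledge codes the artefact set triggers. AT-2 (recognising that θ was
    applied) is not modelled here because it depends on the particular θ."""
    present = {(a.source, a.name) for a in artefacts}
    codes = set()
    if present & DELTA_T:
        codes.add("AT-1")        # the tampering action itself left a trace
    seen_dx = present & set(DELTA_X)
    if seen_dx and seen_dx != set(DELTA_X):
        codes.add("AB-1")        # some of δX present, but not the whole of δX
    for src, (lo, hi) in BOUNDS.items():
        if not lo <= sum(a.source == src for a in artefacts) <= hi:
            codes.add("AB-2")    # |A_s| outside its expected bounds
    if any(not a.well_formed for a in artefacts):
        codes.add("AB-3")        # an artefact is not correctly constructed
    if any((a.source, a.name) in DELTA_X
           and a.location not in DELTA_X[(a.source, a.name)] for a in artefacts):
        codes.add("AB-4")        # a δX element sits where it is not plausible
    return codes

def candidate_types(codes):
    """Tampering types whose possible codes cover every code that fired; with no
    codes at all only ICAD fits, and ICAD is indistinguishable from no tampering."""
    return {t for t, c in TYPE_CODES.items() if codes <= c and bool(codes) == bool(c)}

# Constructed sample: two of the three δX traces survive and the journal holds
# fewer entries than a normal execution produces -> {AB-1, AB-2} -> IIASE or VIASE.
SAMPLE = [Artefact("mru", "open", "HKCU/mru"), Artefact("prefetch", "open", "C:/prefetch"),
          Artefact("journal", "rotate", "C:/journal"), Artefact("journal", "sync", "C:/journal")]
```

Because several tampering types share the same codes, the mapping narrows the candidates rather than naming a single type; adding a δT trace to the sample above leaves only VIASE.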