Chris Neale PhD Project
We are currently submitting a paper that describes a means by which tampering can be modelled as an action. If and when this work is published, we will provide a link here. We do not attempt a comprehensive overview of it in this format; you will need to read the paper when it is eventually available. However, some information is too verbose to include in publications with space limitations, so we provide it below as a reference resource.
The first of these is a table which outlines two things for each of the 14 types of tampering we identify and define in our model. First, it shows the difference in a system execution between when the tampering occurs and when it does not. Secondly, it shows the knowledge an investigator would need regarding that system in order to detect this.
Type of tampering action t | Difference between 𝜛 and 𝜛' | Knowledge required |
---|---|---|
Invisible complete artefact destruction (ICAD) | None | N/A |
Visible complete artefact destruction (VCAD) | Elements of δt in the artefact set | Elements of δt |
Invisible incomplete artefact destruction (IIAD) | Elements of δa in artefact set | Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
Visible incomplete artefact destruction (VIAD) | Elements of δt in the artefact set OR Elements of δa in artefact set | Elements of δt OR Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
Invisible complete artefact source elimination (ICASE) | \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Whether \|𝘈s̅\| is within expected bounds for a given execution |
Visible complete artefact source elimination (VCASE) | Elements of δt in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δt OR Whether \|𝘈s̅\| is within expected bounds for a given execution |
Invisible incomplete artefact source elimination (IIASE) | Elements of δa in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δa, especially those which occur out of place (i.e. without the whole of δa) OR Whether \|𝘈s̅\| is within expected bounds for a given execution |
Visible incomplete artefact source elimination (VIASE) | Elements of δt in the artefact set OR Elements of δa in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δt OR Elements of δa, especially those which occur out of place (i.e. without the whole of δa) OR Whether \|𝘈s̅\| is within expected bounds for a given execution |
Artefact hiding (AH) | Artefact set has been transformed by 𝛳 | How 𝛳 behaves such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set OR Whether artefacts are constructed correctly in the artefact set |
Artefact corruption (AC) | Artefact set has been transformed by 𝛳 and as a result, one or more elements of the artefact are not properly constructed | How 𝛳 behaves such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set OR Whether artefacts are constructed correctly in the artefact set |
Invisible complete artefact counterfeiting (ICAC) | Elements of δa occur in implausible locations OR Elements of δa not correctly formed | How system should behave when δa is plausible OR Whether artefacts are constructed correctly in the artefact set |
Visible complete artefact counterfeiting (VCAC) | Elements of δt in the artefact set OR Elements of δa occur in implausible locations OR Elements of δa not correctly formed | Elements of δt OR How system should behave when δa is plausible OR Whether artefacts are constructed correctly in the artefact set |
Invisible incomplete artefact counterfeiting (IIAC) | Elements of δa occur in implausible locations OR Elements of δa not correctly formed OR Not all elements of δa are present in the artefact set | How system should behave when δa is plausible OR Whether artefacts are constructed correctly in the artefact set OR Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
Visible incomplete artefact counterfeiting (VIAC) | Elements of δt in the artefact set OR Elements of δa occur in implausible locations OR Elements of δa not correctly formed OR Not all elements of δa are present in the artefact set | Elements of δt OR How system should behave when δa is plausible OR Whether artefacts are constructed correctly in the artefact set OR Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
This is summarised into the following knowledge codes for identifying tampering, shown in the next table and illustrated in the various images.
Identifying attacks (AT) | Identifying abnormality (AB) |
---|---|
AT-1: Elements of δt | AB-1: Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
AT-2: How 𝛳 behaves such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set | AB-2: Whether \|𝘈s̅\| is within expected bounds for a given execution |
| | AB-3: Whether artefacts are constructed correctly in the artefact set |
| | AB-4: How system should behave when δa is plausible |
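
As an added example (not taken from the paper or the project), the two tables can be combined to ask which tampering types an investigator can flag with a given set of knowledge codes, and which codes are strictly needed for full coverage. It assumes that each OR in the "Knowledge required" column means any one listed item suffices; the function names are illustrative.

```python
from itertools import combinations

# Knowledge codes per tampering type, transcribed from the two tables above.
# Assumption: "OR" means any one listed item is enough to notice the tampering.
REQUIRED = {
    "ICAD":  set(),                      # difference: None, knowledge: N/A
    "VCAD":  {"AT-1"},
    "IIAD":  {"AB-1"},
    "VIAD":  {"AT-1", "AB-1"},
    "ICASE": {"AB-2"},
    "VCASE": {"AT-1", "AB-2"},
    "IIASE": {"AB-1", "AB-2"},
    "VIASE": {"AT-1", "AB-1", "AB-2"},
    "AH":    {"AT-2", "AB-3"},
    "AC":    {"AT-2", "AB-3"},
    "ICAC":  {"AB-4", "AB-3"},
    "VCAC":  {"AT-1", "AB-4", "AB-3"},
    "IIAC":  {"AB-4", "AB-3", "AB-1"},
    "VIAC":  {"AT-1", "AB-4", "AB-3", "AB-1"},
}
ALL_CODES = sorted(set().union(*REQUIRED.values()))


def detectable(known):
    """Types for which the investigator holds at least one required code."""
    return sorted(t for t, codes in REQUIRED.items() if codes & set(known))


def blind_spots(known):
    """Types the investigator cannot flag with the given knowledge."""
    return sorted(set(REQUIRED) - set(detectable(known)))


def minimal_knowledge():
    """Smallest code sets that cover every type that lists any code at all."""
    targets = [codes for codes in REQUIRED.values() if codes]
    for size in range(1, len(ALL_CODES) + 1):
        hits = [set(c) for c in combinations(ALL_CODES, size)
                if all(codes & set(c) for codes in targets)]
        if hits:
            return hits
    return []


if __name__ == "__main__":
    print("Blind spots with AT-1 only:", blind_spots({"AT-1"}))
    print("Minimal covering code sets:", minimal_knowledge())
```

Under this reading, AT-1, AB-1, AB-2 and AB-3 together cover every type except ICAD, which leaves no difference to observe.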