...

Tampering

Chris Neale PhD Project

We are currently in the process of submitting a paper which describes a means by which tampering can be modelled as an action. If and when this work is published, we will provide a link here. We do not attempt to provide a comprehensive overview of it in this format; you will need to read the paper when it is eventually available. However, there is some information which is often too verbose to include in such publications, which have space limitations, and so we provide a reference resource below.

The first of these is a table which outlines two things for each of the 14 types of tampering we identify and define in our model. First, it shows the difference in a system execution between when the tampering occurs and when it does not. Secondly, it shows the knowledge an investigator would need regarding that system in order to detect this.

| Type of tampering action t | Difference between 𝜛 and 𝜛' | Knowledge required |
| --- | --- | --- |
| Invisible complete artefact destruction (ICAD) | None | N/A |
| Visible complete artefact destruction (VCAD) | Elements of δt in the artefact set | Elements of δt |
| Invisible incomplete artefact destruction (IIAD) | Elements of δa in artefact set | Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
| Visible incomplete artefact destruction (VIAD) | Elements of δt in the artefact set OR Elements of δa in artefact set | Elements of δt OR Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
| Invisible complete artefact source elimination (ICASE) | \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Whether \|𝘈s̅\| is within expected bounds for a given execution |
| Visible complete artefact source elimination (VCASE) | Elements of δt in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δt OR Whether \|𝘈s̅\| is within expected bounds for a given execution |
| Invisible incomplete artefact source elimination (IIASE) | Elements of δa in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δa, especially those which occur out of place (i.e. without the whole of δa) OR Whether \|𝘈s̅\| is within expected bounds for a given execution |
| Visible incomplete artefact source elimination (VIASE) | Elements of δt in the artefact set OR Elements of δa in the artefact set OR \|𝘈s̅\|𝜛 > \|𝘈s̅\|𝜛' | Elements of δt OR Elements of δa, especially those which occur out of place (i.e. without the whole of δa) OR Whether \|𝘈s̅\| is within expected bounds for a given execution |
| Artefact hiding (AH) | Artefact set has been transformed by 𝛳 | How 𝛳 behaves such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set OR Whether artefacts are constructed correctly in the artefact set |
| Artefact corruption (AC) | Artefact set has been transformed by 𝛳 and as a result, one or more elements of the artefact are not properly constructed | How 𝛳 behaves such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set OR Whether artefacts are constructed correctly in the artefact set |
| Invisible complete artefact counterfeiting (ICAC) | Elements of δa occur in implausible locations OR Elements of δa not correctly formed | How system should behave when δa is plausible OR Whether artefacts are constructed correctly in the artefact set |
| Visible complete artefact counterfeiting (VCAC) | Elements of δt in the artefact set OR Elements of δa occur in implausible locations OR Elements of δa not correctly formed | Elements of δt OR How system should behave when δa is plausible OR Whether artefacts are constructed correctly in the artefact set |
| Invisible incomplete artefact counterfeiting (IIAC) | Elements of δa occur in implausible locations OR Elements of δa not correctly formed OR Not all elements of δa are present in the artefact set | How system should behave when δa is plausible OR Whether artefacts are constructed correctly in the artefact set OR Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
| Visible incomplete artefact counterfeiting (VIAC) | Elements of δt in the artefact set OR Elements of δa occur in implausible locations OR Elements of δa not correctly formed OR Not all elements of δa are present in the artefact set | Elements of δt OR How system should behave when δa is plausible OR Whether artefacts are constructed correctly in the artefact set OR Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |

This is summarised into the following knowledge codes for identifying tampering, shown in the next table and illustrated in the various images.

| Identifying attacks (AT) | Identifying abnormality (AB) |
| --- | --- |
| AT-1: Elements of δt | AB-1: Elements of δa which appear in artefact set out of place (i.e. without the whole of δa) |
| AT-2: How 𝛳 behaves such that the investigator can distinguish whether 𝛳 has likely been applied to the artefact set | AB-2: Whether \|𝘈s̅\| is within expected bounds for a given execution |
| | AB-3: Whether artefacts are constructed correctly in the artefact set |
| | AB-4: How system should behave when δa is plausible |
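
As an added illustration (not part of the original page or the forthcoming paper), the knowledge column of the first table can be encoded with the codes above to ask which tampering types a given investigator cannot detect, and which smallest set of codes covers every detectable type. It assumes that alternatives joined by OR are independent (holding any one suffices) and that the IIASE/VIASE wording about elements of δa corresponds to AB-1; the function and variable names are hypothetical.

```python
from itertools import combinations

# Knowledge codes per tampering type, transcribed from the two tables above.
# Assumption: alternatives joined by OR are independent, so holding any one
# listed code is enough to detect that type.
KNOWLEDGE = {
    "ICAD": set(),  # N/A: no difference between the two executions
    "VCAD": {"AT-1"},
    "IIAD": {"AB-1"},
    "VIAD": {"AT-1", "AB-1"},
    "ICASE": {"AB-2"},
    "VCASE": {"AT-1", "AB-2"},
    "IIASE": {"AB-1", "AB-2"},  # assumption: "elements of δa" wording -> AB-1
    "VIASE": {"AT-1", "AB-1", "AB-2"},
    "AH": {"AT-2", "AB-3"},
    "AC": {"AT-2", "AB-3"},
    "ICAC": {"AB-4", "AB-3"},
    "VCAC": {"AT-1", "AB-4", "AB-3"},
    "IIAC": {"AB-4", "AB-3", "AB-1"},
    "VIAC": {"AT-1", "AB-4", "AB-3", "AB-1"},
}
CODES = sorted(set().union(*KNOWLEDGE.values()))


def blind_spots(held):
    """Tampering types an investigator holding `held` codes cannot detect."""
    held = set(held)
    return sorted(t for t, need in KNOWLEDGE.items() if not (need & held))


def smallest_full_coverage():
    """All minimum-size code sets that detect every detectable type."""
    detectable = [need for need in KNOWLEDGE.values() if need]
    for size in range(1, len(CODES) + 1):
        hits = [set(c) for c in combinations(CODES, size)
                if all(need & set(c) for need in detectable)]
        if hits:
            return hits
    return []


if __name__ == "__main__":
    print("abnormality codes only:", blind_spots(["AB-1", "AB-2", "AB-3", "AB-4"]))
    print("attack codes only:     ", blind_spots(["AT-1", "AT-2"]))
    print("smallest full coverage:", smallest_full_coverage())
```

Under these assumptions, ICAD stays in every blind-spot list because the table gives it no observable difference, and the brute-force search is practical only because there are six codes.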