SBIR-STTR Award

TheSieve
Award last edited on: 2/26/2019

Sponsored Program
SBIR
Awarding Agency
DOC : NIST
Total Award Amount
$449,875
Award Phase
2
Solicitation Topic Code
None
Principal Investigator
Mark Mclarnon

Company Information

Cyber Point International LLC (AKA: CyberPoint International LLC)

621 East Pratt Street Suite 610
Baltimore, MD 21202
(410) 779-6700
info@cyberpointllc.com
www.cyberpointllc.com
Location: Single
Congr. District: 07
County: Baltimore City

Phase I

Contract Number: 70NANB18H184
Phase I year
2018
Phase I Amount
$81,740
We propose to create an advanced forensic analysis tool called TheSieve. This tool will use machine learning techniques that can classify files as malicious or benign as well as suggest files for closer inspection. Built upon custom enhancements to the National Software Reference Library (NSRL), TheSieve will allow forensic investigators to spend their valuable time examining the most significant files. An important application of data repositories, like those in the NSRL, is a system that associates NSRL hash values with additional information derived through static and dynamic analysis. Phase I will yield a prototype web service and application delivered with integrations into at least one forensic analysis software package. TheSieve will be used in a controlled case study to determine if searching and the provided suggestions can reduce the amount of time spent identifying files. Time permitting, the prototype will improve file suggestions using machine learning. We do not believe that TheSieve can replace endpoint detection and response (EDR) products; instead it will augment them by applying Big Data analysis techniques. Finally, we will develop a process by which the TheSieve database can be improved with an analyst feedback loop to enhance previously seen queries.

Phase II

Contract Number: 70NANB19H080
Phase II year
2019
Phase II Amount
$368,135
CyberPoint International presents the design of a cross-platform product, titled TheSieve, for the autonomous execution of live forensic investigations of personal computers, laptops and servers, leveraging the NIST NSRL corpus and a combination of at least three forms of machine learning/artificial intelligence algorithms for the processing of preliminary digital evidence. We build upon work from our Phase I research effort to develop the suspicion score for a file based on an ensemble learning approach for features including entropy, location, size and file type. TheSieve will be a multi-tier product for conducting a live investigation requiring zero installation on target systems. TheSieve possesses the ability to automatically execute evidence collection and analysis techniques using a deterministic rule engine which fires during each step of analysis of a single host. Leveraging probability-based decision tree modeling, TheSieve will automatically offer suggestions on a target system under investigation at the end of collection and analysis. At the conclusion of this research effort, TheSieve will be a functional minimum viable product for conducting a live investigation of malicious code events or system misuse for Mac OS X and Linux endpoints and will re-train data models based on expert user feedback.
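The two abstracts above describe a two-stage triage: known files are eliminated by matching their hashes against the NSRL corpus, and the remainder are ranked by a suspicion score built from entropy, location, size and file type. The following is an added example of that pipeline written for this page; it is not CyberPoint's TheSieve code. The NSRL Reference Data Set distributes SHA-1 (and MD5) hashes of released software as upper-case hex, so the example keys its known-file set the same way, but the set itself, the sample files, the executable magic list, the "suspicious location" prefixes and the score weights are all constructed assumptions for illustration; the abstract describes a trained ensemble and a rule engine, not these fixed weights.

```python
"""Hash-based known-file elimination plus a feature-based suspicion score.

Added example, not TheSieve code. The known-file set, sample files, type
signatures, location prefixes and weights below are assumptions for the
demonstration; the real NSRL RDS is a large SHA-1/MD5 hash set of released
software that would replace KNOWN_SHA1 in practice.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

# Executable formats recognised by leading magic bytes (standard signatures;
# the choice of which formats to flag is an assumption of this example).
EXECUTABLE_MAGIC = {
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"\xcf\xfa\xed\xfe": "macho64",    # 64-bit Mach-O, little-endian
    b"\xca\xfe\xba\xbe": "macho_fat",  # universal (fat) Mach-O
    b"#!": "script",
}

# Path prefixes treated as user-writable or transient (assumption).
SUSPICIOUS_LOCATIONS = ("/tmp/", "/var/tmp/", "/home/", "/Users/", "/Downloads/")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_type(data: bytes) -> str:
    """Return a coarse type label from leading magic bytes, or 'other'."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return name
    return "other"


@dataclass
class FileRecord:
    path: str
    data: bytes
    sha1: str = field(init=False)
    entropy: float = field(init=False)
    file_type: str = field(init=False)

    def __post_init__(self) -> None:
        # NSRL RDS lists SHA-1 values as upper-case hex, so normalise to that.
        self.sha1 = hashlib.sha1(self.data).hexdigest().upper()
        self.entropy = shannon_entropy(self.data)
        self.file_type = classify_type(self.data)


def suspicion_score(rec: FileRecord) -> float:
    """Hand-weighted score in [0, 1] over the four feature families named in
    the Phase II abstract. The weights are illustrative assumptions only."""
    score = 0.0
    if rec.entropy >= 7.0:                 # packed or encrypted content
        score += 0.4
    if rec.file_type != "other":           # runnable code
        score += 0.3
    if any(loc in rec.path for loc in SUSPICIOUS_LOCATIONS):
        score += 0.2                       # user-writable / transient location
    if rec.file_type != "other" and len(rec.data) < 64 * 1024:
        score += 0.1                       # small executable (dropper-sized)
    return round(score, 2)


def triage(files: dict[str, bytes], known_sha1: set[str]) -> list[tuple[str, float]]:
    """Drop files whose SHA-1 is in the known set; rank the rest, highest score first."""
    ranked = []
    for path, data in files.items():
        rec = FileRecord(path, data)
        if rec.sha1 in known_sha1:
            continue                       # known-good per the hash corpus
        ranked.append((path, suspicion_score(rec)))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def sample_triage() -> list[tuple[str, float]]:
    """Run triage over a constructed file set (no real NSRL data involved)."""
    system_ls = b"\x7fELF\x02\x01\x01" + b"\x00" * 100            # pretend known binary
    files = {
        "/usr/bin/ls": system_ls,
        "/usr/lib/libfoo.so": b"\x7fELF" + b"\x00" * 5000,          # unknown, low entropy
        "/tmp/.x/update": b"\x7fELF" + bytes(range(256)) * 4,       # high-entropy payload
        "/Users/bob/Downloads/installer": b"MZ" + b"\x90" * 200,    # small PE in Downloads
        "/home/alice/notes.txt": b"meeting notes: quarterly review agenda",
    }
    known_sha1 = {hashlib.sha1(system_ls).hexdigest().upper()}     # constructed known set
    return triage(files, known_sha1)


if __name__ == "__main__":
    for path, score in sample_triage():
        print(f"{score:.2f}  {path}")
```

The ordering that comes out (packed executable in /tmp first, then the small PE in a user download directory, then the unknown system library, then the text file) is the property the abstracts are after: the analyst's attention goes to the few files that survive hash elimination and score highest, and a feedback loop would adjust the weights or retrain the model rather than edit this fixed table.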