1. Field
The present inventive concept pertains to a system and method of conducting a forensic investigation on a computer system to identify potentially malicious computer items. The present inventive concept more particularly concerns an improved system and method for locating character strings potentially associated with malicious computer items.
2. Discussion of Related Art
As more businesses and governmental entities increasingly rely on computer networks to conduct their operations and store relevant data, security of these networks has become increasingly important. The need for increased security is emphasized when these networks are connected to non-secure networks such as the Internet. The preservation of important data and the ability to retrieve and analyze the data has become a major focus of forensic investigators.
Various technologies may be employed to aid in the processing and organizing of data, including search technologies, software that copies the entire contents of the hard drive in a computer system, and software that allows an analyst to review its contents and categorize it based on their observations. A computer attacker, for example, someone that seeks to introduce malicious software into a computer system and/or extract information from the computer system without authorization, may introduce files or other computer items onto a computer system that contain or are associated with character strings. The character strings are accessible or visible to users and investigators and, for example, may serve an identifying function such as by serving as a file name or subject line, or otherwise providing information about the computer items. As such, investigators may seek to identify malicious software or files by first identifying their character strings from amongst innocuous character strings occurring in the computer system.
Existing technologies for detecting such character strings include “rack and stack” frequency analysis mechanisms and/or attempts to identify explicit misspellings in the character strings. These technologies are to some extent unreliable or sluggish given their dependency on external information and contextual information available from other systems, or are otherwise flawed in their ability to accurately identify character strings more likely to be associated with malicious software.
Accordingly, there exists a need for additional technologies to improve location of character strings potentially associated with malicious computer items.