Graph clustering and anomaly detection of access control log for forensic purposes

Attacks on operating system access control have become a significant and increasingly common problem. This type of security threat is recorded in a forensic artifact such as an authentication log. Forensic investigators will generally examine the log to analyze such incidents. An anomaly is highly correlated to an attacker's attempts to compromise the system. In this paper, we propose a novel method to automatically detect an anomaly in the access control log of an operating system. The logs will be first preprocessed and then clustered using an improved MajorClust algorithm to get a better cluster. This technique provides parameter-free clustering so that it automatically can produce an analysis report for the forensic investigators. The clustering results will be checked for anomalies based on a score that considers some factors such as the total members in a cluster, the frequency of the events in the log file, and the inter-arrival time of a specific activity. We also provide a graph-based visualization of logs to assist the investigators with easy analysis. Experimental results compiled on an open dataset of a Linux authentication log show that the proposed method achieved the accuracy of 83.14% in the authentication log dataset.     

An improved non-destructive method for detection of latent fingerprints on documents with iodine-7,8-benzoflavone

A solution of iodine and 7,8 benzoflavone¹ is an extremely sensitive reagent for developing old latent fingerprints on porous surfaces. The new reagent solution was compared with conventional ones, e.g. iodine, iodine fixed with 7,8-benzoflavone and iodine fixed with tetrabase, and was found to be superior with regard to sensitivity, clarity and reduced background intensity. The developed blue fingerprint stains are cleared in a fairly short time by air oxidation at room temperature without altering the chemical composition of the fingerprints. This leaves open the possibility of further examination of the latent fingerprints by alternative techniques should a double check be desired or in the event of failure.