Detecting the software usage on a compromised system: A triage solution for digital forensics

Forensic Science International: Digital Investigation(2023)

Abstract
One of the challenges of digital forensics is the high volume of investigative cases. To address this problem, researchers have proposed various triage methods. Detecting the applications that have run on the compromised system under inspection can be an excellent triage method that gives the investigator an overview of the system. In this paper, we construct the signature of software usage on a system using file path artifacts. We propose a software signature detection engine (SSDE) to identify the usage of the software on the system under investigation. The SSDE consists of two subsystems: the signature construction subsystem, which builds the software signature using the TF-IDF weighting scheme, and the signature detection subsystem, which identifies the executed set of software on the target system. We consider several parameters with different values in the design of SSDEs, leading to more than 500 SSDE models. We test the SSDE models against 14 pseudo-real systems from the M57 Patents scenario and evaluate their performance. The experimental results show that about 38% of SSDE models achieve near-perfect Precision, and about 18% of them achieve near-perfect Recall. We introduce the top models and determine which parameter values lead to the superior models. In addition, we compare the SSDE models with some doc2vec-based models. The results show that SSDE models have higher average Precision, slightly lower average Recall, and much less computational time. (c) 2022 Elsevier Ltd. All rights reserved.
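The two SSDE subsystems described in the abstract, as an added illustration rather than the paper's own code: each application is a "document" whose terms are the components of the file paths attributed to it, TF-IDF weighting removes artifacts every program leaves behind, and the target system is scored by the share of each signature's weight it exhibits. The reference corpus, the target paths and the 0.5 threshold are constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed reference corpus (not from the paper): per application, the file paths a
# differential analysis found on a clean system after the application was used.
TRAINING = {
    "firefox": [r"C:\Program Files\Mozilla Firefox\firefox.exe",
                r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
                r"C:\Windows\Prefetch\FIREFOX.EXE-ABC12345.pf",
                r"C:\Windows\System32\ntdll.dll"],
    "7zip": [r"C:\Program Files\7-Zip\7z.exe", r"C:\Program Files\7-Zip\7z.dll",
             r"C:\Windows\Prefetch\7Z.EXE-DEF67890.pf", r"C:\Windows\System32\ntdll.dll"],
    "putty": [r"C:\Users\alice\Downloads\putty.exe",
              r"C:\Windows\Prefetch\PUTTY.EXE-0011AABB.pf",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\putty.lnk",
              r"C:\Windows\System32\ntdll.dll"],
}
# Constructed target image: Firefox and 7-Zip were used on it, PuTTY was not.
TARGET = [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
          r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r"C:\Windows\Prefetch\FIREFOX.EXE-99887766.pf",
          r"C:\Program Files\7-Zip\7z.exe", r"C:\Program Files\7-Zip\7z.dll",
          r"C:\Windows\Prefetch\7Z.EXE-13572468.pf",
          r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"]

def tokenize(path):
    """Lower-cased path components; the per-machine prefetch hash is normalised away."""
    parts = re.split(r"[\\/]+", path.lower())
    return [re.sub(r"-[0-9a-f]{8}\.pf$", ".pf", p) for p in parts if p]

def build_signatures(corpus):
    """Signature construction: one TF-IDF vector per application (a component seen
    for every application, e.g. ntdll.dll, gets IDF 0 and carries no weight)."""
    docs = {app: Counter(t for p in paths for t in tokenize(p))
            for app, paths in corpus.items()}
    df, n = Counter(t for counts in docs.values() for t in counts), len(docs)
    return {app: {t: c / sum(counts.values()) * math.log((1 + n) / (1 + df[t]))
                  for t, c in counts.items()}
            for app, counts in docs.items()}

def score_target(signatures, target_paths):
    """Signature detection: fraction of each signature's weight present on the target."""
    present = {t for p in target_paths for t in tokenize(p)}
    return {app: sum(w for t, w in sig.items() if t in present) / sum(sig.values())
            for app, sig in signatures.items()}

def detect(signatures, target_paths, threshold=0.5):
    """Applications whose score reaches the threshold, strongest match first."""
    scores = score_target(signatures, target_paths)
    return sorted((a for a, s in scores.items() if s >= threshold), key=lambda a: -scores[a])
```

With this corpus, 7-Zip scores 1.0 and Firefox about 0.58, while PuTTY still reaches about 0.43 because the shared profile-directory components (Users, AppData, Roaming, Recent) carry residual weight, which is the kind of false-positive pressure the threshold has to absorb.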
Keywords
Digital forensics, Triage process, Software signature, TF-IDF, Forensic differential analysis