Reasoning About a Simulated Printer Case Investigation with Forensic Lucid

TL;DR

This paper models a simulated printer case using Forensic Lucid, a logic-based language, to analyze evidence, reconstruct events, and verify claims in a cyberforensic investigation, improving usability over previous finite-state automata methods.

Contribution

It introduces a novel application of Forensic Lucid for modeling and analyzing a forensic case, demonstrating enhanced usability and reasoning capabilities over traditional FSA approaches.

Findings

Successfully modeled the printer case in Forensic Lucid

Enabled event reconstruction and claim verification using the language

Showed improved usability compared to finite-state automata

Abstract

In this work we model the ACME (a fictitious company name) "printer case incident" and make its specification in Forensic Lucid, a Lucid- and intensional-logic-based programming language for cyberforensic analysis and event reconstruction specification. The printer case involves a dispute between two parties that was previously solved using the finite-state automata (FSA) approach, and is now re-done in a more usable way in Forensic Lucid. Our simulation is based on the said case modeling by encoding concepts like evidence and the related witness accounts as an evidential statement context in a Forensic Lucid program, which is an input to the transition function that models the possible deductions in the case. We then invoke the transition function (actually its reverse) with the evidential statement context to see if the evidence we encoded agrees with one's claims and then attempt to reconstruct the sequence of events that may explain the claim or disprove it.