Friday, January 11, 2008

application ballistics

Following on the tail of a few of my previous posts I wanted again to illustrate the reason for and benefits of having a tool mark library.

Take this photo in to consideration:

You can see clearly the shape of the object I took this blurry picture of. However, it's not necessarily recognizable unless you have experience with this type of object.

Given the picture you can make an assumption as to what the object is and what its purpose may be. You may even be able to provide a better description and explanation if you've dealt with it previously. You can then make an educated guess as to what it is. Can you identify anything other than a generic class that this object fits in to? If you had to conduct a comparison to this object in future cases, would this photo be of assistance? Probably not.

Let's clear it up a bit shall we?

Now we have some clarity. It's clearly a bullet of some type. Note the deformities, the rifling impressions, the slightly blunted tip, the other markings that coat the bullet. Note the shape of the bullet, the retention of its original shape, the lands and grooves, the twist, and even the corrosion. From looking at these class and individual characteristics we can ascertain a number of things. Imagine if we had the cartridge casing, a macroscope, or even the original weapon. We could determine a whole lot more if we had something to compare against, and our rate of accuracy and precision would increase dramatically.

This bullet followed a path during it's lifecycle - from original machining to being sold, to being loaded in to the stripper clip, in to the breech, down the barrel of a russian sks at a high rate of rotation downrange about 30 yards and through a few 2x4's to finally rest in the dirt behind them. It then made its way in to my backpack where it stayed for about 6 months.

Applications whether used for good or evil purposes follow a similar lifecycle. They are authored, purchased or downloaded, installed, used, then possibly they are uninstalled. If it's malware it follows a slightly different path but you get the idea. An application will have class and individual characteristics each of which will be caused by a number of factors and affect a system based on a number of factors as well.

*note to self*
The more I consider this the less I think it should focus on malware and focus more on applications in use. I think there would be a greater benefit if the focus was less on a specific type of software. Certainly malware has a place in the library however it shouldn't be that limited.

*EDIT* Anyone want to guess the bullet type?