Abstract:
Digital forensics has long been proposed as a methodology for root-cause analysis of major software failures.
Despite this, similar software failures still occur repeatedly. One reason for this is the difficulty of obtaining detailed evidence of
software failures. Acquiring such evidence can be challenging, as the relevant data may be lost or corrupted following a software system's
crash. This paper proposes the use of near-miss analysis to improve on the collection of evidence for software failures. Near-miss analysis
is an incident investigation technique that detects and subsequently analyses indicators of failures. The results of a near-miss analysis investigation
are then used to detect an upcoming failure before the failure unfolds. The detection of these indicators – known as near misses
– therefore provides an opportunity to proactively collect relevant data that can be used as digital evidence pertaining to software failures.
A Near Miss Management System (NMS) architecture for the forensic investigation of software failures is proposed. The viability of the
proposed architecture is demonstrated through a prototype.