Publication


Featured research published by Kevin D. Fairbanks.


information assurance and security | 2007

TimeKeeper: A Metadata Archiving Method for Honeypot Forensics

Kevin D. Fairbanks; Christopher P. Lee; Ying H. Xia; Henry L. Owen

Internet attacks are becoming more advanced as the economy for cybercrime grows and the tools for evading detection become ubiquitous. To counter this threat, new detection and forensics tools are needed to capture these new techniques. In this paper, we propose a method to extract and analyze a richer set of forensic information from the file system journal of honeypots in spite of anti-forensic tool use. We show initial results of our journal monitoring prototype, TimeKeeper, of file system activities and argue that by detecting these events, we are able to capture previously unavailable forensic information. This forensic information can then be used for system recovery, research on attack techniques, insight into attacker motives, and for criminal investigations.


IEEE Transactions on Education | 2011

The Design of NetSecLab: A Small Competition-Based Network Security Lab

Christopher P. Lee; Arif Selcuk Uluagac; Kevin D. Fairbanks; John A. Copeland

This paper describes a competition-style of exercise to teach system and network security and to reinforce themes taught in class. The exercise, called NetSecLab, is conducted on a closed network with student-formed teams, each with their own Linux system to defend and from which to launch attacks. Students are expected to learn how to: 1) install the specified Linux distribution; 2) set up the required services; 3) find ways to harden the box; 4) explore attack methods; and 5) compete. The informal write-up at the end of the lab focuses on their research into defense and attack methods, which contributes to their grade, while their competition score is dependent on their abilities to attack during the competition. Surveys were performed to evaluate the efficacy of the exercise in teaching system security.


visualization for computer security | 2008

Visual Analysis of Program Flow Data with Data Propagation

Ying H. Xia; Kevin D. Fairbanks; Henry L. Owen

Host-based program monitoring tools are an essential part of maintaining proper system integrity due to growing malicious network activity. As systems become more complicated, the quantity of data collected by these tools often grows beyond the ability of analysts to easily comprehend in a short amount of time. In this paper, we present a method for visual exploration of a system's program flow over time to aid in the detection and identification of significant events. This allows automatic accentuation of programs with irregular file access and child process propagation, which results in more efficient forensic analysis and system recovery times.


southeastcon | 2009

BlackBerry IPD parsing for open source forensics

Kevin D. Fairbanks; Kishore Atreya; Henry L. Owen

In this paper, we present a framework for an open source BlackBerry Inter@ctive Pager Backup/Restore (IPD) file forensics tool. Our reasoning for developing an open source version of an IPD parser is to enhance the available open source forensic tools; an example of this category of tools is the Sleuth Kit. One intention of this work is to make users of BlackBerrys aware of the vulnerability of their information on their computers. Commercial tools such as the ABC Amber BlackBerry Converter application [6] presently exist. That commercial tool is able to gather the messages, contacts, SMS records, memos, call logs, and the task list from an IPD file. It then exports these records in a variety of forms. Another commercial tool by Paraben [4] can export data into closed source forensic tool kits such as Encase and FTK.


cyber security and information intelligence research workshop | 2010

Forensic implications of Ext4

Kevin D. Fairbanks; Christopher P. Lee; Henry L. Owen

Ext4 has become the default file system on popular Linux distributions; this means that it will be the subject of digital forensic investigations. In this paper a brief overview of Ext4 is given, followed by a discussion of how the differences between it and its predecessors affect file system forensics. The new file system presents some unique challenges not only to digital forensics but to privacy in general. Therefore, strides must be made in the open source forensic community for its support.


Operating Systems Review | 2008

A program behavior matching architecture for probabilistic file system forensics

Ying Xia; Kevin D. Fairbanks; Henry L. Owen

Even the most secure computing system can be successfully attacked by a sufficiently motivated entity. To investigate the means of entry, the victim machine will come under the scrutiny of forensic analysis tools. In this era where system compromises occur on a regular basis, the design and implementation of operating systems should consider the necessity of computer forensics. Additionally, forensics techniques should take advantage of existing system capabilities such as the journaling feature of the Ext3 file system. With our forensics enabling architecture, we provide a means of using the metadata inherent in the Ext3 file system to reconstruct probable sequences of events that occurred during the journaling process. The reconstruction procedure is achieved by generating program behavior signatures. These signatures allow forensic investigators to perform probabilistic analysis by using information theory models to extract a more significant set of data.


southeastcon | 2007

Establishing trust in black-box programs

Ying Xia; Kevin D. Fairbanks; Henry L. Owen

Encrypted binaries are increasingly being used as deterrence for software piracy as well as vulnerability exploitation. The application of encrypted programs, however, leads to increased security concerns, as users are unable to identify malicious behavior by monitoring the encrypted executables. This paper proposes a method to monitor encrypted programs that assures users that the black-box program on their system is not violating any security concerns. Our approach is to embed a system call monitoring tool into the operating system that monitors system call content for suspicious behavior or the lack thereof.


southeastcon | 2010

Visual network traffic classification using multi-dimensional piecewise polynomial models

Sean Sanders; Kevin D. Fairbanks; Sahitya Jampana; Henry L. Owen

Computer networks have become a ubiquitous part of modern society. As the spread of networks continues to increase, so do the various applications for the underlying technology. Thus, traffic classification has become, and remains, important to network administrators. In this paper, preliminary results using multi-dimensional piecewise polynomials to model network traffic are shown. Different types of traffic are modeled and inspected visually to demonstrate the usefulness of the procedure.


computer software and applications conference | 2009

A Method for Historical Ext3 Inode to Filename Translation on Honeypots

Kevin D. Fairbanks; Ying H. Xia; Henry L. Owen

In an environment where computer compromises are no longer anomalies, but are frequent occurrences, the field of computer forensics has increasingly gained importance. The development of this forensic field is matched by a growth in anti-forensic techniques. To overcome potential difficulties with external applications, operating systems should contain methods for storing and protecting meaningful information. The Linux Ext3 journal is one source of information that should be fully utilized for its intended purpose and forensics as well. However, due to its limited size and circular nature, this source of information has restrictions that can be addressed by the operating system. For example, when collecting and examining Ext3 journal data, it can be difficult to determine the filename that an inode number is associated with. In this paper, the design of a method for honeypots is presented which takes advantage of the Virtual File System Layer in Linux to address this difficulty. This technique allows the translation of inode numbers to filenames in a historical context thereby providing a forensic analyst with a better picture of what has transpired.


Archive | 2010

Forensic framework for honeypot analysis

Henry L. Owen; Kevin D. Fairbanks

Collaboration

Top co-authors of Kevin D. Fairbanks (all at Georgia Institute of Technology):

Henry L. Owen
Christopher P. Lee
Ying H. Xia
Ying Xia
Arif Selcuk Uluagac
John A. Copeland
Kishore Atreya
Sahitya Jampana
Sean Sanders