More Web Proxy on the site http://driver.im/

research-article

Trail of bytes: efficient support for forensic analysis

Authors:

Srinivas Krishnan,

Fabian MonroseAuthors Info & Claims

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security

Pages 50 - 60

https://doi.org/10.1145/1866307.1866314

Published: 04 October 2010 Publication History

Abstract

For the most part, forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has improved significantly over the past two decades, it is all too often the case that we tend to lack detailed information just when we need it the most. Simply put, the current state of computer forensics leaves much to be desired. In this paper, we attempt to improve on the state of the art by providing a forensic platform that transparently monitors and records data access events within a virtualized environment using only the abstractions exposed by the hypervisor. Our approach monitors accesses to objects on disk and follows the causal chain of these accesses across processes, even after the objects are copied into memory. Our forensic layer records these transactions in a version-based audit log that allows for faithful, and efficient, reconstruction of the recorded events and the changes they induced. To demonstrate the utility of our approach, we provide an extensive empirical evaluation, including a real-world case study demonstrating how our platform can be used to reconstruct valuable information about the what, when, and how, after a compromised has been detected.

References

[1]

}}Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., and Warfield, A. Xen and the Art of Virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (2003), pp. 164--177.

Digital Library

[2]

}}Buchholz, F., and Spafford, E. On the Role of File System Metadata in Digital Forensics. Digital Investigation 1, 4 (2004), 298 -- 309.

Digital Library

[3]

}}Chen, P., and Noble, B. When Virtual is Better than Real. In Proceedings of the Workshop on Hot Topics in Operating Systems (May. 2001), pp. 133--138.

Digital Library

[4]

}}Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., and Iyer, R. K. Defeating Memory Corruption Attacks via Pointer Taintedness Detection. In IEEE International Conference on Dependable Systems and Networks (DSN (2005), pp. 378--387.

Digital Library

[5]

}}Chen, X., Andersen, J., Mao, Z., Bailey, M., and Nazario, J. Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware. In Dependable Systems and Networks (June 2008), pp. 177--186.

[6]

}}Denning, D. E., and Denning, P. J. Certification of Programs for Secure Information Flow. Communications of the ACM 20, 7 (1977), 504--513.

Digital Library

[7]

}}Dinaburg, A., Royal, P., Sharif, M., and Lee, W. Ether: Malware Analysis via Hardware Virtualization Extensions. In Proceedings of the 15th ACM Conference on Computer and Communications Security (2008), pp. 51--62.

Digital Library

[8]

}}F-Secure. MBR Rootkit, A New Breed of Malware. See http://www.f-secure.com/weblog/archives/ 00001393.html (2008).

[9]

}}Farmer, D., and Venema, W. Forensic Discovery. Addison-Wesley, 2006.

Digital Library

[10]

}}Franklin, J., Perrig, A., Paxson, V., and Savage, S. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. In Proceedings of the 14th ACM conference on Computer and communications security (2007), pp. 375--388.

Digital Library

[11]

}}Garfinkel, T., Adams, K., Warfield, A., and Franklin, J. Compatibility is not Transparency: VMM Detection Myths and Realities. In Proceedings of the 11th USENIX workshop on Hot topics in operating systems (2007), pp. 1--6.

Digital Library

[12]

}}Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., and Boneh, D. Terra: A Virtual Machine-Based Platform for Trusted Computing. In Proceedings of ACM Symposium on Operating System Principles (2003), pp. 193--206.

Digital Library

[13]

}}Garfinkel, T., and Rosenblum, M. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Network and Distributed Systems Security Symposium (2003), pp. 191--206.

[14]

}}Goel, A., Po, K., Farhadi, K., Li, Z., and de Lara, E. The Taser Intrusion Detection System. In Proceedings of Symposium on Operating Systems Principles (Oct. 2005).

Digital Library

[15]

}}Goldberg, R. Survey of Virtual Machine Research. IEEE Computer Magazine 7, 6 (1974), 34--35.

Digital Library

[16]

}}Jain, S., Shafique, F., Djeric, V., and Goel, A. Application-Level Isolation and Recovery with Solitude. In Proceedings of EuroSys (Apr. 2008), pp. 95--107.

Digital Library

[17]

}}Jay, C., Glencross, M., and Hubbold, R. Modeling the Effects of Delayed Haptic and Visual Feedback in a Collaborative Virtual Environment. ACM Transactions on Computer-Human Interaction 14, 2 (2007), 8.

Digital Library

[18]

}}Jiang, X., Wang, X., and Xu, D. Stealthy Malware Detection through VMM-based "out-of-the-box" Semantic View Reconstruction. In Proceedings of the 14th ACM conference on Computer and Communications Security (2007), pp. 128--138.

Digital Library

[19]

}}Jones, S. T., Arpaci-Dusseau, A. C., and Arpaci-Dusseau, R. H. Antfarm: Tracking Processes in a Virtual Machine Environment. In Proceedings of the USENIX Annual Technical Conference (2006).

Digital Library

[20]

}}Jones, S. T., Arpaci-Dusseau, A. C., and Arpaci-Dusseau, R. H. Geiger: Monitoring the Buffer Cache in a Virtual Machine Environment. SIGPLAN Not. 41, 11 (2006), 14--24.

Digital Library

[21]

}}Kim, G. H., and Spafford, E. H. The Design and Implementation of Tripwire: a File System Integrity Checker. In Proceedings of the 2nd ACM Conference on Computer and Communications Security (1994), ACM, pp. 18--29.

Digital Library

[22]

}}King, S., and Chen, P. Backtracking Intrusions. Proceedings of the nineteenth ACM Symposium on Operating Systems Principles (Dec 2003).

Digital Library

[23]

}}King, S. T., Mao, Z. M., Lucchetti, D. G., and Chen, P. M. Enriching intrusion alerts through multi-host causality. In Proceedings of Network and Distributed System Security Symposium (2005).

[24]

}}Krishnan, S., and Monrose, F. Time Capsule: Secure Recording of Accesses to a Protected Datastore. In Proceedings of the 2nd ACM Workshop on Virtual Machine Security (Nov. 2009).

Digital Library

[25]

}}Leung, A. W., Pasupathy, S., Goodson, G., and Miller, E. L. Measurement and Analysis of Large-scale Network File System Workloads. In USENIX Annual Technical Conference (2008), pp. 213--226.

Digital Library

[26]

}}Leung, F., Neiger, G., Rodgers, D., Santoni, A., and Uhlig, R. Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization. Intel Technology Journal 10 (2006).

[27]

}}Litty, L., Lagar-Cavilla, H., and Lie, D. Hypervisor Support for Identifying Covertly Executing Binaries. In Proceedings of USENIX Security Symposium (Aug. 2008), pp. 243--257.

Digital Library

[28]

}}Muniswamy-Reddy, K., Holland, D., Braun, U., and Seltzer, M. Provenance-aware Storage Systems. In Proceedings of the 2006 USENIX Annual Technical Conference (2006), pp. 43--56.

Digital Library

[29]

}}Muniswamy-Reddy, K.-K., Macko, P., and Seltzer, M. Provenance for the Cloud. In USENIX Conference on File and Storage Technologies (FAST) (Berkeley, CA, USA, 2010), USENIX Association.

Digital Library

[30]

}}NIST. National Software Reference Library, 2009.

[31]

}}Payne, B. D., Carbone, M., and Lee, W. Secure and flexible monitoring of virtual machines. Annual Computer Security Applications Conference (2007), 385--397.

[32]

}}Provos, N., McNamee, D., Mavrommatis, P., Wang, K., and Modadugu, N. The Ghost in the Browser: Analysis of Web-based Malware. In First Workshop on Hot Topics in Understanding Botnets (2006).

Digital Library

[33]

}}Quinlan, S., and Dorward, S. Venti: A New Approach to Archival Data Storage. In Proceedings of the USENIX Conference on File and Storage Technologies (2002), pp. 89--101.

Digital Library

[34]

}}Sean Peiset and Matt Bishop and Keith Marzullo. Computer Forensics in Forensis. ACM Operating System Review 42 (2008).

Digital Library

[35]

}}Shneiderman, B. Response Time and Display Rate in Human Performance with Computers. ACM Computing Surveys 16, 3 (1984), 265--285.

Digital Library

[36]

}}Slowinska, A., and Bos, H. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. In Proceedings of EuroSys (Apr. 2009).

Digital Library

[37]

}}Vincenzetti, D., and Cotrozzi, M. ATP - Anti Tampering Program. In Proceedings of USENIX Security (1993), pp. 79--90.

Cited By

Feng SYe YShi QCheng ZXu XCheng SChoi HZhang XFilkov VRay BZhou M(2024)ROCAS: Root Cause Analysis of Autonomous Driving Accidents via Cyber-Physical Co-mutationProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695530(1620-1632)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695530
Gandhi VBanerjee SAgrawal AAhmad ALee SPeinado MCalandrino JTroncoso C(2023)Rethinking system audit architectures for high event coverage and synchronous log availabilityProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620260(391-408)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620260
Yang RChen XXu HCheng YXiong CRuan LKavousi MLi ZXu LChen Y(2022)RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on WindowsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2020.303257019:3(1621-1638)Online publication date: 1-May-2022
https://doi.org/10.1109/TDSC.2020.3032570
Show More Cited By

Index Terms

Trail of bytes: efficient support for forensic analysis
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Investigating 'Internet Crimes Against Children' (ICAC) cases in the state of Florida
SAC '06: Proceedings of the 2006 ACM symposium on Applied computing

The purpose of this article is to highlight efforts by the Computer Crime Center at the Florida Department of Law Enforcement (FDLE) to prosecute ICAC cases under their jurisdiction. Section 1 presents an overview of the FDLE ICAC Initiative, a project ...
Trail of Bytes: New Techniques for Supporting Data Provenance and Limiting Privacy Breaches

Forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has ...
Towards event ordering in digital forensics
MM&Sec '10: Proceedings of the 12th ACM workshop on Multimedia and security

In criminal investigation and criminal justice, investigators are usually faced with several reports, which contain a set of events of interest. Often, it is important to be able to order these events so that relevant queries can be posed on this ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security

October 2010

782 pages

ISBN:9781450302456

DOI:10.1145/1866307

General Chair:
Ehab Al-Shaer
University of North Carolina, Charlotte, USA
,
Program Chairs:
Angelos D. Keromytis
Columbia University, USA
,
Vitaly Shmatikov
University of Texas at Austin, USA

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 October 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS '10

Sponsor:

SIGSAC

CCS '10: 17th ACM Conference on Computer and Communications Security 2010

October 4 - 8, 2010

Illinois, Chicago, USA

Acceptance Rates

CCS '10 Paper Acceptance Rate 55 of 325 submissions, 17%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

35
Total Citations
View Citations
1,295
Total Downloads

Downloads (Last 12 months)16
Downloads (Last 6 weeks)0

Reflects downloads up to 11 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Feng SYe YShi QCheng ZXu XCheng SChoi HZhang XFilkov VRay BZhou M(2024)ROCAS: Root Cause Analysis of Autonomous Driving Accidents via Cyber-Physical Co-mutationProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695530(1620-1632)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695530
Gandhi VBanerjee SAgrawal AAhmad ALee SPeinado MCalandrino JTroncoso C(2023)Rethinking system audit architectures for high event coverage and synchronous log availabilityProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620260(391-408)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620260
Yang RChen XXu HCheng YXiong CRuan LKavousi MLi ZXu LChen Y(2022)RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on WindowsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2020.303257019:3(1621-1638)Online publication date: 1-May-2022
https://doi.org/10.1109/TDSC.2020.3032570
Ghosh SSatvat KGjomemo RVenkatakrishnan V(2022)Ostinato: Cross-host Attack Correlation Through Attack Activity Similarity DetectionInformation Systems Security10.1007/978-3-031-23690-7_1(1-22)Online publication date: 11-Dec-2022
https://doi.org/10.1007/978-3-031-23690-7_1
Röckl JProtsenko MHuber MMüller TFreiling F(2021)Advanced System Resiliency Based on Virtualization Techniques for IoT DevicesProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3485836(455-467)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3485836
Zhu TWang JRuan LXiong CYu JLi YChen YLv MChen T(2021)General, Efficient, and Real-Time Data Compaction Strategy for APT Forensic AnalysisIEEE Transactions on Information Forensics and Security10.1109/TIFS.2021.307628816(3312-3325)Online publication date: 2021
https://doi.org/10.1109/TIFS.2021.3076288
Li TMa JShen YPei Q(2019)Anomalies Detection and Proactive Defence of Routers Based on Multiple Information LearningEntropy10.3390/e2108073421:8(734)Online publication date: 26-Jul-2019
https://doi.org/10.3390/e21080734
Ben YHan YCai NAn WXu Z(2019)An Online System Dependency Graph Anomaly Detection based on Extended Weisfeiler-Lehman KernelMILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM)10.1109/MILCOM47813.2019.9020815(1-6)Online publication date: Nov-2019
https://doi.org/10.1109/MILCOM47813.2019.9020815
Li TMa JPei QShen YLin CMa SObaidat M(2019)AClog: Attack Chain Construction Based on Log Correlation2019 IEEE Global Communications Conference (GLOBECOM)10.1109/GLOBECOM38437.2019.9013518(1-6)Online publication date: Dec-2019
https://doi.org/10.1109/GLOBECOM38437.2019.9013518
Li B(2019)Optimal Offloading for Dynamic Compute-Intensive Applications in Wireless Networks2019 IEEE Global Communications Conference (GLOBECOM)10.1109/GLOBECOM38437.2019.9013327(1-6)Online publication date: Dec-2019
https://doi.org/10.1109/GLOBECOM38437.2019.9013327
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents