DOI: 10.1145/1866307.1866314

Trail of bytes: efficient support for forensic analysis

Published: 04 October 2010

Abstract

For the most part, forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has improved significantly over the past two decades, it is all too often the case that we tend to lack detailed information just when we need it the most. Simply put, the current state of computer forensics leaves much to be desired. In this paper, we attempt to improve on the state of the art by providing a forensic platform that transparently monitors and records data access events within a virtualized environment using only the abstractions exposed by the hypervisor. Our approach monitors accesses to objects on disk and follows the causal chain of these accesses across processes, even after the objects are copied into memory. Our forensic layer records these transactions in a version-based audit log that allows for faithful, and efficient, reconstruction of the recorded events and the changes they induced. To demonstrate the utility of our approach, we provide an extensive empirical evaluation, including a real-world case study demonstrating how our platform can be used to reconstruct valuable information about the what, when, and how, after a compromise has been detected.


Published In

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
October 2010
782 pages
ISBN: 9781450302456
DOI: 10.1145/1866307

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. audit
  2. forensics
  3. provenance
  4. virtualization

Qualifiers

  • Research-article

Conference

CCS '10

Acceptance Rates

CCS '10 Paper Acceptance Rate 55 of 325 submissions, 17%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)15
  • Downloads (Last 6 weeks)2
Reflects downloads up to 03 Jan 2025

Cited By

  • ROCAS: Root Cause Analysis of Autonomous Driving Accidents via Cyber-Physical Co-mutation. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering (2024), pp. 1620-1632. DOI: 10.1145/3691620.3695530. Online publication date: 27-Oct-2024.
  • Rethinking system audit architectures for high event coverage and synchronous log availability. Proceedings of the 32nd USENIX Conference on Security Symposium (2023), pp. 391-408. DOI: 10.5555/3620237.3620260. Online publication date: 9-Aug-2023.
  • RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on Windows. IEEE Transactions on Dependable and Secure Computing 19, 3 (2022), pp. 1621-1638. DOI: 10.1109/TDSC.2020.3032570. Online publication date: 1-May-2022.
  • Ostinato: Cross-host Attack Correlation Through Attack Activity Similarity Detection. Information Systems Security (2022), pp. 1-22. DOI: 10.1007/978-3-031-23690-7_1. Online publication date: 11-Dec-2022.
  • Advanced System Resiliency Based on Virtualization Techniques for IoT Devices. Proceedings of the 37th Annual Computer Security Applications Conference (2021), pp. 455-467. DOI: 10.1145/3485832.3485836. Online publication date: 6-Dec-2021.
  • General, Efficient, and Real-Time Data Compaction Strategy for APT Forensic Analysis. IEEE Transactions on Information Forensics and Security 16 (2021), pp. 3312-3325. DOI: 10.1109/TIFS.2021.3076288. Online publication date: 2021.
  • Anomalies Detection and Proactive Defence of Routers Based on Multiple Information Learning. Entropy 21, 8 (2019), article 734. DOI: 10.3390/e21080734. Online publication date: 26-Jul-2019.
  • An Online System Dependency Graph Anomaly Detection based on Extended Weisfeiler-Lehman Kernel. MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM) (2019), pp. 1-6. DOI: 10.1109/MILCOM47813.2019.9020815. Online publication date: Nov-2019.
  • AClog: Attack Chain Construction Based on Log Correlation. 2019 IEEE Global Communications Conference (GLOBECOM) (2019), pp. 1-6. DOI: 10.1109/GLOBECOM38437.2019.9013518. Online publication date: Dec-2019.
  • Optimal Offloading for Dynamic Compute-Intensive Applications in Wireless Networks. 2019 IEEE Global Communications Conference (GLOBECOM) (2019), pp. 1-6. DOI: 10.1109/GLOBECOM38437.2019.9013327. Online publication date: Dec-2019.
