System-Level Support for Intrusion Recovery
Recovering from attacks is hard and gets harder as the time between the initial infection and its detection increases. Which files did the attackers modify? Did any user data depend on malicious inputs? Can the user still trust their own documents or binaries? When malcode has been active for some time and its actions are mixed with those of benign applications, these questions are impossible to answer on current systems. In this paper, the authors describe DiskDuster, an attack analysis and recovery system capable of recovering from complicated attacks in a semi-automated manner. DiskDuster traces malcode at byte-level granularity, both in memory and on disk, in a modified version of QEMU.
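As an added illustration (not DiskDuster's code, and far simpler than a QEMU-based tracer), the toy Python model below carries one taint flag per byte through memory buffers and disk writes, so that a recovery step can answer the questions above: which files hold attacker-influenced bytes, which of them can be reverted automatically from a clean snapshot, and which are left for the user to decide. All buffer names, paths and the attack timeline are constructed for the example.

```python
# Toy per-byte taint model: every buffer and file is a list of (byte, tainted).
def tb(raw: bytes, tainted: bool = False) -> list:
    """Turn raw bytes into (byte, tainted) pairs with one flag per byte."""
    return [(b, tainted) for b in raw]

class System:
    def __init__(self, snapshot: dict):
        self.memory, self.disk = {}, {}      # buffer name -> pairs, path -> pairs
        self.snapshot = snapshot             # clean pre-infection disk image
    def receive(self, buf, raw, untrusted):
        """Input entering memory; untrusted sources start out tainted."""
        self.memory[buf] = tb(raw, untrusted)
    def write_file(self, path, buf, offset=0):
        """Write a buffer to disk; each byte keeps its own taint flag."""
        src, f = self.memory[buf], self.disk.setdefault(path, [])
        f.extend(tb(b"\0" * max(0, offset + len(src) - len(f))))  # grow clean
        f[offset:offset + len(src)] = src
    def read_file(self, buf, path):
        """Reading a file pulls its per-byte taint back into memory."""
        self.memory[buf] = list(self.disk[path])
    def tainted_files(self) -> dict:
        """Map each attacker-influenced file to its tainted byte offsets."""
        return {p: [i for i, (_, t) in enumerate(f) if t]
                for p, f in self.disk.items() if any(t for _, t in f)}
    def recover(self) -> list:
        """Revert tainted files that have a clean snapshot, delete files that are
        wholly attacker-written, and return the rest for manual review."""
        review = []
        for path, offsets in self.tainted_files().items():
            if path in self.snapshot:
                self.disk[path] = tb(self.snapshot[path])
            elif len(offsets) == len(self.disk[path]):
                del self.disk[path]
            else:
                review.append(path)
        return review

def scenario() -> System:
    """Constructed timeline: a payload overwrites part of a user file, drops a binary, and a benign app later derives data from the tainted file."""
    s = System(snapshot={"/home/u/report.txt": b"quarterly report"})
    s.disk["/home/u/report.txt"] = tb(b"quarterly report")
    s.receive("net", b"EVIL", untrusted=True)
    s.write_file("/home/u/report.txt", "net")      # partial overwrite
    s.write_file("/tmp/dropper", "net")            # attacker-created file
    s.receive("kbd", b"notes", untrusted=False)
    s.write_file("/home/u/notes.txt", "kbd")       # benign, stays clean
    s.read_file("tmp", "/home/u/report.txt")
    s.write_file("/home/u/derived.txt", "tmp")     # inherits the taint
    return s
```

Running `scenario().recover()` reverts the report from the snapshot, removes the dropped file, and reports only the derived file for review, which is the semi-automated split the paragraph describes.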