Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots

Executive Summary

Honeypots have proven to be an effective tool for capturing computer intrusions (or malware infections) and analyzing the exploitation techniques used. However, forensic analysis of compromised honeypots remains largely an ad hoc, manual process. In this paper, the authors propose Timescope, a system that applies and extends recent advances in deterministic record and replay to high-interaction honeypots to enable extensible, fine-grained forensic analysis. In particular, they propose and implement a number of systematic analysis modules in Timescope, including a contamination graph generator, a transient evidence recoverer, a shellcode extractor and a break-in reconstructor, to facilitate honeypot forensics.

