Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots

Honeypots have proven to be an effective tool to capture computer intrusions (or malware infections) and analyze their exploitation techniques. However, forensic analysis of compromised honeypots is largely an ad-hoc and manual process. In this paper, the authors propose Timescope, a system that applies and extends recent advances in deterministic record and replay to high-interaction honeypots for extensible, fine-grained forensic analysis. In particular, they propose and implement a number of systematic analysis modules in Timescope, including contamination graph generator, transient evidence recoverer, shellcode extractor and break-in reconstructor, to facilitate honeypot forensics.

Provided by: North Carolina State University Topic: Security Date Added: Nov 2011 Format: PDF

Find By Topic