Forensic framework for honeypot analysis
The objective of this research is to evaluate and develop new forensic techniques for use in honeynet environments, in an effort to address areas where anti-forensic techniques defeat current forensic methods. The fields of Computer and Network Security have expanded with time to become inclusive o...
Main Author: | Fairbanks, Kevin D. |
---|---|
Published: | Georgia Institute of Technology, 2010 |
Subjects: | Dentry; TimeKeeper; Ext4; File system forensics; Ext3; Honeypot; Computer crimes Investigation; Computer networks Security measures |
Online Access: | http://hdl.handle.net/1853/33977 |
id | ndltd-GATECH-oai-smartech.gatech.edu-1853-33977 |
---|---|
record_format | oai_dc |
spelling | ndltd-GATECH-oai-smartech.gatech.edu-1853-33977 2013-01-07T20:36:00Z; Forensic framework for honeypot analysis; Fairbanks, Kevin D.; Dentry; TimeKeeper; Ext4; File system forensics; Ext3; Honeypot; Computer crimes Investigation; Computer networks Security measures; (abstract: see description field); Georgia Institute of Technology; 2010-06-10T17:02:23Z; 2010-06-10T17:02:23Z; 2010-04-05; Dissertation; http://hdl.handle.net/1853/33977 |
collection | NDLTD |
sources | NDLTD |
topic | Dentry; TimeKeeper; Ext4; File system forensics; Ext3; Honeypot; Computer crimes Investigation; Computer networks Security measures |
spellingShingle | Dentry; TimeKeeper; Ext4; File system forensics; Ext3; Honeypot; Computer crimes Investigation; Computer networks Security measures; Fairbanks, Kevin D.; Forensic framework for honeypot analysis |
description | The objective of this research is to evaluate and develop new forensic techniques for use in honeynet environments, in an effort to address areas where anti-forensic techniques defeat current forensic methods. The fields of Computer and Network Security have expanded with time to become inclusive of many complex ideas and algorithms. With ease, a student of these fields can fall into the thought pattern of preventive measures as the only major thrust of the topics. It is equally important to be able to determine the cause of a security breach. Thus, the field of Computer Forensics has grown. In this field, there exist toolkits and methods that are used to forensically analyze production and honeypot systems. To counter the toolkits, anti-forensic techniques have been developed. Honeypots and production systems have several intrinsic differences. These differences can be exploited to produce honeypot data sources that are not currently available from production systems. This research seeks to examine possible honeypot data sources and cultivate novel methods to combat anti-forensic techniques. In this document, three parts of a forensic framework are presented which were developed specifically for honeypot and honeynet environments. The first, TimeKeeper, is an inode preservation methodology which utilizes the Ext3 journal. This is followed by an examination of dentry logging, which is primarily used to map inode numbers to filenames in Ext3. The final component presented is the initial research behind a toolkit for the examination of the recently deployed Ext4 file system. Each respective chapter includes the necessary background information and an examination of related work as well as the architecture, design, conceptual prototyping, and results from testing each major framework component. |
author | Fairbanks, Kevin D. |
author_facet | Fairbanks, Kevin D. |
author_sort | Fairbanks, Kevin D. |
title | Forensic framework for honeypot analysis |
title_short | Forensic framework for honeypot analysis |
title_full | Forensic framework for honeypot analysis |
title_fullStr | Forensic framework for honeypot analysis |
title_full_unstemmed | Forensic framework for honeypot analysis |
title_sort | forensic framework for honeypot analysis |
publisher | Georgia Institute of Technology |
publishDate | 2010 |
url | http://hdl.handle.net/1853/33977 |
work_keys_str_mv | AT fairbankskevind forensicframeworkforhoneypotanalysis |
_version_ | 1716475309100892160 |