Process forensics: the crossroads of checkpointing and intrusion detection

The goal of our study was to introduce a new area of computer forensics that we call process forensics. Process forensics involves extracting information from a process's address space for the purpose of finding digital evidence pertaining to a computer crime. The challenge of this subfield is that the address space of a given process has usually been lost long before the forensic investigator analyzes the hard disk and file system of a computer. Our study began with an in-depth look at checkpointing techniques. After surveying the literature and developing our own checkpointing tool, we believe checkpointing technology is the most appropriate method for extracting information from a process's address space. We make the case that an accurate and reliable checkpointing tool provides a new source of evidence for the forensic investigator. We also thoroughly examined the literature and methods for detecting buffer overflow attacks. In addition, we have developed a new method for detecting the most common form of buffer overflow attack, namely the stack-smashing attack. We believe that the boundary where these two areas meet (specifically, incorporating checkpointing with intrusion detection) can readily provide process forensics. Checkpointing technology is well established in process migration, fault tolerance, and load balancing. Furthermore, a plethora of research has already focused on methods for detecting buffer overflow attacks. However, with respect to computer forensics, the gains from incorporating checkpointing with intrusion detection systems have yet to be explored.
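The crossroads the abstract argues for can be shown end to end in a few dozen lines. The following C program is an added illustration, not the authors' checkpointing tool or their stack-smashing detector (the abstract does not describe either). It stands in a hand-placed stack canary for the detection step (the same idea a compiler's stack protector uses, checked manually here so that detection can trigger a checkpoint instead of an abort), and for the checkpoint step it copies the process's own readable anonymous, heap and stack mappings out of /proc/self/mem into a dump file, then searches that dump for a constructed "evidence" token that exists only on the heap. It assumes Linux with /proc, a writable /tmp, and the constructed names `handle_request`, `plant_evidence`, `checkpoint_self`, `snapshot_contains`, `run_demo` and the token string; none of these come from the paper.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CANARY 0xDEADC0DEu

/* Fixed-size frame with a hand-placed canary directly after the buffer,
 * mirroring the layout a compiler stack protector produces. */
struct frame { char buf[16]; uint32_t canary; };

/* Deliberately unchecked copy (the "vulnerable" handler). The copy is capped at
 * sizeof f only so the demo never leaves the struct; a real overflow would keep
 * going into the saved return address. Returns 1 if the canary was clobbered. */
int handle_request(const char *input, size_t len) {
    struct frame f;
    f.canary = CANARY;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    return f.canary != CANARY;
}

/* Constructed "evidence" (assumption): a token assembled at run time so the
 * complete string lives only on the heap, not in the file-backed .rodata. */
char *plant_evidence(void) {
    char *p = malloc(64);
    if (!p) return NULL;
    strcpy(p, "FORENSIC-");
    strcat(p, "TOKEN-7f3a");
    return p;
}

/* Checkpoint the calling process: copy every readable anonymous, [heap] and
 * [stack] mapping listed in /proc/self/maps out of /proc/self/mem into
 * dump_path (mode 0600), each preceded by a one-line REGION header.
 * File-backed mappings are skipped because the files remain on disk; [vdso],
 * [vvar] and [vsyscall] are skipped because they are not readable this way.
 * Returns bytes written, or -1 if /proc is unavailable or I/O fails. */
long checkpoint_self(const char *dump_path) {
    static unsigned char chunk[1 << 16];
    char line[512], perms[8], path[256];
    unsigned long start, end, pos;
    long total = 0;
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    int mem = open("/proc/self/mem", O_RDONLY | O_CLOEXEC);
    int out = open(dump_path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (mem < 0 || out < 0) {
        fclose(maps);
        if (mem >= 0) close(mem);
        if (out >= 0) close(out);
        return -1;
    }
    while (fgets(line, sizeof line, maps)) {
        path[0] = '\0';
        if (sscanf(line, "%lx-%lx %7s %*lx %*s %*u %255s", &start, &end, perms, path) < 3) continue;
        if (perms[0] != 'r') continue;                          /* PROT_NONE / guard region */
        if (path[0] == '/') continue;                           /* file-backed: already on disk */
        if (path[0] == '[' && strcmp(path, "[heap]") && strcmp(path, "[stack]")) continue;
        if (end > (unsigned long)LLONG_MAX || end - start > (64UL << 20)) continue;
        dprintf(out, "REGION %lx-%lx %s %s\n", start, end, perms, path);
        for (pos = start; pos < end; ) {
            size_t want = end - pos;
            if (want > sizeof chunk) want = sizeof chunk;
            ssize_t got = pread(mem, chunk, want, (off_t)pos);
            if (got <= 0) break;                                /* EIO on an unreadable page: stop this region */
            if (write(out, chunk, (size_t)got) != got) { total = -1; goto done; }
            total += got;
            pos += (unsigned long)got;
        }
    }
done:
    fclose(maps); close(mem); close(out);
    return total;
}

/* Load the dump and search it for needle. Returns 1 if found, 0 if not,
 * -1 if the dump cannot be read. */
int snapshot_contains(const char *dump_path, const char *needle) {
    FILE *f = fopen(dump_path, "rb");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long size = ftell(f);
    rewind(f);
    unsigned char *data = size > 0 ? malloc((size_t)size) : NULL;
    if (!data || fread(data, 1, (size_t)size, f) != (size_t)size) { free(data); fclose(f); return -1; }
    fclose(f);
    size_t nlen = strlen(needle);
    int found = 0;
    for (size_t i = 0; nlen && i + nlen <= (size_t)size && !found; i++)
        if (data[i] == (unsigned char)needle[0] && memcmp(data + i, needle, nlen) == 0) found = 1;
    free(data);
    return found;
}

/* Detection feeding checkpointing: when the canary check fires, checkpoint at
 * once so the address space survives. Returns 1 if the attack was detected and
 * the planted token is recoverable from the dump, 0 if it went undetected,
 * -1 if checkpointing was not possible (no /proc). */
int run_demo(const char *dump_path) {
    char attack[24];
    char *token = plant_evidence();
    if (!token) return -1;
    memset(attack, 'A', sizeof attack);                         /* 24 bytes into a 16-byte buffer */
    if (!handle_request(attack, sizeof attack)) { free(token); return 0; }
    if (checkpoint_self(dump_path) < 0) { free(token); return -1; }
    int hit = snapshot_contains(dump_path, token);
    free(token);
    return hit;
}

int main(void) {
    const char *dump = "/tmp/process_forensics_demo.dump";      /* assumed writable path */
    int r = run_demo(dump);
    printf("stack smash detected, token recovered from %s: %s\n", dump,
           r == 1 ? "yes" : r == 0 ? "no (undetected)" : "no (/proc unavailable)");
    return r == 1 ? 0 : 1;
}
```

Two caveats a practitioner would check before relying on this as evidence: the dump is taken by the compromised process itself, so an attacker who already controls execution could tamper with it (an out-of-process checkpoint via ptrace or a kernel facility avoids that), and the REGION headers are the only metadata kept, so register state, open file descriptors and the exact instant of capture must be recorded separately if the dump is to be correlated with other artifacts.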