TimeKeeper: A Metadata Archiving Method for Honeypot Forensics

Internet attacks are becoming more advanced as the economy for cybercrime grows and the tools for evading detection become ubiquitous. To counter this threat, new detection and forensics tools are needed to capture these new techniques. In this paper, we propose a method to extract and analyze a richer set of forensic information from the file system journal of honeypots in spite of anti-forensic tool use. We show initial results from our journal-monitoring prototype, TimeKeeper, on file system activities, and argue that by detecting these events we are able to capture previously unavailable forensic information. This forensic information can then be used for system recovery, research on attack techniques, insight into attacker motives, and criminal investigations.
