Using a virtual security testbed for digital forensic reconstruction

This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis about the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate reconstruction experiments in digital forensics. Two examples are given to demonstrate the approach: one overview example based on the Trojan defense and one detailed example of a multi-step attack. Although a reconstruction can neither prove a hypothesis with absolute certainty nor exclude the correctness of other hypotheses, a standardized environment such as ViSe, combined with event reconstruction and testing, can lend credibility to an investigation and can be a great asset in court.
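As an added illustration, not code from the paper or from ViSe itself, the following toy Python model shows the event-chain replay the abstract describes: each hypothesis is an ordered chain of events, replaying it on a clean host yields the artifacts that host would carry, and those artifacts are compared with the evidence recovered from the seized system, here for a Trojan-defense scenario. All event names, file paths and log lines are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class State:
    """Snapshot of the artifacts a testbed host carries after an event chain."""
    files: Set[str] = field(default_factory=set)
    log: Set[str] = field(default_factory=set)

Event = Callable[[State], None]

# Constructed events standing in for actions replayed on the testbed.
def user_downloads_tool(s: State) -> None:
    s.files.add("/home/alice/attack_tool")
    s.log.add("browser: GET attack_tool")

def user_runs_tool(s: State) -> None:
    s.log.add("shell: exec attack_tool")

def trojan_installs(s: State) -> None:
    s.files.add("/tmp/.t")
    s.log.add("trojan: start")

def trojan_fetches_and_runs_tool(s: State) -> None:
    s.files.add("/home/alice/attack_tool")
    s.log.add("trojan: exec attack_tool")

def replay(chain: List[Event]) -> State:
    """Apply the hypothesised events in order, starting from a clean host."""
    s = State()
    for ev in chain:
        ev(s)
    return s

def evaluate(chain: List[Event], evidence: State) -> Dict[str, object]:
    """A hypothesis is supported only if it reproduces every recovered artifact;
    artifacts it predicts that were never found are reported as a caveat."""
    s = replay(chain)
    unexplained = (evidence.files - s.files) | (evidence.log - s.log)
    predicted_absent = (s.files - evidence.files) | (s.log - evidence.log)
    return {"supported": not unexplained,
            "unexplained_evidence": unexplained,
            "predicted_but_absent": predicted_absent}

# Constructed evidence recovered from the seized machine, and two hypotheses.
EVIDENCE = State(files={"/home/alice/attack_tool"}, log={"shell: exec attack_tool"})
USER_HYPOTHESIS = [user_downloads_tool, user_runs_tool]
TROJAN_HYPOTHESIS = [trojan_installs, trojan_fetches_and_runs_tool]
```

Run `evaluate(chain, EVIDENCE)` for each hypothesis: the user chain reproduces every recovered artifact (supported, though not proven), while the Trojan chain leaves the shell log entry unexplained and predicts a dropper file that was never found.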
