Toward Models for Forensic Analysis

Existing solutions in the field of computer forensics are largely ad hoc. This paper discusses the need for a rigorous model of forensics and outlines the qualities that such a model should possess. It presents an overview of a forensic model and an example of applying the model to a real-world, multi-stage attack. We show how using the model allows forensic analysis to proceed from a much smaller amount of carefully selected, highly useful data than would be needed without the model.
