Client honeypots can be used to identify malicious web servers that attack web browsers and push malware to client machines. Merely recording network traffic is insufficient to perform comprehensive forensic analyses of such attacks. Custom tools are required to access and analyze network protocol data. Moreover, specialized methods are required to perform a behavioral analysis of an attack, which helps determine exactly what transpired on the attacked system. This paper proposes a record/replay mechanism that enables forensic investigators to extract application data from recorded network streams and allows applications to interact with this data in order to conduct behavioral analyses. Implementations for the HTTP and DNS protocols are presented and their utility in network forensic investigations is demonstrated.
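The record/replay idea the abstract describes, as an added example that is not the paper's own code: the record side parses a captured HTTP response stream into application data (status, headers, body), and the replay side serves that data back to a real HTTP client so the application under analysis interacts with the recorded server behaviour rather than with a live attacker. The recorded bytes and the `/index.html` path are constructed for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import threading
import urllib.request

# Constructed sample of the server-side bytes a client honeypot recorded.
RECORDED_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 40\r\n"
    b"Set-Cookie: sid=abc123\r\n\r\n"
    b"<html><script>alert('x')</script></html>"
)

def parse_http_response(raw: bytes) -> dict:
    # Record side: split a raw HTTP response into status, headers and body.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _version, status, reason = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode().strip().lower()] = value.decode().strip()
    length = int(headers.get("content-length", len(body)))
    return {"status": int(status), "reason": reason.decode(),
            "headers": headers, "body": body[:length]}

class ReplayHandler(BaseHTTPRequestHandler):
    recordings = {}  # request path -> parsed recorded response

    def do_GET(self):  # replay side: hand the client exactly what was recorded
        rec = self.recordings.get(self.path)
        if rec is None:
            self.send_error(404, "no recording for this path")
            return
        self.send_response(rec["status"], rec["reason"])
        for name, value in rec["headers"].items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(rec["body"])

def replay_session(recordings: dict, path: str) -> dict:
    # Serve recordings on an ephemeral loopback port and fetch one with a real client.
    ReplayHandler.recordings = recordings
    server = HTTPServer(("127.0.0.1", 0), ReplayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urllib.request.urlopen(
                f"http://127.0.0.1:{server.server_port}{path}") as resp:
            return {"status": resp.status, "body": resp.read(),
                    "cookie": resp.headers.get("Set-Cookie")}
    finally:
        server.shutdown(); server.server_close()
```

In a real investigation the replay server would be keyed on the full request (method, host, path) and a browser pointed at it through a proxy, so its behaviour on the recorded content can be observed without contacting the original malicious server.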