Honeypot Forensics, Part II: Analyzing the Compromised Host

Although flows are an effective method for monitoring honeypots in real time, they are not sufficient if we want to learn more about the intruder. To accomplish this goal, we must investigate the compromised host itself. In this article, we show how to build two timelines of events: one from network clues and the other from what the host tells us. We can then merge these timelines and answer additional questions.
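As an added example (not code from the original article), the merge step described above in Python: constructed flow records and host filesystem events are parsed into one sorted timeline, host timestamps are shifted by an assumed clock-skew value measured against the sensor, and the merged view is queried for the last connection seen before a given file changed. The record formats, addresses, paths and times are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sensor flow records (sensor clock, UTC): start,end,proto,src,sport,dst,dport
FLOWS = """\
2004-01-10 03:12:05,2004-01-10 03:12:06,tcp,192.0.2.7,40123,198.51.100.5,22
2004-01-10 03:14:40,2004-01-10 03:14:55,tcp,198.51.100.5,33012,192.0.2.7,80
2004-01-10 03:20:01,2004-01-10 03:20:02,tcp,192.0.2.7,40500,198.51.100.5,22
"""
# Constructed host filesystem events (host clock): timestamp,event,path
HOST = """\
2004-01-10 03:16:01,created,/tmp/.x/rk.tgz
2004-01-10 03:16:09,modified,/etc/passwd
2004-01-10 03:21:30,modified,/var/log/wtmp
"""

def parse_flows(text):
    """Each flow's start time becomes a 'net' event on the timeline."""
    events = []
    for line in text.splitlines():
        start, _end, proto, src, sport, dst, dport = line.split(",")
        ts = datetime.strptime(start, FMT).replace(tzinfo=timezone.utc)
        events.append((ts, "net", f"{proto} {src}:{sport} -> {dst}:{dport}"))
    return events

def parse_host(text, skew_seconds=0):
    """Host events, shifted by the host clock's offset from the sensor clock (assumed measured)."""
    events = []
    for line in text.splitlines():
        stamp, kind, path = line.split(",")
        ts = datetime.strptime(stamp, FMT).replace(tzinfo=timezone.utc)
        events.append((ts - timedelta(seconds=skew_seconds), "host", f"{kind} {path}"))
    return events

def merge_timelines(*timelines):
    """One chronological view over both sources (stable sort keeps same-second order)."""
    return sorted([e for t in timelines for e in t], key=lambda e: e[0])

def preceding_flow(timeline, path):
    """Answer 'which connection was the last one seen before this file changed?'."""
    last_net = None
    for _ts, source, detail in timeline:
        if source == "net":
            last_net = detail
        elif detail.endswith(" " + path):
            return last_net

if __name__ == "__main__":
    for ts, src, detail in merge_timelines(parse_flows(FLOWS), parse_host(HOST)):
        print(ts.strftime(FMT), src.ljust(4), detail)
```

With a non-zero skew the same host events move relative to the flows, which is why the offset must be established before any "what happened just before" question is answered.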