Towards More Trustable Log Files for Digital Forensics by Means of “Trusted Computing”

Trustable log data is essential in digital forensic investigations in order to allow reliable reconstruction of events. Existing solutions do not provide adequate protection, exposing the log-producing application to software-based attacks. In this paper we provide a solution based on Trusted Computing using a Trusted Platform Module (TPM) and AMD’s Secure Virtual Machine technology (SVM). While current solutions only protect against manipulation of existing logs, we go one step further by establishing hardware-based trust in the log-producing application. Our solution ensures confidentiality, integrity and non-repudiation during creation, storage and transmission of log data.
