A Method for Historical Ext3 Inode to Filename Translation on Honeypots

In an environment where computer compromises are no longer anomalies but frequent occurrences, the field of computer forensics has gained increasing importance. The development of this forensic field is matched by a growth in anti-forensic techniques. To overcome the potential difficulties of relying on external applications, operating systems should themselves contain methods for storing and protecting meaningful information. The Linux Ext3 journal is one source of information that should be fully utilized, both for its intended purpose and for forensics. However, because of its limited size and circular nature, this source of information has restrictions that the operating system can address. For example, when collecting and examining Ext3 journal data, it can be difficult to determine which filename an inode number was associated with at the time of a journaled operation, since inode numbers are reused once a file is unlinked and a lookup against the live filesystem only reveals the current owner of that number. In this paper, the design of a method for honeypots is presented which takes advantage of the Virtual File System layer in Linux to address this difficulty. This technique allows inode numbers to be translated to filenames in a historical context, giving a forensic analyst a better picture of what has transpired.
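The translation problem the abstract describes can be illustrated with a small model of what a VFS-layer hook would record. The following is an added example, not the paper's implementation: the log line format (`ts= op= ino= path=`), the event names `create`, `rename` and `unlink`, and the sample entries are all constructed assumptions. Given such a log, an inode number taken from a journal transaction can be resolved to the name it carried at the transaction's commit time, which is what a current-state lookup such as `find -inum` cannot do once the inode has been freed and reallocated.

```python
"""Historical ext3 inode -> filename translation over a constructed VFS event log.

Added example; not the paper's code. The record layout and the op names are
assumptions standing in for whatever a VFS-layer hook would actually emit.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VfsEvent:
    ts: int      # time the VFS operation completed (assumed monotonic seconds)
    op: str      # "create" | "rename" | "unlink"  (assumed vocabulary)
    inode: int   # ext3 inode number; reused by the allocator after unlink
    path: str    # full path after the operation; empty for unlink


def parse_log_line(line: str) -> VfsEvent:
    """Parse one 'ts=.. op=.. ino=.. path=..' record (path is last, may contain spaces)."""
    fields = {}
    for tok in line.strip().split(" ", 3):
        key, _, value = tok.partition("=")
        fields[key] = value
    return VfsEvent(int(fields["ts"]), fields["op"], int(fields["ino"]), fields.get("path", ""))


# Constructed log: inode 1234 is first allocated to a file the intruder plants,
# renamed into a system library path, unlinked, and then reallocated by the
# filesystem to an unrelated log file. Inode 5678 is a separate file.
SAMPLE_LOG_TEXT = """\
ts=100 op=create ino=1234 path=/tmp/.x/kit.so
ts=105 op=rename ino=1234 path=/lib/libproc.so.0
ts=120 op=unlink ino=1234
ts=130 op=create ino=1234 path=/var/log/messages.1
ts=131 op=create ino=5678 path=/etc/ld.so.preload
"""
SAMPLE_LOG: List[VfsEvent] = [parse_log_line(l) for l in SAMPLE_LOG_TEXT.splitlines() if l]


def resolve(log: List[VfsEvent], inode: int, at: int) -> Optional[str]:
    """Name that `inode` referred to at time `at` (inclusive), or None if unallocated.

    `at` would come from the journal transaction being examined; every VFS
    event up to that instant is replayed for this inode only.
    """
    name: Optional[str] = None
    for ev in sorted(log, key=lambda e: e.ts):
        if ev.ts > at:
            break
        if ev.inode != inode:
            continue
        if ev.op in ("create", "rename"):
            name = ev.path
        elif ev.op == "unlink":
            name = None
    return name


def current_name(log: List[VfsEvent], inode: int) -> Optional[str]:
    """What a live-filesystem lookup would report: the mapping as of the last event."""
    return resolve(log, inode, at=max(e.ts for e in log))


def history(log: List[VfsEvent], inode: int) -> List[Tuple[str, int, Optional[int]]]:
    """Every name the inode held, as (path, first_seen, last_seen_or_None) intervals."""
    out: List[Tuple[str, int, Optional[int]]] = []
    for ev in sorted(log, key=lambda e: e.ts):
        if ev.inode != inode:
            continue
        if out and out[-1][2] is None:          # close the open interval
            out[-1] = (out[-1][0], out[-1][1], ev.ts)
        if ev.op in ("create", "rename"):
            out.append((ev.path, ev.ts, None))
    return out


if __name__ == "__main__":
    # A journal transaction at ts=110 touching inode 1234 refers to the planted
    # library, not to the log file the inode number currently belongs to.
    print("journal ts=110, ino 1234 ->", resolve(SAMPLE_LOG, 1234, 110))
    print("live lookup,    ino 1234 ->", current_name(SAMPLE_LOG, 1234))
    for path, start, end in history(SAMPLE_LOG, 1234):
        print(f"  {path!s:24} [{start}, {end})")
```

Replaying the log only up to the transaction's commit time is what makes the answer historical: the same inode number yields `/lib/libproc.so.0` for a transaction committed at 110, nothing at all for one committed at 125, and `/var/log/messages.1` afterwards. The in-kernel approach the abstract proposes exists precisely so that this event stream survives after the circular journal has wrapped and after the intruder has unlinked the file.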
