Digital Forensic Reconstruction and the Virtual Security Testbed ViSe

  • André Årnes
  • Paul Haas
  • Giovanni Vigna
  • Richard A. Kemmerer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4064)


This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis of the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate forensic testing of a digital crime using minimal resources. Although a reconstruction can neither prove a hypothesis with absolute certainty, nor exclude the correctness of other hypotheses, a standardized environment, such as ViSe, combined with event reconstruction and testing, can lend credibility to an investigation and can be a great asset in court.
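The abstract's workflow (hypothesis, event chain, replay, compare against evidence, support or refute) can be made concrete. The following is an added illustration written for this page, not code from ViSe or its authors; the event primitives, the baseline guest state and the "seized" evidence are all constructed and hypothetical, and it also shows the abstract's caveat that a replay cannot exclude every competing hypothesis.

```python
from hashlib import sha256

def baseline():
    """Fresh guest state: file path -> content, plus an audit log (constructed)."""
    return {"files": {"/etc/passwd": "root:x:0:0"}, "log": ["boot"]}

# Event primitives (hypothetical, abstract). Each mutates the replayed guest state.
def ev_upload(st):  st["files"]["/var/www/u.php"] = "uploaded"; st["log"].append("POST /upload")
def ev_persist(st): st["files"]["/etc/cron.d/job"] = "cronjob"; st["log"].append("cron write")
def ev_wipe(st):    st["log"].clear()

def replay(chain):
    """Replay an event chain on a clean baseline and return the resulting state."""
    st = baseline()
    for ev in chain:
        ev(st)
    return st

def fingerprint(st):
    """Hash every file so a replayed state can be compared with seized artifacts."""
    return {p: sha256(c.encode()).hexdigest()[:12] for p, c in st["files"].items()}

def consistent(st, evidence):
    """A hypothesis is supported only if every seized artifact matches the replay.
    A missing log (None) cannot refute anything, which is the point of the caveat."""
    fp = fingerprint(st)
    files_ok = all(fp.get(p) == h for p, h in evidence["files"].items())
    log_ok = evidence["log"] is None or st["log"] == evidence["log"]
    return files_ok and log_ok

# Candidate reconstructions of the incident, each an ordered event chain.
HYPOTHESES = {
    "H1 web upload -> cron":         [ev_upload, ev_persist],
    "H2 local cron -> log wipe":     [ev_persist, ev_wipe],
    "H3 web upload -> cron -> wipe": [ev_upload, ev_persist, ev_wipe],
}

def evaluate(evidence):
    """Replay every hypothesis and report which ones the evidence supports."""
    return {name: consistent(replay(chain), evidence) for name, chain in HYPOTHESES.items()}

# Constructed "seized" evidence: file hashes from the compromised guest, audit log lost.
SEIZED = {"files": fingerprint(replay([ev_upload, ev_persist])), "log": None}

if __name__ == "__main__":
    for name, supported in evaluate(SEIZED).items():
        print(f"{name}: {'supported' if supported else 'refuted'}")
```

With the log missing, H1 and H3 both survive; only when the recovered log is added to the evidence can H3 be refuted, which is what "cannot exclude the correctness of other hypotheses" means in practice.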






Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • André Årnes (1)
  • Paul Haas (2)
  • Giovanni Vigna (2)
  • Richard A. Kemmerer (2)
  1. Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University of Science and Technology, Trondheim, Norway
  2. Department of Computer Science, University of California Santa Barbara, Santa Barbara, USA
