
An Efficient Forensic Evidence Collection Scheme of Host Infringement at the Occurrence Time

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4296)

Abstract

Computer forensics is a research area that identifies malicious users by collecting and analyzing the intrusion or infringement evidence of computer crimes such as hacking. Much research on computer forensics has been done so far, but it has focused on how to collect forensic evidence for analysis and proof only after intrusion or infringement reports about hosts have been received from computer users or network administrators. In this paper, we describe how to selectively collect forensic evidence of good quality from observable and protected hosts at the time the infringement by malicious users occurs. By periodically correlating the event logs of Intrusion Detection Systems (IDSes) and hosts with the configuration information of the hosts, we calculate an infringement severity value that reflects the real possibility that a host has been compromised. Based on this severity value, we selectively collect evidence for proof at the time the infringement occurs. As a result, we show that we can minimize the loss of evidential information needed for both analysis and proof, and reduce the amount of data used to analyze the degree of infringement severity.
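The abstract describes the scheme only in outline: IDS alerts and host event logs are correlated against the host's known configuration, a severity value is computed, and evidence is collected only for hosts whose severity indicates a real compromise. The following is an added illustration of that flow, not code from the paper or its authors. The paper does not publish its severity formula, so the weights, the 5-minute correlation window, the threshold, the event types, the artefact names and all sample alerts and host events below are constructed assumptions; the one design point it does reflect is that an alert against a port where the host actually runs a service counts for more than an alert against a closed port, and that host-side events shortly after an alert corroborate it.

```python
from datetime import datetime, timedelta

# --- Constructed sample inputs (illustrative, not from the paper) ---------
HOST_CONFIG = {
    # host -> services actually listening, as learned from a periodic configuration poll
    "web01": {"listening": {22: "sshd", 80: "httpd"}},
    "db01": {"listening": {22: "sshd", 3306: "mysqld"}},
}

IDS_ALERTS = [
    # (timestamp, destination host, destination port, signature, priority 1=high .. 3=low)
    ("2006-11-30T02:10:05", "web01", 80, "WEB-ATTACKS /bin/sh in URI", 1),
    ("2006-11-30T02:10:40", "web01", 8080, "SCAN probe on closed port", 3),
    ("2006-11-30T02:12:00", "db01", 3306, "MYSQL root login attempt", 2),
]

HOST_EVENTS = [
    # (timestamp, host, event type as emitted by a host-side monitor)
    ("2006-11-30T02:10:30", "web01", "new_listening_socket"),
    ("2006-11-30T02:11:10", "web01", "suid_binary_created"),
    ("2006-11-30T02:12:30", "db01", "auth_failure"),
]

# --- Assumed scoring parameters (the paper's real weights are not given) ---
PRIORITY_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}
EXPOSED_FACTOR, UNEXPOSED_FACTOR = 2.0, 0.25   # alert hits a live service vs. a closed port
EVENT_WEIGHT = {"new_listening_socket": 2.0, "suid_binary_created": 3.0, "auth_failure": 1.0}
EVENT_EVIDENCE = {                              # which artefact each corroborating event asks for
    "new_listening_socket": "listening_sockets_snapshot",
    "suid_binary_created": "setuid_file_inventory",
    "auth_failure": "auth_log_excerpt",
}
WINDOW = timedelta(minutes=5)   # host events this long after an alert count as corroboration
THRESHOLD = 6.0                 # severity at or above which evidence is collected


def infringement_severity(host, config, alerts, events, window=WINDOW):
    """Return (severity, corroborating_event_types) for one host.

    Severity = sum over the host's IDS alerts of priority weight x exposure factor,
    plus the weight of every host event that falls inside the window after some alert.
    """
    listening = config[host]["listening"]
    host_alerts = [a for a in alerts if a[1] == host]
    score = 0.0
    for _, _, port, _, prio in host_alerts:
        factor = EXPOSED_FACTOR if port in listening else UNEXPOSED_FACTOR
        score += PRIORITY_WEIGHT[prio] * factor
    corroborating = []
    for ts, ev_host, ev_type in sorted(events):          # ISO timestamps sort chronologically
        if ev_host != host:
            continue
        t = datetime.fromisoformat(ts)
        in_window = any(
            0 <= (t - datetime.fromisoformat(a[0])).total_seconds() <= window.total_seconds()
            for a in host_alerts
        )
        if in_window:
            score += EVENT_WEIGHT.get(ev_type, 0.0)
            corroborating.append(ev_type)
    return score, corroborating


def evidence_plan(host, config, alerts, events, threshold=THRESHOLD):
    """Return the ordered artefact list to collect now, or [] if the host is below threshold."""
    score, corroborating = infringement_severity(host, config, alerts, events)
    if score < threshold:
        return []
    plan = ["process_list", "network_connections", "logged_in_users"]   # volatile state first
    for ev_type in corroborating:
        artefact = EVENT_EVIDENCE.get(ev_type)
        if artefact and artefact not in plan:
            plan.append(artefact)
    return plan


if __name__ == "__main__":
    for h in HOST_CONFIG:
        s, c = infringement_severity(h, HOST_CONFIG, IDS_ALERTS, HOST_EVENTS)
        print(f"{h}: severity={s:.2f} corroborated_by={c} "
              f"collect={evidence_plan(h, HOST_CONFIG, IDS_ALERTS, HOST_EVENTS)}")
```

With the constructed inputs, web01 scores 11.25 (a high-priority alert against its live web service, corroborated by a new listening socket and a new setuid binary) and gets a collection plan, while db01 scores 5.0 (one medium alert and a single failed login) and stays below the threshold, so no evidence is pulled from it. The ordering of the plan puts volatile state first, which is the part that would be lost if collection waited for a later report.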

This research was supported by the University IT Research Center Project.



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Choi, YH. et al. (2006). An Efficient Forensic Evidence Collection Scheme of Host Infringement at the Occurrence Time. In: Rhee, M.S., Lee, B. (eds) Information Security and Cryptology – ICISC 2006. ICISC 2006. Lecture Notes in Computer Science, vol 4296. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11927587_18


  • DOI: https://doi.org/10.1007/11927587_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-49112-5

  • Online ISBN: 978-3-540-49114-9

  • eBook Packages: Computer Science (R0)
