Backtracking intrusions

King, Samuel T.; Chen, Peter M.

doi:10.1145/1047915.1047918

Cited by 145 publications

(139 citation statements)

References 9 publications

Supporting

Mentioning

138

Contrasting

Unclassified

Order By: Relevance

“…Related work in forensics includes Backtracker [21], a tool to identify the events leading to a malicious file operation. Backtracker tracks all system calls through virtualization or kernel introspection and displays a graph of the relevant events.…”

Section: Forensicsmentioning

confidence: 99%

“…None of those approaches consider easy secure deletion for content that is replicated across different files. To identify files with shared content, previous work has studied information flow [8,21], file provenance [20,36] and causality between files [24]. However, these works were application [20,43] or operating-system specific [36] and required modification of existing systems [13,24,25] or virtualization [16,21].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Assisted deletion of related content

Ritzdorf

Karapanos

Čapkun

2014

Proceedings of the 30th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

On primary storage systems content is often replicated, converted or modified, and the users quickly lose control over its dispersal on the system. Deleting content related to a particular project from the system therefore becomes a labor-intensive task for the user. In this paper we present IRCUS, a system that assists the user in securely removing project-related content, but does not require changes to the user's behavior or to any of the system components, such as the file system, kernel or applications. IRCUS transparently integrates within the user's system, operates in user-space and stores the resulting metadata alongside the files. We implemented and evaluated our system and show that its overhead and accuracy are acceptable for practical use and deployment.

show abstract

Section: Forensicsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Assisted deletion of related content

Ritzdorf

Karapanos

Čapkun

2014

Proceedings of the 30th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…Two tools, BSM (Basic Security Module) [16] and BackTracker [9], gather enhanced data that is useful for forensic analysis, and both must be installed and running on a system before the events to be analyzed occur. The perspective gained from pre-instailation is what gives them an advantage over other tools, though they are usually not used until it is too late, as was the case on the machine in our example intrusion.…”

Section: The Current Problems With Foren-sics 21 Principle 1: Considmentioning

confidence: 99%

Principles-driven forensic analysis

Peisert

Karin

Bishop

et al. 2005

Proceedings of the 2005 Workshop on New Security Paradigms - NSPW '05

View full text Add to dashboard Cite

It is possible to enhance our understanding of what has happened on a computer system by using forensic techniques that do not require prediction of the nature of the attack, the skill of the attacker, or the details of the system resources or objects affected. These techniques address five fundamental principles of computer forensics. These principles include recording data about the entire operating system, particularly user space events and environments, and interpreting events at different layers of abstraction, aided by the context in which they occurred. They also deal with modeling the recorded data as a multi-resolution, finite state machine so that results can be established to a high degree of certainty rather than merely inferred.

show abstract

“…Most often the image of the hard disk is the only evidence available to the investigators. In the presence of such limited information, event reconstruction often becomes a tedious and highly inaccurate effort (King and Chen, 2003).…”

Section: Introductionmentioning

confidence: 99%

“…However, the reconstruction process in cases of incidents typified by examples one and three (commonly referred to as operational forensic analysis or intrusion analysis (King and Chen, 2003) as opposed to prosecutorial forensic analysis in the case of example two) can often leverage the presence of additional evidence in the form of audit logs. In the past few years, many researchers have developed automated reconstruction systems that rely on a priori audit logging to help the reconstruction effort.…”

Section: Introductionmentioning

confidence: 99%

An empirical study of automatic event reconstruction systems

Jeyaraman

Atallah

2006

Digital Investigation

View full text Add to dashboard Cite

a b s t r a c tReconstructing the sequence of computer events that led to a particular event is an essential part of the digital investigation process. The ability to quantify the accuracy of automatic event reconstruction systems is an essential step in standardizing the digital investigation process thereby making it resilient to tactics such as the Trojan horse defense. In this paper, we present findings from an empirical study to measure and compare the accuracy and effectiveness of a suite of such event reconstruction techniques. We quantify (as applicable) the rates of false positives and false negatives, and scalability in terms of both computational burden and memory-usage. Some of our findings are quite surprising in the sense of not matching a priori expectations, and whereas other findings qualitatively match the a priori expectations they were never before quantitatively put to the test to determine the boundaries of their applicability. For example, our results show that automatic event reconstruction systems proposed in literature have very high false-positive rates (up to 96%).

show abstract

Backtracking intrusions

Cited by 145 publications

References 9 publications

Assisted deletion of related content

Assisted deletion of related content

Principles-driven forensic analysis

An empirical study of automatic event reconstruction systems

Contact Info

Product

Resources

About