• DocumentCode
    2933331
  • Title
    Holmes: A data theft forensic framework
  • Author
    Masti, Ramya Jayaram ; Lenders, Vincent ; Strasser, Mario ; Engel, Stefan ; Plattner, Bernhard

  • Author_Institution
    ETH Zurich, Zurich, Switzerland
  • fYear
    2011
  • fDate
    Nov. 29 2011-Dec. 2 2011
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    This paper presents Holmes, a forensic framework for postmortem investigation of data theft incidents in enterprise networks. Holmes pro-actively collects potential evidence from hosts and the network for correlation analysis at a central location. In order to optimize the storage requirements for the collected data, Holmes relies on compact network and host data structures. We evaluate the theoretical storage requirements of Holmes in average networks and quantify the improvements compared to raw data collection alternatives. Finally, we present the application of Holmes to two realistic data theft investigation scenarios and discuss how combining network and host data can improve the efficiency and reliability of these investigations.
  • Keywords
    computer forensics; computer network security; correlation methods; Holmes; correlation analysis; data theft forensic framework; data theft incident postmortem investigation; enterprise networks; storage requirements; Data structures; Forensics; IP networks; Memory management; Operating systems; Payloads; Servers
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Forensics and Security (WIFS), 2011 IEEE International Workshop on
  • Conference_Location
    Iguacu Falls
  • Print_ISBN
    978-1-4577-1017-9
  • Electronic_ISBN
    978-1-4577-1018-6
  • Type
    conf

  • DOI
    10.1109/WIFS.2011.6123144
  • Filename
    6123144