DocumentCode
551538
Title
IR4CF: A intrusion replay system for computer forensics
Author
Xu, Lei ; Tian, Zhihong ; Ye, Jianwei ; Zhang, HongLi
Author_Institution
Res. Center of Comput. Network & Inf. Security Technol., Harbin Instn. of Technol., Harbin, China
Volume
1
fYear
2011
fDate
20-21 Aug. 2011
Firstpage
66
Lastpage
69
Abstract
When computer intrusions occur, one of the most costly, time-consuming, and human-intensive tasks is to analyse the compromised system and collect evidence from it. We present IR4CF, a system-call-based intrusion replay system that supports computer forensics. IR4CF uses three key mechanisms to improve the accuracy and reduce the human overhead of forensic analysis. First, it streams kernel event information in real time to append-only storage on a separate, hardened logging machine, making the system resilient to a wide variety of attacks. Second, it uses system-call hijacking to perform comprehensive monitoring of the target system's execution at the kernel event level, giving a high-resolution, application-independent view of all activity. Third, it analyses and replays the intrusion actions dynamically, so that the replay can be used as evidence in a court of law.
Keywords
computer forensics; operating system kernels; system monitoring; IR4CF; append-only storage; computer forensics; intrusion replay system; kernel event information; logging machine; system-call hijacking technology; target system monitoring; Computers; File systems; Forensics; Kernel; Linux; Registers; Auditing; Forensics; Intrusion replay;
fLanguage
English
Publisher
ieee
Conference_Titel
Computing, Control and Industrial Engineering (CCIE), 2011 IEEE 2nd International Conference on
Conference_Location
Wuhan
Print_ISBN
978-1-4244-9599-3
Type
conf
DOI
10.1109/CCIENG.2011.6007958
Filename
6007958