DocumentCode :
3307845
Title :
Honeypot forensics
Author :
Raynal, Frederic ; Berthier, Yann ; Biondi, Philippe ; Kaminsky, Daniell
Author_Institution :
MISC Magazine, Paris, France
fYear :
2004
fDate :
10-11 June 2004
Firstpage :
22
Lastpage :
29
Abstract :
The deployment of low-interaction honeypots, used mainly as deception tools, has become more and more common. Another interesting but more resource- and time-consuming playground is offered by high-interaction honeypots, where a blackhat can connect to the system and download, install and execute his own tools in a less constrained environment. Once caught in the honeypot, the blackhat leaves many fingerprints behind: network activity (information-gathering scans, IRC chats, mail, etc.) and system activity (what he did on the system, which tools he used, etc.). The aim of honeypot forensics is to identify these fingerprints as part of the evidence-gathering process. We present a methodology that helps the analyst achieve this goal. The first step is to analyze the honeypot's ingress and egress network traffic. The second is to look at the actions performed by the blackhat and the tools he used on the honeypot. The third step is to correlate these data: network and system events are joined to identify common events or patterns, and also to highlight unexplained items and focus on them.
Keywords :
security of data; telecommunication security; telecommunication traffic; egress network traffic; evidence gathering process; fingerprint identification; honeypot forensics; network event; system event; Event detection; Fingerprint recognition; Forensics; Humans; IP networks; Local area networks; Marine animals; Postal services; Telecommunication traffic; Wireless networks;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC
Print_ISBN :
0-7803-8572-1
Type :
conf
DOI :
10.1109/IAW.2004.1437793
Filename :
1437793