Title :
IR4CF: A intrusion replay system for computer forensics
Author :
Xu, Lei ; Tian, Zhihong ; Ye, Jianwei ; Zhang, HongLi
Author_Institution :
Res. Center of Comput. Network & Inf. Security Technol., Harbin Instn. of Technol., Harbin, China
Abstract :
When a computer intrusion occurs, one of the most costly, time-consuming, and labour-intensive tasks is analysing the compromised system and collecting evidence from it. This paper presents IR4CF, a system-call-based intrusion replay system that supports computer forensics. IR4CF uses three key mechanisms to improve the accuracy and reduce the human overhead of forensic analysis. First, it streams kernel event information in real time to append-only storage on a separate, hardened logging machine, so that the record survives a wide variety of attacks on the monitored host. Second, it uses system-call hijacking to monitor the execution of the target system comprehensively at the kernel event level, giving a high-resolution, application-independent view of all activity. Third, it analyses and dynamically replays the intrusion actions, so that the reconstruction can be used as evidence in a court of law.
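As an added illustration of the three mechanisms the abstract describes (this is not code from the paper, whose implementation is a Linux kernel system-call hijacking module): a Python sketch in which a constructed stream of kernel events from a monitored host is written to a hash-chained append-only log standing in for the remote logging machine, the log is verified, and the intrusion is replayed as a process tree with each process's actions. The event record layout, the field names, the sample intrusion (an sshd child spawning a shell that reads /etc/shadow, fetches a file and deletes a log) and the IP address are all assumptions made for the example.

```python
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # digest the first record chains to

# Constructed sample of kernel-level events for a hypothetical intrusion.
# Not data from the paper; the field layout is an assumption of this example.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1,   "syscall": "execve",  "args": ["/usr/sbin/sshd"]},
    {"ts": 2, "pid": 200, "ppid": 100, "syscall": "execve",  "args": ["/bin/sh"]},
    {"ts": 3, "pid": 200, "ppid": 100, "syscall": "open",    "args": ["/etc/shadow", "O_RDONLY"]},
    {"ts": 4, "pid": 201, "ppid": 200, "syscall": "execve",  "args": ["/usr/bin/wget", "http://198.51.100.7/x"]},
    {"ts": 5, "pid": 201, "ppid": 200, "syscall": "connect", "args": ["198.51.100.7:80"]},
    {"ts": 6, "pid": 201, "ppid": 200, "syscall": "open",    "args": ["/tmp/x", "O_WRONLY|O_CREAT"]},
    {"ts": 7, "pid": 200, "ppid": 100, "syscall": "unlink",  "args": ["/var/log/auth.log"]},
]


class AppendOnlyLog:
    """Hash-chained append-only store standing in for the separate logging host.

    Each record commits to the digest of the previous one, so an attacker who
    later reaches the log cannot edit or drop an entry in the middle without
    breaking verification from that point on.
    """

    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["digest"] if self.records else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"prev": prev, "body": body, "digest": digest})

    def verify(self):
        prev = GENESIS
        for rec in self.records:
            expected = hashlib.sha256((prev + rec["body"]).encode()).hexdigest()
            if rec["prev"] != prev or rec["digest"] != expected:
                return False
            prev = rec["digest"]
        return True

    def events(self):
        return [json.loads(rec["body"]) for rec in self.records]


def stream_events(events):
    """Simulate the monitored host shipping each kernel event as it occurs."""
    log = AppendOnlyLog()
    for ev in events:
        log.append(ev)
    return log


def replay(log):
    """Rebuild the process tree and per-process action list from the log.

    Returns (parent, image, actions): parent maps pid -> ppid, image maps
    pid -> the program last execve'd by that pid, and actions maps pid -> the
    ordered (ts, syscall, args) tuples an analyst steps through.
    """
    parent, image, actions = {}, {}, defaultdict(list)
    for ev in sorted(log.events(), key=lambda e: e["ts"]):
        pid = ev["pid"]
        parent.setdefault(pid, ev["ppid"])
        if ev["syscall"] == "execve":
            image[pid] = ev["args"][0]
        actions[pid].append((ev["ts"], ev["syscall"], tuple(ev["args"])))
    return parent, image, dict(actions)


def ancestry(parent, pid):
    """Walk a pid back to the root so the replay shows how an action was reached."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def suspicious(log):
    """Forensic query over the replayed log: actions that read credential files,
    delete logs or reach the network, each with the chain of images that led to it."""
    parent, image, actions = replay(log)
    hits = []
    for pid, acts in actions.items():
        for ts, call, args in acts:
            if call in ("unlink", "connect") or (call == "open" and args[0] == "/etc/shadow"):
                hits.append((ts, call, args[0], [image.get(p, "?") for p in ancestry(parent, pid)]))
    return sorted(hits)


if __name__ == "__main__":
    log = stream_events(SAMPLE_EVENTS)
    print("log intact:", log.verify())
    for ts, call, target, chain in suspicious(log):
        print(f"t={ts} {call} {target}  via {' <- '.join(chain)}")
```

The chain detects modification or removal of any record that has a successor, which is what the separate append-only store is meant to guarantee; it does not by itself detect truncation of the tail, so the latest digest still has to be anchored somewhere the attacker cannot reach (a periodic commit to a witness host, or a store that physically refuses deletes).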
Keywords :
computer forensics; operating system kernels; system monitoring; IR4CF; append-only storage; computer forensics; intrusion replay system; kernel event information; logging machine; system-call hijacking technology; target system monitoring; Computers; File systems; Forensics; Kernel; Linux; Registers; Auditing; Forensics; Intrusion replay;
Conference_Titel :
Computing, Control and Industrial Engineering (CCIE), 2011 IEEE 2nd International Conference on
Conference_Location :
Wuhan
Print_ISBN :
978-1-4244-9599-3
DOI :
10.1109/CCIENG.2011.6007958