Justifying the ned for forensically ready protocols: a case study of identifying malicious web servers using client honeypots

Seifert, C., Endicott-Popovsky, B., Frincke, D., Komisarczuk, Peter, Muschevici, R. and Welch, I. (2008) Justifying the ned for forensically ready protocols: a case study of identifying malicious web servers using client honeypots. In: the 4th Annual IFIP WG 11, 27–30 January 2008, Kyoto, Japan.

Full text not available from this repository.

Abstract

Abstract Client honeypot technology can find malicious web servers that attack web browsers and push malware, so called drive-by-downloads, to the client machine. Merely recording the network traffic is insufficient to perform an efficient forensic analysis of the attack. Custom tools need to be developed to access and examine the embedded data of the network protocols. Once the information is extracted from the network data, it cannot be used to perform a behavioral analysis on the attack, therefore limiting the ability to answer what exactly happened on the attacked system. Implementation of a record / replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with such data for behavioral analysis purposes. A concrete implementation of such a setup for HTTP and DNS protocols using the HTTP proxy Squid and DNS proxy pdnsd is presented and its effect on digital forensic analysis demonstrated.

Item Type: Conference or Workshop Item (Paper)
Subjects: Computing
Depositing User: Vani Aul
Date Deposited: 21 Mar 2014 14:37
Last Modified: 09 Oct 2015 15:41
URI: http://repository.uwl.ac.uk/id/eprint/802

Actions (login required)

View Item View Item

Menu