Justifying the need for forensically ready protocols: a case study of identifying malicious web servers using client honeypots

Seifert, Christian, Endicott-Popovsky, Barbara, Frincke, Deborah A., Komisarczuk, Peter, Muschevici, Radu and Welch, Ian (2008) Justifying the need for forensically ready protocols: a case study of identifying malicious web servers using client honeypots. In: Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics, 27–30 Jan 2008, Kyoto, Japan.

Justifying the need for forensically ready protocols.pdf - Accepted Version

Abstract

Client honeypot technology can find malicious web servers that attack web browsers and push malware, so-called drive-by downloads, to the client machine. Merely recording the network traffic is insufficient to perform an efficient forensic analysis of the attack. Custom tools need to be developed to access and examine the embedded data of the network protocols. Once the information is extracted from the network data, it cannot be used to perform a behavioral analysis on the attack, therefore limiting the ability to answer what exactly happened on the attacked system. Implementation of a record/replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with such data for behavioral analysis purposes. A concrete implementation of such a setup for the HTTP and DNS protocols, using the HTTP proxy Squid and the DNS proxy pdnsd, is presented and its effect on digital forensic analysis is demonstrated.

Item Type: Conference or Workshop Item (Paper)
Keywords: Security, Digital Forensics, Client Honeypots, Network Forensics
Subjects: Computing
Depositing User: Vani Aul
Date Deposited: 21 Mar 2014 14:37
Last Modified: 28 Aug 2021 07:17
URI: https://repository.uwl.ac.uk/id/eprint/802
