Performing Live Forensics on Insider Attacks
An insider with trusted access and procedural and architectural knowledge of the system and its security blind spots has far greater potential to cause significant damage than an external attacker. Insiders, armed with knowledge of the internals of a system's security mechanisms and policies, can slip past the protections that guard the system more easily. To perform a meaningful forensic trace-back, it is useful to preserve as much volatile evidence as possible. This includes the entire state of the running system: its open network sockets, mounted encrypted file systems and running processes. Preserving these resources helps in identifying live ongoing attacks, dormant sleepers, and the perpetrator.
Although specialized forensic tools can be used, they often induce side effects and may cause significant disruption during the evidence-gathering process. This can affect the quality and quantity of the artifacts gathered by tainting the evidence. To allay these concerns, we present Forenscope, a lightweight tool which provides real-time forensic analysis of a system without any of the problems mentioned. We demonstrate that Forenscope can run in under 15 seconds and detect tools such as rootkits that may hide malicious software planted by an insider.
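The abstract argues that volatile state (open sockets, processes) is worth preserving because inconsistencies in it expose hidden activity. The following added example, which is not Forenscope's code and not part of the original paper, shows the simplest form of such a cross-view check on constructed data: a snapshot of sockets in the Linux `/proc/net/tcp` format is compared against the process listing a (possibly rootkit-filtered) tool reports, and any socket whose inode no visible process owns is flagged as evidence of a hidden process. The socket table, the process view and all inodes and addresses below are constructed sample values, and the `TcpSocket`, `parse_proc_net_tcp` and `find_orphan_sockets` names are this example's own.

```python
"""Cross-view check of volatile evidence: sockets versus visible processes.

Added illustrative example; the sample data and helper names are constructed
and are not taken from Forenscope or from the paper.
"""
from dataclasses import dataclass

# Constructed snapshot in the Linux /proc/net/tcp layout. Fields per row:
# sl local_address rem_address st tx/rx_queue tr/tm->when retrnsmt uid timeout inode ...
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0200000A:0050 6400000A:DDDD 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed process view: the PIDs a process-listing tool reports, with the
# socket inodes each one holds (what /proc/<pid>/fd would resolve to).
# Note that nothing here claims inode 34567.
SAMPLE_VISIBLE_PROCESSES = {
    412: {"comm": "sshd", "socket_inodes": {12345}},
    987: {"comm": "python3", "socket_inodes": {23456}},
}

# Subset of the TCP state codes used by /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}


@dataclass(frozen=True)
class TcpSocket:
    local: str
    remote: str
    state: str
    uid: int
    inode: int


def _decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into 'a.b.c.d:port'.

    /proc/net/tcp stores the IPv4 address as a little-endian 32-bit hex value
    on x86, so the octets are read back in reverse byte order.
    """
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return f"{'.'.join(octets)}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text):
    """Parse the socket table into TcpSocket records, skipping the header."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append(TcpSocket(
            local=_decode_addr(fields[1]),
            remote=_decode_addr(fields[2]),
            state=TCP_STATES.get(fields[3], fields[3]),
            uid=int(fields[7]),
            inode=int(fields[9]),
        ))
    return sockets


def find_orphan_sockets(sockets, visible_processes):
    """Return sockets whose inode is not owned by any process in the visible view.

    A live socket that no visible process owns is an inconsistency between
    two views of the same volatile state and is a classic sign of a hidden
    (rootkit-concealed) process that should be preserved for analysis.
    """
    claimed = set()
    for proc in visible_processes.values():
        claimed |= proc["socket_inodes"]
    return [s for s in sockets if s.inode not in claimed]


def report(sockets, visible_processes):
    """Human-readable summary lines for the orphaned sockets."""
    return [
        f"orphan socket inode={s.inode} {s.local} -> {s.remote} ({s.state}, uid={s.uid})"
        for s in find_orphan_sockets(sockets, visible_processes)
    ]


if __name__ == "__main__":
    parsed = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for line in report(parsed, SAMPLE_VISIBLE_PROCESSES):
        print(line)
```

On a real system the two views would be captured from the live machine in the same acquisition pass (the socket table and the per-process descriptor tables), and a mismatch like the one flagged here is a reason to preserve the full memory image rather than a prompt to act on the host; the comparison itself is cheap and causes no disruption of the kind the abstract warns about.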
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.
- The following copyright notice applies to all of the above items that appear in IEEE publications: "Personal use of this material is permitted. However, permission to reprint/publish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from IEEE."
- The following copyright notice applies to all of the above items that appear in ACM publications: "© ACM, effective the year of publication shown in the bibliographic information. This file is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in the journal or proceedings indicated in the bibliographic data for each item."
- The following copyright notice applies to all of the above items that appear in IFAC publications: "Document is being reproduced under permission of the Copyright Holder. Use or reproduction of the Document is for informational or personal use only."