Research Article
Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots
@INPROCEEDINGS{10.1007/978-3-642-31909-9_12,
  author        = {Deepa Srinivasan and Xuxian Jiang},
  title         = {Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots},
  proceedings   = {Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers},
  proceedings_a = {SECURECOMM},
  year          = {2012},
  month         = {10},
  keywords      = {Honeypots Virtualization Forensic Analysis},
  doi           = {10.1007/978-3-642-31909-9_12}
}
- Authors: Deepa Srinivasan, Xuxian Jiang
- Year: 2012
- Venue: SECURECOMM
- Publisher: Springer
- DOI: 10.1007/978-3-642-31909-9_12
Abstract
Honeypots have proven to be an effective tool to capture computer intrusions (or malware infections) and analyze their exploitation techniques. However, forensic analysis of compromised honeypots is largely an ad hoc and manual process. In this paper, we propose Timescope, a system that applies and extends recent advances in deterministic record and replay to high-interaction honeypots for extensible, fine-grained forensic analysis. In particular, we propose and implement a number of systematic analysis modules in Timescope, including , , and , to facilitate honeypot forensics. These analysis modules can “travel back in time” to investigate various aspects of computer intrusions or malware infections during different execution time windows. We have developed Timescope based on the open-source QEMU virtual machine monitor, and the evaluation with a number of real malware infections shows the practicality and effectiveness of Timescope.