An Event-Based Digital Forensic Investigation Framework
Malware-type clickbots infect machines in order to achieve IP diversity, and their traffic may or may not be as easily identifiable as that generated by for-sale clickbots. is a malware-type clickbot, and is identified as a trojan by some anti-virus packages. The result of a VirusTOTAL scan, which runs various anti-virus scanners, on the binary produced the results shown in Table 1 in the Appendix, as noted by SANS handler Swa Frantzen [2]. Many of the popular virus scanners, including McAfee, Sophos, and Symantec, did not detect that was malicious, and some of those that did detect it only did so because it used a common Trojan.

Brian D. Carrier, Eugene H. Spafford
carrier@ spaf@
Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, West Lafayette, IN 47907, USA

Abstract

In this paper we present a framework for digital forensics that includes an investigation process model based on physical crime scene procedures. In this model each digital device is considered a digital crime scene, which is included in the physical crime scene where it is located. The investigation includes the preservation of the system, the search for digital evidence, and the reconstruction of digital events. The focus of the investigation is on the reconstruction of events using evidence so that hypotheses can be developed and tested. This paper also includes definitions and descriptions of the basic and core concepts that the framework uses.

1 Introduction

Since the first Digital Forensic Research Workshop (DFRWS) in 2001 [Pal01], the need for a standard framework has been understood, yet there has been little progress on one that is generally accepted. A framework for digital forensics needs to be flexible enough that it can support future technologies and different types of incidents; therefore it needs to be simple and abstract. On the other hand, if it is too simple and abstract, then it is difficult to create tool requirements and test procedures for each phase. For this paper we have examined the concept of an investigation to determine what is required. The result is an event-based framework that can be used to develop hypotheses and answer questions about an incident or crime. Hypotheses are developed by collecting objects that may have played a role in an event that was related to the incident. Once the objects are collected as evidence, the investigator can develop hypotheses about previous events at the crime scene. This framework is based on the process model that is used at physical
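The model sketched above (digital crime scenes nested in a physical scene, objects collected as evidence, events reconstructed from those objects, hypotheses tested against the reconstructed timeline) can be made concrete with a small piece of code. The following Python is an added illustration written for this page, not code from Carrier and Spafford's paper or from any tool they describe; the scene names, file metadata, sshd log lines and the hypotheses tested are all constructed for the example, and it assumes evidence timestamps are UTC ISO-8601.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class DigitalObject:
    """An object collected from a digital crime scene (a file, a log line, ...)."""
    physical_scene: str   # where the device was physically found
    digital_scene: str    # the device (digital crime scene) the object came from
    kind: str             # "file" or "auth_log" in this example
    data: Dict[str, str]  # file metadata or the raw log line


@dataclass(frozen=True, order=True)
class Event:
    """Reconstructed event: at `time`, `actor` did `action` to `target` on `digital_scene`."""
    time: datetime
    digital_scene: str
    actor: str
    action: str
    target: str


def _ts(s: str) -> datetime:
    # Assumption of this example: evidence timestamps are UTC ISO-8601.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed evidence for illustration only: one physical scene holding two devices.
EVIDENCE: List[DigitalObject] = [
    DigitalObject("office 3", "laptop-01", "file", {
        "path": "/home/alice/payroll.xlsx", "owner": "alice",
        "ctime": "2004-05-10T09:14:03", "mtime": "2004-05-10T09:41:27"}),
    DigitalObject("office 3", "laptop-01", "auth_log", {
        "line": "2004-05-10T09:02:11 sshd[412]: Accepted password for alice from 10.0.0.7"}),
    DigitalObject("office 3", "laptop-01", "auth_log", {
        "line": "2004-05-10T09:55:40 sshd[412]: session closed for user alice"}),
    DigitalObject("office 3", "fileserver", "file", {
        "path": "/srv/share/payroll.xlsx", "owner": "alice",
        "ctime": "2004-05-10T09:43:02", "mtime": "2004-05-10T09:43:02"}),
]

AUTH_RE = re.compile(
    r"(?P<ts>\S+) sshd\[\d+\]: (?P<verb>Accepted password for|session closed for user) (?P<user>\w+)"
)


def events_from_object(obj: DigitalObject) -> List[Event]:
    """Derive the events an object is evidence of: ctime/mtime of a file, login/logout of a log line."""
    if obj.kind == "file":
        d = obj.data
        evs = [Event(_ts(d["ctime"]), obj.digital_scene, d["owner"], "created", d["path"])]
        if d["mtime"] != d["ctime"]:
            evs.append(Event(_ts(d["mtime"]), obj.digital_scene, d["owner"], "modified", d["path"]))
        return evs
    if obj.kind == "auth_log":
        m = AUTH_RE.match(obj.data["line"])
        if not m:
            return []  # unparsable line: still collected, but yields no event here
        action = "login" if m.group("verb").startswith("Accepted") else "logout"
        return [Event(_ts(m.group("ts")), obj.digital_scene, m.group("user"), action, obj.digital_scene)]
    return []


def scenes(objects: Iterable[DigitalObject]) -> Dict[str, Set[str]]:
    """Map each physical crime scene to the digital crime scenes found inside it."""
    out: Dict[str, Set[str]] = {}
    for o in objects:
        out.setdefault(o.physical_scene, set()).add(o.digital_scene)
    return out


def reconstruct(objects: Iterable[DigitalObject]) -> List[Event]:
    """Merge the events derived from every collected object into one time-ordered timeline."""
    return sorted(e for o in objects for e in events_from_object(o))


def session_active(timeline: List[Event], actor: str, scene: str, at: datetime) -> bool:
    """True if `actor` had logged in to `scene` at or before `at` and not logged out by then."""
    state = False
    for e in timeline:
        if e.time > at:
            break
        if e.digital_scene == scene and e.actor == actor and e.action in ("login", "logout"):
            state = e.action == "login"
    return state


def precedes(timeline: List[Event], first: Callable[[Event], bool],
             then: Callable[[Event], bool]) -> bool:
    """Hypothesis test: some event matching `first` happened strictly before some event matching `then`."""
    firsts = [e.time for e in timeline if first(e)]
    thens = [e.time for e in timeline if then(e)]
    return bool(firsts) and bool(thens) and min(firsts) < max(thens)


if __name__ == "__main__":
    tl = reconstruct(EVIDENCE)
    for e in tl:
        print(e.time.isoformat(), e.digital_scene, e.actor, e.action, e.target)
    # Hypothesis: alice modified payroll.xlsx on the laptop during her SSH session,
    # and a copy then appeared on the file server.
    modified = next(e for e in tl if e.action == "modified")
    print("session active at modification:", session_active(tl, "alice", "laptop-01", modified.time))
    print("copy on server after modification:", precedes(
        tl, lambda e: e.action == "modified" and e.digital_scene == "laptop-01",
        lambda e: e.action == "created" and e.digital_scene == "fileserver"))
```

The point of the structure is that objects and events stay separate: an object is what was preserved and collected, an event is an inference drawn from it, and a hypothesis is a predicate over the reconstructed timeline that can be accepted or rejected as more objects are collected. Timestamps from different devices are only comparable after clock skew has been accounted for, which this example ignores.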