Snapshots save digital evidence

By Kimberly Patch, Technology Research News

Checkpointing software is a tool that lets administrators back up and recover data and introduce new systems into a network more smoothly. It stores the state of a running program, or process, so that the process can be restarted from that point.

Researchers from the University of Florida have combined the concept of checkpointing with that of intrusion detection -- determining when an unauthorized user is accessing a computer -- to come up with a new tool that could help in computer crime investigations.

Like its physical-world counterpart, computer forensics involves determining who did what after an attack has taken place. Although intrusion prevention is the ultimate goal, as long as intruders continue to be successful, there's a need for good ways to collect data concerning intrusions, said Mark Foster, a researcher at the University of Florida. Internet growth in the U.S. is around 2 million new users each month, according to the U.S. Department of Commerce, and security-related incidents have increased every year since 1998 and doubled from 2001 to 2003, according to the CERT Coordination Center.

The researchers' process forensics method makes use of their previously developed checkpointing method, dubbed Uclik, to save the portions of a computer's memory, or address space, that belong to a given process, so that a forensic investigator can later recover the details of a process used in a computer attack.

Ordinarily a process's address space is not saved. This makes it harder for a forensic investigator analyzing a computer's hard disk and file system to trace the details of an attack, according to Foster.

Checkpointing software creates a checkpoint by stopping the execution of a process, saving its address space and kernel state, and then letting the process continue. The kernel is the core of the operating system software that controls a computer. After an initial full checkpoint, further checkpoints can be taken at regular time intervals, and only the incremental changes to the address space and kernel state need be stored. This allows the process to be rolled back to a checkpoint and restarted if necessary. The researchers' system adapts the checkpointing system to collect a third type of checkpoint -- the terminal checkpoint, taken just before a process is closed, or terminated.
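The following is an added example, not code from the article or from the researchers' Uclik tool. It simulates a process's address space as a small byte array split into pages and takes the three kinds of checkpoint described above: a full checkpoint that stores every page, incremental checkpoints that store only pages whose hash changed, and a terminal checkpoint taken just before the process exits. It also shows rollback by replaying the log, and a diff of the saved kernel state between the first and the terminal checkpoint. The page size, the "kernel state" dictionary (pid, uid, open descriptors) and the attack scenario are all assumptions made for the demo.

```python
"""Added example: full, incremental and terminal checkpoints of a simulated
process address space, with rollback.  Illustrative code, not Uclik."""
import hashlib

PAGE_SIZE = 16          # tiny pages keep the demo readable; real pages are 4096 bytes


class AddressSpace:
    """Stand-in for a process's memory: a flat byte array split into pages."""

    def __init__(self, num_pages):
        self.mem = bytearray(num_pages * PAGE_SIZE)

    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data

    def pages(self):
        for idx in range(len(self.mem) // PAGE_SIZE):
            yield idx, bytes(self.mem[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE])


class Checkpointer:
    """Keeps a log of checkpoint records.  The first record stores every page;
    later records store only pages whose hash changed since the last checkpoint."""

    def __init__(self, space):
        self.space = space
        self.log = []               # checkpoint records, oldest first
        self._last_hashes = {}      # page index -> sha256 at the last checkpoint

    def checkpoint(self, kind, kernel_state):
        # A real checkpointer stops the process here; this simulation is
        # single-threaded, so memory cannot change while it is copied.
        if not self.log:
            kind = "full"           # nothing to diff against yet
        pages, hashes = {}, {}
        for idx, page in self.space.pages():
            h = hashlib.sha256(page).hexdigest()
            hashes[idx] = h
            if kind == "full" or self._last_hashes.get(idx) != h:
                pages[idx] = page
        self._last_hashes = hashes
        record = {"kind": kind, "pages": pages, "kernel_state": dict(kernel_state)}
        self.log.append(record)
        return record

    def terminal(self, kernel_state):
        """Terminal checkpoint: the delta taken just before the process exits."""
        return self.checkpoint("terminal", kernel_state)

    def restore(self, upto):
        """Rebuild memory as it was at checkpoint `upto` by replaying the log."""
        mem = bytearray(len(self.space.mem))
        for rec in self.log[:upto + 1]:
            for idx, page in rec["pages"].items():
                mem[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE] = page
        return bytes(mem)


def kernel_state_diff(old, new):
    """Keys whose value differs between two saved kernel states (e.g. uid, fds)."""
    return {k: (old.get(k), new.get(k))
            for k in set(old) | set(new) if old.get(k) != new.get(k)}


def run_demo():
    space = AddressSpace(8)
    cp = Checkpointer(space)

    # Constructed scenario: a service running as uid 1000 with one log file open.
    space.write(0, b"normal program data")                  # spans pages 0 and 1
    base = {"pid": 4242, "uid": 1000, "fds": ["/var/log/auth.log"]}
    full = cp.checkpoint("full", base)

    # Ordinary activity touches page 5 only, so the increment holds one page.
    space.write(5 * PAGE_SIZE, b"request:1")
    inc = cp.checkpoint("incremental", base)
    mem_at_inc = bytes(space.mem)

    # Simulated attack: page 7 (the "stack") is overwritten with filler and a
    # fake return address, the process now runs as root and has an extra
    # socket open.  The terminal checkpoint captures exactly that delta.
    space.write(7 * PAGE_SIZE, b"A" * 12 + b"\xef\xbe\xad\xde")
    final_state = {"pid": 4242, "uid": 0, "fds": ["/var/log/auth.log", "socket:[31337]"]}
    term = cp.terminal(final_state)

    return {
        "full_pages": len(full["pages"]),
        "incremental_pages": sorted(inc["pages"]),
        "terminal_pages": sorted(term["pages"]),
        "rollback_ok": cp.restore(1) == mem_at_inc,
        "terminal_restore_ok": cp.restore(2) == bytes(space.mem),
        "state_diff": kernel_state_diff(full["kernel_state"], term["kernel_state"]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the demo shows why the terminal checkpoint is cheap to keep: after the full snapshot of eight pages, the increment and the terminal record hold one page each, yet replaying the log reconstructs memory at either point, and the kernel-state diff exposes the change of owner from uid 1000 to 0 and the newly opened socket.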

Forensic investigators looking for evidence of a computer crime typically analyze several types of files looking for data that will allow them to piece together computer activity. These include log files, which keep track of computer events; swap files, which are used by the computer as a temporary holding space for data and could still house evidence of the illicit computer activity; and unallocated space and slack space, which may contain data from files that were deleted but have not yet been completely overwritten.

In contrast to this data saved in files, checkpointing saves data that resides in memory and is usually discarded when it is no longer needed by the process or when the computer is turned off.

Potentially useful forensics information resides in this temporary space, including pointers to related processes and the process identification, or PID, which indicates which user owns the given process, said Foster. Knowing which user owns a process is a clue about who started the process or whose account was compromised, and what permissions level the process had, he said. Processes that have root permissions, for example, are allowed to change many of the settings of the computer and thus can be used to do more damage than processes with lesser permissions.

A process's address space also includes a stack, which contains information about the execution sequence of process steps. This is particularly useful information for someone investigating one common type of attack -- the buffer overflow -- because it shows where and how the attack was made possible, and is also useful in preventing future attacks, said Foster.

A buffer overflow attack involves an attempt to overwrite a process's return address in order to take control of a program, said Foster.

The address space also contains information about process peripherals: the files, sockets and pipes opened by the process, said Foster. Sockets are network connections; pipes carry data between processes on the same machine. Compromised files may include those containing passwords, and log files, which could be accessed by an intruder in order to hide the intrusion; sockets and pipes may provide information about where on a network an attack originated or where data is being sent, he said.
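As an added example covering both the process-ownership data and the open files, sockets and pipes discussed above, the script below builds the kind of per-process summary a terminal checkpoint would preserve. It is not the researchers' code. It reads the data in the format Linux exposes under /proc (the Uid line of /proc/<pid>/status carries the real and effective user IDs alongside the PID, and descriptor links under /proc/<pid>/fd read as paths, "socket:[inode]" or "pipe:[inode]"), flags credential and log files, and notes when a process started by an ordinary user is running with root privileges. The process name, PIDs, inode numbers and open files in the sample are constructed for the demo; the sensitive-path patterns are an assumption, not an exhaustive list.

```python
"""Added example: summarise the per-process kernel state a checkpoint would
preserve (owner, privileges, open files, sockets, pipes) from Linux /proc-style
data.  Illustrative code, not the researchers' Uclik tool."""
import os
import re

# Assumed patterns for files an intruder commonly reads or tampers with.
SENSITIVE_PATTERNS = [
    (re.compile(r"^/etc/(passwd|shadow|gshadow|sudoers)$"), "credential file"),
    (re.compile(r"^/var/log/"), "log file (possible tampering to hide intrusion)"),
]


def parse_status(status_text):
    """Pull Name, Pid, PPid and the real/effective uid out of /proc/<pid>/status."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    uids = fields["Uid"].split()            # real, effective, saved, filesystem
    return {
        "name": fields["Name"],
        "pid": int(fields["Pid"]),
        "ppid": int(fields["PPid"]),
        "uid": int(uids[0]),
        "euid": int(uids[1]),
    }


def classify_fds(fd_targets):
    """fd_targets maps descriptor number -> readlink target from /proc/<pid>/fd/.
    Sockets and pipes appear as 'socket:[inode]' and 'pipe:[inode]'."""
    summary = {"files": [], "sockets": [], "pipes": [], "flags": []}
    for fd, target in sorted(fd_targets.items()):
        m = re.match(r"^(socket|pipe):\[(\d+)\]$", target)
        if m:
            bucket = "sockets" if m.group(1) == "socket" else "pipes"
            summary[bucket].append({"fd": fd, "inode": int(m.group(2))})
            continue
        summary["files"].append({"fd": fd, "path": target})
        for pattern, why in SENSITIVE_PATTERNS:
            if pattern.search(target):
                summary["flags"].append(f"fd {fd} -> {target}: {why}")
    return summary


def process_report(status_text, fd_targets):
    """Combine ownership and descriptor data into one forensic summary."""
    info = parse_status(status_text)
    report = dict(info)
    report["runs_as_root"] = info["euid"] == 0
    # A non-root real uid with a root effective uid is what a successful
    # exploit of a setuid or privileged service typically looks like.
    report["privilege_escalated"] = info["uid"] != 0 and info["euid"] == 0
    report.update(classify_fds(fd_targets))
    return report


def collect_live(pid):
    """Read the same data from a live Linux host (needs permission on the target)."""
    base = f"/proc/{pid}"
    with open(f"{base}/status") as f:
        status_text = f.read()
    fd_targets = {}
    for fd in os.listdir(f"{base}/fd"):
        try:
            fd_targets[int(fd)] = os.readlink(f"{base}/fd/{fd}")
        except OSError:                     # descriptor closed while we looked
            pass
    return status_text, fd_targets


# Constructed sample data in /proc format (not captured from a real incident).
SAMPLE_STATUS = """Name:\twebsvc
State:\tS (sleeping)
Pid:\t4242
PPid:\t1
Uid:\t1000\t0\t0\t0
Gid:\t1000\t1000\t1000\t1000
"""
SAMPLE_FDS = {
    0: "/dev/null",
    3: "socket:[31337]",
    4: "/etc/shadow",
    5: "/var/log/auth.log",
    6: "pipe:[8899]",
}


def run_demo():
    return process_report(SAMPLE_STATUS, SAMPLE_FDS)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the sample, the report shows a process owned by uid 1000 but running with an effective uid of 0, one socket (inode 31337) that can be matched against the host's socket table to find the remote end, one pipe, and two flagged descriptors: /etc/shadow and /var/log/auth.log. Note that it is the saved uid, not the PID, that identifies the owner; the PID only ties the record to the process.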

Using checkpointing to save data for possible forensics use is a natural progression from using log files, said Foster. "Checkpoints require more storage space, and right now storage space is becoming quite inexpensive," he said. "Resources increase, so we use them."

Checkpointing is appropriate for collecting information about malicious processes because the information can be collected and stored quickly, transparently, and without modifying the process being checkpointed, according to Foster. This allows users to checkpoint malicious processes without affecting the processes and without tipping off a potential attacker who is controlling the processes, he said.

The method can be applied to any online service, said Foster. Ideally, it would be built into the operating system of the computer as a kernel patch, kernel module, or even built into the kernel.

It is difficult to tell when the researchers' software could be ready for practical use, said Foster. The researchers are currently working on a proof-of-concept prototype.

Ultimately, no single security measure is enough, said Foster. The best approach to system security is using multiple measures, and the goal of the checkpoint forensics research is to introduce a new area of computer forensics that can provide an additional method of protecting computer systems, he said.

Foster's research colleague was Joseph N. Wilson. The work appeared in the Summer 2004 issue of The International Journal of Digital Evidence. The research was funded by the university.

Timeline:   Unknown
Funding:   University
TRN Categories:   Security; Operating Systems
Story Type:   News
Related Elements:  Technical paper, "Process Forensics: A Pilot Study on the Use of Checkpointing Technology in Computer Forensics," International Journal of Digital Evidence, Summer 2004, and posted at; related papers "Using Greedy Hamiltonian Call Paths to Detect Stack Smashing Attacks" posted at and "Pursuing the Three AP's to Checkpointing with Uclik" posted at


March 9/16, 2005

© Copyright Technology Research News, LLC 2000-2006. All rights reserved.