Snapshots save digital evidence
Technology Research News
Checkpointing software is a computer tool designed to allow administrators to back up and
recover data and to introduce new systems into a network more smoothly. The
tool stores the state of a running program, or process, so that it can be
restarted from that point.
Researchers from the University of Florida have combined the concept
of checkpointing with that of intrusion detection -- determining when an
unauthorized user is accessing a computer -- to come up with a new tool
that could help in computer crime investigations.
Like its physical-world counterpart, computer forensics involves
determining who did what after an attack has taken place. Although intrusion
prevention is the ultimate goal, as long as intruders continue to be successful,
there's a need for good ways to collect data concerning intrusions, said
Mark Foster, a researcher at the University of Florida. Internet growth
in the U.S. is around 2 million new users each month, according to the U.S.
Department of Commerce, and security-related incidents have increased every
year since 1998 and doubled from 2001 to 2003, according to the CERT Coordination
The researchers' process forensics method makes use of their previously developed
checkpointing method, dubbed Uclik, to save information from the portions
of memory, or address space, of a computer so that a forensic investigator
can track down the information for a given process used in a computer attack.
Ordinarily a process's address space is not saved. This makes it
more difficult for a forensic investigator analyzing the hard disk and file
system of a computer to trace the details of an attack, according to Foster.
Checkpointing software creates a checkpoint by stopping the execution
of a process, saving the address space and kernel state, and continuing
the process. The kernel is the core of the operating system software that
controls a computer. Checkpoints can be made at regular time intervals and
only the incremental changes in address space and kernel state need be stored.
This allows the computer to be rolled back and restarted if necessary. The
researchers' system adapts the checkpointing system to collect a third type
of checkpoint -- the terminal checkpoint, collected just before a process
is closed, or terminated.
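As an added illustration of the checkpoint scheme just described (this is not the researchers' Uclik code; the page size, the SHA-256 page hashing and the constructed three-page address space are my assumptions), the store below keeps every page only at the first checkpoint, stores just the changed pages afterwards, can roll back to any checkpoint, and records a terminal checkpoint before the process exits:

```python
from __future__ import annotations
import copy
import hashlib

PAGE = 4096  # constructed page size; the article does not give Uclik's real granularity

class CheckpointStore:
    """First checkpoint stores every page; later ones store only pages whose hash changed."""
    def __init__(self) -> None:
        self.checkpoints: list[dict] = []
        self._last_hashes: list[str] = []

    def checkpoint(self, image: bytes, kernel_state: dict, kind: str = "periodic") -> int:
        pages = [image[i:i + PAGE] for i in range(0, len(image), PAGE)]
        hashes = [hashlib.sha256(p).hexdigest() for p in pages]
        changed = {i: p for i, (p, h) in enumerate(zip(pages, hashes))
                   if i >= len(self._last_hashes) or h != self._last_hashes[i]}
        # kernel state (pid, uid, open fds, ...) is small, so it is copied in full each time
        self.checkpoints.append({"kind": kind, "npages": len(pages), "pages": changed,
                                 "kernel": copy.deepcopy(kernel_state)})
        self._last_hashes = hashes
        return len(self.checkpoints) - 1

    def terminal_checkpoint(self, image: bytes, kernel_state: dict) -> int:
        """The third checkpoint type from the article: taken just before the process exits."""
        return self.checkpoint(image, kernel_state, kind="terminal")

    def restore(self, index: int) -> tuple[bytes, dict]:
        """Rebuild address space and kernel state at checkpoint `index` by replaying increments."""
        pages: dict[int, bytes] = {}
        for cp in self.checkpoints[:index + 1]:
            pages.update(cp["pages"])
        n = self.checkpoints[index]["npages"]
        return b"".join(pages[i] for i in range(n)), copy.deepcopy(self.checkpoints[index]["kernel"])

    def stored_bytes(self) -> int:
        return sum(len(p) for cp in self.checkpoints for p in cp["pages"].values())

def demo() -> tuple[CheckpointStore, int, int, int, bytes]:
    """Constructed run: a 3-page image, one page modified, then a terminal checkpoint."""
    store = CheckpointStore()
    image = bytearray(3 * PAGE)                     # zero-filled constructed address space
    kernel = {"pid": 4242, "uid": 1000, "open_fds": ["/var/log/auth.log"]}
    c0 = store.checkpoint(bytes(image), kernel)
    image[PAGE + 16:PAGE + 32] = b"A" * 16          # this write touches page 1 only
    c1 = store.checkpoint(bytes(image), kernel)
    kernel["open_fds"].append("socket:[55021]")     # a new connection opened before exit
    t = store.terminal_checkpoint(bytes(image), kernel)
    return store, c0, c1, t, bytes(image)
```

In the constructed run only four pages are ever written to storage (three at the first checkpoint, one at the second, none at the terminal checkpoint), yet every checkpoint can still be fully rebuilt.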
Forensic investigators looking for evidence of a computer crime
typically analyze several types of files looking for data that will allow
them to piece together computer activity. These include log files, which
keep track of computer events; swap files, which are used by the computer
as a temporary holding space for data and could still house evidence of
the illicit computer activity; and unallocated space and slack space, which
may contain data from files that were deleted but have not yet been completely
In contrast to this data saved in files, checkpointing saves data
that resides in memory and is usually discarded when it is no longer needed
by the process or when the computer is turned off.
Potentially useful forensics information resides in this temporary
space, including pointers to related processes and the process identification,
or PID, which indicates which user owns the given process, said Foster.
Knowing which user owns a process is a clue about who started the process
or whose account was compromised, and what permissions level the process
had, he said. Processes that have root permissions, for example, are allowed
to change many of the settings of the computer and thus can be used to do
more damage than processes with lesser permissions.
A process' address space also includes a stack, which contains information
about the execution sequence of process steps. This is particularly useful
information for someone investigating one common type of attack -- the buffer
overflow -- because it shows where and how the attack was made possible; it
is also useful in preventing future attacks, said Foster.
A buffer overflow attack involves an attempt to overwrite a process's
return address in order to take control of a program, said Foster.
The address space also contains information about process peripherals:
the files, sockets and pipes opened by the process, said Foster. Sockets
and pipes are network connections. Compromised files may include those containing
passwords, and log files, which could be accessed by an intruder in order
to hide the intrusion; sockets and pipes may provide information about where
on a network an attack originated or where data is being sent, he said.
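An added example, not from the paper, of how an investigator might pull the facts listed above (PID, owning user, privilege level, stack location, open files, sockets and pipes) out of saved process state. It assumes the checkpoint preserved Linux /proc-style status, fd and maps data; the sample process values are constructed:

```python
import re

# Constructed sample of the kernel state a terminal checkpoint would carry for one process:
# /proc/<pid>/status-style text, the targets of its /proc/<pid>/fd symlinks, and /proc/<pid>/maps.
SAMPLE_STATUS = "Name:\tsh\nState:\tR (running)\nPid:\t4242\nPPid:\t4001\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
SAMPLE_FDS = {0: "/dev/pts/3", 1: "/dev/pts/3", 3: "socket:[55021]",
              4: "pipe:[7788]", 5: "/etc/shadow", 6: "/var/log/auth.log"}
SAMPLE_MAPS = ("00400000-0040c000 r-xp 00000000 08:01 1234 /bin/sh\n"
               "7ffd1a2b0000-7ffd1a2d1000 rw-p 00000000 00:00 0 [stack]\n")

# files the article singles out as worth a second look: password files and logs
SENSITIVE = (re.compile(r"^/etc/(passwd|shadow)$"), re.compile(r"^/var/log/"))

def parse_status(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; Uid/Gid keep their four-column string."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def classify_fd(target: str) -> str:
    """Map a /proc/<pid>/fd link target to one of the peripheral kinds the article lists."""
    if target.startswith("socket:["):
        return "socket"
    if target.startswith("pipe:["):
        return "pipe"
    return "file"

def stack_range(maps_text: str):
    """Return (start, end) of the [stack] mapping, or None if absent."""
    for line in maps_text.splitlines():
        parts = line.split()
        if parts and parts[-1] == "[stack]":
            start, end = parts[0].split("-")
            return int(start, 16), int(end, 16)
    return None

def summarize(status_text: str, fds: dict, maps_text: str) -> dict:
    """Pull the investigator-facing facts out of the captured state."""
    st = parse_status(status_text)
    uid = int(st["Uid"].split()[0])                  # real uid: who owns the process
    out = {"pid": int(st["Pid"]), "ppid": int(st["PPid"]), "uid": uid, "root": uid == 0,
           "socket": [], "pipe": [], "file": [], "sensitive_files": [], "stack": stack_range(maps_text)}
    for _, target in sorted(fds.items()):
        kind = classify_fd(target)
        out[kind].append(target)
        if kind == "file" and any(p.search(target) for p in SENSITIVE):
            out["sensitive_files"].append(target)
    return out
```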
Using checkpointing to save data for possible forensics use is a
natural progression from using log files, said Foster. "Checkpoints require
more storage space, and right now storage space is becoming quite inexpensive,"
he said. "Resources increase, so we use them."
Checkpointing is appropriate for collecting information about malicious
processes because the information can be collected and stored quickly, transparently,
and without modifying the process being checkpointed, according to Foster.
This allows users to checkpoint malicious processes without affecting the
processes and without tipping off a potential attacker who is controlling
the processes, he said.
The method can be applied to any online service, said Foster. Ideally,
it would be built into the operating system of the computer as a kernel
patch, kernel module, or even built into the kernel.
It is difficult to tell when the researchers' software could be
ready for practical use, said Foster. The researchers are currently working
on a proof-of-concept prototype.
Ultimately, no single security measure is enough, said Foster. The
best approach to system security is using multiple measures, and the goal
of the checkpoint forensics research is to introduce a new area of computer
forensics that can provide an additional method of protecting computer systems,
Foster's research colleague was Joseph N. Wilson. The work appeared
in the Summer, 2004 issue of The International Journal of Digital Evidence.
The research was funded by the university.
TRN Categories: Security; Operating Systems
Story Type: News
Related Elements: Technical paper, "Process Forensics: A Pilot
Study on the Use of Checkpointing Technology in Computer Forensics," International
Journal of Digital Evidence, Summer, 2004, and posted at http://www.ijde.org/docs/foster.pdf;
related papers "Using Greedy Hamiltonian Call Paths to Detect Stack Smashing
Attacks" posted at http://www.cise.ufl.edu/~mfoster/GHCP%20Paper%20Final.pdf
and "Pursuing the Three AP's to Checkpointing with Uclik" posted at http://www.cise.ufl.edu/~mfoster/LinuxKongressPaper.pdf
March 9/16, 2005