Digital forensic reconstruction and the virtual security testbed ViSe

  • Authors:
  • André Årnes; Paul Haas; Giovanni Vigna; Richard A. Kemmerer

  • Affiliations:
  • André Årnes: Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University of Science and Technology, Trondheim, Norway
  • Paul Haas, Giovanni Vigna, Richard A. Kemmerer: Department of Computer Science, University of California Santa Barbara, Santa Barbara, CA

  • Venue:
  • DIMVA'06: Proceedings of the Third International Conference on Detection of Intrusions and Malware & Vulnerability Assessment
  • Year:
  • 2006

Abstract

This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis of the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate forensic testing of a digital crime using minimal resources. Although a reconstruction can neither prove a hypothesis with absolute certainty nor exclude the correctness of other hypotheses, a standardized environment such as ViSe, combined with event reconstruction and testing, can lend credibility to an investigation and can be a great asset in court.