Investigating malware infections in enterprise networks is today a tedious task that requires a lot of manual intervention to find the scattered relevant bits and bytes on infected hosts. In this work we propose AFR, a framework for automatic multi-stage forensic data retrieval that automatically analyzes and retrieves network, memory and disk data to preserve the evidence of host compromise at a central location. AFR performs automated malware analysis using traditional intrusion detection techniques, such as network intrusion detection systems and anti-virus software, but combines the resulting alarms in real time to proactively retrieve and archive the data that is relevant for retrospective investigations. This proactive retrieval approach reduces the manual workload of IT administrators while significantly improving the likelihood that volatile data is collected before it vanishes. We show that proactive storage of selected memory and disk dumps is feasible and scales over time in virtualized thin-client enterprise environments.