A Model of
Computer Forensic Logging and Analysis
28 August 2008,
1500-1500 - GE-117
Much "forensic" data gets collected, but most is
useless for understanding what happened previously on a computer system.
Forensic techniques have broad applications, in analyzing attacks, compliance,
and as legal evidence, but also particularly for analyzing behavior of insiders,
where using typical access control and intrusion detection techniques would
prevent legitimate users from doing their jobs. However, current forensic
techniques have limited usefulness.
Our research has sought to enable analysis
of many types of attacks, including multi-step intrusions, insider attacks,
worms, and client-side scripting exploits. We have focused on systematic
approaches to forensic logging and analysis, with the goal of making system and
network audit logs more useful. Our goal is to record better, potentially useful
data specifically designed for forensic analysis, as opposed to simply
high-level debugging, performance measurement, or accounting. We do this by
turning the typical procedure around and asking, "given a set of intrusions,
what data do we need to record in order to analyze those intrusions?" We also
ask, "given a system instrumented normally to record a set of data, what
intrusions can we analyze?" The results of our approach have shown promise for
allowing more accurate and efficient forensic analysis.
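The two questions in the abstract ("given a set of intrusions, what must we record?" and "given what we record, what can we analyze?") can be made concrete by modelling each intrusion as a sequence of steps, each with the observables an analyst needs to reconstruct it. The following Python is an added illustration of that idea; it is not code from the talk or from Dr. Peisert's research, and the intrusion models, step names and log-field names in it are constructed for the example only.

```python
"""Added illustration: requirements-driven forensic logging.

Each intrusion class is modelled as an ordered list of attack steps, and each
step names the observables (log fields) needed to reconstruct it. From that
model we answer two questions:
  1. given a set of intrusions, which data must be recorded?
  2. given the data a system already records, which intrusions are analyzable?
All intrusion models and field names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical attack-step models: intrusion name -> [(step name, fields needed)].
INTRUSIONS: Dict[str, List[Tuple[str, Set[str]]]] = {
    "multi_step_intrusion": [
        ("remote login", {"auth.user", "auth.src_ip", "auth.time"}),
        ("privilege escalation", {"proc.exec", "proc.uid_change"}),
        ("data exfiltration", {"net.connect", "file.read"}),
    ],
    "insider_file_theft": [
        ("local login", {"auth.user", "auth.time"}),
        ("bulk read", {"file.read", "proc.exec"}),
        ("copy off-host", {"net.connect"}),
    ],
    "worm": [
        ("inbound exploit", {"net.accept", "proc.exec"}),
        ("outbound scan", {"net.connect"}),
    ],
    "client_side_script": [
        ("browser fetch", {"net.connect", "proc.exec"}),
        ("dropped payload", {"file.write", "proc.exec"}),
    ],
}

# A constructed stand-in for a system instrumented "normally": login records
# and process accounting only, as typical accounting or debugging logs give.
TYPICAL_ACCOUNTING: Set[str] = {"auth.user", "auth.time", "proc.exec"}


@dataclass
class CoverageReport:
    analyzable: bool                      # every step can be reconstructed
    reconstructable_steps: List[str] = field(default_factory=list)
    missing: Set[str] = field(default_factory=set)  # fields not recorded


def required_data(intrusions: Iterable[str]) -> Set[str]:
    """Question 1: the union of fields needed by every step of each intrusion."""
    needed: Set[str] = set()
    for name in intrusions:
        for _step, fields in INTRUSIONS[name]:
            needed |= fields
    return needed


def coverage(recorded: Set[str]) -> Dict[str, CoverageReport]:
    """Question 2: for each modelled intrusion, which steps the recorded data
    can reconstruct, and which fields would have to be added."""
    reports: Dict[str, CoverageReport] = {}
    for name, steps in INTRUSIONS.items():
        report = CoverageReport(analyzable=True)
        for step_name, fields in steps:
            gap = fields - recorded
            if gap:
                report.analyzable = False
                report.missing |= gap
            else:
                report.reconstructable_steps.append(step_name)
        reports[name] = report
    return reports


def logging_gap(recorded: Set[str], intrusions: Iterable[str]) -> Set[str]:
    """Fields that must be added to `recorded` to make `intrusions` analyzable."""
    return required_data(intrusions) - recorded


if __name__ == "__main__":
    for name, rep in coverage(TYPICAL_ACCOUNTING).items():
        status = "analyzable" if rep.analyzable else "NOT analyzable"
        print(f"{name:22s} {status}; missing: {sorted(rep.missing)}")
    print("add for worm analysis:", sorted(logging_gap(TYPICAL_ACCOUNTING, ["worm"])))
```

Run against the constructed accounting-style log set, every modelled intrusion comes out as not analyzable, which is the abstract's point that data collected for accounting or debugging is rarely the data an analyst needs; `logging_gap` then names exactly which observables a logging policy would have to add for a chosen set of intrusions.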
About Dr. Sean Peisert
Sean Peisert is a postdoc at the University of California,
Davis. His research focuses on computer forensic analysis, intrusion detection,
vulnerability analysis, security policy modeling, electronic voting, and
empirical studies and real science to measure problems and validate solutions.
Previously, he was a postdoc and lecturer in the Computer Science and
Engineering department at UC San Diego (UCSD), was a computer security
researcher at the San Diego Supercomputer Center (SDSC), and co-founded a
now-defunct software company. Dr. Peisert received his Ph.D., Master's, and
Bachelor's degrees in Computer Science from UCSD, where his dissertation focused
on developing a systematic approach to forensic logging. He is an I3P Fellow
and is a Fellow of the San Diego Supercomputer Center.