
A live digital forensic system for windows networks / Battistoni, Roberto; Di Biagio, Alessandro; Di Pietro, Roberto; Formica, Matteo; Mancini, Luigi Vincenzo. - PRINT. - 278:(2008), pp. 653-667. (Paper presented at the 23rd International Information Security Conference, held in Milan, Italy, in September 2008) [10.1007/978-0-387-09699-5_42].

A live digital forensic system for windows networks

MANCINI, Luigi Vincenzo
2008

Abstract

This paper presents FOXP (computer FOrensic eXPerience), an open source project to support network Live Digital Forensics (LDF) where the network nodes run a Windows NT family Operating System (OS). In particular, the FOXP architecture is composed of a set of software sensors, one for every network node, that log node activities and then send these logs to a FOXP collector node; this collector node analyzes the collected data and manages the sensors' activities. The software sensors, which implement the technique called System Call Interposition for Win32, intercept all the kernel API (native API) calls invoked by the OS of the node. Thanks to the fine granularity of the logs, FOXP can intercept malicious activities. The centralized logs collected in the collector node allow the detection of coordinated attacks on network nodes: attacks that would not be detectable with a single-node analysis only. Note that the implemented System Call Interposition technique has made it possible to intercept and redirect all of the 284 Windows XP system calls. The technique is exposed in detail and could be considered a contribution on its own. Finally, an overview of the next steps to complete the FOXP project is provided.
2008
23rd International Information Security Conference
Information Systems and Management, Computer Communication Networks, Systems and Data Security, Digital Forensic, Legal Aspects of Computing
04 Publication in conference proceedings::04b Conference paper in a volume
Files attached to this item
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/879567
Warning! The data displayed have not been validated by the university.

Citations
  • PubMed Central: not available
  • Scopus: 4
  • ISI (Web of Science): 2