This paper presents FOXP (computer FOrensic eXPerience), an open source project to support network Live Digital Forensics (LDF), where the network nodes run a Windows NT family Operating System (OS). In particular, the FOXP architecture is composed of a set of software sensors, once for every network node, that log node activities and then send these logs to a FOXP collector node; this collector node analyzes collected data and manages the sensors activities. Software sensors, implementing the technique called System Call Interposition for Win32, intercepts all the kernel API (native API) invoked by the OS of the node. Thanks to the fine granularity of the logs, FOXP can intercept malicious activities. Centralized logs collected in the collector node, allow to detect coordinated-attacks on network nodes: attacks that would not be detectable with a single node analysis only. Note that the implemented System Call Interposition technique has allowed to intercept and redirect all of the 284 Windows XP system calls. The technique is exposed in detail and could be considered a contribution on its own. Finally, an overview of next steps to complete the FOXP project is provided.
A live digital forensic system for windows networks / Battistoni, Roberto; Di Biagio, Alessandro; Di Pietro, Roberto; Formica, Matteo; Mancini, Luigi Vincenzo. - STAMPA. - 278:(2008), pp. 653-667. (Intervento presentato al convegno 23rd International Information Security Conference tenutosi a Milano, Italia nel September 2008) [10.1007/978-0-387-09699-5_42].
A live digital forensic system for windows networks
MANCINI, Luigi Vincenzo
2008
Abstract
This paper presents FOXP (computer FOrensic eXPerience), an open source project to support network Live Digital Forensics (LDF), where the network nodes run a Windows NT family Operating System (OS). In particular, the FOXP architecture is composed of a set of software sensors, once for every network node, that log node activities and then send these logs to a FOXP collector node; this collector node analyzes collected data and manages the sensors activities. Software sensors, implementing the technique called System Call Interposition for Win32, intercepts all the kernel API (native API) invoked by the OS of the node. Thanks to the fine granularity of the logs, FOXP can intercept malicious activities. Centralized logs collected in the collector node, allow to detect coordinated-attacks on network nodes: attacks that would not be detectable with a single node analysis only. Note that the implemented System Call Interposition technique has allowed to intercept and redirect all of the 284 Windows XP system calls. The technique is exposed in detail and could be considered a contribution on its own. Finally, an overview of next steps to complete the FOXP project is provided.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.