Providing process origin information to aid in computer forensic investigations | Zendy

Florian Buchholz | Zendy; Clay Shields | Zendy

AI Assistant Blog Pricing

Home ZAIA Blog

Open Access

Providing process origin information to aid in computer forensic investigations

Author(s) -

Florian Buchholz,

Clay Shields

Publication year - 2004

Publication title -

journal of computer security

Language(s) - English

Resource type - Journals

SCImago Journal Rank - 0.201

H-Index - 56

eISSN - 1875-8924

pISSN - 0926-227X

DOI - 10.3233/jcs-2004-12505

Subject(s) - computer science , computer forensics , process (computing) , forensic science , data science , digital forensics , computer security , programming language , history , archaeology

The number of computer attacks has been growing dramatically as the Internet has grown. Attackers currently have little or no disincentive to conducting attacks because they are able to hide their location effectively by creating a chain of connections through a series of hosts. This method is effective because most current host audit systems do not maintain enough information to allow association of incoming and outgoing network connections. In this paper, we introduce an inexpensive method that allows both on-line and forensic matching of incoming and outgoing network traffic. Our method makes small modifications to the operating system that associate origin information with each process in the system process table, and enhances the audit information by logging the origin and destination of network sockets. We present implementation results, show that our method can effectively record origin information about a variety of attacks, and describe the limitations of our approach.

The content you want is available to Zendy users.

Already have an account? Click here to sign in.

Having issues? You can contact us here

Accelerating Research