Forensic Analysis of Computer Compromises


Charles Boeckman - MITRE Corporation

Apr 02, 1999

Abstract

A key step between detecting an attack and reacting to an intrusion is understanding the attack and why it succeeded. Questions that must be investigated before a detected or suspected attack can be understood include: Who performed the attack? How did they perform it? What damage did it cause? To answer these questions, the compromised system must be examined to identify evidence left behind by the attacker. Determining the nature of an attack reliably requires a systematic methodology. The MITRE Corporation has developed a methodology for investigating compromised systems. The results of this work include a Linux-based analysis tool that implements the methodology, called the Forensic Intrusion Analysis Tool (FIAT). The application, which is written in Perl, can be used in a networked environment where data related to a system compromise may exist on multiple hosts, such as a firewall or an intrusion detection system.

About the Speaker

Chuck Boeckman is a Lead Information Systems Security Engineer with the MITRE Corporation. He has a B.S. in Electrical Engineering from Southern Illinois University and has been working in information security for over 9 years. His work includes installing firewalls and intrusion detection systems, performing vulnerability assessments, and analyzing system compromises. He is task lead for MITRE's research in computer forensic analysis. Prior to joining MITRE, Chuck spent 10 years in the US Air Force with assignments at the National Security Agency and the Air Force Information Warfare Center.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

© 1999-2013 Purdue University. All rights reserved.

Use/Reuse Guidelines

CERIAS Seminar materials are intended for educational, non-commercial use only and any or all commercial use is prohibited. Any use must attribute "The CERIAS Seminar at Purdue University." Opinions expressed in the recordings are not necessarily representative of the views of CERIAS or of Purdue University.