The Center for Education and Research in Information Assurance and Security (CERIAS)

Florian Buchholz - Purdue University

Using process labels to obtain forensic and traceback information

Mar 02, 2005

Abstract

Much of the research in computer security, especially in digital
forensics and intrusion detection, is concerned with retrieving and
analyzing the information that is present on a system. In my talk I
will analyze what kind of information is actually desired by a
forensic investigator and examine if these needs can be fulfilled by
today's operating systems. Some of the desired information is
currently not present in many systems and I will make suggestions on
how to supply more relevant audit data on a system and increase its
quality.

The second part of my talk will focus on two particularly difficult
categories of information that a forensic investigator might desire:
user influence and origin information. I will present a model that
allows a system to bind arbitrary information in the form of labels to
its principals and then propagate the labels as information is
exchanged among them. I will demonstrate the usefulness of the model
with various case studies and discuss a proof-of-concept
implementation. While my work is motivated and aimed primarily at
digital forensic investigations, it has applications in other areas of
computer science, in particular network traceback, intrusion
detection, and access control.


About the Speaker

Florian Buchholz is a graduate student in the department of Computer
Sciences at Purdue University. He holds a Diplom in Informatics from
the Technische Universitaet Braunschweig, Germany, and a Master's degree
in computer science from Purdue University. He is currently working on
his Ph.D. with Professor Spafford at CERIAS and plans to receive the
degree in May 2005. His main research interests lie in Digital
Forensics as well as system and network security.


