Forensic Analysis of Computer Compromises
Charles Boeckman - MITRE Corporation
Apr 02, 1999
Abstract
A key step between detecting an attack and reacting to an intrusion is understanding the attack and why it succeeded. Questions that must be investigated before a detected or suspected attack can be understood include: Who performed the attack? How did they perform the attack? What damage was caused by the attack? To answer these questions, a compromised system must be examined to identify evidence left behind by the attacker. To be successful at determining the nature of an attack, a systematic methodology must be identified. The MITRE Corporation has developed a methodology for use in investigating compromised systems. The results of this work include a Linux-based analysis tool that implements the methodology, called the Forensic Intrusion Analysis Tool (FIAT). The application, which is written in Perl, can be used in a networked environment where data related to a system compromise may exist on multiple hosts, such as a firewall or an intrusion detection system.
About the Speaker
Chuck Boeckman is a Lead Information Systems Security Engineer with the MITRE Corporation. He has a B.S. in Electrical Engineering from Southern Illinois University and has been working in information security for over 9 years. His work includes the installation of firewalls and intrusion detection systems, performing vulnerability assessments, and analyzing system compromises. He is task lead for MITRE's research in the area of computer forensic analysis. Prior to joining MITRE, Chuck spent 10 years in the US Air Force with assignments at the National Security Agency and the Air Force Information Warfare Center.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.