Charles Boeckman - MITRE Corporation
"Forensic Analysis of Computer Compromises"
Apr 02, 1999
Abstract
A key step between detecting an attack and reacting to an intrusion is understanding the attack and why it succeeded. Questions that must be investigated before a detected or suspected attack can be understood include: Who performed the attack? How did they perform the attack? What damage did the attack cause? To answer these questions, the compromised system must be examined to identify the evidence the attacker left behind. Determining the nature of an attack reliably requires a systematic methodology. The MITRE Corporation has developed a methodology for investigating compromised systems. The results of this work include a Linux-based analysis tool that implements the methodology, called the Forensic Intrusion Analysis Tool (FIAT). The application, which is written in Perl, can be used in a networked environment where data related to a system compromise may exist on multiple hosts, such as a firewall or an intrusion detection system.
About the Speaker
Chuck Boeckman is a Lead Information Systems Security Engineer with the MITRE Corporation. He has a B.S. in Electrical Engineering from Southern Illinois University and has been working in information security for over 9 years. His work includes installing firewalls and intrusion detection systems, performing vulnerability assessments, and analyzing system compromises. He is task lead for MITRE's research in computer forensic analysis. Prior to joining MITRE, Chuck spent 10 years in the US Air Force, with assignments at the National Security Agency and the Air Force Information Warfare Center.
Unless otherwise noted, the security Fall and Spring seminar series is held on Wednesdays at 4:30 P.M. in STEW G52 (Suite 050B), West Lafayette Campus.