Forensic analysis is the process of understanding, re-creating, and analyzing arbitrary events that have previously occurred. It seeks to answer such questions as how an intrusion occurred, what an attacker did during an intrusion, and what the effects of an attack were.
Currently the field of computer forensics is largely ad hoc. Data is generally collected because applications log it for debugging purposes or because someone thought it to be important. Practical forensic analysis has traditionally traded off analyzability against the amount of data recorded. Recording less data puts a smaller burden both on computer systems and on the humans that analyze them. Not recording enough data leaves analysts drawing their conclusions based on inference, rather than deduction.
This dissertation presents a model of forensic analysis, called Laocoön, designed to determine what data is necessary to understand past events. The model builds upon an earlier model used for intrusion detection, called the requires/provides model. The model is based on a set of qualities we believe a good forensic model should possess. Those qualities are in turn influenced by a set of five principles of computer forensic analysis. We apply Laocoön to examples, and present the results for a UNIX system. The results demonstrate how the model can be used to record smaller amounts of highly useful data, rather than forcing a choice between overwhelming amounts of data and an amount so small that it is effectively useless.
School: University of California, San Diego
School Location: United States -- California
Source: DAI-B 67/12, Dissertation Abstracts International
Keywords: Auditing, Forensic, Goal-oriented, Logging