Improving the Trustworthiness of Evidence Derived from Security Trace Files
Ennio Pozzetti (a) and Vidar Vetland (b)
(a) Politecnico di Milano, Dip. Elettronica e Informazione, I-20133 Milano, Italy, Email: pozzetti@elet.polimi.it
(b) Carleton University, Dept. Systems and Computer Engineering, Ottawa, Ontario, Canada K1S 5B6, Email: vidar@sce.carleton.ca
Abstract
Evidence is required to prosecute intruders in computer systems and networks, and reliable trace files are needed to obtain such evidence. Trace files normally contain vast amounts of data, of which only small portions are useful as evidence. Using temporary files during analysis of the data is dangerous because they can introduce inconsistencies. Since one inconsistency is enough to reduce the trustworthiness of the evidence, it is of paramount importance to develop a consistent way to extract and analyze information from trace files. In this paper we suggest such a method, accompanied by proper tool support. We conclude that the raw trace files should never be altered, not even for the purpose of making them readable. All extraction and purification should be the result of systematic application of data filters. The use of filters should be repeatable, so that anyone can apply the same filters; in this way the filters themselves document the process from raw traces to the information used as evidence.
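The approach the abstract describes (raw trace never altered, extraction done only by an ordered, repeatable set of named filters that themselves document the process), as an added Python example; this is not code from the paper or its authors, and the trace lines, filter names and manifest format are constructed here for illustration.

```python
import hashlib
import re
from typing import Callable

# Constructed sample trace (stand-in for a raw security trace file on disk,
# which would be opened read-only and never rewritten).
RAW_TRACE = b"""\
1998-03-02 10:01:07 host1 sshd[412]: Accepted password for alice from 10.0.0.5
1998-03-02 10:01:09 host1 sshd[412]: Failed password for root from 192.0.2.77
1998-03-02 10:01:12 host1 cron[88]: (root) CMD (run-parts /etc/cron.hourly)
1998-03-02 10:01:15 host1 sshd[419]: Failed password for root from 192.0.2.77
1998-03-02 10:01:19 host1 sshd[421]: Failed password for admin from 192.0.2.77
"""

# A filter is a pure function over the list of trace lines; a pipeline is an
# ordered list of (name, filter) pairs, so the manifest can record each step.
def only_matching(pattern: bytes) -> Callable:
    rx = re.compile(pattern)
    return lambda lines: [ln for ln in lines if rx.search(ln)]

def drop_matching(pattern: bytes) -> Callable:
    rx = re.compile(pattern)
    return lambda lines: [ln for ln in lines if not rx.search(ln)]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def run_pipeline(raw: bytes, pipeline: list) -> dict:
    """Apply the filters in order to the raw trace and return a manifest:
    raw hash, the named steps with their line counts, and the result hash.
    The raw bytes are never modified; the manifest plus the filter list is
    enough for anyone to re-run the extraction and compare hashes."""
    lines = raw.splitlines(keepends=True)
    steps = []
    for name, flt in pipeline:
        lines = flt(lines)
        steps.append({"filter": name, "lines_remaining": len(lines)})
    result = b"".join(lines)
    return {"raw_sha256": sha256(raw), "steps": steps,
            "result_sha256": sha256(result), "result": result.decode()}

def verify(raw: bytes, pipeline: list, manifest: dict) -> bool:
    """Re-run the documented steps and confirm both hashes still match."""
    again = run_pipeline(raw, pipeline)
    return (again["raw_sha256"] == manifest["raw_sha256"]
            and again["result_sha256"] == manifest["result_sha256"])

PIPELINE = [("keep sshd records", only_matching(rb"sshd\[\d+\]")),
            ("drop successful logins", drop_matching(rb"Accepted password")),
            ("keep source 192.0.2.77", only_matching(rb"from 192\.0\.2\.77$"))]
```

Because every step is named and the raw and result hashes are recorded, a second analyst holding the raw trace and the manifest can re-run `verify` and detect any alteration of either the raw file or the extraction.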