Trail of Bytes: New Techniques for Supporting Data Provenance and Limiting Privacy Breaches

Forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has improved significantly over the past two decades,...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on information forensics and security 2012-12, Vol.7 (6), p.1876-1889
Main Authors: Krishnan, S., Snow, K. Z., Monrose, F.
Format: Article
Language:English
Subjects:
checkpointing
Computer security
Couplings
Forensics
information security
intrusion detection
Monitoring
operating systems
Semantics
system recovery
Virtual machine monitors
Virtual machining
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has improved significantly over the past two decades, it is all too often the case that we lack detailed information just when we need it the most. In this paper, we attempt to improve on the state of the art by providing a forensic platform that transparently monitors and records data access events within a virtualized environment using only the abstractions exposed by the hypervisor. Our approach monitors accesses to objects on disk and follows the causal chain of these accesses across processes, even after the objects are copied into memory. Our forensic layer records these transactions in a tamper evident version-based audit log that allows for faithful, and efficient, reconstruction of the recorded events and the changes they induced. To demonstrate the utility of our approach, we provide an extensive empirical evaluation, including a real-world case study demonstrating how our platform can be used to reconstruct valuable information about the what, when, and how, after a compromise has been detected. We also extend our earlier work by providing a tracking mechanism that can monitor data exfiltration attempts across multiple disks and also block attempts to copy data over the network.
ISSN:1556-6013
1556-6021
DOI:10.1109/TIFS.2012.2210217