This is a tool-style application that records system events (e.g. file delete, file execute) on a central server; these are the events digital forensic investigators rely on when investigating an offensive event, such as hosting an attack.
Real Time Event Recording System the Tool for Digital Forensics Investigation by Madhav Limaye
1. Real Time Event Recording System, the tool for Digital Forensics Investigation
Madhav Limaye
mlimaye@gmail.com
2. Practice today
• Investigator finds the device that was used
• Attempts to dig out all past events, e.g.
– an object (file/registry) deleted from the disk/device
– executing an EXE
– cookies
– contents sent out, e.g. for printing
– accessing a network resource
– calls made through IP phones
– etc.
3. Success factors
• Success rate depends on multiple factors
• Needs multiple tools
• Needs expertise
• Total failure if:
– the device was reset
– the device was physically damaged
• Etc.
4. Things available natively…
• Native tools/repositories are present
– Cookies
– Windows
• Event Log
• Registry
– Cell phone
• call history
• These are local, and can be cleaned or overflow
5. The proposed tool
• Record When It Happens/Occurs
• Should support all Devices
• Can be agent-based or agentless
• Records to central server
• Can work On-line/Off-line
6. Challenges for implementation
• Biggest – data storage
• Switching off the agent
• Taking the device off the network, in the agentless case
7. Other Utilization
• At nation level, for national security
– Monitor activities at public places, e.g. Net cafes
• At Enterprise, to enforce policies of device usage
• At home, to monitor usage by minors
8. Approaches for implementation
• Agent Based
– So that the performance of the monitored device does not degrade
– Has an “off-line” monitor
– Conserves network bandwidth
• Protecting the Agent
– Heartbeat: poll for agent alive
– Tie it to the device kernel somehow, so that if someone tries to “kill” it, the device goes down
• Configurable Events/Devices
– The Events/Devices, depth/detail etc. should be configurable
– There should be a “white-list” for Devices and Events/Applications
– E.g.
• the “Exchange” server is “trusted”
• events from source code control tools are not monitored
• Pushing the logs to server
– On a “configurable” interval
– On “shut-down” of the device
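The agent-side behaviour sketched on slides 5 and 8 (record when it happens, a white-list of trusted devices and applications, off-line buffering, push on a configurable interval or at shut-down, and a heartbeat for the alive poll) as an added Python example. This is illustrative code written for this page, not the author's tool; the device and application names and the send_batch callback are assumptions.

```python
import time

# Constructed white-list (slide 8): trusted devices and applications such as
# the "Exchange" server and source-code-control tools. Names are assumptions.
WHITELIST = {
    "devices": {"exchange-srv01"},
    "apps": {"git.exe", "svn.exe"},
}


class RecordingAgent:
    """Agent-side recorder: buffers events locally (off-line mode) and
    pushes them to the central server on an interval or at shut-down."""

    def __init__(self, device, send_batch, flush_interval=60, clock=time.time):
        self.device = device
        self.send_batch = send_batch    # callable(list[dict]) -> bool, True if acknowledged
        self.flush_interval = flush_interval
        self.clock = clock              # injectable for deterministic testing
        self.buffer = []                # unsent events survive a failed push
        self.last_flush = clock()

    def record(self, event_type, target, app=None):
        """Record an event when it occurs; returns False if white-listed."""
        if self.device in WHITELIST["devices"] or app in WHITELIST["apps"]:
            return False
        self.buffer.append({"device": self.device, "ts": self.clock(),
                            "event": event_type, "target": target, "app": app})
        if self.clock() - self.last_flush >= self.flush_interval:
            self.flush()                # push on the configurable interval
        return True

    def flush(self):
        """Push buffered events; keep them if the server is unreachable."""
        if not self.buffer:
            return True
        if self.send_batch(list(self.buffer)):
            self.buffer.clear()
            self.last_flush = self.clock()
            return True
        return False                    # still off-line: retry later

    def shutdown(self):
        """Final push on device shut-down."""
        return self.flush()

    def heartbeat(self):
        """Answer the server's 'agent alive' poll, reporting the backlog."""
        return {"device": self.device, "alive_at": self.clock(),
                "pending": len(self.buffer)}
```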