Improving the Trustworthiness of Evidence Derived from Security Trace Files
Ennio Pozzetti, Politecnico di Milano; Vidar Vetland, Carleton University
Evidence is required to prosecute intruders in computer systems and networks. Reliable trace files are needed to obtain such evidence. Trace files normally contain vast amounts of data of which only small portions are useful as evidence. Use of temporary files during analysis of the data is dangerous because inconsistencies may be introduced in that way. Since one inconsistency is enough to reduce the trustworthiness of the evidence, it is of paramount importance to develop a consistent way to extract and analyze information from trace files. In this paper we suggest such a method accompanied by proper tool support. We conclude that the raw trace files should never be altered, not even for the purpose of making them readable. All extraction and purification should be the result of systematic application of data filters. The systematic use of filters should be repeatable so that anyone can apply the filters. Thus the filters document the process from raw traces to information used as evidence.
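The method the abstract argues for, as an added illustration that is not code from the paper: the raw trace is never rewritten, extraction is an ordered chain of declared keep-only filters applied in memory (no temporary files), and a manifest records the hash of the raw input, every filter definition, and the hash after each step, so anyone can re-run the chain and confirm the same evidence. The trace lines, filter names and patterns are constructed for the example.

```python
import hashlib
import re

# Constructed sample of a raw trace file (syslog-style lines); not from the paper.
RAW_TRACE = (
    b"Mar 12 02:14:07 host sshd[412]: Failed password for root from 10.0.0.5 port 5220\n"
    b"Mar 12 02:14:09 host sshd[412]: Failed password for root from 10.0.0.5 port 5221\n"
    b"Mar 12 02:14:10 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)\n"
    b"Mar 12 02:14:12 host sshd[413]: Accepted password for root from 10.0.0.5 port 5222\n"
)

# A filter chain is data, not ad hoc editing: (name, regex) pairs, applied in order.
# Each filter only decides which raw lines survive; it never rewrites a line.
FILTER_CHAIN = [
    ("sshd_only", rb" sshd\[\d+\]: "),
    ("from_suspect_host", rb" from 10\.0\.0\.5 "),
    ("auth_outcome", rb"(Failed|Accepted) password"),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def apply_filter(data: bytes, pattern: bytes) -> bytes:
    """Keep-only filter: a line is retained exactly when the pattern matches it."""
    rx = re.compile(pattern)
    return b"".join(line for line in data.splitlines(keepends=True) if rx.search(line))


def derive_evidence(raw: bytes, chain):
    """Run the chain in memory and return (evidence, manifest). The manifest
    documents the whole path from raw trace to evidence: raw hash, each filter's
    name and pattern, and the hash and line count after every step."""
    manifest = {"raw_sha256": sha256(raw), "steps": []}
    data = raw
    for name, pattern in chain:
        data = apply_filter(data, pattern)
        manifest["steps"].append({"filter": name, "pattern": pattern.decode(),
                                  "out_sha256": sha256(data), "lines": data.count(b"\n")})
    manifest["evidence_sha256"] = sha256(data)
    return data, manifest


def verify(raw: bytes, manifest) -> bool:
    """Independent re-derivation: rebuild the chain from the manifest alone, re-run
    it on the untouched raw trace, and require every recorded hash to match."""
    if sha256(raw) != manifest["raw_sha256"]:
        return False  # the raw file is not the one the evidence was derived from
    chain = [(s["filter"], s["pattern"].encode()) for s in manifest["steps"]]
    _, again = derive_evidence(raw, chain)
    return again == manifest
```

Because the manifest carries the filter definitions themselves, a second analyst needs only the raw trace and the manifest to reproduce the evidence, and any alteration of the raw file or of a filter shows up as a hash mismatch.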
author = {Ennio Pozzetti and Vidar Vetland},
title = {Improving the Trustworthiness of Evidence Derived from Security Trace Files},
booktitle = {5th USENIX UNIX Security Symposium (USENIX Security 95)},
year = {1995},
address = {Salt Lake City, UT},
url = {https://www.usenix.org/conference/5th-usenix-unix-security-symposium/improving-trustworthiness-evidence-derived-security},
publisher = {USENIX Association},
month = jun
}