Check out the new USENIX Web site.

Improving the Trustworthiness of Evidence Derived from Security Trace Files

Ennio Pozzetti (a) and Vidar Vetland (b)

(a) Politecnico di Milano, Dip. Elettronica e Informazione,
I-20133 Milano, Italy, Email:
(b) Carleton University, Dept. Systems and Computer Engineering,
Ottawa, Ontario, Canada K1S 5B6, Email:


Evidence is required to prosecute intruders in computer systems and networks. Reliable trace files are needed to obtain such evidence. Trace files normally contain vast amounts of data of which only small portions are useful as evidence. Use of temporary files during analysis of the data is dangerous because inconsistencies may be introduced in that way. Since one inconsistency is enough to reduce the trustworthiness of the evidence, it is of paramount importance to develop a consistent way to extract and analyze information from trace files. In this paper we suggest such a method accompanied by proper tool support. We conclude that the raw trace files should never be altered, not even for the purpose of making them readable. All extraction and purification should be the result of systematic application of data filters. The systematic use of filters should be repeatable so that anyone can apply the filters. Thus the filters document the process from raw traces to information used as evidence.

Download the full text of this paper in ASCII (33,048 bytes),
POSTSCRIPT (251,667 bytes),
and PDF (198,443 bytes) form.

To Become a USENIX Member, please see our Membership Information.