Log analysis
Allows arbitrary log file formats to be easily uploaded to a database.
GUI-driven complex database searches using an advanced table GUI element.
The ultimate objective is to integrate PyFlag into IRItaly's CD-ROM, in order to
provide first responders with a tool that guarantees at least a level of correlation
significantly broader than that offered by the current version.
Another research project included on the IRItaly CD-ROM, and related to log
analysis, is called SecSyslog. As stated in the first part of this chapter, one of
the most critical problems of syslog is integrity. This part of the CIA paradigm
(Confidentiality, Integrity, Availability) can be violated by compromising
authentication between machines, by spoofing addresses and by intercepting traffic.
SecSyslog aims to solve this problem using covert channels. In a hypothetical scenario
where machine "A" is the syslog sender and machine "B" is the receiver/daemon,
SecSyslog relies on the following elements:
(1) TCP, in addition to the "simple" and inadequate UDP, to establish a connection
between the machines;
(2) the syslog records are encrypted and encapsulated in particular fields of the
carrier packets, so that even an interceptor cannot tell what kind of traffic is
passing on the line;
(3) once at the destination, the packets are decrypted by the SecSyslog daemon and
the messages can be analyzed.
SecSyslog (which differs substantially from solutions such as syslog-ng) is therefore
an example of a "good" dual use of hacker techniques. Using SecSyslog could solve many
of the integrity and confidentiality problems caused by the lack of security and of
"forensic compliance" in many logging architectures.
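The following is an added illustration of the sender/receiver exchange described above; it is written for this chapter's edition and is not code from SecSyslog or the IRItaly CD-ROM. It models only the cryptographic part of steps (2) and (3): machine "A" seals each syslog record into an encrypted, authenticated frame carried over a TCP byte stream, and the daemon on machine "B" verifies the frame before decrypting it, rejecting tampered and replayed records. The pre-shared key, the frame layout, the HMAC-SHA256-based stream cipher, the session/sequence nonce and the sample syslog lines are all assumptions of the example, not details given on the page, and the covert placement of the frames inside particular packet fields is not modelled. One caveat the text glosses over: decryption alone gives confidentiality, not integrity; a receiver that wants to trust a record must authenticate it (here with a MAC) and refuse replays, which is what the daemon below does.

```python
"""Toy SecSyslog-style transport: encrypt-then-MAC framing of syslog records
over a TCP stream, with replay protection on the receiving daemon.

Illustrative code only; not SecSyslog's implementation. All keys, layouts and
sample records are constructed for this example.
"""
import hashlib
import hmac
import os
import struct

# Hypothetical pre-shared secret between sender "A" and daemon "B".
PSK = b"example-preshared-key-do-not-use"

# Frame header: 8-byte session id, 8-byte sequence number, 2-byte ciphertext length.
HDR = struct.Struct(">8sQH")
TAG_LEN = 32  # HMAC-SHA256 tag appended to every frame


def derive_keys(psk):
    """Derive independent encryption and MAC keys from the shared secret."""
    k_enc = hmac.new(psk, b"secsyslog-enc", hashlib.sha256).digest()
    k_mac = hmac.new(psk, b"secsyslog-mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream_xor(k_enc, nonce, data):
    """CTR-style stream cipher with HMAC-SHA256 as the PRF (toy; a real daemon
    would use AES-GCM or ChaCha20-Poly1305). Same call encrypts and decrypts."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream += hmac.new(k_enc, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class Sender:
    """Machine "A": seals each syslog record into one authenticated frame."""

    def __init__(self, psk, session_id=None):
        self.k_enc, self.k_mac = derive_keys(psk)
        self.session = session_id or os.urandom(8)  # fresh per connection
        self.seq = 0

    def seal(self, record):
        self.seq += 1  # monotonic counter: nonce uniqueness + replay detection
        nonce = self.session + struct.pack(">Q", self.seq)
        ct = keystream_xor(self.k_enc, nonce, record)
        hdr = HDR.pack(self.session, self.seq, len(ct))
        tag = hmac.new(self.k_mac, hdr + ct, hashlib.sha256).digest()
        return hdr + ct + tag  # header is authenticated too


class Receiver:
    """Machine "B": reassembles frames from the TCP stream, verifies, decrypts."""

    def __init__(self, psk):
        self.k_enc, self.k_mac = derive_keys(psk)
        self.last_seq = {}  # session id -> highest sequence number accepted
        self.buf = b""
        self.accepted, self.rejected = [], []

    def feed(self, data):
        """Consume bytes as they arrive on the socket, in arbitrary chunking."""
        self.buf += data
        while len(self.buf) >= HDR.size:
            session, seq, ct_len = HDR.unpack_from(self.buf)
            total = HDR.size + ct_len + TAG_LEN
            if len(self.buf) < total:
                break  # wait for the rest of the frame
            frame, self.buf = self.buf[:total], self.buf[total:]
            self._handle(frame, session, seq)

    def _handle(self, frame, session, seq):
        signed, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(self.k_mac, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):   # integrity check before anything else
            self.rejected.append((seq, "bad-mac"))
            return
        if seq <= self.last_seq.get(session, 0):  # replayed or reordered frame
            self.rejected.append((seq, "replay"))
            return
        self.last_seq[session] = seq
        nonce = session + struct.pack(">Q", seq)
        self.accepted.append(keystream_xor(self.k_enc, nonce, signed[HDR.size:]).decode())


# Constructed sample syslog records (not taken from any real system).
SAMPLE_RECORDS = [
    b"<34>Oct 11 22:14:15 hostA su: 'su root' failed for lonvick on /dev/pts/8",
    b"<13>Oct 11 22:14:16 hostA sshd[2345]: Accepted publickey for alice",
]


def demo(psk=PSK):
    """A sends two records; an interceptor then tampers with one and replays one.
    Returns (accepted records, rejected (seq, reason) list, plaintext_visible_on_wire)."""
    a, b = Sender(psk, session_id=b"\x00" * 7 + b"\x01"), Receiver(psk)
    frames = [a.seal(r) for r in SAMPLE_RECORDS]
    stream = frames[0] + frames[1]
    b.feed(stream[:25])   # partial delivery: header seen, body not yet complete
    b.feed(stream[25:])
    tampered = bytearray(frames[1])
    tampered[HDR.size] ^= 0x01  # flip one ciphertext bit on the wire
    b.feed(bytes(tampered))
    b.feed(frames[0])           # replay of the first record
    plaintext_on_wire = any(r in f for r, f in zip(SAMPLE_RECORDS, frames))
    return b.accepted, b.rejected, plaintext_on_wire


if __name__ == "__main__":
    print(demo())
```

Without the MAC, the bit flip in the tampered frame would decrypt to a silently altered log line, since a stream cipher is malleable; with it, the daemon discards the frame before it ever reaches the log store. The sequence counter keyed by session id is what makes a captured frame useless to an attacker who re-sends it later.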
5. SecSyslog and Covert Channels in Detail: Introduction and Definition
The commonly accepted definition states that a covert channel is "any communications
channel which can be used to transmit information using methods that violate
existing security policies." [1]

[1] Department of Defense Trusted Computer System Evaluation Criteria. The translation is ours.