Issue No.05 - September-October (2004 vol.2)
Yann Berthier , Hervé Schauer Consultant
Philippe Biondi , Arche/Omnetica Group
Danielle Kaminsky , TEGAM International
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2004.70
In the previous issue, we focused on how to analyze network activity by looking at flows. This activity gives us a quick, but imprecise, idea of what happens to a honeypot and reveals almost all of an intruder's actions. Although flows are an effective method for monitoring honeypots in real time, they're not sufficient if we want to learn more about the intruder. To accomplish this goal, we must investigate the compromised host itself. In this article, we'll show how to build two timelines of events: one from network clues and the other from what the host tells us. We can then merge these timelines and answer additional questions.
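The two-timeline approach described above, as an added illustration that is not code from the article: a network timeline parsed from flow records and a host timeline parsed from mactime-style body rows (modification, access and change times per file) are normalized to UTC, merged into one ordered sequence, and each host event is paired with the most recent network event inside a short window. The flow lines, body rows, timestamps and the two-minute window are constructed sample data; the `clock_skew` parameter is an assumption of this example, added because a honeypot's clock rarely agrees exactly with the sensor that captured the flows.

```python
"""Merge a network-side timeline with a host-side (MAC-time) timeline.

Added example; the record formats and sample data below are constructed,
not taken from the article.
"""
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime   # always timezone-aware UTC
    source: str    # "net" or "host"
    detail: str    # human-readable description of the clue


# Constructed sample flow records: "<ISO-8601 UTC> <proto> <src> -> <dst>".
FLOWS = """\
2004-08-14T02:13:05Z tcp 10.0.0.7:3322 -> 192.168.1.10:22
2004-08-14T02:14:40Z tcp 192.168.1.10:1025 -> 10.0.0.7:80
2004-08-14T02:20:02Z tcp 192.168.1.10:1026 -> 10.0.0.9:6667
"""

# Constructed mactime-style body rows: mtime|atime|ctime|path (epoch seconds).
HOST_BODY = """\
1092449660|1092449661|1092449660|/tmp/.x/ssh.tgz
1092449700|1092449700|1092449700|/usr/bin/ls
"""


def parse_flows(text: str) -> list[Event]:
    """One event per flow record, timestamp taken as UTC."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, "net", rest))
    return events


def parse_host_body(text: str, clock_skew: timedelta = timedelta(0)) -> list[Event]:
    """One event per distinct M/A/C timestamp of each file.

    clock_skew (assumed parameter) is how far the honeypot's clock ran AHEAD
    of the flow sensor; it is subtracted so both timelines share one clock.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m, a, c, path = line.split("|", 3)
        seen: dict[datetime, list[str]] = {}
        for label, raw in (("m", m), ("a", a), ("c", c)):
            ts = datetime.fromtimestamp(int(raw), tz=timezone.utc) - clock_skew
            seen.setdefault(ts, []).append(label)
        for ts, labels in seen.items():
            events.append(Event(ts, "host", f"{''.join(labels)} {path}"))
    return events


def merge_timelines(*timelines: list[Event]) -> list[Event]:
    """Interleave several timelines into one chronological sequence."""
    return sorted((e for tl in timelines for e in tl), key=lambda e: (e.ts, e.source))


def correlate(timeline: list[Event], window: timedelta = timedelta(minutes=2)):
    """Pair each host event with the most recent network event within `window`."""
    pairs = []
    last_net = None
    for ev in timeline:
        if ev.source == "net":
            last_net = ev
        elif last_net is not None and ev.ts - last_net.ts <= window:
            pairs.append((last_net, ev))
    return pairs


if __name__ == "__main__":
    merged = merge_timelines(parse_flows(FLOWS), parse_host_body(HOST_BODY))
    for ev in merged:
        print(ev.ts.isoformat(), ev.source, ev.detail)
    for net, host in correlate(merged):
        print("host event", host.detail, "follows flow", net.detail)
```

On the constructed data, the archive dropped in /tmp and the later touch of /usr/bin/ls each land within two minutes of an inbound SSH session and an outbound HTTP fetch respectively, which is the kind of question a merged timeline answers that either source alone does not. Sorting on `(ts, source)` keeps the order deterministic when a host timestamp coincides with a flow timestamp to the second.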
honeypots, honeynets, network analysis
Yann Berthier, Philippe Biondi, Danielle Kaminsky, "Honeypot Forensics, Part II: Analyzing the Compromised Host", IEEE Security & Privacy, vol.2, no. 5, pp. 77-80, September-October 2004, doi:10.1109/MSP.2004.70