Honeypot Forensics, Part II: Analyzing the Compromised Host
September-October 2004 (vol. 2 no. 5)
pp. 77-80
Frederic Raynal, MISC Magazine
Yann Berthier, Hervé Schauer Consultant
Philippe Biondi, Arche/Omnetica Group
Danielle Kaminsky, TEGAM International
In the previous issue, we focused on how to analyze network activity by looking at flows. This activity gives us a quick, but imprecise, idea of what happens to a honeypot and reveals almost all of an intruder's actions. Although flows are an effective method for monitoring honeypots in real time, they're not sufficient if we want to learn more about the intruder. To accomplish this goal, we must investigate the compromised host itself. In this article, we'll show how to build two timelines of events: one from network clues and the other from what the host tells us. We can then merge these timelines and answer additional questions.
Index Terms:
honeypots, honeynets, network analysis
Citation:
Frederic Raynal, Yann Berthier, Philippe Biondi, Danielle Kaminsky, "Honeypot Forensics, Part II: Analyzing the Compromised Host," IEEE Security & Privacy, vol. 2, no. 5, pp. 77-80, Sept.-Oct. 2004, doi:10.1109/MSP.2004.70