Issue No. 05 - September-October (2004 vol. 2)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2004.70
Frederic Raynal, MISC Magazine
Yann Berthier, Hervé Schauer Consultant
Philippe Biondi, Arche/Omnetica Group
Danielle Kaminsky, TEGAM International
In the previous issue, we focused on how to analyze network activity by looking at flows. This activity gives us a quick, but imprecise, idea of what happens to a honeypot and reveals almost all of an intruder's actions. Although flows are an effective method for monitoring honeypots in real time, they're not sufficient if we want to learn more about the intruder. To accomplish this goal, we must investigate the compromised host itself. In this article, we'll show how to build two timelines of events: one from network clues and the other from what the host tells us. We can then merge these timelines and answer additional questions.
honeypots, honeynets, network analysis
D. Kaminsky, F. Raynal, Y. Berthier and P. Biondi, "Honeypot Forensics, Part II: Analyzing the Compromised Host," in IEEE Security & Privacy, vol. 2, no. 5, pp. 77-80, 2004.