Yonghwi Kwon (University of Virginia), Weihang Wang (University at Buffalo, SUNY), Jinho Jung (Georgia Institute of Technology), Kyu Hyung Lee (University of Georgia), Roberto Perdisci (Georgia Institute of Technology and University of Georgia)

Cybercrime scene reconstruction that aims to reconstruct a previous execution of the cyber attack delivery process is an important capability for cyber forensics (e.g., post mortem analysis of the cyber attack executions). Unfortunately, existing techniques such as log-based forensics or record-and-replay techniques are not suitable to handle complex and long-running modern applications for cybercrime scene reconstruction and post mortem forensic analysis. Specifically, log-based cyber forensics techniques often suffer from a lack of inspection capability and do not provide details of how the attack unfolded. Record-and-replay techniques impose significant runtime overhead, often require significant modifications on end-user systems, and demand to replay the entire recorded execution from the beginning. In this paper, we propose C^2SR, a novel technique that can reconstruct an attack delivery chain (i.e., cybercrime scene) for post-mortem forensic analysis. It provides a highly desired capability: interactable partial execution reconstruction. In particular, it reproduces a partial execution of interest from a large execution trace of a long-running program. The reconstructed execution is also interactable, allowing forensic analysts to leverage debugging and analysis tools that did not exist on the recorded machine. The key intuition behind C^2SR is partitioning an execution trace by resources and reproducing resource accesses that are consistent with the original execution. It tolerates user interactions required for inspections that do not cause inconsistent resource accesses. Our evaluation results on 26 real-world programs show that C^2SR has low runtime overhead (less than 5.47%) and acceptable space overhead. We also demonstrate with four realistic attack scenarios that C^2SR successfully reconstructs partial executions of long-running applications such as web browsers, and it can remarkably reduce the user's efforts to understand the incident.

View More Papers

Demo #9: Attacking Multi-Sensor Fusion based Localization in High-Level...

Junjie Shen, Jun Yeon Won, Zeyuan Chen and Qi Alfred Chen (UC Irvine)

Read More

Work in Progress: Programmable In-Network Obfuscation of DNS Traffic

Liang Wang, Hyojoon Kim, Prateek Mittal, Jennifer Rexford (Princeton University)

Read More

Polypyus – The Firmware Historian

Jan Friebertshauser, Florian Kosterhon, Jiska Classen, Matthias Hollick (Secure Mobile Networking Lab, TU Darmstad)

Read More

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of...

Jun Zeng (National University of Singapore), Zheng Leong Chua (Independent Researcher), Yinfang Chen (National University of Singapore), Kaihang Ji (National University of Singapore), Zhenkai Liang (National University of Singapore), Jian Mao (Beihang University)

Read More